You used SVTI on one side and DVTI on the other. You can't intermix these.
Try the first on both sides.
Regards,
Tyson Scott
CCIE # 13513 (R&S, Security, SP)
Managing Partner/Technical Instructor - IPexpert Inc.
[email protected]
----- Reply message -----
From: "Robert Gridley" <[email protected]>
Date: Sun, May 8, 2011 5:40 am
Subject: [OSL | CCIE_Security] Tunnel without GRE or ACL
To: "Robert Gridley" <[email protected]>, "[email protected]"
<[email protected]>
Nobody who can help me?
----- Original Message -----
From: Robert Gridley
To: [email protected]
Sent: Friday, May 06, 2011 6:58 PM
Subject: [OSL | CCIE_Security] Tunnel without GRE or ACL
Hi,
I'm trying to build an IPsec tunnel without GRE or ACL. I tried it with the
following configuration:
Plan:
R1-------------------------------ASA------------------------------------R2
fa0/1                    outside:40.40.1.10                          fa0/1
40.40.1.1                inside:40.40.100.10                   40.40.100.2
L0:192.168.1.1                                              L0:192.168.2.2
ICMP, ESP and ISAKMP are allowed through the ASA
R2:
crypto keyring WPSK
 pre-shared-key address 40.40.1.1 key cisco123
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile DVTI
 match identity address 40.40.1.1 255.255.255.255
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec profile VTI
 set transform-set myset
 set isakmp-profile DVTI
interface Loopback0
 ip address 192.168.2.2 255.255.255.0
interface Tunnel0
 ip address 10.10.10.2 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel destination 40.40.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
interface FastEthernet0/1
 ip address 40.40.100.2 255.255.255.0
 duplex auto
 speed auto
router eigrp 100
 network 10.10.10.2 0.0.0.0
 network 192.168.2.2 0.0.0.0
 no auto-summary
ip route 40.40.1.0 255.255.255.0 40.40.100.10
R1:
crypto keyring WPSK
 pre-shared-key address 40.40.100.2 key cisco
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile DVTI
 keyring WPSK
 match identity address 40.40.100.2 255.255.255.255
 virtual-template 1
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec profile VTI
 set transform-set myset
 set isakmp-profile DVTI
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/1
 ip address 40.40.1.1 255.255.255.0
 speed 100
 full-duplex
interface Virtual-Template1 type tunnel
 ip address 10.10.10.1 255.255.255.0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
router eigrp 100
 network 192.168.1.1 0.0.0.0
 no auto-summary
ip route 40.40.100.0 255.255.255.0 40.40.1.10
It's not working yet. Does somebody know what's wrong with the configuration?
Thanks!
regards,
Robert
------------------------------------------------------------------------------
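The comparison made in the reply at the top of this thread (static VTI on R2, dynamic VTI on R1), written as a small config check. This is an added example, not part of the original messages: the function names are hypothetical, the config excerpts are trimmed from the two listings above, and the pre-shared-key comparison goes beyond what the reply discusses.

```python
import re

# Excerpts of the two configurations posted in the thread, trimmed to the
# lines these checks read (sub-command indentation added for readability).
R2_CFG = """
crypto keyring WPSK
 pre-shared-key address 40.40.1.1 key cisco123
interface Tunnel0
 tunnel destination 40.40.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
"""
R1_CFG = """
crypto keyring WPSK
 pre-shared-key address 40.40.100.2 key cisco
interface Virtual-Template1 type tunnel
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
"""

def vti_kinds(config):
    """Kinds of IPsec-protected tunnel interface: 'static' and/or 'dynamic'."""
    kinds, current = set(), ""
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            current = line.split()[1].lower()
        elif line.startswith("tunnel protection ipsec") and current:
            # Virtual-Template = DVTI; a plain Tunnel interface = SVTI.
            kinds.add("dynamic" if current.startswith("virtual-template") else "static")
    return kinds

def psk_for(config, peer):
    """Pre-shared key this config holds for the given peer address, or None."""
    m = re.search(r"pre-shared-key address %s key (\S+)" % re.escape(peer), config)
    return m.group(1) if m else None

def check_pair(cfg_a, addr_a, cfg_b, addr_b):
    """Compare two peers' configs; addr_x is the address the other side points at."""
    findings = []
    kinds_a, kinds_b = vti_kinds(cfg_a), vti_kinds(cfg_b)
    if kinds_a != kinds_b:
        findings.append("VTI kind differs: %s vs %s" % (sorted(kinds_a), sorted(kinds_b)))
    if psk_for(cfg_a, addr_b) != psk_for(cfg_b, addr_a):
        findings.append("pre-shared keys for the peer pair differ")
    return findings

if __name__ == "__main__":
    for finding in check_pair(R1_CFG, "40.40.1.1", R2_CFG, "40.40.100.2"):
        print(finding)
```

The parser keys on the `interface` header and the `tunnel protection ipsec` line only, so it also works on configs pasted without indentation, as in the original post.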
_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com