Hi Scott,

thanks for the hint! I wasn't sure if you can mix both up. I know how to configure a normal Tunnel without GRE etc .... that's not a problem :)

Have a nice Sunday!

regards,
Robert

----- Original Message -----
From: Tyson Scott
To: Robert Gridley ; Robert Gridley ; [email protected]
Sent: Sunday, May 08, 2011 4:00 PM
Subject: Re: [OSL | CCIE_Security] Tunnel without GRE or ACL

You used SVTI on one side and DVTI on the other. You can't inter-mix these. Try the first on both sides.

Regards,

Tyson Scott
CCIE # 13513 (R&S, Security, SP)
Managing Partner/Technical Instructor - IPexpert Inc.
[email protected]

----- Reply message -----
From: "Robert Gridley" <[email protected]>
Date: Sun, May 8, 2011 5:40 am
Subject: [OSL | CCIE_Security] Tunnel without GRE or ACL
To: "Robert Gridley" <[email protected]>, "[email protected]" <[email protected]>

Nobody who can help me?

----- Original Message -----
From: Robert Gridley
To: [email protected]
Sent: Friday, May 06, 2011 6:58 PM
Subject: [OSL | CCIE_Security] Tunnel without GRE or ACL

Hi,

I'm trying to build an IPSEC Tunnel without GRE, ACL. I tried it with the following configuration:

Plan:

R1-------------------------------ASA------------------------------------R2
fa0/1                     outside:40.40.1.10                         fa0/1
40.40.1.1                 inside:40.40.100.10                  40.40.100.2
L0:192.168.1.1                                            L0:192.168.2.2

ICMP, ESP and ISAKMP are allowed through ASA

R2:

crypto keyring WPSK
 pre-shared-key address 40.40.1.1 key cisco123

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2

crypto isakmp profile DVTI
 match identity address 40.40.1.1 255.255.255.255

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto ipsec profile VTI
 set transform-set myset
 set isakmp-profile DVTI

interface Loopback0
 ip address 192.168.2.2 255.255.255.0

interface Tunnel0
 ip address 10.10.10.2 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel destination 40.40.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI

interface FastEthernet0/1
 ip address 40.40.100.2 255.255.255.0
 duplex auto
 speed auto

router eigrp 100
 network 10.10.10.2 0.0.0.0
 network 192.168.2.2 0.0.0.0
 no auto-summary

ip route 40.40.1.0 255.255.255.0 40.40.100.10

R1:

crypto keyring WPSK
 pre-shared-key address 40.40.100.2 key cisco

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2

crypto isakmp profile DVTI
 keyring WPSK
 match identity address 40.40.100.2 255.255.255.255
 virtual-template 1

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto ipsec profile VTI
 set transform-set myset
 set isakmp-profile DVTI

interface Loopback0
 ip address 192.168.1.1 255.255.255.0

interface FastEthernet0/1
 ip address 40.40.1.1 255.255.255.0
 speed 100
 full-duplex

interface Virtual-Template1 type tunnel
 ip address 10.10.10.1 255.255.255.0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI

router eigrp 100
 network 192.168.1.1 0.0.0.0
 no auto-summary

ip route 40.40.100.0 255.255.255.0 40.40.1.10

It's not working yet. Does somebody know what's wrong with the configuration?

Thanks!

regards,
Robert

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
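
The reply's suggestion ("try the first on both sides") applied to R1, as an added example that is not part of the original thread: R1 rewritten as a static VTI that mirrors R2's Tunnel0. The ISAKMP profile name R2-PEER is hypothetical; addresses, keyring and transform-set names come from the posted configs, and the key value is the one R2 posted, since a pre-shared key has to be the same string on both peers.

```cisco
! R1 as SVTI (added example). The posted R1 keyring used "cisco" while R2
! used "cisco123" for this peering; the same string is needed on both sides.
crypto keyring WPSK
 pre-shared-key address 40.40.100.2 key cisco123
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
! Same match as the posted profile, but without "virtual-template 1",
! which is the line that made this side a DVTI.
crypto isakmp profile R2-PEER
 keyring WPSK
 match identity address 40.40.100.2 255.255.255.255
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
 set transform-set myset
 set isakmp-profile R2-PEER
!
! Static tunnel interface replacing Virtual-Template1; source and
! destination are the mirror image of R2's Tunnel0.
interface Tunnel0
 ip address 10.10.10.1 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel destination 40.40.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
! The tunnel subnet is advertised here as R2 does with 10.10.10.2, so the
! EIGRP adjacency forms across the tunnel.
router eigrp 100
 network 10.10.10.1 0.0.0.0
 network 192.168.1.1 0.0.0.0
 no auto-summary
!
ip route 40.40.100.0 255.255.255.0 40.40.1.10
```

Once both sides are loaded, `show crypto isakmp sa`, `show crypto ipsec sa` and `show ip eigrp neighbors` show whether IKE, the IPsec SAs and the adjacency over Tunnel0 came up.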
