robert -

the peers don't seem to match exactly as tyson just mentioned. the first thing that i noticed was that on the server, EIGRP was missing the tunnel network:

router eigrp 100
> network 192.168.1.1 0.0.0.0

while i'm not one try to add:

*network 10.10.10.1 0.0.0.0*

and also, on the client, the isakmp profile seems to be incomplete:

crypto isakmp profile DVTI
> match identity address 40.40.1.1 255.255.255.255

i think you should add:

*keyring WPSK*
*virtual-template 1*

so while these might not solve the problem for sure... other than that, i could not see anything jumping out at me. i would also suggest attaching some debugs here and then maybe one of us can more easily identify the issue. especially for VPN, there's a lot that can go wrong aside from a completely incorrect configuration...

for VPN tunnels, i'd do the following on both peers:

*debug crypto ipsec*
*debug crypto isakmp*

and i typically do *logging console 4* on my ASAs or *ip inspect log drop* on IOS ZBFW/CBAC to make sure i'm not denying anything. sometimes i mistype addresses or forget about a NAT or loopback source or something. on the ASA, i might even consider logging level of debugging so that i can see any translations being made if i suspect a failure there.

hopefully i'm not too far off base on this one since i'm not too sharp with VTI.

take care,
andrew

On Sun, May 8, 2011 at 1:42 AM, Robert Gridley <[email protected]> wrote:

> Nobody who can help me?
>
> ----- Original Message -----
> *From:* Robert Gridley <[email protected]>
> *To:* [email protected]
> *Sent:* Friday, May 06, 2011 6:58 PM
> *Subject:* [OSL | CCIE_Security] Tunnel without GRE or ACL
>
> Hi,
>
> I'm trying to build an IPSEC Tunnel without GRE, ACL.
> I tried it with the following configuration:
>
> Plan:
>
> R1-------------------------------ASA------------------------------------R2
> fa0/1                     outside:40.40.1.10                    fa0/1
> 40.40.1.1                 inside:40.40.100.10                   40.40.100.2
> L0:192.168.1.1                                                  L0:192.168.2.2
>
> ICMP, ESP and ISAKMP are allowed through ASA
>
> R2:
>
> crypto keyring WPSK
>  pre-shared-key address 40.40.1.1 key cisco123
> crypto isakmp policy 10
>  encr 3des
>  authentication pre-share
>  group 2
> crypto isakmp profile DVTI
>  match identity address 40.40.1.1 255.255.255.255
> crypto ipsec transform-set myset esp-3des esp-sha-hmac
> crypto ipsec profile VTI
>  set transform-set myset
>  set isakmp-profile DVTI
> interface Loopback0
>  ip address 192.168.2.2 255.255.255.0
> interface Tunnel0
>  ip address 10.10.10.2 255.255.255.0
>  tunnel source FastEthernet0/1
>  tunnel destination 40.40.1.1
>  tunnel mode ipsec ipv4
>  tunnel protection ipsec profile VTI
> interface FastEthernet0/1
>  ip address 40.40.100.2 255.255.255.0
>  duplex auto
>  speed auto
> router eigrp 100
>  network 10.10.10.2 0.0.0.0
>  network 192.168.2.2 0.0.0.0
>  no auto-summary
> ip route 40.40.1.0 255.255.255.0 40.40.100.10
>
> R1:
>
> crypto keyring WPSK
>  pre-shared-key address 40.40.100.2 key cisco
> crypto isakmp policy 10
>  encr 3des
>  authentication pre-share
>  group 2
> crypto isakmp profile DVTI
>  keyring WPSK
>  match identity address 40.40.100.2 255.255.255.255
>  virtual-template 1
> crypto ipsec transform-set myset esp-3des esp-sha-hmac
> crypto ipsec profile VTI
>  set transform-set myset
>  set isakmp-profile DVTI
> interface Loopback0
>  ip address 192.168.1.1 255.255.255.0
> interface FastEthernet0/1
>  ip address 40.40.1.1 255.255.255.0
>  speed 100
>  full-duplex
> interface Virtual-Template1 type tunnel
>  ip address 10.10.10.1 255.255.255.0
>  tunnel mode ipsec ipv4
>  tunnel protection ipsec profile VTI
> router eigrp 100
>  network 192.168.1.1 0.0.0.0
>  no auto-summary
> ip route 40.40.100.0 255.255.255.0 40.40.1.10
>
> It's not working yet. Does somebody know what's wrong with the configuration?
>
> Thanks!
>
> regards,
>
> Robert
>
> ------------------------------
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
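The checks suggested in the reply above (EIGRP coverage of the tunnel address, a keyring attached to the ISAKMP profile), plus a comparison of the two keyring entries, written as a small Python audit over excerpts of the posted configurations. This is an added example, not part of the original thread; the function names sections, covered and audit are illustrative.

```python
import ipaddress
# Excerpts copied from the configurations posted in the thread (only the lines the checks read).
R2 = """crypto keyring WPSK
 pre-shared-key address 40.40.1.1 key cisco123
crypto isakmp profile DVTI
interface Tunnel0
 ip address 10.10.10.2 255.255.255.0
router eigrp 100
 network 10.10.10.2 0.0.0.0
 network 192.168.2.2 0.0.0.0"""
R1 = """crypto keyring WPSK
 pre-shared-key address 40.40.100.2 key cisco
crypto isakmp profile DVTI
 keyring WPSK
interface Virtual-Template1 type tunnel
 ip address 10.10.10.1 255.255.255.0
router eigrp 100
 network 192.168.1.1 0.0.0.0"""

def sections(cfg):
    """Map each top-level command to its indented sub-commands."""
    out = {}
    for line in cfg.splitlines():
        if line.startswith(" "):
            cur.append(line.strip())
        else:
            out[line.strip()] = cur = []
    return out

def covered(ip, addr, wildcard):
    """True if an EIGRP 'network addr wildcard' statement matches ip."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(ip)) & care) == (int(ipaddress.ip_address(addr)) & care)

def audit(peers):
    """Findings across both peers: profile keyring, tunnel IP in EIGRP, key comparison."""
    out, keys = [], set()
    for name, cfg in peers.items():
        sec = sections(cfg)
        nets = [l.split()[1:3] for h, b in sec.items()
                if h.startswith("router eigrp") for l in b if l.startswith("network ")]
        for head, body in sec.items():
            keys.update(l.split()[-1] for l in body if l.startswith("pre-shared-key "))
            if head.startswith("crypto isakmp profile") and not any(l.startswith("keyring ") for l in body):
                out.append(f"{name}: {head} has no keyring")
            if head.startswith(("interface Tunnel", "interface Virtual-Template")):
                ip = next(l.split()[2] for l in body if l.startswith("ip address "))
                if not any(covered(ip, a, w) for a, w in nets):
                    out.append(f"{name}: EIGRP has no network statement for tunnel address {ip}")
    return out + (["pre-shared keys differ between the peers"] if len(keys) > 1 else [])
```

Calling audit({"R1": R1, "R2": R2}) returns three findings for the posted configurations: the missing EIGRP network on R1, the missing keyring on R2's profile, and the differing pre-shared keys.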
