Hi All,
Network diagram:

lo1-----R1(10.1.1.1)--------(10.1.1.2)R2(20.1.1.2)-----------(20.1.1.1)R3---lo3
                               (loop2 on R2 is the NTP server)

I am creating a site-to-site tunnel between R1 and R3 by using a CA, but it is not working. Loop1 and loop3 are the interesting traffic on their respective routers. R1 and R3 are authenticated and enrolled with the CA server lo2.

-----------------------------------------------------------------------------------
R1 config
-----------------------------------------------------------------------------------
crypto pki trustpoint R3
 enrollment url http://2.2.2.2:80
 subject-name CN = R3.cisco.com
 revocation-check crl
 rsakeypair R3.cisco.com
crypto pki certificate chain R3
 certificate ca 01
  30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  quit
crypto isakmp policy 10
 encr aes
 group 2
crypto isakmp identity dn
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
!
crypto map MAP 10 ipsec-isakmp
 set peer 20.1.1.1
 set transform-set TSET
 match address ACS
!
ip ssh version 1
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map MAP
router eigrp 1
 network 10.0.0.0
 no auto-summary
!
ip forward-protocol nd
ip route 1.1.1.0 255.255.255.0 10.1.1.2
!
ip http server
no ip http secure-server
!
ip access-list extended ACS
 permit ip host 1.1.1.1 host 3.3.3.3
ntp authentication-key 1 md5 13061E010803 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17179880
ntp server 2.2.2.2

-----------------------------------------------------------------------
R2 config
-----------------------------------------------------------------------
crypto pki server R2
 database level complete
 database archive pem password 7 060506324F41584B56
 issuer-name CN = R2 CA Server,L = London,ST = MI
 cdp-url http://2.2.2.2/cgi-bin/pkiclient.exe?operation=GetCRL
 database url flash:
!
crypto pki trustpoint R2
 revocation-check crl
 rsakeypair R2.cisco.com
!
crypto pki certificate chain R2
 certificate ca 01
  30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  quit
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 20.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 1
 network 2.0.0.0
 network 10.0.0.0
 network 20.0.0.0
 no auto-summary
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
ntp authentication-key 1 md5 14141B180F0B 7
ntp authenticate
ntp trusted-key 1
ntp source Loopback0
ntp master 2

--------------------------------------------------------------------
R3 config
--------------------------------------------------------------------
crypto pki trustpoint R3
 enrollment url http://2.2.2.2:80
 subject-name CN = R3.cisco.com
 revocation-check crl
 rsakeypair R3.cisco.com
crypto pki certificate chain R3
 certificate ca 01
  30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  4B201CC6 E7
  quit
crypto isakmp policy 10
 encr aes
 group 2
crypto isakmp identity dn
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
!
crypto map MAP 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set TSET
 match address ACS
interface Loopback3
 ip address 3.3.3.3 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 20.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map MAP
!
router eigrp 1
 network 20.0.0.0
 no auto-summary
!
ip forward-protocol nd
ip route 3.3.3.0 255.255.255.0 20.1.1.2
!
ip http server
no ip http secure-server
!
ip access-list extended ACS
 permit ip host 3.3.3.3 host 1.1.1.1
ntp authentication-key 1 md5 00071A150754 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17179821
ntp server 2.2.2.2
!
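As an added example (not part of the original post, and not Cisco tooling), a small Python checker that reads the posted R1 and R3 configs and verifies the things a site-to-site crypto map needs before PKI even comes into play: the `set peer` address matching the interface the remote map is applied to, mirror-image crypto ACLs, and a route to the remote interesting host via a local static route or the remote side's EIGRP network statements. It assumes the configs are complete as posted (no default route) and that the EIGRP network statements are classful; helper names are hypothetical.

```python
import ipaddress
import re
# Constructed excerpts of the R1 and R3 configs in the post above; helper names are hypothetical.
CONFIGS = {
    "R1": "crypto map MAP 10 ipsec-isakmp\n set peer 20.1.1.1\n match address ACS\n"
          "interface FastEthernet0/0\n ip address 10.1.1.1 255.255.255.0\n crypto map MAP\n"
          "router eigrp 1\n network 10.0.0.0\nip route 1.1.1.0 255.255.255.0 10.1.1.2\n"
          "ip access-list extended ACS\n permit ip host 1.1.1.1 host 3.3.3.3\n",
    "R3": "crypto map MAP 10 ipsec-isakmp\n set peer 10.1.1.1\n match address ACS\n"
          "interface FastEthernet0/1\n ip address 20.1.1.1 255.255.255.0\n crypto map MAP\n"
          "router eigrp 1\n network 20.0.0.0\nip route 3.3.3.0 255.255.255.0 20.1.1.2\n"
          "ip access-list extended ACS\n permit ip host 3.3.3.3 host 1.1.1.1\n",
}

def classful(net):
    """EIGRP 'network' without a wildcard is classful: /8, /16 or /24 by first octet."""
    first = int(net.split(".")[0])
    return ipaddress.ip_network(f"{net}/{8 if first < 128 else 16 if first < 192 else 24}", strict=False)

def parse(cfg):
    """Extract the facts the tunnel depends on; map_if is the address the crypto map sits on."""
    return {
        "peer": re.search(r"set peer (\S+)", cfg).group(1),
        "map_if": re.search(r"ip address (\S+) \S+\n(?: .*\n)*? crypto map", cfg).group(1),
        "acl": re.search(r"permit ip host (\S+) host (\S+)", cfg).groups(),
        "eigrp": [classful(n) for n in re.findall(r"^ network (\S+)", cfg, re.M)],
        "static": [ipaddress.ip_network(f"{n}/{m}")
                   for n, m in re.findall(r"^ip route (\S+) (\S+)", cfg, re.M)],
    }

def has_route(local, remote, host):
    """True if local has a static route to host, or remote advertises it in EIGRP."""
    ip = ipaddress.ip_address(host)
    return any(ip in n for n in local["static"]) or any(ip in n for n in remote["eigrp"])

def audit(configs):
    """Check both directions; an empty list means the two sides agree."""
    (a, ca), (b, cb) = [(name, parse(cfg)) for name, cfg in configs.items()]
    findings = []
    for x, cx, y, cy in ((a, ca, b, cb), (b, cb, a, ca)):
        if cx["peer"] != cy["map_if"]:
            findings.append(f"{x}: set peer {cx['peer']} but {y} applies the map on {cy['map_if']}")
        if cx["acl"] != cy["acl"][::-1]:
            findings.append(f"{x}: crypto ACL is not the mirror image of {y}'s")
        if not has_route(cx, cy, cy["acl"][0]):
            findings.append(f"{x}: no route to {cy['acl'][0]}, so traffic never reaches the crypto map")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(CONFIGS)) or "no findings")
```

On the configs as posted it reports that neither R1 nor R3 has a route to the other side's loopback, so the interesting traffic is dropped before the crypto map can trigger ISAKMP; the PKI settings themselves are outside what the script checks.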
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
