Hi,
You have wrong static routes configured on R1 and R3. IP address 1.1.1.1 is local on R1; there should be a static route configured for 3.3.3.3. Same on R3.
Regards,
Piotr

2011/10/9 parvez ahmad <[email protected]>
> Hi All,
>
> Network Diagram,
>
> lo1-----R1(10.1.1.1)--------(10.1.1.2)R2(20.1.1.2)-----------(20.1.1.1)R3---lo3
>
> loop2 for NTP Server
>
> I am creating a site-to-site tunnel between R1 and R3 by using CA, but it is
> not working.
>
> where loop1 and loop3 are the interesting traffic with respective routers. R1
> and R3 are authenticated and enrolled with CA server lo2.
>
> -----------------------------------------------------------------------------------
> R1 config
> -----------------------------------------------------------------------------------
>
> crypto pki trustpoint R3
>  enrollment url http://2.2.2.2:80
>  subject-name CN = R3.cisco.com
>  revocation-check crl
>  rsakeypair R3.cisco.com
>
> crypto pki certificate chain R3
>  certificate ca 01
>   30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
>   quit
>
> crypto isakmp policy 10
>  encr aes
>  group 2
> crypto isakmp identity dn
> !
> crypto ipsec transform-set TSET esp-aes esp-sha-hmac
> !
> crypto map MAP 10 ipsec-isakmp
>  set peer 20.1.1.1
>  set transform-set TSET
>  match address ACS
> !
> ip ssh version 1
> !
> interface Loopback1
>  ip address 1.1.1.1 255.255.255.0
> !
> interface FastEthernet0/0
>  ip address 10.1.1.1 255.255.255.0
>  duplex auto
>  speed auto
>  crypto map MAP
> !
> router eigrp 1
>  network 10.0.0.0
>  no auto-summary
> !
> ip forward-protocol nd
> ip route 1.1.1.0 255.255.255.0 10.1.1.2
> !
> ip http server
> no ip http secure-server
> !
> ip access-list extended ACS
>  permit ip host 1.1.1.1 host 3.3.3.3
>
> ntp authentication-key 1 md5 13061E010803 7
> ntp authenticate
> ntp trusted-key 1
> ntp clock-period 17179880
> ntp server 2.2.2.2
>
> -----------------------------------------------------------------------
> R2 Config
> -----------------------------------------------------------------------
>
> crypto pki server R2
>  database level complete
>  database archive pem password 7 060506324F41584B56
>  issuer-name CN = R2 CA Server,L = London,ST = MI
>  cdp-url http://2.2.2.2/cgi-bin/pkiclient.exe?operation=GetCRL
>  database url flash:
> !
> crypto pki trustpoint R2
>  revocation-check crl
>  rsakeypair R2.cisco.com
> !
> crypto pki certificate chain R2
>  certificate ca 01
>   30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
>   quit
>
> interface FastEthernet0/0
>  ip address 10.1.1.2 255.255.255.0
>  duplex auto
>  speed auto
> !
> interface FastEthernet0/1
>  ip address 20.1.1.2 255.255.255.0
>  duplex auto
>  speed auto
> !
> router eigrp 1
>  network 2.0.0.0
>  network 10.0.0.0
>  network 20.0.0.0
>  no auto-summary
> !
> ip forward-protocol nd
> !
> ip http server
> no ip http secure-server
>
> ntp authentication-key 1 md5 14141B180F0B 7
> ntp authenticate
> ntp trusted-key 1
> ntp source Loopback0
> ntp master 2
>
> --------------------------------------------------------------------
> R3 Config
> --------------------------------------------------------------------
>
> crypto pki trustpoint R3
>  enrollment url http://2.2.2.2:80
>  subject-name CN = R3.cisco.com
>  revocation-check crl
>  rsakeypair R3.cisco.com
>
> crypto pki certificate chain R3
>  certificate ca 01
>   30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
>   4B201CC6 E7
>   quit
>
> crypto isakmp policy 10
>  encr aes
>  group 2
> crypto isakmp identity dn
> !
> crypto ipsec transform-set TSET esp-aes esp-sha-hmac
> !
> crypto map MAP 10 ipsec-isakmp
>  set peer 10.1.1.1
>  set transform-set TSET
>  match address ACS
>
> interface Loopback3
>  ip address 3.3.3.3 255.255.255.0
> !
> interface FastEthernet0/0
>  no ip address
>  shutdown
>  duplex auto
>  speed auto
> !
> interface FastEthernet0/1
>  ip address 20.1.1.1 255.255.255.0
>  duplex auto
>  speed auto
>  crypto map MAP
> !
> router eigrp 1
>  network 20.0.0.0
>  no auto-summary
> !
> ip forward-protocol nd
> ip route 3.3.3.0 255.255.255.0 20.1.1.2
> !
> ip http server
> no ip http secure-server
> !
> ip access-list extended ACS
>  permit ip host 3.3.3.3 host 1.1.1.1
>
> ntp authentication-key 1 md5 00071A150754 7
> ntp authenticate
> ntp trusted-key 1
> ntp clock-period 17179821
> ntp server 2.2.2.2
> !
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>
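As an added example (not code from the thread, from Cisco, or from the list), the script below parses the routing and crypto lines of the R1 and R3 configs quoted above and reproduces the diagnosis in the reply: each router has a static route for its own loopback subnet, which the connected route already covers, and no route at all for the peer's loopback, so packets matching the crypto ACL are dropped by the routing lookup before the crypto map can ever match them. It also checks that the two crypto ACLs mirror each other and prints the static route that would fix each side. The parser handles only the small IOS subset shown (`interface`/`ip address`, `ip route`, `ip access-list extended` with `permit ip host A host B`, and `match address` in the crypto map); the suggested route takes its prefix from the remote router's loopback mask and assumes the next hop of the existing static route also reaches the peer, which holds for the R1-R2-R3 chain in the diagram. Routes learned dynamically are not visible in a config file, but here the loopback subnets are under no EIGRP `network` statement, so that caveat does not change the result.

```python
"""Added example (not from the thread): cross-check a pair of IOS site-to-site
IPsec configs for the static-route mistake pointed out in the reply above."""
import ipaddress
import re

# Constructed input: the routing and crypto lines of the R1 and R3 configs quoted above.
R1_CONFIG = """\
interface Loopback1
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
!
ip route 1.1.1.0 255.255.255.0 10.1.1.2
!
ip access-list extended ACS
 permit ip host 1.1.1.1 host 3.3.3.3
!
crypto map MAP 10 ipsec-isakmp
 set peer 20.1.1.1
 match address ACS
"""
R3_CONFIG = """\
interface Loopback3
 ip address 3.3.3.3 255.255.255.0
!
interface FastEthernet0/1
 ip address 20.1.1.1 255.255.255.0
!
ip route 3.3.3.0 255.255.255.0 20.1.1.2
!
ip access-list extended ACS
 permit ip host 3.3.3.3 host 1.1.1.1
!
crypto map MAP 10 ipsec-isakmp
 set peer 10.1.1.1
 match address ACS
"""

def connected_networks(cfg):
    """{interface name: IPv4Interface} for every 'ip address A M' under an interface."""
    nets, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
        m = re.match(r"^\s+ip address (\S+) (\S+)$", line)
        if m and current:
            nets[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return nets

def static_routes(cfg):
    """[(IPv4Network, next hop)] for every 'ip route N M NH' line."""
    return [(ipaddress.IPv4Network(f"{n}/{m}"), nh)
            for n, m, nh in re.findall(r"^ip route (\S+) (\S+) (\S+)$", cfg, re.M)]

def crypto_acl(cfg):
    """[(src, dst)] host pairs of the ACL named by 'match address' in the crypto map."""
    name = re.search(r"^\s+match address (\S+)$", cfg, re.M).group(1)
    body = re.search(rf"^ip access-list extended {name}\n((?:[ \t].*\n)*)", cfg, re.M).group(1)
    return [(ipaddress.IPv4Address(s), ipaddress.IPv4Address(d))
            for s, d in re.findall(r"permit ip host (\S+) host (\S+)", body)]

def redundant_local_routes(cfg):
    """Static routes whose destination is a subnet already connected on this router.
    The connected route (AD 0) beats the static (AD 1), so the static does nothing."""
    connected = {a.network: ifname for ifname, a in connected_networks(cfg).items()}
    return [(str(net), nh, connected[net]) for net, nh in static_routes(cfg) if net in connected]

def unrouted_acl_destinations(cfg):
    """Crypto-ACL destinations with neither a connected nor a static route: such packets
    fail the routing lookup before the crypto map can match them, so no SA is built."""
    covered = [a.network for a in connected_networks(cfg).values()] + [n for n, _ in static_routes(cfg)]
    return sorted({str(d) for _, d in crypto_acl(cfg) if not any(d in n for n in covered)})

def acls_mirrored(cfg_a, cfg_b):
    """True when every (src, dst) permitted on A appears as (dst, src) on B."""
    b = set(crypto_acl(cfg_b))
    return all((d, s) in b for s, d in crypto_acl(cfg_a))

def suggested_routes(local, remote):
    """One static route per unrouted ACL destination, prefix taken from the remote
    router's connected subnet. Assumption: the existing static route's next hop
    also reaches the peer (true for the R1-R2-R3 chain in the thread)."""
    hops = sorted({nh for _, nh in static_routes(local)})
    lines = []
    for dst in map(ipaddress.IPv4Address, unrouted_acl_destinations(local)):
        for net in (a.network for a in connected_networks(remote).values()):
            if dst in net:
                lines += [f"ip route {net.network_address} {net.netmask} {nh}" for nh in hops]
    return lines

if __name__ == "__main__":
    for name, local, remote in (("R1", R1_CONFIG, R3_CONFIG), ("R3", R3_CONFIG, R1_CONFIG)):
        print(name, "redundant static:", redundant_local_routes(local))
        print(name, "unrouted ACL dst:", unrouted_acl_destinations(local))
        print(name, "add:", suggested_routes(local, remote))
    print("crypto ACLs mirrored:", acls_mirrored(R1_CONFIG, R3_CONFIG))
```

Run as-is it reports `1.1.1.0/24 via 10.1.1.2` on R1 as redundant with Loopback1, `3.3.3.3` as unrouted, and `ip route 3.3.3.0 255.255.255.0 10.1.1.2` as the missing line (and the mirror image for R3); appending that route to R1's config makes the unrouted list empty while the mirrored-ACL check stays true, which is the state a working site-to-site tunnel needs before any ISAKMP or certificate debugging is worth doing.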
