Config VPN


Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ho VPN_R1
VPN_R1(config)#end
VPN_R1#
*Jul 20 17:10:36.139: %SYS-5-CONFIG_I: Configured from console by console
VPN_R1#sh run
VPN_R1#sh running-config
Building configuration...

Current configuration : 1049 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN_R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 clock rate 125000
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 125000
!
router ospf 1
 log-adjacency-changes
 network 172.16.1.0 0.0.0.255 area 0
 network 192.168.12.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
!
end

VPN_R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
VPN_R1(config)#cry
VPN_R1(config)#crypto isa
VPN_R1(config)#crypto isakmp ena
VPN_R1(config)#crypto isakmp enable
VPN_R1(config)#cry
VPN_R1(config)#crypto isa
VPN_R1(config)#crypto isakmp pol
VPN_R1(config)#crypto isakmp policy 10
VPN_R1(config-isakmp)#?
ISAKMP commands:
  authentication  Set authentication method for protection suite
  default         Set a command to its defaults
  encryption      Set encryption algorithm for protection suite
  exit            Exit from ISAKMP protection suite configuration mode
  group           Set the Diffie-Hellman group
  hash            Set hash algorithm for protection suite
  lifetime        Set lifetime for ISAKMP security association
  no              Negate a command or set its defaults

VPN_R1(config-isakmp)#aut
VPN_R1(config-isakmp)#authentication pre
VPN_R1(config-isakmp)#authentication pre-share
VPN_R1(config-isakmp)#encr
VPN_R1(config-isakmp)#encryption aes 256
VPN_R1(config-isakmp)#hash sha
VPN_R1(config-isakmp)#grou
VPN_R1(config-isakmp)#group 5
VPN_R1(config-isakmp)#life
VPN_R1(config-isakmp)#lifetime 3600
VPN_R1(config-isakmp)#end
VPN_R1#
*Jul 20 17:17:20.319: %SYS-5-CONFIG_I: Configured from console by console
VPN_R1#sho
VPN_R1#show cry
VPN_R1#show crypto isa
VPN_R1#show crypto isakmp poli
VPN_R1#show crypto isakmp policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               3600 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
VPN_R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
VPN_R1(config)#cry
VPN_R1(config)#crypto isa
VPN_R1(config)#crypto isakmp key cisco address 192.168.23.3

VPN_R1(config)#cry
VPN_R1(config)#crypto ip
VPN_R1(config)#crypto ipsec tra
VPN_R1(config)#crypto ipsec transform-set ?
  WORD  Transform set tag

VPN_R1(config)#crypto ipsec transform-set 50 ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  comp-lzs      IP Compression using the LZS compression algorithm
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes       ESP transform using AES cipher
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-null      ESP transform w/o cipher
  esp-seal      ESP transform using SEAL cipher (160 bits)
  esp-sha-hmac  ESP transform using HMAC-SHA auth

VPN_R1(config)#crypto ipsec transform-set 50 esp
VPN_R1(config)#crypto ipsec transform-set 50 esp-ae
VPN_R1(config)#crypto ipsec transform-set 50 esp-aes ?
  128           128 bit keys.
  192           192 bit keys.
  256           256 bit keys.
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  comp-lzs      IP Compression using the LZS compression algorithm
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-sha-hmac  ESP transform using HMAC-SHA auth
  <cr>

VPN_R1(config)#crypto ipsec transform-set 50 esp-aes 256 ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  comp-lzs      IP Compression using the LZS compression algorithm
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-sha-hmac  ESP transform using HMAC-SHA auth
  <cr>

VPN_R1(config)#crypto ipsec transform-set 50 esp-aes 256 esp
VPN_R1(config)#crypto ipsec transform-set 50 esp-aes 256 esp-sh
VPN_R1(config)#crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac ?
  ah-md5-hmac  AH-HMAC-MD5 transform
  ah-sha-hmac  AH-HMAC-SHA transform
  comp-lzs     IP Compression using the LZS compression algorithm
  <cr>

VPN_R1(config)#crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
VPN_R1(cfg-crypto-trans)#exit
VPN_R1(config)#cry
VPN_R1(config)#crypto ipsec
VPN_R1(config)#crypto ipsec secu
VPN_R1(config)#crypto ipsec security-association lif
VPN_R1(config)#crypto ipsec security-association lifetime se
VPN_R1(config)#crypto ipsec security-association lifetime seconds 1800
VPN_R1(config)#acc
VPN_R1(config)#access-list 101 per
VPN_R1(config)#access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
VPN_R1(config)#cry
VPN_R1(config)#crypto map MYMAP 10 ipsec-is
VPN_R1(config)#crypto map MYMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
VPN_R1(config-crypto-map)#mat
VPN_R1(config-crypto-map)#match add
VPN_R1(config-crypto-map)#match address 101
VPN_R1(config-crypto-map)#set ?
  identity              Identity restriction.
  ip                    Interface Internet Protocol config commands
  isakmp-profile        Specify isakmp Profile
  nat                   Set NAT translation
  peer                  Allowed Encryption/Decryption peer.
  pfs                   Specify pfs settings
  security-association  Security association parameters
  transform-set         Specify list of transform sets in priority order

VPN_R1(config-crypto-map)#set peer 192.168.23.3
VPN_R1(config-crypto-map)#set pfs group5
VPN_R1(config-crypto-map)#set trans
VPN_R1(config-crypto-map)#set transform-set 50
VPN_R1(config-crypto-map)#set sec
VPN_R1(config-crypto-map)#set security-association lif
VPN_R1(config-crypto-map)#set security-association lifetime se
VPN_R1(config-crypto-map)#set security-association lifetime seconds 900
VPN_R1(config-crypto-map)#exit
VPN_R1(config)#int
VPN_R1(config)#interface fa
VPN_R1(config)#interface fastEthernet 0/0
VPN_R1(config-if)#cry
VPN_R1(config-if)#crypto map MYMAP
VPN_R1(config-if)#
*Jul 20 17:28:51.963: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
VPN_R1(config-if)#exit
VPN_R1(config)#exit
VPN_R1#
*Jul 20 17:30:02.695: %SYS-5-CONFIG_I: Configured from console by console
VPN_R1#sho cry
VPN_R1#sho crypto ip
VPN_R1#sho crypto ipsec tra
VPN_R1#sho crypto ipsec transform-set
Transform set 50: { esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },

VPN_R1#sho crypto ipsec transform-set
Transform set 50: { esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },

VPN_R1#show cry
VPN_R1#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: MYMAP, local addr 192.168.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
   current_peer 192.168.23.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.12.1, remote crypto endpt.: 192.168.23.3
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:
*Jul 20 17:35:43.459: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /172.16.1.1, src_addr= 172.16.3.1, prot= 1

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

VPN_R1#
VPN_R1#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: MYMAP, local addr 192.168.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
   current_peer 192.168.23.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.12.1, remote crypto endpt.: 192.168.23.3
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

VPN_R1#ping
Protocol [ip]: 172.16.3.1
% Unknown protocol - "172.16.3.1", type "ping ?" for help
VPN_R1#172.16.3.1
Trying 172.16.3.1 ... Open
Password required, but none set
[Connection to 172.16.3.1 closed by foreign host]
VPN_R1#
VPN_R1#ping ?
  WORD       Ping destination address or hostname
  appletalk  Appletalk echo
  clns       CLNS echo
  decnet     DECnet echo
  ip         IP echo
  ipv6       IPv6 echo
  ipx        Novell/IPX echo
  srb        srb echo
  tag        Tag encapsulated IP echo
  <cr>

VPN_R1#172.16.3.1
Trying 172.16.3.1 ... Open
Password required, but none set
[Connection to 172.16.3.1 closed by foreign host]
VPN_R1#ping 172.16.3.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
VPN_R1#ping 172.16.3.1 rep
VPN_R1#ping 172.16.3.1 repeat 1000 size 1500

Type escape sequence to abort.
Sending 1000, 1500-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 1/2/4 ms
VPN_R1#sh
VPN_R1#show cry
VPN_R1#show crypto ?
  ca               Show certification authority policy
  call             Show crypto call admission info
  debug-condition  Debug Condition filters
  dynamic-map      Crypto map templates
  eli              Encryption Layer Interface
  engine           Show crypto engine info
  identity         Show crypto identity list
  ipsec            Show IPSEC policy
  isakmp           Show ISAKMP
  key              Show long term public keys
  map              Crypto maps
  mib              Show Crypto-related MIB Parameters
  optional         Optional Encryption Status
  pki              Show PKI
  session          Show crypto sessions (tunnels)
  sockets          Secure Socket Information

VPN_R1#show crypto ip
VPN_R1#show crypto ipsec ?
  client                Show Client Status
  policy                Show IPSEC client policies
  profile               Show ipsec profile information
  sa                    IPSEC SA table
  security-association  Show parameters for IPSec security associations
  transform-set         Crypto transform sets

VPN_R1#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: MYMAP, local addr 192.168.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
   current_peer 192.168.23.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.12.1, remote crypto endpt.: 192.168.23.3
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

VPN_R1#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: MYMAP, local addr 192.168.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
   current_peer 192.168.23.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.12.1, remote crypto endpt.: 192.168.23.3
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

VPN_R1#
*Jul 20 17:41:37.663: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /172.16.1.1, src_addr= 172.16.3.1, prot= 1
VPN_R1#ping

Protocol [ip]:
Target IP address: 172.16.3.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.16.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
*Jul 20 17:42:25.923: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 192.168.23.3
.....
Success rate is 0 percent (0/5)
VPN_R1#
VPN_R1#
VPN_R1#
VPN_R1#sh run
Building configuration...

Current configuration : 1550 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN_R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
VPN_R1#ping 172.16.3.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
VPN_R1#ping 172.16.3.1 rep 1000 size 15000

Type escape sequence to abort.
Sending 1000, 15000-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 12/13/20 ms
VPN_R1#ping
Protocol [ip]:
Target IP address: 172.16.3.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.16.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
*Jul 20 17:45:51.751: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 192.168.23.3
.....
Success rate is 0 percent (0/5)
VPN_R1#sh runn
VPN_R1#sh running-config
Building configuration...

Current configuration : 1550 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN_R1

!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address 192.168.23.3
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 192.168.23.3
 set security-association lifetime seconds 900
 set transform-set 50
 set pfs group5
 match address 101
!
!
!
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 duplex auto
 speed auto
 crypto map MYMAP
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 clock rate 125000
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 125000
!
router ospf 1
 log-adjacency-changes
 network 172.16.1.0 0.0.0.255 area 0
 network 192.168.12.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
gatekeeper
 shutdown
VPN_R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
VPN_R1(config)#no crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
Transform-set 50 is in use by the crypto-map(s): MYMAP
First remove the transform-set from the above crypto map(s).
VPN_R1(config)#
VPN_R1(config)#exit
VPN_R1#
*Jul 20 17:49:51.935: %SYS-5-CONFIG_I: Configured from console by console
VPN_R1#sh run

Building configuration...

Current configuration : 1550 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN_R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address 192.168.23.3
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 192.168.23.3
 set security-association lifetime seconds 900
 set transform-set 50
 set pfs group5
 match address 101
!
!
!
!
VPN_R1#copy run
VPN_R1#copy running-config
% Incomplete command.

VPN_R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
VPN_R1(config)#crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac ah-sha-hmac
VPN_R1(cfg-crypto-trans)#
VPN_R1(cfg-crypto-trans)#exit
VPN_R1(config)#exit
VPN_R1#
VPN_R1#
*Jul 20 17:50:54.147: %SYS-5-CONFIG_I: Configured from console by console
VPN_R1#sh run
Building configuration...

Current configuration : 1562 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN_R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!

!
!
!
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address 192.168.23.3
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 192.168.23.3
 set security-association lifetime seconds 900
 set transform-set 50
 set pfs group5
 match address 101
!
!
!
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 duplex auto
 speed auto
 crypto map MYMAP
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 clock rate 125000
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 125000
!
router ospf 1
 log-adjacency-changes
 network 172.16.1.0 0.0.0.255 area 0
 network 192.168.12.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
!
end

VPN_R1#
VPN_R1#
VPN_R1#
VPN_R1#
VPN_R1#
VPN_R1#
VPN_R1#ping
Protocol [ip]:
Target IP address: 172.16.3.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.16.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
*Jul 20 17:51:49.231: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 192.168.23.3
.....
Success rate is 0 percent (0/5)
VPN_R1#172.16.1.1
Trying 172.16.1.1 ... Open

Password required, but none set
[Connection to 172.16.1.1 closed by foreign host]
VPN_R1#
VPN_R1#
VPN_R1#ping
Protocol [ip]:
Target IP address: 172.16.3.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.16.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
.....
Success rate is 0 percent (0/5)
VPN_R1#
VPN_R1#
VPN_R1#
VPN_R1#
VPN_R1#
VPN_R1#sh cry
VPN_R1#sh crypto ?
  ca               Show certification authority policy
  call             Show crypto call admission info
  debug-condition  Debug Condition filters
  dynamic-map      Crypto map templates
  eli              Encryption Layer Interface
  engine           Show crypto engine info
  identity         Show crypto identity list
  ipsec            Show IPSEC policy
  isakmp           Show ISAKMP
  key              Show long term public keys
  map              Crypto maps
  mib              Show Crypto-related MIB Parameters
  optional         Optional Encryption Status
  pki              Show PKI
  session          Show crypto sessions (tunnels)
  sockets          Secure Socket Information

VPN_R1#sh crypto ip
VPN_R1#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: MYMAP, local addr 192.168.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
   current_peer 192.168.23.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 20, #recv errors 0

     local crypto endpt.: 192.168.12.1, remote crypto endpt.: 192.168.23.3
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

VPN_R1#
VPN_R1#
VPN_R1#
VPN_R1#
VPN_R1#
VPN_R1#
VPN_R1#
VPN_R1#
VPN_R1#sh runn
VPN_R1#sh running-config
Building configuration...

Current configuration : 1562 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN_R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
 no dspfarm

!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address 192.168.23.3
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 192.168.23.3
 set security-association lifetime seconds 900
 set transform-set 50
 set pfs group5
 match address 101
!
!
!
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 duplex auto
VPN_R1#
VPN_R1#
VPN_R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.12.0/24 is directly connected, FastEthernet0/0
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C       172.16.1.0/24 is directly connected, Loopback0
O       172.16.3.1/32 [110/3] via 192.168.12.2, 01:01:13, FastEthernet0/0
     192.168.20.0/32 is subnetted, 1 subnets
O       192.168.20.1 [110/2] via 192.168.12.2, 01:01:13, FastEthernet0/0
O    192.168.23.0/24 [110/2] via 192.168.12.2, 01:01:13, FastEthernet0/0
VPN_R1#sh running-config
Building configuration...

Current configuration : 1562 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN_R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
VPN_R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.12.0/24 is directly connected, FastEthernet0/0
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C       172.16.1.0/24 is directly connected, Loopback0
O       172.16.3.1/32 [110/3] via 192.168.12.2, 01:02:09, FastEthernet0/0
     192.168.20.0/32 is subnetted, 1 subnets
O       192.168.20.1 [110/2] via 192.168.12.2, 01:02:09, FastEthernet0/0
O    192.168.23.0/24 [110/2] via 192.168.12.2, 01:02:09, FastEthernet0/0
VPN_R1#sh running-config
Building configuration...

Current configuration : 1562 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec

no service password-encryption
!
hostname VPN_R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address 192.168.23.3
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 192.168.23.3
 set security-association lifetime seconds 900
 set transform-set 50
 set pfs group5
 match address 101
!
!
!
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 duplex auto
 speed auto
 crypto map MYMAP
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 clock rate 125000
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 125000
!
router ospf 1
 log-adjacency-changes
 network 172.16.1.0 0.0.0.255 area 0
 network 192.168.12.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
line aux 0
line vty 0 4
 login
!

scheduler allocate 20000 1000
!
end

VPN_R1#
VPN_R1#sh cry
VPN_R1#show crypto ip
VPN_R1#show crypto ipsec sa
VPN_R1#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: MYMAP, local addr 192.168.12.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
   current_peer 192.168.23.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 20, #recv errors 0

     local crypto endpt.: 192.168.12.1, remote crypto endpt.: 192.168.23.3
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
VPN_R1#sh run
Building configuration...

Current configuration : 1562 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN_R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!

ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key cisco address 192.168.23.3
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set 50 ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 192.168.23.3
 set security-association lifetime seconds 900
 set transform-set 50
 set pfs group5
 match address 101
!
!
!
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 duplex auto
 speed auto
 crypto map MYMAP
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 clock rate 125000
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 125000
!
router ospf 1
 log-adjacency-changes
 network 172.16.1.0 0.0.0.255 area 0
 network 192.168.12.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
!
end

VPN_R1#
VPN_R1#
VPN_R1#
VPN_R1#reloa
VPN_R1#reload
System configuration has been modified. Save? [yes/no]: n

Proceed with reload? [confirm]
*Jul 20 18:10:30.987: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.
System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
Initializing memory for ECC
.
c2811 platform with 262144 Kbytes of main memory
Main memory is configured to 64 bit mode with ECC enabled

Readonly ROMMON initialized
program load complete, entry point: 0x8000f000, size: 0x26bf090
Self decompressing the image : ################################################################################################################################################################################################################################## [OK]

Smart Init is enabled
smart init is sizing iomem
                  ID            MEMORY_REQ     TYPE
                  0003E7        0X00473800     C2811 Mainboard
                                0X00263F50     Onboard VPN
                                0X000021B8     Onboard USB
                                0X002C29F0     public buffer pools
                                0X00211000     public particle pools
                  TOTAL:        0X00BAD2F8

If any of the above Memory Requirements are
"UNKNOWN", you may be using an unsupported
configuration or there is a software problem and
system operation may be compromised.
Rounded IOMEM up to: 12Mb.
Using 4 percent iomem. [12Mb/256Mb]

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706

Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9_IVS-M), Version 12.4(21), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 02:21 by prod_rel_team

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 2811 (revision 49.46) with 249856K/12288K bytes of memory.
Processor board ID FTX1227A0GW
2 FastEthernet interfaces
2 Low-speed serial(sync/async) interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)


         --- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]:
