Differences

This shows you the differences between two versions of the page.

--- cisco:books:ccnp_300-730:ch3:001 [2025/08/31 15:18] – Name
+++ cisco:books:ccnp_300-730:ch3:001 [2025/08/31 17:54] (current) – Name
@@ Line 16: / Line 16: @@
 <code>en
 conf t
+no ip domain lookup
 hostname r1-hub
 line con 0
+history size 256
 logg syn
 exec-timeout 0 0
@@ Line 26: / Line 28: @@
  ip address 1.1.1.1 255.255.255.255
 !
-interface Ethernet0/0
+interface GigabitEthernet1
  shutdown
  ip address 12.1.1.1 255.255.255.0
@@ Line 63: / Line 65: @@
  match address castle-acl
 !
-interface Ethernet0/0
+interface GigabitEthernet1
  crypto map svpn-map
  no shutdown
@@ Line 73: / Line 75: @@
 <code>en
 conf t
+no ip domain lookup
 hostname r2-spoke
 line con 0
+history size 256
 logg syn
 exec-timeout 0 0
@@ Line 83: / Line 87: @@
  ip address 2.2.2.2 255.255.255.255
 !
-interface Ethernet0/0
+interface GigabitEthernet1
  shutdown
  ip address 12.1.1.2 255.255.255.0
@@ Line 120: / Line 124: @@
  match address castle-acl
 !
-interface Ethernet0/0
+interface GigabitEthernet1
  crypto map svpn-map
  no shutdown
@@ Line 140: / Line 144: @@
 <code>r1-hub#show ip cef 12.1.1.2
 .1.1.2/32
-  attached to Ethernet0/0</code>
+  attached to GigabitEthernet1</code>
   * The hub's CEF table has the correct entry. This tells us that layers 1-3 are correct. If you want, you can view the ARP table to confirm.
 <code>r1-hub#show ip arp 12.1.1.2
 Protocol  Address          Age (min)  Hardware Addr   Type   Interface
-Internet  12.1.1.2                9   aabb.cc00.2000  ARPA   Ethernet0/0</code>
+Internet  12.1.1.2                9   5000.0004.0000  ARPA   GigabitEthernet1</code>
   * A packet capture on the hub's interface (or spoke) will reveal that their are no ESP packets being exchanged.
   * The following packet capture is taken when trying to ping the spoke from the hub.
@@ Line 434: / Line 438: @@
 *Aug 31 15:18:26.902: IKEv2:(SESSION ID = 1,SA ID = 1):Processing ACK to informational exchange
 *Aug 31 15:18:26.902: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA</code>
+  * Scroll the top where the IKEv2 is retrieving its configuration.
+<code>*Aug 31 15:17:56.832: IKEv2:% Getting preshared key from profile keyring lion-key
+*Aug 31 15:17:56.833: IKEv2:% Matched peer block 'peer-remote'
+{Output omitted.}</code>
+  * Notice how the output keeps deleting the SA, then rebuilding the SA to send again. Turn on debugging on the spoke and try to ping the hub.
+<code>r2-spoke#debug crypto ikev2
+IKEv2 default debugging is on
+r2-spoke#ping 12.1.1.1</code>
+  * The spoke is not generating the same style output as the hub. Lets verify the crypto configuration on the interface first.
+<code>r2-spoke#show run int g1
+Building configuration...
+Current configuration : 138 bytes
+!
+interface GigabitEthernet1
+ ip address 12.1.1.2 255.255.255.0
+ negotiation auto
+ no mop enabled
+ no mop sysid
+ crypto map svpn-map
+end</code>
+  * The interface configuration looks correct. Next is to verify the crypto configuration and double-check the mapping.
+<code>r2-spoke#show run | s crypto
+! Ignore the PKI cert info at the top.
+crypto ikev2 proposal rook-proposal
+ encryption aes-cbc-256
+ integrity sha512
+ group 14
+crypto ikev2 policy svpn-policy
+ proposal rook-proposal
+crypto ikev2 keyring lion-key
+ peer peer-remote
+  address 12.1.1.1
+  pre-shared-key cisco
+ !
+crypto ikev2 profile side-profile
+ match identity remote address 12.1.1.1 255.255.255.255
+ authentication remote pre-share
+ authentication local pre-share
+ keyring local lion-key
+crypto ipsec transform-set tset esp-aes esp-sha512-hmac
+ mode tunnel
+crypto map svpn-map 10 ipsec-isakmp
+ set peer 12.1.1.1
+ set transform-set tset
+ set pfs group14
+ set ikev2-profile side-profile
+ match address castle-acl</code>
+  * The **crypto map svpn-map** does match. Reading through Chapter 3, as referenced above, concludes that the crypto configuration is correct. Lets look at the access-list the crypto map is referencing.
+<code>r2-spoke#show run | s access-list extended castle-acl
+ip access-list extended castle-acl
+ permit ip host 12.1.1.1 host 12.1.1.2<code>
+  * At first glance, it seems the ACL is correct, but the permit line is subtly backwards. Flip the hosts around and test again.
+  * The next step is for demonstration purposes to show what happens when the access-list in-use is attempted to be edited.
+<code>2-spoke#conf t
+Enter configuration commands, one per line.  End with CNTL/Z.
+r2-spoke(config)#ip access-list extended castle-acl
+r2-spoke(config-ext-nacl)#no  10 permit ip host 12.1.1.1 host 12.1.1.2
+%ACL castle-acl can not be modified/deleted, as it is used in crypto-map svpn-map
+%Please first remove the ACL from crypto map or remove the crypto map from the interface</code>
+  * This is the correct procedure to migrate the ACL entry to the end.
+<code>r2-spoke#conf t
+Enter configuration commands, one per line.  End with CNTL/Z.
+r2-spoke(config)#int g1
+r2-spoke(config-if)#no crypto map
+r2-spoke(config-if)#
+*Aug 31 17:23:37.223: (ipsec_license_release) IPSEC License handle release failed (55)
+r2-spoke(config-if)#
+*Aug 31 17:23:37.323: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
+r2-spoke(config-if)#ip access-list extended castle-acl
+r2-spoke(config-ext-nacl)#no  10 permit ip host 12.1.1.1 host 12.1.1.2
+r2-spoke(config-ext-nacl)#10 permit ip host 12.1.1.2 host 12.1.1.1</code>
+  * Verify the ACL is correct.
+<code>r2-spoke(config-if)#do show run | s access-list extended castle-acl
+ip access-list extended castle-acl
+permit ip host 12.1.1.2 host 12.1.1.1</code>
+  * The ACL is now correct. Next, add the crypto map back on the interface.
+<code>r2-spoke(config-ext-nacl)#int g1
+r2-spoke(config-if)# crypto map svpn-map</code>
+  * Turn debugging off on the hub and spoke.
+<code>r1-hub#u all
+All possible debugging has been turned off</code>
+<code>r2-spoke#u all
+All possible debugging has been turned off</code>
+  * Test with a ping again from either the hub or spoke.
+<code>r1-hub#ping 12.1.1.2
+Type escape sequence to abort.
+Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
+!!!!!
+Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms</code>
+<code>r2-spoke#ping 12.1.1.1
+Type escape sequence to abort.
+Sending 5, 100-byte ICMP Echos to 12.1.1.1, timeout is 2 seconds:
+!!!!!
+Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms</code>
+  * Success. Verify the crypto sa.
+<code>r1-hub#show crypto ikev2 sa
+ IPv4 Crypto IKEv2  SA
+Tunnel-id Local                 Remote                fvrf/ivrf            Status
+         12.1.1.1/500          12.1.1.2/500          none/none            READY
+      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
+      Life/Active Time: 86400/276 sec</code>
+<code>r2-spoke#show crypto ikev2 sa
+ IPv4 Crypto IKEv2  SA
+Tunnel-id Local                 Remote                fvrf/ivrf            Status
+         12.1.1.2/500          12.1.1.1/500          none/none            READY
+      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
+      Life/Active Time: 86400/313 sec</code>
-  * Packet Capture on r1-hub e0/0 interface.
+  * One last check with Wireshark while pinging.
-{{ :cisco:books:ccnp_300-730:ch3:000:Lab-000-IKEv2-Overview.png?800 |Lab-001-Overview}}\\
+{{ :cisco:books:ccnp_300-730:ch3:001:Lab-001-IKEv2-Capture2.png?900 |Lab-001-IKEv2-Capture2}}\\

Tim's Technology Journey Wiki

User Tools

Site Tools

Differences

Page Tools