cisco:books:ccnp_300-730:ch3:001

cisco:books:ccnp_300-730:ch3:001 [2025/08/31 17:25] Name
cisco:books:ccnp_300-730:ch3:001 [2025/08/31 17:54] (current) Name
Line 509: Line 509:
 r2-spoke(config-if)#ip access-list extended castle-acl r2-spoke(config-if)#ip access-list extended castle-acl
 r2-spoke(config-ext-nacl)#no  10 permit ip host 12.1.1.1 host 12.1.1.2 r2-spoke(config-ext-nacl)#no  10 permit ip host 12.1.1.1 host 12.1.1.2
-r2-spoke(config-ext-nacl)#10 permit ip host 12.1.1.2 host 12.1.1.1     +r2-spoke(config-ext-nacl)#10 permit ip host 12.1.1.2 host 12.1.1.1</code> 
-r2-spoke(config-ext-nacl)#int g1 +  * Verify the ACL is correct. 
-r2-spoke(config-if)# crypto map svpn-map +<code>r2-spoke(config-if)#do show run | s access-list extended castle-acl 
-r2-spoke(config-if)+ip access-list extended castle-acl 
-*Aug 31 17:24:34.273%CRYPTO-6-ISAKMP_ON_OFFISAKMP is ON</code>+ 10 permit ip host 12.1.1.2 host 12.1.1.1</code>  
 +  * The ACL is now correct. Next, add the crypto map back on the interface. 
 +<code>r2-spoke(config-ext-nacl)#int g1 
 +r2-spoke(config-if)# crypto map svpn-map</code> 
 +  * Turn debugging off on the hub and spoke. 
 +<code>r1-hub#u all 
 +All possible debugging has been turned off</code> 
 +<code>r2-spoke#u all 
 +All possible debugging has been turned off</code> 
 +  Test with a ping again from either the hub or spoke. 
 +<code>r1-hub#ping 12.1.1.2 
 +Type escape sequence to abort. 
 +Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds: 
 +!!!!! 
 +Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms</code> 
 +<code>r2-spoke#ping 12.1.1.1 
 +Type escape sequence to abort. 
 +Sending 5, 100-byte ICMP Echos to 12.1.1.1, timeout is 2 seconds: 
 +!!!!! 
 +Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms</code> 
 +  * Success. Verify the crypto sa. 
 +<code>r1-hub#show crypto ikev2 sa  
 + IPv4 Crypto IKEv2  SA 
  
 +Tunnel-id Local                 Remote                fvrf/ivrf            Status 
 +1         12.1.1.1/500          12.1.1.2/500          none/none            READY  
 +      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
 +      Life/Active Time: 86400/276 sec</code>
 +<code>r2-spoke#show crypto ikev2 sa
 + IPv4 Crypto IKEv2  SA 
  
- +Tunnel-id Local                 Remote                fvrf/ivrf            Status  
- +1         12.1.1.2/500          12.1.1.1/500          none/none            READY   
- +      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK 
- +      Life/Active Time: 86400/313 sec</code> 
- +  * One last check with Wireshark while pinging
- +{{ :cisco:books:ccnp_300-730:ch3:001:Lab-001-IKEv2-Capture2.png?900 |Lab-001-IKEv2-Capture2}}\\ 
- +
- +
-  * Packet Capture on r1-hub e0/0 interface+
-{{ :cisco:books:ccnp_300-730:ch3:000:Lab-000-IKEv2-Overview.png?800 |Lab-001-Overview}}\\ +
  
  
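Review bot: the verification added here checks only one side of the crypto ACL and only the IKEv2 SA, so it does not yet prove the pings were carried by the tunnel. The spoke's `castle-acl` is now `10 permit ip host 12.1.1.2 host 12.1.1.1` (local source, remote destination), which is the right direction for r2-spoke, but a crypto map ACL has to be the mirror image of the peer's; add the same `do show run | s access-list extended castle-acl` on r1-hub so the reader sees `permit ip host 12.1.1.1 host 12.1.1.2` there, otherwise the reversed-host mistake fixed at line 509 can survive on the hub. A `READY` entry in `show crypto ikev2 sa` confirms the IKE SA only; follow it with `show crypto ipsec sa` on either router and check that `#pkts encaps` / `#pkts decaps` go up by 5 after each ping burst, which is the reproducible form of the Wireshark check at the end. Minor: `u all` is the abbreviation of `undebug all`, spell it out so the step does not depend on prefix matching; and `Test with a ping again from either the hub or spoke.` is missing the `  * ` bullet marker the surrounding steps use.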