User Tools
cisco:books:ccnp_300-730:ch3:001
This is an old revision of the document!
Table of Contents
Lab 001 - Incorrect ACL Entry on Spoke
References:
Rob Riker Teaching VPN Concepts on YouTube
CCNP Security Virtual Private Networks SVPN 300-730 Official Cert Guide
- ISBN: 9780136660606
- Chapter 3, Router Configuration with IKEv2, page 78.
- This lab explains how to troubleshoot an incorrect access-list (ACL) entry on the spoke.
- This lab has two directly connected routers that share IKEv2's ESP-encrypted messages.
r1-hub's initial configuration
en conf t hostname r1-hub line con 0 logg syn exec-timeout 0 0 width 512 exit interface Loopback0 no shutdown ip address 1.1.1.1 255.255.255.255 ! interface Ethernet0/0 shutdown ip address 12.1.1.1 255.255.255.0 ! ip access-list extended castle-acl remark Permit statements equal traffic that shall be encrypted. permit ip host 12.1.1.1 host 12.1.1.2 ! crypto ikev2 proposal rook-proposal encryption aes-cbc-256 integrity sha512 group 14 ! crypto ikev2 policy svpn-policy proposal rook-proposal ! crypto ikev2 keyring lion-key peer peer-remote address 12.1.1.2 pre-shared-key cisco ! crypto ikev2 profile side-profile match identity remote address 12.1.1.2 255.255.255.255 authentication remote pre-share authentication local pre-share keyring local lion-key ! crypto ipsec transform-set tset esp-aes esp-sha512-hmac mode tunnel ! crypto map svpn-map 10 ipsec-isakmp set peer 12.1.1.2 set transform-set tset set pfs group14 set ikev2-profile side-profile match address castle-acl ! interface Ethernet0/0 crypto map svpn-map no shutdown ! end wr
r2-spoke's initial configuration
en conf t hostname r2-spoke line con 0 logg syn exec-timeout 0 0 width 512 exit interface Loopback0 no shutdown ip address 2.2.2.2 255.255.255.255 ! interface Ethernet0/0 shutdown ip address 12.1.1.2 255.255.255.0 ! ip access-list extended castle-acl remark Permit statements equal traffic that shall be encrypted. permit ip host 12.1.1.1 host 12.1.1.2 ! crypto ikev2 proposal rook-proposal encryption aes-cbc-256 integrity sha512 group 14 ! crypto ikev2 policy svpn-policy proposal rook-proposal ! crypto ikev2 keyring lion-key peer peer-remote address 12.1.1.1 pre-shared-key cisco ! crypto ikev2 profile side-profile match identity remote address 12.1.1.1 255.255.255.255 authentication remote pre-share authentication local pre-share keyring local lion-key ! crypto ipsec transform-set tset esp-aes esp-sha512-hmac mode tunnel ! crypto map svpn-map 10 ipsec-isakmp set peer 12.1.1.1 set transform-set tset set pfs group14 set ikev2-profile side-profile match address castle-acl ! interface Ethernet0/0 crypto map svpn-map no shutdown ! end wr
Verification
r1-hub#ping 12.1.1.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds: ..... Success rate is 0 percent (0/5)
- The ping should fail for this initial configuration. Now the steps will be detailed to isolate the root cause.
r1-hub#show crypto ikev2 sa r1-hub#
- Nothing returned. The neighbor is missing. The next step is to check the CEF table on the hub.
r1-hub#show ip cef 12.1.1.2 12.1.1.2/32 attached to Ethernet0/0
- The hub's CEF table has the correct entry. This tells us that layers 1-3 are correct. If you want, you can view the ARP table to confirm.
r1-hub#show ip arp 12.1.1.2 Protocol Address Age (min) Hardware Addr Type Interface Internet 12.1.1.2 9 aabb.cc00.2000 ARPA Ethernet0/0
- A packet capture on the hub's interface (or spoke) will reveal that their are no ESP packets being exchanged.
- The following packet capture is taken when trying to ping the spoke from the hub.
- Notice the absent of the ESP packets from Lab 000
- Packet Capture on r1-hub e0/0 interface.
Backlinks
cisco/books/ccnp_300-730/ch3/001.1756653231.txt.gz · Last modified: by Name
