iementor CCIE Service Provider Workbook v1.0 Lab13 Solutions: Layer 2 VPN II

Transcription

1 This lab is challenging because it requires knowledge of both security and MPLS. We did not include many solution notes with this lab because it is very difficult to address the various levels of our readers expertise. If any of this lab s configuration outputs and/or tasks are unclear, please your specific questions to sp@iementor.com. CE2 NASDAK Site 2 E 0/ / E0/0 CE4 NASDAK Site 1 HQ MPLS SP1 VLAN PE3 E0/0.31 FE 0/ Dot1q-Trunk PE Task 13.1: Customer NASDAK requires communicating between their Site 1 HQ and Site 2. The customer requires Site 1 and Site 2 to not send any routing or exchange any information/networks with SP1. The customer also requires to pass Multicast from Site 1 to Site 2. Knowing there requirements, you realize that your core is not Multicast enabled. Provide alternatives to accommodate their requirements. The customer mentions they have one 3550 switch with 1 VLAN at Site 1. 1 This product is individually licensed.

2 The customer also mentions that Site 2 has just a dumb-hub and all users need to be able to communicate with the HQs, and the hardware will not be changed. This side is not allowed to use Dot1q because the dumb-hub has no way to accept and examine the Dot1q trunk. Configure this task such that when the customer on CE2 executes show cdp neighbors they see CE4 as directly connected. To verify this task, ensure that CE4 and CE2 can ping each other s Loopbacks without advertising them in the SP1 core. PE1-RACK1(config)#pseudowire-class inter-working PE1-RACK1(config-pw-class)# encapsulation mpls PE1-RACK1(config-pw-class)# interworking ip PE1-RACK1(config-subif)#xconnect pw-class inter-working Enable CEF before configuring xconnect. PE1-RACK1(config-subif)#ip cef PE1-RACK1(config)#int Fastethernet 2/0.100 PE1-RACK1 (config-subif)#xconnect pw-class inter-working PE3-RACK1(config)#pseudowire-class inter-working PE3-RACK1(config-pw-class)# encapsulation mpls PE3-RACK1(config-pw-class)# interworking ip PE3-RACK1(config-pw-class)#interface Ethernet0/0 PE3-RACK1(config-if)# no ip address PE3-RACK1(config-if)# no ip directed-broadcast PE3-RACK1(config-if)# no cdp enable PE3-RACK1(config-if)# xconnect pw-class inter-working PE1-RACK1#sho mpls l2transport vc Local intf Local circuit Dest address VC ID Status Ft2/0.100 Feth VLAN UP PE1#sho mpls l2transport vc de Local interface: Ft2/0.100 up, line protocol up, Eth VLAN 100 up MPLS VC type is IP, interworking type is IP Destination address: , VC ID: 100, VC status: up Preferred path: not configured 2 This product is individually licensed.

3 Default path: active Next hop: Output interface: Ft1/0, imposed label stack {22} Create time: 00:01:18, last status change time: 00:00:16 Signaling protocol: LDP, peer :0 up MPLS VC labels: local 22, remote 22 Group ID: local 0, remote 0 MTU: local 1500, remote 1500 make sure MTU matches otherwise AC want come up Remote interface description: Sequencing: receive disabled, send disabled Sequence number: receive 0, send 0 VC statistics: packet totals: receive 0, send 0 byte totals: receive 0, send 0 packet drops: receive 0, seq error 0, send 0 PE3-RACK1#sho mpls l2transport vc Local intf Local circuit Dest address VC ID Status Ft2/0 Ethernet UP PE3-RACK1#sho mpls l2transport vc de Local interface: Ft2/0 up, line protocol up, Ethernet up MPLS VC type is IP, interworking type is IP Destination address: , VC ID: 100, VC status: up Preferred path: not configured Default path: active Next hop: Output interface: Et1/0.31, imposed label stack {22} Create time: 00:04:54, last status change time: 00:00:42 Signaling protocol: LDP, peer :0 up MPLS VC labels: local 22, remote 22 Group ID: local 0, remote 0 MTU: local 1500, remote 1500 Remote interface description: Sequencing: receive disabled, send disabled Sequence number: receive 0, send 0 VC statistics: packet totals: receive 0, send 0 byte totals: receive 0, send 0 This verifies Inter-Working VC-Type 11 (raw IP) by using the debugs. PE3-RACK1#no debug all All possible debugging has been turned off PE3-RACK1#debug mpls l2transport signaling message AToM LDP message debugging is on PE3-RACK1#config t 3 This product is individually licensed.

4 Enter configuration commands, one per line. End with CNTL/Z. PE3-RACK1(config)#int e 0/0 PE3-RACK1(config-if)#no shutdown 00:10:55: AToM LDP [ ]: Sending label withdraw msg vc type 11, cbit 1, vc id 100, group id 0, vc label 23, status 0, mtu :10:56: AToM LDP [ ]: Received label release msg, id 20, graceful restart instance 0 vc type 11, cbit 1, vc id 100, group id 0, vc label 23, status 0, mtu 0 00:10:56: AToM LDP [ ]: Sending label mapping msg vc type 11, cbit 1, vc id 100, group id 0, vc label 22, status 0, mtu 1500 iementor Bank Site 2 CE8 F0/0 FE0/ /24 iementor Bank Site 1 HQ CE /24 E 0/0.1 FE1/0/ M Encrypt Layer 2 PE VLAN VLAN IP-CORE SP1 VLAN PE3 E0/0.31 FE 0/ E0/0.23 FE0/ E0/ FE0/ PE Remove all MPLS related commands from SP1 and disable MPLS per interface. Configure iementor Bank s Customer Requirements Customer iementor Bank requires Site 2 to communicate with their Site 1 HQ. The customer requires Site 1 HQ and Site 2 not to send any routing or exchange any information/networks with SP1. 4 This product is individually licensed.

5 The customer also requires to pass AppleTalk for the designers in their design department from Site 1 to Site 2. The customer has 2600 and 2800 routers in Site 1 and Site 2. They want SP1 to establish Layer 2 connectivity such that in the future they can bring multiple sites in to HQ without adding additional ports or modules. Configure SP1 PE2 and PE3 to accommodate all of the above requirements. SP1 is allowed to allocate a VLAN for Site 1 and Site 2. Configure the feature best suited to making this solution work, make the solution very dynamic. Configure a mechanism to transport customer s VLANs to be in a secure session. Configure PE2 and PE3 to minimize overhead for all sessions from PE2 to PE3. To verify this task, ensure that CE1 and CE8 can ping each other s Loopbacks without advertising them in SP1 core. The customer s new requirement is to encrypt all Layer 2 traffic from Site 1 to Site 2, and they are asking SP1 to do it for them. Configure ISAKMP Authentication rsa-sig Hash Md5 Traffic from Site 1 to Site 2 must be encrypted through the SP1 core hostname PE3 ip cef l2tp-class iementor-class authentication password 7 060F0A2C cookie size 4 pseudowire-class PE3-PE2 encapsulation l2tpv3 protocol l2tpv3 iementor-class ip local interface Loopback0 5 This product is individually licensed.

6 crypto isakmp policy 10 hash md5q authentication rsa-sig crypto isakmp key iem6727 address crypto ipsec transform-set iem esp-des esp-md5-hmac crypto map combines 10 ipsec-isakmp description to PE1 set peer set transform-set iem match address 115 interface Loopback0 ip address crypto map combines interface Ethernet0/0.31 ip address crypto map combines interface Ethernet0/0.13 no ip address no cdp enable xconnect pw-class PE3-PE2 interface Ethernet0/0.30 ip address crypto map combines interface Ethernet0/0.123 ip address crypto map combines access-list 115 permit 115 any any log hostname PE2-RACK1 ip cef l2tp-class iementor-class authentication password 7 151B0E01 cookie size 4 pseudowire-class PE3-PE2 encapsulation l2tpv3 protocol l2tpv3 iementor-class ip local interface Loopback0 crypto isakmp policy 10 hash md5 6 This product is individually licensed.

7 authentication rsa-sig crypto isakmp key iem6727 address crypto ipsec transform-set iem esp-des esp-md5-hmac crypto map combines 10 ipsec-isakmp description to PE3 set peer set transform-set iem match address 115 interface Loopback0 ip address crypto map combines interface Ethernet0/0.21 ip address crypto map combines interface Ethernet0/0.123 ip address crypto map combines interface ethernet0/0.82 no ip address no cdp enable xconnect pw-class PE3-PE2 PE3-RACK1#sho debugging Cryptographic Subsystem: Crypto ISAKMP debugging is on Crypto IPSEC debugging is on 01:50:05: ISAKMP:(0):Notify has no hash. Rejected. 01:50:05: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: stat e = IKE_I_MM1 01:50:05: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY 01:50:05: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1 01:50:05: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed w ith peer at :50:05: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid sp PE3-RACK1#clear crypto 01:51:35: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src dst for SPI 0xD07B32DA 01:51:43: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src dst for SPI 0xD07B32DA 7 This product is individually licensed.

8 PE3-RACK1#sho crypto isakmp sa IPv4 Crypto ISAKMP SA dst src state conn-id slot status MM_NO_STATE 0 0 ACTIVE (deleted) MM_NO_STATE 0 0 ACTIVE (deleted) As you can see there is an issue to keep ISAKMP up and active. IPSEC is missing IKE_MESG_FROM_PEER. Based on the debug above you can see that source peering is the issue. To resolve this issue, follow the steps bellow: PE2-RACK1#sho crypto isakmp sa IPv4 Crypto ISAKMP SA dst src state conn-id slot status MM_NO_STATE 0 0 ACTIVE (deleted) PE3-RACK1#sho crypto isakmp policy Global IKE policy Protection suite of priority 10 encryption algorithm: DES - Data Encryption Standard (56 bit keys). hash algorithm: Message Digest 5 authentication method: Pre-Shared Key Diffie-Hellman group: #1 (768 bit) lifetime: seconds, no volume limit Default protection suite encryption algorithm: DES - Data Encryption Standard (56 bit keys). hash algorithm: Secure Hash Standard authentication method: Rivest-Shamir-Adleman Signature Diffie-Hellman group: #1 (768 bit) lifetime: seconds, no volume limit PE2-RACK1#sho crypto isakmp policy Global IKE policy Protection suite of priority 10 encryption algorithm: DES - Data Encryption Standard (56 bit keys). hash algorithm: Message Digest 5 authentication method: Pre-Shared Key Diffie-Hellman group: #1 (768 bit) lifetime: seconds, no volume limit Default protection suite 8 This product is individually licensed.

9 keys). encryption algorithm: DES - Data Encryption Standard (56 bit hash algorithm: Secure Hash Standard authentication method: Rivest-Shamir-Adleman Signature Diffie-Hellman group: #1 (768 bit) lifetime: seconds, no volume limit PE3-RACK1#sho crypto session Crypto session current status Interface: Ethernet0/0 Session status: DOWN-NEGOTIATING Peer: port 500 IKE SA: local /500 remote /500 Inactive IKE SA: local /500 remote /500 Inactive Active SAs: 0, origin: crypto map Interface: Ethernet3/0 Session status: DOWN Peer: port 500 Active SAs: 0, origin: crypto map Interface: Ethernet4/0 Session status: DOWN Peer: port 500 Active SAs: 0, origin: crypto map Interface: Loopback0 Session status: DOWN Peer: port 500 Active SAs: 0, origin: crypto map PE3-RACK1#sho crypto session 01:54:51: No peer struct to get peer description 01:54:51: No peer struct to get peer description 01:54:51: No peer struct to get peer description 01:54:51: No peer struct to get peer description 01:54:52: IPSEC(key_engine): request timer fired: count = 1, (identity) local= , remote= , local_proxy= / /115/0 (type=4), remote_proxy= / /115/0 (type=4) 01:54:52: IPSEC(sa_request):, PE3-RACK1#sho crypto session 01:54:52: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (loc al , remote ) 01:54:52: ISAKMP: Error while processing SA request: Failed to initialize SA 01:54:52: ISAKMP: Error while processing KMI message 0, error 2. 9 This product is individually licensed.

10 PE3-RACK1#sho crypto session 01:54:54: ISAKMP:(0):purging node :54:54: ISAKMP:(0):purging node PE3-RACK1#sho crypto session 01:55:01: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src dst for SPI 0xD07B32DAcofnig t Below is what you are missing. It is very common for people to forget to source the crypto map correctly. Because of L2TPv3, we are using Loopbacks as source and destination. We must source the crypto map the same as our peering points. PE2-RACK1(config)#crypto map combines local-address loopback 0 PE3-RACK1(config)#crypto map combines local-address loopback 0 Here we go 01:55:08: ISAKMP:(0):peer does not do paranoid keepalives. 01:55:08: ISAKMP:(0):deleting SA reason "Death by tree-walk" state (I) MM_NO_STA TE (peer ) 01:55:08: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF 01:55:08: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON 01:55:08: ISAKMP:(0):deleting SA reason "Death by tree-walk" state (I) MM_NO_STA TE (peer ) 01:55:08: ISAKMP: Unlocking peer struct 0x3D89390 for isadb_mark_sa_deleted(), c ount 0 01:55:08: ISAKMP: Deleting peer node by peer_reap for : 3D :55:08: ISAKMP:(0):deleting node error FALSE reason "IKE deleted" 01:55:08: ISAKMP:(0):deleting node error FALSE reason "IKE deleted" 01:55:08: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL 01:55:08: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA 01:55:08: IPSEC(key_engine): got a queue event with 1 KMI message(s) 01:55:08: IPSEC(sa_request):, (key eng. msg.) OUTBOUND local= , remote= , local_proxy= / /115/0 (type=4), remote_proxy= / /115/0 (type=4), protocol= ESP, transform= NONE (Tunnel), lifedur= 3600s and kb, 01:55:08: ISAKMP:(0): SA request profile is (NULL) 01:55:08: ISAKMP: Created a peer struct for , peer port :55:08: ISAKMP: New peer created peer = 0x3CC4618 peer_handle = 0x This product is individually licensed.

11 01:55:08: ISAKMP: Locking peer struct 0x3CC4618, refcount 1 for isakmp_initiator 01:55:08: ISAKMP: local port 500, remote port :55:08: ISAKMP: set new node 0 to QM_IDLE 01:55:08: insert sa successfully sa = 3E :55:08: ISAKMP:(0):Can not start Aggressive mode, trying Main mode. 01:55:08: ISAKMP:(0):found peer pre-shared key matching :55:08: ISAKMP:(0): constructed NAT-T vendor-07 ID 01:55:08: ISAKMP:(0): constructed NAT-T vendor-03 ID 01:55:08: ISAKMP:(0): constructed NAT-T vendor-02 ID 01:55:08: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM 01:55:08: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1 01:55:08: ISAKMP:(0): beginning Main Mode exchange 01:55:08: ISAKMP:(0): sending packet to my_port 500 peer_port 500 (I) M M_NO_STATE 01:55:08: ISAKMP (0:0): received packet from dport 500 sport 500 Global (I) MM_NO_STATE 01:55:08: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH 01:55:08: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2 01:55:08: ISAKMP:(0): processing SA payload. message ID = 0 01:55:08: ISAKMP:(0): processing vendor id payload 01:55:08: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch 01:55:08: ISAKMP (0:0): vendor ID is NAT-T v7 01:55:08: ISAKMP:(0):found peer pre-shared key matching :55:08: ISAKMP:(0): local preshared key found 01:55:08: ISAKMP : Scanning profiles for xauth... 01:55:08: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy 01:55:08: ISAKMP: encryption DES-CBC 01:55:08: ISAKMP: hash MD5 01:55:08: ISAKMP: default group 1 01:55:08: ISAKMP: auth pre-share 01:55:08: ISAKMP: life type in seconds 01:55:08: ISAKMP:(0):atts are acceptable. Next payload is 0 01:55:08: ISAKMP:(0): processing vendor id payload 01:55:08: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch 01:55:08: ISAKMP (0:0): vendor ID is NAT-T v7 01:55:08: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE 01:55:08: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2 01:55:08: ISAKMP:(0): sending packet to my_port 500 peer_port 500 (I) M M_SA_SETUP 01:55:08: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE 01:55:08: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3 01:55:08: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src dst for SPI 0xD07B32DA 01:55:08: ISAKMP (0:0): received packet from dport 500 sport 500 Global 11 This product is individually licensed.

12 (I) MM_SA_SETUP 01:55:08: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH 01:55:08: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4 01:55:08: ISAKMP:(0): processing KE payload. message ID = 0 01:55:08: ISAKMP:(0): processing NONCE payload. message ID = 0 01:55:08: ISAKMP:(0):found peer pre-shared key matching :55:08: ISAKMP:(1002): processing vendor id payload 01:55:08: ISAKMP:(1002): vendor ID is Unity 01:55:08: ISAKMP:(1002): processing vendor id payload 01:55:08: ISAKMP:(1002): vendor ID is DPD 01:55:08: ISAKMP:(1002): processing vendor id payload 01:55:08: ISAKMP:(1002): speaking to another IOS box 01:55:08: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE 01:55:08: ISAKMP:(1002):Old State = IKE_I_MM4 New State = IKE_I_MM4 01:55:08: ISAKMP:(1002):Send initial contact 01:55:08: ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR 01:55:08: ISAKMP (0:1002): ID payload next-payload : 8 type : 1 address : protocol : 17 port : 500 length : 12 01:55:08: ISAKMP:(1002):Total payload length: 12 01:55:08: ISAKMP:(1002): sending packet to my_port 500 peer_port 500 (I ) MM_KEY_EXCH 01:55:08: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE 01:55:08: ISAKMP:(1002):Old State = IKE_I_MM4 New State = IKE_I_MM5 01:55:08: ISAKMP (0:1002): received packet from dport 500 sport 500 Glo bal (I) MM_KEY_EXCH 01:55:08: ISAKMP:(1002): processing ID payload. message ID = 0 01:55:08: ISAKMP (0:1002): ID payload next-payload : 8 type : 1 address : protocol : 17 port : 500 length : 12 01:55:08: ISAKMP:(1002):: peer matches *none* of the profiles 01:55:08: ISAKMP:(1002): processing HASH payload. message ID = 0 01:55:08: ISAKMP:(1002):SA authentication status: authenticated 01:55:08: ISAKMP:(1002):SA has been authenticated with :55:08: ISAKMP: Trying to insert a peer / /500/, and inserted successfully 3CC :55:08: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH 01:55:08: ISAKMP:(1002):Old State = IKE_I_MM5 New State = IKE_I_MM6 12 This product is individually licensed.

13 01:55:08: ISAKMP (0:1002): received packet from dport 500 sport 500 Glo bal (I) MM_KEY_EXCH 01:55:08: ISAKMP: set new node to QM_IDLE 01:55:08: ISAKMP:(1002): processing HASH payload. message ID = :55:08: ISAKMP:(1002): processing DELETE payload. message ID = :55:08: ISAKMP:(1002):peer does not do paranoid keepalives. 01:55:08: ISAKMP:(1002):deleting node error FALSE reason "Informationa l (in) state 1" 01:55:08: IPSEC(key_engine): got a queue event with 1 KMI message(s) 01:55:08: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP 01:55:08: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE 01:55:08: ISAKMP:(1002):Old State = IKE_I_MM6 New State = IKE_I_MM6 01:55:08: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE 01:55:08: ISAKMP:(1002):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE 01:55:08: ISAKMP:(1002):beginning Quick Mode exchange, M-ID of :55:08: ISAKMP:(1002):QM Initiator gets spi 01:55:08: ISAKMP:(1002): sending packet to my_port 500 peer_port 500 (I ) QM_IDLE 01:55:08: ISAKMP:(1002):Node , Input = IKE_MESG_INTERNAL, IKE_INIT_QM 01:55:08: ISAKMP:(1002):Old State = IKE_QM_READY New State = IKE_QM_I_QM1 01:55:08: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE 01:55:08: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE 01:55:08: ISAKMP (0:1002): received packet from dport 500 sport 500 Glo bal (I) QM_IDLE 01:55:08: ISAKMP:(1002): processing HASH payload. message ID = :55:08: ISAKMP:(1002): processing SA payload. message ID = :55:08: ISAKMP:(1002):Checking IPSec proposal 1 01:55:08: ISAKMP: transform 1, ESP_DES 01:55:08: ISAKMP: attributes in transform: 01:55:08: ISAKMP: encaps is 1 (Tunnel) 01:55:08: ISAKMP: SA life type in seconds 01:55:08: ISAKMP: SA life duration (basic) of :55:08: ISAKMP: SA life type in kilobytes 01:55:08: ISAKMP: authenticator is HMAC-MD5 01:55:08: ISAKMP:(1002):atts are acceptable. 01:55:08: IPSEC(validate_proposal_request): proposal part #1 01:55:08: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= , remote= , local_proxy= / /115/0 (type=4), remote_proxy= / /115/0 (type=4), 13 This product is individually licensed.

14 protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel), lifedur= 0s and 0kb, 01:55:08: Crypto mapdb : proxy_match src addr : dst addr : protocol : 115 src port : 0 dst port : 0 01:55:08: ISAKMP:(1002): processing NONCE payload. message ID = :55:08: ISAKMP:(1002): processing ID payload. message ID = :55:08: ISAKMP:(1002): processing ID payload. message ID = :55:08: ISAKMP:(1002): Creating IPSec SAs 01:55:08: inbound SA from to (f/i) 0/ 0 (proxy to ) 01:55:08: has spi 0x35A80A69 and conn_id 0 01:55:08: lifetime of 3600 seconds 01:55:08: lifetime of kilobytes 01:55:08: outbound SA from to (f/i) 0/0 (proxy to ) 01:55:08: has spi 0x9C7B9051 and conn_id 0 01:55:08: lifetime of 3600 seconds 01:55:08: lifetime of kilobytes 01:55:08: ISAKMP:(1002): sending packet to my_port 500 peer_port 500 (I ) QM_IDLE 01:55:08: ISAKMP:(1002):deleting node error FALSE reason "No Error" 01:55:08: ISAKMP:(1002):Node , Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH 01:55:08: ISAKMP:(1002):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMP LETE 01:55:08: IPSEC(key_engine): got a queue event with 1 KMI message(s) 01:55:08: Crypto mapdb : proxy_match src addr : dst addr : protocol : 115 src port : 0 dst port : 0 01:55:08: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same pro xies and peer :55:08: IPSEC(policy_db_add_ident): src , dest , dest_port 0 PE3-RACK1#sho crypto isakmp sa IPv4 Crypto ISAKMP SA dst src state conn-id slot status QM_IDLE ACTIVE <- New session MM_NO_STATE 0 0 ACTIVE (deleted) <- OLD 14 This product is individually licensed.

15 PE3-RACK1#sho crypto isakmp sa detail Codes: C - IKE configuration mode, D - Dead Peer Detection K - Keepalives, N - NAT-traversal X - IKE Extended Authentication psk - Preshared key, rsig - RSA signature renc - RSA encryption IPv4 Crypto ISAKMP SA C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap ACTIVE des md5 psk 1 23:59:29 Engine-id:Conn-id = SW: ACTIVE 0 0 Engine-id:Conn-id =??? (deleted) PE3-RACK1#sho access-lists 115 Extended IP access list permit 115 any any log (720 matches) PE3-RACK1#sho crypto ipsec sa interface: Ethernet0/0 Crypto map tag: combines, local addr protected vrf: (none) local ident (addr/mask/prot/port): ( / /115/0) remote ident (addr/mask/prot/port): ( / /115/0) current_peer port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 11 #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 1, #recv errors 0 local crypto endpt.: , remote crypto endpt.: path mtu 1500, ip mtu 1500 current outbound spi: 0x9C7B9051( ) inbound esp sas: spi: 0x35A80A69( ) transform: esp-des esp-md5-hmac, in use settings ={Tunnel, } conn id: 3, flow_id: 3, crypto map: combines sa timing: remaining key lifetime (k/sec): ( /3514) IV size: 8 bytes 15 This product is individually licensed.

16 replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x9C7B9051( ) transform: esp-des esp-md5-hmac, in use settings ={Tunnel, } conn id: 4, flow_id: 4, crypto map: combines sa timing: remaining key lifetime (k/sec): ( /3514) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: interface: Ethernet3/0 Crypto map tag: combines, local addr protected vrf: (none) local ident (addr/mask/prot/port): ( / /115/0) remote ident (addr/mask/prot/port): ( / /115/0) current_peer port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 11 #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 1, #recv errors 0 local crypto endpt.: , remote crypto endpt.: path mtu 1500, ip mtu 1500 current outbound spi: 0x9C7B9051( ) inbound esp sas: spi: 0x35A80A69( ) transform: esp-des esp-md5-hmac, in use settings ={Tunnel, } conn id: 3, flow_id: 3, crypto map: combines sa timing: remaining key lifetime (k/sec): ( /3514) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: 16 This product is individually licensed.

17 spi: 0x9C7B9051( ) transform: esp-des esp-md5-hmac, in use settings ={Tunnel, } conn id: 4, flow_id: 4, crypto map: combines sa timing: remaining key lifetime (k/sec): ( /3514) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: interface: Ethernet4/0 Crypto map tag: combines, local addr protected vrf: (none) local ident (addr/mask/prot/port): ( / /115/0) remote ident (addr/mask/prot/port): ( / /115/0) current_peer port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 11 #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 1, #recv errors 0 local crypto endpt.: , remote crypto endpt.: path mtu 1500, ip mtu 1500 current outbound spi: 0x9C7B9051( ) inbound esp sas: spi: 0x35A80A69( ) transform: esp-des esp-md5-hmac, in use settings ={Tunnel, } conn id: 3, flow_id: 3, crypto map: combines sa timing: remaining key lifetime (k/sec): ( /3514) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x9C7B9051( ) transform: esp-des esp-md5-hmac, in use settings ={Tunnel, } conn id: 4, flow_id: 4, crypto map: combines sa timing: remaining key lifetime (k/sec): ( /3514) IV size: 8 bytes replay detection support: Y Status: ACTIVE 17 This product is individually licensed.

18 outbound ah sas: outbound pcp sas: interface: Loopback0 Crypto map tag: combines, local addr protected vrf: (none) local ident (addr/mask/prot/port): ( / /115/0) remote ident (addr/mask/prot/port): ( / /115/0) current_peer port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 11 #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 1, #recv errors 0 local crypto endpt.: , remote crypto endpt.: path mtu 1500, ip mtu 1500 current outbound spi: 0x9C7B9051( ) inbound esp sas: spi: 0x35A80A69( ) transform: esp-des esp-md5-hmac, in use settings ={Tunnel, } conn id: 3, flow_id: 3, crypto map: combines sa timing: remaining key lifetime (k/sec): ( /3513) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x9C7B9051( ) transform: esp-des esp-md5-hmac, in use settings ={Tunnel, } conn id: 4, flow_id: 4, crypto map: combines sa timing: remaining key lifetime (k/sec): ( /3513) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: PE3-RACK1#show l2tun tunnel 18 This product is individually licensed.

19 %No active L2F tunnels L2TP Tunnel Information Total tunnels 1 sessions 1 LocID RemID Remote Name State Remote Address Port Sessions L2TP Class/ VPDN Group PE2-RACK1 est iementorclass PE3-RACK1#sho crypto isakmp sa IPv4 Crypto ISAKMP SA dst src state conn-id slot status QM_IDLE ACTIVE CE8-RACK1#sho arp Protocol Address Age (min) Hardware Addr Type Interface Internet aabb.cc ARPA Ethernet0/0 Internet aabb.cc ARPA Ethernet0/0 CE8-RACK1#ping Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds: Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms CE8-RACK13#ping Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds: Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms PE2-RACK1#sho crypto session de Crypto session current status Code: C - IKE Configuration mode, D - Dead Peer Detection K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication Interface: Loopback0 Session status: UP-NO-IKE Peer: port 500 fvrf: (none) ivrf: (none) Desc: (none) Phase1_id: (none) Active SAs: 2, origin: crypto map Inbound: #pkts dec'ed 60 drop 0 life (KB/Sec) / This product is individually licensed.

20 Outbound: #pkts enc'ed 74 drop 1 life (KB/Sec) /3274 Active SAs: 2, origin: crypto map Inbound: #pkts dec'ed 60 drop 0 life (KB/Sec) /3274 Outbound: #pkts enc'ed 74 drop 1 life (KB/Sec) /3274 Active SAs: 2, origin: crypto map Inbound: #pkts dec'ed 60 drop 0 life (KB/Sec) /3274 Outbound: #pkts enc'ed 74 drop 1 life (KB/Sec) /3274 PE2-RACK1#sho crypto map Crypto Map: "combines" idb: Loopback0 local address: Crypto Map "combines" 10 ipsec-isakmp Description: to PE3 Peer = Extended IP access list 115 access-list 115 permit 115 any any Current peer: Security association lifetime: kilobytes/3600 seconds PFS (Y/N): N Transform sets={ iem, } Interfaces using crypto map combines: Loopback0 Ethernet0/0.20 Ethernet0/0.21 Ethernet0/0.123 PE3-RACK1#sho crypto map Crypto Map: "combines" idb: Loopback0 local address: Crypto Map "combines" 10 ipsec-isakmp Description: to PE2-RACK Peer = Extended IP access list 115 access-list 115 permit 115 any any Current peer: Security association lifetime: kilobytes/3600 seconds PFS (Y/N): N Transform sets={ iem, } Interfaces using crypto map combines: Loopback0 Ethernet0/0.30 Ethernet0/0.31 Ethernet0/ This product is individually licensed.

21 PE3-RACK1#sho crypto session detail Crypto session current status Code: C - IKE Configuration mode, D - Dead Peer Detection K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication Interface: Loopback0 Session status: UP-NO-IKE Peer: port 500 fvrf: (none) ivrf: (none) Desc: (none) Phase1_id: (none) Active SAs: 2, origin: crypto map Inbound: #pkts dec'ed 101 drop 0 life (KB/Sec) /3227 Outbound: #pkts enc'ed 98 drop 2 life (KB/Sec) /3227 Active SAs: 2, origin: crypto map Inbound: #pkts dec'ed 101 drop 0 life (KB/Sec) /3227 Outbound: #pkts enc'ed 98 drop 2 life (KB/Sec) /3227 Active SAs: 2, origin: crypto map Inbound: #pkts dec'ed 101 drop 0 life (KB/Sec) /3227 Outbound: #pkts enc'ed 98 drop 2 life (KB/Sec) /3227 Active SAs: 2, origin: crypto map Inbound: #pkts dec'ed 101 drop 0 life (KB/Sec) /3227 Outbound: #pkts enc'ed 98 drop 2 life (KB/Sec) / This product is individually licensed.