This lab is challenging because it requires knowledge of both security and MPLS. We did not include many solution notes with this lab because it is very difficult to address the various levels of our readers' expertise. If any of this lab's configuration outputs and/or tasks are unclear, please e-mail your specific questions to sp@iementor.com.

[Topology diagram: CE2 (NASDAK Site 2, E0/0 4.4.4.4/24) - PE3 (10.1.1.3, E0/0.31, VLAN 31 172.16.13.0) - MPLS SP1 - PE1 (10.1.1.1) - 3550 (FE0/3, Dot1q trunk) - CE4 (NASDAK Site 1 HQ)]

Task 13.1:

Customer NASDAK requires communicating between their Site 1 HQ and Site 2. The customer requires that Site 1 and Site 2 not send any routing or exchange any information/networks with SP1. The customer also requires Multicast to pass from Site 1 to Site 2. Knowing these requirements, you realize that your core is not Multicast enabled. Provide alternatives to accommodate their requirements. The customer mentions they have one 3550 switch with 1 VLAN at Site 1.

1 This product is individually licensed.
The customer also mentions that Site 2 has just a dumb hub, that all users need to be able to communicate with the HQ, and that the hardware will not be changed. This side is not allowed to use Dot1q because the dumb hub has no way to accept and examine the Dot1q trunk. Configure this task such that when the customer on CE2 executes show cdp neighbors they see CE4 as directly connected. To verify this task, ensure that CE4 and CE2 can ping each other's Loopbacks without advertising them in the SP1 core.

PE1-RACK1(config)#pseudowire-class inter-working
PE1-RACK1(config-pw-class)# encapsulation mpls
PE1-RACK1(config-pw-class)# interworking ip

Enable CEF (a global command) before configuring xconnect on the attachment circuit:

PE1-RACK1(config)#ip cef
PE1-RACK1(config)#int Fastethernet 2/0.100
PE1-RACK1(config-subif)#xconnect 10.1.1.3 100 pw-class inter-working

PE3-RACK1(config)#pseudowire-class inter-working
PE3-RACK1(config-pw-class)# encapsulation mpls
PE3-RACK1(config-pw-class)# interworking ip
PE3-RACK1(config-pw-class)#interface Ethernet0/0
PE3-RACK1(config-if)# no ip address
PE3-RACK1(config-if)# no ip directed-broadcast
PE3-RACK1(config-if)# no cdp enable
PE3-RACK1(config-if)# xconnect 10.1.1.1 100 pw-class inter-working

PE1-RACK1#sho mpls l2transport vc
Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------  --------------- ---------- ----------
Ft2/0.100      Feth VLAN 100              10.1.1.3        100        UP

PE1#sho mpls l2transport vc de
Local interface: Ft2/0.100 up, line protocol up, Eth VLAN 100 up
  MPLS VC type is IP, interworking type is IP
  Destination address: 10.1.1.3, VC ID: 100, VC status: up
    Preferred path: not configured
    Default path: active
    Next hop: 172.16.13.1
  Output interface: Ft1/0, imposed label stack {22}
  Create time: 00:01:18, last status change time: 00:00:16
  Signaling protocol: LDP, peer 10.1.1.3:0 up
    MPLS VC labels: local 22, remote 22
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500        <- make sure the MTU matches on both ends, otherwise the AC won't come up
    Remote interface description:
  Sequencing: receive disabled, send disabled
  Sequence number: receive 0, send 0
  VC statistics:
    packet totals: receive 0, send 0
    byte totals:   receive 0, send 0
    packet drops:  receive 0, seq error 0, send 0

PE3-RACK1#sho mpls l2transport vc
Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------  --------------- ---------- ----------
Ft2/0          Ethernet                   10.1.1.1        100        UP

PE3-RACK1#sho mpls l2transport vc de
Local interface: Ft2/0 up, line protocol up, Ethernet up
  MPLS VC type is IP, interworking type is IP
  Destination address: 10.1.1.1, VC ID: 100, VC status: up
    Preferred path: not configured
    Default path: active
    Next hop: 172.16.13.2
  Output interface: Et1/0.31, imposed label stack {22}
  Create time: 00:04:54, last status change time: 00:00:42
  Signaling protocol: LDP, peer 10.1.1.1:0 up
    MPLS VC labels: local 22, remote 22
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description:
  Sequencing: receive disabled, send disabled
  Sequence number: receive 0, send 0
  VC statistics:
    packet totals: receive 0, send 0
    byte totals:   receive 0, send 0

This verifies Inter-Working VC-Type 11 (raw IP) by using the debugs.

PE3-RACK1#no debug all
All possible debugging has been turned off
PE3-RACK1#debug mpls l2transport signaling message
AToM LDP message debugging is on
PE3-RACK1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
PE3-RACK1(config)#int e 0/0
PE3-RACK1(config-if)#no shutdown
00:10:55: AToM LDP [10.1.1.1]: Sending label withdraw msg
  vc type 11, cbit 1, vc id 100, group id 0, vc label 23, status 0, mtu 1500
00:10:56: AToM LDP [10.1.1.1]: Received label release msg, id 20, graceful restart instance 0
  vc type 11, cbit 1, vc id 100, group id 0, vc label 23, status 0, mtu 0
00:10:56: AToM LDP [10.1.1.1]: Sending label mapping msg
  vc type 11, cbit 1, vc id 100, group id 0, vc label 22, status 0, mtu 1500

[Topology diagram: iementor Bank Site 2 (CE8, 8.8.8.8/24, F0/0 to 3550 FE0/8) - PE3 (10.1.1.3; E0/0.31 VLAN 31 172.16.13.0; E0/0.23; E0/0.13 to 3550 FE0/3) - IP core SP1 (VLAN 123 172.16.123.0) - PE2 (10.1.1.2; VLAN 21 172.16.12.0) - 3750-M FE1/0/1 - CE1 (iementor Bank Site 1 HQ, 1.1.1.1/24, E0/0.1) - PE1 (10.1.1.1). Layer 2 traffic between PE2 and PE3 is encrypted.]

Remove all MPLS related commands from SP1 and disable MPLS per interface.

Configure iementor Bank's Customer Requirements

Customer iementor Bank requires Site 2 to communicate with their Site 1 HQ. The customer requires that Site 1 HQ and Site 2 not send any routing or exchange any information/networks with SP1.
The customer also requires AppleTalk to pass from Site 1 to Site 2 for the designers in their design department. The customer has 2600 and 2800 routers in Site 1 and Site 2. They want SP1 to establish Layer 2 connectivity such that in the future they can bring multiple sites into HQ without adding additional ports or modules. Configure SP1 PE2 and PE3 to accommodate all of the above requirements. SP1 is allowed to allocate a VLAN for Site 1 and Site 2. Configure the feature best suited to making this solution work, and make the solution very dynamic. Configure a mechanism to transport the customer's VLANs in a secure session. Configure PE2 and PE3 to minimize overhead for all sessions from PE2 to PE3. To verify this task, ensure that CE1 and CE8 can ping each other's Loopbacks without advertising them in the SP1 core.

The customer's new requirement is to encrypt all Layer 2 traffic from Site 1 to Site 2, and they are asking SP1 to do it for them. Configure ISAKMP with authentication rsa-sig and hash md5. Traffic from Site 1 to Site 2 must be encrypted through the SP1 core.

hostname PE3
!
ip cef
!
l2tp-class iementor-class
 authentication
 password 7 060F0A2C
 cookie size 4
!
pseudowire-class PE3-PE2
 encapsulation l2tpv3
 protocol l2tpv3 iementor-class
 ip local interface Loopback0
crypto isakmp policy 10
 hash md5
 authentication rsa-sig
crypto isakmp key iem6727 address 10.1.1.2
!
crypto ipsec transform-set iem esp-des esp-md5-hmac
!
crypto map combines 10 ipsec-isakmp
 description to PE1
 set peer 10.1.1.2
 set transform-set iem
 match address 115
!
interface Loopback0
 ip address 10.1.1.3 255.255.255.255
 crypto map combines
!
interface Ethernet0/0.31
 ip address 172.16.13.1 255.255.255.0
 crypto map combines
!
interface Ethernet0/0.13
 no ip address
 no cdp enable
 xconnect 10.1.1.2 100 pw-class PE3-PE2
!
interface Ethernet0/0.30
 ip address 172.16.30.2 255.255.255.0
 crypto map combines
!
interface Ethernet0/0.123
 ip address 172.16.123.3 255.255.255.0
 crypto map combines
!
access-list 115 permit 115 any any log

hostname PE2-RACK1
!
ip cef
!
l2tp-class iementor-class
 authentication
 password 7 151B0E01
 cookie size 4
!
pseudowire-class PE3-PE2
 encapsulation l2tpv3
 protocol l2tpv3 iementor-class
 ip local interface Loopback0
!
crypto isakmp policy 10
 hash md5
 authentication rsa-sig
crypto isakmp key iem6727 address 10.1.1.3
!
crypto ipsec transform-set iem esp-des esp-md5-hmac
!
crypto map combines 10 ipsec-isakmp
 description to PE3
 set peer 10.1.1.3
 set transform-set iem
 match address 115
!
interface Loopback0
 ip address 10.1.1.2 255.255.255.255
 crypto map combines
!
interface Ethernet0/0.21
 ip address 172.16.12.1 255.255.255.0
 crypto map combines
!
interface Ethernet0/0.123
 ip address 172.16.123.2 255.255.255.0
 crypto map combines
!
interface ethernet0/0.82
 no ip address
 no cdp enable
 xconnect 10.1.1.3 100 pw-class PE3-PE2

PE3-RACK1#sho debugging
Cryptographic Subsystem:
  Crypto ISAKMP debugging is on
  Crypto IPSEC debugging is on
01:50:05: ISAKMP:(0):Notify has no hash. Rejected.
01:50:05: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
01:50:05: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
01:50:05: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1
01:50:05: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.1.1.2
01:50:05: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid sp
PE3-RACK1#clear crypto
01:51:35: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 10.1.1.3 dst 10.1.1.2 for SPI 0xD07B32DA
01:51:43: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 10.1.1.3 dst 10.1.1.2 for SPI 0xD07B32DA
PE3-RACK1#sho crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.1.2        172.16.13.1     MM_NO_STATE          0    0 ACTIVE (deleted)
10.1.1.2        172.16.13.1     MM_NO_STATE          0    0 ACTIVE (deleted)

As you can see, there is an issue keeping ISAKMP up and active: IPSEC never receives IKE_MESG_FROM_PEER. Based on the debug above you can see that the source of the peering is the issue (the IKE SA is sourced from 172.16.13.1, not from the Loopback the peer expects). To resolve this issue, follow the steps below:

PE2-RACK1#sho crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.1.2        172.16.13.1     MM_NO_STATE          0    0 ACTIVE (deleted)

PE3-RACK1#sho crypto isakmp policy
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

PE2-RACK1#sho crypto isakmp policy
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

PE3-RACK1#sho crypto session
Crypto session current status

Interface: Ethernet0/0
Session status: DOWN-NEGOTIATING
Peer: 10.1.1.2 port 500
  IKE SA: local 172.16.13.1/500 remote 10.1.1.2/500 Inactive
  IKE SA: local 172.16.13.1/500 remote 10.1.1.2/500 Inactive
  Active SAs: 0, origin: crypto map

Interface: Ethernet3/0
Session status: DOWN
Peer: 10.1.1.2 port 500
  Active SAs: 0, origin: crypto map

Interface: Ethernet4/0
Session status: DOWN
Peer: 10.1.1.2 port 500
  Active SAs: 0, origin: crypto map

Interface: Loopback0
Session status: DOWN
Peer: 10.1.1.2 port 500
  Active SAs: 0, origin: crypto map

PE3-RACK1#sho crypto session
01:54:51: No peer struct to get peer description
01:54:51: No peer struct to get peer description
01:54:51: No peer struct to get peer description
01:54:51: No peer struct to get peer description
01:54:52: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 172.16.13.1, remote= 10.1.1.2,
    local_proxy= 0.0.0.0/0.0.0.0/115/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/115/0 (type=4)
01:54:52: IPSEC(sa_request):,
PE3-RACK1#sho crypto session
01:54:52: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 172.16.13.1, remote 10.1.1.2)
01:54:52: ISAKMP: Error while processing SA request: Failed to initialize SA
01:54:52: ISAKMP: Error while processing KMI message 0, error 2.
PE3-RACK1#sho crypto session
01:54:54: ISAKMP:(0):purging node -1243206952
01:54:54: ISAKMP:(0):purging node -1914778357
PE3-RACK1#sho crypto session
01:55:01: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 10.1.1.3 dst 10.1.1.2 for SPI 0xD07B32DA
PE3-RACK1#config t

Below is what you are missing. It is very common for people to forget to source the crypto map correctly. Because of L2TPv3, we are using Loopbacks as source and destination, so we must source the crypto map from the same Loopbacks as our peering points:

PE2-RACK1(config)#crypto map combines local-address loopback 0
PE3-RACK1(config)#crypto map combines local-address loopback 0

Here we go:

01:55:08: ISAKMP:(0):peer does not do paranoid keepalives.
01:55:08: ISAKMP:(0):deleting SA reason "Death by tree-walk" state (I) MM_NO_STATE (peer 10.1.1.2)
01:55:08: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
01:55:08: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
01:55:08: ISAKMP:(0):deleting SA reason "Death by tree-walk" state (I) MM_NO_STATE (peer 10.1.1.2)
01:55:08: ISAKMP: Unlocking peer struct 0x3D89390 for isadb_mark_sa_deleted(), count 0
01:55:08: ISAKMP: Deleting peer node by peer_reap for 10.1.1.2: 3D89390
01:55:08: ISAKMP:(0):deleting node -1091408871 error FALSE reason "IKE deleted"
01:55:08: ISAKMP:(0):deleting node 1412236188 error FALSE reason "IKE deleted"
01:55:08: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
01:55:08: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
01:55:08: IPSEC(key_engine): got a queue event with 1 KMI message(s)
01:55:08: IPSEC(sa_request):,
  (key eng. msg.) OUTBOUND local= 10.1.1.3, remote= 10.1.1.2,
    local_proxy= 0.0.0.0/0.0.0.0/115/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/115/0 (type=4),
    protocol= ESP, transform= NONE (Tunnel),
    lifedur= 3600s and 4608000kb,
01:55:08: ISAKMP:(0): SA request profile is (NULL)
01:55:08: ISAKMP: Created a peer struct for 10.1.1.2, peer port 500
01:55:08: ISAKMP: New peer created peer = 0x3CC4618 peer_handle = 0x80000076
01:55:08: ISAKMP: Locking peer struct 0x3CC4618, refcount 1 for isakmp_initiator
01:55:08: ISAKMP: local port 500, remote port 500
01:55:08: ISAKMP: set new node 0 to QM_IDLE
01:55:08: insert sa successfully sa = 3E07118
01:55:08: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
01:55:08: ISAKMP:(0):found peer pre-shared key matching 10.1.1.2
01:55:08: ISAKMP:(0): constructed NAT-T vendor-07 ID
01:55:08: ISAKMP:(0): constructed NAT-T vendor-03 ID
01:55:08: ISAKMP:(0): constructed NAT-T vendor-02 ID
01:55:08: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
01:55:08: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
01:55:08: ISAKMP:(0): beginning Main Mode exchange
01:55:08: ISAKMP:(0): sending packet to 10.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
01:55:08: ISAKMP (0:0): received packet from 10.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
01:55:08: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
01:55:08: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
01:55:08: ISAKMP:(0): processing SA payload. message ID = 0
01:55:08: ISAKMP:(0): processing vendor id payload
01:55:08: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
01:55:08: ISAKMP (0:0): vendor ID is NAT-T v7
01:55:08: ISAKMP:(0):found peer pre-shared key matching 10.1.1.2
01:55:08: ISAKMP:(0): local preshared key found
01:55:08: ISAKMP : Scanning profiles for xauth ...
01:55:08: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
01:55:08: ISAKMP:      encryption DES-CBC
01:55:08: ISAKMP:      hash MD5
01:55:08: ISAKMP:      default group 1
01:55:08: ISAKMP:      auth pre-share
01:55:08: ISAKMP:      life type in seconds
01:55:08: ISAKMP:(0):atts are acceptable. Next payload is 0
01:55:08: ISAKMP:(0): processing vendor id payload
01:55:08: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
01:55:08: ISAKMP (0:0): vendor ID is NAT-T v7
01:55:08: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
01:55:08: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
01:55:08: ISAKMP:(0): sending packet to 10.1.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
01:55:08: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
01:55:08: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
01:55:08: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 10.1.1.3 dst 10.1.1.2 for SPI 0xD07B32DA
01:55:08: ISAKMP (0:0): received packet from 10.1.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
01:55:08: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
01:55:08: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
01:55:08: ISAKMP:(0): processing KE payload. message ID = 0
01:55:08: ISAKMP:(0): processing NONCE payload. message ID = 0
01:55:08: ISAKMP:(0):found peer pre-shared key matching 10.1.1.2
01:55:08: ISAKMP:(1002): processing vendor id payload
01:55:08: ISAKMP:(1002): vendor ID is Unity
01:55:08: ISAKMP:(1002): processing vendor id payload
01:55:08: ISAKMP:(1002): vendor ID is DPD
01:55:08: ISAKMP:(1002): processing vendor id payload
01:55:08: ISAKMP:(1002): speaking to another IOS box
01:55:08: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
01:55:08: ISAKMP:(1002):Old State = IKE_I_MM4  New State = IKE_I_MM4
01:55:08: ISAKMP:(1002):Send initial contact
01:55:08: ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
01:55:08: ISAKMP (0:1002): ID payload
        next-payload : 8
        type         : 1
        address      : 10.1.1.3
        protocol     : 17
        port         : 500
        length       : 12
01:55:08: ISAKMP:(1002):Total payload length: 12
01:55:08: ISAKMP:(1002): sending packet to 10.1.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
01:55:08: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
01:55:08: ISAKMP:(1002):Old State = IKE_I_MM4  New State = IKE_I_MM5
01:55:08: ISAKMP (0:1002): received packet from 10.1.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
01:55:08: ISAKMP:(1002): processing ID payload. message ID = 0
01:55:08: ISAKMP (0:1002): ID payload
        next-payload : 8
        type         : 1
        address      : 10.1.1.2
        protocol     : 17
        port         : 500
        length       : 12
01:55:08: ISAKMP:(1002):: peer matches *none* of the profiles
01:55:08: ISAKMP:(1002): processing HASH payload. message ID = 0
01:55:08: ISAKMP:(1002):SA authentication status: authenticated
01:55:08: ISAKMP:(1002):SA has been authenticated with 10.1.1.2
01:55:08: ISAKMP: Trying to insert a peer 10.1.1.3/10.1.1.2/500/, and inserted successfully 3CC4618.
01:55:08: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
01:55:08: ISAKMP:(1002):Old State = IKE_I_MM5  New State = IKE_I_MM6
01:55:08: ISAKMP (0:1002): received packet from 10.1.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
01:55:08: ISAKMP: set new node 654786214 to QM_IDLE
01:55:08: ISAKMP:(1002): processing HASH payload. message ID = 654786214
01:55:08: ISAKMP:(1002): processing DELETE payload. message ID = 654786214
01:55:08: ISAKMP:(1002):peer does not do paranoid keepalives.
01:55:08: ISAKMP:(1002):deleting node 654786214 error FALSE reason "Informational (in) state 1"
01:55:08: IPSEC(key_engine): got a queue event with 1 KMI message(s)
01:55:08: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
01:55:08: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
01:55:08: ISAKMP:(1002):Old State = IKE_I_MM6  New State = IKE_I_MM6
01:55:08: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
01:55:08: ISAKMP:(1002):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
01:55:08: ISAKMP:(1002):beginning Quick Mode exchange, M-ID of 750854051
01:55:08: ISAKMP:(1002):QM Initiator gets spi
01:55:08: ISAKMP:(1002): sending packet to 10.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE
01:55:08: ISAKMP:(1002):Node 750854051, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
01:55:08: ISAKMP:(1002):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
01:55:08: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
01:55:08: ISAKMP:(1002):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
01:55:08: ISAKMP (0:1002): received packet from 10.1.1.2 dport 500 sport 500 Global (I) QM_IDLE
01:55:08: ISAKMP:(1002): processing HASH payload. message ID = 750854051
01:55:08: ISAKMP:(1002): processing SA payload. message ID = 750854051
01:55:08: ISAKMP:(1002):Checking IPSec proposal 1
01:55:08: ISAKMP: transform 1, ESP_DES
01:55:08: ISAKMP:   attributes in transform:
01:55:08: ISAKMP:      encaps is 1 (Tunnel)
01:55:08: ISAKMP:      SA life type in seconds
01:55:08: ISAKMP:      SA life duration (basic) of 3600
01:55:08: ISAKMP:      SA life type in kilobytes
01:55:08: ISAKMP:      authenticator is HMAC-MD5
01:55:08: ISAKMP:(1002):atts are acceptable.
01:55:08: IPSEC(validate_proposal_request): proposal part #1
01:55:08: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 10.1.1.3, remote= 10.1.1.2,
    local_proxy= 0.0.0.0/0.0.0.0/115/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/115/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),
    lifedur= 0s and 0kb,
01:55:08: Crypto mapdb : proxy_match
        src addr     : 0.0.0.0
        dst addr     : 0.0.0.0
        protocol     : 115
        src port     : 0
        dst port     : 0
01:55:08: ISAKMP:(1002): processing NONCE payload. message ID = 750854051
01:55:08: ISAKMP:(1002): processing ID payload. message ID = 750854051
01:55:08: ISAKMP:(1002): processing ID payload. message ID = 750854051
01:55:08: ISAKMP:(1002): Creating IPSec SAs
01:55:08:         inbound SA from 10.1.1.2 to 10.1.1.3 (f/i)  0/ 0
        (proxy 0.0.0.0 to 0.0.0.0)
01:55:08:         has spi 0x35A80A69 and conn_id 0
01:55:08:         lifetime of 3600 seconds
01:55:08:         lifetime of 4608000 kilobytes
01:55:08:         outbound SA from 10.1.1.3 to 10.1.1.2 (f/i) 0/0
        (proxy 0.0.0.0 to 0.0.0.0)
01:55:08:         has spi 0x9C7B9051 and conn_id 0
01:55:08:         lifetime of 3600 seconds
01:55:08:         lifetime of 4608000 kilobytes
01:55:08: ISAKMP:(1002): sending packet to 10.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE
01:55:08: ISAKMP:(1002):deleting node 750854051 error FALSE reason "No Error"
01:55:08: ISAKMP:(1002):Node 750854051, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
01:55:08: ISAKMP:(1002):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
01:55:08: IPSEC(key_engine): got a queue event with 1 KMI message(s)
01:55:08: Crypto mapdb : proxy_match
        src addr     : 0.0.0.0
        dst addr     : 0.0.0.0
        protocol     : 115
        src port     : 0
        dst port     : 0
01:55:08: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 10.1.1.2
01:55:08: IPSEC(policy_db_add_ident): src 0.0.0.0, dest 0.0.0.0, dest_port 0

PE3-RACK1#sho crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.1.2        10.1.1.3        QM_IDLE           1002    0 ACTIVE            <- New session
10.1.1.2        172.16.13.1     MM_NO_STATE          0    0 ACTIVE (deleted)  <- OLD
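The failure the debugs above expose, an IKE SA sourced from the physical interface 172.16.13.1 while the L2TPv3 pseudowire and the peer's pre-shared key both expect the Loopback0 address, can be caught mechanically before any traffic is sent. The following Python check is an added example, not part of the lab or of any Cisco tool. It parses a constructed excerpt of the PE3 configuration (modelled on the lab's, before and after the crypto map local-address fix) together with constructed show crypto isakmp sa output modelled on the before and after tables, and reports when the pseudowire source, the crypto map local-address and the IKE SA source do not agree, when main mode is stuck, or when the crypto ACL does not select IP protocol 115 (L2TPv3).

```python
import re

IPV4 = r"\d+\.\d+\.\d+\.\d+"

# Constructed PE3 configuration excerpt (modelled on the lab, before the fix:
# no "crypto map ... local-address" line, pseudowire sourced from Loopback0).
PE3_BEFORE = """\
interface Loopback0
 ip address 10.1.1.3 255.255.255.255
 crypto map combines
interface Ethernet0/0.31
 ip address 172.16.13.1 255.255.255.0
 crypto map combines
pseudowire-class PE3-PE2
 encapsulation l2tpv3
 protocol l2tpv3 iementor-class
 ip local interface Loopback0
crypto map combines 10 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set iem
 match address 115
access-list 115 permit 115 any any log
"""
# Same excerpt with the fix the lab applies (CLI form, "loopback 0" with a space).
PE3_AFTER = PE3_BEFORE + "crypto map combines local-address loopback 0\n"

# Constructed "show crypto isakmp sa" output, modelled on the lab's before/after state.
SA_BEFORE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.1.2        172.16.13.1     MM_NO_STATE          0    0 ACTIVE (deleted)
10.1.1.2        172.16.13.1     MM_NO_STATE          0    0 ACTIVE (deleted)
"""
SA_AFTER = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.1.2        10.1.1.3        QM_IDLE           1002    0 ACTIVE
"""


def _norm(name):
    """Normalise interface names so 'loopback 0' and 'Loopback0' compare equal."""
    return name.strip().replace(" ", "").lower()


def parse_config(cfg):
    """Extract the tunnel-source and crypto-map facts the check needs."""
    facts = {"if_addrs": {}, "pw_source": None, "map_local_address": None,
             "peer": None, "acl_proto": None}
    current_if = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)", line):
            current_if = _norm(m.group(1))
        elif m := re.match(r"ip address (" + IPV4 + r") ", line):
            if current_if:
                facts["if_addrs"][current_if] = m.group(1)
        elif m := re.match(r"ip local interface (.+)", line):
            facts["pw_source"] = _norm(m.group(1))
        elif m := re.match(r"crypto map \S+ local-address (.+)", line):
            facts["map_local_address"] = _norm(m.group(1))
        elif m := re.match(r"set peer (" + IPV4 + ")", line):
            facts["peer"] = m.group(1)
        elif m := re.match(r"access-list \d+ permit (\d+) ", line):
            facts["acl_proto"] = int(m.group(1))
    return facts


def parse_isakmp_sa(output):
    """Return (dst, src, state) for each SA row of 'show crypto isakmp sa'."""
    rows = []
    for line in output.splitlines():
        if m := re.match(r"(" + IPV4 + r")\s+(" + IPV4 + r")\s+(\S+)", line.strip()):
            rows.append(m.groups())
    return rows


def check_ike_source(cfg, sa_output):
    """Return a list of findings; empty means IKE is sourced from the same
    Loopback as the L2TPv3 pseudowire and has moved past main mode."""
    f = parse_config(cfg)
    findings = []
    pw_ip = f["if_addrs"].get(f["pw_source"])
    if f["pw_source"] is None or pw_ip is None:
        findings.append("pseudowire-class has no resolvable 'ip local interface'")
    if f["map_local_address"] is None:
        findings.append("crypto map has no local-address; IKE will be sourced from the "
                        "egress interface, not %s" % f["pw_source"])
    elif f["map_local_address"] != f["pw_source"]:
        findings.append("crypto map local-address %s differs from pseudowire source %s"
                        % (f["map_local_address"], f["pw_source"]))
    if f["acl_proto"] != 115:
        findings.append("crypto ACL does not select IP protocol 115 (L2TPv3)")
    for dst, src, state in parse_isakmp_sa(sa_output):
        if dst != f["peer"]:
            continue
        if pw_ip and src != pw_ip:
            findings.append("IKE SA to %s is sourced from %s instead of %s (state %s)"
                            % (dst, src, pw_ip, state))
        if state == "MM_NO_STATE":
            findings.append("IKE SA to %s never left MM_NO_STATE" % dst)
    return findings


if __name__ == "__main__":
    for label, cfg, sa in (("before", PE3_BEFORE, SA_BEFORE), ("after", PE3_AFTER, SA_AFTER)):
        print(label, check_ike_source(cfg, sa) or "OK")
```

Run against the "before" state the check reports the missing local-address and the two MM_NO_STATE rows sourced from 172.16.13.1; against the "after" state it returns no findings, which is the same conclusion the QM_IDLE row in the table above gives by eye.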
PE3-RACK1#sho crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.
1002  10.1.1.3        10.1.1.2               ACTIVE des  md5  psk  1  23:59:29
      Engine-id:Conn-id = SW:2
0     172.16.13.1     10.1.1.2               ACTIVE 0    0                    (deleted)
      Engine-id:Conn-id = ???

PE3-RACK1#sho access-lists 115
Extended IP access list 115
    10 permit 115 any any log (720 matches)

PE3-RACK1#sho crypto ipsec sa

interface: Ethernet0/0
    Crypto map tag: combines, local addr 10.1.1.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/115/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/115/0)
   current_peer 10.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 11
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 10.1.1.3, remote crypto endpt.: 10.1.1.2
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x9C7B9051(2625343569)

     inbound esp sas:
      spi: 0x35A80A69(900205161)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: 3, crypto map: combines
        sa timing: remaining key lifetime (k/sec): (4397498/3514)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x9C7B9051(2625343569)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: 4, crypto map: combines
        sa timing: remaining key lifetime (k/sec): (4397498/3514)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Ethernet3/0
    Crypto map tag: combines, local addr 10.1.1.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/115/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/115/0)
   current_peer 10.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 11
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 10.1.1.3, remote crypto endpt.: 10.1.1.2
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x9C7B9051(2625343569)

     inbound esp sas:
      spi: 0x35A80A69(900205161)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: 3, crypto map: combines
        sa timing: remaining key lifetime (k/sec): (4397498/3514)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x9C7B9051(2625343569)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: 4, crypto map: combines
        sa timing: remaining key lifetime (k/sec): (4397498/3514)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Ethernet4/0
    Crypto map tag: combines, local addr 10.1.1.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/115/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/115/0)
   current_peer 10.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 11
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 10.1.1.3, remote crypto endpt.: 10.1.1.2
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x9C7B9051(2625343569)

     inbound esp sas:
      spi: 0x35A80A69(900205161)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: 3, crypto map: combines
        sa timing: remaining key lifetime (k/sec): (4397498/3514)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x9C7B9051(2625343569)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: 4, crypto map: combines
        sa timing: remaining key lifetime (k/sec): (4397498/3514)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:

     outbound pcp sas:

interface: Loopback0
    Crypto map tag: combines, local addr 10.1.1.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/115/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/115/0)
   current_peer 10.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 11
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 10.1.1.3, remote crypto endpt.: 10.1.1.2
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x9C7B9051(2625343569)

     inbound esp sas:
      spi: 0x35A80A69(900205161)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: 3, crypto map: combines
        sa timing: remaining key lifetime (k/sec): (4397498/3513)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x9C7B9051(2625343569)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: 4, crypto map: combines
        sa timing: remaining key lifetime (k/sec): (4397498/3513)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

PE3-RACK1#show l2tun tunnel
%No active L2F tunnels
L2TP Tunnel Information Total tunnels 1 sessions 1
LocID  RemID  Remote Name  State  Remote Address  Port  Sessions  L2TP Class/VPDN Group
47625  48460  PE2-RACK1    est    10.1.1.2        0     1         iementor-class

PE3-RACK1#sho crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.1.2        10.1.1.3        QM_IDLE           1002    0 ACTIVE

CE8-RACK1#sho arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.16.1.1             106  aabb.cc00.6500  ARPA   Ethernet0/0
Internet  172.16.1.2               -  aabb.cc00.7200  ARPA   Ethernet0/0

CE8-RACK1#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms

CE8-RACK1#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms

PE2-RACK1#sho crypto session de
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: Loopback0
Session status: UP-NO-IKE
Peer: 10.1.1.3 port 500 fvrf: (none) ivrf: (none)
      Desc: (none)
      Phase1_id: (none)
  Active SAs: 2, origin: crypto map
   Inbound:  #pkts dec'ed 60 drop 0 life (KB/Sec) 4404676/3274
   Outbound: #pkts enc'ed 74 drop 1 life (KB/Sec) 4404675/3274
  Active SAs: 2, origin: crypto map
   Inbound:  #pkts dec'ed 60 drop 0 life (KB/Sec) 4404676/3274
   Outbound: #pkts enc'ed 74 drop 1 life (KB/Sec) 4404675/3274
  Active SAs: 2, origin: crypto map
   Inbound:  #pkts dec'ed 60 drop 0 life (KB/Sec) 4404676/3274
   Outbound: #pkts enc'ed 74 drop 1 life (KB/Sec) 4404675/3274

PE2-RACK1#sho crypto map
Crypto Map: "combines" idb: Loopback0 local address: 10.1.1.2

Crypto Map "combines" 10 ipsec-isakmp
        Description: to PE3
        Peer = 10.1.1.3
        Extended IP access list 115
            access-list 115 permit 115 any any
        Current peer: 10.1.1.3
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ iem, }
        Interfaces using crypto map combines:
                Loopback0
                Ethernet0/0.20
                Ethernet0/0.21
                Ethernet0/0.123

PE3-RACK1#sho crypto map
Crypto Map: "combines" idb: Loopback0 local address: 10.1.1.3

Crypto Map "combines" 10 ipsec-isakmp
        Description: to PE2-RACK
        Peer = 10.1.1.2
        Extended IP access list 115
            access-list 115 permit 115 any any
        Current peer: 10.1.1.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ iem, }
        Interfaces using crypto map combines:
                Loopback0
                Ethernet0/0.30
                Ethernet0/0.31
                Ethernet0/0.123
PE3-RACK1#sho crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: Loopback0
Session status: UP-NO-IKE
Peer: 10.1.1.2 port 500 fvrf: (none) ivrf: (none)
      Desc: (none)
      Phase1_id: (none)
  Active SAs: 2, origin: crypto map
   Inbound:  #pkts dec'ed 101 drop 0 life (KB/Sec) 4486506/3227
   Outbound: #pkts enc'ed 98 drop 2 life (KB/Sec) 4486506/3227
  Active SAs: 2, origin: crypto map
   Inbound:  #pkts dec'ed 101 drop 0 life (KB/Sec) 4486506/3227
   Outbound: #pkts enc'ed 98 drop 2 life (KB/Sec) 4486506/3227
  Active SAs: 2, origin: crypto map
   Inbound:  #pkts dec'ed 101 drop 0 life (KB/Sec) 4486506/3227
   Outbound: #pkts enc'ed 98 drop 2 life (KB/Sec) 4486506/3227
  Active SAs: 2, origin: crypto map
   Inbound:  #pkts dec'ed 101 drop 0 life (KB/Sec) 4486506/3227
   Outbound: #pkts enc'ed 98 drop 2 life (KB/Sec) 4486506/3227