I've been studying like mad to take my CCNA Security exam in the next couple weeks. I've posted on several various bulletins here with various topics. My main issue was trying to connect virtually via GNS3 and my router setup on it. Scratch that...
I have three Cisco 2621 XM routers set up. They all came with 2 FastEthernet ports. However, only one of them has a Serial port. So, what I'm doing is connecting the routers together with the fast ethernet ports using crossover cables.
So, I baselined two routers to start with. Very simple AAA, set up IP HTTP server, IP HTTP Secure Server, etc. Privilege lvl 15 access, etc.
I then set my Router A's inside Fa0/1 port with a 192.168.1.0/24 network. The outside port Fa0/0 is 10.0.0.0/30 network.
Router B is set up similar, 192.168.2.0/24 inside Fa0/1, Fa0/0 is 10.0.0.0/30 network outside. So, three networks 192.168.1.0, 192.168.2.0, 10.0.0.0 network.
Then, I set up OSPF routing. Very simple...
router ospf 1
network 192.168.1.0 0.0.0.255 area 0
network 10.0.0.0 0.0.0.3 area 0
On the other router:
router ospf 1
network 192.168.2.0 0.0.0.255 area 0
network 10.0.0.0 0.0.0.3 area 0
Initially, routing worked. B's 2.0 network propagated into A's routing table, and vice versa with A's 1.0 network. I was able to ping across each other.
Now, I had a PC attached to a switch (set up as default, no acls, no nothing just bare bones default) which was attached to Fa0/1. The PC is 192.168.1.2. Subnet mask 255.255.255.0 Default gateway is the IP address of Fa0/1 which is 192.168.1.254 255.255.255.0
Similar on Router B, except 2.0 network.
So far, so good.
I then used SDM to connect from PC-A onto Router A via 192.168.1.254. It connected. SDM worked, brought up the router, interfaces, and showed OSPF routing. This is where it fell apart....
I attempted to create a Site to Site VPN via the wizard. Here's what I specified:
Inside interface fa0/1
Outside interface fa0/0
Network with interesting traffic 192.168.1.0/24
Peer 10.0.0.3 (that is the address of the outside facing interface f0/0 on Router B)
I then repeated the same on Router B, just transposing 2.0 network for interesting traffic, and Peer 10.0.0.2 for the Fa0/0 interface on Router A.
Everything else was defaulted.
When I "test" the tunnel, I get an error message. So, since I'm connected to Router B (which was working, had routing, and had Router A's network 1.0 in its routing table), the error msg says that I need to add a route into the routing table (192.168.1.0). It was there up until I attempted to put the VPN in place. It's like it stopped the routing.
Where am I going wrong? At face value, it looks like this should be working! But when I debug the ospf process, it looks like hello packets aren't traversing across to the other side. Is it because I just have the 192.xxx.xxx.xxx networks as "interesting" traffic? Can I have multiple networks marked as "interesting"? I thought that's what the peer statements were doing to allow the tunnel to be established.
Wow, that's interesting. I have not read ANYWHERE in the books I've been reviewing that you have to use static routes for tunnel configuration in a site to site VPN. It kinda makes sense, but I find it a little confusing that routing tables get shot down for this. I'll have to refer to some of the links mentioned above, and review my reading/notes.
The books may mention that multicast is not supported over IPSEC (no multicast is bad for IGPs). That's true if there is not a virtual tunnel interface. The tunnel interface creates another routed interface and it populates the table accordingly. The attachment shows a virtual tunnel interface and how it creates overlay routing through the tunnel using EIGRP (routing the packet twice). Without a tunnel interface the packet gets routed once (LAN to WAN) and encrypted at the WAN interface (crypto map) so there is no way to create overlay routing.
Traffic going over IPSEC without a virtual tunnel interface must use static routes. Dynamic routing is still supported with the ISP or downstream routers, etc., just not over native IPSEC.
So, in my lab setup..I have two routers. I should skip OSPF routing, and just put in static routes. Then my VPN "should" come up? Don't route the wan links per se?
And if I add a third router...a to b to c. I want to have a VPN from A to C. Let's say C is going to be 192.168.3.0 network on the LAN side. The WAN is going to be 10.0.0.4/30. I would do what with routing? Still static? No EIGRP or OSPF?
This type of vpn also needs interesting traffic for the vpn to come up. Once you have both sides provisioned and do a "show crypto ipsec sa" and "show crypto isakmp sa" there will not be any output. Once you have initiated Lan-to-Lan traffic the vpn will come up and have output for those two commands.
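To make the two options described in the replies above concrete (a crypto map on the WAN interface with static routes, which stays idle until interesting traffic is sent, versus a virtual tunnel interface that lets OSPF run through the tunnel as an overlay), here is an added example configuration for Router A built on the addressing used in this thread. It is not from the original posts and not Cisco's own sample code; the pre-shared key, the policy/transform-set/profile names, the 172.16.0.0/30 tunnel subnet, and the assumption that the router's IOS image supports `tunnel mode ipsec ipv4` are all my own choices.

```cisco
! Phase 1 / Phase 2 material shared by both options (names and key are placeholders)
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key LAB-PSK-PLACEHOLDER address 10.0.0.3
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
!
interface FastEthernet0/1
 description LAN A
 ip address 192.168.1.254 255.255.255.0
!
interface FastEthernet0/0
 description WAN link to Router B (10.0.0.3)
 ip address 10.0.0.2 255.255.255.252
!
!===== Option 1: crypto map on the WAN interface + static routes =====
! Interesting traffic is only LAN-A to LAN-B. OSPF hellos (multicast) are not
! matched by this ACL, so the IGP cannot run through the tunnel; a static route
! to the remote LAN via the peer's WAN address takes its place.
ip access-list extended VPN-INTERESTING
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map CM 10 ipsec-isakmp
 set peer 10.0.0.3
 set transform-set TS
 match address VPN-INTERESTING
!
interface FastEthernet0/0
 crypto map CM
!
ip route 192.168.2.0 255.255.255.0 10.0.0.3
!
! "show crypto isakmp sa" and "show crypto ipsec sa" stay empty until a packet
! matching VPN-INTERESTING is sent, e.g. from the router's own LAN address:
!   ping 192.168.2.254 source 192.168.1.254
!
!===== Option 2: virtual tunnel interface + OSPF overlay (use instead of Option 1) =====
! Remove the crypto map from Fa0/0 and the static route above before using this.
crypto ipsec profile VTI-PROF
 set transform-set TS
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 10.0.0.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! OSPF now forms its adjacency across Tunnel0, not across the 10.0.0.0/30 link.
! A packet from LAN A is routed once into Tunnel0, encrypted there, then routed
! again out Fa0/0 toward the peer's WAN address (the "routed twice" behaviour).
router ospf 1
 network 192.168.1.0 0.0.0.255 area 0
 network 172.16.0.0 0.0.0.3 area 0
!
! Router B mirrors this: isakmp key for address 10.0.0.2, tunnel destination
! 10.0.0.2, Tunnel0 172.16.0.2/30, and OSPF networks 192.168.2.0/24 and 172.16.0.0/30.
```

With Option 1, a ping from PC-A to PC-B (or the router-sourced ping in the comments) is what brings the SA up; with Option 2, `show ip ospf neighbor` should list the peer's tunnel address once both Tunnel0 interfaces are up, and `show ip route` then shows the remote LAN learned via Tunnel0 rather than via a static entry. Whether Option 2 is available depends on the IOS feature set loaded on the 2621XM, so check for `tunnel mode ipsec ipv4` before planning on it.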