Task 4.1 – IOS CA
- What confuses me is that there is nothing in the configuration telling it to authenticate with certificates. All there is, compared to a “normal” preshared-key auth, is a missing “authen pre-share”, which of course means that authentication is done with certificates by default. I understand, I just have to get used to the fact that there is no command visible in the crypto isakmp policy saying “authentication MY-CA-TRUSTPOINT”.
- When entering a wrong peer in the crypto map, it's not enough to just re-enter a new IP. Since a crypto map sequence can have multiple peers for redundancy, the old one doesn't go away. The effect is that the tunnel only comes up after a while, since it first tries the bad peer IP before trying the second one. Remove the first one.
- Being more used to VPNs on ASA than on IOS, I usually tear down VPN tunnels with the commands “clear crypto isakmp sa” and “clear crypto ipsec sa”. In IOS the corresponding command is “clear crypto session”. Cool.
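The "invisible" certificate authentication mentioned above, shown end to end as an added example (constructed configuration, not the lab's or the blog author's own; the CA name MY-CA, the trustpoint name MY-CA-TRUSTPOINT, the CA address 10.0.0.1 and the router name r1.lab.local are assumptions). The point to notice is the ISAKMP policy at the end: it carries no "authentication" line at all, because rsa-sig is the IOS default and defaults are not written to the running configuration.

```cisco
! --- CA router: the IOS certificate server (SCEP is served by the HTTP server) ---
ip http server
crypto pki server MY-CA
 issuer-name CN=MY-CA,O=lab
 grant auto                 ! lab only: auto-grant every request without an operator check
 no shutdown

! --- VPN router: trustpoint pointing at the CA ---
crypto pki trustpoint MY-CA-TRUSTPOINT
 enrollment url http://10.0.0.1:80        ! IOS appends /cgi-bin/pkiclient.exe itself
 subject-name CN=r1.lab.local
 revocation-check none                    ! lab only: production should check a CRL or OCSP

! EXEC commands, not configuration:
!   crypto pki authenticate MY-CA-TRUSTPOINT   -> fetches the CA certificate; verify the shown fingerprint
!   crypto pki enroll MY-CA-TRUSTPOINT         -> requests the router's own certificate

! --- ISAKMP policy: no "authentication rsa-sig" line appears, it is the default ---
crypto isakmp policy 10
 encryption aes
 hash sha
 group 2
```

"show crypto isakmp policy" is where the default becomes visible: it lists the authentication method as "Rivest-Shamir-Adleman Signature" for the policy above, whereas a policy configured with "authentication pre-share" both shows and stores that line.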
Task 4.2 – IOS L2L
This is all about enrolling certificates from the CA in the previous task on two IOS routers and setting up an IPsec tunnel.
Task 4.3 – VPN IOS-ASA
The task was to set up a tunnel between IOS and ASA. Preshared key, all straightforward. However, I was asked to prioritize certain traffic going into the tunnel from the IOS router. This was done by creating a service-policy on the outside interface like this:
class-map match-all VPN-CLASS
 match access-group 150    ! The ACL that defines the traffic to prioritize
policy-map VPN-POLICY
 class VPN-CLASS
  priority 200             ! I was also asked to restrict the prioritized traffic to 200 kbps
interface Fa1/1
 service-policy output VPN-POLICY
- And, don't forget to do “qos pre-classify” on the crypto map! Otherwise your class-map has to look for ESP traffic, and that is not very granular, is it? 🙂
- “create lo3 on r2, assign it ip 192.168.3.2/24” and “create a vpn tunnel between Vlan100 and the newly created loopback network”. I used “host 192.168.3.2” in the ACL, but it clearly states “the loopback _network_”. Darn!
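The service-policy from this task together with the "qos pre-classify" reminder, as one added example (constructed configuration, not the lab's or the blog author's own; the crypto map name VPN-MAP, transform set TS, ACL 100, peer 10.1.1.2 and the RTP port range in ACL 150 are assumptions). Without the pre-classify line, the output policy on Fa1/1 only ever sees ESP (IP protocol 50) and cannot match the inner ports that ACL 150 describes.

```cisco
! Traffic to prioritise: RTP between the two LANs (constructed example prefixes and ports)
access-list 150 permit udp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 range 16384 32767
! Traffic to encrypt: everything between the two LANs
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

class-map match-all VPN-CLASS
 match access-group 150

policy-map VPN-POLICY
 class VPN-CLASS
  priority 200            ! LLQ; the class is also policed to 200 kbps during congestion

crypto ipsec transform-set TS esp-aes esp-sha-hmac

crypto map VPN-MAP 10 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set TS
 match address 100
 qos pre-classify         ! classify on the cleartext header, before ESP encapsulation

interface FastEthernet1/1
 ip address 10.1.1.1 255.255.255.0
 crypto map VPN-MAP
 service-policy output VPN-POLICY
```

"show policy-map interface FastEthernet1/1" is the check: the VPN-CLASS counters should increase while test traffic matching ACL 150 flows through the tunnel; if only the class-default counters move, pre-classification is missing.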
Task 4.4 – L2L Aggressive mode with PSK
- Stuck Twice.
- Stuck again. Couldn't get the tunnel up even when comparing my configs with the solution guide. After getting help from OSL I made it:
Hi
Not sure if this is it or not but you have “crypto isakmp key ipexpert hostname r5.ipexpert.com” and the debug shows “FQDN name : R5.ipexpert.com”
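The help reply above points at the difference between the hostname in the key line and the FQDN the peer actually sends. As an added example (constructed configuration, not the lab's or the blog author's own; the addresses 10.1.1.4 and 10.1.1.5 and the role split between R4 and R5 are assumptions), here is an aggressive-mode PSK setup where the responder's key line is spelled exactly like the identity the initiator presents:

```cisco
! --- R5: initiator, identifies itself by FQDN rather than by address ---
hostname R5
ip domain-name ipexpert.com
crypto isakmp identity hostname
crypto isakmp peer address 10.1.1.4
 set aggressive-mode password ipexpert
 set aggressive-mode client-endpoint fqdn R5.ipexpert.com

! --- R4: responder, looks the key up by the FQDN received in the ID payload ---
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
! keep this identical to the FQDN R5 sends, character for character
crypto isakmp key ipexpert hostname R5.ipexpert.com
```

"debug crypto isakmp" on R4 prints the received identity as the "FQDN name :" line quoted in the reply above; compare that string with the "crypto isakmp key ... hostname" line in the running configuration before looking anywhere else.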
Task 4.5 – L2L Overlapping subnets
- I haven't worked very much with tunnel interfaces, but this was a pleasant first date. It's kind of magic making a virtual interface and making the router route traffic through it. Even more coolish when you encrypt the traffic and make a routing protocol talk through the tunnel.
- Since I wasn't allowed to use static routing, I had to create loopback interfaces to force knowledge of the local network's translated address space into the routing protocol. I was thinking of some kind of “add-reverse-route” option for the “ip nat source static network” command, but I guess there is no such solution? Or could this routing issue be solved in another way?
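The combination described in the two notes above (IPsec-protected tunnel interface, NAT of the overlapping LAN, loopback to give the routing protocol something to advertise), as an added example (constructed configuration, not the lab's or the blog author's own; every address, the profile name VTI-PROF, the transform set TS and EIGRP AS 100 are assumptions). Both sites use 192.168.1.0/24 on the LAN; site A presents itself as 10.1.0.0/24 across the tunnel and sees site B as 10.2.0.0/24. Only site A's router is shown; site B mirrors it with the two translated prefixes swapped.

```cisco
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
crypto isakmp key ipexpert address 172.16.2.1
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set TS

! Virtual tunnel interface: routed like any interface, every packet through it is encrypted
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 ip nat outside
 tunnel source 172.16.1.1
 tunnel destination 172.16.2.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF

interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside

! Our LAN leaves the tunnel as 10.1.0.0/24; the peer's identical LAN arrives as 10.2.0.0/24
ip nat inside source static network 192.168.1.0 10.1.0.0 /24
ip nat outside source static network 192.168.1.0 10.2.0.0 /24

! Loopback in the translated space so EIGRP has a connected prefix to advertise to the peer
interface Loopback1
 ip address 10.1.0.254 255.255.255.0

router eigrp 100
 network 10.0.0.0
 no auto-summary
```

The "network 10.0.0.0" statement covers the tunnel link and Loopback1 but not the real LAN, so the peer learns 10.1.0.0/24 via Tunnel0 and never sees the overlapping 192.168.1.0/24. Inbound packets for 10.1.0.x are translated back to 192.168.1.x before routing, so the loopback does not black-hole them. "show ip nat translations" and "show ip route eigrp" are the two checks: one translation per conversation, and 10.2.0.0/24 learned through Tunnel0.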
Task 4.6 – Easy VPN Server on IOS
- This task deals with connecting a plain IPsec client from an XP workstation to a VPN server on IOS. First step was to verify connectivity on XP. Wrong IP, changing it. Now, a good piece of advice from someone “who knows”: Do NOT add a default route on the student NIC of the lab PCs. It has 2 NICs and the other one is conveniently named “Outside NIC – Do not Touch!”, which is fine because that's how you reach the machine over the internet. But if you add a default “gateway” on the student NIC (which you are allowed to fool with) you will convert that kind little XP machine into an unpredictable beast. If you are lucky you will reach it after a while and remove that default gateway. So I've heard. 🙂
- IOS auto-enroll and the enroll feature of the IPsec VPN client are cool. Just point it to http://<ios ca ip>/cgi-bin/pkiclient.exe and request a certificate.
- I had to look at the solution guide quite a lot in this case. Even when doing that I couldn't get the VPN client to connect. I just got these error messages:
- Suddenly I looked at the bottom right corner of my screen and saw that the time was 3 minutes until the lab period was over. I have never backed up a bunch of routers this fast before. First thing next lab attempt will be to load the configs and troubleshoot the EasyVPN config of R4.