  1. Member
    Join Date
    Feb 2010
    Posts
    80

    Certifications
    CCNA, CCNA Security, CCDA, CCNP, CCDP
    #1

    Default 2 Routers s2s vpn

    Hi,

    I'm watching Jeremy's CCNA Sec nuggets and there's an "implementing s2s VPN through CLI" section. I've redone it like 3 times now and still can't get it to work; I cannot ping the other router. Help is appreciated, here are my confs:


    Router 1
    Code:
    Test5#sh run
    Building configuration...
    
    
    Current configuration : 1207 bytes
    !
    version 12.4
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname Test5
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    memory-size iomem 25
    !
    !
    ip cef
    !
    !
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    crypto isakmp policy 60
     encr aes
     authentication pre-share
     group 2
    crypto isakmp key cbt address 192.168.1.1
    !
    !
    crypto ipsec transform-set jeremy esp-aes esp-sha-hmac
    !
    crypto map s2s-vpn 100 ipsec-isakmp
     set peer 192.168.1.1
     set transform-set jeremy
     match address 100
    !
    !
    !
    !
    interface Loopback0
     ip address 10.0.2.250 255.255.255.0
     shutdown
    !
    interface FastEthernet2/0
     ip address 192.168.5.1 255.255.255.0
     speed 100
     full-duplex
     crypto map s2s-vpn
    !
    interface FastEthernet2/1
     ip address 192.168.9.1 255.255.255.0
     duplex full
     speed 100
    !
    router eigrp 80
     network 10.0.0.0
     no auto-summary
    !
    ip http server
    no ip http secure-server
    !
    ip forward-protocol nd
    !
    !
    access-list 100 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
    !
    !
    !
    control-plane
    !
    !
    !
    !
    !
    !
    !
    dial-peer cor custom
    !
    !
    !
    !
    !
    line con 0
     logging synchronous
    line aux 0
    line vty 0 4
     login
    !
    !
    end
    Router2
    Code:
    Router(config)#do sh run
    Building configuration...
    
    Current configuration : 994 bytes
    !
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no network-clock-participate slot 1
    no network-clock-participate wic 0
    no aaa new-model
    ip subnet-zero
    ip cef
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    crypto isakmp policy 10
     encr aes
     authentication pre-share
     group 2
    crypto isakmp key cbt address 192.168.5.1
    !
    !
    crypto ipsec transform-set jeremy esp-aes esp-sha-hmac
    !
    crypto map s2s-vpn 100 ipsec-isakmp
     set peer 192.168.5.1
     set transform-set jeremy
     match address 100
    !
    !
    !
    !
    interface FastEthernet0/0
     ip address 192.168.1.1 255.255.255.0
     duplex full
     speed 100
     crypto map s2s-vpn
    !
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    no ip http server
    no ip http secure-server
    ip classless
    !
    !
    access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
    !
    !
    !
    !
    !
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    !
    !
    end
    Last edited by Akiii; 11-08-2010 at 02:36 PM.

  3. Senior Member
    Join Date
    Apr 2008
    Location
    Tampa, Fl
    Posts
    1,097

    Certifications
    A Few....
    #2
    A couple of things jumped out to me...

    The interface on router 2 is shut down. Also, router 2 doesn't have an access-list configured designating the traffic to bring up the VPN. HTH.

    -Peanut

  4. Member
    Join Date
    Feb 2010
    Posts
    80

    Certifications
    CCNA, CCNA Security, CCDA, CCNP, CCDP
    #3
    Quote Originally Posted by peanutnoggin View Post
    A couple of things jumped out to me...

    The interface on router 2 is shut down. Also, router 2 doesn't have an access-list configured designating the traffic to bring up the VPN. HTH.

    -Peanut
    Thanks, I realized the interface was down before you posted. I just made an ACL but still no joy... updated the configs in the #1 post.
    Last edited by Akiii; 11-08-2010 at 02:10 PM.

  5. Senior Member
    Join Date
    Apr 2008
    Location
    Tampa, Fl
    Posts
    1,097

    Certifications
    A Few....
    #4
    Have you enabled "isakmp"?

    crypto isakmp enable

    I haven't configured a site-to-site VPN in a while... I'm trying to think of other items. Everything appears to be right since you have identical configs (with the "mirrored" access-lists). Have you enabled debugging on IKE Phase 1? Are you generating traffic from clients within the specified subnets? HTH.

    -Peanut

  6. Senior Member bermovick's Avatar
    Join Date
    Apr 2010
    Location
    San Antonio, TX
    Posts
    1,122

    Certifications
    CCNP, CCNA Security, CCDA, Project+, Linux+
    #5
    I tell ya, I've had the worst luck getting my VPNs to work too; then I'll wipe the whole configs, do exactly the same thing and have them work (I know I've done something different, but no idea what).

    I'll load up gns3 and plug in your configs and see what I can figure out.
    BS:IT (Security Focus) at WGU Progress:
    -={ Complete }=-

    MS:CIA at WGU Progress:
    9 of 10 done (and all non-capstone papers). Current: LQT2 - MS-CSIA Capstone

  7. Member
    Join Date
    Feb 2010
    Posts
    80

    Certifications
    CCNA, CCNA Security, CCDA, CCNP, CCDP
    #6
    Quote Originally Posted by peanutnoggin View Post
    Have you enabled "isakmp"?

    crypto isakmp enable

    I haven't configured a site-to-site VPN in a while... I'm trying to think of other items. Everything appears to be right since you have identical configs (with the "mirrored" access-lists). Have you enabled debugging on IKE Phase 1? Are you generating traffic from clients within the specified subnets? HTH.

    -Peanut
    Yes, enabling isakmp was my first command. I've connected the routers together with a crossover cable and tried to ping the other one, or set one of them as my default GW and pinged the other router, but no luck.

    Ákos

  8. Senior Member bermovick's Avatar
    Join Date
    Apr 2010
    Location
    San Antonio, TX
    Posts
    1,122

    Certifications
    CCNP, CCNA Security, CCDA, Project+, Linux+
    #7
    What's the topology like? What do you have between the 2?
    BS:IT (Security Focus) at WGU Progress:
    -={ Complete }=-

    MS:CIA at WGU Progress:
    9 of 10 done (and all non-capstone papers). Current: LQT2 - MS-CSIA Capstone

  9. Member
    Join Date
    Feb 2010
    Posts
    80

    Certifications
    CCNA, CCNA Security, CCDA, CCNP, CCDP
    #8
    Quote Originally Posted by bermovick View Post
    What's the topology like? What do you have between the 2?

    Ok so I believe here's where the misunderstanding on my part comes from. Do you actually need a cloud or something between the 2 devices? Can't you just put up an IPsec tunnel between the 2 routers via crossover cable?

  10. Senior Member
    Join Date
    Apr 2009
    Location
    Sheffield, UK
    Posts
    502

    Certifications
    CC(NA-IP-NP), JNCIA-JUNOS, JNCIS-ENT, BCNE
    #9
    Try adding

    access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255

    Onto router 1 and

    access-list 100 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255

    On to router 2. In my experience, I've always needed an access list for both directions on each router, so you pretty much end up with the same ACL on each.

  11. Cisco Moderator mikej412's Avatar
    Join Date
    May 2005
    Location
    Chicago
    Posts
    10,190

    Certifications
    CCNP CCIP CCSP CCVP CCDP CCDA CCNA CS-CIPSS CS-CIPTDS CS-CIPTOS CS-CIPCSS CS-CFWS CS-CVPNS CS-CISecS ISSP 4013 4011
    #10
    Were the routers able to ping each other before you set up the tunnel?

  12. Member
    Join Date
    Feb 2010
    Posts
    80

    Certifications
    CCNA, CCNA Security, CCDA, CCNP, CCDP
    #11
    Quote Originally Posted by mikej412 View Post
    Were the routers able to ping each other before you set up the tunnel?

    They are newly set up routers, I didn't try it. Both interfaces are up/up.

    Do I actually need something between the 2 routers for the IPsec tunnel? Or can a normal crossover cable do the job?

  13. Cisco Moderator mikej412's Avatar
    Join Date
    May 2005
    Location
    Chicago
    Posts
    10,190

    Certifications
    CCNP CCIP CCSP CCVP CCDP CCDA CCNA CS-CIPSS CS-CIPTDS CS-CIPTOS CS-CIPCSS CS-CFWS CS-CVPNS CS-CISecS ISSP 4013 4011
    #12
    Quote Originally Posted by Akiii View Post
    Do I actually need something between the 2 routers for the IPsec tunnel?
    Network connectivity.

  14. Senior Member bermovick's Avatar
    Join Date
    Apr 2010
    Location
    San Antonio, TX
    Posts
    1,122

    Certifications
    CCNP, CCNA Security, CCDA, Project+, Linux+
    #13
    Quote Originally Posted by Akiii View Post
    Ok so I believe here's where the misunderstanding on my part comes from. Do you actually need a cloud or something between the 2 devices? Can't you just put up an IPsec tunnel between the 2 routers via crossover cable?
    I think you probably could, except your interfaces aren't in the same subnet?
    BS:IT (Security Focus) at WGU Progress:
    -={ Complete }=-

    MS:CIA at WGU Progress:
    9 of 10 done (and all non-capstone papers). Current: LQT2 - MS-CSIA Capstone

  15. Member
    Join Date
    Feb 2010
    Posts
    80

    Certifications
    CCNA, CCNA Security, CCDA, CCNP, CCDP
    #14
    Quote Originally Posted by bermovick View Post
    I think you probably could, except your interfaces aren't in the same subnet?

    Yes, they aren't, but I thought that IPsec would do the routing between the subnets. So I'm really curious now what I have to place between the 2 routers, or how to configure them to get it to work.

    A

  16. Senior Member bermovick's Avatar
    Join Date
    Apr 2010
    Location
    San Antonio, TX
    Posts
    1,122

    Certifications
    CCNP, CCNA Security, CCDA, Project+, Linux+
    #15
    You still need 'normal' IP connectivity between the 2 points. Most of my labs involve a router or 2 between the 2 endpoints, but I'd think the premise is the same if there's no physical devices between the 2.

    It looks like you're confusing what is being encrypted, thinking you'll encrypt 1.0 and 5.0, but what's really going to happen would be you're encrypting data coming in from other networks, through the endpoint routers, and encrypted before being sent out (normal IP routing) your 1.0/5.0 link.

    ... I'm not sure if I explain it well. It makes sense in my head.....
    BS:IT (Security Focus) at WGU Progress:
    -={ Complete }=-

    MS:CIA at WGU Progress:
    9 of 10 done (and all non-capstone papers). Current: LQT2 - MS-CSIA Capstone

  17. Member
    Join Date
    Feb 2010
    Posts
    80

    Certifications
    CCNA, CCNA Security, CCDA, CCNP, CCDP
    #16
    Quote Originally Posted by bermovick View Post
    You still need 'normal' IP connectivity between the 2 points. Most of my labs involve a router or 2 between the 2 endpoints, but I'd think the premise is the same if there's no physical devices between the 2.

    It looks like you're confusing what is being encrypted, thinking you'll encrypt 1.0 and 5.0, but what's really going to happen would be you're encrypting data coming in from other networks, through the endpoint routers, and encrypted before being sent out (normal IP routing) your 1.0/5.0 link.

    ... I'm not sure if I explain it well. It makes sense in my head.....
    thanks

    I'll try to set up one of my routers as a GW and ping the other side with the modifications you guys told me about; that should be enough for IP connectivity. I hope it will work.

  18. Senior Member bermovick's Avatar
    Join Date
    Apr 2010
    Location
    San Antonio, TX
    Posts
    1,122

    Certifications
    CCNP, CCNA Security, CCDA, Project+, Linux+
    #17
    OK, first off, forgive me if this stuff doesn't come out well; I'm still not used to uploading and inserting images.

    Secondly: R1 and R4 are computers here. They just LOOK like routers (I can't get QEMU to work, so I use routers as endpoint devices).



    R2 and R3 are going to create a VPN tunnel for traffic going between the 192.168.1.0 and 192.168.3.0 networks. I still need normal IP connectivity from end-to-end though.

    Here's the running-config from R2 and R3. R1 and R4 have no config other than ip addresses on the appropriate interface, and a default route.

    R2
    Code:
    Building configuration...
    
    Current configuration : 1050 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R2
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    !
    resource policy
    !
    memory-size iomem 5
    ip cef
    !
    !
    !
    !         
    !
    !
    !
    !
    !
    ! 
    !
    crypto isakmp policy 1
     encr aes
     hash md5
     authentication pre-share
     group 5
     lifetime 3600
    crypto isakmp key woohoo address 192.168.2.2
    !
    !
    crypto ipsec transform-set shorty esp-aes esp-md5-hmac 
    !
    crypto map R2_R3 100 ipsec-isakmp 
     set peer 192.168.2.2
     set transform-set shorty 
     match address vpn_acl
    !         
    !
    !
    interface FastEthernet0/0
     ip address 192.168.2.1 255.255.255.0
     duplex auto
     speed auto
     crypto map R2_R3
    !
    interface FastEthernet0/1
     ip address 192.168.1.1 255.255.255.0
     duplex auto
     speed auto
    !
    router eigrp 1
     network 192.168.1.0
     network 192.168.2.0
     auto-summary
    !
    !
    ip http server
    no ip http secure-server
    !
    !
    ip access-list extended vpn_acl
     permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
    !
    !
    !
    control-plane
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    !
    !
    end
    and R3
    Code:
    Building configuration...
    
    Current configuration : 1050 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R3
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    !
    resource policy
    !
    memory-size iomem 5
    ip cef
    !
    !
    !
    !         
    !
    !
    !
    !
    !
    ! 
    !
    crypto isakmp policy 1
     encr aes
     hash md5
     authentication pre-share
     group 5
     lifetime 3600
    crypto isakmp key woohoo address 192.168.2.1
    !
    !
    crypto ipsec transform-set shorty esp-aes esp-md5-hmac 
    !
    crypto map R3_R2 100 ipsec-isakmp 
     set peer 192.168.2.1
     set transform-set shorty 
     match address vpn_acl
    !         
    !
    !
    interface FastEthernet0/0
     ip address 192.168.2.2 255.255.255.0
     duplex auto
     speed auto
     crypto map R3_R2
    !
    interface FastEthernet0/1
     ip address 192.168.3.1 255.255.255.0
     duplex auto
     speed auto
    !
    router eigrp 1
     network 192.168.2.0
     network 192.168.3.0
     auto-summary
    !
    !
    ip http server
    no ip http secure-server
    !
    ip access-list extended vpn_acl
     permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
    !
    !
    !
    control-plane
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    !
    !
    end
    Verified with debug crypto ipsec
    Code:
    *Mar  1 02:08:33.735: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= 192.168.2.1, remote= 192.168.2.2, 
        local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4), 
        remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
        protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel), 
        lifedur= 3600s and 4608000kb, 
        spi= 0xFCAF55ED(4239349229), conn_id= 0, keysize= 128, flags= 0x400A
    *Mar  1 02:08:34.023: IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) INBOUND local= 192.168.2.1, remote= 192.168.2.2, 
        local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4), 
        remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
        protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel), 
        lifedur= 0s and 0kb, 
        spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x2
    *Mar  1 02:08:34.027: Crypto mapdb : proxy_match
            src addr     : 192.168.1.0
            dst addr     : 192.168.3.0
            protocol     : 0
            src port     : 0
            dst port     : 0
    *Mar  1 02:08:34.031: IPSEC(key_engine): got a queue event with 2 kei messages
    *Mar  1 02:08:34.031: IPSEC(initialize_sas): ,
      (key eng. msg.) INBOUND local= 192.168.2.1, remote= 192.168.2.2, 
        local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4), 
        remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
        protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel), 
        lifedur= 3600s and 4608000kb, 
        spi= 0xFCAF55ED(4239349229), conn_id= 0, keysize= 128, flags= 0x2
    *Mar  1 02:08:34.031: IPSEC(initialize_sas): ,
      (key eng. msg.) OUTBOUND local= 192.168.2.1, remote= 192.168.2.2, 
        local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4), 
        remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
        protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel), 
        lifedur= 3600s and 4608000kb, 
        spi= 0x8E9773AE(2392290222), conn_id= 0, keysize= 128, flags= 0xA
    *Mar  1 02:08:34.035: Crypto mapdb : proxy_match
            src addr     : 192.168.1.0
            dst addr     : 192.168.3.0
            protocol     : 0
            src port     : 0
            dst port     : 0
    *Mar  1 02:08:34.035: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 192.168.2.2
    *Mar  1 02:08:34.035: IPSec: Flow_switching Allocated flow for sibling 80000002 
    *Mar  1 02:08:34.035: IPSEC(policy_db_add_ident): src 192.168.1.0, dest 192.168.3.0, dest_port 0
    
    *Mar  1 02:08:34.035: IPSEC(create_sa): sa created,
      (sa) sa_dest= 192.168.2.1, sa_proto= 50, 
        sa_spi= 0xFCAF55ED(4239349229), 
        sa_trans= esp-aes esp-md5-hmac , sa_conn_id= 2001
    *Mar  1 02:08:34.035: IPSEC(create_sa): sa created,
      (sa) sa_dest= 192.168.2.2, sa_proto= 50, 
        sa_spi= 0x8E9773AE(2392290222), 
        sa_trans= esp-aes esp-md5-hmac , sa_conn_id= 2002
    BS:IT (Security Focus) at WGU Progress:
    -={ Complete }=-

    MS:CIA at WGU Progress:
    9 of 10 done (and all non-capstone papers). Current: LQT2 - MS-CSIA Capstone

  19. Member
    Join Date
    Feb 2010
    Posts
    80

    Certifications
    CCNA, CCNA Security, CCDA, CCNP, CCDP
    #18
    Thanks for the illustration, I've set up the same environment and it worked. The issue was that you need to have an active node on both ends (to which you can assign an IP); before that the IPsec tunnel will not come up.

    Thanks again for your help

    Á

  20. Senior Member bermovick's Avatar
    Join Date
    Apr 2010
    Location
    San Antonio, TX
    Posts
    1,122

    Certifications
    CCNP, CCNA Security, CCDA, Project+, Linux+
    #19
    Well, you might be able to use an extended ping to ping from (in my example) R2's F0/1 port. That way the packet's source address is in the 192.168.1.0 network, which would trigger the ACL and cause R2 to attempt to build the VPN.
    BS:IT (Security Focus) at WGU Progress:
    -={ Complete }=-

    MS:CIA at WGU Progress:
    9 of 10 done (and all non-capstone papers). Current: LQT2 - MS-CSIA Capstone

  21. Senior Member
    Join Date
    Mar 2010
    Location
    Los Angeles, California
    Posts
    200

    Certifications
    A+, Project+, Network+, Security+, CCNA: Security, CCNP R&S, CCDP, CCNP Security
    #20
    I'm sure this is far too late for the post, but still, the error was that the interfaces were in the wrong subnet. That is the primary cause of them not being able to ping across the crossover cable. Looks like the config was right, I just skimmed through it, but what really stood out was the incorrect IP addressing.

  22. Go ping yourself... phoeneous's Avatar
    Join Date
    Dec 2008
    Location
    Console.WriteLine("Yo");
    Posts
    2,316

    Certifications
    Pimp status
    #21
    Quote Originally Posted by gregorio323 View Post
    the error was that the interfaces were in the wrong subnet.
    Wait, you're saying 192.168.2.1/24 and 192.168.2.2/24 are not in the same subnet?

  23. Went to the dark side.... Moderator networker050184's Avatar
    Join Date
    Jul 2007
    Posts
    11,645

    Certifications
    CCNA, CCNP, CCIP, JNCIA-JUNOS, JNCIS-SP, JNCIP-SP, MCA200
    #22
    Quote Originally Posted by phoeneous View Post
    Wait, you're saying 192.168.2.1/24 and 192.168.2.2/24 are not in the same subnet?
    If you look at the configs in the OP he is using 192.168.5.1/24 on one side and 192.168.1.1/24 on the other for the link between the routers.
    An expert is a man who has made all the mistakes which can be made.
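The mismatch networker050184 points out is easy to miss by eye, so here is an added checker (not from the thread or any poster) that reads a pair of IOS site-to-site configs and reports the things this thread tripped over: peer address vs. the far side's crypto-map interface, whether the peer is on-link when there is no routing in between, the pre-shared key binding, and mirrored crypto ACLs. The embedded configs are constructed, trimmed copies of the OP's Router 1 / Router 2 configs; the parser assumes numbered ACLs and a single crypto map, as in those configs.

```python
import ipaddress
import re

# Constructed, trimmed copies of the thread's Router 1 / Router 2 configs:
# only the lines the checks below actually read.
ROUTER1 = """\
hostname Test5
crypto isakmp key cbt address 192.168.1.1
crypto map s2s-vpn 100 ipsec-isakmp
 set peer 192.168.1.1
 match address 100
interface FastEthernet2/0
 ip address 192.168.5.1 255.255.255.0
 crypto map s2s-vpn
access-list 100 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
ROUTER2 = """\
hostname Router
crypto isakmp key cbt address 192.168.5.1
crypto map s2s-vpn 100 ipsec-isakmp
 set peer 192.168.5.1
 match address 100
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 crypto map s2s-vpn
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
"""

def parse(cfg):
    # Pull out only the fields the peer checks need (numbered ACLs, one crypto map).
    info, iface = {"ifaces": {}, "acls": {}}, None
    for line in cfg.splitlines():
        if m := re.match(r"hostname (\S+)", line):
            info["host"] = m.group(1)
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            info["key"], info["key_peer"] = m.groups()
        elif m := re.match(r" set peer (\S+)", line):
            info["peer"] = m.group(1)
        elif m := re.match(r" match address (\S+)", line):
            info["acl"] = m.group(1)
        elif m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif m := re.match(r" ip address (\S+) (\S+)", line):
            info["ifaces"][iface] = ipaddress.ip_interface("/".join(m.groups()))
        elif line.startswith(" crypto map "):
            info["vpn_if"] = iface  # the interface the crypto map is applied to
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            name, src, swc, dst, dwc = m.groups()  # IOS wildcard masks, not netmasks
            info["acls"][name] = (ipaddress.ip_network(f"{src}/{swc}"),
                                  ipaddress.ip_network(f"{dst}/{dwc}"))
    return info

def check_side(a, b):
    # Findings for side a given the far side b; an empty list means consistent.
    findings = []
    local = a["ifaces"][a["vpn_if"]]
    peer = ipaddress.ip_address(a["peer"])
    # 1. The peer must be the address on the far side's crypto-map interface.
    if peer != b["ifaces"][b["vpn_if"]].ip:
        findings.append(f"{a['host']}: peer {peer} is not {b['host']}'s crypto-map interface")
    # 2. The thread's root cause: back-to-back with no routing, the peer has to be
    #    on-link, i.e. inside the crypto-map interface's own subnet.
    if peer not in local.network:
        findings.append(f"{a['host']}: peer {peer} not on-link with {local}, no route to peer")
    # 3. The pre-shared key must be bound to that peer and match the far side.
    if a["key_peer"] != a["peer"] or a["key"] != b["key"]:
        findings.append(f"{a['host']}: isakmp key or key address mismatch")
    # 4. Crypto ACLs must mirror each other (local src/dst == far dst/src).
    src, dst = a["acls"][a["acl"]]
    if (dst, src) != b["acls"][b["acl"]]:
        findings.append(f"{a['host']}: ACL {a['acl']} does not mirror {b['host']}'s")
    return findings

def lint(cfg1, cfg2):
    a, b = parse(cfg1), parse(cfg2)
    return check_side(a, b) + check_side(b, a)
```

`lint(ROUTER1, ROUTER2)` returns two findings on the OP's configs, one per router, both the "not on-link" case; with the link interfaces moved into one /24 (and the peer and key address updated to match) it returns none.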

  24. Go ping yourself... phoeneous's Avatar
    Join Date
    Dec 2008
    Location
    Console.WriteLine("Yo");
    Posts
    2,316

    Certifications
    Pimp status
    #23
    Quote Originally Posted by networker050184 View Post
    If you look at the configs in the OP he is using 192.168.5.1/24 on one side and 192.168.1.1/24 on the other for the link between the routers.
    Ah, I was looking at reply #17 which seems to be correct as far as the subnet between R2 and R3.

    I also noticed that he doesn't have any routes configured, is this not necessary in a s2s VPN?

  25. Went to the dark side.... Moderator networker050184's Avatar
    Join Date
    Jul 2007
    Posts
    11,645

    Certifications
    CCNA, CCNP, CCIP, JNCIA-JUNOS, JNCIS-SP, JNCIP-SP, MCA200
    #24
    Quote Originally Posted by phoeneous View Post
    Ah, I was looking at reply #17 which seems to be correct as far as the subnet between R2 and R3.

    I also noticed that he doesn't have any routes configured, is this not necessary in a s2s VPN?
    You would need some sort of route to get to the peer address. Which in this case happens to be a directly connected address so there is no need to add a route manually.
    An expert is a man who has made all the mistakes which can be made.

  26. Go ping yourself... phoeneous's Avatar
    Join Date
    Dec 2008
    Location
    Console.WriteLine("Yo");
    Posts
    2,316

    Certifications
    Pimp status
    #25
    Quote Originally Posted by networker050184 View Post
    You would need some sort of route to get to the peer address. Which in this case happens to be a directly connected address so there is no need to add a route manually.
    Gotcha. I'm studying with the same cbt as him and ironically I'm doing both the vpn videos tonight.
