Document info: 21 pages, 309.45 KB.
ieMentor CCIE™ Service Provider Workbook v1.0 | Lab13 Solutions: Layer 2 VPN II
This lab is challenging because it requires knowledge of both
security and MPLS. We did not include many solution notes with
this lab because it is very difficult to address the various levels of
our readers’ expertise. If any of this lab’s configuration outputs
and/or tasks are unclear, please e-mail your specific questions to
sp@ieMentor.com.
[Figure: NASDAK topology for Task 13.1. Site 2: CE2 (E0/0) attached to PE3 (E0/0, Loopback 10.1.1.3). Site 1 HQ: CE4 (loopback 4.4.4.4/24) behind a 3550 switch (FE0/3) over a dot1q trunk to PE1 (Loopback 10.1.1.1). PE1 and PE3 connect across the SP1 MPLS core; PE3 E0/0.31 sits on VLAN 31, 172.16.13.0/24.]
Task 13.1:
♦ Customer NASDAK requires communication between their Site 1 HQ and Site 2.
♦ The customer requires that Site 1 and Site 2 not send any routing or exchange any information/networks with SP1.
♦ The customer also requires multicast to pass from Site 1 to Site 2. Knowing these requirements, you realize that your core is not multicast enabled. Provide alternatives to accommodate their requirements.
♦ The customer mentions they have one 3550 switch with 1 VLAN at Site 1.
This product is individually licensed.
Copyright® 2005 ieMentor http://www.iementor.com.
♦ The customer also mentions that Site 2 has just a dumb hub, that all users need to be able to communicate with the HQ, and that the hardware will not be changed.
This side is not allowed to use Dot1q because the dumb hub has no way to accept and examine a Dot1q trunk.
♦ Configure this task such that when the customer on CE2 executes show cdp neighbors they see CE4 as directly connected.
♦ To verify this task, ensure that CE4 and CE2 can ping each other's Loopbacks without advertising them in the SP1 core.
Enable CEF before configuring xconnect.
PE1-RACK1(config)#ip cef
PE1-RACK1(config)#pseudowire-class inter-working
PE1-RACK1(config-pw-class)# encapsulation mpls
PE1-RACK1(config-pw-class)# interworking ip
PE1-RACK1(config-pw-class)#interface FastEthernet2/0.100
PE1-RACK1(config-subif)# encapsulation dot1Q 100
PE1-RACK1(config-subif)# xconnect 10.1.1.3 100 pw-class inter-working
The subinterface must carry encapsulation dot1Q 100 for the attachment circuit to appear as "Eth VLAN 100" in the show output below; the VLAN ID is the one trunked from the customer's 3550.
PE3-RACK1(config)#pseudowire-class inter-working
PE3-RACK1(config-pw-class)# encapsulation mpls
PE3-RACK1(config-pw-class)# interworking ip
PE3-RACK1(config-pw-class)#interface Ethernet0/0
PE3-RACK1(config-if)# no ip address
PE3-RACK1(config-if)# no ip directed-broadcast
PE3-RACK1(config-if)# no cdp enable
PE3-RACK1(config-if)# xconnect 10.1.1.1 100 pw-class inter-working
Caveat on the CDP requirement: in IP interworking mode (VC type 11) the PEs forward only IPv4 packets across the pseudowire and answer ARP locally; non-IP frames such as CDP are not carried. Check show cdp neighbors on CE2 explicitly once the VC is up. A port-mode Ethernet pseudowire (VC type 5) carries CDP transparently, but it cannot join a tagged VLAN subinterface to an untagged port without Ethernet interworking.
PE1-RACK1#sho mpls l2transport vc
Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------  --------------  ---------- ----------
Fa2/0.100      Eth VLAN 100               10.1.1.3        100        UP
PE1-RACK1#sho mpls l2transport vc detail
Local interface: Fa2/0.100 up, line protocol up, Eth VLAN 100 up
  MPLS VC type is IP, interworking type is IP
  Destination address: 10.1.1.3, VC ID: 100, VC status: up
    Preferred path: not configured
    Default path: active
    Next hop: 172.16.13.1
  Output interface: Fa1/0, imposed label stack {22}
  Create time: 00:01:18, last status change time: 00:00:16
  Signaling protocol: LDP, peer 10.1.1.3:0 up
    MPLS VC labels: local 22, remote 22
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500   <-- the MTU signaled by both PEs must match, otherwise the VC will not come up
    Remote interface description:
  Sequencing: receive disabled, send disabled
  Sequence number: receive 0, send 0
  VC statistics:
    packet totals: receive 0, send 0
    byte totals:   receive 0, send 0
    packet drops:  receive 0, seq error 0, send 0
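As an added example (not part of the workbook), here is a small parser that reads show mpls l2transport vc detail output and reports the two things this section tells you to check: that the VC is up, and that both PEs signaled the same MTU. The sample output is constructed to resemble PE1's record above; the second VC in it is invented to exercise the mismatch branch. Function and variable names are my own.

```python
import re

# Constructed sample input (not from the workbook): two VC detail records in
# the "show mpls l2transport vc detail" layout. The first mirrors PE1's VC 100;
# the second is invented to show an MTU mismatch and a VC that stays down.
SAMPLE_VC_DETAIL = """\
Local interface: Fa2/0.100 up, line protocol up, Eth VLAN 100 up
  MPLS VC type is IP, interworking type is IP
  Destination address: 10.1.1.3, VC ID: 100, VC status: up
  Signaling protocol: LDP, peer 10.1.1.3:0 up
    MPLS VC labels: local 22, remote 22
    MTU: local 1500, remote 1500
Local interface: Fa2/0.200 up, line protocol up, Eth VLAN 200 up
  MPLS VC type is IP, interworking type is IP
  Destination address: 10.1.1.3, VC ID: 200, VC status: down
  Signaling protocol: LDP, peer 10.1.1.3:0 up
    MPLS VC labels: local unassigned, remote 24
    MTU: local 1500, remote 9000
"""

LOCAL_RE = re.compile(r"^Local interface: (?P<intf>\S+)", re.MULTILINE)
DEST_RE = re.compile(
    r"Destination address: (?P<dest>[\d.]+), VC ID: (?P<vcid>\d+), "
    r"VC status: (?P<status>\w+)"
)
MTU_RE = re.compile(r"MTU: local (?P<local>\S+), remote (?P<remote>\S+)")
TYPE_RE = re.compile(r"MPLS VC type is (?P<vctype>\w+), interworking type is (?P<iw>\w+)")


def _mtu(token):
    """IOS prints a number, or 'unknown' when the peer has not signaled an MTU."""
    return int(token) if token.isdigit() else None


def parse_vc_detail(text):
    """Split 'show mpls l2transport vc detail' output into one dict per VC."""
    starts = [m.start() for m in LOCAL_RE.finditer(text)]
    records = []
    for begin, end in zip(starts, starts[1:] + [len(text)]):
        chunk = text[begin:end]
        dest = DEST_RE.search(chunk)
        mtu = MTU_RE.search(chunk)
        vctype = TYPE_RE.search(chunk)
        records.append({
            "intf": LOCAL_RE.match(chunk).group("intf"),
            "dest": dest.group("dest") if dest else None,
            "vcid": int(dest.group("vcid")) if dest else None,
            "status": dest.group("status") if dest else None,
            "vctype": vctype.group("vctype") if vctype else None,
            "local_mtu": _mtu(mtu.group("local")) if mtu else None,
            "remote_mtu": _mtu(mtu.group("remote")) if mtu else None,
        })
    return records


def check_vcs(text):
    """Return (interface, vc_id, problem) tuples for VCs that need attention.

    The MTU check is the one the workbook calls out: both PEs must signal the
    same MTU in the LDP label mapping, or the VC never comes up.
    """
    findings = []
    for vc in parse_vc_detail(text):
        if vc["remote_mtu"] is None:
            findings.append((vc["intf"], vc["vcid"], "remote MTU not signaled"))
        elif vc["local_mtu"] != vc["remote_mtu"]:
            findings.append((vc["intf"], vc["vcid"],
                             f"MTU mismatch local={vc['local_mtu']} remote={vc['remote_mtu']}"))
        if vc["status"] != "up":
            findings.append((vc["intf"], vc["vcid"], f"VC status {vc['status']}"))
    return findings


if __name__ == "__main__":
    for intf, vcid, problem in check_vcs(SAMPLE_VC_DETAIL):
        print(f"{intf} VC {vcid}: {problem}")
```

Paste the real detail output from both PEs into the same function; a VC reported as "remote MTU not signaled" means the peer never sent its label mapping, which usually points at a VC ID or pw-class mismatch rather than an MTU problem.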
PE3-RACK1#sho mpls l2transport vc
Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------  --------------  ---------- ----------
Fa2/0          Ethernet                   10.1.1.1        100        UP
PE3-RACK1#sho mpls l2transport vc detail
Local interface: Fa2/0 up, line protocol up, Ethernet up
  MPLS VC type is IP, interworking type is IP
  Destination address: 10.1.1.1, VC ID: 100, VC status: up
    Preferred path: not configured
    Default path: active
    Next hop: 172.16.13.2
  Output interface: Et1/0.31, imposed label stack {22}
  Create time: 00:04:54, last status change time: 00:00:42
  Signaling protocol: LDP, peer 10.1.1.1:0 up
    MPLS VC labels: local 22, remote 22
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description:
  Sequencing: receive disabled, send disabled
  Sequence number: receive 0, send 0
  VC statistics:
    packet totals: receive 0, send 0
    byte totals:   receive 0, send 0
The AToM signaling debug below confirms that the pseudowire is signaled to the peer with VC type 11 (IP interworking). Bringing the attachment circuit up (no shutdown) triggers the label withdraw, release and mapping exchange in which the VC type, VC ID and MTU can be read directly.
PE3-RACK1#no debug all
All possible debugging has been turned off
PE3-RACK1#debug mpls l2transport signaling message
AToM LDP message debugging is on
PE3-RACK1#config t
Enter configuration commands, one per line. End with CNTL/Z.
PE3-RACK1(config)#int e 0/0
PE3-RACK1(config-if)#no shutdown
00:10:55: AToM LDP [10.1.1.1]: Sending label withdraw msg
  vc type 11, cbit 1, vc id 100, group id 0, vc label 23, status 0, mtu 1500
00:10:56: AToM LDP [10.1.1.1]: Received label release msg, id 20, graceful restart instance 0
  vc type 11, cbit 1, vc id 100, group id 0, vc label 23, status 0, mtu 0
00:10:56: AToM LDP [10.1.1.1]: Sending label mapping msg
  vc type 11, cbit 1, vc id 100, group id 0, vc label 22, status 0, mtu 1500
[Figure: ieMentor Bank topology. Site 1 HQ: CE1 (loopback 1.1.1.1/24, E0/0) behind a 3750-M (FE1/0/1) and a 3550 (FE0/8). Site 2: CE8 (loopback 8.8.8.8/24, F0/0). SP1 IP core: PE2 (Loopback 10.1.1.2), PE3 (Loopback 10.1.1.3, E0/0.23 via a 3550 FE0/3) and PE1 (Loopback 10.1.1.1, E0/0.13 via a 3550 FE0/3); PE2 and PE3 share VLAN 123, 172.16.123.0/24; PE3 E0/0.31 sits on VLAN 31, 172.16.13.0/24. The PE2-PE3 path is marked "Encrypt Layer 2".]
♦ Remove all MPLS related commands from SP1 and disable MPLS per interface.
♦ Configure ieMentor Bank's customer requirements.
♦ Customer ieMentor Bank requires Site 2 to communicate with their Site 1 HQ.
♦ The customer requires that Site 1 HQ and Site 2 not send any routing or exchange any information/networks with SP1.
♦ The customer also requires AppleTalk to pass from Site 1 to Site 2 for the designers in their design department.
♦ The customer has 2600 and 2800 routers in Site 1 and Site 2. They want SP1 to establish Layer 2 connectivity such that in the future they can bring multiple sites into HQ without adding additional ports or modules.
♦ Configure SP1 PE2 and PE3 to accommodate all of the above requirements. SP1 is allowed to allocate a VLAN for Site 1 and Site 2.
♦ Configure the feature best suited to making this solution work, and make the solution very dynamic.
♦ Configure a mechanism to transport the customer's VLANs in a secure session.
♦ Configure PE2 and PE3 to minimize overhead for all sessions from PE2 to PE3.
♦ To verify this task, ensure that CE1 and CE8 can ping each other's Loopbacks without advertising them in the SP1 core.
♦ The customer's new requirement is to encrypt all Layer 2 traffic from Site 1 to Site 2, and they are asking SP1 to do it for them.
♦ Configure ISAKMP
♦ Authentication rsa-sig
♦ Hash MD5
♦ Traffic from Site 1 to Site 2 must be encrypted through the SP1 core.
hostname PE3
!
ip cef
!
l2tp-class iementor-class
 authentication
 password 7 060F0A2C
 cookie size 4
!
pseudowire-class PE3-PE2
 encapsulation l2tpv3
 protocol l2tpv3 iementor-class
 ip local interface Loopback0
!
crypto isakmp policy 10
 hash md5
 authentication rsa-sig
crypto isakmp key iem6727 address 10.1.1.2
!
crypto ipsec transform-set iem esp-des esp-md5-hmac
!
crypto map combines 10 ipsec-isakmp
 description to PE2
 set peer 10.1.1.2
 set transform-set iem
 match address 115
!
interface Loopback0
 ip address 10.1.1.3 255.255.255.255
 crypto map combines
!
interface Ethernet0/0.31
 ip address 172.16.13.1 255.255.255.0
 crypto map combines
!
interface Ethernet0/0.13
 no ip address
 no cdp enable
 xconnect 10.1.1.2 100 pw-class PE3-PE2
!
interface Ethernet0/0.30
 ip address 172.16.30.2 255.255.255.0
 crypto map combines
!
interface Ethernet0/0.123
 ip address 172.16.123.3 255.255.255.0
 crypto map combines
!
access-list 115 permit 115 any any log
hostname PE2-RACK1
!
ip cef
!
l2tp-class iementor-class
 authentication
 password 7 151B0E01
 cookie size 4
!
pseudowire-class PE3-PE2
 encapsulation l2tpv3
 protocol l2tpv3 iementor-class
 ip local interface Loopback0
!
crypto isakmp policy 10
 hash md5
 authentication rsa-sig
!
crypto isakmp key iem6727 address 10.1.1.3
!
crypto ipsec transform-set iem esp-des esp-md5-hmac
!
crypto map combines 10 ipsec-isakmp
 description to PE3
 set peer 10.1.1.3
 set transform-set iem
 match address 115
!
interface Loopback0
 ip address 10.1.1.2 255.255.255.255
 crypto map combines
!
interface Ethernet0/0.21
 ip address 172.16.12.1 255.255.255.0
 crypto map combines
!
interface Ethernet0/0.123
 ip address 172.16.123.2 255.255.255.0
 crypto map combines
!
interface Ethernet0/0.82
 no ip address
 no cdp enable
 xconnect 10.1.1.3 100 pw-class PE3-PE2
A few points about this configuration. The crypto ACL, access-list 115 permit 115 any any, selects IP protocol 115, which is L2TPv3; both the L2TPv3 control channel and the tunneled Layer 2 frames travel between the two loopbacks as protocol 115, so matching on the protocol alone places the whole pseudowire inside the IPsec tunnel (PE2 needs the same access-list 115, which is not shown above). The l2tp-class authentication and cookie protect the L2TPv3 control channel and reject spoofed data packets, but they provide no confidentiality, which is why IPsec is layered on top. Both PEs list authentication rsa-sig in policy 10, as the task requires, yet each also configures a pre-shared key for its peer and no RSA key pair or certificate trustpoint; the show crypto isakmp policy output and the debug further down (auth pre-share, found peer pre-shared key matching 10.1.1.2) show that policy 10 was in fact negotiated with pre-shared keys. rsa-sig would require an RSA key pair and a certificate on each PE, which this lab does not set up. Finally, esp-des, MD5 and Diffie-Hellman group 1 (768 bit) are what the task asks for, not a recommendation: 56-bit DES and 768-bit DH offer no meaningful protection today and should be replaced by AES and a larger DH group outside a lab.
PE3-RACK1#sho debugging
Cryptographic Subsystem:
  Crypto ISAKMP debugging is on
  Crypto IPSEC debugging is on
01:50:05: ISAKMP:(0):Notify has no hash. Rejected.
01:50:05: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
01:50:05: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
01:50:05: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1
01:50:05: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.1.1.2
01:50:05: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi
PE3-RACK1#clear crypto
01:51:35: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 10.1.1.3 dst 10.1.1.2 for SPI 0xD07B32DA
01:51:43: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 10.1.1.3 dst 10.1.1.2 for SPI 0xD07B32DA
PE3-RACK1#sho crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.1.2        172.16.13.1     MM_NO_STATE          0    0 ACTIVE (deleted)
10.1.1.2        172.16.13.1     MM_NO_STATE          0    0 ACTIVE (deleted)
As you can see, ISAKMP cannot stay up: the SA never leaves MM_NO_STATE, and the only input from the peer is an informational notify, which is rejected. The src column gives it away: PE3 sources IKE from 172.16.13.1, the subinterface the packets leave on, instead of from Loopback0 (10.1.1.3), which is the address PE2 holds a pre-shared key for and the address the L2TPv3 pseudowire is built between. Source peering is the issue. To resolve it, follow the steps below:
PE2-RACK1#sho crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.1.2        172.16.13.1     MM_NO_STATE          0    0 ACTIVE (deleted)
PE3-RACK1#sho crypto isakmp policy
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
PE2-RACK1#sho crypto isakmp policy
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
PE3-RACK1#sho crypto session
Crypto session current status
Interface: Ethernet0/0
Session status: DOWN-NEGOTIATING
Peer: 10.1.1.2 port 500
IKE SA: local 172.16.13.1/500 remote 10.1.1.2/500 Inactive
IKE SA: local 172.16.13.1/500 remote 10.1.1.2/500 Inactive
IPSEC FLOW: permit 115 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
Interface: Ethernet3/0
Session status: DOWN
Peer: 10.1.1.2 port 500
IPSEC FLOW: permit 115 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
Interface: Ethernet4/0
Session status: DOWN
Peer: 10.1.1.2 port 500
IPSEC FLOW: permit 115 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
Interface: Loopback0
Session status: DOWN
Peer: 10.1.1.2 port 500
IPSEC FLOW: permit 115 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
PE3-RACK1#sho crypto session
01:54:51: No peer struct to get peer description
01:54:51: No peer struct to get peer description
01:54:51: No peer struct to get peer description
01:54:51: No peer struct to get peer description
01:54:52: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 172.16.13.1, remote= 10.1.1.2,
    local_proxy= 0.0.0.0/0.0.0.0/115/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/115/0 (type=4)
01:54:52: IPSEC(sa_request): ,
PE3-RACK1#sho crypto session
01:54:52: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 172.16.13.1, remote 10.1.1.2)
01:54:52: ISAKMP: Error while processing SA request: Failed to initialize SA
01:54:52: ISAKMP: Error while processing KMI message 0, error 2.
PE3-RACK1#sho crypto session
01:54:54: ISAKMP:(0):purging node -1243206952
01:54:54: ISAKMP:(0):purging node -1914778357
PE3-RACK1#sho crypto session
01:55:01: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 10.1.1.3 dst 10.1.1.2 for SPI 0xD07B32DA
PE3-RACK1#config t
Below is what you are missing. It is very common to forget to source the crypto map correctly. Because the L2TPv3 pseudowire is sourced from Loopback0 on both PEs (ip local interface Loopback0) and each PE's pre-shared key is bound to the other PE's loopback address, the crypto map must be sourced from the same loopback, so that IKE is initiated from, and identifies itself as, the peering address rather than the egress subinterface (172.16.13.1 above):
PE2-RACK1(config)#crypto map combines local-address loopback 0
PE3-RACK1(config)#crypto map combines local-address loopback 0
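As an added check, not from the workbook: the script below derives the expected IKE source from the pseudowire-class (ip local interface), then flags a crypto map with no local-address and any ISAKMP SA sourced from a different address, which is exactly the condition the two commands above correct. The configuration excerpt and the two show crypto isakmp sa tables it parses are constructed samples modelled on the PE3 listings in this lab, and the function names are my own.

```python
import re

# Constructed sample config (not the workbook's verbatim listing): the lines
# of PE3 that matter for IKE sourcing, before the fix. The "after" variant only
# adds the local-address statement.
PE3_CONFIG_BEFORE = """\
pseudowire-class PE3-PE2
 encapsulation l2tpv3
 protocol l2tpv3 iementor-class
 ip local interface Loopback0
!
crypto map combines 10 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set iem
 match address 115
!
interface Loopback0
 ip address 10.1.1.3 255.255.255.255
 crypto map combines
!
interface Ethernet0/0.31
 ip address 172.16.13.1 255.255.255.0
 crypto map combines
"""
PE3_CONFIG_AFTER = PE3_CONFIG_BEFORE + "crypto map combines local-address Loopback0\n"

# Constructed "show crypto isakmp sa" tables, modelled on the ones in this lab.
SA_BEFORE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.1.2        172.16.13.1     MM_NO_STATE          0    0 ACTIVE (deleted)
"""
SA_AFTER = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.1.2        10.1.1.3        QM_IDLE           1002    0 ACTIVE
"""

SA_ROW_RE = re.compile(
    r"^(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<state>\S+)\s+(?P<connid>\d+)\s+(?P<slot>\d+)\s+(?P<status>.*)$",
    re.MULTILINE,
)


def interface_address(config, ifname):
    """Return the IPv4 address configured under 'interface <ifname>'."""
    block = re.search(
        rf"^interface {re.escape(ifname)}\n(?P<body>(?: .*\n)*)", config, re.MULTILINE
    )
    if not block:
        return None
    addr = re.search(r"^ ip address (\S+) ", block.group("body"), re.MULTILINE)
    return addr.group(1) if addr else None


def pseudowire_source(config, pw_class):
    """The interface the L2TPv3 pseudowire is sourced from (ip local interface)."""
    m = re.search(
        rf"^pseudowire-class {re.escape(pw_class)}\n(?: .*\n)*? ip local interface (\S+)",
        config, re.MULTILINE,
    )
    return m.group(1) if m else None


def crypto_map_local_address(config, map_name):
    """The interface named in 'crypto map <name> local-address', if any."""
    m = re.search(rf"^crypto map {re.escape(map_name)} local-address (\S+)", config, re.MULTILINE)
    return m.group(1) if m else None


def parse_isakmp_sa(text):
    """Rows of 'show crypto isakmp sa' as dicts (dst, src, state, connid, slot, status)."""
    return [m.groupdict() for m in SA_ROW_RE.finditer(text)]


def audit(config, sa_output, pw_class="PE3-PE2", map_name="combines"):
    """Flag IKE that is not sourced from the pseudowire's own loopback."""
    findings = []
    src_if = pseudowire_source(config, pw_class)
    expected = interface_address(config, src_if) if src_if else None
    if expected is None:
        return [f"cannot determine pseudowire source for {pw_class}"]
    local = crypto_map_local_address(config, map_name)
    if local is None:
        findings.append(f"crypto map {map_name} has no local-address; "
                        f"IKE will be sourced from the egress interface, not {src_if}")
    elif local.replace(" ", "").lower() != src_if.lower():   # IOS accepts "loopback 0"
        findings.append(f"crypto map {map_name} sourced from {local}, pseudowire from {src_if}")
    for row in parse_isakmp_sa(sa_output):
        if row["src"] != expected:
            findings.append(f"ISAKMP SA to {row['dst']} sourced from {row['src']} "
                            f"(expected {expected}), state {row['state']}")
    return findings


if __name__ == "__main__":
    print("before:", audit(PE3_CONFIG_BEFORE, SA_BEFORE))
    print("after: ", audit(PE3_CONFIG_AFTER, SA_AFTER))
```

The same mismatch shows up on the responder as a pre-shared key lookup for an address it has no key for (PE2 only has crypto isakmp key ... address 10.1.1.3), so running the audit against both PEs' configs catches it from either side.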
Here we go!
01:55:08: ISAKMP:(0):peer does not do paranoid keepalives.
01:55:08: ISAKMP:(0):deleting SA reason "Death by tree-walk" state (I) MM_NO_STATE (peer 10.1.1.2)
01:55:08: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
01:55:08: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
01:55:08: ISAKMP:(0):deleting SA reason "Death by tree-walk" state (I) MM_NO_STATE (peer 10.1.1.2)
01:55:08: ISAKMP: Unlocking peer struct 0x3D89390 for isadb_mark_sa_deleted(), count 0
01:55:08: ISAKMP: Deleting peer node by peer_reap for 10.1.1.2: 3D89390
01:55:08: ISAKMP:(0):deleting node -1091408871 error FALSE reason "IKE deleted"
01:55:08: ISAKMP:(0):deleting node 1412236188 error FALSE reason "IKE deleted"
01:55:08: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
01:55:08: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
01:55:08: IPSEC(key_engine): got a queue event with 1 KMI message(s)
01:55:08: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.1.1.3, remote= 10.1.1.2,
    local_proxy= 0.0.0.0/0.0.0.0/115/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/115/0 (type=4),
    protocol= ESP, transform= NONE (Tunnel),
    lifedur= 3600s and 4608000kb,
01:55:08: ISAKMP:(0): SA request profile is (NULL)
01:55:08: ISAKMP: Created a peer struct for 10.1.1.2, peer port 500
01:55:08: ISAKMP: New peer created peer = 0x3CC4618 peer_handle = 0x80000076
01:55:08: ISAKMP: Locking peer struct 0x3CC4618, refcount 1 for isakmp_initiator
01:55:08: ISAKMP: local port 500, remote port 500
01:55:08: ISAKMP: set new node 0 to QM_IDLE
01:55:08: insert sa successfully sa = 3E07118
01:55:08: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
01:55:08: ISAKMP:(0):found peer pre-shared key matching 10.1.1.2
01:55:08: ISAKMP:(0): constructed NAT-T vendor-07 ID
01:55:08: ISAKMP:(0): constructed NAT-T vendor-03 ID
01:55:08: ISAKMP:(0): constructed NAT-T vendor-02 ID
01:55:08: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
01:55:08: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
01:55:08: ISAKMP:(0): beginning Main Mode exchange
01:55:08: ISAKMP:(0): sending packet to 10.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
01:55:08: ISAKMP (0:0): received packet from 10.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
01:55:08: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
01:55:08: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
01:55:08: ISAKMP:(0): processing SA payload. message ID = 0
01:55:08: ISAKMP:(0): processing vendor id payload
01:55:08: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
01:55:08: ISAKMP (0:0): vendor ID is NAT-T v7
01:55:08: ISAKMP:(0):found peer pre-shared key matching 10.1.1.2
01:55:08: ISAKMP:(0): local preshared key found
01:55:08: ISAKMP : Scanning profiles for xauth ...
01:55:08: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
01:55:08: ISAKMP:      encryption DES-CBC
01:55:08: ISAKMP:      hash MD5
01:55:08: ISAKMP:      default group 1
01:55:08: ISAKMP:      auth pre-share
01:55:08: ISAKMP:      life type in seconds
01:55:08: ISAKMP:(0):atts are acceptable. Next payload is 0
01:55:08: ISAKMP:(0): processing vendor id payload
01:55:08: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
01:55:08: ISAKMP (0:0): vendor ID is NAT-T v7
01:55:08: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
01:55:08: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
01:55:08: ISAKMP:(0): sending packet to 10.1.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
01:55:08: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
01:55:08: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
01:55:08: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 10.1.1.3 dst 10.1.1.2 for SPI 0xD07B32DA
01:55:08: ISAKMP (0:0): received packet from 10.1.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
01:55:08: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
01:55:08: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
01:55:08: ISAKMP:(0): processing KE payload. message ID = 0
01:55:08: ISAKMP:(0): processing NONCE payload. message ID = 0
01:55:08: ISAKMP:(0):found peer pre-shared key matching 10.1.1.2
01:55:08: ISAKMP:(1002): processing vendor id payload
01:55:08: ISAKMP:(1002): vendor ID is Unity
01:55:08: ISAKMP:(1002): processing vendor id payload
01:55:08: ISAKMP:(1002): vendor ID is DPD
01:55:08: ISAKMP:(1002): processing vendor id payload
01:55:08: ISAKMP:(1002): speaking to another IOS box!
01:55:08: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
01:55:08: ISAKMP:(1002):Old State = IKE_I_MM4 New State = IKE_I_MM4
01:55:08: ISAKMP:(1002):Send initial contact
01:55:08: ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
01:55:08: ISAKMP (0:1002): ID payload
        next-payload : 8
        type         : 1
        address      : 10.1.1.3
        protocol     : 17
        port         : 500
        length       : 12
01:55:08: ISAKMP:(1002):Total payload length: 12
01:55:08: ISAKMP:(1002): sending packet to 10.1.1.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
01:55:08: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
01:55:08: ISAKMP:(1002):Old State = IKE_I_MM4 New State = IKE_I_MM5
01:55:08: ISAKMP (0:1002): received packet from 10.1.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
01:55:08: ISAKMP:(1002): processing ID payload. message ID = 0
01:55:08: ISAKMP (0:1002): ID payload
        next-payload : 8
        type         : 1
        address      : 10.1.1.2
        protocol     : 17
        port         : 500
        length       : 12
01:55:08: ISAKMP:(1002):: peer matches *none* of the profiles
01:55:08: ISAKMP:(1002): processing HASH payload. message ID = 0
01:55:08: ISAKMP:(1002):SA authentication status: authenticated
01:55:08: ISAKMP:(1002):SA has been authenticated with 10.1.1.2
01:55:08: ISAKMP: Trying to insert a peer 10.1.1.3/10.1.1.2/500/, and inserted successfully 3CC4618.
01:55:08: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
01:55:08: ISAKMP:(1002):Old State = IKE_I_MM5 New State = IKE_I_MM6
01:55:08: ISAKMP (0:1002): received packet from 10.1.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
01:55:08: ISAKMP: set new node 654786214 to QM_IDLE
01:55:08: ISAKMP:(1002): processing HASH payload. message ID = 654786214
01:55:08: ISAKMP:(1002): processing DELETE payload. message ID = 654786214
01:55:08: ISAKMP:(1002):peer does not do paranoid keepalives.
01:55:08: ISAKMP:(1002):deleting node 654786214 error FALSE reason "Informational (in) state 1"
01:55:08: IPSEC(key_engine): got a queue event with 1 KMI message(s)
01:55:08: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
01:55:08: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
01:55:08: ISAKMP:(1002):Old State = IKE_I_MM6 New State = IKE_I_MM6
01:55:08: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
01:55:08: ISAKMP:(1002):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
01:55:08: ISAKMP:(1002):beginning Quick Mode exchange, M-ID of 750854051
01:55:08: ISAKMP:(1002):QM Initiator gets spi
01:55:08: ISAKMP:(1002): sending packet to 10.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE
01:55:08: ISAKMP:(1002):Node 750854051, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
01:55:08: ISAKMP:(1002):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
01:55:08: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
01:55:08: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
01:55:08: ISAKMP (0:1002): received packet from 10.1.1.2 dport 500 sport 500 Global (I) QM_IDLE
01:55:08: ISAKMP:(1002): processing HASH payload. message ID = 750854051
01:55:08: ISAKMP:(1002): processing SA payload. message ID = 750854051
01:55:08: ISAKMP:(1002):Checking IPSec proposal 1
01:55:08: ISAKMP: transform 1, ESP_DES
01:55:08: ISAKMP:   attributes in transform:
01:55:08: ISAKMP:      encaps is 1 (Tunnel)
01:55:08: ISAKMP:      SA life type in seconds
01:55:08: ISAKMP:      SA life duration (basic) of 3600
01:55:08: ISAKMP:      SA life type in kilobytes
01:55:08: ISAKMP:      authenticator is HMAC-MD5
01:55:08: ISAKMP:(1002):atts are acceptable.
01:55:08: IPSEC(validate_proposal_request): proposal part #1
01:55:08: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 10.1.1.3, remote= 10.1.1.2,
    local_proxy= 0.0.0.0/0.0.0.0/115/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/115/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),
    lifedur= 0s and 0kb,
01:55:08: Crypto mapdb : proxy_match
        src addr     : 0.0.0.0
        dst addr     : 0.0.0.0
        protocol     : 115
        src port     : 0
        dst port     : 0
01:55:08: ISAKMP:(1002): processing NONCE payload. message ID = 750854051
01:55:08: ISAKMP:(1002): processing ID payload. message ID = 750854051
01:55:08: ISAKMP:(1002): processing ID payload. message ID = 750854051
01:55:08: ISAKMP:(1002): Creating IPSec SAs
01:55:08:         inbound SA from 10.1.1.2 to 10.1.1.3 (f/i) 0/ 0 (proxy 0.0.0.0 to 0.0.0.0)
01:55:08:         has spi 0x35A80A69 and conn_id 0
01:55:08:         lifetime of 3600 seconds
01:55:08:         lifetime of 4608000 kilobytes
01:55:08:         outbound SA from 10.1.1.3 to 10.1.1.2 (f/i) 0/0 (proxy 0.0.0.0 to 0.0.0.0)
01:55:08:         has spi 0x9C7B9051 and conn_id 0
01:55:08:         lifetime of 3600 seconds
01:55:08:         lifetime of 4608000 kilobytes
01:55:08: ISAKMP:(1002): sending packet to 10.1.1.2 my_port 500 peer_port 500 (I) QM_IDLE
01:55:08: ISAKMP:(1002):deleting node 750854051 error FALSE reason "No Error"
01:55:08: ISAKMP:(1002):Node 750854051, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
01:55:08: ISAKMP:(1002):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
01:55:08: IPSEC(key_engine): got a queue event with 1 KMI message(s)
01:55:08: Crypto mapdb : proxy_match
        src addr     : 0.0.0.0
        dst addr     : 0.0.0.0
        protocol     : 115
        src port     : 0
        dst port     : 0
01:55:08: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 10.1.1.2
01:55:08: IPSEC(policy_db_add_ident): src 0.0.0.0, dest 0.0.0.0, dest_port 0
PE3-RACK1#sho crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.1.2        10.1.1.3        QM_IDLE           1002    0 ACTIVE
[...]
... isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id  Local           Remote          I-VRF  Status  Encr  Hash  Auth  Lifetime  Cap
1002  10.1.1.3        10.1.1.2               ACTIVE  des   md5   psk   23:59:29
      Engine-id:Conn-id = 0
      172.16.13.1                            ACTIVE  ???
PE3-RACK1#sho access-lists 115
Extended IP...
... round-trip min/avg/max = 20/20/20 ms
CE8-RACK13#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms
PE2-RACK1#sho crypto session de
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE...
[...]
PE3-RACK1#sho crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: Loopback0
Session status: UP-NO-IKE
Peer: 10.1.1.2 port 500 fvrf: (none) ivrf: (none)
  Desc: (none)...