What I remember from the lab exam questions
Started by ozoubi, Oct 19 2011 05:20 PM
CCIE Sec Lab exam questions
3 replies to this topic
#1
Posted 19 October 2011 - 05:20 PM
Hi all,
I failed in the sec lab. What I remember from the questions was (each 6 points):
1- configure an L2L IPsec tunnel between two routers without using a crypto map and without using an ACL to identify the interesting traffic.
2- DMVPN and EzVPN on the same router as a Hub.
Could anyone advise regarding point 1...?
Regards..
#2
Posted 23 October 2011 - 03:36 AM
Hi,
For point 1, they are referring to configuring a Static Virtual Tunnel Interface (known as SVTI), where you configure IPsec using IPsec profiles (hence, no crypto map) and define the encrypted traffic using some sort of routing (usually EIGRP) to route the traffic to the tunnel interface.
Imagine the router has 2 interfaces:
fa0/0 (outside) with IP 1.1.1.1
fa0/1 (inside) with IP 192.168.1.1
The config needed is:
! Phase 1 (ISAKMP) policy; the command needs a priority number
crypto isakmp policy 10
 encryption 3des
 hash sha
 group 2
 authentication pre-share
crypto isakmp key <string> address <peer IP>
! Phase 2 transform set, referenced from an IPsec profile instead of a crypto map
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec profile IPSEC
 set transform-set myset
! The SVTI: whatever is routed into Tunnel1 gets encrypted
interface Tunnel1
 ip address 10.10.10.1 255.255.255.0
 no shutdown
 tunnel source FastEthernet0/0
 tunnel destination <peer IP address>
 tunnel mode ipsec ipv4
 ! <--------------- the most important command, which makes the tunnel interface an IPsec interface
 tunnel protection ipsec profile IPSEC
! Routing over the tunnel replaces the interesting-traffic ACL
router eigrp 1
 network 192.168.1.0 0.0.0.255
 network 10.10.10.0 0.0.0.255
 no auto-summary
For sure, the same should be done on the peer router.
This way, you create an IPsec tunnel without a crypto map and without the need to have an ACL for interesting traffic.
Hope it helps
Othman
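The peer-side configuration that mirrors the one above, followed by the checks that confirm the SVTI actually came up. This is an added example, not part of Othman's post; the peer's outside address 2.2.2.2, its inside network 192.168.2.0/24 and the pre-shared key cisco123 are assumed values.

```cisco
! R2 (peer), added example mirroring R1 above. Assumed addressing:
!   fa0/0 outside 2.2.2.2, fa0/1 inside 192.168.2.1/24, PSK cisco123
crypto isakmp policy 10
 encryption 3des
 hash sha
 group 2
 authentication pre-share
! The key points back at R1's outside address; on R1 it must point at 2.2.2.2
crypto isakmp key cisco123 address 1.1.1.1
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec profile IPSEC
 set transform-set myset
interface Tunnel1
 ip address 10.10.10.2 255.255.255.0
 no shutdown
 tunnel source FastEthernet0/0
 tunnel destination 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC
router eigrp 1
 network 192.168.2.0 0.0.0.255
 network 10.10.10.0 0.0.0.255
 no auto-summary
!
! Verification (either router). There is no crypto map or ACL to inspect,
! so confirm the tunnel, the SAs and the routing instead:
! 1. Tunnel1 line protocol stays down until tunnel protection succeeds
show interface Tunnel1
! 2. Phase 1: the peer should be listed in state QM_IDLE
show crypto isakmp sa
! 3. Phase 2: an SVTI negotiates one SA with 0.0.0.0/0 <-> 0.0.0.0/0
!    proxy identities; #pkts encaps / #pkts decaps grow as traffic is routed in
show crypto ipsec sa
! 4. EIGRP neighbor over the tunnel and the remote LAN learned via Tunnel1
show ip eigrp neighbors
show ip route eigrp
! 5. From R1, a sourced ping across the LANs must follow the Tunnel1 route
ping 192.168.2.1 source 192.168.1.1
```

If the ISAKMP SA forms but Tunnel1 stays down, the usual culprits are a transform-set or profile mismatch; if the LAN ping fails while the tunnel is up, EIGRP has not learned the remote network and traffic is simply never routed into the tunnel.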
#3
Posted 21 January 2012 - 07:51 PM
Many thanks my brother... appreciated Othman..
#4
Posted 05 April 2012 - 12:41 AM
Was it your first time taking the exam?