<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>GlobalConfig.net &#187; IE Labs</title>
	<atom:link href="http://www.globalconfig.net/category/ccie-security/ie-labs/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.globalconfig.net</link>
	<description>Studying for Cisco Certifications</description>
	<lastBuildDate>Mon, 26 Jul 2010 15:00:58 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>Mobility Matters: Study Time isn&#8217;t always when you&#8217;re home.</title>
		<link>http://www.globalconfig.net/2010/05/30/mobility-matters-study-time-isnt-always-when-your-home/</link>
		<comments>http://www.globalconfig.net/2010/05/30/mobility-matters-study-time-isnt-always-when-your-home/#comments</comments>
		<pubDate>Sun, 30 May 2010 23:45:09 +0000</pubDate>
		<dc:creator>Brandon Carroll</dc:creator>
				<category><![CDATA[CCIE General]]></category>
		<category><![CDATA[CCNA Corner]]></category>
		<category><![CDATA[CCNP Study]]></category>
		<category><![CDATA[CCSP Study]]></category>
		<category><![CDATA[General Training]]></category>
		<category><![CDATA[IE Labs]]></category>
		<category><![CDATA[IPExpert Labs]]></category>
		<category><![CDATA[CCIE]]></category>
		<category><![CDATA[iPad]]></category>
		<category><![CDATA[lab access.]]></category>
		<category><![CDATA[software]]></category>
		<category><![CDATA[study tips]]></category>

		<guid isPermaLink="false">http://www.globalconfig.net/2010/05/30/mobility-matters-study-time-isnt-always-when-your-home/</guid>
		<description><![CDATA[So I had to geek out on this for a moment. I haven&#8217;t said much about my iPad since I bought it. I do know that it will not replace my laptop any time soon. I can say, however, that the more you use the keyboard the better you get at it. One tool I [...]


]]></description>
			<content:encoded><![CDATA[<p>So I had to geek out on this for a moment. I haven&#8217;t said much about my iPad since I bought it. I do know that it will not replace my laptop any time soon. I  can say, however, that the more you use the keyboard the better you get at it. </p>
<p>One tool I am learning to appreciate is the iSSH app. It does telnet and RDP as well.  It&#8217;s about ten dollars in the App Store, but it lets you have multiple connections open at once, and depending on the orientation of the iPad it kinda gets out of the way. Here are a few screenshots taken while messing around with a router.</p>
<p>Please add your thoughts or apps you are using to study to the comments section. </p>
<p>Happy labbing! </p>
<p><a href="http://www.globalconfig.net/wp-content/uploads/2010/05/p_1024_768_A188321F-2D1C-482F-A84B-FE92A706FCDF.jpeg"><img src="http://www.globalconfig.net/wp-content/uploads/2010/05/p_1024_768_A188321F-2D1C-482F-A84B-FE92A706FCDF.jpeg" alt="" class="alignnone size-full" /></a></p>
<p><a href="http://www.globalconfig.net/wp-content/uploads/2010/05/p_1024_768_A141621F-89D3-47E1-90DB-306F244BB9F0.jpeg"><img src="http://www.globalconfig.net/wp-content/uploads/2010/05/p_1024_768_A141621F-89D3-47E1-90DB-306F244BB9F0.jpeg" alt="" class="alignnone size-full" /></a></p>
<p><a href="http://www.globalconfig.net/wp-content/uploads/2010/05/p_1024_768_B957560D-B7ED-4138-922E-B17D83C1F6DE.jpeg"><img src="http://www.globalconfig.net/wp-content/uploads/2010/05/p_1024_768_B957560D-B7ED-4138-922E-B17D83C1F6DE.jpeg" alt="" class="alignnone size-full" /></a></p>


]]></content:encoded>
			<wfw:commentRss>http://www.globalconfig.net/2010/05/30/mobility-matters-study-time-isnt-always-when-your-home/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Recap of my journey CCIE Security</title>
		<link>http://www.globalconfig.net/2009/03/17/recap-of-my-journey-ccie-security/</link>
		<comments>http://www.globalconfig.net/2009/03/17/recap-of-my-journey-ccie-security/#comments</comments>
		<pubDate>Tue, 17 Mar 2009 23:41:54 +0000</pubDate>
		<dc:creator>Brandon Carroll</dc:creator>
				<category><![CDATA[CCIE Security]]></category>
		<category><![CDATA[General Information]]></category>
		<category><![CDATA[IE ATC-CoD]]></category>
		<category><![CDATA[IE Information]]></category>
		<category><![CDATA[IE Labs]]></category>
		<category><![CDATA[IPExpert Information]]></category>
		<category><![CDATA[IPExpert Labs]]></category>
		<category><![CDATA[Rants]]></category>
		<category><![CDATA[CCIE 23837]]></category>
		<category><![CDATA[IE]]></category>
		<category><![CDATA[IPexpert]]></category>
		<category><![CDATA[Passed CCIE Security]]></category>
		<category><![CDATA[Re-Cap]]></category>
		<category><![CDATA[video]]></category>

		<guid isPermaLink="false">http://www.globalconfig.net/?p=741</guid>
		<description><![CDATA[I know most of you have heard already, but if not, I passed the CCIE Security exam in RTP on March 13th, 2009. I wanted to take a moment to recap my journey. I have been a Cisco Instructor for 8 years now. I have been teaching the CCSP track since its inception, and taught [...]


]]></description>
			<content:encoded><![CDATA[<p>I know most of you have heard already, but if not, I passed the CCIE Security exam in RTP on March 13th, 2009.  I wanted to take a moment to recap my journey.</p>
<p>I have been a Cisco Instructor for 8 years now.  I have been teaching the CCSP track since its inception, and taught various courses of the CSS-1 prior to that.  Although I was a CCSP, I didn&#8217;t take the CCIE Security Written exam until March 21, 2007.  I passed with an 85 on my first attempt.  I used the <a href="http://www.ccbootcamp.com/self-paced-training/ccie-security/ccie-security-written-exam-study-guide.html">CCBootcamp written exam guide</a> to prepare for that, along with my existing knowledge as a CCSP/Instructor.</p>
<p>Studying for the lab is a whole new ball game.  It&#8217;s weird because there is a total difference between knowing the book material that Cisco tests you on for the Professional-level certifications, and being able to teach it, and knowing the material that is on the CCIE lab exam and being able to implement it.  Don&#8217;t get me wrong, I knew the material, and the concepts of why things were happening were easy for me.  What was difficult was putting it all together.  When you teach an ASA class, IPS class, or any other security class for that matter, it doesn&#8217;t cover how all these things work together.  That&#8217;s where the CCIE will get you!</p>
<p>Anyhow, I know people are wondering what material I used in preparing for the lab exam.  I made a video to show you, mainly because I think the spread of material is impressive.  Please do not get mad at me for killing a tree.  In the future I&#8217;ll use PDFs.  Also, forgive me for the quality of the video.  I am too cheap to buy an HD camera.  I made the video at 6 am so don&#8217;t expect much.</p>
<p><object width="445" height="364"><param name="movie" value="http://www.youtube.com/v/diV-TL39qJ8&#038;hl=en&#038;fs=1&#038;rel=0&#038;border=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/diV-TL39qJ8&#038;hl=en&#038;fs=1&#038;rel=0&#038;border=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="445" height="364"></embed></object></p>
<p>So, assuming you watched that video and know what I used to prepare, I&#8217;ll give you the run down of the lab.</p>
<p>First time was in San Jose.  I was overwhelmed.  I had a decent understanding but no strategy.  I ran out of time and had maybe 50 points.</p>
<p>Second time was in San Jose as well.  It went better than the first but still there were some grey areas for me and even though I took the InternetworkExpert Online Bootcamp and used Brian&#8217;s strategy I still was missing something.</p>
<p>The third, and final, attempt was in RTP, North Carolina.  There is no particular reason I switched to RTP.  It&#8217;s not closer to me by any means.  I live in Seattle.  But I wanted something fresh.  I stayed at the <a href="http://www.wingatehotels.com/Wingate/control/Booking/property_info?propertyId=09822">Wingate hotel</a> which was great.  The bed was comfortable and the rate was fair.  I flew in the night before the exam.  I arrived at the hotel at 9pm, took half of a sleeping pill (Melatonin) and crashed.  I woke up refreshed and ready to go.</p>
<p>The hotel had a continental breakfast and I didn&#8217;t eat much but forced myself to eat a little.  I stopped at Starbucks on the way, and headed over to the Cisco office.  Now when you get there you should know that the building will remain dark until right around 7am.  There is nobody there to meet you in the lobby.  Someone from Cisco was taking the lab as well and they let me in the lobby using their badge.  At about 7:10 the proctor came out.  He was very nice and much more chatty than Tom (nice guy) in San Jose.</p>
<p>We were led back to the room and from there it&#8217;s your standard lab exam stuff.  We broke at about 11 for lunch.  I say about 11 because they cater in lunch and there wasn&#8217;t a set time.  You still only get 30 minutes for lunch.  I ate a bit and tried to work out some issues in my head.</p>
<p>I finished about 45 minutes early but left 15 minutes before the Proctor called it a day.  That includes my clean up and so on.  I didn&#8217;t use the last 45 minutes to do any extra verifications because I didn&#8217;t want to break anything.  Then I went to dinner at the <a href="http://www.angusbarn.com/welcome.html">Angus Barn</a>.  I had Alaskan King Crab Claws, a 24oz New York Strip and an Oatmeal Stout.  Pass or fail I was going to enjoy that meal.</p>
<p>The wait was excruciating.  I didn&#8217;t get my results until about 8:30 on Sunday night, so if you are planning on taking the lab on Friday you should be aware of that.</p>
<p>Now that it&#8217;s over I am enjoying the fact that I don&#8217;t have a deadline staring me in the face, but I still love the technology and want to learn more.  I think the next track that I am going to pursue is the CCIE Voice, but I have the CCVP in between that I have to get up to Instructor level on.  I already have the <a href="http://www.ipexpert.com">IPexpert CCIE Voice BLS</a> and plan on renting from <a href="http://proctorlabs.com">Proctor Labs</a>.</p>
<p>The big kicker for me was the bootcamp at IPexpert and the labs I did after that.  Without the information I gained from IPexpert&#8217;s Jared Scrivener I don&#8217;t think I would have passed.  I&#8217;m not going to give away all of his tricks because that&#8217;s what he gets paid to do.  But seriously, Jared, you are the man!</p>
<p>Also I can&#8217;t say enough about the support that I received from Ted Wagner at <a href="http://www.ascolta.com">Ascolta</a>.  He really stood behind me even though there were other things he probably wanted me working on.</p>
<p>Wayne Lawson at IPexpert was another key player in my success along with Matt Brooks, Neil Apolzan, and Drew LaPla.</p>
<p>I can&#8217;t forget to mention <a href="http://idontwannabeaccie.blogspot.com/">Mike Down</a>.  Before Mike started pinging me online I only owned the IPexpert Volume 4.1 and the Proctor Guide, and I wasn&#8217;t really looking at using IPexpert.</p>
<p>One last person I have to mention is my wife.  She was patient with me even though the family would take a hit from time to time while I was studying.  The CCIE is not easy on a family but the accomplishment and the job security afterwards was the payoff I was looking for.  I think I got it.  Time will tell.  At least I have her if the other stuff doesn&#8217;t pan out.</p>
<p>That&#8217;s about it for this rant.  I&#8217;m going to keep blogging about topics that come up in my classes as well as through the contact form.  When I start to study for the Voice IE I&#8217;ll try to blog it all here as well.  In the meantime I am going to spend some time posting on <a href="http://www.networkworld.com/community/carroll">Network World for the CCNA Wireless candidates</a> and catching up on my sleep/socializing/theocratic activities/yard work/home improvement projects/reading/DVR/family videos/family photos/email/projects at work/fitness/weight loss/rss feeds/staring into space/day dreaming/playing darts with tyrel/texting my daughter/emailing my mom/calling my grandma/netflix/and enjoying whatever comes my way.</p>


]]></content:encoded>
			<wfw:commentRss>http://www.globalconfig.net/2009/03/17/recap-of-my-journey-ccie-security/feed/</wfw:commentRss>
		<slash:comments>17</slash:comments>
		</item>
		<item>
		<title>VPN3k CLI only</title>
		<link>http://www.globalconfig.net/2008/12/18/vpn3k-cli-only/</link>
		<comments>http://www.globalconfig.net/2008/12/18/vpn3k-cli-only/#comments</comments>
		<pubDate>Fri, 19 Dec 2008 07:54:59 +0000</pubDate>
		<dc:creator>Brandon Carroll</dc:creator>
				<category><![CDATA[CCIE Security]]></category>
		<category><![CDATA[IE Labs]]></category>
		<category><![CDATA[Studies In VPN]]></category>
		<category><![CDATA[VPN3k]]></category>

		<guid isPermaLink="false">http://www.globalconfig.net/?p=611</guid>
		<description><![CDATA[It is possible to configure an L2L session on a VPN3k using CLI only.  It is a completely different configuration.  Here is the summation of it: Create an SA Create inbound and Outbound rules for the hosts to be encrypted. Apply the rules to the public filter with the action of &#8220;Apply IPSec&#8221; and attach [...]


]]></description>
			<content:encoded><![CDATA[<p>It is possible to configure an L2L session on a VPN3k using CLI only.  It is a completely different configuration.  Here is the summation of it:</p>
<ol>
<li>Create an SA</li>
<li>Create inbound and Outbound rules for the hosts to be encrypted.</li>
<li>Apply the rules to the public filter with the action of &#8220;Apply IPSec&#8221; and attach the Security Association.</li>
<li>Create a group with the preshared key.</li>
<li>Set it to type L2L.</li>
</ol>
<p>Now it seems like a short list but jumping around in the CLI menus makes it tough.</p>
<pre>TIP:

When you are looking at the public filter you want to see the
IPSec Rules applied with the Security Association Attached.</pre>
<div class="thumbnail"><a href="http://skitch.com/brandoncarroll/69pp/picture-1"><img src="http://img.skitch.com/20081219-1fkr4rdukt6jd7gxqkgp7g1sjg.preview.jpg" alt="Picture 1" width="471" height="109" /></a></div>]]></content:encoded>
			<wfw:commentRss>http://www.globalconfig.net/2008/12/18/vpn3k-cli-only/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Per-Flow Policing on ASA VPN</title>
		<link>http://www.globalconfig.net/2008/12/16/per-flow-policing-on-asa-vpn/</link>
		<comments>http://www.globalconfig.net/2008/12/16/per-flow-policing-on-asa-vpn/#comments</comments>
		<pubDate>Tue, 16 Dec 2008 08:11:07 +0000</pubDate>
		<dc:creator>Brandon Carroll</dc:creator>
				<category><![CDATA[CCIE Security]]></category>
		<category><![CDATA[IE Labs]]></category>
		<category><![CDATA[SNAF]]></category>
		<category><![CDATA[SNPA]]></category>
		<category><![CDATA[ASA]]></category>
		<category><![CDATA[QOS]]></category>

		<guid isPermaLink="false">http://www.globalconfig.net/?p=591</guid>
		<description><![CDATA[Tonight I worked on ASA per-flow policing.  The configuration is fairly straightforward.  After ensuring that the VPN works, create a class-map to match the tunnel-group and the destination-address like so: class-map vpn_data match flow ip destination-address match tunnel-group ezvpn Next create the policy map to police based on the class we just created: [...]


]]></description>
			<content:encoded><![CDATA[<p>Tonight I worked on ASA per-flow policing.  The configuration is fairly straightforward.  After ensuring that the VPN works, create a class-map to match the tunnel-group and the destination-address like so:</p>
<pre>class-map vpn_data
match flow ip destination-address
match tunnel-group ezvpn</pre>
<p>Next create the policy map to police based on the class we just created:</p>
<pre>policy-map outside
class vpn_voice
priority
class vpn_data
police output 256000
class class-default
police output 2000000</pre>
<p>Finally activate it on the interface:</p>
<pre>service-policy outside interface outside</pre>
<p>So while that is pretty simple, I did come across a gotcha.  In the IE lab workbook volume 1 it has you create a class-map for vpn_voice, match dscp=ef and the same tunnel-group.  It then wants to apply priority queueing to it.  Here is where it could cause some issues.  When you apply the policy-map to the interface with the priority command configured for a class, it gives you a really nice error:</p>
<pre>asa1(config-pmap-c)# service-policy outside int outside
ERROR: Class vpn_voice has 'priority' set
without 'priority-queue' in any interface</pre>
<p>A quick show service-policy indicates that it was not actually enabled:</p>
<pre>asa1(config)# sh service-policy

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
Inspect: ftp, packet 0, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: netbios, packet 0, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 0, drop 0, reset-drop 0
Inspect: skinny, packet 0, drop 0, reset-drop 0
Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
Inspect: tftp, packet 0, drop 0, reset-drop 0
Inspect: sip, packet 0, drop 0, reset-drop 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0</pre>
<p>So watch out!</p>
<p><strong>TIP:</strong></p>
<pre>If you are telling a class that it should priority-queue packets,
you need to enable the priority queue on that interface:

asa1(config-if)# priority-queue outside
asa1(config-priority-queue)#</pre>


]]></content:encoded>
			<wfw:commentRss>http://www.globalconfig.net/2008/12/16/per-flow-policing-on-asa-vpn/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IE ASA and SSL VPN woes</title>
		<link>http://www.globalconfig.net/2008/12/10/ie-asa-and-ssl-vpn-woes/</link>
		<comments>http://www.globalconfig.net/2008/12/10/ie-asa-and-ssl-vpn-woes/#comments</comments>
		<pubDate>Thu, 11 Dec 2008 06:43:30 +0000</pubDate>
		<dc:creator>Brandon Carroll</dc:creator>
				<category><![CDATA[IE Labs]]></category>

		<guid isPermaLink="false">http://www.globalconfig.net/?p=583</guid>
		<description><![CDATA[Has anyone done IE volume 1 page 532? It&#8217;s ASA SSL VPN with the SVC. I have used sslclient-win-1.0.0.179.pkg, sslclient-win-1.0.2.127.pkg, and sslclient-win-1.1.3.173.pkg and each of them fails. Using 1.0.0.179 the browser dies when it tries to download. Using the other two I just get an error pop-up that it failed. See the image below. Any [...]


]]></description>
			<content:encoded><![CDATA[<p style="text-align: center;">Has anyone done IE volume 1 page 532?  It&#8217;s ASA SSL VPN with the SVC.  I have used sslclient-win-1.0.0.179.pkg, sslclient-win-1.0.2.127.pkg, and sslclient-win-1.1.3.173.pkg and each of them fails.  Using 1.0.0.179 the browser dies when it tries to download.  Using the other two I just get an error pop-up that it failed.  See the image below.  Any ideas why?  Is it a browser setting?  Is it something with a Windows update?  It&#8217;s really getting on my nerves.  I&#8217;ve used scrack1 and now scrack6.<br />
<a href="http://www.globalconfig.net/wp-content/uploads/2008/12/picture-17.jpg"><img class="aligncenter" style="border: 0pt none;" src="http://www.globalconfig.net/wp-content/uploads/2008/12/picture-17.jpg" border="0" alt="Picture 17.jpg" width="500" height="312" align="left" /></a>
</p>
<p style="text-align: center;"><a href="http://www.globalconfig.net/wp-content/uploads/2008/12/picture-23.jpg"><img class="aligncenter" style="border: 0pt none;" src="http://www.globalconfig.net/wp-content/uploads/2008/12/picture-23.jpg" border="0" alt="Picture 23.jpg" width="500" height="332" align="left" /></a></p>
<p>Anyhow, I guess everyone knows what I am working on right now.  I can tell you this, the anyconnect client works much better!</p>


]]></content:encoded>
			<wfw:commentRss>http://www.globalconfig.net/2008/12/10/ie-asa-and-ssl-vpn-woes/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>InternetworkExpert Volume 1 IPsec RA troubles</title>
		<link>http://www.globalconfig.net/2008/12/01/ie-ipsec-ra-vol1/</link>
		<comments>http://www.globalconfig.net/2008/12/01/ie-ipsec-ra-vol1/#comments</comments>
		<pubDate>Tue, 02 Dec 2008 06:45:27 +0000</pubDate>
		<dc:creator>Brandon Carroll</dc:creator>
				<category><![CDATA[CCIE Security]]></category>
		<category><![CDATA[IE Labs]]></category>
		<category><![CDATA[RA VPN]]></category>

		<guid isPermaLink="false">http://www.globalconfig.net/?p=558</guid>
		<description><![CDATA[Spinning my wheels for two lab sessions with this now.  The first time I labbed this it worked.  The next two times it bombs.  Don&#8217;t know what I&#8217;m doing wrong.  Here is the config: asa1(config-username)# sh run : Saved : ASA Version 7.2(2) ! hostname asa1 enable password 8Ry2YjIyt7RRXU24 encrypted names ! interface Ethernet0/0 nameif outside [...]


]]></description>
			<content:encoded><![CDATA[<p>Spinning my wheels for two lab sessions with this now.  The first time I labbed this it worked.  The next two times it bombs.  Don&#8217;t know what I&#8217;m doing wrong.  Here is the config:</p>
<pre><code>asa1(config-username)# sh run
: Saved
:
ASA Version 7.2(2)
!
hostname asa1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 136.1.123.12 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 136.1.121.12 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list split_tunnel standard permit 136.1.121.0 255.255.255.0
access-list OUTSIDE_IN extended permit udp any any eq isakmp
access-list OUTSIDE_IN extended permit udp any any eq 4500
access-list OUTSIDE_IN extended permit esp any any
pager lines 24
logging enable
logging console debugging
mtu outside 1500
mtu inside 1500
ip local pool mypool 20.0.0.1-20.0.0.254
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
access-group OUTSIDE_IN in interface outside
!
router rip
network 136.1.0.0
redistribute static metric 1
version 2
no auto-summary
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server aaa protocol radius
aaa-server aaa (outside) host 10.0.0.100
key CISCO
radius-common-pw CISCO
group-policy ezvpn external server-group aaa password CISCO
username bcarroll password 8QAYyQeRI6l.X61w encrypted
username bcarroll attributes
vpn-group-policy ezvpn
username cisoc password Bn4.yL6RmqN0ezJL encrypted
username cisco password aKPiPFm6dYuj.C5/ encrypted
username cisco attributes
vpn-group-policy ezvpn
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set 3des_md5 esp-3des esp-md5-hmac
crypto dynamic-map dynamic 10 set transform-set 3des_md5
crypto dynamic-map dynamic 10 set reverse-route
crypto map vpn 10 ipsec-isakmp dynamic dynamic
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group ezvpn type ipsec-ra
tunnel-group ezvpn general-attributes
address-pool mypool
default-group-policy ezvpn
tunnel-group ezvpn ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9b2252bb685ae17c9b748c4034fbede9
: end
%ASA-7-111009: User 'enable_15' executed cmd: show running-config
asa1(config-username)#</code></pre>
<p>Here is the error:</p>
<pre><code>%ASA-7-715047: Group = ezvpn, Username = bcarroll, IP = 136.1.100.200, processing notify payload
%Dec 02 06:26:33 [IKEAv1]: Group = ezvpn, Username = bcarroll, IP = 136.1.100.200S, Removing peer from peer table failed, no match!</code></pre>
<p>Here is the ACS server; the group authenticates fine according to the passed authentication logs:</p>
<p><img class="alignnone size-medium wp-image-559" title="picture-1" src="http://www.globalconfig.net/wp-content/uploads/2008/12/picture-1-300x224.jpg" alt="" width="450" height="335" /></p>
<p><img class="alignnone size-medium wp-image-560" title="picture-2" src="http://www.globalconfig.net/wp-content/uploads/2008/12/picture-2-252x300.jpg" alt="" width="348" height="413" /></p>
<p>Anyone see what I am doing wrong?  Thanks in advance to anyone that throws their thoughts in.</p>


]]></content:encoded>
			<wfw:commentRss>http://www.globalconfig.net/2008/12/01/ie-ipsec-ra-vol1/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Found: Pot of Gold for IE Workbook users.</title>
		<link>http://www.globalconfig.net/2008/11/04/found-pot-of-gold-for-ie-workbook-users/</link>
		<comments>http://www.globalconfig.net/2008/11/04/found-pot-of-gold-for-ie-workbook-users/#comments</comments>
		<pubDate>Wed, 05 Nov 2008 06:23:19 +0000</pubDate>
		<dc:creator>Brandon Carroll</dc:creator>
				<category><![CDATA[CCIE Security]]></category>
		<category><![CDATA[IE Information]]></category>
		<category><![CDATA[IE Labs]]></category>

		<guid isPermaLink="false">http://globalconfig.net/?p=511</guid>
		<description><![CDATA[Tonight I was sitting here wishing I had booked a session so I could run through some labs. Since I couldn&#8217;t get a session at IE or IPexpert&#8217;s PL I decided to look at the resources on the two vendor web sites. Anyhow, on the IE web site I found something that I have always [...]


]]></description>
			<content:encoded><![CDATA[<p>Tonight I was sitting here wishing I had booked a session so I could run through some labs.  Since I couldn&#8217;t get a session at IE or IPexpert&#8217;s PL I decided to look at the resources on the two vendor web sites.  Anyhow, on the IE web site I found something that I have always wondered about but nobody had ever told me about.</p>
<p>So, what is it?</p>
<p>The answer: Recommended Reading.  You may be wondering why this is such a big deal to me.  Well, if you have the IE workbooks you will find a box at the end of each lab that says &#8220;Further Reading.&#8221;  Up until now I thought that these were just search terms for the Cisco web site.  Wrong!</p>
<p>Check out this <a href="http://www.internetworkexpert.com/resources/#1">link</a> for the list.</p>
<p>Here is the CCIE Security<a href="http://www.internetworkexpert.com/resources/iewb-sc-vol1-further-reading.htm"> Vol 1 list </a>and here is the CCIE Security <a href="http://www.internetworkexpert.com/resources/iewb-sc-vol2-further-reading.htm">Vol2 list</a>.</p>
<p>Now compare to the Further readings listed at the end of each lab. SWEET!</p>
<p>Now enough blogging, I have some further reading to do.</p>
<p>Thanks IE!</p>


]]></content:encoded>
			<wfw:commentRss>http://www.globalconfig.net/2008/11/04/found-pot-of-gold-for-ie-workbook-users/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Studies in VPN: Part 3</title>
		<link>http://www.globalconfig.net/2008/10/24/studies-in-vpn-part-3/</link>
		<comments>http://www.globalconfig.net/2008/10/24/studies-in-vpn-part-3/#comments</comments>
		<pubDate>Fri, 24 Oct 2008 16:00:07 +0000</pubDate>
		<dc:creator>Brandon Carroll</dc:creator>
				<category><![CDATA[CCIE Security]]></category>
		<category><![CDATA[IE Labs]]></category>
		<category><![CDATA[Studies In VPN]]></category>
		<category><![CDATA[Dynamic crypto map]]></category>
		<category><![CDATA[Pre-shared-keys]]></category>
		<category><![CDATA[VPN]]></category>

		<guid isPermaLink="false">http://globalconfig.net/?p=462</guid>
		<description><![CDATA[IOS Lan-to-Lan with PSK through an ASA. ***The Catch: Nat configured and Dynamic Crypto Maps configured. Uploaded with plasq&#8216;s Skitch! I ran into an Interesting situation: r1#sh cry map Crypto Map "vpn" 10 ipsec-isakmp Peer = 136.5.122.2 Extended IP access list r1tor2 access-list r1tor2 permit ip 150.1.1.0 0.0.0.255 150.2.2.0 0.0.0.255 Current peer: 136.5.122.2 Security association [...]


]]></description>
			<content:encoded><![CDATA[<p>IOS LAN-to-LAN with PSK through an ASA.<br />
***The Catch: NAT configured and dynamic crypto maps configured.</p>
<div class="thumbnail"><a href="http://skitch.com/brandoncarroll/3q8j/picture-8"><img src="http://img.skitch.com/20081024-eehxcyhs76wtnbs7fwxk214tim.preview.jpg" alt="Picture 8" /></a><br />
<span style="font-size: 10px; font-family: Lucida Grande,Trebuchet,sans-serif,Helvetica,Arial; color: #808080;">Uploaded with <a href="http://plasq.com/">plasq</a>&#8216;s <a href="http://skitch.com">Skitch</a>!</span></div>
<p><strong>I ran into an interesting situation:</strong></p>
<pre><code>r1#sh cry map
Crypto Map "vpn" 10 ipsec-isakmp
	Peer = 136.5.122.2
	Extended IP access list r1tor2
	    access-list r1tor2 permit ip 150.1.1.0 0.0.0.255 150.2.2.0 0.0.0.255
	Current peer: 136.5.122.2
	Security association lifetime: 4608000 kilobytes/3600 seconds
	PFS (Y/N): N
	Transform sets={
		3des-esp,
	}
	Interfaces using crypto map vpn:
		FastEthernet0/0</code></pre>
<p><strong>Pings fail:</strong></p>
<pre><code>r1#ping 150.2.2.2 source l0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 150.1.1.1
.....
Success rate is 0 percent (0/5)</code></pre>
<p><strong>But it looks like it's working based on the stats:</strong></p>
<pre><code>local  ident (addr/mask/prot/port): (150.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (150.2.2.0/255.255.255.0/0/0)
   current_peer: 136.5.122.2:4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 29, #pkts encrypt: 29, #pkts digest 29
    #pkts decaps: 19, #pkts decrypt: 19, #pkts verify 19
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 136.5.121.1, remote crypto endpt.: 136.5.122.2
     path mtu 1500, media mtu 1500
     current outbound spi: 674293ED

     inbound esp sas:
      spi: 0xBD012AAD(3170970285)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4590553/3219)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x674293ED(1732416493)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4590551/3219)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

r1#</code></pre>
<p><strong>A little tweaking on the ASA, clear the ASA and try again:</strong></p>
<pre><code>r1#clear cry sa
r1#
r1#
r1#sh cry isa sa
dst             src             state          conn-id slot
136.5.122.2     136.5.121.1     MM_NO_STATE          1    0 (deleted)

r1#ping 150.2.2.2 source l0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 150.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/9/12 ms
r1#sh cry isa sa
dst             src             state          conn-id slot
136.5.122.2     136.5.121.1     QM_IDLE              2    0
136.5.122.2     136.5.121.1     MM_NO_STATE          1    0 (deleted)

r1#</code></pre>
<p>So what was the problem?  The access-list on the ASA didn&#8217;t allow NAT-T (UDP port 4500, which the <code>current_peer: 136.5.122.2:4500</code> and <code>UDP-Encaps</code> lines above show is in use).</p>
<p>On another note, the interesting thing about this configuration is that you have to initiate the connection from the inside, since R2 is using a dynamic crypto map, which has no peer configured and can only respond to a negotiation.</p>
<p><a href="http://globalconfig.net/wp-content/uploads/2008/10/studies-vpn-3.zip">Final Configs</a> (zipped)</p>


]]></content:encoded>
			<wfw:commentRss>http://www.globalconfig.net/2008/10/24/studies-in-vpn-part-3/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Studies in VPN: Part 2</title>
		<link>http://www.globalconfig.net/2008/10/22/studies-in-vpn-part-2/</link>
		<comments>http://www.globalconfig.net/2008/10/22/studies-in-vpn-part-2/#comments</comments>
		<pubDate>Thu, 23 Oct 2008 05:44:22 +0000</pubDate>
		<dc:creator>Brandon Carroll</dc:creator>
				<category><![CDATA[CCIE Security]]></category>
		<category><![CDATA[IE Labs]]></category>
		<category><![CDATA[Studies In VPN]]></category>

		<guid isPermaLink="false">http://globalconfig.net/?p=445</guid>
		<description><![CDATA[IOS to IOS with PSK thru an ASA without NAT The topology: Uploaded with plasq&#8216;s Skitch! Allow ESP and ISAKMP thru the ASA: ciscoasa(config-router)# conf t ciscoasa(config)# access-l outside_in permit esp any any ciscoasa(config)# access-l outside_in permit udp any any eq isakmp ciscoasa(config)# access-g outside_in in int outside ciscoasa(config)# Over on R2 I create a [...]


]]></description>
			<content:encoded><![CDATA[<h1>IOS to IOS with PSK thru an ASA without NAT</h1>
<p>The topology:</p>
<div class="thumbnail"><a href="http://skitch.com/brandoncarroll/3q8j/picture-8"><img src="http://img.skitch.com/20081023-eehxcyhs76wtnbs7fwxk214tim.preview.jpg" alt="Picture 8" /></a><br /><span style="font-family: Lucida Grande, Trebuchet, sans-serif, Helvetica, Arial; font-size: 10px; color: #808080">Uploaded with <a href="http://plasq.com/">plasq</a>&#8216;s <a href="http://skitch.com">Skitch</a>!</span></div>
<p>Allow ESP and ISAKMP thru the ASA:</p>
<pre><code>ciscoasa(config-router)# conf t
ciscoasa(config)# access-l outside_in permit esp any any
ciscoasa(config)# access-l outside_in permit udp any any eq isakmp
ciscoasa(config)# access-g outside_in in int outside
ciscoasa(config)#</code></pre>
<p>Over on R2 I create a loopback to encrypt traffic to R1:</p>
<pre><code>r2(config)#int lo0
r2(config-if)#ip add 150.1.2.2 255.255.255.0
r2(config-if)#</code></pre>
<p>Next create an ISAKMP policy:<br />
<span id="more-445"></span></p>
<pre><code>r2(config-if)#cry isa pol 10
r2(config-isakmp)#enc 3
r2(config-isakmp)#has md
r2(config-isakmp)#authen pre
r2(config-isakmp)#exit</code></pre>
<p>Next define the pre-shared key:</p>
<pre><code>r2(config)#cry isa key CISCO address 136.7.121.1</code></pre>
<p>Next create a transform set:</p>
<pre><code>r2(config)#cry ipsec transform-set 3des-md5 esp-3des esp-md5-hmac</code></pre>
<p>Now create an access-list to define interesting traffic:</p>
<pre><code>r2(config)#ip access-l ext vpn-to-r1
r2(config-ext-nacl)#permit ip 150.1.2.0 0.0.0.255 150.1.1.0 0.0.0.255
r2(config-ext-nacl)#exit</code></pre>
<p>Now tie it together with a crypto map and apply it to the interface:</p>
<pre><code>r2(config)#cry map vpn 10 ipsec-isa
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
r2(config-crypto-map)#match add vpn-to-r1
r2(config-crypto-map)# set peer 136.7.121.1
r2(config-crypto-map)#set trans 3des-md5
r2(config-crypto-map)#int f0/0
r2(config-if)#cry map vpn
r2(config-if)#end
r2#
</code></pre>
<p>Now I just need to duplicate the same config on R1:</p>
<pre><code>r1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
r1(config)#int lo0
r1(config-if)#ip add 150.1.1.1 255.255.255.0
r1(config-if)#exit
r1(config)#cry isa pol 10
r1(config-isakmp)#enc 3
r1(config-isakmp)#has md
r1(config-isakmp)#authen pre
r1(config-isakmp)#exit
r1(config)#cry isa key CISCO add 136.7.122.2
r1(config)#cry ipsec trans 3des-md5 esp-3 esp-m
r1(cfg-crypto-trans)#exit
r1(config)#cry map vpn 10 ipsec-isa
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
r1(config-crypto-map)#match add vpn-to-r2
r1(config-crypto-map)#set peer 136.7.122.2
r1(config-crypto-map)#set trans 3des-md5
r1(config-crypto-map)#exit
r1(config)#ip access-l ext vpn-to-r2
r1(config-ext-nacl)#permit ip 150.1.1.0 0.0.0.255 150.1.2.0 0.0.0.255
r1(config-ext-nacl)#int f0/0
r1(config-if)#cry map vpn
r1(config-if)#end
r1#
Oct 22 22</code></pre>
<p>Now I'll turn on ISAKMP debugs while I test:</p>
<pre><code>r1#
r1#debug cry isa
Crypto ISAKMP debugging is on
r1#
</code></pre>
<p>Before testing, make sure that each router has a route to the other's loopback.  The lab probably won't allow static routes, so I'm going to advertise them into RIP:</p>
<pre><code>r1(config)#router rip
r1(config-router)#net 150.1.0.0
r1(config-router)#
</code>
<code>r2(config)#router rip
r2(config-router)#net 150.1.0.0
r2(config-router)#end
</code></pre>
<p>And to test, source a packet from the loopback interface of R1 to the loopback interface of R2:</p>
<pre><code>r1#ping 150.1.2.2 source l0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.2.2, timeout is 2 seconds:
Packet sent with a source address of 150.1.1.1

Oct 22 22:09:53.890: ISAKMP: received ke message (1/1)
Oct 22 22:09:53.890: ISAKMP (0:0): SA request profile is (NULL)
Oct 22 22:09:53.890: ISAKMP: local port 500, remote port 500
Oct 22 22:09:53.890: ISAKMP: set new node 0 to QM_IDLE
Oct 22 22:09:53.890: ISAKMP: insert sa successfully sa = 82E92840
Oct 22 22:09:53.890: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
Oct 22 22:09:53.894: ISAKMP: Looking for a matching key for 136.7.122.2 in default : success
Oct 22 22:09:53.894: ISAKMP (0:1): found peer pre-shared key matching 136.7.122.2
Oct 22 22:09:53.894: ISAKMP (0:1): constructed NAT-T vendor-03 ID
Oct 22 22:09:53.894: ISAKMP (0:1): constructed NAT-T vendor-02 ID
Oct 22 22:09:53.894: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Oct 22 22:09:53.894: ISAKMP (0:1): Old State = IKE_READY  New State = IKE_I_MM1

Oct 22 22:09:53.894: ISAKMP (0:1): beginning Main Mode exchange
Oct 22 22:09:53.894: ISAKMP (0:1): sending packet to 136.7.122.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct 22 22:09:54.074: ISAKMP (0:1): received packet from 136.7.122.2 dport 500 sport 500 Global (I) MM_NO_STATE
Oct 22 22:09:54.074: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 22 22:09:54.074: ISAKMP (0:1): Old State = IKE_I_MM1  New State = IKE_I_MM2

Oct 22 22:09:54.078: ISAKMP (0:1): processing SA payload. message ID = 0
Oct 22 22:09:54.078: ISAKMP (0:1): processing vendor id payload
Oct 22 22:09:54.078: ISAKMP (0:1): vendor ID seems Unity/DPD but major 157 mismatch
Oct 22 22:09:54.078: ISAKMP (0:1): vendor ID is NAT-T v3
Oct 22 22:09:54.078: ISAKMP: Looking for a matching key .!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/8/8 ms
r1#for 136.7.122.2 in default : success
Oct 22 22:09:54.078: ISAKMP (0:1): found peer pre-shared key matching 136.7.122.2
Oct 22 22:09:54.078: ISAKMP (0:1) local preshared key found
Oct 22 22:09:54.082: ISAKMP : Scanning profiles for xauth ...
Oct 22 22:09:54.082: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
Oct 22 22:09:54.082: ISAKMP:      encryption 3DES-CBC
Oct 22 22:09:54.082: ISAKMP:      hash MD5
Oct 22 22:09:54.082: ISAKMP:      default group 1
Oct 22 22:09:54.082: ISAKMP:      auth pre-share
Oct 22 22:09:54.082: ISAKMP:      life type in seconds
Oct 22 22:09:54.082: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Oct 22 22:09:54.082: ISAKMP (0:1): atts are acceptable. Next payload is 0
Oct 22 22:09:54.243: ISAKMP (0:1): processing vendor id payload
Oct 22 22:09:54.243: ISAKMP (0:1): vendor ID seems Unity/DPD but major 157 mismatch
Oct 22 22:09:54.243: ISAKMP (0:1): vendor ID is NAT-T v3
Oct 22 22:09:54.243: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 22 22:09:54.243: ISAKMP (0:1): Old State = IKE_I_MM2  New State = IKE_I_MM2

Oct 22 22:09:54.255: ISAKMP (0:1): constructed HIS NAT-D
Oct 22 22:09:54.255: ISAKMP (0:1): constructed MINE NAT-D
Oct 22 22:09:54.255: ISAKMP (0:1): sending packet to 136.7.122.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
Oct 22 22:09:54.259: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 22 22:09:54.259: ISAKMP (0:1): Old State = IKE_I_MM2  New State = IKE_I_MM3

Oct 22 22:09:54.467: ISAKMP (0:1): received packet from 136.7.122.2 dport 500 sport 500 Global (I) MM_SA_SETUP
Oct 22 22:09:54.471: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 22 22:09:54.471: ISAKMP (0:1): Old State = IKE_I_MM3  New State = IKE_I_MM4

Oct 22 22:09:54.471: ISAKMP (0:1): processing KE payload. message ID = 0
Oct 22 22:09:54.671: ISAKMP (0:1): processing NONCE payload. message ID = 0
Oct 22 22:09:54.671: ISAKMP: Looking for a matching key for 136.7.122.2 in default : success
Oct 22 22:09:54.671: ISAKMP (0:1): found peer pre-shared key matching 136.7.122.2
Oct 22 22:09:54.675: ISAKMP (0:1): SKEYID state generated
Oct 22 22:09:54.675: ISAKMP (0:1): processing vendor id payload
Oct 22 22:09:54.675: ISAKMP (0:1): vendor ID is Unity
Oct 22 22:09:54.675: ISAKMP (0:1): processing vendor id payload
Oct 22 22:09:54.675: ISAKMP (0:1): vendor ID is DPD
Oct 22 22:09:54.679: ISAKMP (0:1): processing vendor id payload
Oct 22 22:09:54.679: ISAKMP (0:1): speaking to another IOS box!
Oct 22 22:09:54.679: ISAKMP:received payload type 17
Oct 22 22:09:54.679: ISAKMP (0:1): Detected NAT-D payload
Oct 22 22:09:54.679: ISAKMP (0:1): NAT match MINE hash
Oct 22 22:09:54.679: ISAKMP:received payload type 17
Oct 22 22:09:54.679: ISAKMP (0:1): Detected NAT-D payload
Oct 22 22:09:54.679: ISAKMP (0:1): NAT match HIS hash
Oct 22 22:09:54.679: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 22 22:09:54.679: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM4

Oct 22 22:09:54.683: ISAKMP (0:1): Send initial contact
Oct 22 22:09:54.683: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Oct 22 22:09:54.683: ISAKMP (1): ID payload
next-payload : 8
type         : 1
addr         : 136.7.121.1
protocol     : 17
port         : 500
length       : 8
Oct 22 22:09:54.683: ISAKMP (1): Total payload length: 12
Oct 22 22:09:54.687: ISAKMP (0:1): sending packet to 136.7.122.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 22 22:09:54.687: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 22 22:09:54.687: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM5

Oct 22 22:09:54.699: ISAKMP (0:1): received packet from 136.7.122.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 22 22:09:54.699: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 22 22:09:54.699: ISAKMP (0:1): Old State = IKE_I_MM5  New State = IKE_I_MM6

Oct 22 22:09:54.703: ISAKMP (0:1): processing ID payload. message ID = 0
Oct 22 22:09:54.703: ISAKMP (0:1): processing HASH payload. message ID = 0
Oct 22 22:09:54.703: ISAKMP (0:1): SA has been authenticated with 136.7.122.2
Oct 22 22:09:54.703: ISAKMP (0:1): peer matches *none* of the profiles
Oct 22 22:09:54.703: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 22 22:09:54.703: ISAKMP (0:1): Old State = IKE_I_MM6  New State = IKE_I_MM6

Oct 22 22:09:54.707: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 22 22:09:54.707: ISAKMP (0:1): Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

Oct 22 22:09:54.707: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -1599248551
Oct 22 22:09:54.711: ISAKMP (0:1): sending packet to 136.7.122.2 my_port 500 peer_port 500 (I) QM_IDLE
Oct 22 22:09:54.715: ISAKMP (0:1): Node -1599248551, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Oct 22 22:09:54.715: ISAKMP (0:1): Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Oct 22 22:09:54.715: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Oct 22 22:09:54.715: ISAKMP (0:1): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Oct 22 22:09:54.976: ISAKMP (0:1): received packet from 136.7.122.2 dport 500 sport 500 Global (I) QM_IDLE
Oct 22 22:09:54.980: ISAKMP (0:1): processing HASH payload. message ID = -1599248551
Oct 22 22:09:54.980: ISAKMP (0:1): processing SA payload. message ID = -1599248551
Oct 22 22:09:54.980: ISAKMP (0:1): Checking IPSec proposal 1
Oct 22 22:09:54.980: ISAKMP: transform 1, ESP_3DES
Oct 22 22:09:54.980: ISAKMP:   attributes in transform:
Oct 22 22:09:54.980: ISAKMP:      encaps is 1
Oct 22 22:09:54.980: ISAKMP:      SA life type in seconds
Oct 22 22:09:54.980: ISAKMP:      SA life duration (basic) of 3600
Oct 22 22:09:54.980: ISAKMP:      SA life type in kilobytes
Oct 22 22:09:54.980: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
Oct 22 22:09:54.980: ISAKMP:      authenticator is HMAC-MD5
Oct 22 22:09:54.984: ISAKMP (0:1): atts are acceptable.
Oct 22 22:09:54.984: ISAKMP (0:1): processing NONCE payload. message ID = -1599248551
Oct 22 22:09:54.984: ISAKMP (0:1): processing ID payload. message ID = -1599248551
Oct 22 22:09:54.984: ISAKMP (0:1): processing ID payload. message ID = -1599248551
Oct 22 22:09:54.992: ISAKMP (0:1): Creating IPSec SAs
Oct 22 22:09:54.992:         inbound SA from 136.7.122.2 to 136.7.121.1 (f/i)  0/ 0
(proxy 150.1.2.0 to 150.1.1.0)
Oct 22 22:09:54.992:         has spi 0xE2D71338 and conn_id 2000 and flags 2
Oct 22 22:09:54.992:         lifetime of 3600 seconds
Oct 22 22:09:54.992:         lifetime of 4608000 kilobytes
Oct 22 22:09:54.992:         has client flags 0x0
Oct 22 22:09:54.992:         outbound SA from 136.7.121.1     to 136.7.122.2     (f/i)  0/ 0 (proxy 150.1.1.0       to 150.1.2.0      )
Oct 22 22:09:54.992:         has spi 771123710 and conn_id 2001 and flags A
Oct 22 22:09:54.992:         lifetime of 3600 seconds
Oct 22 22:09:54.992:         lifetime of 4608000 kilobytes
Oct 22 22:09:54.992:         has client flags 0x0
Oct 22 22:09:54.996: ISAKMP (0:1): sending packet to 136.7.122.2 my_port 500 peer_port 500 (I) QM_IDLE
Oct 22 22:09:54.996: ISAKMP (0:1): deleting node -1599248551 error FALSE reason ""
Oct 22 22:09:54.996: ISAKMP (0:1): Node -1599248551, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Oct 22 22:09:54.996: ISAKMP (0:1): Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETEping 150.1.2.2 source l0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.2.2, timeout is 2 seconds:
Packet sent with a source address of 150.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms
r1#</code></pre>
<p>So after a really long debug output we can see that the pings worked.  Let's make sure they are actually being encrypted:</p>
<pre><code>r1#sh cry isa sa
dst             src             state          conn-id slot
136.7.122.2     136.7.121.1     QM_IDLE              1    0

r1#sh cry ipsec sa

interface: FastEthernet0/0
Crypto map tag: vpn, local addr. 136.7.121.1

protected vrf:
local  ident (addr/mask/prot/port): (150.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (150.1.2.0/255.255.255.0/0/0)
current_peer: 136.7.122.2:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 136.7.121.1, remote crypto endpt.: 136.7.122.2
path mtu 1500, media mtu 1500
current outbound spi: 2DF669FE

inbound esp sas:
spi: 0xE2D71338(3805745976)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4586184/3510)
IV size: 8 bytes
replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x2DF669FE(771123710)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2001, flow_id: 2, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4586184/3510)
IV size: 8 bytes
replay detection support: Y

outbound ah sas:

outbound pcp sas:

r1#</code></pre>
<p>We have both an ISAKMP SA and an IPsec SA.  The IPsec SA shows that we have packets flowing.  Let's filter the output a bit and ping again:</p>
<pre><code>r1#sh cry ipsec sa | in pkts encaps
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest 9
r1#ping 150.1.2.2 source l0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.2.2, timeout is 2 seconds:
Packet sent with a source address of 150.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms
r1#sh cry ipsec sa | in pkts encaps
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest 14
r1#
</code></pre>
<p>Perfect!  Before we had 9 packets; after the ping we have 14.  The numbers add up.  Now, for good measure, I want to establish the tunnel from the outside interface of the ASA by pinging from R2:</p>
<p>First I'll kill the SA:</p>
<pre><code>r2#sh cry isa sa
dst             src             state          conn-id slot
136.7.122.2     136.7.121.1     QM_IDLE              1    0

r2#clear cry isakmp 1
r2#sh cry isa sa
dst             src             state          conn-id slot
136.7.122.2     136.7.121.1     MM_NO_STATE          1    0 (deleted)</code></pre>
<p>Then I'll turn debug on for R2:</p>
<pre><code>r2#debug cry isa sa</code></pre>
<p>Then I generate the ping:</p>
<pre><code>r2#ping 150.1.1.1 source l0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 150.1.2.2

Oct 22 22:17:30.687: ISAKMP: received ke message (1/1)
Oct 22 22:17:30.687: ISAKMP (0:0): SA request profile is (NULL)
Oct 22 22:17:30.687: ISAKMP: local port 500, remote port 500
Oct 22 22:17:30.691: ISAKMP: set new node 0 to QM_IDLE
Oct 22 22:17:30.691: ISAKMP: insert sa successfully sa = 835EF214
Oct 22 22:17:30.691: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
Oct 22 22:17:30.691: ISAKMP: Looking for a matching key for 136.7.121.1 in default : success
Oct 22 22:17:30.691: ISAKMP (0:1): found peer pre-shared key matching 136.7.121.1
Oct 22 22:17:30.691: ISAKMP (0:1): constructed NAT-T vendor-03 ID
Oct 22 22:17:30.691: ISAKMP (0:1): constructed NAT-T vendor-02 ID
Oct 22 22:17:30.695: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Oct 22 22:17:30.695: ISAKMP (0:1): Old State = IKE_READY  New State = IKE_I_MM1

Oct 22 22:17:30.695: ISAKMP (0:1): beginning Main Mode exchange
Oct 22 22:17:30.695: ISAKMP (0:1): sending packet to 136.7.121.1 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct 22 22:17:30.868: ISAKMP (0:1): received packet from 136.7.121.1 dport 500 sport 500 Global (I) MM_NO_STATE
Oct 22 22:17:30.872: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 22 22:17:30.872: ISAKMP (0:1): Old State = IKE_I_MM1  New State = IKE_I_MM2

Oct 22 22:17:30.872: ISAKMP (0:1): processing SA payload. message ID = 0
Oct 22 22:17:30.872: ISAKMP (0:1): processing vendor id payload
Oct 22 22:17:30.872: ISAKMP (0:1): vendor ID seems Unity/DPD but major 157 mismatch
Oct 22 22:17:30.876: ISAKMP (0:1): vendor ID is NAT-T v3
Oct 22 22:17:30.876: ISAKMP: Looking for a matching key for 136.7.121.1 in default : success
Oct 22 22:17:30.876: ISAKMP (0:1): found peer pre-shared key matching 136.7.121.1
Oct 22 22:17:30.876: ISAKMP (0:1) local preshared key found
Oct 22 22:17:30.876: ISAKMP : Scanning profiles for xauth.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/8/8 ms
r2# ...
Oct 22 22:17:30.876: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
Oct 22 22:17:30.876: ISAKMP:      encryption 3DES-CBC
Oct 22 22:17:30.876: ISAKMP:      hash MD5
Oct 22 22:17:30.876: ISAKMP:      default group 1
Oct 22 22:17:30.876: ISAKMP:      auth pre-share
Oct 22 22:17:30.876: ISAKMP:      life type in seconds
Oct 22 22:17:30.876: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Oct 22 22:17:30.880: ISAKMP (0:1): atts are acceptable. Next payload is 0
Oct 22 22:17:31.040: ISAKMP (0:1): processing vendor id payload
Oct 22 22:17:31.040: ISAKMP (0:1): vendor ID seems Unity/DPD but major 157 mismatch
Oct 22 22:17:31.040: ISAKMP (0:1): vendor ID is NAT-T v3
Oct 22 22:17:31.040: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 22 22:17:31.040: ISAKMP (0:1): Old State = IKE_I_MM2  New State = IKE_I_MM2

Oct 22 22:17:31.044: ISAKMP (0:1): constructed HIS NAT-D
Oct 22 22:17:31.044: ISAKMP (0:1): constructed MINE NAT-D
Oct 22 22:17:31.044: ISAKMP (0:1): sending packet to 136.7.121.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
Oct 22 22:17:31.048: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 22 22:17:31.048: ISAKMP (0:1): Old State = IKE_I_MM2  New State = IKE_I_MM3

Oct 22 22:17:31.264: ISAKMP (0:1): received packet from 136.7.121.1 dport 500 sport 500 Global (I) MM_SA_SETUP
Oct 22 22:17:31.264: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 22 22:17:31.264: ISAKMP (0:1): Old State = IKE_I_MM3  New State = IKE_I_MM4

Oct 22 22:17:31.268: ISAKMP (0:1): processing KE payload. message ID = 0
Oct 22 22:17:31.469: ISAKMP (0:1): processing NONCE payload. message ID = 0
Oct 22 22:17:31.469: ISAKMP: Looking for a matching key for 136.7.121.1 in default : success
Oct 22 22:17:31.469: ISAKMP (0:1): found peer pre-shared key matching 136.7.121.1
Oct 22 22:17:31.469: ISAKMP (0:1): SKEYID state generated
Oct 22 22:17:31.473: ISAKMP (0:1): processing vendor id payload
Oct 22 22:17:31.473: ISAKMP (0:1): vendor ID is Unity
Oct 22 22:17:31.473: ISAKMP (0:1): processing vendor id payload
Oct 22 22:17:31.473: ISAKMP (0:1): vendor ID is DPD
Oct 22 22:17:31.473: ISAKMP (0:1): processing vendor id payload
Oct 22 22:17:31.473: ISAKMP (0:1): speaking to another IOS box!
Oct 22 22:17:31.473: ISAKMP:received payload type 17
Oct 22 22:17:31.473: ISAKMP (0:1): Detected NAT-D payload
Oct 22 22:17:31.473: ISAKMP (0:1): NAT match MINE hash
Oct 22 22:17:31.477: ISAKMP:received payload type 17
Oct 22 22:17:31.477: ISAKMP (0:1): Detected NAT-D payload
Oct 22 22:17:31.477: ISAKMP (0:1): NAT match HIS hash
Oct 22 22:17:31.477: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 22 22:17:31.477: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM4

Oct 22 22:17:31.493: ISAKMP (0:1): Send initial contact
Oct 22 22:17:31.493: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Oct 22 22:17:31.493: ISAKMP (1): ID payload
next-payload : 8
type         : 1
addr         : 136.7.122.2
protocol     : 17
port         : 500
length       : 8
Oct 22 22:17:31.493: ISAKMP (1): Total payload length: 12
Oct 22 22:17:31.497: ISAKMP (0:1): sending packet to 136.7.121.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 22 22:17:31.497: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 22 22:17:31.497: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM5

Oct 22 22:17:31.509: ISAKMP (0:0): received packet from 136.7.121.1 dport 500 sport 500 Global (N) NEW SA
Oct 22 22:17:31.509: %CRYPTO-4-IKMP_NO_SA: IKE message from 136.7.121.1     has no SA and is not an initialization offer
Oct 22 22:17:31.509: ISAKMP (0:1): received packet from 136.7.121.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 22 22:17:31.513: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 22 22:17:31.513: ISAKMP (0:1): Old State = IKE_I_MM5  New State = IKE_I_MM6

Oct 22 22:17:31.513: ISAKMP (0:1): processing ID payload. message ID = 0
Oct 22 22:17:31.513: ISAKMP (0:1): processing HASH payload. message ID = 0
Oct 22 22:17:31.517: ISAKMP (0:1): SA has been authenticated with 136.7.121.1
Oct 22 22:17:31.517: ISAKMP (0:1): peer matches *none* of the profiles
Oct 22 22:17:31.517: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 22 22:17:31.517: ISAKMP (0:1): Old State = IKE_I_MM6  New State = IKE_I_MM6

Oct 22 22:17:31.517: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 22 22:17:31.521: ISAKMP (0:1): Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

Oct 22 22:17:31.521: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -308265645
Oct 22 22:17:31.525: ISAKMP (0:1): sending packet to 136.7.121.1 my_port 500 peer_port 500 (I) QM_IDLE
Oct 22 22:17:31.525: ISAKMP (0:1): Node -308265645, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Oct 22 22:17:31.525: ISAKMP (0:1): Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Oct 22 22:17:31.529: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Oct 22 22:17:31.529: ISAKMP (0:1): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Oct 22 22:17:31.789: ISAKMP (0:1): received packet from 136.7.121.1 dport 500 sport 500 Global (I) QM_IDLE
Oct 22 22:17:31.793: ISAKMP (0:1): processing HASH payload. message ID = -308265645
Oct 22 22:17:31.793: ISAKMP (0:1): processing SA payload. message ID = -308265645
Oct 22 22:17:31.793: ISAKMP (0:1): Checking IPSec proposal 1
Oct 22 22:17:31.793: ISAKMP: transform 1, ESP_3DES
Oct 22 22:17:31.793: ISAKMP:   attributes in transform:
Oct 22 22:17:31.793: ISAKMP:      encaps is 1
Oct 22 22:17:31.793: ISAKMP:      SA life type in seconds
Oct 22 22:17:31.797: ISAKMP:      SA life duration (basic) of 3600
Oct 22 22:17:31.797: ISAKMP:      SA life type in kilobytes
Oct 22 22:17:31.797: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
Oct 22 22:17:31.797: ISAKMP:      authenticator is HMAC-MD5
Oct 22 22:17:31.797: ISAKMP (0:1): atts are acceptable.
Oct 22 22:17:31.797: ISAKMP (0:1): processing NONCE payload. message ID = -308265645
Oct 22 22:17:31.797: ISAKMP (0:1): processing ID payload. message ID = -308265645
Oct 22 22:17:31.801: ISAKMP (0:1): processing ID payload. message ID = -308265645
Oct 22 22:17:31.805: ISAKMP (0:1): Creating IPSec SAs
Oct 22 22:17:31.805:         inbound SA from 136.7.121.1 to 136.7.122.2 (f/i)  0/ 0
(proxy 150.1.1.0 to 150.1.2.0)
Oct 22 22:17:31.805:         has spi 0xF684B57D and conn_id 2000 and flags 2
Oct 22 22:17:31.805:         lifetime of 3600 seconds
Oct 22 22:17:31.805:         lifetime of 4608000 kilobytes
Oct 22 22:17:31.805:         has client flags 0x0
Oct 22 22:17:31.805:         outbound SA from 136.7.122.2     to 136.7.121.1     (f/i)  0/ 0 (proxy 150.1.2.0       to 150.1.1.0      )
Oct 22 22:17:31.809:         has spi -1711058480 and conn_id 2001 and flags A
Oct 22 22:17:31.809:         lifetime of 3600 seconds
Oct 22 22:17:31.809:         lifetime of 4608000 kilobytes
Oct 22 22:17:31.809:         has client flags 0x0
Oct 22 22:17:31.809: ISAKMP (0:1): sending packet to 136.7.121.1 my_port 500 peer_port 500 (I) QM_IDLE
Oct 22 22:17:31.809: ISAKMP (0:1): deleting node -308265645 error FALSE reason ""
Oct 22 22:17:31.809: ISAKMP (0:1): Node -308265645, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Oct 22 22:17:31.813: ISAKMP (0:1): Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
r2#ping 150.1.1.1 source l0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 150.1.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms
r2#</code></pre>
<p>And again, after a very long output, we see success.</p>
<p>Here are my ending configs:</p>
<p><a href="http://globalconfig.net/wp-content/uploads/2008/10/final-configs.zip">final-configs</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.globalconfig.net/2008/10/22/studies-in-vpn-part-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Vacation is over.</title>
		<link>http://www.globalconfig.net/2008/10/19/vacation-is-over/</link>
		<comments>http://www.globalconfig.net/2008/10/19/vacation-is-over/#comments</comments>
		<pubDate>Sun, 19 Oct 2008 14:52:13 +0000</pubDate>
		<dc:creator>Brandon Carroll</dc:creator>
				<category><![CDATA[CCIE Security]]></category>
		<category><![CDATA[IE Labs]]></category>
		<category><![CDATA[3rd Attempt]]></category>
		<category><![CDATA[CCIE Security Prep]]></category>
		<category><![CDATA[Game Plan]]></category>

		<guid isPermaLink="false">http://globalconfig.net/?p=423</guid>
		<description><![CDATA[Some of you know that I just went to San Jose for my second Security Lab attempt.  While I did better than the first attempt I will be taking it one more time.  Yes, one more time.  I know some areas that I really want to nail down.  I think that VPN is taking me [...]
]]></description>
			<content:encoded><![CDATA[<p>Some of you know that I just went to San Jose for my second Security Lab attempt.  While I did better than the first attempt, I will be taking it one more time.  Yes, one more time.  I know some areas that I really want to nail down.  I think that VPN is taking me too long.  It&#8217;s not that I can&#8217;t do it, it&#8217;s just that I should do it faster.</p>
<p>So here is the Game Plan:</p>
<p>On the right side of this blog I have placed a countdown timer to my third lab date.  This is the one I am going to pass. (It&#8217;s ok, I can delete this post if I fail again)</p>
<p>Between now and then I am resolved to go back through the Internetwork Expert Volume 1 Lab guide and do every VPN lab in it until I can see the configs in my sleep.  Then, I want to firm up the MPF on the PIX and ASA.  Mostly just the ones that use regex in them.  I want to be able to burn through those configs.  Finally, Network Attacks I think I should work on.  What I may end up doing between now and then is ALL of Volume 1 and Volume 2 again.</p>
<p>I am also scheduled for the ipexpert bootcamp.  If work doesn&#8217;t hassle me that should put me over the top.</p>
<p>There is, however, one little catch.  I have a CCNA Wireless Quick Reference Sheet due into Cisco Press by November 1st.  I had better go wrap that up.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.globalconfig.net/2008/10/19/vacation-is-over/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>
