DAMN YOU ACS!!!!

My lab exam is on Friday, so I have a few hours today, a few tomorrow and then Monday to Thursday, it's a mere five days to get stuff right and it isn't.

ACS is kicking my arse and I can't figure out why. I have had this working before, but I have spent two days trying to get this to work, and it's two days that I cannot afford to spend fucking about.

I am consoling myself by listening to some angry hip-hop:


My musical taste has not really moved on since the 90's. But I digress. Hopefully, by blogging about it, it might give me a chance to figure out why it is not working - or someone else might point out my problem (with ACS, not any of my other problems)...

We have a location:

Cisco ACS setting location

We have a device type:

Cisco ACS setting device type

We have two devices. Originally I was just using SW6 (a router image with a switch module); thinking it might be a version issue, I added R6:

Cisco ACS setting clients

We have two identity groups (Admins and Users):

Cisco ACS setting identity groups

We have two users (Admin1 and User1). These are in the groups above:

Cisco ACS setting local users

We have two Shell profiles, one for Admins, one for Users.

Cisco ACS setting shell profiles

The User one gets a privilege of 8.

Cisco ACS setting privilege levels

We have some allowed commands:

Cisco ACS setting command authorization

We have a policy called Telnet:

Cisco ACS setting policies


Cisco ACS setting access policies

Telnet looks for a device type of Switch, and a location of Inside. It matches the Tacacs protocol, and internal users:

Cisco ACS setting protocol

The Authorization part of Telnet sets up the mapping: Users should get the User-Shell and the User-Commands.

Cisco ACS setting authorization rule

But when I try, I do not get the desired result. We do not match a permit rule, when logging in as User1:

Cisco ACS logs

As the next two grabs show, we should get the User-Commands command set: we are found in the Users identity group, the service selection rule matches Telnet, and so does the Identity policy.

Cisco ACS log results

We have a hit on the Telnet-Users - so we *should* get the shell and command set matching this.

Cisco ACS logs

But we don't. We pass authentication, but not authorization:

Cisco ACS no permit rule matched

From the device:

R6#sh priv
Command authorization failed.

R6#sh ver
Command authorization failed.

R6#conf t
      ^
% Invalid input detected at '^' marker.

R6#en
% Error in authentication.

R6#
Admin works fine, though:




So, clearly, something is different between the User and Admin configurations.

The Admin-Commands has the tick next to "Permit any command that is not listed in the table below":



If this is unticked, commands that are permitted actually fail:
R6#sh ver
Command authorization failed.

R6#sh ver
Cisco IOS Software, IOSv Software (VIOS-ADVENTERPRISEK9-M), Version 15.5(2)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Wed 25-Mar-15 13:34 by prod_rel_team


ROM: Bootstrap program is IOSv

R6 uptime is 2 hours, 7 minutes
System returned to ROM by reload
System image file is "flash0:/vios-adventerprisek9-m"
Last reload reason: Unknown reason



This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
          
R6#
You can see that the command fails when unticked and works when ticked. So, actually, there is no difference in working/not working when comparing the User setup to the Admin setup. Something is just wrong, somewhere.

Here is the R6 config:
R6#sh run | i aaa
aaa new-model
aaa authentication login Admin group tacacs+ local
aaa authorization config-commands
aaa authorization exec Admin group tacacs+ local 
aaa authorization commands 1 Admin group tacacs+ 
aaa authorization commands 8 Admin group tacacs+ 
aaa authorization commands 15 Admin group tacacs+ 
aaa session-id common
R6#sh run | s line vty
line vty 0 4
 password cisco
 authorization commands 1 Admin
 authorization commands 8 Admin
 authorization commands 15 Admin
 authorization exec Admin
 login authentication Admin
 transport input telnet
R6#sh run | i tacacs
aaa authentication login Admin group tacacs+ local
aaa authorization exec Admin group tacacs+ local 
aaa authorization commands 1 Admin group tacacs+ 
aaa authorization commands 8 Admin group tacacs+ 
aaa authorization commands 15 Admin group tacacs+ 
tacacs-server host 192.168.20.102 key cisco
tacacs-server directed-request
R6#
I added a few changes:
R6(config)#aaa authentication login CONSOLE none
R6(config)#aaa authorization console 
R6(config)#line con 0
R6(config-line)#login authentication CONSOLE
R6(config-line)#exi
R6(config)#aaa accounting exec Admin start-stop group tacacs+ 
R6(config)#aaa accounting commands 8 Admin start-stop group tacacs+ 
R6(config)#aaa accounting commands 15 Admin start-stop group tacacs+ 
R6(config)#aaa accounting commands 1 Admin start-stop group tacacs+  
R6(config)#line vty 0 4
R6(config-line)#accounting commands 1 Admin
R6(config-line)#accounting commands 8 Admin
R6(config-line)#accounting commands 15 Admin
R6(config-line)#
But the problem remains the same.

I now have four days left before the lab. Not feeling too good about it, to be honest!

But I need to move on, give myself a break from ACS and come back to it another day, not that I have many days remaining.

EDIT: 28/09/2016

I now have it working. I created a new access policy (Telnet-2), but on the Identity I set the conditions to be:

NDG:Location = in All Locations:Inside
NDG:Device Type = in All Device Types:Inside
Device IP Address = 150.1.7.66

The authorization part remained the same (albeit with the Command Sets result being first).

This gave me the desired result.

I think the issue with the first try was that the protocol condition was not correct; the connection would be Telnet.

Got there in the end.

One day 19 hours to go before D-Day...

802101 is moving to Wordpress

Instead of using the last few days before my CCIE Security lab exam wisely, I have decided to move the site to the Wordpress platform.

Blogger has been great, I just feel it's time to take the next step up.

This will take some time, but expect some changes over the next week or so.

The drivers for this are that I will be able to do much more with the site, such as easier hosting of downloadable PDFs and cool things like that.

Anyway... I really should do some studying, but I thought I'd let you know in case the site goes offline for any amount of time.


CCIE by the numbers

As the CCIE Hall of Fame has recently been updated, I thought it would be fun to get a bit of a breakdown of the current state of play and see what the trends are.

It's not a perfect list, the numbers are only as good as the data, and not everyone is listed on the website, but the percentages will probably be about right. I would also like to thank Marc La Porte for maintaining the HOF and I am sure that it is no easy task!

According to Brad Reese, around 23% are not active or suspended. This includes very notable and revered engineers such as Ivan Pepelnjak. So while the numbers below are not perfect, they do give a decent view of how the CCIE population breaks down.

There are 17434 CCIEs listed on the website, and the current numbers are in the 53,000s (or above), so there is clearly a big gap between those on the HOF and how many there actually are. But again, if we look at the percentages rather than the raw numbers, it'll probably be pretty close (unless the missing 40,000 all have the Data Center certification or something like that).

1868 were listed as "not verifiable"; this is around 10% and accounts for the discrepancies.

Double and triple trouble...

So, of the 17434 CCIEs on the HOF, how many have more than one CCIE?

# of certifications    Number    Percentage
1                      13373     76.71
2                       1636      9.38
3                        411      2.36
4                         84      0.48
5                         33      0.19
6                         13      0.07
7                         13      0.07
8                          2      0.01

Just under one-quarter of CCIEs hold more than one certification.

Popularity

What are the most popular CCIE tracks?

Track                    Number    Percentage
Routing and Switching     11722     67.24
Service Provider           1872     10.74
Security                   1864     10.69
Voice                      1112      6.38
Data Center                 893      5.12
Collaboration               590      3.38
Wireless                    188      1.08
Storage                     121      0.69

Then we have older tracks, such as WAN Switching (286 / 1.64%) and ISP Dial (108 / 0.62%).


It is hardly surprising that R&S is the most popular. Service Provider and Security are about the same, at just under 11% each. It is quite surprising that the others are so low, but then this is usually the case with specialist areas.

Anyway, hope this was mildly interesting... I am back off to my CCIE Security notes.

30 days to go.

It's now just 30 days till the CCIE Security lab exam. Nerves are starting to kick in, and I did not get much time to study whilst sunning myself in the glorious South of France sun, but a break was most definitely needed.

I did do some studying, though: I watched a few of the INE videos on VPNs, and would highly recommend INE to anyone following the same path.

What to do now, in order to get lab-ready over the next month?

I will start by listing the areas from strongest to weakest:

  • ASAs (basic configs, NAT)
  • IPS (it's pretty intuitive)
  • DMVPN
  • Routing
  • Services (NTP/DHCP)
  • Other VPNs
  • WSA
  • ISE/ACS

ISE and ACS come bottom of the list, and so this is where I need to focus my efforts for the majority of the time remaining.


The joy of it is that I do find both of these topics interesting, so that makes it easier to concentrate on them. Brian McGahan's videos will certainly help, and I have also started to read the CCNP Security SISAS 300-208 Official Cert Guide, which although it's for the CCNP Security, should certainly help things.

It is truly amazing how quickly the time goes, I am not sure (at this stage) whether I will be fully prepared when the day comes, but I can go in and give it a damn good try (and hopefully squeeze in a re-sit in December if required and seats are available). 

I probably won't blog much over the next month, so I wish you all the best and will catch up soon.

A CCIE Security engineer walks into a bar, things get weird

This might get a bit weird, and you can blame me for watching too much of The Mighty Boosh, but bear with it.

Picture the scene.

You walk into a bar, with a friend who you refer to as "silly knickers".

At the first table, you point to your friend, and can see a pissed-up architect, trying to draw whilst wearing cashmere mittens. What an idiot.

You look at the second table, and point to your friend again, as there are two pissed-up architects, both trying to draw whilst wearing cashmere mittens. Idiots!

Getting a drink is Easy. You politely point at the bar and grab an alcoholic apple juice. Then you head to the bathroom and pee in private. You fancy a vanilla tequila.

Back at the bar, the barman is also a fitness instructor. He's flexing happily. Two authors walk in, they politely propose a policy of only drinking alcoholic apple juice, in order to keep bar profits set high. You prefer a vanilla tequila.

One of the authors is actually a client of the barman, so he does not point and laugh. Instead, he says he'd like the same, but instead of vanilla tequila, he'd like a cup of tea in two cups.

The authors get served.

The next to get served is a policeman with a key. He's carrying Optimus Prime under one arm, and Bumblebee under the other. He has another key, which is huge, it's a really strong key. He orders a cucumber and a lemonade and nods to the group.

As is a bar policy, anyone with a key gets to make the rules. Before you know it, everyone is wearing cashmere mittens. Idiots!

Ok, story time over. All good stories have meanings, so what's this one all about (if you haven't worked it out from the clues)? I am sure lots of readers are thinking... WTF?


Well, this is to try and remember VPN setups.

I made the VPNs cheatsheet a week or two ago, and this is good for showing where things fit in with each other, but I was still forgetting the steps.

I tried mnemonics, but they just came out as unrelated words, so decided to turn it into a story, with enough information to remember all the steps.

Let's break it down.

The first table is IKEv1.

I = ISAKMP
Point = Policy
To = Transform
Silly = Set
Knickers = Keyring
If = ISAKMP
Pissed = Profile
Architect = ACL
Cashmere = Crypto
Mittens = MAP
Idiot = Interface

Table 2 is IKEv2

I = ISAKMP
Point = Policy
To = Transform
Silly = Set
Knickers = Keyring
If = ISAKMP
2 = IKEv2
Pissed = Profile
Architect = ACL
Cashmere = Crypto
Mittens = MAP
Idiots = Interface

A little harder, but the 2 signifies IKEv2 commands, and we need four of them (proposal, policy, keyring and profile). Each starts with "crypto ikev2", so we can use the context-sensitive help.

Easy VPN is next (its EASY to get served...)

I = ISAKMP
Politely = Policy
Point = Pool
Grab = Group
An Alcoholic Apple (juice) = AAA 
I = ISAKMP
Pee = Profile
In = IPSec 
Private = Profile
Vanilla = Virtual
Tequila = Template

I have left the client-side out, as that's pretty easy (create the "crypto ipsec client ez group", and assign the outside and inside interfaces)

Then comes FlexVPN Server (our flexing barman)

Point = Pool
And = Access
Laugh = List
2 Authors = IKEv2 Authorization
Politely = Policy
Propose = Proposal
Policy = Policy
Alcoholic Apple = AAA
2 Keep = Ikev2 Keyring
Profiles = IKEv2 Profile
Set = Transform Set
I = IPSec 
Prefer = Profile
Vanilla = Virtual
Tequila = Template

A server is no good without a client, and this is much the same. Here the author wants the same as the server, without the pointing and laughing, but he does not want the vanilla tequila (virtual template), and orders:

Tea = Tunnel
In = Interface
2 = IKEv2
Cups = Client

The policeman is getting served next, which brings us onto GETVPN.

Is A = ISAKMP
Policeman = Policy
Key = ISAKMP key
Transformers = Transform Set
Really Strong Key = RSA key
A Cucumber and Lemonade = ACL
(nods to the) Group = GDOI Group

I have left out the IPSec profile from the server. I could not think of anything to fit, and the IOS will actually complain (I think) if this is missing, so it should be easy to figure out the missing bit(s).

Finally, we have the GETVPN client:

(As) Is A = ISAKMP
(bar) policy = Policy
Key = ISAKMP Key
Group = GDOI group
Cashmere = Crypto
Mittens = Map
Idiots = Interface

I have tried to keep things like crypto map (cashmere mittens), interface (idiot/s) and virtual template (vanilla tequila) the same across the story, as it makes it (slightly) easier to remember. It's a weird story, but with enough repetition, and picturing yourself in the bar, it should aid memory.

CCIE:Sec: Day 12 - Flex VPN.

I did not manage to get any studying done over the weekend, so I need to make up for it; that said, it was a good weekend. The annual Thai/Prague barbecue, where some of my wife's friends come over, and we eat some good food, have some good conversation and drink.

And I certainly did drink. Being the suave and cool-cat kind of guy I decided that (at about 10pm) bed would be the best option for me. My wife found me asleep on the bathroom floor at about midnight, whereupon I muttered something about having to "do the chicken", and then she put me to bed.

Yup. Stay classy Stuart.

Anyway, I am picking up from last week and finishing off FlexVPN. To be honest I am having a hard time remembering all the required components of all the different VPNs, so I created a VPNs Cheatsheet for each of the IOS VPNs. You can download it, and I'll be doing more later on as well. It definitely came in handy today. But before we get to today, let's go back to last week - cue flashback wobbly screen and weird music...

Sometime last week...

Time to set up FlexVPN between Telnet-2 (Flex VPN client) and Telnet-1:

Flex VPN Client configuration

Telnet-2(config)#crypto ikev2 client flexvpn FLEX-VPN 
Telnet-2(config-ikev2-flexvpn)#peer 1 1.1.1.1 
Telnet-2(config-ikev2-flexvpn)#client connect tunnel 1
Telnet-2(config-ikev2-flexvpn)#exit          
Telnet-2(config)#int tunnel 1
Telnet-2(config-if)#tunnel destinatio 1.1.1.1
Telnet-2(config-if)#tun source loop 0
Telnet-2(config-if)#tunnel mode ipsec ipv4
Telnet-2(config-if)#tunnel protectio ipsec profile Flex-Protect
Profile Flex-Protect is not defined.
Telnet-2(config-if)#
Telnet-2(config-if)#exit
Telnet-2(config)#cryp ipsec profile Flex-Profile
Telnet-2(ipsec-profile)#set transform-set 3des
%ERROR: transform set with tag "3des" does not exist.

Telnet-2(ipsec-profile)#exit
Telnet-2(config)#cry ipsec transform-set 3des esp-3des esp-sha-hmac
Telnet-2(cfg-crypto-trans)#exit
Telnet-2(config)#cryp ipsec profile Flex-Profile                   
Telnet-2(ipsec-profile)#set transform-set 3des         
Telnet-2(ipsec-profile)#int tunnel 1                   
Telnet-2(config-if)#tunnel protectio ipsec profile Flex-Profile
Telnet-2(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Telnet-2(config-if)#ip add nego  
Telnet-2(config-if)#do sh run | s crypto
crypto ikev2 client flexvpn FLEX-VPN
  peer 1 1.1.1.1
crypto ipsec transform-set 3des esp-3des esp-sha-hmac 
 mode tunnel
crypto ipsec profile Flex-Profile
 set transform-set 3des 
Telnet-2(config-if)#exi                 
Telnet-2(config)#aa new-model 
Telnet-2(config)#aaa authorization network AuthZ-list local
Telnet-2(config)#crypto ikev2 proposal Flex-IKEv2-Prop
IKEv2 proposal MUST either have a set of an encryption algorithm other than aes-gcm, an integrity algorithm and a DH group configured or 
 encryption algorithm aes-gcm, a prf algorithm and a DH group configured
Telnet-2(config-ikev2-proposal)#encryption 3des 
Telnet-2(config-ikev2-proposal)#integrity sha1
Telnet-2(config-ikev2-proposal)#group 5
Telnet-2(config-ikev2-proposal)#exit
Telnet-2(config)#crypto ikev2 policy Flex-Policy
IKEv2 policy MUST have atleast one complete proposal attached 
Telnet-2(config-ikev2-policy)#proposal Flex-IKEv2-Prop
Telnet-2(config-ikev2-policy)#exit
Telnet-2(config)#crypto ikev2 profile Flex-IKEv2-Prof 
IKEv2 profile MUST have:
   1. A local and a remote authentication method.
   2. A match identity or a match certificate or match any statement.
Telnet-2(config-ikev2-profile)#authentication local pre-share 
Telnet-2(config-ikev2-profile)#auth remote pre-share 
Telnet-2(config-ikev2-profile)#$ity remote fqdn Telnet-1.ccielab.local       
Telnet-2(config-ikev2-profile)#identity local fqdn Telnet-2.ccielab.local
Telnet-2(config-ikev2-profile)#
Telnet-2(config-ikev2-profile)#keyring local Telnet1-Keyring
% Invalid keyring Telnet1-Keyring

Telnet-2(config-ikev2-profile)#exit
Telnet-2(config)#cry ikev2 keyring Telnet1-Keyring
Telnet-2(config-ikev2-keyring)#peer Telnet-1
Telnet-2(config-ikev2-keyring-peer)#address 1.1.1.1
Telnet-2(config-ikev2-keyring-peer)#pre-shared-key CCIE
Telnet-2(config-ikev2-keyring-peer)#exit
Telnet-2(config-ikev2-keyring)#exit
Telnet-2(config)#crypto ikev2 profile Flex-IKEv2-Prof
Telnet-2(config-ikev2-profile)#keyring local Telnet1-Keyring
Telnet-2(config-ikev2-profile)#
Telnet-2(config-ikev2-profile)#exit
Telnet-2(config)#crypto ikev2 client flexvpn FLEX-VPN
Telnet-2(config-ikev2-flexvpn)#client connect tunnel 1
Telnet-2(config-ikev2-flexvpn)#
Telnet-2(config-ikev2-flexvpn)#exit
Telnet-2(config)#
Telnet-2(config)#do sh run | i profile
crypto ikev2 profile Flex-IKEv2-Prof
crypto ipsec profile Flex-Profile
 tunnel protection ipsec profile Flex-Profile
Telnet-2(config)#crypto ipsec profile Flex-Profile
Telnet-2(ipsec-profile)#set transform-set 3des
Telnet-2(ipsec-profile)#set ikev2-profile Flex-IKEv2-Prof
Telnet-2(ipsec-profile)#
Hardly the smoothest setup in the world! Let's move on to the server:

Flex VPN Server configuration

Telnet-1(config)#ip local pool Flex-Pool 1.1.2.10 1.1.2.20
Telnet-1(config)#
Telnet-1(config)#aaa new-model 
Telnet-1(config)#
Telnet-1(config)#crypto ikev2 authorization policy default
%Warning: This will Modify Default IKEv2 Authorization Policy. Exit if you don't want
Telnet-1(config-ikev2-author-policy)#pool Flex-Pool
Telnet-1(config-ikev2-author-policy)#exit
Telnet-1(config)#
Telnet-1(config)#cry ikev2 profile Flex-IKEv2-Policy
IKEv2 profile MUST have:
   1. A local and a remote authentication method.
   2. A match identity or a match certificate or match any statement.
Telnet-1(config-ikev2-profile)#authentication local pre-share 
Telnet-1(config-ikev2-profile)#auth remote pre
Telnet-1(config-ikev2-profile)#$ity remote fqdn Telnet2.ccielab.local        
Telnet-1(config-ikev2-profile)#keyring local Flex-Keyring
% Invalid keyring Flex-Keyring

Telnet-1(config-ikev2-profile)#exi
Telnet-1(config)#cry ikev2 keyring Flex-Keyring
Telnet-1(config-ikev2-keyring)#peer Telnet1
Telnet-1(config-ikev2-keyring-peer)#address 2.2.2.2
Telnet-1(config-ikev2-keyring-peer)#pre CCIE
Telnet-1(config-ikev2-keyring-peer)#exit
Telnet-1(config-ikev2-keyring)#exit
Telnet-1(config)#cry ikev2 profile Flex-IKEv2-Policy             
Telnet-1(config-ikev2-profile)#keyring local Flex-Keyring         
Telnet-1(config-ikev2-profile)#exit
Telnet-1(config)#
Telnet-1(config)#cry ikev2 proposal Flex-Prop
IKEv2 proposal MUST either have a set of an encryption algorithm other than aes-gcm, an integrity algorithm and a DH group configured or 
 encryption algorithm aes-gcm, a prf algorithm and a DH group configured
Telnet-1(config-ikev2-proposal)#en 3des
Telnet-1(config-ikev2-proposal)#int sha1
Telnet-1(config-ikev2-proposal)#gr 5
Telnet-1(config-ikev2-proposal)#exit
Telnet-1(config)#
Telnet-1(config)#cry ikev2 poli
Telnet-1(config)#do sh run | i policy 
crypto ikev2 authorization policy default
Telnet-1(config)#cry ikev2 policy Flex-Policy
IKEv2 policy MUST have atleast one complete proposal attached 
Telnet-1(config-ikev2-policy)#proposal Flex-Prop
Telnet-1(config-ikev2-policy)#exit
Telnet-1(config)#cry ipsec profile Flex-IPSec-Prof
Telnet-1(ipsec-profile)#set transform-set 3des
%ERROR: transform set with tag "3des" does not exist.

Telnet-1(ipsec-profile)#do sh run | i transf
Telnet-1(ipsec-profile)#exit
Telnet-1(config)#cry ips transform-set 3des esp-3des esp-sha-hmac
Telnet-1(cfg-crypto-trans)#cry ipsec profile Flex-IPSec-Prof               
Telnet-1(ipsec-profile)#set transform-set 3des
Telnet-1(ipsec-profile)#set ikev2-profile Flex-IKEv2-Policy
Telnet-1(ipsec-profile)#exit
Telnet-1(config)#
Telnet-1(config)#int tun 1
Telnet-1(config-if)#ip unn loop0
Telnet-1(config-if)#
Telnet-1(config-if)#tun so lo0
Telnet-1(config-if)#tun mo ipsec ipv4
Telnet-1(config-if)#tun prot ipsec prof Flex-IPSec-Prof
Telnet-1(config-if)#
Telnet-1(config-if)#cry ikev2 profile Flex-IKEv2-Policy
Telnet-1(config-ikev2-profile)#virtual-template 1
Telnet-1(config-ikev2-profile)#exi
Telnet-1(config)#int virtual-tem 1 t t
Telnet-1(config-if)#ip unnu lo0
Telnet-1(config-if)#tun so lo0
Telnet-1(config-if)#tun mo ipse ipv4
Telnet-1(config-if)#tun prot ipsec profile Flex-IPSec-Prof
Telnet-1(config-if)#
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Telnet-1(config-if)#
Telnet-1(config-if)#
Present day:

The configuration looks OK, and as the Flex VPN traffic will be carried within the IKE traffic, we do not need to worry about opening up the firewalls for the traffic between Telnet-1 and Telnet-2. However, the Flex VPN is not working. I can see the traffic, but nothing is getting established:


We'll need some debugging:
Telnet-1#debug cry isak
Crypto ISAKMP debugging is on
Telnet-1#debug cry ikev2 clie
Telnet-1#debug cry ikev2 client flex
ISAKMP: (0):peer matches *none* of the profiles
Telnet-1#debug cry ikev2 client flexvpn 
FlexVPN debugging is on
Telnet-1# 
ISAKMP: (0):peer matches *none* of the profiles
ISAKMP: (0):peer matches *none* of the profiles
Telnet-1#
We have the profiles set up, each should be identifying itself by the FQDN. Let's check:
Telnet-1#sh run | s crypto
crypto ikev2 authorization policy default
 pool Flex-Pool
 no route set interface
 route set access-list Flex-Routes
crypto ikev2 proposal Flex-Prop 
 encryption 3des
 integrity sha1
 group 5
crypto ikev2 policy Flex-Policy 
 proposal Flex-Prop
crypto ikev2 keyring Flex-Keyring
 peer Telnet1
  address 2.2.2.2
  pre-shared-key CCIE
 !
crypto ikev2 profile Flex-IKEv2-Policy
 match identity remote fqdn Telnet2.ccielab.local
 authentication remote pre-share
 authentication local pre-share
 keyring local Flex-Keyring
 aaa authorization group psk list AuthC default
 virtual-template 1
crypto ipsec transform-set 3des esp-3des esp-sha-hmac 
 mode tunnel
crypto ipsec profile Flex-IPSec-Prof
 set transform-set 3des 
 set ikev2-profile Flex-IKEv2-Policy
Telnet-1#
We are expecting an FQDN of Telnet2.ccielab.local, but are actually being sent Telnet-2.ccielab.local. Let's fix it:
Telnet-2(config)#crypto ikev2 profile Flex-IKEv2-Prof
Telnet-2(config-ikev2-profile)#no identity local fqdn Telnet-2.ccielab.local
Telnet-2(config-ikev2-profile)#identity local fqdn Telnet2.ccielab.local 
Telnet-2(config-ikev2-profile)#

Telnet-1(config)#
ISAKMP: (0):peer matches Flex-IKEv2-Policy profile
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
%LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
Telnet-1(config)#
Now we can start to see some action, but what is true for one is true for the other, and the line flaps. I actually missed the local identity command from Telnet-1, I'd better add it:
Telnet-1(config)#crypto ikev2 profile Flex-IKEv2-Policy
Telnet-1(config-ikev2-profile)#identity local fqdn Telnet-1.ccielab.local
Telnet-1(config-ikev2-profile)#
ISAKMP: (0):peer matches Flex-IKEv2-Policy profile
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
%LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
Telnet-1(config-ikev2-profile)#do un all
All possible debugging has been turned off
Telnet-1(config-ikev2-profile)#

Telnet-2(config-ikev2-profile)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
Telnet-2(config-ikev2-profile)#do sh ip int bri      
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         10.1.13.1       YES NVRAM  up                    up      
GigabitEthernet0/1         unassigned      YES NVRAM  administratively down down    
GigabitEthernet0/2         unassigned      YES NVRAM  administratively down down    
GigabitEthernet0/3         unassigned      YES NVRAM  administratively down down    
Loopback0                  2.2.2.2         YES NVRAM  up                    up      
Tunnel1                    1.1.2.12        YES manual up                    up      
Telnet-2(config-ikev2-profile)#
We now have a working tunnel, and the mistake I made was a very simple one. Still, hopefully the cheatsheet should help. I think it's better to have the visual of how the different parts make up the VPNs than just trying to blindly remember it!
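As an added example (my own code, not part of the original post and not a Cisco tool), here is a small Python checker that reads the "sh run | s crypto" output of both FlexVPN peers and reports exactly the mismatches that produced "peer matches *none* of the profiles" above: a "match identity remote fqdn" the other side never sends, plus dangling keyring, transform-set and IKEv2-profile references of the kind IOS complained about during setup. The two sample configs are constructed from the captures in this post, and the function names and findings format are assumptions of mine.

```python
import re

def parse_ios(cfg):
    """Map each top-level IOS config line to its indented children (one indent removed)."""
    blocks, current = {}, None
    for line in cfg.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):
            current = line.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line[1:])
    return blocks

def summarise(cfg):
    """Collect the IKEv2/IPsec objects the consistency checks need from one router."""
    s = {"ikev2_profiles": {}, "keyrings": set(), "transform_sets": set(), "ipsec_profiles": {}, "local_identities": set()}
    for head, body in parse_ios(cfg).items():
        words = head.split()
        if head.startswith("crypto ikev2 keyring "):
            s["keyrings"].add(words[3])
        elif head.startswith("crypto ipsec transform-set "):
            s["transform_sets"].add(words[3])
        elif head.startswith("crypto ikev2 profile "):
            prof = {"match_fqdn": None, "keyring": None}
            for child in body:
                if m := re.match(r"match identity remote fqdn (\S+)", child):
                    prof["match_fqdn"] = m.group(1)        # identity we demand from the peer
                elif m := re.match(r"identity local fqdn (\S+)", child):
                    s["local_identities"].add(m.group(1))  # identity this router will send
                elif m := re.match(r"keyring local (\S+)", child):
                    prof["keyring"] = m.group(1)
            s["ikev2_profiles"][words[3]] = prof
        elif head.startswith("crypto ipsec profile "):
            s["ipsec_profiles"][words[3]] = dict(re.findall(r"set (transform-set|ikev2-profile) (\S+)", "\n".join(body)))
    return s

def check_pair(name_a, cfg_a, name_b, cfg_b):
    """Run the checks in both directions; an empty list means the two peers agree."""
    a, b, findings = summarise(cfg_a), summarise(cfg_b), []
    for me, peer, mine, theirs in ((name_a, name_b, a, b), (name_b, name_a, b, a)):
        for pname, prof in mine["ikev2_profiles"].items():
            if prof["keyring"] and prof["keyring"] not in mine["keyrings"]:
                findings.append(f"{me}: profile {pname} references missing keyring {prof['keyring']}")
            want = prof["match_fqdn"]
            if want and want not in theirs["local_identities"]:
                sends = ", ".join(sorted(theirs["local_identities"])) or "no explicit FQDN identity"
                findings.append(f"{me}: profile {pname} matches remote fqdn {want} but {peer} sends {sends}")
        for pname, refs in mine["ipsec_profiles"].items():
            for kind, pool in (("transform-set", "transform_sets"), ("ikev2-profile", "ikev2_profiles")):
                if kind in refs and refs[kind] not in mine[pool]:
                    findings.append(f"{me}: ipsec profile {pname} references missing {kind} {refs[kind]}")
    return findings

# Constructed samples modelled on the post's captures, before either fix was applied.
TELNET1_BEFORE = """\
crypto ikev2 keyring Flex-Keyring
 peer Telnet1
  address 2.2.2.2
crypto ikev2 profile Flex-IKEv2-Policy
 match identity remote fqdn Telnet2.ccielab.local
 keyring local Flex-Keyring
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
crypto ipsec profile Flex-IPSec-Prof
 set transform-set 3des
 set ikev2-profile Flex-IKEv2-Policy
"""
TELNET2_BEFORE = """\
crypto ikev2 keyring Telnet1-Keyring
 peer Telnet-1
  address 1.1.1.1
crypto ikev2 profile Flex-IKEv2-Prof
 match identity remote fqdn Telnet-1.ccielab.local
 identity local fqdn Telnet-2.ccielab.local
 keyring local Telnet1-Keyring
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
crypto ipsec profile Flex-Profile
 set transform-set 3des
 set ikev2-profile Flex-IKEv2-Prof
"""
# The two fixes from the post, applied as text edits to the constructed samples.
TELNET2_AFTER = TELNET2_BEFORE.replace("fqdn Telnet-2.ccielab", "fqdn Telnet2.ccielab")
TELNET1_AFTER = TELNET1_BEFORE.replace(" keyring local Flex-Keyring", " keyring local Flex-Keyring\n identity local fqdn Telnet-1.ccielab.local")
```

Running check_pair on the BEFORE pair reports both identity mismatches (one per direction); on the AFTER pair it returns an empty list.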

That's the hope anyway.

With just over two months to go, things are starting to fall into place. I still need to memorize the VPN components, and build up the speed. But there is still plenty of time.

Cisco IOS VPNs Cheatsheet

I have put together a little VPNs cheatsheet, it has got IKEv1, IKEv2, EasyVPN, DMVPN, FlexVPN and GETVPN.

Each VPN can be created with just two routers, and the steps are shown, like this:

Cisco IOS VPNs cheatsheet

You can download the file by heading over to the forum post.

I will be doing another one with ASA-based VPNs (L2L, Remote access etc), and one for troubleshooting.