Channel: IEOC - INE's Online Community

IKEv1 L2L Between IOS Routers with ISAKMP Profile


Question on this lab. Is there a reason why we wouldn't set the proxy identity on R1 in the dynamic crypto map? If we don't set the proxy identity using the match address ACL_NAME command, we cannot originate the tunnel from R1. However, given we are using a dynamic crypto map and don't set the peer IP, would R1 be able to establish the tunnel given it doesn't know the peer IP? From my testing it seems you can. With the proxy ACL on R1, I cleared the ISAKMP and IPsec SAs on both devices using "clear crypto isakmp" and "clear crypto sa"; however, on R2 the IPsec SA never seems to be cleared. But if I specify the proxy ACL on R1 and clear the tunnel, I am able to establish the tunnel when originating the traffic from R1. So it seems that even though R1 doesn't know the peer for the tunnel, it is able to establish the tunnel.

Without setting the proxy identity on R1, if there isn't an existing tunnel, R1 will just pass traffic to R2 normally without establishing a tunnel, and R2 will drop the traffic given it matches the proxy ACL. R2 provides this log in that scenario.

%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /150.1.2.2, src_addr= 150.1.1.1, prot= 1
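For readers following the question, the fragment below shows where the proxy identity (the `match address ACL_NAME` line) sits inside an IOS dynamic crypto map that references an ISAKMP profile, together with the show commands used to check the resulting SAs. This is an added illustration, not the lab's configuration or the poster's own config: the keyring, profile, transform-set and map names, the interface, the wildcard peer match, and the placeholder pre-shared key are all assumptions; the only values taken from the page are the ACL name ACL_NAME and the 150.1.1.1 / 150.1.2.2 addresses that appear in the R2 log line (used here as the protected hosts, which is itself an assumption).

```ios
! Added example, not the lab's config. Names and key are placeholders.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 14
!
! Keyring with a wildcard entry (assumed), as a dynamic map does not name its peer
crypto keyring KR_ANY
 pre-shared-key address 0.0.0.0 0.0.0.0 key PLACEHOLDER_PSK
!
crypto isakmp profile ISAKMP_PROF
 keyring KR_ANY
 match identity address 0.0.0.0 0.0.0.0
!
! Proxy identity: the traffic the log line shows R2 expecting inside IPsec
ip access-list extended ACL_NAME
 permit ip host 150.1.1.1 host 150.1.2.2
!
crypto ipsec transform-set TS_AES_SHA esp-aes esp-sha-hmac
 mode tunnel
!
! Dynamic entry: no "set peer"; the "match address" line is the one the
! question asks about, and it is what lets interesting traffic be identified
crypto dynamic-map DMAP 10
 set transform-set TS_AES_SHA
 set isakmp-profile ISAKMP_PROF
 match address ACL_NAME
!
crypto map CMAP 10 ipsec-isakmp dynamic DMAP
!
interface GigabitEthernet0/0
 crypto map CMAP
!
! Verification after clearing, to confirm both phases are really gone/rebuilt:
!   clear crypto isakmp
!   clear crypto sa
!   show crypto isakmp sa
!   show crypto ipsec sa peer <peer-address>
```

When comparing the two routers, check `show crypto ipsec sa` on each side after the clear commands; an SA that survives on one side explains why later traffic from that side is still treated as needing IPsec, which is the situation the R2 log line describes.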

