Lab 1 Task 3.2 IPsec VPN

The last subtask says that if R4 loses its connection to the Frame Relay cloud, the VPN should stay up.  Just so you know, I wasted over 3 hours on trying to get this damn thing working only to find out the SG doesn't even test a Frame Relay outage.

But, rant aside, from looking at the diagram, the backup path will traverse the BB1 and BB3 routers.  I know the BB routers are talking to each other and routes that I advertise from R6 are showing up at R1, but not vice versa.  But, connectivity issues also aside, the SG didn't complete the scenario because IPSEC traffic is not being allowed in via R1 or R6 (which are treating the BB networks as "outside").  Am I right?


  • Hi,

    Yes, I had the same questions, but I believe the WB is just testing our knowledge to source the packets out of the Loopback and using the local-address on the crypto map. Also, when they say a backup connection they are referring to the FR connection on Serial0/0.345 instead of the P2P link between R4-R5 (which is not pictured in the diagram, but does exist in the configs). If I shut down both the P2P and FR connections to test this out, it doesn't work either, even if I put routes on R6. This is mainly due to task 2.1 ZBFW, which does not allow ESP or ISAKMP connections from the Outside connection BB1->R1.

    I wish they could take this into account.


    Good luck!

  • I agree with your first statement about what we're being tested on.  And to be perfectly honest, I didn't even check to see if the S0/1 interfaces were up because, as you said, it's not shown on the map (and I've always been told by the proctors that the map is always right....).

    Still, if S0/1 is supposed to be the backup link, the SG still doesn't verify that it will work.  And, as it turns out, the initial configs do attempt to bring up the link, but the 'clock rate' command is only applied to one side, which in my case, the DCE was on the side that didn't get the clock rate (go figure).  So, had the initial configs been sound, or the diagram at least accurate to show there's a s0/1 link, I don't think I would have wasted too much time trying to get the BB path to work.

    As for ZBFW blocking ESP/ISAKMP, this is a perfect scenario that I could see cropping up in the real lab where you have to go back and modify a previous task to make a later task work.  However, this is one where I'd double check with the proctor because task 2.1 does clearly state "Drop all other traffic".

    Anyway, thanks for clearing this up.  This had been bugging me all night (basically if this was a real lab, I would never have made it past task 3.2...)
