
Chapter 8: IPSec Troubleshooting Lab Solutions

This section contains solutions for IPSec Troubleshooting Labs 1, 2, and 3. Note that the IPSec/LabSolution directory contains working configurations for all routers for your reference.

Troubleshooting Lab 1 Solution

A1:

In Troubleshooting Lab 1, the crypto map mjlnetmap is not applied to the serial 0/0 interface on Tokyo. Apply the crypto map to the interface using the crypto map mjlnetmap command. For more details on troubleshooting this issue, see the section entitled "IKE Negotiation Is Not Initiated" on page 696.

Additionally, there is an access list configured on Osaka that is blocking ISAKMP. This access list should be removed. The section entitled "ISAKMP Is Blocked by an Access List or Firewall" on page 705 contains more information on troubleshooting this issue.

Troubleshooting Lab 2 Solution

A1:

The IKE (ISAKMP) policy is mismatched between Tokyo and Fukuoka. Modify the IKE (ISAKMP) policy on either Fukuoka or Tokyo so that the policies are no longer mismatched. More details about troubleshooting this issue can be found in the section entitled "IKE Policy Mismatch Exists" on page 709.

There is also a mismatch between the IPSec transform sets configured on Tokyo and Fukuoka. Reconfigure the transform set on either Fukuoka or Tokyo so that there is no longer a mismatch. See the section entitled "IPSec Transform Set Mismatch Exists Between Peers" on page 723 for more information about troubleshooting this issue.

Troubleshooting Lab 3 Solution

A1:

There is an access list configured on Tokyo that is blocking ESP. Remove this access list.

Additionally, there is an access list configured on Fukuoka that is blocking traffic from the Tokyo LAN (10.1.1.0/24). Remove this access list.

More information on troubleshooting both of these issues can also be found in the section entitled "Access List or Firewall Is Blocking AH or ESP" on page 733.
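
The faults from Labs 1 and 3 (a crypto map that is defined but never applied to an interface, and access lists that deny ISAKMP, ESP, or AH) can be checked for mechanically in a saved configuration. The Python script below is an added example, not part of the lab files; the sample configuration, its addresses, and the audit function name are constructed for illustration, and only numbered access-list lines are inspected.

```python
import re

# Constructed sample running-config (not from the lab files): the crypto map
# is defined but never applied, and ACL 101 denies ISAKMP and ESP.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
crypto map mjlnetmap 10 ipsec-isakmp
 set peer 192.0.2.2
 match address 102
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 ip access-group 101 in
access-list 101 deny udp any any eq isakmp
access-list 101 deny esp any any
access-list 101 permit ip any any
access-list 102 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
"""

def audit(config):
    """Return a sorted list of findings for an IOS-style configuration."""
    defined, applied, findings = set(), set(), []
    in_interface = False
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):            # a top-level line starts a new block
            in_interface = line.startswith("interface ")
        m = re.match(r"crypto map (\S+)", line)
        if m:
            # Indented under an interface means applied; top-level means defined.
            (applied if in_interface and raw.startswith(" ") else defined).add(m.group(1))
        m = re.match(r"access-list (\d+) deny (\S+) (.*)", line)
        if m:
            acl, proto, rest = m.groups()
            if proto in ("esp", "50"):
                findings.append(f"ACL {acl} denies ESP")
            elif proto in ("ahp", "51"):
                findings.append(f"ACL {acl} denies AH")
            elif proto == "udp" and re.search(r"eq (isakmp|500)\b", rest):
                findings.append(f"ACL {acl} denies ISAKMP (UDP 500)")
    for name in defined - applied:
        findings.append(f"crypto map {name} is not applied to any interface")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

A deny entry is reported whether or not its access list is bound to an interface, so confirm with the ip access-group lines before removing anything.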

