RE: Working VPN config

From: Brad Hedlund (BHedlund@xxxxxxxxxxxxxxxxxxx)
Date: Sat Jan 08 2000 - 19:28:05 GMT-3


   

As I suspected, apparently I DO need "Crypto ISAKMP Policy 1". When I
removed it from my configuration it failed to work! I cleared all the SAs
and reloaded the routers just to make sure.

When it wasn't working I checked IPsec to see how it was doing and found that
it wasn't able to encapsulate the packets due to errors:

R9#show cryp ipsec sa

interface: Ethernet0/0

interface: Tunnel0
    Crypto map tag: summer, local addr. 64.100.100.9

    local ident (addr/mask/prot/port): (10.100.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.100.0.0/255.255.0.0/0/0)
   current_peer: 63.100.100.4
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 10, #recv errors 0

     local crypto endpt.: 64.100.100.9, remote crypto endpt.: 63.100.100.4
     path mtu 1514, media mtu 1514
     current outbound spi: 0

Notice the 10 send errors from 2 ping tries.

Naushad, I'm curious how you got yours working without an ISAKMP
protection-suite.
Are you sure the packets were actually getting encrypted?
'show crypto ipsec sa'

Can I/we see your complete configurations?

I'm just as confused as you are with all this crypto lingo, but I'm pretty
sure IPSec needs an ISAKMP protection-suite configured. I could be wrong
though.

-Brad

>
> Brad,
>
> Do you have to have "Crypto ISAKMP Policy 1"? I have been able to make it
> work without this policy. Refer to the URL below for an example. I have
> tried it and it works.
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt4/scipsec.htm#xtocid2141731
>
> This stuff is extremely confusing. Especially the various encryption
> methodologies and their application.
>
> Naushad
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Brad Hedlund
> Sent: Thursday, January 06, 2000 3:32 PM
> To: 'ccielab@groupstudy.com'
> Subject: Working VPN config
>
>
>
> I was able to put together a working VPN configuration as follows:
>
> ------e0 R4 s0 --------- Internet --------- e0/0 R9 e1/0 ----
>
> <---------Encrypted Tunnel---> (IPsec)
>
> I am running EIGRP over the tunnel, making the "internet" look like a
> leased line. Given that, I may be able to do dial-backup over the VPN with
> floating statics.
> The URL I mailed out in the previous email doesn't use a tunnel interface;
> I just threw that in.
> I will just show the configs. If I add all the show commands that prove it
> works, this email might be too long for the list to send.
>
> R4#wr t
> Building configuration...
>
> Current configuration:
> !
> version 11.3
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname R4
> !
> !
> no ip domain-lookup
> !
> !
> !
> crypto isakmp policy 1
> hash md5
> authentication pre-share
> group 2
> lifetime 300
> crypto isakmp key MyFirstVPN address 200.100.100.9
> !
> !
> crypto ipsec transform-set VPNtoR9 ah-md5-hmac esp-des
> !
> !
> crypto map winter 10 ipsec-isakmp
> set peer 200.100.100.9
> set security-association lifetime seconds 600
> set transform-set VPNtoR9
> set pfs group2
> match address 101
> !
> !
> !
> interface Loopback99
> ip address 4.4.4.4 255.255.255.255
> !
> interface Tunnel0
> ip address 10.10.49.4 255.255.255.0
> tunnel source 200.200.200.4
> tunnel destination 200.100.100.9
> crypto map winter
> !
> interface BRI0/0
> no ip address
> shutdown
> !
> interface Ethernet0/0
> ip address 10.10.4.1 255.255.255.0
> no keepalive
> !
> interface Serial0/0
> ip address 200.200.200.4 255.255.255.0
> encapsulation frame-relay
> ip ospf network point-to-multipoint
> no ip mroute-cache
> no fair-queue
> !
> router eigrp 100
> network 10.0.0.0
> !
> router ospf 1
> network 200.200.200.0 0.0.0.255 area 0.0.1.244
> !
> ip classless
> !
> logging buffered 4096 debugging
> no logging console
> access-list 101 permit ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
> !
> !
> line con 0
> exec-timeout 0 0
> line aux 0
> line vty 0 4
> login
> !
> end
>
> R4#
>
> R9#sh ru
> Building configuration...
>
> Current configuration:
> !
> version 11.3
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname R9
> !
> !
> ip subnet-zero
> no ip domain-lookup
> !
> !
> voice-port 2/0/0
> !
> voice-port 2/0/1
> !
> voice-port 2/1/0
> !
> voice-port 2/1/1
> !
> !
> crypto isakmp policy 1
> hash md5
> authentication pre-share
> group 2
> lifetime 300
> crypto isakmp key MyFirstVPN address 200.200.200.4
> !
> !
> crypto ipsec transform-set VPNtoR4 ah-md5-hmac esp-des
> !
> !
> crypto map summer 10 ipsec-isakmp
> set peer 200.200.200.4
> set security-association lifetime seconds 600
> set transform-set VPNtoR4
> set pfs group2
> match address 101
> !
> !
> !
> interface Loopback99
> ip address 9.9.9.9 255.255.255.255
> no ip directed-broadcast
> !
> interface Tunnel0
> ip address 10.10.49.9 255.255.255.0
> tunnel source 200.100.100.9
> tunnel destination 200.200.200.4
> crypto map summer
> !
> interface Ethernet0/0
> ip address 200.100.100.9 255.255.255.0
> no ip directed-broadcast
> no keepalive
> !
> interface Serial0/0
> no ip address
> no ip directed-broadcast
> no ip mroute-cache
> shutdown
> no fair-queue
> !
> interface BRI1/0
> no ip address
> no ip directed-broadcast
> shutdown
> !
> interface Ethernet1/0
> ip address 10.10.9.1 255.255.255.0
> no ip directed-broadcast
> no keepalive
> !
> interface BRI1/1
> no ip address
> no ip directed-broadcast
> shutdown
> !
> router eigrp 100
> network 10.0.0.0
> !
> router ospf 1
> network 200.100.100.0 0.0.0.255 area 0
> !
> ip classless
> !
> no logging console
> access-list 101 permit ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
> !
> !
> line con 0
> exec-timeout 0 0
> transport input none
> line aux 0
> line vty 0 4
> no login
> !
> end
>
> R9#
>
> -Brad
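A small checker, added here as an example and not part of the thread, that mechanises the point Brad is making above: a crypto map of type ipsec-isakmp cannot bring up a tunnel without an IKE (ISAKMP) policy, a pre-shared key for its peer, a defined transform-set and match ACL, and an interface binding. The sample config is constructed from the R4 config in the quoted mail with IOS's one-space sub-command indentation; lint_ipsec is a hypothetical name.

```python
import re

# Constructed sample: the crypto-relevant lines of R4's config from the thread,
# indented as "show run" prints them. Deleting the "crypto isakmp policy" line
# reproduces the failure Brad describes (ipsec-isakmp map, no IKE phase 1).
R4_CONFIG = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
crypto isakmp key MyFirstVPN address 200.100.100.9
crypto ipsec transform-set VPNtoR9 ah-md5-hmac esp-des
crypto map winter 10 ipsec-isakmp
 set peer 200.100.100.9
 set transform-set VPNtoR9
 match address 101
interface Tunnel0
 crypto map winter
access-list 101 permit ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
"""

def lint_ipsec(config):
    """Return a list of problems found in an IOS IPsec/ISAKMP config (hypothetical checker)."""
    problems = []
    has_policy = re.search(r"^crypto isakmp policy \d+", config, re.M) is not None
    keys = set(re.findall(r"^crypto isakmp key \S+ address (\S+)", config, re.M))
    tsets = set(re.findall(r"^crypto ipsec transform-set (\S+)", config, re.M))
    acls = set(re.findall(r"^access-list (\d+) ", config, re.M))
    applied = set(re.findall(r"^ crypto map (\S+)", config, re.M))  # interface bindings
    # Each ipsec-isakmp map and its indented sub-commands.
    for m in re.finditer(r"^crypto map (\S+) \d+ ipsec-isakmp\n((?: .*\n)*)", config, re.M):
        name, body = m.group(1), m.group(2)
        if not has_policy:
            problems.append(f"map {name}: ipsec-isakmp but no 'crypto isakmp policy' (IKE phase 1 cannot negotiate)")
        for peer in re.findall(r"^ set peer (\S+)", body, re.M):
            if peer not in keys:
                problems.append(f"map {name}: no 'crypto isakmp key ... address {peer}' for the peer")
        for ts in re.findall(r"^ set transform-set (\S+)", body, re.M):
            if ts not in tsets:
                problems.append(f"map {name}: transform-set {ts} not defined")
        for acl in re.findall(r"^ match address (\S+)", body, re.M):
            if acl not in acls:
                problems.append(f"map {name}: access-list {acl} not defined")
        if name not in applied:
            problems.append(f"map {name}: not applied to any interface")
    return problems

if __name__ == "__main__":
    print(lint_ipsec(R4_CONFIG) or "OK")
    print(lint_ipsec(R4_CONFIG.replace("crypto isakmp policy 1\n", "")))
```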



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:22:43 GMT-3