RE: [VPN]

From: pbosio@xxxxxxxxxxxxxx
Date: Mon Jan 17 2000 - 03:04:34 GMT-3



Jaime,

This is a quote straight out of the "Security Configuration Guide" for Cisco IOS
Release 12.0

Under IPsec Overview, under RESTRICTIONS

"At this time, IPSec can be applied to unicast IP datagrams only. Because the
IPSec Working Group has not yet addressed the issue of group key distribution,
IPSec does not currently work with multicasts or broadcast IP datagrams"

The book doesn't mention any solutions for routing protocols, but I'm pretty
sure the neighbor command should work as it is sent as a unicast packet...

Otherwise, not much else that I can add.

Have you tried RIP, IGRP with neighbor command?

Paul

jaime.salazar@equant.com on 17/01/2000 02:45:42 pm

To: pbosio@comtech.com.au
cc: "'ccielab@groupstudy.com'" <ccielab@groupstudy.com>

Subject: RE: [VPN]

I just tried, but I cannot make EIGRP propagate over the tunnel interface, but
I can ping both sides of the tunnel and the packets are encrypted and
encapsulated. Some more ideas?

pbosio@comtech.com.au on 16/01/2000 06:16:14 PM

Please respond to pbosio@comtech.com.au

To: Jaime Salazar/Mexico/AMERICAS/Equant@Equant
cc: "'ccielab@groupstudy.com'" <ccielab@groupstudy.com>

Subject: RE: [VPN]

Jaime,

Try the neighbor command under eigrp !!!!!!!!!!!!!!!!!!!

Paul

jaime.salazar@equant.com on 16/01/2000 09:45:36 am

Please respond to jaime.salazar@equant.com

To:
cc:

Subject: RE: [VPN]

Brad,

I am not receiving EIGRP updates across the tunnel. I have included the crypto
map on the physical interfaces and in the access list, but I am still getting the same
errors. Any ideas?

Brad Hedlund <BHedlund@LifeTimeFitness.com> on 15/01/2000 04:59:15 PM

Please respond to Brad Hedlund <BHedlund@LifeTimeFitness.com>

To: Jaime Salazar/Mexico/AMERICAS/Equant@Equant
cc: "'ccielab@groupstudy.com'" <ccielab@groupstudy.com>

Subject: RE: [VPN]

Crypto maps should be applied to both the physical and tunnel interface.
I realize that the first VPN config I sent out didn't do this. I have since
learned I was wrong.
My VPN was working, but it wasn't textbook.

-Brad

>
> Hey folks, calm down!!!
>
> Talking about VPNs, I did the exercise of Brad's recommendation for VPN. If
> you configure that, it works fine, but when I tried to add a tunnel interface to
> it, I get this kind of message:
> 00:03:59: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 192.168.10.66
> Here are the configs, can you figure out the problem?
>
> Thanks in advance.
> Jaime
>
> sh run
> Building configuration...
>
> Current configuration:
> !
> version 11.3
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname dt3-45a
> !
> !
> ip host ciscoca-ultra 171.69.54.46
> ip domain-name cisco.com
> ip name-server 171.69.2.132
> ip name-server 198.92.30.32
> !
> !
> crypto isakmp policy 1
> hash md5
> authentication pre-share
> crypto isakmp key slurpee-machine address 192.168.10.38
> !
> !
> crypto ipsec transform-set PapaBear esp-rfc1829
> crypto ipsec transform-set MamaBear ah-md5-hmac esp-des
> crypto ipsec transform-set BabyBear ah-rfc1828
> !
> !
> crypto map armadillo 10 ipsec-isakmp
> set peer 192.168.10.38
> set transform-set PapaBear MamaBear BabyBear
> match address 101
> !
> !
> process-max-time 200
> !
> interface Tunnel0
> ip address 10.10.49.1 255.255.255.0
> tunnel source 192.168.10.66
> tunnel destination 192.168.10.38
> crypto map armadillo
> !
> interface Serial0
> ip address 192.168.10.66 255.255.255.0
> no fair-queue
> clockrate 64000
> !
> interface Serial1
> no ip address
> shutdown
> !
> interface TokenRing0
> ip address 10.10.9.1 255.255.255.0
> ring-speed 16
> !
> router eigrp 100
> network 10.0.0.0
> !
> ip classless
> !
> access-list 101 permit ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
> !
> line con 0
> line aux 0
> line vty 0 4
> login
> !
> end
>
>
> Building configuration...
>
> Current configuration:
> !
> version 12.0
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname db3-4kb
> !
> !
> !
> !
> !
> !
> ip subnet-zero
> ip host ciscoca-ulotra 171.69.54.46
> ip domain-name cisco.com
> ip name-server 171.69.2.132
> ip name-server 198.92.30.32
> !
> cns event-service server
> !
> !
> crypto isakmp policy 1
> hash md5
> authentication pre-share
> crypto isakmp key slurpee-machine address 192.168.10.66
> !
> !
> crypto ipsec transform-set PapaBear esp-rfc1829
> crypto ipsec transform-set MamaBear ah-md5-hmac esp-des
> crypto ipsec transform-set BabyBear ah-rfc1828
> !
> !
> crypto map armadillo 10 ipsec-isakmp
> set peer 192.168.10.66
> set transform-set PapaBear MamaBear BabyBear
> match address 101
> !
> !
> process-max-time 200
> !
> interface Tunnel0
> ip address 10.10.49.2 255.255.255.0
> no ip directed-broadcast
> tunnel source 192.168.10.38
> tunnel destination 192.168.10.66
> crypto map armadillo
> !
> interface Ethernet0
> ip address 10.10.5.1 255.255.255.0
> no ip directed-broadcast
> !
> interface Serial0
> ip address 192.168.10.38 255.255.255.0
> no ip directed-broadcast
> no ip mroute-cache
> !
> interface Serial1
> no ip address
> no ip directed-broadcast
> shutdown
> !
> router eigrp 100
> network 10.0.0.0
> !
> ip classless
> no ip http server
> !
> access-list 101 permit ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
> !
> !
> line con 0
> transport input none
> line 1 8
> line aux 0
> line vty 0 4
> login
> !
> end


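The thread turns on which packets a crypto map's access list actually selects for IPsec: the guide Paul quotes says only unicast is protected, and the quoted configs tie crypto map "armadillo" to access-list 101, which permits 10.10.0.0/16 to 10.10.0.0/16. The checker below is an added example written for this archive page, not code from any of the posters or from Cisco. It parses numbered extended IOS ACL lines (contiguous wildcard masks only), applies first-match semantics with the implicit deny, and asks three questions of the thread's ACL: does it select LAN-to-LAN unicast (the pings that worked), the EIGRP hello addressed to the well-known multicast group 224.0.0.10, and the GRE carrier packets between the tunnel endpoints 192.168.10.66 and 192.168.10.38. For comparison it runs the same questions against a constructed ACL that selects the GRE carrier instead; that alternative ACL, and all the function names, are this example's assumptions and do not come from the thread.

```python
"""Which flows does an IOS crypto ACL select for IPsec?

Added example for the VPN thread above; not code from any poster.
Assumes numbered extended ACL syntax with contiguous wildcard masks.
"""
import ipaddress
from dataclasses import dataclass

EIGRP_GROUP = "224.0.0.10"  # well-known EIGRP multicast group


@dataclass
class AclEntry:
    action: str  # "permit" or "deny"
    proto: str   # "ip", "gre", "eigrp", "icmp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks are inverted netmasks: 0.0.255.255 -> /16."""
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    # IPv4Network rejects a non-contiguous mask, so unusual wildcards fail loudly
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def _take_address(tokens):
    """Consume one address spec: 'any', 'host X', or 'X WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(lines):
    """Parse 'access-list N permit|deny PROTO SRC DST' lines into AclEntry objects."""
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            raise ValueError(f"not an extended ACL line: {line!r}")
        action, proto = tokens[2], tokens[3]
        src, rest = _take_address(tokens[4:])
        dst, _ = _take_address(rest)
        entries.append(AclEntry(action, proto, src, dst))
    return entries


def acl_permits(entries, proto, src, dst) -> bool:
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in entries:
        if e.proto in ("ip", proto) and s in e.src and d in e.dst:
            return e.action == "permit"
    return False


def crypto_acl_report(acl_lines, lan_a, lan_b, tunnel_ip, endpoint_a, endpoint_b):
    """Report which of the flows relevant to a GRE+EIGRP tunnel the crypto ACL selects."""
    acl = parse_acl(acl_lines)
    return {
        # LAN-to-LAN unicast: the traffic the pings in the thread exercised
        "lan_unicast": acl_permits(acl, "icmp", lan_a, lan_b),
        # EIGRP hellos leave the tunnel interface addressed to the multicast group
        "eigrp_multicast": acl_permits(acl, "eigrp", tunnel_ip, EIGRP_GROUP),
        # the GRE carrier packets that actually cross the serial link
        "gre_carrier": acl_permits(acl, "gre", endpoint_a, endpoint_b),
    }


# Constructed from the ACL and addresses in the quoted configs
THREAD_ACL = ["access-list 101 permit ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255"]
# Constructed alternative (assumption, not from the thread): select the GRE carrier
GRE_ACL = ["access-list 101 permit gre host 192.168.10.66 host 192.168.10.38"]

if __name__ == "__main__":
    for name, acl in (("thread", THREAD_ACL), ("gre-carrier", GRE_ACL)):
        print(name, crypto_acl_report(acl, "10.10.9.1", "10.10.5.1", "10.10.49.1",
                                      "192.168.10.66", "192.168.10.38"))
```

Run against the thread's ACL the report shows LAN unicast selected but neither the EIGRP multicast nor the GRE carrier, which matches what Jaime observed: pings encrypted, routing updates absent. The multicast result is moot either way under the restriction Paul quotes, so whether a unicast `neighbor` statement or an ACL that selects the carrier is the right fix is exactly the question the thread leaves open.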

This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:22:45 GMT-3