From: Michel Bijnsdorp (michel_bijnsdorp@xxxxxxx)
Date: Wed Jan 26 2000 - 19:27:03 GMT-3
Hi wizards
I built a simple encryption setup for the CCIE exam (see below), only the
second part of the ISAKMP negotiation is going wrong. If I perform a "sh crypto isakmp sa" then
both end points are stuck in the QM_IDLE state (see also below). Can anyone tell me what I did
wrong here?
Thanks in advance.
lb0:1.1.1.1/32
lb0:2.2.2.2/32
7200 E3/1-------------------------E1 4500
10.1.1.1/24 10.1.1.2/24
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname 4500
!
!
!
!
!
!
ip subnet-zero
!
cns event-service server
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 10.1.1.1
!
!
crypto ipsec transform-set AAB esp-des esp-md5-hmac
!
!
crypto map to-7200 1 ipsec-isakmp
set peer 10.1.1.1
set transform-set AAB
match address 101
!
!
process-max-time 200
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
no ip directed-broadcast
!
interface Ethernet0
no ip address
shutdown
!
interface Ethernet1
ip address 10.1.1.2 255.255.255.0
no ip directed-broadcast
media-type 10BaseT
crypto map to-7200
!
interface Serial0
no ip address
no ip directed-broadcast
no ip mroute-cache
shutdown
!
interface Serial1
no ip address
no ip directed-broadcast
shutdown
!
interface Serial2
no ip address
no ip directed-broadcast
shutdown
!
interface Serial3
no ip address
no ip directed-broadcast
shutdown
!
interface TokenRing0
no ip address
no ip directed-broadcast
shutdown
!
interface TokenRing1
no ip address
no ip directed-broadcast
shutdown
!
router eigrp 100
passive-interface Ethernet0
network 2.0.0.0
network 10.0.0.0
no auto-summary
!
no ip classless
no ip http server
!
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
!
line con 0
transport input none
line aux 0
line vty 0 4
privilege level 15
no login
!
end
4500#sh crypto isakmp sa
dst src state conn-id slot
10.1.1.2 10.1.1.1 QM_IDLE 2 0
10.1.1.1 10.1.1.2 QM_IDLE 1 0
4500#sh crypto ipsec sa
interface: Ethernet1
Crypto map tag: to-7200, local addr. 10.1.1.2
local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
current_peer: 10.1.1.1
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest 7
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify 7
#send errors 2, #recv errors 0
local crypto endpt.: 10.1.1.2, remote crypto endpt.: 10.1.1.1
path mtu 1500, media mtu 1500
current outbound spi: 188913E4
inbound esp sas:
spi: 0x1DE00AA1(501222049)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: to-7200
sa timing: remaining key lifetime (k/sec): (4607999/3460)
IV size: 8 bytes
replay detection support: Y
spi: 0x26390240(641270336)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 5, crypto map: to-7200
sa timing: remaining key lifetime (k/sec): (4607999/3446)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
outbound esp sas:
spi: 0x188913E4(411636708)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: to-7200
sa timing: remaining key lifetime (k/sec): (4607999/3460)
IV size: 8 bytes
replay detection support: Y
spi: 0x3DA2019(64626713)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 6, crypto map: to-7200
sa timing: remaining key lifetime (k/sec): (4608000/3446)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
-----------------------------
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname C7200
!
boot system flash slot0:c7200-js56i-mz_120-5_T1.bin
boot bootldr bootflash:c7200-boot-mz_120-5_T1.bin
!
!
!
!
!
ip subnet-zero
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 10.1.1.2
!
!
crypto ipsec transform-set AAB esp-des esp-md5-hmac
!
!
crypto map to-4500 1 ipsec-isakmp
set peer 10.1.1.2
set transform-set AAB
match address 101
cns event-service server
!
!
!
process-max-time 200
!
interface FastEthernet0/0
no ip address
no ip directed-broadcast
shutdown
media-type MII
!
interface TokenRing1/0
no ip address
no ip directed-broadcast
shutdown
ring-speed 16
!
interface TokenRing1/1
no ip address
no ip directed-broadcast
shutdown
ring-speed 16
!
interface TokenRing1/2
no ip address
no ip directed-broadcast
shutdown
ring-speed 16
!
interface TokenRing1/3
no ip address
no ip directed-broadcast
shutdown
ring-speed 16
!
interface Serial2/0
no ip address
no ip directed-broadcast
shutdown
no fair-queue
!
interface Serial2/1
no ip address
no ip directed-broadcast
shutdown
!
interface Serial2/2
no ip address
no ip directed-broadcast
shutdown
!
interface Serial2/3
no ip address
no ip directed-broadcast
shutdown
!
interface Ethernet3/0
no ip address
shutdown
!
interface Ethernet3/1
ip address 10.1.1.1 255.255.255.0
no ip directed-broadcast
crypto map to-4500
!
interface Ethernet3/2
no ip address
no ip directed-broadcast
shutdown
!
interface Ethernet3/3
no ip address
no ip directed-broadcast
shutdown
!
interface Ethernet3/4
no ip address
no ip directed-broadcast
shutdown
!
interface Ethernet3/5
no ip address
no ip directed-broadcast
shutdown
!
interface Ethernet3/6
no ip address
no ip directed-broadcast
shutdown
!
interface Ethernet3/7
no ip address
no ip directed-broadcast
shutdown
!
router eigrp 100
passive-interface Ethernet3/0
network 10.0.0.0
!
no ip classless
no ip http server
!
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
!
line con 0
transport input none
line aux 0
line vty 0 4
privilege level 15
no login
!
!
end
C7200#sh crypto isakmp sa
dst src state conn-id slot
10.1.1.2 10.1.1.1 QM_IDLE 1 0
10.1.1.1 10.1.1.2 QM_IDLE 4 0
C7200#sh crypto ipsec sa
interface: Ethernet3/1
Crypto map tag: to-4500, local addr. 10.1.1.1
local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
current_peer: 10.1.1.2
PERMIT, flags={origin_is_acl,}
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest 8
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
#send errors 1, #recv errors 0
local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.1.1.2
path mtu 1500, media mtu 1500
current outbound spi: 26390240
inbound esp sas:
spi: 0x3DA2019(64626713)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 5, crypto map: to-4500
sa timing: remaining key lifetime (k/sec): (4607999/3341)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
outbound esp sas:
spi: 0x26390240(641270336)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 6, crypto map: to-4500
sa timing: remaining key lifetime (k/sec): (4607999/3341)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
C7200#sh crypto ipsec transform-set
Transform set AAB: { esp-des esp-md5-hmac }
will negotiate = { Tunnel, },
--
Kind Regards,
Michel Bijnsdorp, Network Systems Engineer
Lucent Technologies, NetCare Professional Services (formerly International Network Services (INS))
Hogehilweg 8, 1101 CC Amsterdam, The Netherlands
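An added example (editor's code, not from the post or from Cisco) that cross-checks the two "sh crypto ipsec sa" outputs above: every ESP SPI one router holds as outbound must exist as an inbound SA on the peer, and the "current outbound spi" must be one the peer can decrypt. QM_IDLE itself is the steady state of a completed IKE phase 1 SA; this check looks at phase 2 instead. The excerpts are copied from the post; the function names are the editor's.

```python
import re

# ESP SA excerpts from the post above (the 4500 first, then the C7200).
SA_4500 = """\
current outbound spi: 188913E4
inbound esp sas:
spi: 0x1DE00AA1(501222049)
spi: 0x26390240(641270336)
inbound ah sas:
outbound esp sas:
spi: 0x188913E4(411636708)
spi: 0x3DA2019(64626713)
"""
SA_7200 = """\
current outbound spi: 26390240
inbound esp sas:
spi: 0x3DA2019(64626713)
inbound ah sas:
outbound esp sas:
spi: 0x26390240(641270336)
"""

def parse_esp_spis(output):
    """Return (inbound SPIs, outbound SPIs, current outbound SPI) as ints."""
    inbound, outbound, current, section = set(), set(), None, None
    for line in output.splitlines():
        line = line.strip()
        m = re.match(r"current outbound spi:\s*([0-9A-Fa-f]+)", line)
        if m:
            current = int(m.group(1), 16)
        elif line.startswith("inbound esp sas"):
            section = inbound
        elif line.startswith("outbound esp sas"):
            section = outbound
        elif line.endswith("ah sas:"):
            section = None  # transform set AAB has no AH, so skip those blocks
        elif line.startswith("spi:") and section is not None:
            section.add(int(re.match(r"spi:\s*0x([0-9A-Fa-f]+)", line).group(1), 16))
    return inbound, outbound, current

def check_pairing(local, peer):
    """Every local outbound SPI must be a peer inbound SPI and vice versa.
    Returns (local SPIs the peer does not hold, whether the local current
    outbound SPI is an inbound SA on the peer)."""
    l_in, l_out, l_cur = parse_esp_spis(local)
    p_in, p_out, _ = parse_esp_spis(peer)
    return (l_out - p_in) | (l_in - p_out), l_cur in p_in
```

Run against the excerpts, the C7200's pair of SAs matches the 4500, while the 4500 still holds an older pair (0x188913E4 / 0x1DE00AA1) the C7200 no longer lists, and its current outbound SPI is one of them.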
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:22:46 GMT-3