From: Ken (cciecn@xxxxxxxxx)
Date: Fri Jan 28 2000 - 11:33:52 GMT-3
This means your config is fine
Ken
--- Michel Bijnsdorp <michel_bijnsdorp@ins.com> wrote:
> Hi wizards
>
> I built a simple encryption setup for the CCIE exam (see below) only the
> second part of the ISAKMP negotiation is going grow. If I perform a "sh crypto
> isakmp sa" then both end points are stuck in the QM-IDLE state (see also
> below). Can anyone tell me what I did wrong here.
>
> Thanks in advance
>
> Thanks.
>
>
> lb0:1.1.1.1/32                                  lb0:2.2.2.2/32
> 7200 E3/1-------------------------------------E1 4500
>      10.1.1.1/24                      10.1.1.2/24
>
> Current configuration:
> !
> version 12.0
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> service udp-small-servers
> service tcp-small-servers
> !
> hostname 4500
> !
> !
> !
> !
> !
> !
> ip subnet-zero
> !
> cns event-service server
> !
> !
> crypto isakmp policy 1
> authentication pre-share
> crypto isakmp key cisco address 10.1.1.1
> !
> !
> crypto ipsec transform-set AAB esp-des esp-md5-hmac
> !
> !
> crypto map to-7200 1 ipsec-isakmp
> set peer 10.1.1.1
> set transform-set AAB
> match address 101
> !
> !
> process-max-time 200
> !
> interface Loopback0
> ip address 2.2.2.2 255.255.255.255
> no ip directed-broadcast
> !
> interface Ethernet0
> no ip address
> shutdown
> !
> interface Ethernet1
> ip address 10.1.1.2 255.255.255.0
> no ip directed-broadcast
> media-type 10BaseT
> crypto map to-7200
> !
> interface Serial0
> no ip address
> no ip directed-broadcast
> no ip mroute-cache
> shutdown
> !
> interface Serial1
> no ip address
> no ip directed-broadcast
> shutdown
> !
> interface Serial2
> no ip address
> no ip directed-broadcast
> shutdown
> !
> interface Serial3
> no ip address
> no ip directed-broadcast
> shutdown
> !
> interface TokenRing0
> no ip address
> no ip directed-broadcast
> shutdown
> !
> interface TokenRing1
> no ip address
> no ip directed-broadcast
> shutdown
> !
> router eigrp 100
> passive-interface Ethernet0
> network 2.0.0.0
> network 10.0.0.0
> no auto-summary
> !
> no ip classless
> no ip http server
> !
> access-list 101 permit ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
> !
> !
> line con 0
> transport input none
> line aux 0
> line vty 0 4
> privilege level 15
> no login
> !
> end
>
>
> 4500#sh crypto isakmp sa
> dst             src             state          conn-id   slot
> 10.1.1.2        10.1.1.1        QM_IDLE              2      0
> 10.1.1.1        10.1.1.2        QM_IDLE              1      0
>
> 4500#sh crypto isakmp sa
>
> interface: Ethernet1
> Crypto map tag: to-7200, local addr. 10.1.1.2
>
>    local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
>    remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
>    current_peer: 10.1.1.1
>      PERMIT, flags={origin_is_acl,}
>     #pkts encaps: 7, #pkts encrypt: 7, #pkts digest 7
>     #pkts decaps: 7, #pkts decrypt: 7, #pkts verify 7
>     #send errors 2, #recv errors 0
>
>      local crypto endpt.: 10.1.1.2, remote crypto endpt.: 10.1.1.1
>      path mtu 1500, media mtu 1500
>      current outbound spi: 188913E4
>
>      inbound esp sas:
>       spi: 0x1DE00AA1(501222049)
>         transform: esp-des esp-md5-hmac ,
>         in use settings ={Tunnel, }
>         slot: 0, conn id: 3, crypto map: to-7200
>         sa timing: remaining key lifetime (k/sec): (4607999/3460)
>         IV size: 8 bytes
>         replay detection support: Y
>       spi: 0x26390240(641270336)
>         transform: esp-des esp-md5-hmac ,
>         in use settings ={Tunnel, }
>         slot: 0, conn id: 5, crypto map: to-7200
>         sa timing: remaining key lifetime (k/sec): (4607999/3446)
>         IV size: 8 bytes
>         replay detection support: Y
>
>
>      inbound ah sas:
>
>
>      outbound esp sas:
>       spi: 0x188913E4(411636708)
>         transform: esp-des esp-md5-hmac ,
>         in use settings ={Tunnel, }
>         slot: 0, conn id: 4, crypto map: to-7200
>         sa timing: remaining key lifetime (k/sec): (4607999/3460)
>         IV size: 8 bytes
>         replay detection support: Y
>       spi: 0x3DA2019(64626713)
>         transform: esp-des esp-md5-hmac ,
>         in use settings ={Tunnel, }
>         slot: 0, conn id: 6, crypto map: to-7200
>         sa timing: remaining key lifetime (k/sec): (4608000/3446)
>         IV size: 8 bytes
>         replay detection support: Y
>
>
> outbound ah sas:
>
>
=== message truncated ===
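As an added illustration of the verdict in this thread (not code from either poster): QM_IDLE is the steady state an ISAKMP SA sits in once phase 1 has completed, so the thing to check next is the "show crypto ipsec sa" output, where matching encaps/decaps counters and an ESP SA in each direction confirm phase 2 is up and traffic flows both ways. The script below parses the two outputs quoted above (copied into constructed sample strings) and reports only the conditions that would actually indicate a broken tunnel; the function names are my own.

```python
import re

# Constructed sample output, modelled on the post's "show crypto isakmp sa" table and
# (trimmed) "show crypto ipsec sa" output; the values are copied from the post, not live.
ISAKMP_SA_OUTPUT = """\
dst             src             state          conn-id   slot
10.1.1.2        10.1.1.1        QM_IDLE              2      0
10.1.1.1        10.1.1.2        QM_IDLE              1      0
"""
IPSEC_SA_OUTPUT = """\
interface: Ethernet1
   Crypto map tag: to-7200, local addr. 10.1.1.2
    #pkts encaps: 7, #pkts encrypt: 7, #pkts digest 7
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify 7
    #send errors 2, #recv errors 0
    inbound esp sas:
     spi: 0x1DE00AA1(501222049)
     spi: 0x26390240(641270336)
    outbound esp sas:
     spi: 0x188913E4(411636708)
     spi: 0x3DA2019(64626713)
"""

def parse_isakmp_sa(text):
    # (dst, src, state) per row; the first line is the column header
    return [tuple(l.split()[:3]) for l in text.splitlines()[1:] if len(l.split()) >= 3]

def parse_ipsec_sa(text):
    # packet counters, send errors and the number of ESP SAs in each direction
    info = {k: int(v) for k, v in re.findall(r"#pkts (encaps|decaps): (\d+)", text)}
    m = re.search(r"#send errors (\d+)", text)
    info["send_errors"] = int(m.group(1)) if m else 0
    for direction in ("inbound", "outbound"):
        sec = re.search(direction + r" esp sas:(.*?)(?=\n\s*\w+ esp sas:|\Z)", text, re.S)
        info[direction + "_spis"] = len(re.findall(r"spi: 0x", sec.group(1))) if sec else 0
    return info

def diagnose(isakmp_text, ipsec_text):
    # Empty list = phase 1 done (QM_IDLE), phase 2 SAs present, traffic flows both ways
    findings = []
    if not any(row[2] == "QM_IDLE" for row in parse_isakmp_sa(isakmp_text)):
        findings.append("no ISAKMP SA in QM_IDLE: phase 1 has not completed")
    sa = parse_ipsec_sa(ipsec_text)
    if sa["inbound_spis"] == 0 or sa["outbound_spis"] == 0:
        findings.append("missing inbound or outbound ESP SA: phase 2 has not completed")
    elif sa.get("encaps", 0) > 0 and sa.get("decaps", 0) == 0:
        findings.append("packets encapsulated but none decapsulated: one-way traffic")
    return findings
```

Run against the quoted output, diagnose() returns no findings, which is the same conclusion Ken gives; a peer stuck in MM_NO_STATE or a tunnel with encaps but zero decaps would be flagged instead.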
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:22:46 GMT-3