From: Padhu@xxxxxxxxxxxx
Date: Wed Aug 09 2000 - 14:53:59 GMT-3
I am trying this and it isn't working for me... My first time, so obviously I am overlooking something. Can anyone take a look at the config and comment on it? Thanks.
I have defined telnet to be the only traffic interesting for encryption.
Cheers, Padhu
<<ipsec.TXT>> <<ipsecdebug.TXT>>
sh run
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R5
!
enable password cisco
!
username R6 password 0 cisco
username spokerouter password 0 cisco
ip subnet-zero
no ip domain-lookup
isdn switch-type basic-ni
!
!
crypto isakmp policy 5
authentication pre-share
crypto isakmp key cisco address 172.168.100.6
!
crypto ipsec transform-set r5 ah-md5-hmac esp-des
!
!
crypto key pubkey-chain dss
named-key spoke signature
serial-number 01515266
key-string
0E91F584 0E1DEACF FEED04FE C4DBCC2F 34D441E2 4666B846 9E910389 D6A0FE56
4554B9DB 04A9B1AB D378C6AC 398F821D F6E412B1 55B6A7B9 102C6545 1A783C5D
quit
!
crypto map vpnfromr5-r6 10 ipsec-isakmp
set peer 172.168.100.6
set transform-set r5
match address 105
!
!
!
interface Ethernet0
ip address 137.20.20.10 255.255.255.0
no ip directed-broadcast
ip ospf cost 1
no keepalive
!
interface Serial0
no ip address
no ip directed-broadcast
encapsulation frame-relay
no ip mroute-cache
frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
ip address 172.168.200.1 255.255.255.0
no ip directed-broadcast
frame-relay interface-dlci 504
!
interface Serial0.2 multipoint
ip address 172.168.100.5 255.255.255.0
no ip directed-broadcast
ip ospf network point-to-multipoint
ip ospf interface-retry 0
frame-relay map ip 172.168.100.3 503 broadcast
frame-relay map ip 172.168.100.6 506 broadcast
crypto map vpnfromr5-r6
!
interface Serial1
no ip address
no ip directed-broadcast
shutdown
!
interface BRI0
ip address 172.168.65.2 255.255.255.0
ip directed-broadcast
encapsulation ppp
ip ospf interface-retry 0
dialer idle-timeout 300
dialer-group 1
isdn switch-type basic-ni
isdn spid1 xxxxxxxxxxxxxxxxxxx
isdn spid2 xxxxxxxxxxxxxxxxxxxx
ppp authentication pap
ppp pap sent-username hubrouter password 7 104D000A0618
!
router ospf 100
area 10 virtual-link 172.168.30.97
redistribute igrp 100 metric 20 metric-type 1 subnets
network 2.2.2.2 0.0.0.0 area 10
network 137.20.20.10 0.0.0.0 area 0
network 172.168.65.2 0.0.0.0 area 10
network 172.168.100.5 0.0.0.0 area 10
!
router igrp 100
redistribute ospf 100 metric 10000 100 255 1 1500
passive-interface Ethernet0
passive-interface Serial0.2
network 137.20.0.0
network 172.168.0.0
!
ip classless
!
access-list 1 permit 172.168.200.0 0.0.0.255
access-list 1 permit 172.168.40.0 0.0.0.255
access-list 101 permit ip any any
access-list 103 permit tcp any any eq telnet log
access-list 105 permit tcp any any eq telnet log
access-list 110 permit ip any any log
access-list 110 permit gre any any log
dialer-list 1 protocol ip list 103
!
line con 0
privilege level 15
password cisco
transport input none
line aux 0
line vty 0 4
password cisco
no login
!
end
R5#^x
frswitch1#r6
Trying R6 (1.1.1.1, 2002)... Open
This is the terminal server connection to the lab network
R6#sh run
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R6
!
!
username hubrouter password 0 cisco
ip subnet-zero
no ip domain-lookup
isdn switch-type basic-ni
!
!
crypto isakmp policy 6
authentication pre-share
crypto isakmp key cisco address 172.168.100.5
!
!
crypto ipsec transform-set r6 esp-des esp-md5-hmac
!
crypto key pubkey-chain dss
named-key hub signature
serial-number 01514874
key-string
3BA44294 953E34DC 586DC9BC 78A0255D 2C5A4D77 E6FD0C2D 9228F8EF 2D976AAA
D00B7FB8 927FE25F E26D3528 2C7DF793 65BA8724 66F73485 0082AD70 6E40D682
quit
!
crypto map vpnfromr6-r3 10 ipsec-isakmp
set peer 172.168.100.5
set transform-set r6
match address 106
!
!
!
interface Loopback10
ip address 10.6.1.1 255.255.255.0
no ip directed-broadcast
!
interface Ethernet0
ip address 172.168.60.1 255.255.255.0
no ip directed-broadcast
ip ospf interface-retry 0
no keepalive
!
interface Serial0
ip address 172.168.100.6 255.255.255.0
no ip directed-broadcast
encapsulation frame-relay
ip ospf network point-to-multipoint
ip ospf interface-retry 0
no ip mroute-cache
frame-relay map ip 172.168.100.5 605 broadcast
frame-relay lmi-type ansi
crypto map vpnfromr6-r3
!
interface Serial1
no ip address
no ip directed-broadcast
shutdown
!
interface BRI0
ip address 172.168.65.1 255.255.255.0
ip directed-broadcast
encapsulation ppp
ip ospf interface-retry 0
dialer idle-timeout 300
dialer map ip 172.168.65.2 name R5 broadcast xxxxxxxxx
dialer load-threshold 5 either
dialer-group 2
isdn switch-type basic-ni
isdn spid1 xxxxxxxxxxxxxxxxxxxxxxx
isdn spid2 xxxxxxxxxxxxxxxxxxxxxxx
ppp authentication pap
ppp pap sent-username spokerouter password 7 110A1016141D
!
router ospf 100
router-id 172.168.100.6
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 10
network 172.168.60.1 0.0.0.0 area 10
network 172.168.65.1 0.0.0.0 area 10
network 172.168.100.6 0.0.0.0 area 10
!
ip classless
!
access-list 101 permit icmp any any log
access-list 101 permit ip any any
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq telnet log
access-list 102 permit tcp any any eq telnet log
access-list 106 permit tcp any any eq telnet
access-list 110 permit ip any any log
access-list 110 permit gre any any log
dialer-list 1 protocol ip list 101
dialer-list 2 protocol ip list 102
!
!
line con 0
privilege level 15
transport input none
line aux 0
line vty 0 4
login
!
end
R6#
R6#
R6#telnet 172.168.100.5
Trying 172.168.100.5 ...
00:34:53: %SEC-6-IPACCESSLOGP: list 106 permitted tcp 172.168.100.6(11005) -> 172.168.100.5(23), 1 packet
00:34:53: IPSEC(sa_request): ,
(key eng. msg.) src= 172.168.100.6, dest= 172.168.100.5,
src_proxy= 172.168.100.0/255.255.255.0/6/0 (type=4),
dest_proxy= 172.168.100.0/255.255.255.0/6/23 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
00:34:53: ISAKMP (6): beginning Main Mode exchange
00:34:53: ISAKMP (6): sending packet to 172.168.100.5 (I) MM_NO_STATE
00:34:55: ISAKMP (6): received packet from 172.168.100.5 (I) MM_NO_STATE
00:34:55: ISAKMP (6): processing SA payload. message ID = 0
00:34:55: ISAKMP (6): Checking ISAKMP transform 1 against priority 6 policy
00:34:55: ISAKMP: encryption DES-CBC
00:34:55: ISAKMP: hash SHA
00:34:55: ISAKMP: default group 1
00:34:55: ISAKMP: auth pre-share
00:34:55: ISAKMP (6): atts are acceptable. Next payload is 0
00:34:56: ISAKMP (6): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
00:34:56: ISAKMP (6): sending packet to 172.168.100.5 (I) MM_SA_SETUP
00:34:58: ISAKMP (6): received packet from 172.168.100.5 (I) MM_SA_SETUP
00:34:58: ISAKMP (6): processing KE payload. message ID = 0
00:35:00: ISAKMP (6): processing NONCE payload. message ID = 0
00:35:00: ISAKMP (6): SKEYID state generated
00:35:00: ISAKMP (6): processing vendor id payload
00:35:00: ISAKMP (6): speaking to another IOS box!
00:35:00: ISAKMP (6): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
00:35:00: ISAKMP (6): Total payload length: 12
00:35:00: ISAKMP (6): sending packet to 172.168.100.5 (I) MM_KEY_EXCH
00:35:00: ISAKMP (6): received packet from 172.168.100.5 (I) MM_KEY_EXCH
00:35:01: ISAKMP (6): processing ID payload. message ID = 0
00:35:01: ISAKMP (6): processing HASH payload. message ID = 0
00:35:01: ISAKMP (6): SA has been authenticated with 172.168.100.5
00:35:01: ISAKMP (6): beginning Quick Mode exchange, M-ID of 956094930
00:35:01: IPSEC(key_engine): got a queue event...
00:35:01: IPSEC(spi_response): getting spi 231933837 for SA
from 172.168.100.5 to 172.168.100.6 for prot 3
00:35:01: ISAKMP (6): sending packet to 172.168.100.5 (I) QM_IDLE
00:35:01: ISAKMP (6): received packet from 172.168.100.5 (I) QM_IDLE
00:35:01: ISAKMP (6): processing NOTIFY payload 14 protocol 0
spi 0, message ID = -2032582486
00:35:01: IPSEC(key_engine): got a queue event...
00:35:01: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
00:35:01: IPSEC(key_engine_delete_sas): delete all SAs shared with 172.168.100.5
00:35:16: ISAKMP (6): retransmitting phase 2...
00:35:16: ISAKMP (6): sending packet to 172.168.100.5 (I) QM_IDLE
00:35:16: ISAKMP (6): received packet from 172.168.100.5 (I) QM_IDLE
00:35:16: ISAKMP (6): processing NOTIFY payload 14 protocol 0
spi 0, message ID = -1367606663
00:35:16: IPSEC(key_engine): got a queue event...
00:35:16: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
00:35:16: IPSEC(key_engine_delete_sas): delete all SAs shared with 172.168.100.5
% Connection timed out; remote host not responding
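The debug above shows phase 1 authenticating with 172.168.100.5 and quick mode then failing with NOTIFY payload 14, which ISAKMP defines as NO-PROPOSAL-CHOSEN; in the posted configs R5 offers transform set r5 (ah-md5-hmac esp-des) while R6 offers r6 (esp-des esp-md5-hmac). The following is an added example, not part of the post: it parses transform sets and crypto map entries from both routers' show run text (constructed excerpts of the configs above) and reports which sets the two peers could actually agree on.

```python
import re

# Constructed excerpts of the R5 and R6 configurations posted above.
R5_CFG = """crypto ipsec transform-set r5 ah-md5-hmac esp-des
crypto map vpnfromr5-r6 10 ipsec-isakmp
set peer 172.168.100.6
set transform-set r5
!
"""
R6_CFG = """crypto ipsec transform-set r6 esp-des esp-md5-hmac
crypto map vpnfromr6-r3 10 ipsec-isakmp
set peer 172.168.100.5
set transform-set r6
!
"""

def parse_transform_sets(cfg):
    """{name: frozenset(transforms)} for each 'crypto ipsec transform-set' line."""
    return {m.group(1): frozenset(m.group(2).split())
            for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M)}

def parse_crypto_maps(cfg):
    """[{peer, tsets}] per ipsec-isakmp crypto map entry; tolerates unindented sub-commands."""
    maps, cur = [], None
    for line in cfg.splitlines():
        if re.match(r"crypto map \S+ \d+ ipsec-isakmp", line):
            cur = {"peer": None, "tsets": []}
            maps.append(cur)
            continue
        words = line.split()
        if cur is None or not words:
            continue
        if words[:2] == ["set", "peer"]:
            cur["peer"] = words[2]
        elif words[:2] == ["set", "transform-set"]:
            cur["tsets"].extend(words[2:])
        elif words[0] not in ("set", "match"):
            cur = None  # any other top-level command ends the map entry
    return maps

def compatible_sets(local_cfg, local_ip, remote_cfg, remote_ip):
    """Transform sets both peers offer each other. Quick mode needs one exact match
    (same protocols and algorithms), else the responder sends NO-PROPOSAL-CHOSEN
    (ISAKMP notify type 14) and no IPsec SA is built."""
    def offered(cfg, peer):
        tsets = parse_transform_sets(cfg)
        return [tsets[n] for cm in parse_crypto_maps(cfg) if cm["peer"] == peer
                for n in cm["tsets"] if n in tsets]
    return [s for s in offered(local_cfg, remote_ip) if s in offered(remote_cfg, local_ip)]
```

Running compatible_sets(R5_CFG, "172.168.100.5", R6_CFG, "172.168.100.6") on the posted configs returns an empty list; it becomes non-empty once both sides name the same AH/ESP transforms.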
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:24:23 GMT-3