RE: IPSec

From: Alan Basinger (abasinge@xxxxxxxxxx)
Date: Sat Feb 10 2001 - 14:16:19 GMT-3


Have been reviewing IPSec and tunnels with IKE. I created a tunnel across my
ATM and then applied IPSec to the tunnel. When I try to ping, it looks as if
it makes it past phase 1 negotiation but not phase 2. I have included a
copy of the config and the debug of isakmp at the failure.

Alan

r6#r
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r6
!
logging buffered 4096 debugging
enable secret 5 $1$GAxn$NQDQomSVw0/MZdzhirlXE/
!
!
!
!
!
ip subnet-zero
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
ipx routing 0006.0006.0006
ipx internal-network 66666666
cns event-service server
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key test address 11.11.11.2
!
!
crypto ipsec transform-set cisco esp-des
crypto ipsec transform-set ccie ah-md5-hmac esp-des
!
!
crypto map test 1 ipsec-isakmp
 set peer 11.11.11.2
 set transform-set cisco ccie
 match address 101
!
!
!
!
!
!
interface Loopback0
 ip address 172.30.6.6 255.255.255.0
 no ip directed-broadcast
 ipx network 30006
 ipx type-20-propagation
!
interface Tunnel0
 ip address 11.11.11.1 255.255.255.0
 no ip directed-broadcast
 tunnel source 172.30.200.6
 tunnel destination 172.30.200.9
 crypto map test
!
interface Ethernet0/0
 ip address 172.30.104.6 255.255.255.0
 no ip directed-broadcast
 ip mobile arp access-group 1
 ip ospf authentication-key lab
 ipx input-sap-filter ipx-saps
 ipx network 30104
 ipx output-gns-filter ipx-saps
 ipx type-20-propagation
 bridge-group 1
!
interface Serial0/0
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 shutdown
 no fair-queue
!
interface Hssi1/0
 no ip address
 no ip directed-broadcast
 shutdown
!
interface ATM2/0
 ip address 172.30.200.6 255.255.255.0
 no ip directed-broadcast
 atm clock INTERNAL
 no atm ilmi-keepalive
 pvc 0/35
  protocol ip 172.30.200.9 broadcast
  encapsulation aal5snap
 !
!
router ospf 6
 area 2 authentication
 area 2 range 172.30.2.0 255.255.255.0
 area 2 range 172.30.6.0 255.255.255.0
 area 2 range 172.30.104.0 255.255.255.0
 area 2 range 172.30.112.0 255.255.255.0
 area 2 range 172.30.120.0 255.255.255.0
 redistribute mobile metric 10 subnets
 redistribute rip metric 150 subnets tag 100 route-map rip-in
 network 172.30.2.0 0.0.0.255 area 2
 network 172.30.6.0 0.0.0.255 area 2
 network 172.30.104.0 0.0.0.255 area 2
 network 172.30.112.0 0.0.0.255 area 2
 network 172.30.120.0 0.0.0.255 area 2
!
router rip
 redistribute ospf 6 metric 4 route-map ospf-in
 passive-interface Ethernet0/0
 network 172.30.0.0
!
ip classless
no ip http server
!
!
ip access-list standard ospf-in
 permit any
ip access-list standard rip-in
 permit 172.30.200.0 0.0.0.255
 permit 192.168.9.0 0.0.0.255
 permit 192.168.99.0 0.0.0.255
access-list 1 permit 192.168.192.0 0.0.0.255
access-list 101 permit ip any any log
route-map ospf-in permit 10
 match ip address ospf-in
!
route-map rip-in permit 10
 match ip address rip-in
!
!
!
!
ipx sap 7 pserver6 30006.0000.0000.0001 5000 1
!
!
ipx access-list sap ipx-saps
 deny 8 4
 deny FFFFFFFF 4
 deny FFFFFFFF 7 pserver1
 permit FFFFFFFF
bridge 1 protocol ieee
alias exec s show ip route
alias exec sx sh ipx route
alias exec so sh ip ospf
alias exec son sh ip ospf nei
alias exec sb sh ip bgp
alias exec sbn sh ip bgp nei
alias exec w wr mem
alias exec r sh run
alias exec u undebug all
alias exec ct config t
alias exec cb clear ip bgp *
alias exec c clear ip route *
!
line con 0
 exec-timeout 0 0
 privilege level 15
 password cisco
 length 42
 transport input none
line aux 0
 exec-timeout 0 0
 script dialer myscript
 modem Host
 transport input all
 speed 38400
 flowcontrol hardware
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 password cisco
 no login
 length 42
!
end

r6#

Current configuration : 2201 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r9
!
logging buffered 4096 debugging
enable secret 5 $1$aO36$vrM6j7a1SdHlAMCXHKw5//
!
!
!
!
!
ip subnet-zero
no ip finger
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key test address 11.11.11.1
!
!
crypto ipsec transform-set cisco esp-des
crypto ipsec transform-set ccie ah-md5-hmac esp-des
!
crypto map test 1 ipsec-isakmp
 set peer 11.11.11.1
 set transform-set cisco ccie
 match address 101
!
!
!
!
voice-port 0/0/0
 connection plar 5555
!
voice-port 0/0/1
 connection plar 5500
!
voice-port 0/1/0
!
voice-port 0/1/1
!
voice class codec 1
 codec preference 1 g728
!
!
dial-peer voice 1 pots
 destination-pattern ....
 port 0/0/0
!
dial-peer voice 2 pots
 destination-pattern ....
 port 0/0/1
!
dial-peer voice 3 voip
 destination-pattern 5500
 session target ipv4:172.30.5.5
!
dial-peer voice 4 voip
 destination-pattern 5555
 codec g711ulaw
 session target ipv4:172.30.5.5
!
!
interface Tunnel0
 ip address 11.11.11.2 255.255.255.0
 tunnel source 172.30.200.9
 tunnel destination 172.30.200.6
 crypto map test
!
interface ATM1/0
 ip address 172.30.200.9 255.255.255.0
 no atm ilmi-keepalive
 pvc 0/35
  protocol ip 172.30.200.6 broadcast
  encapsulation aal5snap
 !
!
router rip
 network 172.30.0.0
 network 192.168.9.0
 network 192.168.99.0
 network 192.168.199.0
!
ip classless
ip http server
!
access-list 101 permit ip any any log
!
!
alias exec s show ip route
alias exec sx sh ipx route
alias exec so sh ip ospf
alias exec son sh ip ospf nei
alias exec sb sh ip bgp
alias exec sbn sh ip bgp nei
alias exec w wr mem
alias exec r sh run
alias exec u undebug all
alias exec ct config t
alias exec cb clear ip bgp *
alias exec c clear ip route *
!
line con 0
 exec-timeout 0 0
 privilege level 15
 password cisco
 length 42
 transport input none
line aux 0
 exec-timeout 0 0
 script dialer myscript
 modem Host
 transport input all
 speed 38400
 flowcontrol hardware
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 password cisco
 no login
 length 42
!
end

r9#

00:28:15: ISAKMP (0:1): beginning Main Mode exchange
00:28:15: ISAKMP (1): sending packet to 11.11.11.2 (I) MM_NO_STATE
00:28:15: ISAKMP (1): received packet from 11.11.11.2 (I) MM_NO_STATE
00:28:15: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 11.11.11.2
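As an added example, not code from the post or from Cisco: a small Python parser over the posted `debug crypto isakmp` lines that reports the furthest ISAKMP main-mode state the exchange reached and any IKMP_MODE_FAILURE it logged, which is what actually tells you whether phase 1 completed (QM_IDLE) before looking at phase 2. The state names are the standard IOS ISAKMP states; the sample input is the post's own debug with the wrapped syslog line rejoined.

```python
import re
from dataclasses import dataclass, field

# Cisco IOS ISAKMP main-mode states in the order a successful phase 1 passes
# through them; QM_IDLE means phase 1 is done and quick mode (phase 2) may start.
MM_STATE_ORDER = ["MM_NO_STATE", "MM_SA_SETUP", "MM_KEY_EXCH", "MM_KEY_AUTH", "QM_IDLE"]

PACKET_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d): ISAKMP \([\d:]+\): "
    r"(?:sending packet to|received packet from) (?P<peer>[\d.]+) "
    r"\((?P<role>[IR])\) (?P<state>[A-Z_]+)$"
)
FAILURE_RE = re.compile(
    r"%CRYPTO-\d-IKMP_MODE_FAILURE: Processing of (?P<mode>\w+) mode "
    r"failed with peer at (?P<peer>[\d.]+)"
)

@dataclass
class IkeVerdict:
    peer: str = ""              # last peer address seen in a packet line
    furthest_state: str = ""    # highest main-mode state reached, "" if none
    phase1_complete: bool = False
    failures: list = field(default_factory=list)

def assess_isakmp_debug(lines):
    """Walk 'debug crypto isakmp' output and report how far IKE got with the peer."""
    verdict = IkeVerdict()
    best = -1
    for line in lines:
        m = PACKET_RE.match(line.strip())
        if m:
            verdict.peer = m.group("peer")
            if m.group("state") in MM_STATE_ORDER:
                best = max(best, MM_STATE_ORDER.index(m.group("state")))
            continue
        f = FAILURE_RE.search(line)
        if f:
            verdict.failures.append(f"{f.group('mode')} mode failed with {f.group('peer')}")
    if best >= 0:
        verdict.furthest_state = MM_STATE_ORDER[best]
        verdict.phase1_complete = verdict.furthest_state == "QM_IDLE"
    return verdict

# The debug lines from the post, with the wrapped syslog line rejoined.
POSTED_DEBUG = [
    "00:28:15: ISAKMP (0:1): beginning Main Mode exchange",
    "00:28:15: ISAKMP (1): sending packet to 11.11.11.2 (I) MM_NO_STATE",
    "00:28:15: ISAKMP (1): received packet from 11.11.11.2 (I) MM_NO_STATE",
    "00:28:15: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 11.11.11.2",
]
```

Run on the posted trace it reports MM_NO_STATE as the furthest state with an Informational-mode failure, i.e. main mode never advanced, so there is no phase 1 SA for quick mode to run under.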



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:44 GMT-3