Re: IPSec

From: Kevin Baumgartner (kbaumgar@xxxxxxxxx)
Date: Sat Feb 10 2001 - 15:04:50 GMT-3


 So I believe the peer ip addresses you are using for isakmp and ipsec are
wrong. It should be the destination address of the tunnel, i.e. 172.30.200.9

 Also I would add the crypto map to the interface the tunnel is going
across. I have seen that this is required for IPSEC to work.

 See below for changes required.

 Also make the required changes to the other router and it should work.

 Kevin

>
> Have been reviewing IPSec and tunnels with IKE. I created a tunnel across my
> ATM and then applied IPSec to the tunnel when I try to ping it looks as if
> it makes it past phase 1 negotiation but not phase 2 ?? I have included a
> copy of the config and the debug of isakmp at the failure?
>
> Alan
>
>
>
> r6#r
> Building configuration...
>
> Current configuration:
> !
> version 12.0
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname r6
> !
> logging buffered 4096 debugging
> enable secret 5 $1$GAxn$NQDQomSVw0/MZdzhirlXE/
> !
> !
> !
> !
> !
> ip subnet-zero
> no ip domain-lookup
> !
> ip audit notify log
> ip audit po max-events 100
> ipx routing 0006.0006.0006
> ipx internal-network 66666666
> cns event-service server
> !
> !
> crypto isakmp policy 1
> hash md5
> authentication pre-share
> crypto isakmp key test address 11.11.11.2

  crypto isakmp key test address 172.30.200.9

> !
> !
> crypto ipsec transform-set cisco esp-des
> crypto ipsec transform-set ccie ah-md5-hmac esp-des
> !
> !
> crypto map test 1 ipsec-isakmp
> set peer 11.11.11.2

   set peer 172.30.200.9

> set transform-set cisco ccie
> match address 101
> !
> !
> !
> !
> !
> !
> interface Loopback0
> ip address 172.30.6.6 255.255.255.0
> no ip directed-broadcast
> ipx network 30006
> ipx type-20-propagation
> !
> interface Tunnel0
> ip address 11.11.11.1 255.255.255.0
> no ip directed-broadcast
> tunnel source 172.30.200.6
> tunnel destination 172.30.200.9
> crypto map test
> !
> interface Ethernet0/0
> ip address 172.30.104.6 255.255.255.0
> no ip directed-broadcast
> ip mobile arp access-group 1
> ip ospf authentication-key lab
> ipx input-sap-filter ipx-saps
> ipx network 30104
> ipx output-gns-filter ipx-saps
> ipx type-20-propagation
> bridge-group 1
> !
> interface Serial0/0
> no ip address
> no ip directed-broadcast
> no ip mroute-cache
> shutdown
> no fair-queue
> !
> interface Hssi1/0
> no ip address
> no ip directed-broadcast
> shutdown
> !
> interface ATM2/0
> ip address 172.30.200.6 255.255.255.0
> no ip directed-broadcast

   crypto map test

> atm clock INTERNAL
> no atm ilmi-keepalive
> pvc 0/35
> protocol ip 172.30.200.9 broadcast
> encapsulation aal5snap
> !
> !
> router ospf 6
> area 2 authentication
> area 2 range 172.30.2.0 255.255.255.0
> area 2 range 172.30.6.0 255.255.255.0
> area 2 range 172.30.104.0 255.255.255.0
> area 2 range 172.30.112.0 255.255.255.0
> area 2 range 172.30.120.0 255.255.255.0
> redistribute mobile metric 10 subnets
> redistribute rip metric 150 subnets tag 100 route-map rip-in
> network 172.30.2.0 0.0.0.255 area 2
> network 172.30.6.0 0.0.0.255 area 2
> network 172.30.104.0 0.0.0.255 area 2
> network 172.30.112.0 0.0.0.255 area 2
> network 172.30.120.0 0.0.0.255 area 2
> !
> router rip
> redistribute ospf 6 metric 4 route-map ospf-in
> passive-interface Ethernet0/0
> network 172.30.0.0
> !
> ip classless
> no ip http server
> !
> !
> ip access-list standard ospf-in
> permit any
> ip access-list standard rip-in
> permit 172.30.200.0 0.0.0.255
> permit 192.168.9.0 0.0.0.255
> permit 192.168.99.0 0.0.0.255
> access-list 1 permit 192.168.192.0 0.0.0.255
> access-list 101 permit ip any any log
> route-map ospf-in permit 10
> match ip address ospf-in
> !
> route-map rip-in permit 10
> match ip address rip-in
> !
> !
> !
> !
> ipx sap 7 pserver6 30006.0000.0000.0001 5000 1
> !
> !
> ipx access-list sap ipx-saps
> deny 8 4
> deny FFFFFFFF 4
> deny FFFFFFFF 7 pserver1
> permit FFFFFFFF
> bridge 1 protocol ieee
> alias exec s show ip route
> alias exec sx sh ipx route
> alias exec so sh ip ospf
> alias exec son sh ip ospf nei
> alias exec sb sh ip bgp
> alias exec sbn sh ip bgp nei
> alias exec w wr mem
> alias exec r sh run
> alias exec u undebug all
> alias exec ct config t
> alias exec cb clear ip bgp *
> alias exec c clear ip route *
> !
> line con 0
> exec-timeout 0 0
> privilege level 15
> password cisco
> length 42
> transport input none
> line aux 0
> exec-timeout 0 0
> script dialer myscript
> modem Host
> transport input all
> speed 38400
> flowcontrol hardware
> line vty 0 4
> exec-timeout 0 0
> privilege level 15
> password cisco
> no login
> length 42
> !
> end
>
> r6#
>
>
> Current configuration : 2201 bytes
> !
> version 12.1
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname r9
> !
> logging buffered 4096 debugging
> enable secret 5 $1$aO36$vrM6j7a1SdHlAMCXHKw5//
> !
> !
> !
> !
> !
> ip subnet-zero
> no ip finger
> no ip domain-lookup
> !
> ip audit notify log
> ip audit po max-events 100
> !
> !
> crypto isakmp policy 1
> hash md5
> authentication pre-share
> crypto isakmp key test address 11.11.11.1
> !
> !
> crypto ipsec transform-set cisco esp-des
> crypto ipsec transform-set ccie ah-md5-hmac esp-des
> !
> crypto map test 1 ipsec-isakmp
> set peer 11.11.11.1
> set transform-set cisco ccie
> match address 101
> !
> !
> !
> !
> voice-port 0/0/0
> connection plar 5555
> !
> voice-port 0/0/1
> connection plar 5500
> !
> voice-port 0/1/0
> !
> voice-port 0/1/1
> !
> voice class codec 1
> codec preference 1 g728
> !
> !
> dial-peer voice 1 pots
> destination-pattern ....
> port 0/0/0
> !
> dial-peer voice 2 pots
> destination-pattern ....
> port 0/0/1
> !
> dial-peer voice 3 voip
> destination-pattern 5500
> session target ipv4:172.30.5.5
> !
> dial-peer voice 4 voip
> destination-pattern 5555
> codec g711ulaw
> session target ipv4:172.30.5.5
> !
> !
> interface Tunnel0
> ip address 11.11.11.2 255.255.255.0
> tunnel source 172.30.200.9
> tunnel destination 172.30.200.6
> crypto map test
> !
> interface ATM1/0
> ip address 172.30.200.9 255.255.255.0
> no atm ilmi-keepalive
> pvc 0/35
> protocol ip 172.30.200.6 broadcast
> encapsulation aal5snap
> !
> !
> router rip
> network 172.30.0.0
> network 192.168.9.0
> network 192.168.99.0
> network 192.168.199.0
> !
> ip classless
> ip http server
> !
> access-list 101 permit ip any any log
> !
> !
> alias exec s show ip route
> alias exec sx sh ipx route
> alias exec so sh ip ospf
> alias exec son sh ip ospf nei
> alias exec sb sh ip bgp
> alias exec sbn sh ip bgp nei
> alias exec w wr mem
> alias exec r sh run
> alias exec u undebug all
> alias exec ct config t
> alias exec cb clear ip bgp *
> alias exec c clear ip route *
> !
> line con 0
> exec-timeout 0 0
> privilege level 15
> password cisco
> length 42
> transport input none
> line aux 0
> exec-timeout 0 0
> script dialer myscript
> modem Host
> transport input all
> speed 38400
> flowcontrol hardware
> line vty 0 4
> exec-timeout 0 0
> privilege level 15
> password cisco
> no login
> length 42
> !
> end
>
> r9#
>
>
>
> 00:28:15: ISAKMP (0:1): beginning Main Mode exchange
> 00:28:15: ISAKMP (1): sending packet to 11.11.11.2 (I) MM_NO_STATE
> 00:28:15: ISAKMP (1): received packet from 11.11.11.2 (I) MM_NO_STATE
> 00:28:15: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 11.11.11.2
>
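The three changes suggested in the reply (ISAKMP key address and `set peer` pointing at the tunnel destination rather than the tunnel's own subnet, and the crypto map applied to the physical interface that carries the tunnel) can be turned into a configuration check. The script below is an added example, not code from the thread or from Cisco: it parses a trimmed copy of the r6 config constructed from the one quoted above, and reports where the ISAKMP key, the crypto map peer and the crypto map placement disagree with the tunnel endpoints. The parsing rules and the sample text are assumptions made for this example; the same checks run clean once the suggested changes are applied.

```python
"""Lint an IOS-style config for IPsec-over-tunnel peer/key/map mismatches."""
import re

# Constructed sample, trimmed from the r6 config quoted in the thread: the
# ISAKMP key and the crypto map peer use the tunnel subnet (11.11.11.2) and
# the crypto map is applied only to Tunnel0, not to ATM2/0.
SAMPLE_R6 = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key test address 11.11.11.2
!
crypto map test 1 ipsec-isakmp
 set peer 11.11.11.2
 set transform-set cisco ccie
 match address 101
!
interface Tunnel0
 ip address 11.11.11.1 255.255.255.0
 tunnel source 172.30.200.6
 tunnel destination 172.30.200.9
 crypto map test
!
interface ATM2/0
 ip address 172.30.200.6 255.255.255.0
!
"""

# The same sample with the reply's suggested changes applied (constructed).
SAMPLE_R6_FIXED = SAMPLE_R6.replace("11.11.11.2", "172.30.200.9").replace(
    "interface ATM2/0\n ip address 172.30.200.6 255.255.255.0\n",
    "interface ATM2/0\n ip address 172.30.200.6 255.255.255.0\n crypto map test\n",
)


def parse(config):
    """Collect ISAKMP key addresses, crypto map peers and interface attributes."""
    keys = set()          # addresses from 'crypto isakmp key ... address X'
    maps = {}             # crypto map name -> set of 'set peer' addresses
    intfs = {}            # interface name -> {ip, source, destination, map}
    section = None        # ("map", name) or ("intf", name) while inside a block
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":   # '!' ends the current block
            section = None
            continue
        m = re.match(r"crypto isakmp key \S+ address (\S+)", line)
        if m:
            keys.add(m.group(1))
            section = None
            continue
        m = re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line)
        if m:
            section = ("map", m.group(1))
            maps.setdefault(m.group(1), set())
            continue
        m = re.match(r"interface (\S+)", line)
        if m:
            section = ("intf", m.group(1))
            intfs[m.group(1)] = {}
            continue
        if section and section[0] == "map":
            m = re.match(r"set peer (\S+)", line)
            if m:
                maps[section[1]].add(m.group(1))
        elif section and section[0] == "intf":
            attrs = intfs[section[1]]
            for key, pat in (("ip", r"ip address (\S+)"),
                             ("source", r"tunnel source (\S+)"),
                             ("destination", r"tunnel destination (\S+)"),
                             ("map", r"crypto map (\S+)")):
                m = re.match(pat, line)
                if m:
                    attrs[key] = m.group(1)
    return keys, maps, intfs


def check_tunnel_ipsec(config):
    """Return findings; an empty list means peers, keys and map placement agree."""
    keys, maps, intfs = parse(config)
    findings = []
    for name, a in intfs.items():
        if "destination" not in a or "map" not in a:
            continue   # only tunnels that carry a crypto map are checked
        dest, mapname = a["destination"], a["map"]
        peers = maps.get(mapname, set())
        if dest not in peers:
            findings.append(f"{name}: crypto map {mapname} peers {sorted(peers)} "
                            f"do not include tunnel destination {dest}")
        if dest not in keys:
            findings.append(f"{name}: no 'crypto isakmp key ... address {dest}' "
                            f"matching the tunnel destination")
        # Resolve the tunnel source (interface name or address) to the physical
        # interface and require the same crypto map there as well.
        src = a.get("source")
        for phys, p in intfs.items():
            if (phys == src or p.get("ip") == src) and p.get("map") != mapname:
                findings.append(f"{phys}: carries tunnel source for {name} "
                                f"but crypto map {mapname} is not applied")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", SAMPLE_R6), ("with suggested changes", SAMPLE_R6_FIXED)):
        found = check_tunnel_ipsec(cfg)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Running it on the trimmed original reports three findings (peer, key and the missing map on ATM2/0); on the corrected copy it reports none. The same check applied to the r9 side would flag its key and peer entries for 11.11.11.1 in the same way.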



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:44 GMT-3