From: John Kaberna (jkaberna@xxxxxxxxxxxx)
Date: Sat Feb 10 2001 - 16:28:16 GMT-3
Kevin, you've got a couple of problems. First, your encr is missing from your
crypto isakmp. I also don't think you need to put the hash in there. None
of my working configs have it, and I know for sure that without the encr
statement there it doesn't work. You would think it would at the transform
set for both of those parameters, but it doesn't. See if you get any better
results.
crypto isakmp policy 1
encr des
authentication pre-share
----- Original Message -----
From: Kevin Baumgartner <kbaumgar@cisco.com>
To: <abasinge@swbell.net>
Cc: <ccielab@groupstudy.com>
Sent: Saturday, February 10, 2001 10:04 AM
Subject: Re: IPSec
> So I believe the peer ip addresses you are using for isakmp and ipsec are
> wrong. It should be the destination address of the tunnel, i.e. 172.30.200.9
>
> Also I would add the crypto map to the interface the tunnel is going
> across. I have seen that this is required for IPSEC to work.
>
> See below for changes required.
>
> Also make the required changes to the other router and it should work.
>
> Kevin
>
> >
> > Have been reviewing IPSec and tunnels with IKE. I created a tunnel across my
> > ATM and then applied IPSec to the tunnel. When I try to ping, it looks as if
> > it makes it past phase 1 negotiation but not phase 2?? I have included a
> > copy of the config and the debug of isakmp at the failure.
> >
> > Alan
> >
> >
> >
> > r6#r
> > Building configuration...
> >
> > Current configuration:
> > !
> > version 12.0
> > service timestamps debug uptime
> > service timestamps log uptime
> > no service password-encryption
> > !
> > hostname r6
> > !
> > logging buffered 4096 debugging
> > enable secret 5 $1$GAxn$NQDQomSVw0/MZdzhirlXE/
> > !
> > !
> > !
> > !
> > !
> > ip subnet-zero
> > no ip domain-lookup
> > !
> > ip audit notify log
> > ip audit po max-events 100
> > ipx routing 0006.0006.0006
> > ipx internal-network 66666666
> > cns event-service server
> > !
> > !
> > crypto isakmp policy 1
> > hash md5
> > authentication pre-share
> > crypto isakmp key test address 11.11.11.2
>
> crypto isakmp key test address 172.30.200.9
>
> > !
> > !
> > crypto ipsec transform-set cisco esp-des
> > crypto ipsec transform-set ccie ah-md5-hmac esp-des
> > !
> > !
> > crypto map test 1 ipsec-isakmp
> > set peer 11.11.11.2
>
> set peer 172.30.200.9
>
> > set transform-set cisco ccie
> > match address 101
> > !
> > !
> > !
> > !
> > !
> > !
> > interface Loopback0
> > ip address 172.30.6.6 255.255.255.0
> > no ip directed-broadcast
> > ipx network 30006
> > ipx type-20-propagation
> > !
> > interface Tunnel0
> > ip address 11.11.11.1 255.255.255.0
> > no ip directed-broadcast
> > tunnel source 172.30.200.6
> > tunnel destination 172.30.200.9
> > crypto map test
> > !
> > interface Ethernet0/0
> > ip address 172.30.104.6 255.255.255.0
> > no ip directed-broadcast
> > ip mobile arp access-group 1
> > ip ospf authentication-key lab
> > ipx input-sap-filter ipx-saps
> > ipx network 30104
> > ipx output-gns-filter ipx-saps
> > ipx type-20-propagation
> > bridge-group 1
> > !
> > interface Serial0/0
> > no ip address
> > no ip directed-broadcast
> > no ip mroute-cache
> > shutdown
> > no fair-queue
> > !
> > interface Hssi1/0
> > no ip address
> > no ip directed-broadcast
> > shutdown
> > !
> > interface ATM2/0
> > ip address 172.30.200.6 255.255.255.0
> > no ip directed-broadcast
>
> crypto map test
>
> > atm clock INTERNAL
> > no atm ilmi-keepalive
> > pvc 0/35
> > protocol ip 172.30.200.9 broadcast
> > encapsulation aal5snap
> > !
> > !
> > router ospf 6
> > area 2 authentication
> > area 2 range 172.30.2.0 255.255.255.0
> > area 2 range 172.30.6.0 255.255.255.0
> > area 2 range 172.30.104.0 255.255.255.0
> > area 2 range 172.30.112.0 255.255.255.0
> > area 2 range 172.30.120.0 255.255.255.0
> > redistribute mobile metric 10 subnets
> > redistribute rip metric 150 subnets tag 100 route-map rip-in
> > network 172.30.2.0 0.0.0.255 area 2
> > network 172.30.6.0 0.0.0.255 area 2
> > network 172.30.104.0 0.0.0.255 area 2
> > network 172.30.112.0 0.0.0.255 area 2
> > network 172.30.120.0 0.0.0.255 area 2
> > !
> > router rip
> > redistribute ospf 6 metric 4 route-map ospf-in
> > passive-interface Ethernet0/0
> > network 172.30.0.0
> > !
> > ip classless
> > no ip http server
> > !
> > !
> > ip access-list standard ospf-in
> > permit any
> > ip access-list standard rip-in
> > permit 172.30.200.0 0.0.0.255
> > permit 192.168.9.0 0.0.0.255
> > permit 192.168.99.0 0.0.0.255
> > access-list 1 permit 192.168.192.0 0.0.0.255
> > access-list 101 permit ip any any log
> > route-map ospf-in permit 10
> > match ip address ospf-in
> > !
> > route-map rip-in permit 10
> > match ip address rip-in
> > !
> > !
> > !
> > !
> > ipx sap 7 pserver6 30006.0000.0000.0001 5000 1
> > !
> > !
> > ipx access-list sap ipx-saps
> > deny 8 4
> > deny FFFFFFFF 4
> > deny FFFFFFFF 7 pserver1
> > permit FFFFFFFF
> > bridge 1 protocol ieee
> > alias exec s show ip route
> > alias exec sx sh ipx route
> > alias exec so sh ip ospf
> > alias exec son sh ip ospf nei
> > alias exec sb sh ip bgp
> > alias exec sbn sh ip bgp nei
> > alias exec w wr mem
> > alias exec r sh run
> > alias exec u undebug all
> > alias exec ct config t
> > alias exec cb clear ip bgp *
> > alias exec c clear ip route *
> > !
> > line con 0
> > exec-timeout 0 0
> > privilege level 15
> > password cisco
> > length 42
> > transport input none
> > line aux 0
> > exec-timeout 0 0
> > script dialer myscript
> > modem Host
> > transport input all
> > speed 38400
> > flowcontrol hardware
> > line vty 0 4
> > exec-timeout 0 0
> > privilege level 15
> > password cisco
> > no login
> > length 42
> > !
> > end
> >
> > r6#
> >
> >
> > Current configuration : 2201 bytes
> > !
> > version 12.1
> > service timestamps debug uptime
> > service timestamps log uptime
> > no service password-encryption
> > !
> > hostname r9
> > !
> > logging buffered 4096 debugging
> > enable secret 5 $1$aO36$vrM6j7a1SdHlAMCXHKw5//
> > !
> > !
> > !
> > !
> > !
> > ip subnet-zero
> > no ip finger
> > no ip domain-lookup
> > !
> > ip audit notify log
> > ip audit po max-events 100
> > !
> > !
> > crypto isakmp policy 1
> > hash md5
> > authentication pre-share
> > crypto isakmp key test address 11.11.11.1
> > !
> > !
> > crypto ipsec transform-set cisco esp-des
> > crypto ipsec transform-set ccie ah-md5-hmac esp-des
> > !
> > crypto map test 1 ipsec-isakmp
> > set peer 11.11.11.1
> > set transform-set cisco ccie
> > match address 101
> > !
> > !
> > !
> > !
> > voice-port 0/0/0
> > connection plar 5555
> > !
> > voice-port 0/0/1
> > connection plar 5500
> > !
> > voice-port 0/1/0
> > !
> > voice-port 0/1/1
> > !
> > voice class codec 1
> > codec preference 1 g728
> > !
> > !
> > dial-peer voice 1 pots
> > destination-pattern ....
> > port 0/0/0
> > !
> > dial-peer voice 2 pots
> > destination-pattern ....
> > port 0/0/1
> > !
> > dial-peer voice 3 voip
> > destination-pattern 5500
> > session target ipv4:172.30.5.5
> > !
> > dial-peer voice 4 voip
> > destination-pattern 5555
> > codec g711ulaw
> > session target ipv4:172.30.5.5
> > !
> > !
> > interface Tunnel0
> > ip address 11.11.11.2 255.255.255.0
> > tunnel source 172.30.200.9
> > tunnel destination 172.30.200.6
> > crypto map test
> > !
> > interface ATM1/0
> > ip address 172.30.200.9 255.255.255.0
> > no atm ilmi-keepalive
> > pvc 0/35
> > protocol ip 172.30.200.6 broadcast
> > encapsulation aal5snap
> > !
> > !
> > router rip
> > network 172.30.0.0
> > network 192.168.9.0
> > network 192.168.99.0
> > network 192.168.199.0
> > !
> > ip classless
> > ip http server
> > !
> > access-list 101 permit ip any any log
> > !
> > !
> > alias exec s show ip route
> > alias exec sx sh ipx route
> > alias exec so sh ip ospf
> > alias exec son sh ip ospf nei
> > alias exec sb sh ip bgp
> > alias exec sbn sh ip bgp nei
> > alias exec w wr mem
> > alias exec r sh run
> > alias exec u undebug all
> > alias exec ct config t
> > alias exec cb clear ip bgp *
> > alias exec c clear ip route *
> > !
> > line con 0
> > exec-timeout 0 0
> > privilege level 15
> > password cisco
> > length 42
> > transport input none
> > line aux 0
> > exec-timeout 0 0
> > script dialer myscript
> > modem Host
> > transport input all
> > speed 38400
> > flowcontrol hardware
> > line vty 0 4
> > exec-timeout 0 0
> > privilege level 15
> > password cisco
> > no login
> > length 42
> > !
> > end
> >
> > r9#
> >
> >
> >
> > 00:28:15: ISAKMP (0:1): beginning Main Mode exchange
> > 00:28:15: ISAKMP (1): sending packet to 11.11.11.2 (I) MM_NO_STATE
> > 00:28:15: ISAKMP (1): received packet from 11.11.11.2 (I) MM_NO_STATE
> > 00:28:15: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 11.11.11.2
> >
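As an added example (not from the thread, and not Cisco's own tooling), a small Python checker for the wiring Kevin describes: it parses a constructed config shaped like Alan's r6 and reports when the crypto map peer or the isakmp key address is not the tunnel destination, or when the map is missing from the physical interface that owns the tunnel source. The parser only understands the handful of commands involved; `parse` and `check_tunnel_crypto` are names chosen here.

```python
import re
# Constructed sample shaped like Alan's r6: peer and isakmp key use the tunnel's own address
R6_CONFIG = """
crypto isakmp key test address 11.11.11.2
crypto map test 1 ipsec-isakmp
set peer 11.11.11.2
interface Tunnel0
tunnel source 172.30.200.6
tunnel destination 172.30.200.9
crypto map test
interface ATM2/0
ip address 172.30.200.6 255.255.255.0
"""

def parse(text):
    """Collect interfaces, crypto maps and isakmp key addresses from an IOS-style config."""
    ifaces, maps, keys, cur = {}, {}, set(), None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            cur = ifaces.setdefault(m[1], {})
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", line):
            cur = maps.setdefault(m[1], {})
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            keys.add(m[1]); cur = None
        elif line in ("!", "") or cur is None:
            cur = None  # block terminator or an unrecognised top-level line
        elif m := re.match(r"(ip address|tunnel source|tunnel destination) (\S+)", line):
            cur[m[1].split()[1]] = m[2]  # keys: address, source, destination
        elif m := re.match(r"(crypto map|set peer) (\S+)$", line):
            cur.setdefault(m[1], set()).add(m[2])  # keys: "crypto map", "set peer"
    return ifaces, maps, keys

def check_tunnel_crypto(text):
    """Findings for every tunnel interface carrying a crypto map; [] means consistent."""
    ifaces, maps, keys = parse(text)
    findings = []
    for name, tun in ifaces.items():
        if not (dest := tun.get("destination")):
            continue  # not a tunnel interface
        phys = [n for n, i in ifaces.items() if i.get("address") == tun.get("source")]  # owns tunnel source
        for mname in tun.get("crypto map", ()):
            peers = maps.get(mname, {}).get("set peer", set())
            if dest not in peers:
                findings.append(f"{name}: map {mname} peers {sorted(peers)} omit tunnel destination {dest}")
            if any(mname not in ifaces[p].get("crypto map", ()) for p in phys):
                findings.append(f"{name}: map {mname} not applied on tunnel source interface(s) {phys}")
        if dest not in keys:
            findings.append(f"{name}: no crypto isakmp key for peer {dest}")
    return findings
```

Running `check_tunnel_crypto(R6_CONFIG)` yields three findings matching Kevin's three corrections; applying them (peer and key set to 172.30.200.9, map added under ATM2/0) yields none.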
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:44 GMT-3