Re: IPSec

From: Aamir Waheed (awaheed@xxxxxxxxx)
Date: Sat Feb 10 2001 - 17:38:15 GMT-3


Hi Allen,

 Firstly, on the R9 you do not have a crypto map applied to any of the physical
interfaces (it's a must). Secondly, I would suggest using esp-md5-hmac on both
sides rather than ah-md5-hmac (it sometimes gives problems this way). Moreover,
it's not a good practice to define any any as the interesting traffic for the
IPSec tunnel, so what I would suggest is to put the inside networks of both
sides as the interesting traffic here and hopefully it should work :-)

Hope this helps,
Regards,
Aamir

John Kaberna wrote:

> Kevin you've got a couple of problems. First your encr is missing from your
> crypto isakmp. I also don't think you need to put the hash in there. None
> of my working configs have it and I know for sure that without the encr
> statement there it doesn't work. You would think it would at the transform
> set for both of those parameters but it doesn't. See if you get any better
> results.
>
> crypto isakmp policy 1
> encr des
> authentication pre-share
>
> ----- Original Message -----
> From: Kevin Baumgartner <kbaumgar@cisco.com>
> To: <abasinge@swbell.net>
> Cc: <ccielab@groupstudy.com>
> Sent: Saturday, February 10, 2001 10:04 AM
> Subject: Re: IPSec
>
> > So I believe the peer ip addresses you are using for isakmp and ipsec are
> > wrong. It should be the destination address of the tunnel, i.e. 172.30.200.9.
> >
> > Also I would add the crypto map to the interface the tunnel is going
> > across. I have seen that this is required for IPSEC to work.
> >
> > See below for changes required.
> >
> > Also make the required changes to the other router and it should work.
> >
> > Kevin
> >
> > >
> > > Have been reviewing IPSec and tunnels with IKE. I created a tunnel across
> > > my ATM and then applied IPSec to the tunnel. When I try to ping it looks
> > > as if it makes it past phase 1 negotiation but not phase 2 ?? I have
> > > included a copy of the config and the debug of isakmp at the failure?
> > >
> > > Alan
> > >
> > >
> > >
> > > r6#r
> > > Building configuration...
> > >
> > > Current configuration:
> > > !
> > > version 12.0
> > > service timestamps debug uptime
> > > service timestamps log uptime
> > > no service password-encryption
> > > !
> > > hostname r6
> > > !
> > > logging buffered 4096 debugging
> > > enable secret 5 $1$GAxn$NQDQomSVw0/MZdzhirlXE/
> > > !
> > > !
> > > !
> > > !
> > > !
> > > ip subnet-zero
> > > no ip domain-lookup
> > > !
> > > ip audit notify log
> > > ip audit po max-events 100
> > > ipx routing 0006.0006.0006
> > > ipx internal-network 66666666
> > > cns event-service server
> > > !
> > > !
> > > crypto isakmp policy 1
> > > hash md5
> > > authentication pre-share
> > > crypto isakmp key test address 11.11.11.2
> >
> > crypto isakmp key test address 172.30.200.9
> >
> > > !
> > > !
> > > crypto ipsec transform-set cisco esp-des
> > > crypto ipsec transform-set ccie ah-md5-hmac esp-des
> > > !
> > > !
> > > crypto map test 1 ipsec-isakmp
> > > set peer 11.11.11.2
> >
> > set peer 172.30.200.9
> >
> > > set transform-set cisco ccie
> > > match address 101
> > > !
> > > !
> > > !
> > > !
> > > !
> > > !
> > > interface Loopback0
> > > ip address 172.30.6.6 255.255.255.0
> > > no ip directed-broadcast
> > > ipx network 30006
> > > ipx type-20-propagation
> > > !
> > > interface Tunnel0
> > > ip address 11.11.11.1 255.255.255.0
> > > no ip directed-broadcast
> > > tunnel source 172.30.200.6
> > > tunnel destination 172.30.200.9
> > > crypto map test
> > > !
> > > interface Ethernet0/0
> > > ip address 172.30.104.6 255.255.255.0
> > > no ip directed-broadcast
> > > ip mobile arp access-group 1
> > > ip ospf authentication-key lab
> > > ipx input-sap-filter ipx-saps
> > > ipx network 30104
> > > ipx output-gns-filter ipx-saps
> > > ipx type-20-propagation
> > > bridge-group 1
> > > !
> > > interface Serial0/0
> > > no ip address
> > > no ip directed-broadcast
> > > no ip mroute-cache
> > > shutdown
> > > no fair-queue
> > > !
> > > interface Hssi1/0
> > > no ip address
> > > no ip directed-broadcast
> > > shutdown
> > > !
> > > interface ATM2/0
> > > ip address 172.30.200.6 255.255.255.0
> > > no ip directed-broadcast
> >
> > crypto map test
> >
> > > atm clock INTERNAL
> > > no atm ilmi-keepalive
> > > pvc 0/35
> > > protocol ip 172.30.200.9 broadcast
> > > encapsulation aal5snap
> > > !
> > > !
> > > router ospf 6
> > > area 2 authentication
> > > area 2 range 172.30.2.0 255.255.255.0
> > > area 2 range 172.30.6.0 255.255.255.0
> > > area 2 range 172.30.104.0 255.255.255.0
> > > area 2 range 172.30.112.0 255.255.255.0
> > > area 2 range 172.30.120.0 255.255.255.0
> > > redistribute mobile metric 10 subnets
> > > redistribute rip metric 150 subnets tag 100 route-map rip-in
> > > network 172.30.2.0 0.0.0.255 area 2
> > > network 172.30.6.0 0.0.0.255 area 2
> > > network 172.30.104.0 0.0.0.255 area 2
> > > network 172.30.112.0 0.0.0.255 area 2
> > > network 172.30.120.0 0.0.0.255 area 2
> > > !
> > > router rip
> > > redistribute ospf 6 metric 4 route-map ospf-in
> > > passive-interface Ethernet0/0
> > > network 172.30.0.0
> > > !
> > > ip classless
> > > no ip http server
> > > !
> > > !
> > > ip access-list standard ospf-in
> > > permit any
> > > ip access-list standard rip-in
> > > permit 172.30.200.0 0.0.0.255
> > > permit 192.168.9.0 0.0.0.255
> > > permit 192.168.99.0 0.0.0.255
> > > access-list 1 permit 192.168.192.0 0.0.0.255
> > > access-list 101 permit ip any any log
> > > route-map ospf-in permit 10
> > > match ip address ospf-in
> > > !
> > > route-map rip-in permit 10
> > > match ip address rip-in
> > > !
> > > !
> > > !
> > > !
> > > ipx sap 7 pserver6 30006.0000.0000.0001 5000 1
> > > !
> > > !
> > > ipx access-list sap ipx-saps
> > > deny 8 4
> > > deny FFFFFFFF 4
> > > deny FFFFFFFF 7 pserver1
> > > permit FFFFFFFF
> > > bridge 1 protocol ieee
> > > alias exec s show ip route
> > > alias exec sx sh ipx route
> > > alias exec so sh ip ospf
> > > alias exec son sh ip ospf nei
> > > alias exec sb sh ip bgp
> > > alias exec sbn sh ip bgp nei
> > > alias exec w wr mem
> > > alias exec r sh run
> > > alias exec u undebug all
> > > alias exec ct config t
> > > alias exec cb clear ip bgp *
> > > alias exec c clear ip route *
> > > !
> > > line con 0
> > > exec-timeout 0 0
> > > privilege level 15
> > > password cisco
> > > length 42
> > > transport input none
> > > line aux 0
> > > exec-timeout 0 0
> > > script dialer myscript
> > > modem Host
> > > transport input all
> > > speed 38400
> > > flowcontrol hardware
> > > line vty 0 4
> > > exec-timeout 0 0
> > > privilege level 15
> > > password cisco
> > > no login
> > > length 42
> > > !
> > > end
> > >
> > > r6#
> > >
> > >
> > > Current configuration : 2201 bytes
> > > !
> > > version 12.1
> > > service timestamps debug uptime
> > > service timestamps log uptime
> > > no service password-encryption
> > > !
> > > hostname r9
> > > !
> > > logging buffered 4096 debugging
> > > enable secret 5 $1$aO36$vrM6j7a1SdHlAMCXHKw5//
> > > !
> > > !
> > > !
> > > !
> > > !
> > > ip subnet-zero
> > > no ip finger
> > > no ip domain-lookup
> > > !
> > > ip audit notify log
> > > ip audit po max-events 100
> > > !
> > > !
> > > crypto isakmp policy 1
> > > hash md5
> > > authentication pre-share
> > > crypto isakmp key test address 11.11.11.1
> > > !
> > > !
> > > crypto ipsec transform-set cisco esp-des
> > > crypto ipsec transform-set ccie ah-md5-hmac esp-des
> > > !
> > > crypto map test 1 ipsec-isakmp
> > > set peer 11.11.11.1
> > > set transform-set cisco ccie
> > > match address 101
> > > !
> > > !
> > > !
> > > !
> > > voice-port 0/0/0
> > > connection plar 5555
> > > !
> > > voice-port 0/0/1
> > > connection plar 5500
> > > !
> > > voice-port 0/1/0
> > > !
> > > voice-port 0/1/1
> > > !
> > > voice class codec 1
> > > codec preference 1 g728
> > > !
> > > !
> > > dial-peer voice 1 pots
> > > destination-pattern ....
> > > port 0/0/0
> > > !
> > > dial-peer voice 2 pots
> > > destination-pattern ....
> > > port 0/0/1
> > > !
> > > dial-peer voice 3 voip
> > > destination-pattern 5500
> > > session target ipv4:172.30.5.5
> > > !
> > > dial-peer voice 4 voip
> > > destination-pattern 5555
> > > codec g711ulaw
> > > session target ipv4:172.30.5.5
> > > !
> > > !
> > > interface Tunnel0
> > > ip address 11.11.11.2 255.255.255.0
> > > tunnel source 172.30.200.9
> > > tunnel destination 172.30.200.6
> > > crypto map test
> > > !
> > > interface ATM1/0
> > > ip address 172.30.200.9 255.255.255.0
> > > no atm ilmi-keepalive
> > > pvc 0/35
> > > protocol ip 172.30.200.6 broadcast
> > > encapsulation aal5snap
> > > !
> > > !
> > > router rip
> > > network 172.30.0.0
> > > network 192.168.9.0
> > > network 192.168.99.0
> > > network 192.168.199.0
> > > !
> > > ip classless
> > > ip http server
> > > !
> > > access-list 101 permit ip any any log
> > > !
> > > !
> > > alias exec s show ip route
> > > alias exec sx sh ipx route
> > > alias exec so sh ip ospf
> > > alias exec son sh ip ospf nei
> > > alias exec sb sh ip bgp
> > > alias exec sbn sh ip bgp nei
> > > alias exec w wr mem
> > > alias exec r sh run
> > > alias exec u undebug all
> > > alias exec ct config t
> > > alias exec cb clear ip bgp *
> > > alias exec c clear ip route *
> > > !
> > > line con 0
> > > exec-timeout 0 0
> > > privilege level 15
> > > password cisco
> > > length 42
> > > transport input none
> > > line aux 0
> > > exec-timeout 0 0
> > > script dialer myscript
> > > modem Host
> > > transport input all
> > > speed 38400
> > > flowcontrol hardware
> > > line vty 0 4
> > > exec-timeout 0 0
> > > privilege level 15
> > > password cisco
> > > no login
> > > length 42
> > > !
> > > end
> > >
> > > r9#
> > >
> > >
> > >
> > > 00:28:15: ISAKMP (0:1): beginning Main Mode exchange
> > > 00:28:15: ISAKMP (1): sending packet to 11.11.11.2 (I) MM_NO_STATE
> > > 00:28:15: ISAKMP (1): received packet from 11.11.11.2 (I) MM_NO_STATE
> > > 00:28:15: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 11.11.11.2
> > >



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:44 GMT-3