From: Nigel Taylor (nigel_taylor@xxxxxxxxxxx)
Date: Fri Apr 20 2001 - 00:49:29 GMT-3
Hey Steven...
A lot of stuff to look at in your configs..! I was wondering, when doing a -
debug crypto ipsec
debug crypto engine
what are you seeing while trying to make the connection? Also, when doing so,
run "sh crypto isakmp sa".
QM_IDLE means that the tunnel is being built. As well, what does the "sh crypto engine conn ac" show...
Typical procedure is to ping without the crypto map and see if everything
works, then apply the crypto map to one side and watch the debugs... that
should show you that one side is receiving un-encrypted packets.. then turn
on the other side...
The isakmp policy, transform-set and crypto map all look good... although I
was wondering if you wanted to encrypt the tunnel so all traffic that passes
through would be encrypted.. What are you trying to accomplish...?
Here are a couple of good links that gave me some answers when I needed them....
http://www.cisco.com/pcgi-bin/Support/PSP/index.pl?i=Technologies#IP-Routing_Protocols
http://www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Internetworking:GRE
http://www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Internetworking:IPSec
HTH
Nigel..
----- Original Message -----
From: Steven Weber <itweber@earthlink.net>
To: GROUPSTUDY <ccielab@groupstudy.com>
Sent: Thursday, April 19, 2001 10:45 PM
Subject: IPSec config...
> can someone please take a look at this IPSec config, it isn't working, I
> don't know why, and I don't know where to start troubleshooting it. Please let
> me know where I went wrong.
> TIA
> Steve
>
> Current configuration : 2526 bytes
> !
> version 12.1
> no service single-slot-reload-enable
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname r5
> !
> no logging rate-limit
> no logging console
> !
> ip subnet-zero
> no ip finger
> ip tcp synwait-time 5
> no ip domain-lookup
> !
> clns routing
> cns event-service server
> !
> !
> crypto isakmp policy 1
> hash md5
> authentication pre-share
> crypto isakmp key 1234 address 172.16.10.1
> !
> !
> crypto ipsec transform-set CCIE esp-des
> !
> crypto map ECP1 local-address Loopback7
> crypto map ECP1 2 ipsec-isakmp
> set peer 172.16.10.1
> set transform-set CCIE
> match address 100
> !
> !
> !
> !
> interface Loopback0
> ip address 172.16.50.29 255.255.255.252
> no ip route-cache
> no ip mroute-cache
> !
> interface Loopback1
> ip address 172.16.50.26 255.255.255.252
> no ip route-cache
> no ip mroute-cache
> !
> interface Loopback2
> ip address 172.16.50.33 255.255.255.252
> no ip route-cache
> no ip mroute-cache
> !
> interface Loopback3
> ip address 172.16.253.5 255.255.255.0
> no ip route-cache
> no ip mroute-cache
> !
> interface Loopback4
> ip address 157.10.1.211 255.255.255.240
> no ip route-cache
> no ip mroute-cache
> !
> interface Loopback5
> ip address 1.1.2.101 255.255.255.0
> ip router isis
> no ip route-cache
> no ip mroute-cache
> !
> interface Loopback6
> ip address 172.16.15.1 255.255.255.0
> ip router isis
> no ip route-cache
> no ip mroute-cache
> !
> interface Loopback7
> ip address 5.5.5.5 255.255.255.0
> no ip route-cache
> no ip mroute-cache
> !
> interface Tunnel0
> ip address 10.10.10.5 255.255.255.0
> tunnel source 172.16.15.1
> tunnel destination 172.16.10.1
> crypto map ECP1
> !
> interface Ethernet0
> ip address 172.16.160.5 255.255.252.0
> ip router isis
> no ip route-cache
> no ip mroute-cache
> crypto map ECP1
> !
> interface Serial0
> no ip address
> no ip route-cache
> no ip mroute-cache
> shutdown
> !
> interface Serial1
> no ip address
> no ip route-cache
> no ip mroute-cache
> shutdown
> !
> interface TokenRing0
> no ip address
> no ip route-cache
> no ip mroute-cache
> shutdown
> !
> router ospf 1
> log-adjacency-changes
> network 5.5.5.0 0.0.0.255 area 105
> network 10.10.10.0 0.0.0.255 area 0
> !
> router isis
> net 49.0002.5555.5555.5555.00
> is-type level-1
> !
> ip kerberos source-interface any
> ip classless
> no ip http server
> !
> access-list 100 permit ip host 172.16.15.1 host 172.16.10.1
> !
>
>
> Current configuration : 4193 bytes
> !
> version 12.1
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname r1
> !
> no logging console
> !
> username r2 password 0 cisco
> username ipx2 password 0 cisco
> !
> !
> !
> !
> ip subnet-zero
> no ip finger
> ip tcp synwait-time 5
> no ip domain-lookup
> !
> ip multicast-routing
> clns routing
> ipx routing 0001.0001.0001
> isdn switch-type basic-dms100
> cns event-service server
> !
> !
> crypto isakmp policy 1
> hash md5
> authentication pre-share
> crypto isakmp key 1234 address 172.16.15.1
> !
> !
> crypto ipsec transform-set CCIE esp-des
> !
> crypto map ECP1 local-address Loopback1
> crypto map ECP1 2 ipsec-isakmp
> set peer 172.16.15.1
> set transform-set CCIE
> match address 100
> !
> !
> !
> !
> interface Loopback0
> ip address 172.16.249.1 255.255.255.0
> ip pim sparse-dense-mode
> ip igmp join-group 226.6.6.6
> ip igmp join-group 225.5.5.5
> !
> interface Loopback1
> ip address 172.16.10.1 255.255.255.0
> ip router isis
> !
> interface Loopback2
> ip address 2.2.2.1 255.255.255.0
> !
> interface Tunnel0
> no ip address
> ipx network 112A
> tunnel source 172.16.249.1
> tunnel destination 172.16.250.2
> !
> interface Tunnel1
> no ip address
> ipx network 13A
> tunnel source 172.16.249.1
> tunnel destination 172.16.251.3
> !
> interface Tunnel2
> no ip address
> ipx network 14A
> tunnel source 172.16.249.1
> tunnel destination 172.16.252.4
> !
> interface Tunnel3
> ip address 10.10.10.1 255.255.255.0
> tunnel source 172.16.10.1
> tunnel destination 172.16.15.1
> crypto map ECP1
> !
> interface Ethernet0
> no ip address
> no keepalive
> shutdown
> !
> interface Serial0
> no ip address
> encapsulation frame-relay
> no fair-queue
> !
> interface Serial0.1 multipoint
> ip address 172.16.100.1 255.255.255.0
> ip router isis
> ip pim nbma-mode
> ip pim sparse-dense-mode
> ip ospf network point-to-multipoint
> ip ospf priority 10
> no ip mroute-cache
> ip policy route-map R2
> frame-relay map clns 102 broadcast
> frame-relay map clns 103 broadcast
> frame-relay map ipx 123A.0002.0002.0002 102 broadcast
> frame-relay map ipx 123A.0003.0003.0003 103 broadcast
> frame-relay map ip 172.16.100.2 102 broadcast
> frame-relay map ip 172.16.100.3 103 broadcast
> crypto map ECP1
> !
> interface Serial0.2 point-to-point
> ip address 172.16.200.1 255.255.255.0
> ip pim nbma-mode
> ip pim sparse-dense-mode
> ip ospf network point-to-multipoint
> no ip mroute-cache
> frame-relay interface-dlci 104
> !
> interface Serial1
> no ip address
> shutdown
> !
> interface BRI0
> no ip address
> encapsulation ppp
> dialer pool-member 1
> isdn switch-type basic-dms100
> isdn spid1 3840 ppp callback accept
> ppp authentication chap
> !
> interface Dialer0
> ip address 172.16.12.1 255.255.255.0
> encapsulation ppp
> dialer pool 1
> dialer remote-name r2
> dialer string 384020 class CALLME
> dialer-group 1
> ppp authentication chap
> ppp chap hostname r1
> !
> interface Dialer1
> no ip address
> encapsulation ppp
> dialer pool 1
> dialer remote-name ipx2
> dialer string 384020
> dialer-group 2
> ipx network 12A
> snapshot server 5
> ppp authentication chap
> ppp chap hostname ipx1
> !
> router ospf 1
> log-adjacency-changes
> network 2.2.2.0 0.0.0.255 area 100
> network 10.10.10.0 0.0.0.255 area 0
> !
> router isis
> net 49.0001.1111.1111.1111.00
> !
> ip classless
> ip default-network 140.10.0.0
> no ip http server
> ip as-path access-list 3 permit _450$
> ip pim send-rp-announce Serial0.1 scope 16 group-list 10
> ip pim send-rp-discovery scope 16
> !
> !
> map-class dialer CALLME
> dialer callback-server username
> access-list 1 permit 172.16.20.1
> access-list 10 permit 225.5.5.5
> access-list 100 permit ip host 172.16.10.1 host 172.16.15.1
> dialer-list 1 protocol ip permit
> dialer-list 2 protocol ipx permit
> route-map PREF permit 10
> match as-path 3
> set local-preference 200
> !
> route-map PREF permit 20
> !
> route-map R2 permit 10
> match ip address 1
> set interface Ethernet0
> !
> route-map R2 permit 20
> !
> !
> **Please read:http://www.groupstudy.com/list/posting.html
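Added example (not from either mail in this thread, and not Cisco tooling): a small Python script that parses the IPsec statements of two IOS configs and cross-checks them the way one would by eye before reaching for the debugs. For each crypto map entry it works out which address that router presents to ISAKMP (the ip address of the crypto map's local-address interface), then asks whether the peer holds a pre-shared key for that address and has a "set peer" pointing at it, whether the transform-set proposals match, and whether the two crypto ACLs are mirror images. The two config strings are excerpts of the quoted r5 and r1 configs with unrelated interfaces and routing left out; the function names and the wording of the findings are the example's own. Run on those excerpts it reports that r5 presents 5.5.5.5 (Loopback7) while r1 is keyed and peered for 172.16.15.1, which can also be read straight off the configs above. It does not compare ISAKMP policies or check routing, so an empty report is necessary, not sufficient, for the tunnel to come up.

```python
# Constructed input: the crypto-relevant lines of r5 and r1 from the quoted post,
# with unrelated interfaces and routing omitted and IOS sub-commands indented.
R5 = """\
hostname r5
crypto isakmp key 1234 address 172.16.10.1
crypto ipsec transform-set CCIE esp-des
crypto map ECP1 local-address Loopback7
crypto map ECP1 2 ipsec-isakmp
 set peer 172.16.10.1
 set transform-set CCIE
 match address 100
interface Loopback6
 ip address 172.16.15.1 255.255.255.0
interface Loopback7
 ip address 5.5.5.5 255.255.255.0
access-list 100 permit ip host 172.16.15.1 host 172.16.10.1
"""

R1 = """\
hostname r1
crypto isakmp key 1234 address 172.16.15.1
crypto ipsec transform-set CCIE esp-des
crypto map ECP1 local-address Loopback1
crypto map ECP1 2 ipsec-isakmp
 set peer 172.16.15.1
 set transform-set CCIE
 match address 100
interface Loopback1
 ip address 172.16.10.1 255.255.255.0
access-list 100 permit ip host 172.16.10.1 host 172.16.15.1
"""


def parse_ios(text):
    """Pull the IPsec-relevant statements out of an IOS running-config."""
    cfg = {"hostname": None, "keys": {}, "tsets": {}, "local_address": {},
           "entries": {}, "interfaces": {}, "acls": {}}
    section = None  # ("interface", name) or ("map", name, seq) while inside one
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "hostname":
            cfg["hostname"] = t[1]
        elif t[0] == "access-list" and t[2:5] == ["permit", "ip", "host"]:
            section = None
            cfg["acls"].setdefault(t[1], set()).add((t[5], t[7]))  # (src, dst)
        elif t[0] == "interface":
            section = ("interface", t[1])
            cfg["interfaces"][t[1]] = {"ip": None}
        elif t[:3] == ["crypto", "isakmp", "key"]:
            cfg["keys"][t[5]] = t[3]  # peer address -> pre-shared key
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tsets"][t[3]] = tuple(t[4:])  # name -> proposals
        elif t[:2] == ["crypto", "map"] and t[3:4] == ["local-address"]:
            cfg["local_address"][t[2]] = t[4]  # map name -> interface
        elif t[:2] == ["crypto", "map"] and t[4:5] == ["ipsec-isakmp"]:
            section = ("map", t[2], t[3])
            cfg["entries"][section[1:]] = {"peer": None, "tset": None, "acl": None}
        elif section and section[0] == "interface" and t[:2] == ["ip", "address"]:
            cfg["interfaces"][section[1]]["ip"] = t[2]
        elif section and section[0] == "map" and len(t) == 3:
            field = {"peer": "peer", "transform-set": "tset", "address": "acl"}.get(t[1])
            if field:
                cfg["entries"][section[1:]][field] = t[2]
    return cfg


def isakmp_source(cfg, map_name):
    """Address the router presents as its ISAKMP identity: the ip address of the
    crypto map's local-address interface (assumed configured, as on both routers)."""
    iface = cfg["local_address"].get(map_name)
    return cfg["interfaces"].get(iface, {}).get("ip"), iface


def check_pair(a, b):
    """Compare two parsed configs in both directions; return a list of findings."""
    findings = []
    for local, remote in ((a, b), (b, a)):
        for (name, seq), e in local["entries"].items():
            where = f"{local['hostname']} map {name} {seq}"
            src, iface = isakmp_source(local, name)
            if src is None:
                findings.append(f"{where}: no local-address interface with an ip address ({iface})")
                continue
            # the remote must hold a key for, and 'set peer' to, the address we source from
            if src not in remote["keys"]:
                findings.append(f"{where}: sources ISAKMP from {src} ({iface}) but {remote['hostname']} has no key for that address")
            elif local["keys"].get(e["peer"]) != remote["keys"][src]:
                findings.append(f"{where}: pre-shared keys differ")
            partner = next((r for r in remote["entries"].values() if r["peer"] == src), None)
            if partner is None:
                findings.append(f"{where}: no crypto map entry on {remote['hostname']} has 'set peer {src}'")
                continue
            if local["tsets"].get(e["tset"]) != remote["tsets"].get(partner["tset"]):
                findings.append(f"{where}: transform-set proposals differ from {remote['hostname']}")
            mirror = {(d, s) for s, d in remote["acls"].get(partner["acl"], set())}
            if local["acls"].get(e["acl"], set()) != mirror:
                findings.append(f"{where}: crypto ACL {e['acl']} does not mirror {remote['hostname']}'s")
    return findings


if __name__ == "__main__":
    for finding in check_pair(parse_ios(R5), parse_ios(R1)):
        print(finding)
```

The parser deliberately keys everything on the statements Nigel says to look at (isakmp key, transform-set, crypto map entry, crypto ACL), so it is easy to extend with a second pair of excerpts, for instance to check a hub against each of several spokes.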
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:29:52 GMT-3