Re: help!! ipsec tunnel

From: garry baker (fallow46@xxxxxxxxx)
Date: Mon May 28 2001 - 09:05:42 GMT-3


   
Nigel,

I have had a look at the links that have been
supplied, thanks guys, but I am still having trouble.
Essentially what I have done is set up a tunnel using
physical interfaces as the source and dest, there is a
router in the middle, I have set up the crypto map
peers etc to peer to the far end physical int that the
tunnel is using and I get the following debugs, hope
it is not too long. Perhaps I need to get some sleep
and hit it again tomorrow.
Thanks for your help.

01:20:00: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 64.108.1.34, remote= 64.108.9.2,
    local_proxy= 64.108.1.34/255.255.255.255/47/0 (type=1),
    remote_proxy= 64.108.9.2/255.255.255.255/47/0 (type=1)
01:20:00: IPSEC(sa_request): ,
  (key eng. msg.) src= 64.108.1.34, dest= 64.108.9.2,
    src_proxy= 64.108.1.34/255.255.255.255/47/0 (type=1),
    dest_proxy= 64.108.9.2/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-des ,
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
01:20:00: ISAKMP (41): retransmitting phase 1...
01:20:00: ISAKMP (41): sending packet to 64.108.9.2 (I) MM_NO_STATE
r8#
01:20:15: ISAKMP (41): deleting SA
r8#
01:20:19: ISADB: reaper checking SA, conn_id = 41 DELETE IT!
01:20:19: ISADB: reaper checking SA, conn_id = 40 DELETE IT!
01:20:19: ISADB: reaper checking SA, conn_id = 39 DELETE IT!
r8#
01:20:24: IPSEC(encapsulate): invalid conn id 0
01:20:24: IPSEC(encapsulate): error in encapsulation crypto_ip_encrypt
r8#
01:20:30: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 64.108.1.34, remote= 64.108.9.2,
    local_proxy= 64.108.1.34/255.255.255.255/47/0 (type=1),
    remote_proxy= 64.108.9.2/255.255.255.255/47/0 (type=1)
01:20:31: IPSEC(sa_request): ,
  (key eng. msg.) src= 64.108.1.34, dest= 64.108.9.2,
    src_proxy= 64.108.1.34/255.255.255.255/47/0 (type=1),
    dest_proxy= 64.108.9.2/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-des ,
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
01:20:31: ISAKMP (42): beginning Main Mode exchange
01:20:31: ISAKMP (42): sending packet to 64.108.9.2 (I) MM_NO_STATE
r8#
01:20:46: ISAKMP (42): retransmitting phase 1...
01:20:46: ISAKMP (42): sending packet to 64.108.9.2 (I) MM_NO_STATE
r8#

--- Nigel Taylor <nigel_taylor@hotmail.com> wrote:
> Gary,
>
> In order to get the traffic between the two end-points to work you
> must identify that traffic in the tunnel itself will be encrypted.
> I was just wondering what your "debug crypto isa" and
> "debug crypto ipsec" showed.
>
> Anyway here's a good link that should help you get
> things working
>
> http://www.cisco.com/warp/public/707/ipsec_gre.html
>
>
> http://www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Internetworking:GRE&s=Implementation_and_Configuration#Samples_%26_Tips
>
>
> HTH
>
> Nigel..
>
> ----- Original Message -----
> From: garry baker <fallow46@yahoo.com>
> To: <ccielab@groupstudy.com>
> Sent: Monday, May 28, 2001 1:15 AM
> Subject: help!! ipsec tunnel
>
>
> > Guys,
> >
> > i am trying to get a ipsec to work over a gre tunnel,
> > the tunnel works fine but when i add the ipsec i am
> > unable to ping the other end of the tunnel. all i am
> > trying to achieve is to be able to ping the other end
> > of the tunnel. i went through the post from last week
> > that was similar but still could not fix my problem.
> >
> > i have three routers connected with the outer two
> > acting as the tunnel endpoints. i have pasted the
> > relevant config details. could someone point me in the
> > right direction?
> >
> > Garry
> >
> > r6
> >
> > crypto isakmp policy 1
> > authentication pre-share
> > crypto isakmp key 123456 address 64.108.4.9
> > crypto isakmp key 12345 address 64.108.68.8
> >
> > crypto map test local-address Tunnel0
> > crypto map test 10 ipsec-isakmp
> > set peer 64.180.68.8
> > set transform-set test
> > match address 150
> > !
> >
> > interface Tunnel0
> > ip address 64.108.68.6 255.255.255.0
> > no ip directed-broadcast
> > no ip route-cache
> > no ip mroute-cache
> > tunnel source 64.108.9.2
> > tunnel destination 64.108.1.34
> > crypto map test
> >
> > interface Serial0/1
> > ip address 64.108.9.2 255.255.255.240
> > no ip directed-broadcast
> > ip pim sparse-mode
> > encapsulation ppp
> > ip ospf interface-retry 0
> > ip igmp join-group 226.10.10.1
> > ip igmp join-group 226.1.1.10
> > crypto map test
> >
> > access-list 150 permit ip host 64.108.68.6 host 64.108.68.8
> >
> > r8
> >
> > crypto isakmp policy 1
> > authentication pre-share
> > crypto isakmp key 12345 address 64.108.68.6
> > !
> > !
> > crypto ipsec transform-set test esp-des
> > !
> > !
> > crypto map test local-address Tunnel0
> > crypto map test 10 ipsec-isakmp
> > set peer 64.108.68.6
> > set transform-set test
> > match address 150
> >
> > interface Tunnel0
> > ip address 64.108.68.8 255.255.255.0
> > no ip directed-broadcast
> > no ip route-cache
> > no ip mroute-cache
> > tunnel source 64.108.1.34
> > tunnel destination 64.108.9.2
> > crypto map test
> > !
> > interface Ethernet0/0
> > ip address 64.108.1.34 255.255.255.224
> > no ip directed-broadcast
> > ip pim sparse-mode
> > crypto map test
> >
> > access-list 150 permit ip host 64.108.68.8 host 64.108.68.6
> >
> >
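
Added example, not part of the original thread: a small Python parser for "debug crypto isakmp" / "debug crypto ipsec" output like the one posted above. It groups ISAKMP lines by SA id, flags SAs that show only MM_NO_STATE plus retransmits, and decodes the proxy identities (address/mask/protocol/port, where IP protocol 47 is GRE). The sample lines are taken from the debug above with the e-mail wrapping undone; the function names are this example's own.

```python
import re
from collections import defaultdict

# Sample lines excerpted from the debug output in the message above, with the
# e-mail line wrapping undone.
SAMPLE = """\
01:20:00: IPSEC(key_engine): request timer fired: count = 1,
    local_proxy= 64.108.1.34/255.255.255.255/47/0 (type=1),
    remote_proxy= 64.108.9.2/255.255.255.255/47/0 (type=1)
01:20:00: ISAKMP (41): retransmitting phase 1...
01:20:00: ISAKMP (41): sending packet to 64.108.9.2 (I) MM_NO_STATE
01:20:15: ISAKMP (41): deleting SA
01:20:31: ISAKMP (42): beginning Main Mode exchange
01:20:31: ISAKMP (42): sending packet to 64.108.9.2 (I) MM_NO_STATE
01:20:46: ISAKMP (42): retransmitting phase 1...
01:20:46: ISAKMP (42): sending packet to 64.108.9.2 (I) MM_NO_STATE
"""

ISAKMP = re.compile(r"ISAKMP \((\d+)\): (.+)")
SEND = re.compile(r"sending packet to (\S+) \(([IR])\) (\w+)")
PROXY = re.compile(r"(local|remote)_proxy= ([\d.]+)/([\d.]+)/(\d+)/(\d+)")
IP_PROTO = {"47": "GRE", "50": "ESP", "6": "TCP", "17": "UDP", "0": "any"}

def proxies(log):
    """Return the set of (side, address, mask, protocol, port) identities."""
    return {(s, a, m, IP_PROTO.get(p, p), int(port))
            for s, a, m, p, port in PROXY.findall(log)}

def phase1_summary(log):
    """Per ISAKMP SA id: peer, states seen, retransmit count, and a verdict."""
    sas = defaultdict(lambda: {"peer": None, "states": set(),
                               "retransmits": 0, "deleted": False})
    for line in log.splitlines():
        m = ISAKMP.search(line)
        if not m:
            continue
        sa, msg = sas[int(m.group(1))], m.group(2)
        if "retransmitting phase 1" in msg:
            sa["retransmits"] += 1
        elif msg.startswith("deleting SA"):
            sa["deleted"] = True
        elif (s := SEND.match(msg)):
            sa["peer"] = s.group(1)
            sa["states"].add(s.group(3))
    for sa in sas.values():
        # Only MM_NO_STATE plus retransmits: no reply to the first Main Mode
        # packet was processed, so phase 1 never progressed for this SA.
        sa["no_reply"] = sa["states"] == {"MM_NO_STATE"} and sa["retransmits"] > 0
    return dict(sas)
```
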


