GET STUCK AT FATKID 394 IPSEC-NAT

From: michael robertson (michael_w_2ca@xxxxxxxx)
Date: Thu Oct 18 2001 - 03:59:44 GMT-3

Hi, who has done Fatkid 394? It seems that Fatkid
always has some problem; it is not well designed.

For Fatkid 394, the scenario is at
http://www.fatkid.com/html/394_ipsec-nat.html

I have configured vpn between R5 and R3, I still can't
ping from R3 to R5 or vice versa.

The solution gives R5's VPN peer as R3's global
address; is this correct?

It seems that R2's default route to 10.2.0.0 via
10.1.1.5 is totally wrong?

If anybody has done this, it would be great to get your
help. The following is the debug output while I ping from
one side to the other.

Thanks and regards

michael

22r1#debug cry ip
Crypto IPSEC debugging is on
22r1#debug cry isa
Crypto ISAKMP debugging is on
22r1#ping 10.2.2.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.3, timeout is
2 seconds:

10:20:57: IPSEC(sa_request): ,
  (key eng. msg.) src= 10.1.1.5, dest= 207.122.2.3,
    src_proxy= 10.1.0.0/255.255.0.0/0/0 (type=4),
    dest_proxy= 10.2.0.0/255.255.0.0/0/0 (type=4),
    protocol= AH, transform= ah-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x5E264A3F(1579567679), conn_id= 0, keysize=
0, flags= 0x4004
10:20:57: IPSEC(sa_request): ,
  (key eng. msg.) src= 10.1.1.5, dest= 207.122.2.3,
    src_proxy= 10.1.0.0/255.255.0.0/0/0 (type=4),
    dest_proxy= 10.2.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-des ,
    lifedur= 3600s and 4608000kb,
    spi= 0x85CE227D(2244878973), conn_id= 0, keysize=
0, flags= 0x4004
10:20:57: ISAKMP: received ke message (1/2)
10:20:57: ISAKMP (0:1): beginning Main Mode exchange
10:20:57: ISAKMP (0:1): sending packet to 207.122.2.3
(I) MM_NO_STATE
10:20:57: ISAKMP (0:1): received packet from
207.122.2.3 (I) MM_NO_STATE
10:20:57: ISAKMP (0:1): processing SA payload. message
ID = 0
10:20:57: ISAKMP (0:1): found peer pre-shared key
matching 207.122.2.3
10:20:57: ISAKMP (0:1): Checking ISAKMP transform 1
against priority 1 policy
10:20:57: ISAKMP: encryption DES-CBC
10:20:57: ISAKMP: hash MD5
10:20:57: ISAKMP: default group 1
10:20:57: ISAKMP: auth pre-share
10:20:57: ISAKMP (0:1): atts are acceptable. Next
payload is 0
10:20:57: ISAKMP (0:1): SA is doing pre-shared key
authentication using id type
ID_IPV4_ADDR
10:20:57: ISAKMP (0:1): sending packet to 207.122.2.3
(I) MM_SA_SETUP
10:20:58: ISAKMP (0:1): received packet from
207.122.2.3 (I) MM_SA_SETUP
10:20:58: ISAKMP (0:1): processing KE payload. message
ID = 0
10:20:58: ISAKMP (0:1): processing. NONCE payload.
message ID = 0
10:20:58: ISAKMP (0:1): found peer pre-shared key
matching 207.122.2.3
10:20:58: ISAKMP (0:1): SKEYID state generated
10:20:58: ISAKMP (0:1): processing vendor id payload
10:20:58: ISAKMP (0:1): speaking to another IOS box!
10:20:58: ISAKMP (1): ID payload
        next-payload : 8
        type : 1
        protocol : 17
        port : 500
        length : 8
10:20:58: ISAKMP (1): Total payload length: 12
10:20:58: ISAKMP (0:1): sending packet to 207.122.2.3
(I) MM_KEY_EXCH
10:20:58: ISAKMP (0:1): received packet from
207.122.2.3 (I) MM_KEY_EXCH
10:20:58: ISAKMP (0:1): processing ID payload. message
ID = 0
10:20:58: ISAKMP (0:1): processing HASH payload.
message ID = 0
10:20:58: ISAKMP (0:1): SA has been authenticated with
207.122.2.3
10:20:58: ISAKMP (0:1): beginning Quick Mode exchange,
M-ID of 998060358
10:20:58: ISAKMP (0:1): sending packet to 207.122.2.3
(I) QM_IDLE
10:20:58: ISAKMP (0:1): received packet from
207.122.2.3 (I) QM_IDLE
10:20:58: ISAKMP (0:1): processing HASH payload.
message ID = -422158728
10:20:58: ISAKMP (0:1): processing NOTIFY
PROPOSAL_NOT_CHOSEN protocol 0
        spi 0, message ID = -422158728
10:20:58: ISAKMP (0:1): deleting node -422158728 error
FALSE reason "information
al (in) state 1"
10:20:58: IPSEC(key_engine): got a queue event...
10:20:58: IPSEC(key_engine_delete_sas): rec'd delete
notify from ISAKMP
10:20:58: IPSEC(key_engine_delete_sas): delete all SAs
shared with 207.122.2.3
  ....
Success rate is 0 percent (0/5)
22r1#
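A small triage script, added here as an example (it is not part of Michael's post or of the Fatkid lab), that reads IOS `debug crypto isakmp` / `debug crypto ipsec` output like the above, rejoins the lines the mail client wrapped, and reports whether the tunnel failed in phase 1 or phase 2. On this debug it finds that the ISAKMP SA authenticated and the peer then answered Quick Mode with PROPOSAL_NOT_CHOSEN, which points at the IPsec proposal (transform set or the proxy identities derived from the crypto ACL) rather than at the pre-shared key, and it prints the mirror-image identities the responder's ACL must permit. The embedded sample is an abbreviated copy of the output above; the function names are the script's own.

```python
import re

# Abbreviated copy of the router's debug output from the post above. Lines without a
# leading timestamp are continuation lines, exactly as IOS and the mail client wrapped them.
SAMPLE_DEBUG = """\
10:20:57: IPSEC(sa_request): ,
  (key eng. msg.) src= 10.1.1.5, dest= 207.122.2.3,
    src_proxy= 10.1.0.0/255.255.0.0/0/0 (type=4),
    dest_proxy= 10.2.0.0/255.255.0.0/0/0 (type=4),
    protocol= AH, transform= ah-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x5E264A3F(1579567679), conn_id= 0, keysize=
0, flags= 0x4004
10:20:57: IPSEC(sa_request): ,
  (key eng. msg.) src= 10.1.1.5, dest= 207.122.2.3,
    src_proxy= 10.1.0.0/255.255.0.0/0/0 (type=4),
    dest_proxy= 10.2.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-des ,
    lifedur= 3600s and 4608000kb,
    spi= 0x85CE227D(2244878973), conn_id= 0, keysize=
0, flags= 0x4004
10:20:57: ISAKMP (0:1): beginning Main Mode exchange
10:20:57: ISAKMP (0:1): found peer pre-shared key
matching 207.122.2.3
10:20:58: ISAKMP (0:1): SA has been authenticated with
207.122.2.3
10:20:58: ISAKMP (0:1): beginning Quick Mode exchange,
M-ID of 998060358
10:20:58: ISAKMP (0:1): processing NOTIFY
PROPOSAL_NOT_CHOSEN protocol 0
        spi 0, message ID = -422158728
10:20:58: IPSEC(key_engine_delete_sas): delete all SAs
shared with 207.122.2.3
"""

TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2}: ")

# Fields of an IPSEC(sa_request) record once it has been joined onto one line.
SA_FIELDS = re.compile(
    r"src= (?P<src>[\d.]+), dest= (?P<dest>[\d.]+), "
    r"src_proxy= (?P<src_proxy>[\d.]+/[\d.]+)/\d+/\d+ \(type=\d+\), "
    r"dest_proxy= (?P<dest_proxy>[\d.]+/[\d.]+)/\d+/\d+ \(type=\d+\), "
    r"protocol= (?P<protocol>\w+), transform= (?P<transform>[\w-]+) ,"
)

HINTS = {
    "phase1": "ISAKMP SA never authenticated: check the peer address, pre-shared key "
              "and ISAKMP policy.",
    "phase2": "Phase 1 succeeded but the peer rejected the Quick Mode proposal: compare "
              "transform sets and make sure the peer's crypto ACL mirrors the proxy "
              "identities (NAT between the peers changes the addresses the responder sees).",
    "ok": "No negotiation failure seen in this debug.",
}


def unwrap(text):
    """Join wrapped continuation lines back onto the record they belong to.
    A record starts with an IOS timestamp; any other non-empty line continues it."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if TIMESTAMP.match(line):
            records.append(line.strip())
        elif records:
            records[-1] += " " + line.strip()
    return records


def parse_sa_request(record):
    """Extract the proposal the initiator sent: tunnel endpoints, proxy identities
    (what the crypto ACL matched) and the IPsec protocol/transform."""
    m = SA_FIELDS.search(record)
    return m.groupdict() if m else None


def mirror_of(sa):
    """Proxy identities the responder must permit for this proposal: the initiator's
    source and destination identities swapped."""
    return {"src_proxy": sa["dest_proxy"], "dest_proxy": sa["src_proxy"]}


def diagnose(text):
    """Classify the failure stage from the debug records and gather the evidence."""
    records = unwrap(text)
    proposals = [p for p in (parse_sa_request(r) for r in records
                             if "IPSEC(sa_request)" in r) if p]
    phase1_ok = any("SA has been authenticated" in r for r in records)
    rejected = any("PROPOSAL_NOT_CHOSEN" in r for r in records)
    sas_deleted = any("delete all SAs" in r for r in records)
    if not phase1_ok:
        stage = "phase1"
    elif rejected or sas_deleted:
        stage = "phase2"
    else:
        stage = "ok"
    return {
        "stage": stage,
        "hint": HINTS[stage],
        "phase1_ok": phase1_ok,
        "peer": proposals[0]["dest"] if proposals else None,
        "transforms": [(p["protocol"], p["transform"]) for p in proposals],
        "responder_must_permit": mirror_of(proposals[0]) if proposals else None,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

The script keys on the ISAKMP milestones IOS prints in order (Main Mode, "SA has been authenticated", Quick Mode, a NOTIFY or SA deletion), so a debug that stops before authentication is reported as a phase-1 problem and one that authenticates and then tears down as a phase-2 problem; the proxy identities it prints are the pair to compare against the remote crypto ACL.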



This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 22:33:21 GMT-3