From: michael robertson (michael_w_2ca@xxxxxxxx)
Date: Thu Oct 18 2001 - 18:03:13 GMT-3
Hi group, the following shows my configs for
IPSEC 394 (FATKID). I think that the solution gives
two useless default routes for R2 and R4, so I deleted
them in my config:
-----------------------------------------------
R1
interface Serial0/0
ip address 207.122.1.1 255.255.255.240
no fair-queue
clockrate 2000000
!
interface Serial0/1
ip address 207.122.2.1 255.255.255.240
clockrate 2000000
-------------
R2
interface FastEthernet1/0
ip address 10.1.1.2 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Serial1/0
ip address 207.122.1.2 255.255.255.240
ip nat outside
no fair-queue
!
interface FastEthernet1/1
no ip address
shutdown
ip route 0.0.0.0 0.0.0.0 207.122.1.1
no ip http server
!
!
-----------------------
R3
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 207.122.1.5
!
!
crypto ipsec transform-set myset1 esp-des esp-md5-hmac
!
crypto map tor5 10 ipsec-isakmp
set peer 207.122.1.5
set transform-set myset1
match address 101
!
!
!
!
!
interface Loopback0
ip address 10.2.2.3 255.255.255.0
interface TokenRing0/0
ip address 10.2.1.3 255.255.255.0
ring-speed 16
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.2.1.4
no ip http server
!
access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 101 permit ip host 207.122.1.5 10.1.0.0 0.0.255.255
!
!
------------------------------------
R4
interface Serial1/0
ip address 207.122.2.4 255.255.255.240
ip nat outside
no fair-queue
!
interface TokenRing1/0
ip address 10.2.1.4 255.255.255.0
ip nat inside
interface Serial1/1
no ip address
shutdown
clockrate 2000000
!
ip nat inside source static 10.2.1.3 207.122.2.3
ip classless
ip route 0.0.0.0 0.0.0.0 207.122.2.1
no ip http server
!
!
----------------
R5
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 207.122.2.3
!
!
crypto ipsec transform-set myset1 esp-des esp-md5-hmac
!
crypto map tor3 10 ipsec-isakmp
set peer 207.122.2.3
set transform-set myset1
match address 101
!
!
!
!
!
interface Loopback0
ip address 10.1.2.5 255.255.255.0
interface FastEthernet1/0
ip address 10.1.1.5 255.255.255.0
duplex auto
speed auto
crypto map tor3
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.2
no ip http server
!
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
!
------------------------------------------
--- "Rogell, Dennis" <Dennis_Rogell@milgo.com> wrote:
> Michael
> Can you post your configs so the group can help
>
> Dennis Rogell CNE, CCNP
> nextira
> Formally Milgo Solutions
> Email : dennis_rogell@milgo.com
> Phone: (954) 846-5128
>
> > -----Original Message-----
> > From: michael robertson [SMTP:michael_w_2ca@yahoo.ca]
> > Sent: Thursday, October 18, 2001 00:00
> > To: ccielab@groupstudy.com
> > Subject: GET STUCK AT FATKID 394 IPSEC-NAT
> >
> > Hi, who has done fatkid 394? It seems that fatkid
> > always has some problem, not well designed.
> >
> > For fatkid 394, the scenario is at
> > http://www.fatkid.com/html/394_ipsec-nat.html
> >
> > I have configured vpn between R5 and R3, I still can't
> > ping from R3 to R5 or vice versa.
> >
> > The solution gives R5's VPN peer as R3's global
> > address, is this correct??
> >
> > It seems that R2's default route to 10.2.0.0 via
> > 10.1.1.5 is totally wrong?
> >
> > If anybody has done this, it will be great to get your
> > help. The following is the debug output while I ping from
> > one side to the other.
> >
> >
> >
> > Thanks and regards
> >
> >
> > michael
> >
> > 22r1#debug cry ip
> > Crypto IPSEC debugging is on
> > 22r1#debug cry isa
> > Crypto ISAKMP debugging is on
> > 22r1#ping 10.2.2.3
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 10.2.2.3, timeout is 2 seconds:
> >
> > 10:20:57: IPSEC(sa_request): ,
> >   (key eng. msg.) src= 10.1.1.5, dest= 207.122.2.3,
> >     src_proxy= 10.1.0.0/255.255.0.0/0/0 (type=4),
> >     dest_proxy= 10.2.0.0/255.255.0.0/0/0 (type=4),
> >     protocol= AH, transform= ah-md5-hmac ,
> >     lifedur= 3600s and 4608000kb,
> >     spi= 0x5E264A3F(1579567679), conn_id= 0, keysize= 0, flags= 0x4004
> > 10:20:57: IPSEC(sa_request): ,
> >   (key eng. msg.) src= 10.1.1.5, dest= 207.122.2.3,
> >     src_proxy= 10.1.0.0/255.255.0.0/0/0 (type=4),
> >     dest_proxy= 10.2.0.0/255.255.0.0/0/0 (type=4),
> >     protocol= ESP, transform= esp-des ,
> >     lifedur= 3600s and 4608000kb,
> >     spi= 0x85CE227D(2244878973), conn_id= 0, keysize= 0, flags= 0x4004
> > 10:20:57: ISAKMP: received ke message (1/2)
> > 10:20:57: ISAKMP (0:1): beginning Main Mode exchange
> > 10:20:57: ISAKMP (0:1): sending packet to 207.122.2.3 (I) MM_NO_STATE
> > 10:20:57: ISAKMP (0:1): received packet from 207.122.2.3 (I) MM_NO_STATE
> > 10:20:57: ISAKMP (0:1): processing SA payload. message ID = 0
> > 10:20:57: ISAKMP (0:1): found peer pre-shared key matching 207.122.2.3
> > 10:20:57: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
> > 10:20:57: ISAKMP:      encryption DES-CBC
> > 10:20:57: ISAKMP:      hash MD5
> > 10:20:57: ISAKMP:      default group 1
> > 10:20:57: ISAKMP:      auth pre-share
> > 10:20:57: ISAKMP (0:1): atts are acceptable. Next payload is 0
> > 10:20:57: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
> > 10:20:57: ISAKMP (0:1): sending packet to 207.122.2.3 (I) MM_SA_SETUP
> > 10:20:58: ISAKMP (0:1): received packet from 207.122.2.3 (I) MM_SA_SETUP
> > 10:20:58: ISAKMP (0:1): processing KE payload. message ID = 0
> > 10:20:58: ISAKMP (0:1): processing NONCE payload. message ID = 0
> > 10:20:58: ISAKMP (0:1): found peer pre-shared key matching 207.122.2.3
> > 10:20:58: ISAKMP (0:1): SKEYID state generated
> > 10:20:58: ISAKMP (0:1): processing vendor id payload
> > 10:20:58: ISAKMP (0:1): speaking to another IOS box!
> > 10:20:58: ISAKMP (1): ID payload
> >         next-payload : 8
> >         type         : 1
> >         protocol     : 17
> >         port         : 500
> >         length       : 8
> > 10:20:58: ISAKMP (1): Total payload length: 12
> > 10:20:58: ISAKMP (0:1): sending packet to 207.122.2.3 (I) MM_KEY_EXCH
> > 10:20:58: ISAKMP (0:1): received packet from 207.122.2.3 (I) MM_KEY_EXCH
> > 10:20:58: ISAKMP (0:1): processing ID payload. message ID = 0
> > 10:20:58: ISAKMP (0:1): processing HASH payload. message ID = 0
> > 10:20:58: ISAKMP (0:1): SA has been authenticated with 207.122.2.3
> > 10:20:58: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 998060358
> > 10:20:58: ISAKMP (0:1): sending packet to 207.122.2.3 (I) QM_IDLE
> > 10:20:58: ISAKMP (0:1): received packet from 207.122.2.3 (I) QM_IDLE
> > 10:20:58: ISAKMP (0:1): processing HASH payload. message ID = -422158728
> > 10:20:58: ISAKMP (0:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 0 spi 0, message ID = -422158728
> > 10:20:58: ISAKMP (0:1): deleting node -422158728 error FALSE reason "informational (in) state 1"
> > 10:20:58: IPSEC(key_engine): got a queue event...
> > 10:20:58: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
> > 10:20:58: IPSEC(key_engine_delete_sas): delete all SAs shared with 207.122.2.3
> > ....
> > Success rate is 0 percent (0/5)
> > 22r1#
> >
> >
>
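Added example, not part of the original post or of the FatKID solution: a Python script that runs, against the R3/R5 configs posted above, the mirror-image checks a practitioner would do before reading the debug: is the crypto map applied to an interface, is each `set peer` the far side's static-NAT inside-global address, is the pre-shared key bound to that post-NAT address, do the transform sets match by content, and do the crypto ACLs mirror each other exactly. It then reads the posted `debug crypto ipsec` / `debug crypto isakmp` excerpt to say where IKE stopped and what the initiator actually proposed. The config and debug text inside the script is trimmed from the post (the `cisco` key is the lab key shown there); the R2 static NAT line is absent because the posted R2 config stops at the pager prompt, so the script reports that check as "not found" rather than guessing the missing line. Everything else (function names, the finding strings) is the editor's own.

```python
"""Mirror-image checks for an IPsec pair behind static NAT, plus what the initiator
actually proposed in 'debug crypto ipsec'.  Editor-added example; configs and debug
lines are trimmed from the post (R2's static NAT line is missing there, so that
check reports 'not found' instead of guessing it)."""
import re
from ipaddress import ip_network

R5_CFG = """crypto isakmp key cisco address 207.122.2.3
crypto ipsec transform-set myset1 esp-des esp-md5-hmac
crypto map tor3 10 ipsec-isakmp
 set peer 207.122.2.3
 set transform-set myset1
 match address 101
interface FastEthernet1/0
 crypto map tor3
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
"""
R3_CFG = """crypto isakmp key cisco address 207.122.1.5
crypto ipsec transform-set myset1 esp-des esp-md5-hmac
crypto map tor5 10 ipsec-isakmp
 set peer 207.122.1.5
 set transform-set myset1
 match address 101
access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 101 permit ip host 207.122.1.5 10.1.0.0 0.0.255.255
"""
R2_CFG = ""  # NAT router in front of R5: no static entry visible in the post
R4_CFG = "ip nat inside source static 10.2.1.3 207.122.2.3\n"  # in front of R3
DEBUG = """10:20:57: IPSEC(sa_request): ,
    protocol= AH, transform= ah-md5-hmac ,
10:20:57: IPSEC(sa_request): ,
    protocol= ESP, transform= esp-des ,
10:20:58: ISAKMP (0:1): SA has been authenticated with 207.122.2.3
10:20:58: ISAKMP (0:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 0
"""


def _acl_net(t):
    """One IOS ACL address spec ('host A' or 'A wildcard') -> (network, remaining tokens)."""
    if t[0] == "host":
        return ip_network(t[1] + "/32"), t[2:]
    mask = ".".join(str(255 - int(o)) for o in t[1].split("."))  # wildcard -> netmask
    return ip_network(f"{t[0]}/{mask}"), t[2:]


def parse_crypto(cfg):
    """Keys, transform sets, crypto maps, where they are applied, and crypto ACLs."""
    d = {"keys": {}, "ts": {}, "maps": {}, "applied": [], "acls": {}}
    cur_map = cur_if = None
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"crypto isakmp key (\S+) address (\S+)$", line):
            d["keys"][m[2]] = m[1]
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            d["ts"][m[1]] = frozenset(m[2].split())  # IOS matches sets by content, not name
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", line):
            cur_map, cur_if = d["maps"].setdefault(m[1], {}), None
        elif m := re.match(r"interface (\S+)$", line):
            cur_if, cur_map = m[1], None
        elif (m := re.match(r"crypto map (\S+)$", line)) and cur_if:
            d["applied"].append((cur_if, m[1]))
        elif m := re.match(r"access-list (\S+) permit ip (.+)$", line):
            src, rest = _acl_net(m[2].split())
            d["acls"].setdefault(m[1], []).append((src, _acl_net(rest)[0]))
        elif cur_map is not None and (m := re.match(r"(?:set|match) (\S+) (\S+)$", line)):
            cur_map[m[1]] = m[2]  # peer, transform-set, address
    return d


def check_peers(a, b):
    """a, b: {'name','cfg','nat_name','nat_cfg'}; nat_cfg is the static-NAT router in front
    of that endpoint.  Returns findings; empty when the two sides mirror each other."""
    parsed = {s["name"]: parse_crypto(s["cfg"]) for s in (a, b)}
    out = []
    for side, other in ((a, b), (b, a)):
        n, p, q = side["name"], parsed[side["name"]], parsed[other["name"]]
        globals_ = set(re.findall(r"ip nat inside source static \S+ (\S+)", other["nat_cfg"]))
        q_pairs = {pair for acl in q["acls"].values() for pair in acl}
        if not p["applied"]:
            out.append(f"{n}: crypto map is not applied to any interface")
        for m in p["maps"].values():
            peer = m.get("peer")
            if peer not in p["keys"]:  # key must be bound to the post-NAT peer address
                out.append(f"{n}: no isakmp key for peer {peer}")
            if peer not in globals_:  # peer must be the far side's inside-global address
                out.append(f"{n}: peer {peer} is not a static NAT global on {other['nat_name']}")
            if p["ts"].get(m.get("transform-set")) not in q["ts"].values():
                out.append(f"{n}: transform-set {m.get('transform-set')} has no equal set on {other['name']}")
            for src, dst in p["acls"].get(m.get("address"), []):
                if (dst, src) not in q_pairs:  # crypto ACLs must be exact mirrors
                    out.append(f"{n}: ACL {m['address']} entry {src}->{dst} has no mirror on {other['name']}")
    return out


def findings_for_post():
    """Checks on the post's configs, then what the post's debug says about the negotiation."""
    r5 = {"name": "R5", "cfg": R5_CFG, "nat_name": "R2", "nat_cfg": R2_CFG}
    r3 = {"name": "R3", "cfg": R3_CFG, "nat_name": "R4", "nat_cfg": R4_CFG}
    out = check_peers(r5, r3)
    if "SA has been authenticated" in DEBUG and (nt := re.search(r"processing NOTIFY (\S+)", DEBUG)):
        out.append(f"R5: Phase 1 authenticated, Phase 2 rejected with {nt[1]}")
    proposed = frozenset(re.findall(r"protocol= \S+, transform= (\S+) ,", DEBUG))  # sa_request lines
    cfg_ts = parse_crypto(R5_CFG)["ts"]["myset1"]
    if proposed != cfg_ts:
        out.append(f"R5: debug proposes {sorted(proposed)}, config has {sorted(cfg_ts)}")
    return out
```

On the posted text this reports: R3 applies no crypto map to an interface; R3's second ACL 101 line (host 207.122.1.5 to 10.1.0.0/16) has no mirror on R5; R3's peer 207.122.1.5 cannot be matched to a static entry on R2 because that part of the paste is cut; Phase 1 authenticated and Phase 2 was rejected by the far side with PROPOSAL_NOT_CHOSEN; and the debug's `IPSEC(sa_request)` lines ask for AH (ah-md5-hmac) plus ESP (esp-des), while both posted transform sets are `esp-des esp-md5-hmac`, so the debug was captured against a different transform set than the configs shown. Keying the pre-shared key to the far side's static inside-global address, as both configs do, is the right choice with one-to-one static NAT: IKE and ESP pass such a translation unchanged, and the responder looks the key up by the source address it sees after NAT, which is why Phase 1 completes in the debug.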
This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 22:33:21 GMT-3