RE: GET STUCKED AT FATKID 394 IPSEC-NAT (with configuration)

From: Ron Royston (ccie6824@xxxxxxxxxxx)
Date: Thu Oct 18 2001 - 19:00:39 GMT-3


   
You don't have a crypto-map applied to an interface on R3, or you don't show
it to us. Your ACL in the crypto-map is what decides what gets
tunneled/encrypted. If you are using IPSec only (as opposed to IPSec w/ GRE
tunneling), the ACL should permit network-to-network traffic. If this ACL
is different on the peer, i.e., if it's not a mirror image, the IPSec will
probably fail.

>From: michael robertson <michael_w_2ca@yahoo.ca>
>Reply-To: michael robertson <michael_w_2ca@yahoo.ca>
>To: "Rogell, Dennis" <Dennis_Rogell@milgo.com>
>CC: ccielab@groupstudy.com
>Subject: RE: GET STUCKED AT FATKID 394 IPSEC-NAT (with configuration)
>Date: Thu, 18 Oct 2001 17:03:13 -0400 (EDT)
>
>Hi, group. The following shows my configs for the
>IPSEC 394 (FATKID). I think that the solution gives
>two useless default routes for R2 and R4, so I deleted
>them in my config:
>
>
>-----------------------------------------------
>R1
>
>
>
>interface Serial0/0
> ip address 207.122.1.1 255.255.255.240
> no fair-queue
> clockrate 2000000
>!
>
>
>interface Serial0/1
> ip address 207.122.2.1 255.255.255.240
> clockrate 2000000
>
>
>
>-------------
>R2
>
>
>interface FastEthernet1/0
> ip address 10.1.1.2 255.255.255.0
> ip nat inside
> duplex auto
> speed auto
>!
>interface Serial1/0
> ip address 207.122.1.2 255.255.255.240
> ip nat outside
> no fair-queue
>!
>interface FastEthernet1/1
> no ip address
> shutdown
>
>ip route 0.0.0.0 0.0.0.0 207.122.1.1
>no ip http server
>!
>!
>-----------------------
>
>R3
>
>crypto isakmp policy 1
> authentication pre-share
>crypto isakmp key cisco address 207.122.1.5
>!
>!
>crypto ipsec transform-set myset1 esp-des esp-md5-hmac
>!
>crypto map tor5 10 ipsec-isakmp
> set peer 207.122.1.5
> set transform-set myset1
> match address 101
>!
>!
>!
>!
>!
>interface Loopback0
> ip address 10.2.2.3 255.255.255.0
>!
>interface TokenRing0/0
> ip address 10.2.1.3 255.255.255.0
> ring-speed 16
>
>
>!
>ip classless
>ip route 0.0.0.0 0.0.0.0 10.2.1.4
>no ip http server
>!
>access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
>access-list 101 permit ip host 207.122.1.5 10.1.0.0 0.0.255.255
>!
>!
>
>------------------------------------
>
>
>
>R4
>
>
>interface Serial1/0
> ip address 207.122.2.4 255.255.255.240
> ip nat outside
> no fair-queue
>!
>interface TokenRing1/0
> ip address 10.2.1.4 255.255.255.0
> ip nat inside
>
>
>interface Serial1/1
> no ip address
> shutdown
> clockrate 2000000
>!
>ip nat inside source static 10.2.1.3 207.122.2.3
>ip classless
>ip route 0.0.0.0 0.0.0.0 207.122.2.1
>no ip http server
>!
>!
>
>
>
>----------------
>
>R5
>
>
>!
>crypto isakmp policy 1
> authentication pre-share
>crypto isakmp key cisco address 207.122.2.3
>!
>!
>crypto ipsec transform-set myset1 esp-des esp-md5-hmac
>!
>crypto map tor3 10 ipsec-isakmp
> set peer 207.122.2.3
> set transform-set myset1
> match address 101
>!
>!
>!
>!
>!
>interface Loopback0
> ip address 10.1.2.5 255.255.255.0
>
>
>interface FastEthernet1/0
> ip address 10.1.1.5 255.255.255.0
> duplex auto
> speed auto
> crypto map tor3
>!
>
>ip classless
>ip route 0.0.0.0 0.0.0.0 10.1.1.2
>no ip http server
>!
>access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
>!
>!
>
>------------------------------------------
>
>--- "Rogell, Dennis" <Dennis_Rogell@milgo.com> wrote:
> > Michael
> > Can you post your configs so the group can help
> >
> > Dennis Rogell CNE, CCNP
> > nextira
> > Formerly Milgo Solutions
> > Email : dennis_rogell@milgo.com
> > Phone: (954) 846-5128
> >
> > > -----Original Message-----
> > > From: michael robertson
> > [SMTP:michael_w_2ca@yahoo.ca]
> > > Sent: Thursday, October 18, 2001 00:00
> > > To: ccielab@groupstudy.com
> > > Subject: GET STUCKED AT FATKID 394 IPSEC-NAT
> > >
> > > Hi, who has done fatkid 394? It seems that fatkid
> > > always has some problems, not well designed.
> > >
> > > For fatkid 394, the scenario is at
> > > http://www.fatkid.com/html/394_ipsec-nat.html
> > >
> > > I have configured a VPN between R5 and R3, I still can't
> > > ping from R3 to R5 or vice versa.
> > >
> > > The solution gives R5's VPN peer as R3's global
> > > address, is this correct??
> > >
> > > It seems that R2's default route to 10.2.0.0 via
> > > 10.1.1.5 is totally wrong?
> > >
> > > If anybody has done this, it would be great to get your
> > > help. The following are the debugs while I ping from
> > > one side to the other.
> > >
> > >
> > >
> > > Thanks and regards
> > >
> > >
> > > michael
> > >
> > > 22r1#debug cry ip
> > > Crypto IPSEC debugging is on
> > > 22r1#debug cry isa
> > > Crypto ISAKMP debugging is on
> > > 22r1#ping 10.2.2.3
> > >
> > > Type escape sequence to abort.
> > > Sending 5, 100-byte ICMP Echos to 10.2.2.3, timeout is 2 seconds:
> > >
> > > 10:20:57: IPSEC(sa_request): ,
> > >   (key eng. msg.) src= 10.1.1.5, dest= 207.122.2.3,
> > >     src_proxy= 10.1.0.0/255.255.0.0/0/0 (type=4),
> > >     dest_proxy= 10.2.0.0/255.255.0.0/0/0 (type=4),
> > >     protocol= AH, transform= ah-md5-hmac ,
> > >     lifedur= 3600s and 4608000kb,
> > >     spi= 0x5E264A3F(1579567679), conn_id= 0, keysize= 0, flags= 0x4004
> > > 10:20:57: IPSEC(sa_request): ,
> > >   (key eng. msg.) src= 10.1.1.5, dest= 207.122.2.3,
> > >     src_proxy= 10.1.0.0/255.255.0.0/0/0 (type=4),
> > >     dest_proxy= 10.2.0.0/255.255.0.0/0/0 (type=4),
> > >     protocol= ESP, transform= esp-des ,
> > >     lifedur= 3600s and 4608000kb,
> > >     spi= 0x85CE227D(2244878973), conn_id= 0, keysize= 0, flags= 0x4004
> > > 10:20:57: ISAKMP: received ke message (1/2)
> > > 10:20:57: ISAKMP (0:1): beginning Main Mode exchange
> > > 10:20:57: ISAKMP (0:1): sending packet to 207.122.2.3 (I) MM_NO_STATE
> > > 10:20:57: ISAKMP (0:1): received packet from 207.122.2.3 (I) MM_NO_STATE
> > > 10:20:57: ISAKMP (0:1): processing SA payload. message ID = 0
> > > 10:20:57: ISAKMP (0:1): found peer pre-shared key matching 207.122.2.3
> > > 10:20:57: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
> > > 10:20:57: ISAKMP:      encryption DES-CBC
> > > 10:20:57: ISAKMP:      hash MD5
> > > 10:20:57: ISAKMP:      default group 1
> > > 10:20:57: ISAKMP:      auth pre-share
> > > 10:20:57: ISAKMP (0:1): atts are acceptable. Next payload is 0
> > > 10:20:57: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
> > > 10:20:57: ISAKMP (0:1): sending packet to 207.122.2.3 (I) MM_SA_SETUP
> > > 10:20:58: ISAKMP (0:1): received packet from 207.122.2.3 (I) MM_SA_SETUP
> > > 10:20:58: ISAKMP (0:1): processing KE payload. message ID = 0
> > > 10:20:58: ISAKMP (0:1): processing NONCE payload. message ID = 0
> > > 10:20:58: ISAKMP (0:1): found peer pre-shared key matching 207.122.2.3
> > > 10:20:58: ISAKMP (0:1): SKEYID state generated
> > > 10:20:58: ISAKMP (0:1): processing vendor id payload
> > > 10:20:58: ISAKMP (0:1): speaking to another IOS box!
> > > 10:20:58: ISAKMP (1): ID payload
> > >         next-payload : 8
> > >         type         : 1
> > >         protocol     : 17
> > >         port         : 500
> > >         length       : 8
> > > 10:20:58: ISAKMP (1): Total payload length: 12
> > > 10:20:58: ISAKMP (0:1): sending packet to 207.122.2.3 (I) MM_KEY_EXCH
> > > 10:20:58: ISAKMP (0:1): received packet from 207.122.2.3 (I) MM_KEY_EXCH
> > > 10:20:58: ISAKMP (0:1): processing ID payload. message ID = 0
> > > 10:20:58: ISAKMP (0:1): processing HASH payload. message ID = 0
> > > 10:20:58: ISAKMP (0:1): SA has been authenticated with 207.122.2.3
> > > 10:20:58: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 998060358
> > > 10:20:58: ISAKMP (0:1): sending packet to 207.122.2.3 (I) QM_IDLE
> > > 10:20:58: ISAKMP (0:1): received packet from 207.122.2.3 (I) QM_IDLE
> > > 10:20:58: ISAKMP (0:1): processing HASH payload. message ID = -422158728
> > > 10:20:58: ISAKMP (0:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 0
> > >         spi 0, message ID = -422158728
> > > 10:20:58: ISAKMP (0:1): deleting node -422158728 error FALSE reason "informational (in) state 1"
> > > 10:20:58: IPSEC(key_engine): got a queue event...
> > > 10:20:58: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
> > > 10:20:58: IPSEC(key_engine_delete_sas): delete all SAs shared with 207.122.2.3
> > > ....
> > > Success rate is 0 percent (0/5)
> > > 22r1#
> > >
> > >
> >
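Ron's two checks at the top of this message (the crypto map has to be applied to an interface, and the crypto ACLs on the two peers have to be mirror images of each other) can be run mechanically against the posted configs. The script below is an added example, not part of the thread and not a Cisco tool: `Ace`, `parse_config`, `_crypto_aces` and `check_peer_pair` are names of my own, and `R3_CONFIG` / `R5_CONFIG` are the crypto-map, interface and ACL fragments of the R3 and R5 configs quoted above (R3's garbled `nterface` line read as `interface TokenRing0/0`). It only understands `permit ip` entries, which is all a crypto ACL normally carries, and it does not check peer addresses or transform sets.

```python
"""Run Ron's two checks against a pair of IOS IPsec peers: (1) every crypto map
defined is applied to an interface, (2) the crypto ACLs the maps match on are
mirror images. Added example, not from the thread; R3_CONFIG and R5_CONFIG are
the crypto-map, interface and ACL fragments of the configs posted there."""
from __future__ import annotations
import re
from typing import NamedTuple

class Ace(NamedTuple):
    src: str      # "host x" is stored as x with wildcard 0.0.0.0
    src_wc: str
    dst: str
    dst_wc: str

    def mirror(self) -> Ace:
        """The entry the peer must carry for this one to be matched."""
        return Ace(self.dst, self.dst_wc, self.src, self.src_wc)

# Only 'permit ip' entries are parsed; that is what a crypto ACL normally holds.
ACE_RE = re.compile(r"^access-list\s+(\d+)\s+permit\s+ip\s+"
                    r"(host\s+\S+|any|\S+\s+\S+)\s+(host\s+\S+|any|\S+\s+\S+)$")

def _endpoint(tok: str) -> tuple[str, str]:
    parts = tok.split()
    if parts[0] == "host":
        return parts[1], "0.0.0.0"
    if parts[0] == "any":
        return "0.0.0.0", "255.255.255.255"
    return parts[0], parts[1]

def parse_config(text: str) -> dict:
    """Collect crypto maps (ACL matched, interfaces applied on) and ACL entries."""
    maps, acls = {}, {}
    cur_map = cur_if = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):      # a top-level command ends any sub-block
            cur_map = cur_if = None
        if m := re.match(r"^crypto map (\S+) \d+ ipsec-isakmp", line):
            cur_map = m.group(1)
            maps.setdefault(cur_map, {"acl": None, "applied": []})
        elif m := re.match(r"^interface (\S+)", line):
            cur_if = m.group(1)
        elif cur_map and (m := re.match(r"^ +match address (\d+)", line)):
            maps[cur_map]["acl"] = m.group(1)
        elif cur_if and (m := re.match(r"^ +crypto map (\S+)", line)):
            maps.setdefault(m.group(1), {"acl": None, "applied": []})["applied"].append(cur_if)
        elif m := ACE_RE.match(line):
            acls.setdefault(m.group(1), []).append(
                Ace(*_endpoint(m.group(2)), *_endpoint(m.group(3))))
    return {"maps": maps, "acls": acls}

def _crypto_aces(cfg: dict) -> list[Ace]:
    # Entries of every ACL that some crypto map on this router matches on.
    return [ace for info in cfg["maps"].values()
            for ace in cfg["acls"].get(info["acl"], [])]

def check_peer_pair(cfg_a: str, cfg_b: str, name_a: str = "A", name_b: str = "B") -> list[str]:
    """Return findings; an empty list means both checks pass for this peer pair."""
    peers = ((name_a, parse_config(cfg_a)), (name_b, parse_config(cfg_b)))
    findings: list[str] = []
    for name, cfg in peers:
        for mname, info in cfg["maps"].items():
            if not info["applied"]:
                findings.append(f"{name}: crypto map {mname} is not applied to any interface")
    for (mine, cfg), (theirs, peer) in (peers, peers[::-1]):
        peer_aces = _crypto_aces(peer)
        for ace in _crypto_aces(cfg):
            if ace.mirror() not in peer_aces:
                findings.append(f"{mine}: crypto ACE [{' '.join(ace)}] has no mirror image on {theirs}")
    return findings

R3_CONFIG = """\
crypto map tor5 10 ipsec-isakmp
 set peer 207.122.1.5
 set transform-set myset1
 match address 101
!
interface TokenRing0/0
 ip address 10.2.1.3 255.255.255.0
!
access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 101 permit ip host 207.122.1.5 10.1.0.0 0.0.255.255
"""

R5_CONFIG = """\
crypto map tor3 10 ipsec-isakmp
 set peer 207.122.2.3
 set transform-set myset1
 match address 101
!
interface FastEthernet1/0
 ip address 10.1.1.5 255.255.255.0
 crypto map tor3
!
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
"""

if __name__ == "__main__":
    for finding in check_peer_pair(R3_CONFIG, R5_CONFIG, "R3", "R5") or ["no findings"]:
        print(finding)
```

Run against the posted fragments it reports two findings: R3's crypto map tor5 is not applied to any interface, and R3's second ACE (host 207.122.1.5 to 10.1.0.0/16) has no mirror image in R5's ACL 101. Adding `crypto map tor5` under R3's TokenRing0/0 and dropping that second ACE clears both findings; whether the lab then passes traffic also depends on the NAT and peer-address questions raised in the thread, which this check does not look at.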



This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 22:33:21 GMT-3