Re: IPSec

From: George Hansen (HansenG@xxxxxxxxxxxxxxxx)
Date: Thu Nov 01 2001 - 20:07:32 GMT-3


   
I have gotten the "proxy identities not supported" before when my access-lists
weren't mirrored on both routers. Try opening up your access-list 101 and see if
it works, then you can experiment with the access-list from there.

>>> VAUTRIN Olivier <olivier.vautrin@arche.fr> 11/01/01 01:31PM >>>
Hello everybody,

I am trying to set up an IPsec session between 2 routers just for telnet. I am
not able to make it work.

I am using IOS:
R25#sh ver
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS56I-L), Version 11.3(11b)T1, RELEASE
SOFTWARE (fc2)

And I got the error message with debug crypto isakmp+ipsec:

1d21h: ISAKMP (6): sending packet to 135.25.4.1 (R) QM_IDLE
1d21h: ISAKMP (6): received packet from 135.25.4.1 (R) QM_IDLE
1d21h: ISAKMP (6): processing SA payload. message ID = 419961472
1d21h: ISAKMP (6): Checking IPSec proposal 1
1d21h: ISAKMP: transform 1, ESP_DES_IV64
1d21h: ISAKMP: attributes in transform:
1d21h: ISAKMP: encaps is 1
1d21h: ISAKMP: SA life type in seconds
1d21h: ISAKMP: SA life duration (basic) of 3600
1d21h: ISAKMP: SA life type in kilobytes
1d21h: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
1d21h: ISAKMP (6): atts are acceptable.
1d21h: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 135.25.3.1, src= 135.25.4.1,
    dest_proxy= 135.25.3.1/255.255.255.255/6/23 (type=1),
    src_proxy= 135.25.4.1/255.255.255.255/6/0 (type=1),
    protocol= ESP, transform= esp-rfc1829 ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
1d21h: IPSEC(validate_transform_proposal): proxy identities not supported
<-------???????????????
1d21h: ISAKMP: IPSec policy invalidated proposal
1d21h: ISAKMP (6): SA not acceptable!

Any ideas?

Here you have both configurations:

R25#s
Building configuration...

Current configuration:
!
version 11.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R25
!
enable secret 5 $1$a1kU$LBH8YNjxpZnX2lZc6g4Wq1
!
ip subnet-zero
ip telnet source-interface Loopback0
no ip domain-lookup
!
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 135.25.4.1
!
!
crypto ipsec transform-set lab1 ah-rfc1828
crypto ipsec transform-set labalgo esp-des
crypto ipsec transform-set encr-only esp-rfc1829
!
!
crypto map toto 20 ipsec-isakmp
 set peer 135.25.4.1
 set transform-set lab1
 match address 101
crypto map lab1 10 ipsec-isakmp
 set peer 135.25.4.1
 set transform-set labalgo
 match address 101
crypto map peer-router26 local-address Loopback0
crypto map peer-router26 10 ipsec-isakmp
 set peer 135.25.4.1
 set transform-set encr-only
 match address 101
!
!
process-max-time 200
!
interface Loopback0
 ip address 135.25.3.1 255.255.255.255
!
interface Ethernet0
 ip address 135.25.12.1 255.255.255.0
 no keepalive
!
interface Serial0
 no ip address
 encapsulation frame-relay
 no ip mroute-cache
 no fair-queue
!
interface Serial0.1 point-to-point
 ip address 135.25.11.1 255.255.255.252
 no arp frame-relay
 frame-relay interface-dlci 100
 crypto map peer-router26
!
interface Serial0.2 point-to-point
 ip address 135.25.11.5 255.255.255.252
 no arp frame-relay
 frame-relay interface-dlci 200
!
interface Serial1
 ip address 135.25.9.2 255.255.255.252
 clockrate 800000
!
interface BRI0
 no ip address
 shutdown
!
router ospf 64
 network 135.0.0.0 0.255.255.255 area 0
!
ip classless
!
access-list 100 permit tcp host 135.25.4.1 any eq telnet
access-list 100 permit tcp host 135.25.5.1 any eq telnet
access-list 101 permit tcp host 135.25.3.1 host 135.25.4.1 eq telnet
alias exec s show run
alias exec b show ip int brief
alias exec r show ip route
alias exec c conf t
!
line con 0
 exec-timeout 0 0
 password c
 logging synchronous
 login
line aux 0
 exec-timeout 0 0
 password c
 logging synchronous
 login
line vty 0 4
 access-class 100 in
 exec-timeout 0 0
 password c
 logging synchronous
 login
!
end

R26#s
Building configuration...

Current configuration:
!
version 11.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R26
!
enable secret 5 $1$bU3k$7ZpRT3NGGBHGJyqXVVrDj.
!
ip subnet-zero
ip telnet source-interface Loopback0
no ip domain-lookup
!
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 135.25.3.1
!
!
crypto ipsec transform-set lab1 ah-rfc1828
crypto ipsec transform-set labalgo esp-des
crypto ipsec transform-set encr-only esp-rfc1829
!
!
crypto map toto 10 ipsec-isakmp
 set peer 135.25.3.1
 set transform-set lab1
 match address 101
crypto map lab1 10 ipsec-isakmp
 set peer 135.25.3.1
 set transform-set labalgo
 match address 101
crypto map peer-router25 local-address Loopback0
crypto map peer-router25 10 ipsec-isakmp
 set peer 135.25.3.1
 set transform-set encr-only
 match address 101
crypto map peer-router 25
!
!
process-max-time 200
!
interface Loopback0
 ip address 135.25.4.1 255.255.255.255
!
interface Loopback1
 ip address 135.25.11.9 255.255.255.252
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 no keepalive
!
interface Serial0
 ip address 135.25.11.2 255.255.255.252
 encapsulation frame-relay
 ip ospf network point-to-point
 no ip mroute-cache
 no fair-queue
 crypto map peer-router25
!
interface Serial1
 no ip address
 shutdown
!
interface BRI0
 no ip address
 shutdown
!
router ospf 64
 redistribute igrp 1 subnets
 network 135.0.0.0 0.255.255.255 area 0
!
router igrp 1
 network 10.0.0.0
!
ip classless
!
access-list 100 permit tcp host 135.25.3.1 any eq telnet
access-list 100 permit tcp host 135.25.5.1 any eq telnet
access-list 101 permit tcp host 135.25.4.1 host 135.25.3.1 eq telnet
alias exec s show run
alias exec b show ip int brief
alias exec r show ip route
alias exec c conf t
!
line con 0
 exec-timeout 0 0
 password c
 logging synchronous
 login
line aux 0
 exec-timeout 0 0
 password c
 logging synchronous
 login
line vty 0 4
 exec-timeout 0 0
 password c
 logging synchronous
 login
!
end
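As an added illustration of the mirroring point in the reply above (this is not code from the thread, and it is a simplified model of how IOS compares the offered proxy identities against the local crypto ACL, not IOS's own logic), the script below parses the two `access-list 101` entries and the `dest_proxy`/`src_proxy` values from R25's debug and checks whether R26's offer is the mirror of R25's entry. The `R26_MIRRORED_ACE` line is a constructed entry showing what a true mirror of R25's entry would look like; port `0` stands for "any port", as in the debug output.

```python
import re

# Constructed from the thread: each router's crypto ACL 101 entry and the proxy
# identities R25's debug reported in the proposal arriving from R26. Hypothetical
# helper; a simplified model of the IOS check, not IOS code.
R25_ACE = "access-list 101 permit tcp host 135.25.3.1 host 135.25.4.1 eq telnet"
R26_ACE = "access-list 101 permit tcp host 135.25.4.1 host 135.25.3.1 eq telnet"
# Constructed for comparison: what a true mirror of R25's entry would look like.
R26_MIRRORED_ACE = "access-list 101 permit tcp host 135.25.4.1 eq telnet host 135.25.3.1"
R25_DEBUG = """\
    dest_proxy= 135.25.3.1/255.255.255.255/6/23 (type=1),
    src_proxy= 135.25.4.1/255.255.255.255/6/0 (type=1),"""

PROTO = {"tcp": 6, "udp": 17, "ip": 0}
PORT_NAMES = {"telnet": 23}
ACE_RE = re.compile(r"access-list \d+ permit (\w+) host (\S+)(?: eq (\S+))?"
                    r" host (\S+)(?: eq (\S+))?$")

def port(p):
    """Port keyword or number to int; 0 means 'any port', as in the IOS debug."""
    return 0 if p is None else PORT_NAMES.get(p) or int(p)

def parse_ace(line):
    """Return (proto, src, sport, dst, dport) from a 'host A [eq p] host B [eq p]' ACE."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported ACE: " + line)
    proto, src, sport, dst, dport = m.groups()
    return (PROTO[proto], src, port(sport), dst, port(dport))

def parse_debug_proxies(text):
    """Offered identities from IPSEC(validate_proposal_request) lines, in the same
    (proto, src, sport, dst, dport) shape as parse_ace (proto is the IP number)."""
    ids = {k: (addr, int(proto), int(prt)) for k, addr, proto, prt in
           re.findall(r"(dest_proxy|src_proxy)= ([^/\s]+)/[^/\s]+/(\d+)/(\d+)", text)}
    s, d = ids["src_proxy"], ids["dest_proxy"]
    return (s[1], s[0], s[2], d[0], d[2])

def mirror(ace):
    """The entry the peer needs: swap source and destination, each port staying with its host."""
    proto, src, sport, dst, dport = ace
    return (proto, dst, dport, src, sport)

def responder_accepts(local_ace_line, debug_text):
    """Simplified rule behind 'proxy identities not supported': the peer's offered
    identities (its src_proxy is our destination) must mirror a local ACE exactly."""
    return mirror(parse_ace(local_ace_line)) == parse_debug_proxies(debug_text)
```

Run against the thread's values, `responder_accepts(R25_ACE, R25_DEBUG)` is false because R25's entry puts `eq telnet` on 135.25.4.1 while the offer carries port 23 on 135.25.3.1; the two routers' ACL 101 entries each describe telnet in their own outbound direction rather than mirroring each other.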



This archive was generated by hypermail 2.1.4 : Fri Jun 21 2002 - 06:45:00 GMT-3