Re: Lab 15 IPSec

From: Keith Leonard (kleonard@xxxxxxxxxxx)
Date: Tue Nov 06 2001 - 20:08:25 GMT-3


You don't have the crypto map on the ethernet interface on R11.

>>> CCIE Candidate <ccie2001ca@yahoo.ca> 11/07/01 09:44am >>>
Hi Everyone:

I am working on Bootcamp Lab 15, and have faced the
following problem (not able to ping the other end).
I am attaching both routers' configuration and
debug/show output as well.

Thanks in advance
KJ

================================================
5:42:56: ISAKMP: authenticator is HMAC-SHA
05:42:56: ISAKMP (115): atts not acceptable. Next payload is 0
05:42:56: ISAKMP (115): SA not acceptable!
===============================================
r11#show crypto isakmp sa
    dst             src             state        conn-id  slot
160.200.77.122  150.100.50.42   MM_NO_STATE  122      0 (deleted)
160.200.77.122  150.100.50.42   MM_NO_STATE  123      0 (deleted)
160.200.77.122  150.100.50.42   MM_NO_STATE  126      0 (deleted)
160.200.77.122  150.100.50.42   QM_IDLE      127      0
160.200.77.122  150.100.50.42   MM_NO_STATE  125      0 (deleted)
160.200.77.122  150.100.50.42   MM_NO_STATE  124      0 (deleted)
=================================================

hostname r8
!
enable secret 5 $1$s57V$RwlYYU2oYignqjFWdfy9o0
!
ip subnet-zero
no ip domain-lookup
!
!
!
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key cisco address 160.200.77.122
!
!
crypto ipsec transform-set myTS ah-sha-hmac esp-des esp-sha-hmac
!
!
crypto map myMAP 10 ipsec-isakmp
 set peer 160.200.77.122
 set transform-set myTS
 match address 101
!
!
!
!
interface Tunnel0
 ip address 10.4.1.1 255.255.255.0
 ip directed-broadcast
 tunnel source 150.100.50.42
 tunnel destination 160.200.77.122
 crypto map myMAP
!
interface Ethernet0/0
 ip address 10.6.1.2 255.255.255.252
 no ip directed-broadcast
 ip nat inside
!
interface Serial0/0
 ip address 150.100.50.42 255.255.255.248
 ip directed-broadcast
 ip nat outside
 no ip mroute-cache
 no fair-queue
 crypto map myMAP
!
interface Ethernet0/1
 no ip address
 no ip directed-broadcast
 shutdown
!
router rip
 version 2
 passive-interface Serial0/0
 network 10.0.0.0
 no auto-summary
!
ip nat inside source list 1 interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 150.100.50.41
no ip http server
!
access-list 1 permit 10.5.0.0 0.0.255.255
access-list 1 permit 10.6.0.0 0.0.255.255
access-list 101 permit ip host 150.100.50.42 host 160.200.77.122 log
!
alias exec ip show ip route
alias exec ipx show ipx route
alias exec oi show ip ospf int
alias exec b show ip bgp
alias exec bn show ip bgp ne
alias exec br show ip int brief
alias exec on show ip ospf ne
!
line con 0
 exec-timeout 0 0
 password en
 transport input none
line aux 0
line vty 0 4
 password cisco
 login
!
end
===========================================
hostname r11
!
enable secret 5 $1$oL.f$ZqEJTz7aZGdpDA8zTjurn1
!
memory-size iomem 20
ip subnet-zero
no ip domain-lookup
!
!
!
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key cisco address 150.100.50.42
!
!
crypto ipsec transform-set myTS ah-sha-hmac esp-des esp-sha-hmac
!
!
crypto map myMAP 10 ipsec-isakmp
 set peer 150.100.50.42
 set transform-set myTS
 match address 101
!
!
!
!
interface Loopback0
 ip address 10.5.8.1 255.255.255.0
 no ip directed-broadcast
!
interface Tunnel0
 ip address 10.4.1.2 255.255.255.0
 ip directed-broadcast
 tunnel source 160.200.77.122
 tunnel destination 150.100.50.42
 crypto map myMAP
!
interface Ethernet0/0
 ip address 160.200.77.122 255.255.255.248
 ip directed-broadcast
!
interface Serial0/0
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 shutdown
 no fair-queue
!
interface Ethernet0/1
 no ip address
 no ip directed-broadcast
 shutdown
!
router rip
 version 2
 network 10.0.0.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 160.200.77.121
no ip http server
!
access-list 101 permit ip host 160.200.77.122 host 150.100.50.42 log
alias exec ip show ip route
alias exec ipx show ipx route
alias exec oi show ip ospf int
alias exec b show ip bgp
alias exec bn show ip bgp ne
alias exec br show ip int brief
alias exec on show ip ospf ne
!
line con 0
 password en
 transport input none
line aux 0
line vty 0 4
 password cisco
 login
!
end

r11#
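A mechanical check for the mistake Keith points out, added here as an example and not part of the thread: it parses an IOS-style config and reports any tunnel interface whose crypto map is not also applied on the interface that owns the tunnel source address (on r8 that is Serial0/0, on r11 it should be Ethernet0/0). The R8 and R11 strings are reduced copies of the configs in the post, constructed for this example with only the interface lines the check needs; the function names are the example's own.

```python
import re

# Reduced copies of the r8 and r11 configs posted in the thread (constructed
# for this example: only the interface lines the check needs are kept).
R8 = """interface Tunnel0
 tunnel source 150.100.50.42
 crypto map myMAP
interface Serial0/0
 ip address 150.100.50.42 255.255.255.248
 crypto map myMAP
"""
R11 = """interface Tunnel0
 tunnel source 160.200.77.122
 crypto map myMAP
interface Ethernet0/0
 ip address 160.200.77.122 255.255.255.248
"""

def parse_interfaces(config):
    """Map interface name -> its ip address, tunnel source and applied crypto maps."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            cur = ifaces.setdefault(m.group(1), {"ip": None, "source": None, "maps": set()})
        elif cur is None or not line.startswith(" "):
            cur = None  # any unindented line ("!", a global command) ends the block
        else:
            words = line.split()
            if words[:2] == ["ip", "address"]:
                cur["ip"] = words[2]
            elif words[:2] == ["tunnel", "source"]:
                cur["source"] = words[2]
            elif words[:2] == ["crypto", "map"]:
                cur["maps"].add(words[2])
    return ifaces

def missing_crypto_maps(config):
    """Tunnels whose crypto map is missing from the interface that owns the tunnel source."""
    ifaces = parse_interfaces(config)
    by_ip = {d["ip"]: name for name, d in ifaces.items() if d["ip"]}
    findings = []
    for name, d in ifaces.items():
        if not (d["source"] and d["maps"]):
            continue
        phys = by_ip.get(d["source"])  # None if no interface owns the source address
        for cmap in sorted(d["maps"]):
            if phys is None or cmap not in ifaces[phys]["maps"]:
                findings.append((name, phys, cmap))
    return findings
```

Run against the two configs, r8 comes back clean and r11 reports ("Tunnel0", "Ethernet0/0", "myMAP"), i.e. the crypto map that Ethernet0/0 lacks.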



This archive was generated by hypermail 2.1.4 : Fri Jun 21 2002 - 06:45:06 GMT-3