From: Jon Carmichael (jonc@xxxxxxxxxxx)
Date: Mon Jan 07 2002 - 17:30:29 GMT-3
I've been trying to get Tunnel Endpoint Discovery working since yesterday.
I've been through several iterations. I'm following variations of the
following two examples on CCO.
http://www.cisco.com/warp/public/707/tedpreshare.html
and
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t5/ted.htm
I'm not getting the same result from my debugs that they show in both
examples. I will paste one of my debugs and one of my configs. If anyone
can interpret this debug or config to tell me why it's failing, I would sure
appreciate it.
JONC
JCLab5d-R5#
JCLab5d-R5#
JCLab5d-R5#sho run | begin crypto
crypto isakmp policy 10
authentication pre-share
lifetime 180
crypto isakmp key R4R5-key address 0.0.0.0
!
!
crypto ipsec transform-set ENC ah-sha-hmac esp-des esp-md5-hmac
!
crypto dynamic-map TED-DMAP 10
set transform-set ENC
match address 111
!
!
crypto map TEDTAG 10 ipsec-isakmp dynamic TED-DMAP discover
!
!
JCLab5d-R5#
JCLab5d-R5#sho access-list 111
Extended IP access list 111
permit tcp 192.168.20.0 0.0.0.255 10.14.0.0 0.0.0.255 (814 matches)
permit ip 192.168.20.0 0.0.0.255 10.14.0.0 0.0.0.255 (12 matches)
JCLab5d-R5#
JCLab5d-R5#
JCLab5d-R5#sho log
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Console logging: disabled
Monitor logging: level debugging, 0 messages logged
Buffer logging: level debugging, 1953 messages logged
Trap logging: level informational, 66 message lines logged
Log Buffer (4096 bytes):
lifedur= 3600s and 4608000kb,
spi= 0x15AD0C8C(363662476), conn_id= 2006, keysize= 0, flags= 0x4
Jan 7 12:16:24: IPSEC(initialize_sas): ,
(key eng. msg.) src= 172.16.99.1, dest= 172.16.99.2,
src_proxy= 192.168.20.0/255.255.255.0/0/0 (type=4),
dest_proxy= 10.14.0.0/255.255.255.0/6/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x156F07B7(359598007), conn_id= 2007, keysize= 0, flags= 0x4
Jan 7 12:16:24: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.16.99.1, sa_prot= 51,
sa_spi= 0x21630610(560137744),
sa_trans= ah-sha-hmac , sa_conn_id= 2004
Jan 7 12:16:24: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.16.99.2, sa_prot= 51,
sa_spi= 0xD4C2288(223093384),
sa_trans= ah-sha-hmac , sa_conn_id= 2005
Jan 7 12:16:24: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.16.99.1, sa_prot= 50,
sa_spi= 0x15AD0C8C(363662476),
sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2006
Jan 7 12:16:24: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.16.99.2, sa_prot= 50,
sa_spi= 0x156F07B7(359598007),
sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2007
Jan 7 12:16:24: IPSEC(add_sa): peer asks for new SAs -- expire current in
120 sec.,
(sa) sa_dest= 172.16.99.2, sa_prot= 50,
sa_spi= 0xCEB0AB0(216730288),
sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2003,
(identity) local= 172.16.99.1, remote= 172.16.99.2,
local_proxy= 192.168.20.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.14.0.0/255.255.255.0/6/0 (type=4)
Jan 7 12:16:40: IPSEC(sa_initiate): ACL = deny; sa request ignored
Jan 7 12:17:13: ISAKMP (0:2): purging node -1847150921
Jan 7 12:18:28: IPSEC(sa_aging): lifetime expiring,
(sa) sa_dest= 172.16.99.1, sa_prot= 51,
sa_spi= 0x21C90079(566820985),
sa_trans= ah-sha-hmac , sa_conn_id= 2000,
(identity) local= 172.16.99.1, remote= 172.16.99.2,
local_proxy= 192.168.20.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.14.0.0/255.255.255.0/6/0 (type=4)
Jan 7 12:18:28: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 172.16.99.1, sa_prot= 51,
sa_spi= 0x21C90079(566820985),
sa_trans= ah-sha-hmac , sa_conn_id= 2000
Jan 7 12:18:28: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 172.16.99.2, sa_prot= 51,
sa_spi= 0x26C600E2(650510562),
sa_trans= ah-sha-hmac , sa_conn_id= 2001
Jan 7 12:18:28: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 172.16.99.1, sa_prot= 50,
sa_spi= 0x99319EC(160635372),
sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2002
Jan 7 12:18:28: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 172.16.99.2, sa_prot= 50,
sa_spi= 0xCEB0AB0(216730288),
sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2003
Jan 7 12:18:28: ISAKMP: received ke message (3/2)
Jan 7 12:18:28: CryptoEngine0: generate hmac context for conn id 2
Jan 7 12:18:28: ISAKMP (2): sending packet to 172.16.99.2 (R) QM_IDLE
Jan 7 12:18:28: ISAKMP (0:2): purging node 441531424
Jan 7 12:19:10: ISAKMP (0:2): peer does not do paranoid keepalives.
Jan 7 12:19:10: ISAKMP (0:2): deleting SA reason "IKE SA Lifetime Exceeded"
state (R) QM_IDLE (peer 172.16.99.2) input queue 0
Jan 7 12:19:10: CryptoEngine0: generate hmac context for conn id 2
Jan 7 12:19:10: ISAKMP (2): sending packet to 172.16.99.2 (R) MM_NO_STATE
Jan 7 12:19:10: ISAKMP (0:2): purging node -159029524
Jan 7 12:20:10: ISAKMP (0:2): purging SA.
Jan 7 12:20:10: CryptoEngine0: delete connection 2
Jan 7 12:21:15: IPSEC(sa_initiate): ACL = deny; sa request ignored
Jan 7 12:21:17: IPSEC(sa_initiate): ACL = deny; sa request ignored
Jan 7 12:21:21: IPSEC(sa_initiate): ACL = deny; sa request ignored
Jan 7 12:21:29: IPSEC(sa_initiate): ACL = deny; sa request ignored
Jan 7 12:25:12: IPSEC(sa_initiate): ACL = deny; sa request ignored
Jan 7 12:26:46: IPSEC(sa_initiate): ACL = deny; sa request ignored
Jan 7 12:26:48: IPSEC(sa_initiate): ACL = deny; sa request ignored
Jan 7 12:26:52: IPSEC(sa_initiate): ACL = deny; sa request ignored
Jan 7 12:27:00: IPSEC(sa_initiate): ACL = deny; sa request ignored
JCLab5d-R5#
JCLab5d-R5#
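One way to triage a debug buffer like the one above, added here as an example and not part of the original post: it joins the wrapped lines into records, tracks which IPsec SAs are created and deleted by sa_conn_id, and collects the timestamps of the "ACL = deny; sa request ignored" messages. The function names are hypothetical and the record layout is assumed from the lines shown in the post.

```python
import re
# Excerpt copied from the debug buffer in the post (shortened, wrapped as posted).
SAMPLE = """\
Jan 7 12:16:24: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.16.99.1, sa_prot= 50,
sa_spi= 0x15AD0C8C(363662476),
sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2006
Jan 7 12:16:24: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.16.99.2, sa_prot= 50,
sa_spi= 0x156F07B7(359598007),
sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2007
Jan 7 12:16:40: IPSEC(sa_initiate): ACL = deny; sa request ignored
Jan 7 12:18:28: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 172.16.99.2, sa_prot= 50,
sa_spi= 0xCEB0AB0(216730288),
sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2003
Jan 7 12:21:15: IPSEC(sa_initiate): ACL = deny; sa request ignored
"""

STAMP = re.compile(r"^([A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d): (.*)$")
SA = re.compile(r"sa_dest= (\S+), sa_prot= (\d+), sa_spi= (0x[0-9A-Fa-f]+).*sa_conn_id= (\d+)")

def records(text):
    """Join wrapped continuation lines onto the timestamped line they follow."""
    out = []
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            out.append([m.group(1), m.group(2)])
        elif out:
            out[-1][1] += " " + line.strip()
    return [tuple(r) for r in out]

def triage(text):
    """Track SA create/delete by conn_id and collect 'ACL = deny' timestamps."""
    live, deleted, denies = {}, [], []
    for ts, msg in records(text):
        sa = SA.search(msg)
        if msg.startswith("IPSEC(sa_initiate)") and "ACL = deny" in msg:
            denies.append(ts)
        elif msg.startswith("IPSEC(create_sa)") and sa:
            live[int(sa.group(4))] = (sa.group(1), int(sa.group(2)), sa.group(3))
        elif msg.startswith("IPSEC(delete_sa)") and sa:
            deleted.append(int(sa.group(4)))
            live.pop(int(sa.group(4)), None)
    return {"live": live, "deleted": deleted, "denies": denies}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A conn_id that appears under "deleted" without a matching create, such as 2003 here, was created before the start of the 4096-byte log buffer.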