Re: IPSEC - Tunnel Endpoint Discovery

From: tom cheung (tkc9789@xxxxxxxxxxx)
Date: Mon Jan 07 2002 - 19:05:49 GMT-3


   
Jon,
Although I'm no expert in VPN, I don't see any tunnel discovery request
message in your debug. One requirement for TED to work is that both peers
have to be TED enabled. I wonder if this requirement is met?

Tom

>From: Jon Carmichael <jonc@pacbell.net>
>Reply-To: Jon Carmichael <jonc@pacbell.net>
>To: CCIE Study <studyccie@hotmail.com>, ccielab@groupstudy.com
>Subject: IPSEC - Tunnel Endpoint Discovery
>Date: Mon, 07 Jan 2002 12:30:29 -0800
>
>I've been trying to get Tunnel Endpoint Discovery working since yesterday.
>I've been through several iterations. I'm following variations of the
>following two examples on CCO.
>
>http://www.cisco.com/warp/public/707/tedpreshare.html
>
>and
>
>http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t5/ted.htm
>
>I'm not getting the same result from my debugs that they show in both
>examples. I will paste one of my debugs and one of my configs. If anyone
>can interpret this debug or config to tell me why it's failing, I would sure
>appreciate it.
>
>JONC
>
>
>JCLab5d-R5#
>JCLab5d-R5#
>JCLab5d-R5#sho run | begin crypto
>crypto isakmp policy 10
> authentication pre-share
> lifetime 180
>crypto isakmp key R4R5-key address 0.0.0.0
>!
>!
>crypto ipsec transform-set ENC ah-sha-hmac esp-des esp-md5-hmac
>!
>crypto dynamic-map TED-DMAP 10
> set transform-set ENC
> match address 111
>!
>!
>crypto map TEDTAG 10 ipsec-isakmp dynamic TED-DMAP discover
>!
>!
>JCLab5d-R5#
>JCLab5d-R5#sho access-list 111
>Extended IP access list 111
> permit tcp 192.168.20.0 0.0.0.255 10.14.0.0 0.0.0.255 (814 matches)
> permit ip 192.168.20.0 0.0.0.255 10.14.0.0 0.0.0.255 (12 matches)
>JCLab5d-R5#
>JCLab5d-R5#
>JCLab5d-R5#sho log
>Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
> Console logging: disabled
> Monitor logging: level debugging, 0 messages logged
> Buffer logging: level debugging, 1953 messages logged
> Trap logging: level informational, 66 message lines logged
>
>Log Buffer (4096 bytes):
>
> lifedur= 3600s and 4608000kb,
> spi= 0x15AD0C8C(363662476), conn_id= 2006, keysize= 0, flags= 0x4
>Jan 7 12:16:24: IPSEC(initialize_sas): ,
> (key eng. msg.) src= 172.16.99.1, dest= 172.16.99.2,
> src_proxy= 192.168.20.0/255.255.255.0/0/0 (type=4),
> dest_proxy= 10.14.0.0/255.255.255.0/6/0 (type=4),
> protocol= ESP, transform= esp-des esp-md5-hmac ,
> lifedur= 3600s and 4608000kb,
> spi= 0x156F07B7(359598007), conn_id= 2007, keysize= 0, flags= 0x4
>Jan 7 12:16:24: IPSEC(create_sa): sa created,
> (sa) sa_dest= 172.16.99.1, sa_prot= 51,
> sa_spi= 0x21630610(560137744),
> sa_trans= ah-sha-hmac , sa_conn_id= 2004
>Jan 7 12:16:24: IPSEC(create_sa): sa created,
> (sa) sa_dest= 172.16.99.2, sa_prot= 51,
> sa_spi= 0xD4C2288(223093384),
> sa_trans= ah-sha-hmac , sa_conn_id= 2005
>Jan 7 12:16:24: IPSEC(create_sa): sa created,
> (sa) sa_dest= 172.16.99.1, sa_prot= 50,
> sa_spi= 0x15AD0C8C(363662476),
> sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2006
>Jan 7 12:16:24: IPSEC(create_sa): sa created,
> (sa) sa_dest= 172.16.99.2, sa_prot= 50,
> sa_spi= 0x156F07B7(359598007),
> sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2007
>Jan 7 12:16:24: IPSEC(add_sa): peer asks for new SAs -- expire current in
>120 sec.,
> (sa) sa_dest= 172.16.99.2, sa_prot= 50,
> sa_spi= 0xCEB0AB0(216730288),
> sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2003,
> (identity) local= 172.16.99.1, remote= 172.16.99.2,
> local_proxy= 192.168.20.0/255.255.255.0/0/0 (type=4),
> remote_proxy= 10.14.0.0/255.255.255.0/6/0 (type=4)
>Jan 7 12:16:40: IPSEC(sa_initiate): ACL = deny; sa request ignored
>Jan 7 12:17:13: ISAKMP (0:2): purging node -1847150921
>Jan 7 12:18:28: IPSEC(sa_aging): lifetime expiring,
> (sa) sa_dest= 172.16.99.1, sa_prot= 51,
> sa_spi= 0x21C90079(566820985),
> sa_trans= ah-sha-hmac , sa_conn_id= 2000,
> (identity) local= 172.16.99.1, remote= 172.16.99.2,
> local_proxy= 192.168.20.0/255.255.255.0/0/0 (type=4),
> remote_proxy= 10.14.0.0/255.255.255.0/6/0 (type=4)
>Jan 7 12:18:28: IPSEC(delete_sa): deleting SA,
> (sa) sa_dest= 172.16.99.1, sa_prot= 51,
> sa_spi= 0x21C90079(566820985),
> sa_trans= ah-sha-hmac , sa_conn_id= 2000
>Jan 7 12:18:28: IPSEC(delete_sa): deleting SA,
> (sa) sa_dest= 172.16.99.2, sa_prot= 51,
> sa_spi= 0x26C600E2(650510562),
> sa_trans= ah-sha-hmac , sa_conn_id= 2001
>Jan 7 12:18:28: IPSEC(delete_sa): deleting SA,
> (sa) sa_dest= 172.16.99.1, sa_prot= 50,
> sa_spi= 0x99319EC(160635372),
> sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2002
>Jan 7 12:18:28: IPSEC(delete_sa): deleting SA,
> (sa) sa_dest= 172.16.99.2, sa_prot= 50,
> sa_spi= 0xCEB0AB0(216730288),
> sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2003
>Jan 7 12:18:28: ISAKMP: received ke message (3/2)
>Jan 7 12:18:28: CryptoEngine0: generate hmac context for conn id 2
>Jan 7 12:18:28: ISAKMP (2): sending packet to 172.16.99.2 (R) QM_IDLE
>Jan 7 12:18:28: ISAKMP (0:2): purging node 441531424
>Jan 7 12:19:10: ISAKMP (0:2): peer does not do paranoid keepalives.
>
>Jan 7 12:19:10: ISAKMP (0:2): deleting SA reason "IKE SA Lifetime
>Exceeded"
>state (R) QM_IDLE (peer 172.16.99.2) input queue 0
>Jan 7 12:19:10: CryptoEngine0: generate hmac context for conn id 2
>Jan 7 12:19:10: ISAKMP (2): sending packet to 172.16.99.2 (R) MM_NO_STATE
>Jan 7 12:19:10: ISAKMP (0:2): purging node -159029524
>Jan 7 12:20:10: ISAKMP (0:2): purging SA.
>Jan 7 12:20:10: CryptoEngine0: delete connection 2
>Jan 7 12:21:15: IPSEC(sa_initiate): ACL = deny; sa request ignored
>Jan 7 12:21:17: IPSEC(sa_initiate): ACL = deny; sa request ignored
>Jan 7 12:21:21: IPSEC(sa_initiate): ACL = deny; sa request ignored
>Jan 7 12:21:29: IPSEC(sa_initiate): ACL = deny; sa request ignored
>Jan 7 12:25:12: IPSEC(sa_initiate): ACL = deny; sa request ignored
>Jan 7 12:26:46: IPSEC(sa_initiate): ACL = deny; sa request ignored
>Jan 7 12:26:48: IPSEC(sa_initiate): ACL = deny; sa request ignored
>Jan 7 12:26:52: IPSEC(sa_initiate): ACL = deny; sa request ignored
>Jan 7 12:27:00: IPSEC(sa_initiate): ACL = deny; sa request ignored
>JCLab5d-R5#
>JCLab5d-R5#
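Tom's diagnosis rests on two things a reader has to dig out of the wrapped IOS debug by hand: that no tunnel discovery request ever appears, and that the only IPsec activity is SA churn plus repeated "ACL = deny; sa request ignored" events. The script below is an added example, written for this archive page and not code from Jon, Tom or Cisco. It groups the multi-line `IPSEC(...)`/`ISAKMP` debug records by their timestamp line, pulls out the `key= value` fields, and reports the SA create/delete counts, the ACL-denied initiations and whether any discovery probe was logged. The sample buffer is a constructed excerpt using values quoted in the thread, and the `TED_RE` marker for a probe line is an assumption, since the exact wording of that message is not shown anywhere in this thread.

```python
import re
from collections import Counter

# Constructed sample in the shape of the debug quoted above (values taken
# from the thread; this is an excerpt, not a new capture).
SAMPLE_LOG = """\
Jan 7 12:16:24: IPSEC(create_sa): sa created,
 (sa) sa_dest= 172.16.99.1, sa_prot= 51,
 sa_spi= 0x21630610(560137744),
 sa_trans= ah-sha-hmac , sa_conn_id= 2004
Jan 7 12:16:24: IPSEC(create_sa): sa created,
 (sa) sa_dest= 172.16.99.1, sa_prot= 50,
 sa_spi= 0x15AD0C8C(363662476),
 sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2006
Jan 7 12:16:40: IPSEC(sa_initiate): ACL = deny; sa request ignored
Jan 7 12:18:28: IPSEC(delete_sa): deleting SA,
 (sa) sa_dest= 172.16.99.1, sa_prot= 51,
 sa_spi= 0x21C90079(566820985),
 sa_trans= ah-sha-hmac , sa_conn_id= 2000
Jan 7 12:19:10: ISAKMP (0:2): deleting SA reason "IKE SA Lifetime
Exceeded"
Jan 7 12:21:15: IPSEC(sa_initiate): ACL = deny; sa request ignored
"""

# A record starts with an IOS timestamp; wrapped continuation lines do not.
TS_RE = re.compile(r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d): (?P<body>.*)$')
EVENT_RE = re.compile(r'^(?P<subsys>IPSEC|ISAKMP|CryptoEngine\d+)(?:\((?P<event>\w+)\))?')
FIELD_RE = re.compile(r'(\w+)=\s*([^,\n]*?)\s*(?:,|$)', re.M)
# ASSUMPTION: what a discovery probe line would contain; the thread never shows one.
TED_RE = re.compile(r'\bTED\b|tunnel_endpoint_discovery')


def parse_records(text):
    """Group wrapped debug lines into records; lines before the first
    timestamp (a truncated log buffer) are dropped."""
    records = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            records.append({'ts': m.group('ts'), 'text': m.group('body')})
        elif records:
            records[-1]['text'] += '\n' + line
    for rec in records:
        em = EVENT_RE.match(rec['text'])
        rec['subsys'] = em.group('subsys') if em else None
        rec['event'] = em.group('event') if em else None
        rec['fields'] = dict(FIELD_RE.findall(rec['text']))
    return records


def summarize(text):
    """Count the SA lifecycle events a reviewer of this debug looks for."""
    summary = {
        'sa_created': Counter(),   # keyed by sa_prot: '50' = ESP, '51' = AH
        'sa_deleted': 0,
        'acl_deny': 0,             # IPSEC(sa_initiate): ACL = deny; sa request ignored
        'ike_sa_deleted': 0,
        'ted_probe_seen': False,
    }
    for r in parse_records(text):
        if r['subsys'] == 'IPSEC' and r['event'] == 'create_sa':
            summary['sa_created'][r['fields'].get('sa_prot')] += 1
        elif r['subsys'] == 'IPSEC' and r['event'] == 'delete_sa':
            summary['sa_deleted'] += 1
        elif r['subsys'] == 'IPSEC' and r['event'] == 'sa_initiate' \
                and 'ACL = deny' in r['text']:
            summary['acl_deny'] += 1
        elif r['subsys'] == 'ISAKMP' and 'deleting SA' in r['text']:
            summary['ike_sa_deleted'] += 1
        if TED_RE.search(r['text']):
            summary['ted_probe_seen'] = True
    return summary


def diagnose(summary):
    """Turn the counts into the checks raised in the thread."""
    notes = []
    if not summary['ted_probe_seen']:
        notes.append('no discovery probe in buffer: confirm both peers are TED enabled')
    if summary['acl_deny']:
        notes.append('%d SA request(s) ignored because the crypto ACL denied them'
                     % summary['acl_deny'])
    if summary['ike_sa_deleted']:
        notes.append('IKE SA torn down on lifetime expiry during the test window')
    return notes


if __name__ == '__main__':
    s = summarize(SAMPLE_LOG)
    print(dict(s['sa_created']), s['sa_deleted'], s['acl_deny'], s['ike_sa_deleted'])
    for note in diagnose(s):
        print('-', note)
```

Feed it the full `sho log` output instead of `SAMPLE_LOG` and the first check reproduces Tom's observation directly: with no probe line in the buffer, the remaining IPsec events are the existing SAs aging out under the 180-second ISAKMP lifetime in the config, not a TED exchange.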



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:56:19 GMT-3