RE: IPSEC - Tunnel Endpoint Discovery

From: Richard Geiger (geiger_rich@xxxxxxxxxxx)
Date: Tue Jan 08 2002 - 05:49:03 GMT-3


Look at:
>Jan 7 12:18:28: CryptoEngine0: generate hmac context for conn id 2
>Jan 7 12:18:28: ISAKMP (2): sending packet to 172.16.99.2 (R) QM_IDLE
>Jan 7 12:18:28: ISAKMP (0:2): purging node 441531424
>Jan 7 12:19:10: ISAKMP (0:2): peer does not do paranoid keepalives.
>
>Jan 7 12:19:10: ISAKMP (0:2): deleting SA reason "IKE SA Lifetime Exceeded" state (R) QM_IDLE (peer 172.16.99.2) input queue 0
>Jan 7 12:19:10: CryptoEngine0: generate hmac context for conn id 2
>Jan 7 12:19:10: ISAKMP (2): sending packet to 172.16.99.2 (R) MM_NO_STATE
>Jan 7 12:19:10: ISAKMP (0:2): purging node -159029524
>Jan 7 12:20:10: ISAKMP (0:2): purging SA.
>Jan 7 12:20:10: CryptoEngine0: delete connection 2

It looks like the tunnel is being destroyed because of your defined SA
lifetime, but the packets for renegotiation are being sent to the tunnel
interface instead of the proxy interface.

I agree you should look at PFS, and review the time-out settings; there might
be something in there.... -rich

>From: "tom cheung" <tkc9789@hotmail.com>
>Reply-To: "tom cheung" <tkc9789@hotmail.com>
>To: jonc@pacbell.net, studyccie@hotmail.com, ccielab@groupstudy.com
>Subject: RE: IPSEC - Tunnel Endpoint Discovery
>Date: Mon, 07 Jan 2002 17:46:35 -0600
>
>Jon,
>I also noticed that during IPSEC tunnel negotiation, R4 is requesting new
>SA. So did you define PFS on R4? If so, try either taking it out or turn
>on PFS on R5 as well.
>
>Tom
>
>>From: Jon Carmichael <jonc@pacbell.net>
>>To: tom cheung <tkc9789@hotmail.com>, studyccie@hotmail.com,
>>ccielab@groupstudy.com
>>Subject: RE: IPSEC - Tunnel Endpoint Discovery
>>Date: Mon, 07 Jan 2002 15:18:50 -0800
>>
>>I appreciate your close look at the debugs to determine what's
>>missing, --but what I can't figure out is what's missing in the config to
>>make it work. I can't find anything.
>>
>>JONC
>>
>>
>>-----Original Message-----
>>From: tom cheung [mailto:tkc9789@hotmail.com]
>>Sent: Monday, January 07, 2002 2:06 PM
>>To: jonc@pacbell.net; studyccie@hotmail.com; ccielab@groupstudy.com
>>Subject: Re: IPSEC - Tunnel Endpoint Discovery
>>
>>
>>Jon,
>>Although I'm no expert in VPN, I don't see any tunnel discovery request
>>message in your debug. One requirement for TED to work is that both peers
>>will have to be TED enabled. Wonder if this requirement is met?
>>
>>Tom
>>
>>
>> >From: Jon Carmichael <jonc@pacbell.net>
>> >Reply-To: Jon Carmichael <jonc@pacbell.net>
>> >To: CCIE Study <studyccie@hotmail.com>, ccielab@groupstudy.com
>> >Subject: IPSEC - Tunnel Endpoint Discovery
>> >Date: Mon, 07 Jan 2002 12:30:29 -0800
>> >
>> >I've been trying to get Tunnel Endpoint Discovery working since yesterday.
>> >I've been thru several iterations. I'm following variations of the
>> >following two examples on CCO.
>> >
>> >http://www.cisco.com/warp/public/707/tedpreshare.html
>> >
>> >and
>> >
>> >http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t5/ted.htm
>> >
>> >I'm not getting the same result from my debugs that they show in both
>> >examples. I will paste one of my debugs and one of my configs. If anyone
>> >can interpret this debug or config to tell me why it's failing, I would
>> >sure appreciate it.
>> >
>> >JONC
>> >
>> >
>> >JCLab5d-R5#
>> >JCLab5d-R5#
>> >JCLab5d-R5#sho run | begin crypto
>> >crypto isakmp policy 10
>> > authentication pre-share
>> > lifetime 180
>> >crypto isakmp key R4R5-key address 0.0.0.0
>> >!
>> >!
>> >crypto ipsec transform-set ENC ah-sha-hmac esp-des esp-md5-hmac
>> >!
>> >crypto dynamic-map TED-DMAP 10
>> > set transform-set ENC
>> > match address 111
>> >!
>> >!
>> >crypto map TEDTAG 10 ipsec-isakmp dynamic TED-DMAP discover
>> >!
>> >!
>> >JCLab5d-R5#
>> >JCLab5d-R5#sho access-list 111
>> >Extended IP access list 111
>> > permit tcp 192.168.20.0 0.0.0.255 10.14.0.0 0.0.0.255 (814 matches)
>> > permit ip 192.168.20.0 0.0.0.255 10.14.0.0 0.0.0.255 (12 matches)
>> >JCLab5d-R5#
>> >JCLab5d-R5#
>> >JCLab5d-R5#sho log
>> >Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
>> > Console logging: disabled
>> > Monitor logging: level debugging, 0 messages logged
>> > Buffer logging: level debugging, 1953 messages logged
>> > Trap logging: level informational, 66 message lines logged
>> >
>> >Log Buffer (4096 bytes):
>> >
>> > lifedur= 3600s and 4608000kb,
>> > spi= 0x15AD0C8C(363662476), conn_id= 2006, keysize= 0, flags= 0x4
>> >Jan 7 12:16:24: IPSEC(initialize_sas): ,
>> > (key eng. msg.) src= 172.16.99.1, dest= 172.16.99.2,
>> > src_proxy= 192.168.20.0/255.255.255.0/0/0 (type=4),
>> > dest_proxy= 10.14.0.0/255.255.255.0/6/0 (type=4),
>> > protocol= ESP, transform= esp-des esp-md5-hmac ,
>> > lifedur= 3600s and 4608000kb,
>> > spi= 0x156F07B7(359598007), conn_id= 2007, keysize= 0, flags= 0x4
>> >Jan 7 12:16:24: IPSEC(create_sa): sa created,
>> > (sa) sa_dest= 172.16.99.1, sa_prot= 51,
>> > sa_spi= 0x21630610(560137744),
>> > sa_trans= ah-sha-hmac , sa_conn_id= 2004
>> >Jan 7 12:16:24: IPSEC(create_sa): sa created,
>> > (sa) sa_dest= 172.16.99.2, sa_prot= 51,
>> > sa_spi= 0xD4C2288(223093384),
>> > sa_trans= ah-sha-hmac , sa_conn_id= 2005
>> >Jan 7 12:16:24: IPSEC(create_sa): sa created,
>> > (sa) sa_dest= 172.16.99.1, sa_prot= 50,
>> > sa_spi= 0x15AD0C8C(363662476),
>> > sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2006
>> >Jan 7 12:16:24: IPSEC(create_sa): sa created,
>> > (sa) sa_dest= 172.16.99.2, sa_prot= 50,
>> > sa_spi= 0x156F07B7(359598007),
>> > sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2007
>> >Jan 7 12:16:24: IPSEC(add_sa): peer asks for new SAs -- expire current in 120 sec.,
>> > (sa) sa_dest= 172.16.99.2, sa_prot= 50,
>> > sa_spi= 0xCEB0AB0(216730288),
>> > sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2003,
>> > (identity) local= 172.16.99.1, remote= 172.16.99.2,
>> > local_proxy= 192.168.20.0/255.255.255.0/0/0 (type=4),
>> > remote_proxy= 10.14.0.0/255.255.255.0/6/0 (type=4)
>> >Jan 7 12:16:40: IPSEC(sa_initiate): ACL = deny; sa request ignored
>> >Jan 7 12:17:13: ISAKMP (0:2): purging node -1847150921
>> >Jan 7 12:18:28: IPSEC(sa_aging): lifetime expiring,
>> > (sa) sa_dest= 172.16.99.1, sa_prot= 51,
>> > sa_spi= 0x21C90079(566820985),
>> > sa_trans= ah-sha-hmac , sa_conn_id= 2000,
>> > (identity) local= 172.16.99.1, remote= 172.16.99.2,
>> > local_proxy= 192.168.20.0/255.255.255.0/0/0 (type=4),
>> > remote_proxy= 10.14.0.0/255.255.255.0/6/0 (type=4)
>> >Jan 7 12:18:28: IPSEC(delete_sa): deleting SA,
>> > (sa) sa_dest= 172.16.99.1, sa_prot= 51,
>> > sa_spi= 0x21C90079(566820985),
>> > sa_trans= ah-sha-hmac , sa_conn_id= 2000
>> >Jan 7 12:18:28: IPSEC(delete_sa): deleting SA,
>> > (sa) sa_dest= 172.16.99.2, sa_prot= 51,
>> > sa_spi= 0x26C600E2(650510562),
>> > sa_trans= ah-sha-hmac , sa_conn_id= 2001
>> >Jan 7 12:18:28: IPSEC(delete_sa): deleting SA,
>> > (sa) sa_dest= 172.16.99.1, sa_prot= 50,
>> > sa_spi= 0x99319EC(160635372),
>> > sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2002
>> >Jan 7 12:18:28: IPSEC(delete_sa): deleting SA,
>> > (sa) sa_dest= 172.16.99.2, sa_prot= 50,
>> > sa_spi= 0xCEB0AB0(216730288),
>> > sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2003
>> >Jan 7 12:18:28: ISAKMP: received ke message (3/2)
>> >Jan 7 12:18:28: CryptoEngine0: generate hmac context for conn id 2
>> >Jan 7 12:18:28: ISAKMP (2): sending packet to 172.16.99.2 (R) QM_IDLE
>> >Jan 7 12:18:28: ISAKMP (0:2): purging node 441531424
>> >Jan 7 12:19:10: ISAKMP (0:2): peer does not do paranoid keepalives.
>> >
>> >Jan 7 12:19:10: ISAKMP (0:2): deleting SA reason "IKE SA Lifetime Exceeded" state (R) QM_IDLE (peer 172.16.99.2) input queue 0
>> >Jan 7 12:19:10: CryptoEngine0: generate hmac context for conn id 2
>> >Jan 7 12:19:10: ISAKMP (2): sending packet to 172.16.99.2 (R) MM_NO_STATE
>> >Jan 7 12:19:10: ISAKMP (0:2): purging node -159029524
>> >Jan 7 12:20:10: ISAKMP (0:2): purging SA.
>> >Jan 7 12:20:10: CryptoEngine0: delete connection 2
>> >Jan 7 12:21:15: IPSEC(sa_initiate): ACL = deny; sa request ignored
>> >Jan 7 12:21:17: IPSEC(sa_initiate): ACL = deny; sa request ignored
>> >Jan 7 12:21:21: IPSEC(sa_initiate): ACL = deny; sa request ignored
>> >Jan 7 12:21:29: IPSEC(sa_initiate): ACL = deny; sa request ignored
>> >Jan 7 12:25:12: IPSEC(sa_initiate): ACL = deny; sa request ignored
>> >Jan 7 12:26:46: IPSEC(sa_initiate): ACL = deny; sa request ignored
>> >Jan 7 12:26:48: IPSEC(sa_initiate): ACL = deny; sa request ignored
>> >Jan 7 12:26:52: IPSEC(sa_initiate): ACL = deny; sa request ignored
>> >Jan 7 12:27:00: IPSEC(sa_initiate): ACL = deny; sa request ignored
>> >JCLab5d-R5#
>> >JCLab5d-R5#

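The debug Jon posted and the reading Rich gives of it, worked as an added example that is not part of the thread: a small Python parser for IOS `debug crypto isakmp` / `debug crypto ipsec` output that pairs each "expire current in N sec" notice with the later `delete_sa` for the same SPI, counts the `ACL = deny; sa request ignored` refusals, flags the "IKE SA Lifetime Exceeded" teardown, and compares the IKE lifetime configured in the posted policy (180 s) with the `lifedur` the IPsec SAs were negotiated with. The sample log is a constructed subset of the lines on the page; the event names and the checks in `summarize` are mine, not anything IOS prints.

```python
"""Parse Cisco IOS 'debug crypto isakmp/ipsec' output and summarise the SA
lifecycle events that matter when a tunnel keeps tearing down.  Added example,
not from the thread: SAMPLE_LOG is a constructed subset of the posted 'show log'
output and IKE_LIFETIME_S comes from the posted 'crypto isakmp policy'."""
import re
from datetime import datetime

IKE_LIFETIME_S = 180  # 'lifetime 180' under 'crypto isakmp policy 10' in the posted config

# Constructed sample: a trimmed copy of the debug lines in the thread.
SAMPLE_LOG = """\
Jan 7 12:16:24: IPSEC(initialize_sas): ,
 (key eng. msg.) src= 172.16.99.1, dest= 172.16.99.2,
 protocol= ESP, transform= esp-des esp-md5-hmac ,
 lifedur= 3600s and 4608000kb,
 spi= 0x156F07B7(359598007), conn_id= 2007, keysize= 0, flags= 0x4
Jan 7 12:16:24: IPSEC(add_sa): peer asks for new SAs -- expire current in 120 sec.,
 (sa) sa_dest= 172.16.99.2, sa_prot= 50,
 sa_spi= 0xCEB0AB0(216730288),
 sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2003,
Jan 7 12:16:40: IPSEC(sa_initiate): ACL = deny; sa request ignored
Jan 7 12:18:28: IPSEC(delete_sa): deleting SA,
 (sa) sa_dest= 172.16.99.2, sa_prot= 50,
 sa_spi= 0xCEB0AB0(216730288),
 sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2003
Jan 7 12:18:28: CryptoEngine0: generate hmac context for conn id 2
Jan 7 12:19:10: ISAKMP (0:2): deleting SA reason "IKE SA Lifetime Exceeded" state (R) QM_IDLE (peer 172.16.99.2) input queue 0
Jan 7 12:19:10: ISAKMP (2): sending packet to 172.16.99.2 (R) MM_NO_STATE
Jan 7 12:20:10: ISAKMP (0:2): purging SA.
Jan 7 12:21:15: IPSEC(sa_initiate): ACL = deny; sa request ignored
"""

# A record starts with an IOS timestamp; indented lines continue that record.
HEADER = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d): (?P<rest>.*)$")
FIELD = re.compile(r"(\w+)= ?([^\s,]+)")  # e.g. 'sa_spi= 0xCEB0AB0(216730288)'


def classify(subsystem, text):
    """Map a record to a short event name (names are this example's own)."""
    if subsystem == "IPSEC":
        m = re.match(r"IPSEC\((\w+)\)", text)
        return m.group(1) if m else "ipsec_other"
    if "IKE SA Lifetime Exceeded" in text:
        return "ike_lifetime_exceeded"
    if "purging SA" in text:
        return "ike_sa_purged"
    return "other"


def parse_records(text):
    """Group debug output into records with time, subsystem, event and key=value fields."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            rest = m["rest"]
            sub = next((s for s in ("IPSEC", "ISAKMP") if rest.startswith(s)), "other")
            ts = datetime.strptime(re.sub(r" +", " ", m["ts"]), "%b %d %H:%M:%S")
            records.append({"time": ts, "subsystem": sub, "text": rest})
        elif records and line.strip():
            records[-1]["text"] += " " + line.strip()
    for r in records:
        r["event"] = classify(r["subsystem"], r["text"])
        r["fields"] = dict(FIELD.findall(r["text"]))
    return records


def shortened_expiries(records):
    """Pair 'expire current in N sec' notices with the later delete_sa for the
    same SPI and report requested vs. actual seconds."""
    pending, results = {}, []
    for r in records:
        spi = r["fields"].get("sa_spi", "").split("(")[0]
        if r["event"] == "add_sa":
            m = re.search(r"expire current in (\d+) sec", r["text"])
            if m and spi:
                pending[spi] = (r["time"], int(m.group(1)))
        elif r["event"] == "delete_sa" and spi in pending:
            t0, requested = pending.pop(spi)
            actual = int((r["time"] - t0).total_seconds())
            results.append({"spi": spi, "requested_s": requested, "actual_s": actual})
    return results


def summarize(records, ike_lifetime_s=IKE_LIFETIME_S):
    """The first things to check: ACL denials, IKE SA expiry, and whether phase 1
    is configured to expire before the phase 2 SAs it protects."""
    lifedur = {int(r["fields"]["lifedur"].rstrip("s")) for r in records if "lifedur" in r["fields"]}
    return {
        "acl_denies": sum(r["event"] == "sa_initiate" and "ACL = deny" in r["text"] for r in records),
        "ike_lifetime_exceeded": any(r["event"] == "ike_lifetime_exceeded" for r in records),
        "ike_purged_at": [r["time"].strftime("%H:%M:%S") for r in records if r["event"] == "ike_sa_purged"],
        "ipsec_lifedur_s": sorted(lifedur),
        "ike_shorter_than_ipsec": bool(lifedur) and ike_lifetime_s < min(lifedur),
        "expiries": shortened_expiries(records),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_records(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against the sample, the summary shows the 120 s shortened lifetime actually being honoured four seconds late, two `sa_initiate` requests refused by the crypto ACL, and an IKE policy lifetime (180 s) that is shorter than the 3600 s the IPsec SAs were negotiated with, which is the combination Rich points at. Feeding it a full `show log` capture from both peers is the quickest way to see whether the timings line up on R4 as well.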


This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:56:20 GMT-3