IPSec Tunnel End-point Discovery

From: Ola Aiyegbusi (ola@xxxxxxxxxxx)
Date: Tue Jan 08 2002 - 10:13:52 GMT-3


I am trying to configure IPSec Tunnel End-point Discovery. The configs for
both routers are as follows:

R4#sh run
Building configuration...

Current configuration : 1085 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R4
!
ip subnet-zero
!
no ip dhcp-client network-discovery
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set encr-only esp-des esp-md5-hmac
!
crypto dynamic-map TED 10
 set transform-set encr-only
 match address 101
!
crypto map Global 10 ipsec-isakmp dynamic TED discover
!
interface Ethernet0
 ip address 135.25.3.1 255.255.255.0
 no keepalive
!
interface Serial0
 ip address 135.25.1.1 255.255.255.0
 crypto map Global
!
interface Serial1
 no ip address
 shutdown
!
ip kerberos source-interface any
ip classless
ip route 0.0.0.0 0.0.0.0 135.25.1.2
!
access-list 101 permit ip 135.25.3.0 0.0.0.255 135.25.4.0 0.0.0.255
access-list 101 permit icmp 135.25.3.0 0.0.0.255 135.25.4.0 0.0.0.255
!
line con 0
 transport input none
line aux 0
line vty 0 4
 login
!
end

R1#sh run
Building configuration...

Current configur-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R1
!
ip subnet-zero
!
no ip dhcp-client network-discovery
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set encr-only esp-des esp-md5-hmac
!
crypto dynamic-map TED 10
 set transform-set encr-only
 match address 101
!
crypto map Global 10 ipsec-isakmp dynamic TED discover
!
interface Serial0
 ip address 135.25.1.2 255.255.255.0
 no ip mroute-cache
 clockrate 1000000
 crypto map Global
!
interface TokenRing0
 ip address 135.25.4.1 255.255.255.0
 ring-speed 4
!
ip kerberos source-interface any
ip classless
ip route 0.0.0.0 0.0.0.0 135.25.1.1
no ip http server
!
access-list 101 permit ip 135.25.4.0 0.0.0.255 135.25.3.0 0.0.0.255
access-list 101 permit icmp 135.25.4.0 0.0.0.255 135.25.3.0 0.0.0.255
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 login
!
end

R1#

I enabled debug crypto isakmp, debug crypto ipsec, and debug crypto engine.
When I do an extended ping from 135.25.3.1 (R4-E0) to 135.25.4.1 (R1-To0), I
get the following response:

R4#ping
Protocol [ip]:
Target IP address: 135.25.4.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 135.25.3.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 135.25.4.1, timeout is 2 seconds:

12:27:12: IPSEC(sa_initiate): ACL = deny; sa request ignored.
12:27:14: IPSEC(sa_initiate): ACL = deny; sa request ignored.
12:27:16: IPSEC(sa_initiate): ACL = deny; sa request ignored.
12:27:18: IPSEC(sa_initiate): ACL = deny; sa request ignored.
12:27:20: IPSEC(sa_initiate): ACL = deny; sa request ignored.
Success rate is 0 percent (0/5)
R4#

I have searched all over CCO for an answer and I'm still stuck. Does anyone
see anything that I don't? Please let me know. Thanks.

Ola Aiyegbusi
Turnkey Networks, Inc.
ola@keynets.com
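As an added example (not part of Ola's post and not a Cisco tool), a small Python checker that parses the two `access-list 101` sets above using Cisco wildcard-mask semantics, reports which entry a given flow hits, and confirms that the two crypto ACLs mirror each other. The ACL text is copied from the configs in the post; the flow addresses are the ones used in the extended ping, plus the Serial0 address as a constructed contrast case.

```python
import ipaddress
import re

# Crypto ACLs copied verbatim from the R4 and R1 configs in the post.
R4_ACL = """
access-list 101 permit ip 135.25.3.0 0.0.0.255 135.25.4.0 0.0.0.255
access-list 101 permit icmp 135.25.3.0 0.0.0.255 135.25.4.0 0.0.0.255
"""
R1_ACL = """
access-list 101 permit ip 135.25.4.0 0.0.0.255 135.25.3.0 0.0.0.255
access-list 101 permit icmp 135.25.4.0 0.0.0.255 135.25.3.0 0.0.0.255
"""

# Only the extended-ACL form used on the page: proto, src/wild, dst/wild.
ACE = re.compile(r"access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+"
                 r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_acl(text):
    """Return a list of (action, proto, (src, wild), (dst, wild)) tuples."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line!r}")
        _num, action, proto, src, swild, dst, dwild = m.groups()
        aces.append((action, proto, (src, swild), (dst, dwild)))
    return aces

def in_wildcard(addr, base, wildcard):
    """Cisco wildcard semantics: a set bit in the wildcard is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def first_match(aces, proto, src, dst):
    """(index, action) of the first ACE the flow hits, or None (implicit deny)."""
    for i, (action, p, (sb, sw), (db, dw)) in enumerate(aces):
        if p not in ("ip", proto):      # 'ip' covers every protocol
            continue
        if in_wildcard(src, sb, sw) and in_wildcard(dst, db, dw):
            return i, action
    return None

def mirrors(local, remote):
    """True if every permit entry on one peer is reversed on the other."""
    reversed_remote = {(p, d, s) for a, p, s, d in remote if a == "permit"}
    return all((p, s, d) in reversed_remote
               for a, p, s, d in local if a == "permit")
```

Run `first_match` with the ping's source and destination to see that the flow does hit R4's first entry, and with the Serial0 address as source to see the implicit deny that a ping not sourced from E0 would get.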



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:56:20 GMT-3