From: Ola Aiyegbusi (ola@xxxxxxxxxxx)
Date: Tue Jan 08 2002 - 13:51:25 GMT-3
Hmm, that's interesting. On the router that is trying to establish the
tunnel, I'm running 12.2.1; on the receiving end, I'm running 12.0. But even
when I try in the other direction, I get the same problem.
Ola
----- Original Message -----
From: Menga, Justin <Justin.Menga@compaq.com>
To: Jon Carmichael <jonc@pacbell.net>; tom cheung <tkc9789@hotmail.com>;
<studyccie@hotmail.com>; <ccielab@groupstudy.com>
Sent: Monday, January 07, 2002 10:39 PM
Subject: RE: IPSEC - Tunnel Endpoint Discovery
> Hi
>
> What IOS are you running? I found issues with 12.2, went back to 12.0T
> or 12.1T (can't remember) and it worked fine.
>
> Justin Menga CCIE#6640 CCDP CCNP+Voice+ATM CSS1 MCSE+I CCSE
> Network Solutions Architect
> Wireless and E-Infrastructure
> Compaq Computer NZ
>
> +64-9-918-9381
> fax +64-9-918-9592
> http://www.compaq.co.nz
>
>
> -----Original Message-----
> From: Jon Carmichael [mailto:jonc@pacbell.net]
> Sent: Tuesday, 8 January 2002 12:19 p.m.
> To: tom cheung; studyccie@hotmail.com; ccielab@groupstudy.com
> Subject: RE: IPSEC - Tunnel Endpoint Discovery
>
>
> I appreciate your close look at the debugs to determine what's missing,
> --but what I can't figure out is what's missing in the config to make it
> work. I can't find anything.
>
> JONC
>
>
> -----Original Message-----
> From: tom cheung [mailto:tkc9789@hotmail.com]
> Sent: Monday, January 07, 2002 2:06 PM
> To: jonc@pacbell.net; studyccie@hotmail.com; ccielab@groupstudy.com
> Subject: Re: IPSEC - Tunnel Endpoint Discovery
>
>
> Jon,
> Although I'm no expert in VPN, I don't see any tunnel discovery
> request message in your debug. One requirement for TED to work is that
> both peers will have to be TED enabled. Wonder if this requirement is
> met?
>
> Tom
>
>
> >From: Jon Carmichael <jonc@pacbell.net>
> >Reply-To: Jon Carmichael <jonc@pacbell.net>
> >To: CCIE Study <studyccie@hotmail.com>, ccielab@groupstudy.com
> >Subject: IPSEC - Tunnel Endpoint Discovery
> >Date: Mon, 07 Jan 2002 12:30:29 -0800
> >
> >I've been trying to get Tunnel Endpoint Discovery working since
> >yesterday. I've been thru several iterations. I'm following variations
> >of the following two examples on CCO.
> >
> >http://www.cisco.com/warp/public/707/tedpreshare.html
> >
> >and
> >
> >http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t5/ted.htm
> >
> >I'm not getting the same result from my debugs that they show in both
> >examples, I will paste one of my debugs and one of my configs. If anyone
> >can interpret this debug or config to tell me why it's failing I would
> >sure appreciate.
> >
> >JONC
> >
> >
> >JCLab5d-R5#
> >JCLab5d-R5#
> >JCLab5d-R5#sho run | begin crypto
> >crypto isakmp policy 10
> > authentication pre-share
> > lifetime 180
> >crypto isakmp key R4R5-key address 0.0.0.0
> >!
> >!
> >crypto ipsec transform-set ENC ah-sha-hmac esp-des esp-md5-hmac
> >!
> >crypto dynamic-map TED-DMAP 10
> > set transform-set ENC
> > match address 111
> >!
> >!
> >crypto map TEDTAG 10 ipsec-isakmp dynamic TED-DMAP discover
> >!
> >!
> >JCLab5d-R5#
> >JCLab5d-R5#sho access-list 111
> >Extended IP access list 111
> > permit tcp 192.168.20.0 0.0.0.255 10.14.0.0 0.0.0.255 (814 matches)
> > permit ip 192.168.20.0 0.0.0.255 10.14.0.0 0.0.0.255 (12 matches)
> >JCLab5d-R5#
> >JCLab5d-R5#
> >JCLab5d-R5#sho log
> >Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
> > Console logging: disabled
> > Monitor logging: level debugging, 0 messages logged
> > Buffer logging: level debugging, 1953 messages logged
> > Trap logging: level informational, 66 message lines logged
> >
> >Log Buffer (4096 bytes):
> >
> > lifedur= 3600s and 4608000kb,
> > spi= 0x15AD0C8C(363662476), conn_id= 2006, keysize= 0, flags= 0x4
> >Jan 7 12:16:24: IPSEC(initialize_sas): ,
> > (key eng. msg.) src= 172.16.99.1, dest= 172.16.99.2,
> > src_proxy= 192.168.20.0/255.255.255.0/0/0 (type=4),
> > dest_proxy= 10.14.0.0/255.255.255.0/6/0 (type=4),
> > protocol= ESP, transform= esp-des esp-md5-hmac ,
> > lifedur= 3600s and 4608000kb,
> > spi= 0x156F07B7(359598007), conn_id= 2007, keysize= 0, flags= 0x4
> >Jan 7 12:16:24: IPSEC(create_sa): sa created,
> > (sa) sa_dest= 172.16.99.1, sa_prot= 51,
> > sa_spi= 0x21630610(560137744),
> > sa_trans= ah-sha-hmac , sa_conn_id= 2004
> >Jan 7 12:16:24: IPSEC(create_sa): sa created,
> > (sa) sa_dest= 172.16.99.2, sa_prot= 51,
> > sa_spi= 0xD4C2288(223093384),
> > sa_trans= ah-sha-hmac , sa_conn_id= 2005
> >Jan 7 12:16:24: IPSEC(create_sa): sa created,
> > (sa) sa_dest= 172.16.99.1, sa_prot= 50,
> > sa_spi= 0x15AD0C8C(363662476),
> > sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2006
> >Jan 7 12:16:24: IPSEC(create_sa): sa created,
> > (sa) sa_dest= 172.16.99.2, sa_prot= 50,
> > sa_spi= 0x156F07B7(359598007),
> > sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2007
> >Jan 7 12:16:24: IPSEC(add_sa): peer asks for new SAs -- expire current in 120 sec.,
> > (sa) sa_dest= 172.16.99.2, sa_prot= 50,
> > sa_spi= 0xCEB0AB0(216730288),
> > sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2003,
> > (identity) local= 172.16.99.1, remote= 172.16.99.2,
> > local_proxy= 192.168.20.0/255.255.255.0/0/0 (type=4),
> > remote_proxy= 10.14.0.0/255.255.255.0/6/0 (type=4)
> >Jan 7 12:16:40: IPSEC(sa_initiate): ACL = deny; sa request ignored
> >Jan 7 12:17:13: ISAKMP (0:2): purging node -1847150921
> >Jan 7 12:18:28: IPSEC(sa_aging): lifetime expiring,
> > (sa) sa_dest= 172.16.99.1, sa_prot= 51,
> > sa_spi= 0x21C90079(566820985),
> > sa_trans= ah-sha-hmac , sa_conn_id= 2000,
> > (identity) local= 172.16.99.1, remote= 172.16.99.2,
> > local_proxy= 192.168.20.0/255.255.255.0/0/0 (type=4),
> > remote_proxy= 10.14.0.0/255.255.255.0/6/0 (type=4)
> >Jan 7 12:18:28: IPSEC(delete_sa): deleting SA,
> > (sa) sa_dest= 172.16.99.1, sa_prot= 51,
> > sa_spi= 0x21C90079(566820985),
> > sa_trans= ah-sha-hmac , sa_conn_id= 2000
> >Jan 7 12:18:28: IPSEC(delete_sa): deleting SA,
> > (sa) sa_dest= 172.16.99.2, sa_prot= 51,
> > sa_spi= 0x26C600E2(650510562),
> > sa_trans= ah-sha-hmac , sa_conn_id= 2001
> >Jan 7 12:18:28: IPSEC(delete_sa): deleting SA,
> > (sa) sa_dest= 172.16.99.1, sa_prot= 50,
> > sa_spi= 0x99319EC(160635372),
> > sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2002
> >Jan 7 12:18:28: IPSEC(delete_sa): deleting SA,
> > (sa) sa_dest= 172.16.99.2, sa_prot= 50,
> > sa_spi= 0xCEB0AB0(216730288),
> > sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2003
> >Jan 7 12:18:28: ISAKMP: received ke message (3/2)
> >Jan 7 12:18:28: CryptoEngine0: generate hmac context for conn id 2
> >Jan 7 12:18:28: ISAKMP (2): sending packet to 172.16.99.2 (R) QM_IDLE
> >Jan 7 12:18:28: ISAKMP (0:2): purging node 441531424
> >Jan 7 12:19:10: ISAKMP (0:2): peer does not do paranoid keepalives.
> >
> >Jan 7 12:19:10: ISAKMP (0:2): deleting SA reason "IKE SA Lifetime Exceeded" state (R) QM_IDLE (peer 172.16.99.2) input queue 0
> >Jan 7 12:19:10: CryptoEngine0: generate hmac context for conn id 2
> >Jan 7 12:19:10: ISAKMP (2): sending packet to 172.16.99.2 (R) MM_NO_STATE
> >Jan 7 12:19:10: ISAKMP (0:2): purging node -159029524
> >Jan 7 12:20:10: ISAKMP (0:2): purging SA.
> >Jan 7 12:20:10: CryptoEngine0: delete connection 2
> >Jan 7 12:21:15: IPSEC(sa_initiate): ACL = deny; sa request ignored
> >Jan 7 12:21:17: IPSEC(sa_initiate): ACL = deny; sa request ignored
> >Jan 7 12:21:21: IPSEC(sa_initiate): ACL = deny; sa request ignored
> >Jan 7 12:21:29: IPSEC(sa_initiate): ACL = deny; sa request ignored
> >Jan 7 12:25:12: IPSEC(sa_initiate): ACL = deny; sa request ignored
> >Jan 7 12:26:46: IPSEC(sa_initiate): ACL = deny; sa request ignored
> >Jan 7 12:26:48: IPSEC(sa_initiate): ACL = deny; sa request ignored
> >Jan 7 12:26:52: IPSEC(sa_initiate): ACL = deny; sa request ignored
> >Jan 7 12:27:00: IPSEC(sa_initiate): ACL = deny; sa request ignored
> >JCLab5d-R5#
> >JCLab5d-R5#
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:56:20 GMT-3
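
Added example, not part of the thread or of any poster's message: a Python helper that undoes the mail-client wrapping seen in the quoted debug, splits it back into one entry per timestamp, and tallies entries so the repeated "ACL = deny; sa request ignored" lines stand out. The sample text is constructed from lines quoted in the thread, and the function names (unwrap, split_entries, summarize) are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: lines taken from the debug quoted in the thread,
# including mail quote prefixes and entries run together by re-wrapping.
SAMPLE = """\
> >Jan 7 12:16:40: IPSEC(sa_initiate): ACL = deny; sa request ignored Jan
>
> >7 12:17:13: ISAKMP (0:2): purging node -1847150921 Jan 7 12:18:28:
> >IPSEC(sa_aging): lifetime expiring,
> > (sa) sa_dest= 172.16.99.1, sa_prot= 51,
> >Jan 7 12:21:15: IPSEC(sa_initiate): ACL = deny; sa
> >request ignored Jan 7 12:21:17: IPSEC(sa_initiate): ACL = deny; sa
> >request ignored JCLab5d-R5#
"""

STAMP = re.compile(r"([A-Z][a-z]{2}) +(\d{1,2}) +(\d\d:\d\d:\d\d): ")
# Entry tag at the start of the body: "IPSEC(func)", "ISAKMP" or "CryptoEngineN".
TAG = re.compile(r"(IPSEC\(\w+\)|ISAKMP|CryptoEngine\d+)")

def unwrap(text):
    """Strip '>' quote prefixes and join all lines into one spaced string."""
    parts = [re.sub(r"^(?:>\s?)+", "", ln).strip() for ln in text.splitlines()]
    return " ".join(p for p in parts if p)

def split_entries(text):
    """Return (time, body) pairs, one per timestamped debug entry."""
    flat = unwrap(text)
    hits = list(STAMP.finditer(flat))
    out = []
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(flat)
        out.append((m.group(3), flat[m.end():end].strip()))
    return out

def summarize(text):
    """Tally entries by tag and list the times of ignored SA requests."""
    tally, ignored = Counter(), []
    for when, body in split_entries(text):
        m = TAG.match(body)
        tally[m.group(1) if m else "other"] += 1
        if "ACL = deny; sa request ignored" in body:
            ignored.append(when)
    return tally, ignored

if __name__ == "__main__":
    counts, ignored = summarize(SAMPLE)
    print(dict(counts), ignored)
```

A trailing router prompt such as JCLab5d-R5# stays attached to the last entry's body; it does not affect the tally.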