RE: IPSEC - Tunnel Endpoint Discovery

From: Jon Carmichael (jonc@xxxxxxxxxxx)
Date: Tue Jan 08 2002 - 21:21:01 GMT-3


I'm running 12.1(11), --I was thinking that I might try a different IOS to
make this work, --we will see, I'm offering a few folks remote access thru
the net to my rack to see if they can kick this around and make it work.

JONC

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Menga, Justin
Sent: Monday, January 07, 2002 7:39 PM
To: Jon Carmichael; tom cheung; studyccie@hotmail.com;
ccielab@groupstudy.com
Subject: RE: IPSEC - Tunnel Endpoint Discovery

Hi

What IOS are you running? I found issues with 12.2, went back to 12.0T
or 12.1T (can't remember) and it worked fine.

Justin Menga CCIE#6640 CCDP CCNP+Voice+ATM CSS1 MCSE+I CCSE
Network Solutions Architect
Wireless and E-Infrastructure
Compaq Computer NZ

*+64-9-918-9381
fax +64-9-918-9592
* http://www.compaq.co.nz

-----Original Message-----
From: Jon Carmichael [mailto:jonc@pacbell.net]
Sent: Tuesday, 8 January 2002 12:19 p.m.
To: tom cheung; studyccie@hotmail.com; ccielab@groupstudy.com
Subject: RE: IPSEC - Tunnel Endpoint Discovery

I appreciate your close look at the debugs to determine what's missing,
--but what I can't figure out is what's missing in the config to make it
work. I can't find anything.

JONC

-----Original Message-----
From: tom cheung [mailto:tkc9789@hotmail.com]
Sent: Monday, January 07, 2002 2:06 PM
To: jonc@pacbell.net; studyccie@hotmail.com; ccielab@groupstudy.com
Subject: Re: IPSEC - Tunnel Endpoint Discovery

Jon,
Although I'm no expert in VPN, I don't see any tunnel discovery
request message in your debug. One requirement for TED to work is that
both peers will have to be TED enabled. Wonder if this requirement is
met?

Tom

>From: Jon Carmichael <jonc@pacbell.net>
>Reply-To: Jon Carmichael <jonc@pacbell.net>
>To: CCIE Study <studyccie@hotmail.com>, ccielab@groupstudy.com
>Subject: IPSEC - Tunnel Endpoint Discovery
>Date: Mon, 07 Jan 2002 12:30:29 -0800
>
>I've been trying to get Tunnel Endpoint Discovery working since
>yesterday. I've been thru several iterations. I'm following variations
>of the following two examples on CCO.
>
>http://www.cisco.com/warp/public/707/tedpreshare.html
>
>and
>
>http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t5/ted.htm
>
>I'm not getting the same result from my debugs that they show in both
>examples. I will paste one of my debugs and one of my configs. If anyone
>can interpret this debug or config to tell me why it's failing I would
>sure appreciate it.
>
>JONC
>
>
>JCLab5d-R5#
>JCLab5d-R5#
>JCLab5d-R5#sho run | begin crypto
>crypto isakmp policy 10
> authentication pre-share
> lifetime 180
>crypto isakmp key R4R5-key address 0.0.0.0
>!
>!
>crypto ipsec transform-set ENC ah-sha-hmac esp-des esp-md5-hmac
>!
>crypto dynamic-map TED-DMAP 10
> set transform-set ENC
> match address 111
>!
>!
>crypto map TEDTAG 10 ipsec-isakmp dynamic TED-DMAP discover
>!
>!
>JCLab5d-R5#
>JCLab5d-R5#sho access-list 111
>Extended IP access list 111
> permit tcp 192.168.20.0 0.0.0.255 10.14.0.0 0.0.0.255 (814 matches)
> permit ip 192.168.20.0 0.0.0.255 10.14.0.0 0.0.0.255 (12 matches)
>JCLab5d-R5#
>JCLab5d-R5#
>JCLab5d-R5#sho log
>Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
> Console logging: disabled
> Monitor logging: level debugging, 0 messages logged
> Buffer logging: level debugging, 1953 messages logged
> Trap logging: level informational, 66 message lines logged
>
>Log Buffer (4096 bytes):
>
> lifedur= 3600s and 4608000kb,
> spi= 0x15AD0C8C(363662476), conn_id= 2006, keysize= 0, flags= 0x4
>Jan 7 12:16:24: IPSEC(initialize_sas): ,
> (key eng. msg.) src= 172.16.99.1, dest= 172.16.99.2,
> src_proxy= 192.168.20.0/255.255.255.0/0/0 (type=4),
> dest_proxy= 10.14.0.0/255.255.255.0/6/0 (type=4),
> protocol= ESP, transform= esp-des esp-md5-hmac ,
> lifedur= 3600s and 4608000kb,
> spi= 0x156F07B7(359598007), conn_id= 2007, keysize= 0, flags= 0x4
>Jan 7 12:16:24: IPSEC(create_sa): sa created,
> (sa) sa_dest= 172.16.99.1, sa_prot= 51,
> sa_spi= 0x21630610(560137744),
> sa_trans= ah-sha-hmac , sa_conn_id= 2004
>Jan 7 12:16:24: IPSEC(create_sa): sa created,
> (sa) sa_dest= 172.16.99.2, sa_prot= 51,
> sa_spi= 0xD4C2288(223093384),
> sa_trans= ah-sha-hmac , sa_conn_id= 2005
>Jan 7 12:16:24: IPSEC(create_sa): sa created,
> (sa) sa_dest= 172.16.99.1, sa_prot= 50,
> sa_spi= 0x15AD0C8C(363662476),
> sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2006
>Jan 7 12:16:24: IPSEC(create_sa): sa created,
> (sa) sa_dest= 172.16.99.2, sa_prot= 50,
> sa_spi= 0x156F07B7(359598007),
> sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2007
>Jan 7 12:16:24: IPSEC(add_sa): peer asks for new SAs -- expire current in 120 sec.,
> (sa) sa_dest= 172.16.99.2, sa_prot= 50,
> sa_spi= 0xCEB0AB0(216730288),
> sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2003,
> (identity) local= 172.16.99.1, remote= 172.16.99.2,
> local_proxy= 192.168.20.0/255.255.255.0/0/0 (type=4),
> remote_proxy= 10.14.0.0/255.255.255.0/6/0 (type=4)
>Jan 7 12:16:40: IPSEC(sa_initiate): ACL = deny; sa request ignored
>Jan 7 12:17:13: ISAKMP (0:2): purging node -1847150921
>Jan 7 12:18:28: IPSEC(sa_aging): lifetime expiring,
> (sa) sa_dest= 172.16.99.1, sa_prot= 51,
> sa_spi= 0x21C90079(566820985),
> sa_trans= ah-sha-hmac , sa_conn_id= 2000,
> (identity) local= 172.16.99.1, remote= 172.16.99.2,
> local_proxy= 192.168.20.0/255.255.255.0/0/0 (type=4),
> remote_proxy= 10.14.0.0/255.255.255.0/6/0 (type=4)
>Jan 7 12:18:28: IPSEC(delete_sa): deleting SA,
> (sa) sa_dest= 172.16.99.1, sa_prot= 51,
> sa_spi= 0x21C90079(566820985),
> sa_trans= ah-sha-hmac , sa_conn_id= 2000
>Jan 7 12:18:28: IPSEC(delete_sa): deleting SA,
> (sa) sa_dest= 172.16.99.2, sa_prot= 51,
> sa_spi= 0x26C600E2(650510562),
> sa_trans= ah-sha-hmac , sa_conn_id= 2001
>Jan 7 12:18:28: IPSEC(delete_sa): deleting SA,
> (sa) sa_dest= 172.16.99.1, sa_prot= 50,
> sa_spi= 0x99319EC(160635372),
> sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2002
>Jan 7 12:18:28: IPSEC(delete_sa): deleting SA,
> (sa) sa_dest= 172.16.99.2, sa_prot= 50,
> sa_spi= 0xCEB0AB0(216730288),
> sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2003
>Jan 7 12:18:28: ISAKMP: received ke message (3/2)
>Jan 7 12:18:28: CryptoEngine0: generate hmac context for conn id 2
>Jan 7 12:18:28: ISAKMP (2): sending packet to 172.16.99.2 (R) QM_IDLE
>Jan 7 12:18:28: ISAKMP (0:2): purging node 441531424
>Jan 7 12:19:10: ISAKMP (0:2): peer does not do paranoid keepalives.
>
>Jan 7 12:19:10: ISAKMP (0:2): deleting SA reason "IKE SA Lifetime Exceeded"
>state (R) QM_IDLE (peer 172.16.99.2) input queue 0
>Jan 7 12:19:10: CryptoEngine0: generate hmac context for conn id 2
>Jan 7 12:19:10: ISAKMP (2): sending packet to 172.16.99.2 (R) MM_NO_STATE
>Jan 7 12:19:10: ISAKMP (0:2): purging node -159029524
>Jan 7 12:20:10: ISAKMP (0:2): purging SA.
>Jan 7 12:20:10: CryptoEngine0: delete connection 2
>Jan 7 12:21:15: IPSEC(sa_initiate): ACL = deny; sa request ignored
>Jan 7 12:21:17: IPSEC(sa_initiate): ACL = deny; sa request ignored
>Jan 7 12:21:21: IPSEC(sa_initiate): ACL = deny; sa request ignored
>Jan 7 12:21:29: IPSEC(sa_initiate): ACL = deny; sa request ignored
>Jan 7 12:25:12: IPSEC(sa_initiate): ACL = deny; sa request ignored
>Jan 7 12:26:46: IPSEC(sa_initiate): ACL = deny; sa request ignored
>Jan 7 12:26:48: IPSEC(sa_initiate): ACL = deny; sa request ignored
>Jan 7 12:26:52: IPSEC(sa_initiate): ACL = deny; sa request ignored
>Jan 7 12:27:00: IPSEC(sa_initiate): ACL = deny; sa request ignored
>JCLab5d-R5#
>JCLab5d-R5#
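A small triage script for the kind of `sho log` buffer quoted above, added here as an example and not from the thread or from Cisco: it groups the IOS IPSEC/ISAKMP debug lines into timestamped events, pulls out the SA create/delete records, counts the `ACL = deny; sa request ignored` events, and reports whether any tunnel discovery probe appeared, which is the absence Tom points out. The sample buffer is a constructed subset of the quoted debug; matching the substring `discover` to spot a TED probe is an assumption, since the quoted buffer contains no such line.

```python
import re

# Constructed sample: a subset of the debug lines quoted in the thread.
# Continuation lines of one event are indented or carry no timestamp.
SAMPLE_DEBUG = """\
Jan 7 12:16:24: IPSEC(create_sa): sa created,
 (sa) sa_dest= 172.16.99.1, sa_prot= 51,
 sa_spi= 0x21630610(560137744),
 sa_trans= ah-sha-hmac , sa_conn_id= 2004
Jan 7 12:16:40: IPSEC(sa_initiate): ACL = deny; sa request ignored
Jan 7 12:18:28: IPSEC(delete_sa): deleting SA,
 (sa) sa_dest= 172.16.99.1, sa_prot= 51,
 sa_spi= 0x21C90079(566820985),
 sa_trans= ah-sha-hmac , sa_conn_id= 2000
Jan 7 12:19:10: ISAKMP (0:2): deleting SA reason "IKE SA Lifetime Exceeded"
state (R) QM_IDLE (peer 172.16.99.2) input queue 0
Jan 7 12:21:15: IPSEC(sa_initiate): ACL = deny; sa request ignored
Jan 7 12:21:17: IPSEC(sa_initiate): ACL = deny; sa request ignored
"""

EVENT_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d): (.*)$")
SA_RE = re.compile(r"sa_dest= ([\d.]+), sa_prot= (\d+),.*?sa_spi= (0x[0-9A-Fa-f]+)", re.S)


def parse_events(text):
    """Group the buffer into (timestamp, body) events; untimestamped lines extend the previous event."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append([m.group(1), m.group(2)])
        elif events:
            events[-1][1] += "\n" + line
    return [tuple(e) for e in events]


def triage(text):
    """Summarise SA churn, ACL denies and IKE lifetime expiry; flag whether a TED probe was ever logged."""
    s = {"acl_deny": 0, "created": [], "deleted": [], "ike_lifetime_expired": False, "ted_probe_seen": False}
    for _ts, body in parse_events(text):
        if "ACL = deny; sa request ignored" in body:
            s["acl_deny"] += 1
        elif "IPSEC(create_sa)" in body or "IPSEC(delete_sa)" in body:
            m = SA_RE.search(body)
            if m:  # (sa_dest, IP protocol 50=ESP/51=AH, SPI)
                s["created" if "create_sa" in body else "deleted"].append((m.group(1), int(m.group(2)), m.group(3)))
        if "IKE SA Lifetime Exceeded" in body:
            s["ike_lifetime_expired"] = True
        if "discover" in body.lower():  # assumption: a TED probe line would mention "discover"
            s["ted_probe_seen"] = True
    # Tom's point: repeated denies with no discovery probe means the TED exchange never started.
    s["ted_never_started"] = s["acl_deny"] > 0 and not s["ted_probe_seen"]
    return s
```

Run `triage(SAMPLE_DEBUG)` to get the summary dict; on the quoted buffer it shows three ACL denies, one AH SA created and one deleted, and no discovery probe.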



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:56:20 GMT-3