RE: IPSec Tunnel End-point Discovery

From: Menga, Justin (Justin.Menga@xxxxxxxxxx)
Date: Wed Jan 09 2002 - 17:22:36 GMT-3


   
From your config I see you're running 12.2 IOS; try 12.0T or 12.1. I've had issues with 12.2.

Regards,

Justin Menga CCIE#6640 CCDP CCNP+Voice+ATM CSS1 MCSE+I CCSE
Network Solutions Architect
Wireless and E-Infrastructure
Compaq Computer NZ

+64-9-918-9381
fax +64-9-918-9592
http://www.compaq.co.nz

-----Original Message-----
From: Ola Aiyegbusi [mailto:ola@keynets.com]
Sent: Wednesday, 9 January 2002 2:14 a.m.
To: ccielab@groupstudy.com
Subject: IPSec Tunnel End-point Discovery

I am trying to configure IPSec Tunnel End-point Discovery. The configs
for both routers are as follows:

R4#sh run
Building configuration...

Current configuration : 1085 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R4
!
ip subnet-zero
!
no ip dhcp-client network-discovery
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set encr-only esp-des esp-md5-hmac
!
crypto dynamic-map TED 10
 set transform-set encr-only
 match address 101
!
crypto map Global 10 ipsec-isakmp dynamic TED discover
!
interface Ethernet0
 ip address 135.25.3.1 255.255.255.0
 no keepalive
!
interface Serial0
 ip address 135.25.1.1 255.255.255.0
 crypto map Global
!
interface Serial1
 no ip address
 shutdown
!
ip kerberos source-interface any
ip classless
ip route 0.0.0.0 0.0.0.0 135.25.1.2
!
access-list 101 permit ip 135.25.3.0 0.0.0.255 135.25.4.0 0.0.0.255
access-list 101 permit icmp 135.25.3.0 0.0.0.255 135.25.4.0 0.0.0.255
!
line con 0
 transport input none
line aux 0
line vty 0 4
 login
!
end

R1#sh run
Building configuration...

Current configur-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R1
!
ip subnet-zero
!
no ip dhcp-client network-discovery
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set encr-only esp-des esp-md5-hmac
!
crypto dynamic-map TED 10
 set transform-set encr-only
 match address 101
!
crypto map Global 10 ipsec-isakmp dynamic TED discover
!
interface Serial0
 ip address 135.25.1.2 255.255.255.0
 no ip mroute-cache
 clockrate 1000000
 crypto map Global
!
interface TokenRing0
 ip address 135.25.4.1 255.255.255.0
 ring-speed 4
!
ip kerberos source-interface any
ip classless
ip route 0.0.0.0 0.0.0.0 135.25.1.1
no ip http server
!
access-list 101 permit ip 135.25.4.0 0.0.0.255 135.25.3.0 0.0.0.255
access-list 101 permit icmp 135.25.4.0 0.0.0.255 135.25.3.0 0.0.0.255
!
line con 0
 transport input none
line aux 0
line vty 0 4
 login
!
end

R1#

I enabled debug crypto isakmp, debug crypto ipsec, and debug crypto
engine. When I do an extended ping from 135.25.3.1 (R4-E0) to 135.25.4.1
(R1-To0), I get the following response:

R4#ping
Protocol [ip]:
Target IP address: 135.25.4.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 135.25.3.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 135.25.4.1, timeout is 2 seconds:

12:27:12: IPSEC(sa_initiate): ACL = deny; sa request ignored.
12:27:14: IPSEC(sa_initiate): ACL = deny; sa request ignored.
12:27:16: IPSEC(sa_initiate): ACL = deny; sa request ignored.
12:27:18: IPSEC(sa_initiate): ACL = deny; sa request ignored.
12:27:20: IPSEC(sa_initiate): ACL = deny; sa request ignored.
Success rate is 0 percent (0/5)
R4#

I have searched all over CCO for an answer and I'm still stuck. Does
anyone see anything that I don't? Please let me know. Thanks.

Ola Aiyegbusi
Turnkey Networks, Inc.
ola@keynets.com
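The two configurations posted above, run through the checks a reviewer would make first on any pair of IPsec peers (mirror-image crypto ACLs, identical transform sets, and whether the pre-shared key is bound to a wildcard peer address), as an added example that is not part of the original post. The config excerpts are constructed from the crypto-relevant lines posted for R4 and R1; the checks are assumptions about what to audit and do not diagnose the debug output shown.

```python
import re

# Constructed excerpts of the R4 and R1 configs from the post; only the
# crypto-relevant lines are kept (assumption: the rest does not affect the checks).
R4_CONFIG = """\
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set encr-only esp-des esp-md5-hmac
crypto dynamic-map TED 10
 set transform-set encr-only
 match address 101
crypto map Global 10 ipsec-isakmp dynamic TED discover
access-list 101 permit ip 135.25.3.0 0.0.0.255 135.25.4.0 0.0.0.255
access-list 101 permit icmp 135.25.3.0 0.0.0.255 135.25.4.0 0.0.0.255
"""
R1_CONFIG = """\
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set encr-only esp-des esp-md5-hmac
crypto dynamic-map TED 10
 set transform-set encr-only
 match address 101
crypto map Global 10 ipsec-isakmp dynamic TED discover
access-list 101 permit ip 135.25.4.0 0.0.0.255 135.25.3.0 0.0.0.255
access-list 101 permit icmp 135.25.4.0 0.0.0.255 135.25.3.0 0.0.0.255
"""

ACL_RE = re.compile(r"^access-list (\d+) permit (\S+) (\S+ \S+) (\S+ \S+)$", re.M)
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$", re.M)
KEY_RE = re.compile(r"^crypto isakmp key \S+ address (\S+) (\S+)$", re.M)
MATCH_RE = re.compile(r"^ match address (\d+)$", re.M)

def crypto_acl(config):
    """Set of (proto, src, dst) entries of the ACL(s) referenced by 'match address'."""
    acl_ids = set(MATCH_RE.findall(config))
    return {(p, s, d) for n, p, s, d in ACL_RE.findall(config) if n in acl_ids}

def mirrored(local, peer):
    """The peer's crypto ACL must be the source/destination mirror of ours."""
    return {(p, d, s) for p, s, d in peer} == local

def audit(cfg_a, cfg_b):
    """Return a list of findings for the peer pair; empty means all checks passed."""
    findings = []
    if not mirrored(crypto_acl(cfg_a), crypto_acl(cfg_b)):
        findings.append("crypto ACLs are not mirror images")
    if {t for _, t in TS_RE.findall(cfg_a)} != {t for _, t in TS_RE.findall(cfg_b)}:
        findings.append("transform sets differ")
    for name, cfg in (("A", cfg_a), ("B", cfg_b)):
        if ("0.0.0.0", "0.0.0.0") in KEY_RE.findall(cfg):
            findings.append(f"{name}: wildcard pre-shared key accepts any peer address")
    return findings
```

On the posted pair the ACL and transform-set checks pass; the only finding is the wildcard `0.0.0.0 0.0.0.0` key address on both routers, which is a common lab shortcut but worth flagging outside a lab.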



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:56:22 GMT-3