From: Keyur Shah (kshah@xxxxxxxxxxxxxxxxxx)
Date: Wed Jan 09 2002 - 18:42:42 GMT-3
Are you able to ping without applying crypto map on serial? It seems you
should be. Double check that though.
Otherwise, it looks like a correct config to me.
-Keyur Shah-
CCIE# 4799 (Security; Routing and Switching)
css1,ccna,ccda,scsa,scna,mct,mcse,mcp+i,mcp,cni,mcne,cne,cna
Hello Computers
"Say Hello to Your Future!"
http://www.hellocomputers.com
Toll-Free: 1.877.794.3556
Fremont: 510.795.6815
Santa Clara: 408.496.0801
Europe: +(44)20 7900 3011
Fax: 510.291.2250
-----Original Message-----
From: Ola Aiyegbusi [mailto:ola@keynets.com]
Sent: Tuesday, January 08, 2002 5:14 AM
To: ccielab@groupstudy.com
Subject: IPSec Tunnel End-point Discovery
I am trying to configure IPSec Tunnel End-point Discovery. The configs for
both routers are as follows:
R4#sh run
Building configuration...
Current configuration : 1085 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R4
!
ip subnet-zero
!
no ip dhcp-client network-discovery
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set encr-only esp-des esp-md5-hmac
!
crypto dynamic-map TED 10
set transform-set encr-only
match address 101
!
crypto map Global 10 ipsec-isakmp dynamic TED discover
!
interface Ethernet0
ip address 135.25.3.1 255.255.255.0
no keepalive
!
interface Serial0
ip address 135.25.1.1 255.255.255.0
crypto map Global
!
interface Serial1
no ip address
shutdown
!
ip kerberos source-interface any
ip classless
ip route 0.0.0.0 0.0.0.0 135.25.1.2
!
access-list 101 permit ip 135.25.3.0 0.0.0.255 135.25.4.0 0.0.0.255
access-list 101 permit icmp 135.25.3.0 0.0.0.255 135.25.4.0 0.0.0.255
!
line con 0
transport input none
line aux 0
line vty 0 4
login
!
end
R1#sh run
Building configuration...
Current configur-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R1
!
ip subnet-zero
!
no ip dhcp-client network-discovery
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set encr-only esp-des esp-md5-hmac
!
crypto dynamic-map TED 10
set transform-set encr-only
match address 101
!
crypto map Global 10 ipsec-isakmp dynamic TED discover
!
interface Serial0
ip address 135.25.1.2 255.255.255.0
no ip mroute-cache
clockrate 1000000
crypto map Global
!
interface TokenRing0
ip address 135.25.4.1 255.255.255.0
ring-speed 4
!
ip kerberos source-interface any
ip classless
ip route 0.0.0.0 0.0.0.0 135.25.1.1
no ip http server
!
access-list 101 permit ip 135.25.4.0 0.0.0.255 135.25.3.0 0.0.0.255
access-list 101 permit icmp 135.25.4.0 0.0.0.255 135.25.3.0 0.0.0.255
!
!
line con 0
transport input none
line aux 0
line vty 0 4
login
!
end
R1#
I enabled debug crypto isakmp, debug crypto ipsec, and debug crypto engine.
When I do an extended ping from 135.25.3.1 (R4-E0) to 135.25.4.1 (R1-To0), I
get the following response:
R4#ping
Protocol [ip]:
Target IP address: 135.25.4.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 135.25.3.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 135.25.4.1, timeout is 2 seconds:
12:27:12: IPSEC(sa_initiate): ACL = deny; sa request ignored.
12:27:14: IPSEC(sa_initiate): ACL = deny; sa request ignored.
12:27:16: IPSEC(sa_initiate): ACL = deny; sa request ignored.
12:27:18: IPSEC(sa_initiate): ACL = deny; sa request ignored.
12:27:20: IPSEC(sa_initiate): ACL = deny; sa request ignored.
Success rate is 0 percent (0/5)
R4#
I have searched all over CCO for an answer and I'm still stuck. Does anyone
see anything that I don't? Please let me know. Thanks.
Ola Aiyegbusi
Turnkey Networks, Inc.
ola@keynets.com
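As an added check that is not part of the thread, the following Python evaluator reproduces IOS extended-ACL semantics (first match wins, wildcard masks, implicit deny at the end) and applies them to the two crypto ACLs posted above. It confirms that a ping sourced from 135.25.3.1 to 135.25.4.1 is permitted by R4's access-list 101 and that the two ACLs are mirror images of each other; the ACL text is copied from the configs in the post, and the parser also accepts the "host" and "any" forms, which the post does not use.

```python
import ipaddress
from typing import List, Tuple

# (action, proto, src, src_wildcard, dst, dst_wildcard)
Entry = Tuple[str, str, str, str, str, str]

# Copies of the two crypto ACLs posted in the thread (constructed sample input).
R4_ACL_101 = """
access-list 101 permit ip 135.25.3.0 0.0.0.255 135.25.4.0 0.0.0.255
access-list 101 permit icmp 135.25.3.0 0.0.0.255 135.25.4.0 0.0.0.255
"""
R1_ACL_101 = """
access-list 101 permit ip 135.25.4.0 0.0.0.255 135.25.3.0 0.0.0.255
access-list 101 permit icmp 135.25.4.0 0.0.0.255 135.25.3.0 0.0.0.255
"""

def _addr_spec(tokens: List[str]) -> Tuple[str, str, List[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]

def parse_acl(text: str) -> List[Entry]:
    """Parse 'access-list N permit|deny proto SRC DST' lines; other lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list":
            continue
        action, proto, rest = parts[2], parts[3], parts[4:]
        src, src_wc, rest = _addr_spec(rest)
        dst, dst_wc, rest = _addr_spec(rest)
        entries.append((action, proto, src, src_wc, dst, dst_wc))
    return entries

def _wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a, n = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(net))
    return (a & care) == (n & care)

def acl_decision(entries: List[Entry], proto: str, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, p, s, swc, d, dwc in entries:
        if p in ("ip", proto) and _wildcard_match(src, s, swc) and _wildcard_match(dst, d, dwc):
            return action
    return "deny"

def is_mirror(local: List[Entry], remote: List[Entry]) -> bool:
    """Crypto ACLs must mirror: each local permit must appear on the peer with src/dst swapped."""
    swapped = {(a, p, d, dwc, s, swc) for a, p, s, swc, d, dwc in remote}
    return all(e in swapped for e in local if e[0] == "permit")
```

Note that a ping sourced from the serial address 135.25.1.1 instead of E0 falls through to the implicit deny, which is why the extended ping in the post sets the source address explicitly.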
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:56:22 GMT-3