IPSEC PROBLEM...HELP

From: zapeta zape (zzapeta@xxxxxxxxxxx)
Date: Sat Jan 12 2002 - 12:02:49 GMT-3


   
Hi,
I spent all day yesterday trying to set up IPsec.
I have 4 routers running ISIS over frame relay, I can ping all the way
through, ISIS is working fine.

r8------r9----r7 -------r2
R9 is the hub and we have 3 spokes. By the way, R7 is connected to r2 via
Ethernet.

These are the configs:

r8
crypto isakmp policy 1
hash md5
authentication pre-share
lifetime 500
crypto isakmp key cisco address 172.16.104.1
!
!
crypto ipsec transform-set doom esp-des
!
!
crypto map yahoo local-address Loopback0
crypto map yahoo 10 ipsec-isakmp
set peer 172.16.104.1
set transform-set doom
match address 101
!
!
!
!
interface Loopback0
ip address 172.16.102.1 255.255.255.0
no ip directed-broadcast
ip router isis
!

!
interface Tunnel0
ip address 10.1.1.1 255.255.255.0
no ip directed-broadcast
tunnel source 172.16.102.1
tunnel destination 172.16.104.1
crypto map yahoo
!

!
interface BRI0/0
ip address 172.16.12.2 255.255.255.0
no ip directed-broadcast
encapsulation ppp
ip ospf demand-circuit
ip ospf database-filter all out
shutdown
dialer idle-timeout 40
dialer map ipx 12.0001.0001.0001 name r9 broadcast 7704324217
dialer-group 1
isdn switch-type basic-ni
isdn spid1 77043242400101 4324240
no cdp enable
ppp authentication chap
!
interface Serial0/0
ip address 172.16.123.2 255.255.255.0
no ip directed-broadcast
ip router isis
encapsulation frame-relay
ip ospf network point-to-multipoint
no ip mroute-cache
isis circuit-type level-1
frame-relay map clns 809 broadcast
frame-relay map ip 172.16.123.1 809 broadcast
frame-relay map ip 172.16.123.2 809 broadcast
frame-relay map ip 172.16.123.3 809 broadcast
frame-relay lmi-type cisco
crypto map yahoo

!
router isis
net 49.0001.0002.0002.0002.00
!
ip classless
!
access-list 101 permit ip host 10.1.1.1 host 10.1.1.2

r2
clns routing
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
lifetime 500
crypto isakmp key cisco address 172.16.102.1
!
!
crypto ipsec transform-set doom esp-des
!
!
crypto map kaier local-address Loopback0
crypto map kaiser 10 ipsec-isakmp
set peer 172.16.102.1
set transform-set doom
match address 101
!
!
!
interface Loopback0
ip address 172.16.104.1 255.255.255.0
no ip directed-broadcast
ip router isis

!
interface Tunnel0
ip address 10.1.1.2 255.255.255.0
no ip directed-broadcast
tunnel source 172.16.104.1
tunnel destination 172.16.102.1
crypto map yahoo
!
interface Ethernet0
ip address 172.16.43.4 255.255.255.0
no ip directed-broadcast
ip router isis
isis circuit-type level-1
crypto map yahoo
!
interface Serial0
ip address 172.16.14.4 255.255.255.0
no ip directed-broadcast
ip router isis
encapsulation frame-relay
no ip mroute-cache
frame-relay map clns 209 broadcast
frame-relay map ip 172.16.14.1 209 broadcast
frame-relay map ip 172.16.14.4 209 broadcast
crypto map yahoo
!

router isis
net 49.0002.0004.0004.0004.00
!
ip classless
!
access-list 101 permit ip host 10.1.1.2 host 10.1.1.1

When I do deb crypto IPsec on r8 this is what I get:

ar 1 00:01:55: IPSEC(key_engine): got a queue event...
*Mar 1 00:01:55: IPSEC(key_engine_delete_sas): rec'd delete notify from
ISAKMP
*Mar 1 00:01:55: IPSEC(key_engine_delete_sas): delete all SAs shared with
172.16.104.1
r8#
*Mar 1 00:02:04: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 172.16.102.1, remote= 172.16.104.1,
    local_proxy= 10.1.1.1/255.255.255.255/0/0 (type=1),
    remote_proxy= 10.1.1.2/255.255.255.255/0/0 (type=1)
*Mar 1 00:02:04: IPSEC(sa_request): ,
  (key eng. msg.) src= 172.16.102.1, dest= 172.16.104.1,
    src_proxy= 10.1.1.1/255.255.255.255/0/0 (type=1),
    dest_proxy= 10.1.1.2/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-des ,
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
*Mar 1 00:02:05: IPSEC(key_engine): got a queue event...
*Mar 1 00:02:05: IPSEC(spi_response): getting spi 373362238 for SA
        from 172.16.104.1 to 172.16.102.1 for prot 3
*Mar 1 00:02:06: IPSEC(key_engine): got a queue event...
*Mar 1 00:02:06: IPSEC(key_engine_delete_sas): rec'd delete notify from
ISAKMP
*Mar 1 00:02:06: IPSEC(key_engine_delete_sas): delete all SAs shared with
172.16.104.1
r8#
*Mar 1 00:02:10: IPSEC(key_engine): got a queue event...
*Mar 1 00:02:10: IPSEC(key_engine_delete_sas): rec'd delete notify from
ISAKMP
*Mar 1 00:02:10: IPSEC(key_engine_delete_sas): delete all SAs shared with
172.16.104.1

When I do deb crypto IPsec on r2 this is what I get:
*Mar 1 11:59:37: IPSEC(sa_request): ,
  (key eng. msg.) src= 10.1.1.2, dest= 172.16.102.1,
    src_proxy= 10.1.1.2/255.255.255.255/0/0 (type=1),
    dest_proxy= 10.1.1.1/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-des ,
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
*Mar 1 11:59:38: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational
mode failed with peer at 172.16.102.1
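
Added example, not part of the original post: a small consistency check over the crypto map lines of the two posted configs, reporting map names that are applied to an interface or given a local-address without a matching "crypto map <name> <seq> ipsec-isakmp" entry. The function names parse and lint are hypothetical, and the embedded config text is a constructed excerpt cut down from the configs in the post.

```python
import re

# Constructed excerpts: only the crypto map lines of the r8 and r2 configs above.
R8 = """crypto map yahoo local-address Loopback0
crypto map yahoo 10 ipsec-isakmp
interface Tunnel0
crypto map yahoo
interface Serial0/0
crypto map yahoo
"""
R2 = """crypto map kaier local-address Loopback0
crypto map kaiser 10 ipsec-isakmp
interface Tunnel0
crypto map yahoo
interface Ethernet0
crypto map yahoo
interface Serial0
crypto map yahoo
"""

def parse(cfg):
    """Collect map names with a sequence entry, with local-address, and per interface."""
    entries, local, applied, iface = set(), set(), {}, None
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif m := re.match(r"crypto map (\S+) local-address \S+", line):
            local.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            entries.add(m.group(1))
        elif (m := re.match(r"crypto map (\S+)$", line)) and iface:
            applied[iface] = m.group(1)
    return entries, local, applied

def lint(router, cfg):
    """Report crypto map names that are referenced without an entry, or never applied."""
    entries, local, applied = parse(cfg)
    out = []
    for iface, name in sorted(applied.items()):
        if name not in entries:
            out.append(f"{router}: {iface} applies '{name}', which has no sequence entry")
    for name in sorted(local - entries):
        out.append(f"{router}: local-address is set on '{name}', which has no sequence entry")
    for name in sorted(entries - set(applied.values())):
        out.append(f"{router}: '{name}' has an entry but is applied to no interface")
    return out

if __name__ == "__main__":
    print("\n".join(lint("r8", R8) + lint("r2", R2)))
```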


