From: Greg Shonting (gshonting@xxxxxxxxxxxxxxxxxxx)
Date: Sat Jan 12 2002 - 14:56:18 GMT-3
Issue 1-
In order to get traffic through the tunnel (without IPsec) you need to have routing set up properly.
The route to the remote network that you want to go through the tunnel should point to the tunnel.
example- on r8 ip route 172.16.43.4 255.255.255.0 tunnel0
You must also have a route to the tunnel destination (be careful not to make a recursive route).
example- on r8 ip route 172.16.104.1 255.255.255.0 <wan ip address of R9>
These can be static or dynamic routes, just make sure you have them. I usually use static, but that's up to you. I always set up the tunnel first, then add the encryption.
Issue 2- adding encryption-
There must be a route to the peer (from the crypto map) across the WAN.
example- on r8 ip route 172.16.104.1 255.255.255.0 <wan ip address of R9>
I think your problem is the crypto map access list.
You are using access-list 101 permit ip host 10.1.1.1 host 10.1.1.2
This says to the crypto engine "Encrypt all IP traffic from 10.1.1.1 to 10.1.1.2". When traffic goes through a tunnel the source address is the IP address from the tunnel source x.x.x.x command, in your case Loopback0. Also the traffic is not IP, it is GRE.
Try this as your access list:
on r8- access-list 101 permit gre host 172.16.102.1 host 172.16.104.1
r2 should have a mirror image access list:
on r2- access-list 101 permit gre host 172.16.104.1 host 172.16.102.1
Good Luck
Greg Shonting
Senior Network Engineer
InfoSys Networks
gshonting@infosysnetworks.com
Taking the lab exam Monday!!
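As an added example (not part of Greg's reply or the original post), a small Python checker that encodes his two rules for a GRE-over-IPsec crypto ACL: the entry must match protocol gre between the tunnel source and tunnel destination, and the two peers' entries must mirror each other. The config fragments are constructed from the addresses in the thread; the function names are my own.

```python
import re

# Constructed fragments modelled on the post: only the lines the check needs.
R8_BROKEN = """interface Tunnel0
 ip address 10.1.1.1 255.255.255.0
 tunnel source 172.16.102.1
 tunnel destination 172.16.104.1
access-list 101 permit ip host 10.1.1.1 host 10.1.1.2
"""
R8_FIXED = R8_BROKEN.replace("permit ip host 10.1.1.1 host 10.1.1.2",
                             "permit gre host 172.16.102.1 host 172.16.104.1")
R2_FIXED = """interface Tunnel0
 ip address 10.1.1.2 255.255.255.0
 tunnel source 172.16.104.1
 tunnel destination 172.16.102.1
access-list 101 permit gre host 172.16.104.1 host 172.16.102.1
"""

def parse(cfg):
    """Extract tunnel source, tunnel destination and the access-list 101 entries."""
    src = re.search(r"tunnel source (\S+)", cfg).group(1)
    dst = re.search(r"tunnel destination (\S+)", cfg).group(1)
    acl = re.findall(r"access-list 101 permit (\S+) host (\S+) host (\S+)", cfg)
    return src, dst, acl

def crypto_acl_problems(cfg):
    """Reasons the crypto ACL will never match the tunnel traffic (empty list = OK)."""
    src, dst, acl = parse(cfg)
    problems = []
    if ("gre", src, dst) not in acl:
        problems.append(f"missing: permit gre host {src} host {dst}")
    for proto, s, d in acl:
        # What leaves the router is a GRE packet whose outer addresses are the
        # tunnel source/destination; inner tunnel-interface addresses are invisible.
        if proto != "gre" or (s, d) != (src, dst):
            problems.append(f"entry 'permit {proto} host {s} host {d}' "
                            "does not describe GRE between the tunnel endpoints")
    return problems

def acls_mirror(cfg_a, cfg_b):
    """True when every entry on one peer has the reversed entry on the other."""
    _, _, a = parse(cfg_a)
    _, _, b = parse(cfg_b)
    flipped = {(proto, d, s) for proto, s, d in a}
    return flipped == set(b)
```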
-----Original Message-----
From: zapeta zape [mailto:zzapeta@hotmail.com]
Sent: Saturday, January 12, 2002 10:03 AM
To: ccielab@groupstudy.com
Subject: IPSEC PROBLEM...HELP
Hi,
I spent all day yesterday trying to set up IPsec.
I have 4 routers running ISIS over frame relay, I can ping all the way
through, ISIS is working fine.
r8------r9----r7 -------r2
R9 is the hub and we have 3 spokes; by the way, R7 is connected to r2 via Ethernet.
These are the configs:
r8
crypto isakmp policy 1
hash md5
authentication pre-share
lifetime 500
crypto isakmp key cisco address 172.16.104.1
!
!
crypto ipsec transform-set doom esp-des
!
!
crypto map yahoo local-address Loopback0
crypto map yahoo 10 ipsec-isakmp
set peer 172.16.104.1
set transform-set doom
match address 101
!
!
!
!
interface Loopback0
ip address 172.16.102.1 255.255.255.0
no ip directed-broadcast
ip router isis
!
!
interface Tunnel0
ip address 10.1.1.1 255.255.255.0
no ip directed-broadcast
tunnel source 172.16.102.1
tunnel destination 172.16.104.1
crypto map yahoo
!
!
interface BRI0/0
ip address 172.16.12.2 255.255.255.0
no ip directed-broadcast
encapsulation ppp
ip ospf demand-circuit
ip ospf database-filter all out
shutdown
dialer idle-timeout 40
dialer map ipx 12.0001.0001.0001 name r9 broadcast 7704324217
dialer-group 1
isdn switch-type basic-ni
isdn spid1 77043242400101 4324240
no cdp enable
ppp authentication chap
!
interface Serial0/0
ip address 172.16.123.2 255.255.255.0
no ip directed-broadcast
ip router isis
encapsulation frame-relay
ip ospf network point-to-multipoint
no ip mroute-cache
isis circuit-type level-1
frame-relay map clns 809 broadcast
frame-relay map ip 172.16.123.1 809 broadcast
frame-relay map ip 172.16.123.2 809 broadcast
frame-relay map ip 172.16.123.3 809 broadcast
frame-relay lmi-type cisco
crypto map yahoo
!
router isis
net 49.0001.0002.0002.0002.00
!
ip classless
!
access-list 101 permit ip host 10.1.1.1 host 10.1.1.2
r2
clns routing
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
lifetime 500
crypto isakmp key cisco address 172.16.102.1
!
!
crypto ipsec transform-set doom esp-des
!
!
crypto map kaier local-address Loopback0
crypto map kaiser 10 ipsec-isakmp
set peer 172.16.102.1
set transform-set doom
match address 101
!
!
!
interface Loopback0
ip address 172.16.104.1 255.255.255.0
no ip directed-broadcast
ip router isis
!
interface Tunnel0
ip address 10.1.1.2 255.255.255.0
no ip directed-broadcast
tunnel source 172.16.104.1
tunnel destination 172.16.102.1
crypto map yahoo
!
interface Ethernet0
ip address 172.16.43.4 255.255.255.0
no ip directed-broadcast
ip router isis
isis circuit-type level-1
crypto map yahoo
!
interface Serial0
ip address 172.16.14.4 255.255.255.0
no ip directed-broadcast
ip router isis
encapsulation frame-relay
no ip mroute-cache
frame-relay map clns 209 broadcast
frame-relay map ip 172.16.14.1 209 broadcast
frame-relay map ip 172.16.14.4 209 broadcast
crypto map yahoo
!
router isis
net 49.0002.0004.0004.0004.00
!
ip classless
!
access-list 101 permit ip host 10.1.1.2 host 10.1.1.1
When I do deb crypto ipsec on r8 this is what I get:
*Mar 1 00:01:55: IPSEC(key_engine): got a queue event...
*Mar 1 00:01:55: IPSEC(key_engine_delete_sas): rec'd delete notify from
ISAKMP
*Mar 1 00:01:55: IPSEC(key_engine_delete_sas): delete all SAs shared with
172.16.104.1
r8#
*Mar 1 00:02:04: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 172.16.102.1, remote= 172.16.104.1,
local_proxy= 10.1.1.1/255.255.255.255/0/0 (type=1),
remote_proxy= 10.1.1.2/255.255.255.255/0/0 (type=1)
*Mar 1 00:02:04: IPSEC(sa_request): ,
(key eng. msg.) src= 172.16.102.1, dest= 172.16.104.1,
src_proxy= 10.1.1.1/255.255.255.255/0/0 (type=1),
dest_proxy= 10.1.1.2/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-des ,
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
*Mar 1 00:02:05: IPSEC(key_engine): got a queue event...
*Mar 1 00:02:05: IPSEC(spi_response): getting spi 373362238 for SA
from 172.16.104.1 to 172.16.102.1 for prot 3
*Mar 1 00:02:06: IPSEC(key_engine): got a queue event...
*Mar 1 00:02:06: IPSEC(key_engine_delete_sas): rec'd delete notify from
ISAKMP
*Mar 1 00:02:06: IPSEC(key_engine_delete_sas): delete all SAs shared with
172.16.104.1
r8#
*Mar 1 00:02:10: IPSEC(key_engine): got a queue event...
*Mar 1 00:02:10: IPSEC(key_engine_delete_sas): rec'd delete notify from
ISAKMP
*Mar 1 00:02:10: IPSEC(key_engine_delete_sas): delete all SAs shared with
172.16.104.1
When I do deb crypto ipsec on r2 this is what I get:
*Mar 1 11:59:37: IPSEC(sa_request): ,
(key eng. msg.) src= 10.1.1.2, dest= 172.16.102.1,
src_proxy= 10.1.1.2/255.255.255.255/0/0 (type=1),
dest_proxy= 10.1.1.1/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-des ,
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
*Mar 1 11:59:38: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational
mode failed with peer at 172.16.102.1
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:56:26 GMT-3