From: tom cheung (tkc9789@xxxxxxxxxxx)
Date: Sat Jan 12 2002 - 16:05:46 GMT-3
I believe ACL 101 needs to be modified.
Since you're using a GRE tunnel, the permit statement should be
permit gre host x.x.x.x host y.y.y.y where x.x.x.x and y.y.y.y
are the physical end-points, not the tunnel addresses.
>From: "zapeta zape" <zzapeta@hotmail.com>
>Reply-To: "zapeta zape" <zzapeta@hotmail.com>
>To: ccielab@groupstudy.com
>Subject: IPSEC PROBLEM...HELP
>Date: Sat, 12 Jan 2002 10:02:49 -0500
>
>Hi,
>I spent all day yesterday trying to set up IPsec.
>I have 4 routers running ISIS over frame relay. I can ping all the way
>through; ISIS is working fine.
>
>r8------r9----r7 -------r2
>R9 is the hub and we have 3 spokes. By the way, R7 is connected to r2 via
>ethernet
>
>These are the configs
>
>r8
>crypto isakmp policy 1
>hash md5
>authentication pre-share
>lifetime 500
>crypto isakmp key cisco address 172.16.104.1
>!
>!
>crypto ipsec transform-set doom esp-des
>!
>!
>crypto map yahoo local-address Loopback0
>crypto map yahoo 10 ipsec-isakmp
>set peer 172.16.104.1
>set transform-set doom
>match address 101
>!
>!
>!
>!
>interface Loopback0
>ip address 172.16.102.1 255.255.255.0
>no ip directed-broadcast
>ip router isis
>!
>
>!
>interface Tunnel0
>ip address 10.1.1.1 255.255.255.0
>no ip directed-broadcast
>tunnel source 172.16.102.1
>tunnel destination 172.16.104.1
>crypto map yahoo
>!
>
>!
>interface BRI0/0
>ip address 172.16.12.2 255.255.255.0
>no ip directed-broadcast
>encapsulation ppp
>ip ospf demand-circuit
>ip ospf database-filter all out
>shutdown
>dialer idle-timeout 40
>dialer map ipx 12.0001.0001.0001 name r9 broadcast 7704324217
>dialer-group 1
>isdn switch-type basic-ni
>isdn spid1 77043242400101 4324240
>no cdp enable
>ppp authentication chap
>!
>interface Serial0/0
>ip address 172.16.123.2 255.255.255.0
>no ip directed-broadcast
>ip router isis
>encapsulation frame-relay
>ip ospf network point-to-multipoint
>no ip mroute-cache
>isis circuit-type level-1
>frame-relay map clns 809 broadcast
>frame-relay map ip 172.16.123.1 809 broadcast
>frame-relay map ip 172.16.123.2 809 broadcast
>frame-relay map ip 172.16.123.3 809 broadcast
>frame-relay lmi-type cisco
>crypto map yahoo
>
>!
>router isis
>net 49.0001.0002.0002.0002.00
>!
>ip classless
>!
>access-list 101 permit ip host 10.1.1.1 host 10.1.1.2
>
>
>
>r2
>clns routing
>!
>!
>crypto isakmp policy 1
>hash md5
>authentication pre-share
>lifetime 500
>crypto isakmp key cisco address 172.16.102.1
>!
>!
>crypto ipsec transform-set doom esp-des
>!
>!
>crypto map kaier local-address Loopback0
>crypto map kaiser 10 ipsec-isakmp
>set peer 172.16.102.1
>set transform-set doom
>match address 101
>!
>!
>!
>interface Loopback0
>ip address 172.16.104.1 255.255.255.0
>no ip directed-broadcast
>ip router isis
>
>!
>interface Tunnel0
>ip address 10.1.1.2 255.255.255.0
>no ip directed-broadcast
>tunnel source 172.16.104.1
>tunnel destination 172.16.102.1
>crypto map yahoo
>!
>interface Ethernet0
>ip address 172.16.43.4 255.255.255.0
>no ip directed-broadcast
>ip router isis
>isis circuit-type level-1
>crypto map yahoo
>!
>interface Serial0
>ip address 172.16.14.4 255.255.255.0
>no ip directed-broadcast
>ip router isis
>encapsulation frame-relay
>no ip mroute-cache
>frame-relay map clns 209 broadcast
>frame-relay map ip 172.16.14.1 209 broadcast
>frame-relay map ip 172.16.14.4 209 broadcast
>crypto map yahoo
>!
>
>router isis
>net 49.0002.0004.0004.0004.00
>!
>ip classless
>!
>access-list 101 permit ip host 10.1.1.2 host 10.1.1.1
>
>When I do deb crypto IPsec on r8 this is what I get:
>
>*Mar 1 00:01:55: IPSEC(key_engine): got a queue event...
>*Mar 1 00:01:55: IPSEC(key_engine_delete_sas): rec'd delete notify from
>ISAKMP
>*Mar 1 00:01:55: IPSEC(key_engine_delete_sas): delete all SAs shared with
>172.16.104.1
>r8#
>*Mar 1 00:02:04: IPSEC(key_engine): request timer fired: count = 1,
> (identity) local= 172.16.102.1, remote= 172.16.104.1,
> local_proxy= 10.1.1.1/255.255.255.255/0/0 (type=1),
> remote_proxy= 10.1.1.2/255.255.255.255/0/0 (type=1)
>*Mar 1 00:02:04: IPSEC(sa_request): ,
> (key eng. msg.) src= 172.16.102.1, dest= 172.16.104.1,
> src_proxy= 10.1.1.1/255.255.255.255/0/0 (type=1),
> dest_proxy= 10.1.1.2/255.255.255.255/0/0 (type=1),
> protocol= ESP, transform= esp-des ,
> lifedur= 3600s and 4608000kb,
> spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
>*Mar 1 00:02:05: IPSEC(key_engine): got a queue event...
>*Mar 1 00:02:05: IPSEC(spi_response): getting spi 373362238 for SA
> from 172.16.104.1 to 172.16.102.1 for prot 3
>*Mar 1 00:02:06: IPSEC(key_engine): got a queue event...
>*Mar 1 00:02:06: IPSEC(key_engine_delete_sas): rec'd delete notify from
>ISAKMP
>*Mar 1 00:02:06: IPSEC(key_engine_delete_sas): delete all SAs shared with
>172.16.104.1
>r8#
>*Mar 1 00:02:10: IPSEC(key_engine): got a queue event...
>*Mar 1 00:02:10: IPSEC(key_engine_delete_sas): rec'd delete notify from
>ISAKMP
>*Mar 1 00:02:10: IPSEC(key_engine_delete_sas): delete all SAs shared with
>172.16.104.1
>
>When I do deb crypto IPsec on r2 this is what I get:
>*Mar 1 11:59:37: IPSEC(sa_request): ,
> (key eng. msg.) src= 10.1.1.2, dest= 172.16.102.1,
> src_proxy= 10.1.1.2/255.255.255.255/0/0 (type=1),
> dest_proxy= 10.1.1.1/255.255.255.255/0/0 (type=1),
> protocol= ESP, transform= esp-des ,
> lifedur= 3600s and 4608000kb,
> spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
>*Mar 1 11:59:38: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational
>mode failed with peer at 172.16.102.1
>
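The point raised above (the crypto ACL on a GRE tunnel must match GRE between the physical endpoints, not the tunnel addresses) can be turned into a config lint. The following is an added example, not code from either poster: it parses a constructed excerpt modelled on the r8 config, pulls the tunnel source/destination and the crypto map's match ACL, and reports when the ACL lacks the expected gre entry; it also flags an interface that references a crypto map name that is never defined, the situation r2's config is in.

```python
import re

# Constructed excerpt modelled on the r8 config in the thread (not the poster's full config).
R8_CONFIG = """\
crypto map yahoo 10 ipsec-isakmp
 set peer 172.16.104.1
 match address 101
!
interface Tunnel0
 ip address 10.1.1.1 255.255.255.0
 tunnel source 172.16.102.1
 tunnel destination 172.16.104.1
 crypto map yahoo
!
access-list 101 permit ip host 10.1.1.1 host 10.1.1.2
"""

def parse_config(text):
    """Return (crypto_maps, tunnels, acls) from an IOS-style config; '!' ends a section."""
    maps, tunnels, acls = {}, {}, {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", line):
            section = ("map", m.group(1))
            maps.setdefault(m.group(1), {})
        elif m := re.match(r"interface (Tunnel\S+)", line):
            section = ("tunnel", m.group(1))
            tunnels[m.group(1)] = {}
        elif m := re.match(r"access-list (\d+) permit (\S+) host (\S+) host (\S+)", line):
            acls.setdefault(m.group(1), []).append(m.groups()[1:])  # (proto, src, dst)
        elif line.startswith("!"):
            section = None
        elif section and section[0] == "map":
            if m := re.match(r"match address (\d+)", line):
                maps[section[1]]["acl"] = m.group(1)
        elif section and section[0] == "tunnel":
            if m := re.match(r"tunnel (source|destination) (\S+)", line):
                tunnels[section[1]][m.group(1)] = m.group(2)
            elif m := re.match(r"crypto map (\S+)", line):
                tunnels[section[1]]["map"] = m.group(1)
    return maps, tunnels, acls

def check_gre_crypto_acl(text):
    """List findings: undefined crypto maps, and crypto ACLs missing the gre endpoint entry."""
    maps, tunnels, acls = parse_config(text)
    findings = []
    for name, tun in tunnels.items():
        map_name = tun.get("map")
        if map_name not in maps:
            findings.append(f"{name}: crypto map {map_name!r} is not defined")
            continue
        acl = maps[map_name].get("acl")
        want = ("gre", tun["source"], tun["destination"])  # GRE between physical endpoints
        if want not in acls.get(acl, []):
            findings.append(f"{name}: ACL {acl} should contain 'permit gre host {tun['source']} host {tun['destination']}'")
    return findings
```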
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:56:26 GMT-3