IPSec: Simple config not working

From: John Neiberger (neiby@xxxxxxxxxx)
Date: Thu Mar 14 2002 - 01:14:37 GMT-3


Okay, I'm tired of looking at this. I've read more about ipsec
today and yesterday than I care to and I still can't figure out
why this isn't working. I keep getting an error about how the
peer can't do paranoid keepalives. CCO, of course, makes no
mention of paranoid keepalives.

The layout:

R2-----R1----(ipsec)----R4-----R3

I'm only attempting to encrypt ICMP traffic from R3 destined
for the loopback address of R2 and vice versa. R1 and R4 are
the ipsec endpoints.

R1 Config:

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 172.16.14.4
!
!
crypto ipsec transform-set myset esp-des
!
crypto map mymap 1 ipsec-isakmp
 set peer 172.16.4.4
 set transform-set myset
 match address 100
!
interface Serial0
 no ip address
 encapsulation frame-relay
 frame-relay lmi-type cisco
!
interface Serial0.1 multipoint
 ip address 172.16.123.1 255.255.255.0
 ip router isis
 frame-relay map clns 102 broadcast
 frame-relay map ip 172.16.123.2 102 broadcast
!
interface Serial0.2 point-to-point
 ip address 172.16.14.1 255.255.255.0
 ip router isis
 frame-relay interface-dlci 104
 crypto map mymap
!
access-list 100 permit icmp host 147.10.1.145 host 172.16.43.3

R4 Config:

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 172.16.14.1
!
!
crypto ipsec transform-set myset esp-des
!
crypto map mymap 1 ipsec-isakmp
 set peer 172.16.14.1
 set transform-set myset
 match address 100
!
interface Serial0
 no ip address
 encapsulation frame-relay
 frame-relay lmi-type cisco
!
interface Serial0.1 point-to-point
 ip address 172.16.14.4 255.255.255.0
 ip router isis
 frame-relay interface-dlci 401
 crypto map mymap
!
interface TokenRing0
 ip address 172.16.43.4 255.255.255.0
 ip router isis
 ring-speed 16
!
access-list 100 permit icmp host 172.16.43.3 host 147.10.1.145

Here's the debug output from R4:

01:09:02: IPSEC(sa_request): ,
  (key eng. msg.) src= 172.16.14.4, dest= 172.16.14.1,
    src_proxy= 172.16.43.3/255.255.255.255/1/0 (type=1),
    dest_proxy= 147.10.1.145/255.255.255.255/1/0 (type=1),
    protocol= ESP, transform= esp-des ,
    lifedur= 3600s and 4608000kb,
    spi= 0xC14141D(202642461), conn_id= 0, keysize= 0, flags= 0x4004
01:09:02: ISAKMP: received ke message (1/1)
01:09:02: ISAKMP: local port 500, remote port 500
01:09:02: ISAKMP (0:1): beginning Main Mode exchange
01:09:02: ISAKMP (1): sending packet to 172.16.14.1 (I) MM_NO_STATE
01:09:03: ISAKMP (1): received packet from 172.16.14.1 (I) MM_NO_STATE
01:09:03: ISAKMP (0:1): processing SA payload. message ID = 0
01:09:03: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
01:09:03: ISAKMP: encryption DES-CBC
01:09:03: ISAKMP: hash MD5
01:09:03: ISAKMP: default group 1
01:09:03: ISAKMP: auth pre-share
01:09:03: ISAKMP (0:1): atts are acceptable. Next payload is 0
01:09:05: ISAKMP (0:1): SA is doing pre-shared key authentication
01:09:05: ISAKMP (1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
01:09:05: ISAKMP (1): sending packet to 172.16.14.1 (I) MM_SA_SETUP
01:09:07: ISAKMP (1): received packet from 172.16.14.1 (I) MM_SA_SETUP
01:09:07: ISAKMP (0:1): processing KE payload. message ID = 0
01:09:09: ISAKMP (0:1): processing NONCE payload. message ID = 0
01:09:09: ISAKMP (0:1): SKEYID state generated
01:09:09: ISAKMP (0:1): processing vendor id payload
01:09:09: ISAKMP (0:1): speaking to another IOS box!
01:09:09: ISAKMP (1): ID payload
        next-payload : 8
        type : 1
        protocol : 17
        port : 500
        length : 8
01:09:09: ISAKMP (1): Total payload length: 12
01:09:09: ISAKMP (1): sending packet to 172.16.14.1 (I) MM_KEY_EXCH
01:09:09: ISAKMP (1): received packet from 172.16.14.1 (I) MM_KEY_EXCH
01:09:09: ISAKMP (0:1): processing ID payload. message ID = 0
01:09:09: ISAKMP (0:1): processing HASH payload. message ID = 0
01:09:09: ISAKMP (0:1): SA has been authenticated with 172.16.14.1
01:09:09: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -1141343141
01:09:09: ISAKMP (1): sending packet to 172.16.14.1 (I) QM_IDLE
01:09:09: ISAKMP (1): received packet from 172.16.14.1 (I) QM_IDLE
01:09:09: ISAKMP (1): processing NOTIFY payload 14 protocol 0
        spi 0, message ID = 1136009096
01:09:09: ISAKMP (0:1): peer does not do paranoid keepalives.
01:09:09: ISAKMP (0:1): deleting node 1136009096 error FALSE reason "informational (in) state 1"
01:09:09: IPSEC(key_engine): got a queue event...
01:09:09: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
01:09:09: IPSEC(key_engine_delete_sas): delete all SAs shared with 172.16.14.1

I don't even know how to proceed at this point. Any ideas?

Thanks, especially to those who've already been helping me out
with this stuff.

John
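A cross-check of the two posted configs, added here as an example; it is not part of the original post. For an ipsec-isakmp crypto map, the 'set peer' address on each side has to be the address of an interface on the other side that actually carries a crypto map, the pre-shared key has to be configured against that same address, and the two 'match address' ACLs have to be exact mirrors of each other; otherwise the responder has no entry that matches the initiator's Quick Mode proposal. The script parses the crypto-relevant lines of the R1 and R4 configs (copied from the post into inline strings) and reports every place the two sides disagree. Run against these configs it flags R1's 'set peer 172.16.4.4', which matches neither R4's Serial0.1 address nor the address in R1's own 'crypto isakmp key' line. The regexes cover only the command forms that appear in these configs (host-to-host ACL entries, one 'ip address' per interface, one 'set peer' per map entry).

```python
import re
from dataclasses import dataclass, field

# The crypto-relevant lines of the two configs posted above (isakmp policy,
# transform-set, frame-relay and isis commands dropped; the parser ignores them).
R1_CONFIG = """\
crypto isakmp key cisco address 172.16.14.4
crypto map mymap 1 ipsec-isakmp
 set peer 172.16.4.4
 set transform-set myset
 match address 100
interface Serial0.2 point-to-point
 ip address 172.16.14.1 255.255.255.0
 crypto map mymap
access-list 100 permit icmp host 147.10.1.145 host 172.16.43.3
"""
R4_CONFIG = """\
crypto isakmp key cisco address 172.16.14.1
crypto map mymap 1 ipsec-isakmp
 set peer 172.16.14.1
 set transform-set myset
 match address 100
interface Serial0.1 point-to-point
 ip address 172.16.14.4 255.255.255.0
 crypto map mymap
interface TokenRing0
 ip address 172.16.43.4 255.255.255.0
access-list 100 permit icmp host 172.16.43.3 host 147.10.1.145
"""

@dataclass
class CryptoConfig:
    name: str
    psk: dict = field(default_factory=dict)        # peer address -> pre-shared key
    peers: dict = field(default_factory=dict)      # crypto map name -> [set peer ...]
    map_acl: dict = field(default_factory=dict)    # crypto map name -> ACL number
    acls: dict = field(default_factory=dict)       # ACL number -> [(proto, src, dst)]
    iface_ip: dict = field(default_factory=dict)   # interface -> address
    iface_map: dict = field(default_factory=dict)  # interface -> crypto map applied

    def crypto_addresses(self):
        """Addresses that terminate IPsec: interfaces with a crypto map applied."""
        return {ip for ifn, ip in self.iface_ip.items() if ifn in self.iface_map}

def parse_ios(name, text):
    """Pull crypto-map related settings out of an IOS running-config fragment."""
    cfg, section = CryptoConfig(name), None      # section = ("map"|"iface", name)
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):             # top-level command
            section = None
            if m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
                cfg.psk[m[2]] = m[1]
            elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
                section = ("map", m[1]); cfg.peers.setdefault(m[1], [])
            elif m := re.match(r"interface (\S+)", line):
                section = ("iface", m[1])
            elif m := re.match(r"access-list (\d+) permit (\S+) host (\S+) host (\S+)", line):
                cfg.acls.setdefault(m[1], []).append((m[2], m[3], m[4]))
            continue
        line = line.strip()                      # sub-command of the current section
        if section and section[0] == "map":
            if m := re.match(r"set peer (\S+)", line):
                cfg.peers[section[1]].append(m[1])
            elif m := re.match(r"match address (\d+)", line):
                cfg.map_acl[section[1]] = m[1]
        elif section and section[0] == "iface":
            if m := re.match(r"ip address (\S+) \S+", line):
                cfg.iface_ip[section[1]] = m[1]
            elif m := re.match(r"crypto map (\S+)$", line):
                cfg.iface_map[section[1]] = m[1]
    return cfg

def check_side(a, b):
    """Findings for endpoint a, judged against what endpoint b actually offers."""
    out, b_addrs = [], b.crypto_addresses()
    b_acl = {e for n in b.map_acl.values() for e in b.acls.get(n, [])}
    for mapname, peers in a.peers.items():
        for peer in peers:
            if peer not in b_addrs:              # Phase 2 lookup on b is keyed by this address
                out.append(f"{a.name}: 'set peer {peer}' in map {mapname} is not a "
                           f"crypto-map interface address on {b.name} {sorted(b_addrs)}")
            if peer not in a.psk:
                out.append(f"{a.name}: no 'crypto isakmp key ... address {peer}' for map {mapname}")
        for proto, src, dst in a.acls.get(a.map_acl.get(mapname), []):
            if (proto, dst, src) not in b_acl:   # proxy identities must mirror exactly
                out.append(f"{a.name}: ACL entry {proto} {src}->{dst} has no mirror on {b.name}")
    a_key = {a.psk.get(x) for x in b_addrs} - {None}            # key a uses toward b
    b_key = {b.psk.get(x) for x in a.crypto_addresses()} - {None}  # key b uses toward a
    if a_key and b_key and a_key != b_key:
        out.append(f"{a.name}: pre-shared key does not match {b.name}'s")
    return out

def lint(a, b):
    return check_side(a, b) + check_side(b, a)
```

Calling lint(parse_ios("R1", R1_CONFIG), parse_ios("R4", R4_CONFIG)) returns two findings, both against R1: the peer address that exists on neither router, and the missing 'crypto isakmp key' for that same address. The ACLs and the key itself check out, which is consistent with Phase 1 completing in the debug output.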
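A decoder for the R4 debug output above, also an added example rather than anything from the post. The transcript shows Phase 1 completing (MM_NO_STATE, MM_SA_SETUP, MM_KEY_EXCH, then "SA has been authenticated") and the failure arriving during Quick Mode as an informational NOTIFY with type 14, which in RFC 2408 section 3.14.1 is NO-PROPOSAL-CHOSEN: the responder found nothing matching the initiator's Phase 2 proposal (peer, transform set or proxy identities), after which IOS tears down the SAs. The "peer does not do paranoid keepalives" line is logged while handling that same informational exchange; the notify type is the useful clue. The script tracks the exchange states from the packet tags, maps the notify code to its RFC 2408 name and returns a per-phase verdict. The sample log is a copy of the posted lines with the e-mail wraps joined, and NOTIFY_TYPES lists only a subset of the RFC 2408 error types.

```python
import re

# Copy of the R4 'debug crypto isakmp' lines from the post, with the e-mail
# line wraps joined; lines that carry no state information were left out.
DEBUG = """\
01:09:02: ISAKMP (0:1): beginning Main Mode exchange
01:09:02: ISAKMP (1): sending packet to 172.16.14.1 (I) MM_NO_STATE
01:09:03: ISAKMP (1): received packet from 172.16.14.1 (I) MM_NO_STATE
01:09:03: ISAKMP (0:1): atts are acceptable. Next payload is 0
01:09:05: ISAKMP (1): sending packet to 172.16.14.1 (I) MM_SA_SETUP
01:09:07: ISAKMP (1): received packet from 172.16.14.1 (I) MM_SA_SETUP
01:09:09: ISAKMP (1): sending packet to 172.16.14.1 (I) MM_KEY_EXCH
01:09:09: ISAKMP (1): received packet from 172.16.14.1 (I) MM_KEY_EXCH
01:09:09: ISAKMP (0:1): SA has been authenticated with 172.16.14.1
01:09:09: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -1141343141
01:09:09: ISAKMP (1): sending packet to 172.16.14.1 (I) QM_IDLE
01:09:09: ISAKMP (1): received packet from 172.16.14.1 (I) QM_IDLE
01:09:09: ISAKMP (1): processing NOTIFY payload 14 protocol 0
        spi 0, message ID = 1136009096
01:09:09: ISAKMP (0:1): peer does not do paranoid keepalives.
01:09:09: IPSEC(key_engine_delete_sas): delete all SAs shared with 172.16.14.1
"""

# ISAKMP notification error types from RFC 2408 section 3.14.1 (subset).
NOTIFY_TYPES = {
    1: "INVALID-PAYLOAD-TYPE", 11: "INVALID-SPI", 14: "NO-PROPOSAL-CHOSEN",
    16: "PAYLOAD-MALFORMED", 18: "INVALID-ID-INFORMATION", 24: "INVALID-HASH-INFORMATION",
}

def summarize(debug_text):
    """Reduce 'debug crypto isakmp' output to per-phase verdicts."""
    verdict = {"role": None, "states": [], "phase1": "not started",
               "phase2": "not started", "notifies": [], "sa_deleted": False}
    for line in debug_text.splitlines():
        # every sent/received packet line ends with "(I|R) <state>"
        if m := re.search(r"\((I|R)\) (MM_\w+|AG_\w+|QM_\w+)$", line):
            verdict["role"] = "initiator" if m[1] == "I" else "responder"
            if m[2] not in verdict["states"]:
                verdict["states"].append(m[2])
        if "SA has been authenticated" in line:      # Phase 1 done
            verdict["phase1"] = "authenticated"
        elif "beginning Quick Mode" in line:         # Phase 2 proposal sent
            verdict["phase2"] = "proposed"
        elif m := re.search(r"NOTIFY payload (\d+)", line):
            code = int(m[1])
            verdict["notifies"].append((code, NOTIFY_TYPES.get(code, "unknown")))
            if code == 14:                           # responder matched no proposal
                verdict["phase2"] = "rejected by peer: NO-PROPOSAL-CHOSEN"
        elif "delete all SAs" in line:
            verdict["sa_deleted"] = True
    return verdict
```

summarize(DEBUG) reports the initiator reaching QM_IDLE with Phase 1 authenticated and Phase 2 rejected with NO-PROPOSAL-CHOSEN, which points at the responder's crypto map (peer, transform set or mirrored ACL) rather than at the ISAKMP policy or the pre-shared key.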



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:57:04 GMT-3