From: Paul Lalonde (plalonde2@xxxxxxxxx)
Date: Thu Mar 14 2002 - 02:18:05 GMT-3
John,
Just a guess... but whenever I've worked with IPSEC in the past, I needed to
apply the crypto-map to both the physical interface and the subinterface.
Try applying the crypto-map to your physical frame-relay interface, not just
the subinterface.
Copied the following straight from CCO:
Apply Crypto Map Sets to Interfaces
You need to apply a crypto map set to each interface through which IPSec or
CET traffic will flow. Applying the crypto map set to an interface instructs
the router to evaluate all the interface's traffic against the crypto map
set and to use the specified policy during connection or security
association negotiation on behalf of traffic to be protected by crypto
(either CET or IPSec).
Note: For Frame Relay interfaces, apply the same crypto map to both the logical and physical interfaces (the Frame Relay sub-interface and the physical interface).
Hope this helps!
Paul Lalonde
----- Original Message -----
From: "John Neiberger" <neiby@ureach.com>
To: <ccielab@groupstudy.com>
Sent: Wednesday, March 13, 2002 11:14 PM
Subject: IPSec: Simple config not working
> Okay, I'm tired of looking at this. I've read more about ipsec
> today and yesterday than I care to and I still can't figure out
> why this isn't working. I keep getting an error about how the
> peer can't do paranoid keepalives. CCO, of course, makes no
> mention of paranoid keepalives.
>
> The layout:
>
> R2-----R1----(ipsec)----R4-----R3
>
> I'm only attempting to encrypt ICMP traffic from R3 destined
> for the loopback address of R2 and vice versa. R1 and R4 are
> the ipsec endpoints.
>
> R1 Config:
>
> crypto isakmp policy 1
> authentication pre-share
> crypto isakmp key cisco address 172.16.14.4
> !
> !
> crypto ipsec transform-set myset esp-des
> !
> crypto map mymap 1 ipsec-isakmp
> set peer 172.16.4.4
> set transform-set myset
> match address 100
> !
> interface Serial0
> no ip address
> encapsulation frame-relay
> frame-relay lmi-type cisco
> !
> interface Serial0.1 multipoint
> ip address 172.16.123.1 255.255.255.0
> ip router isis
> frame-relay map clns 102 broadcast
> frame-relay map ip 172.16.123.2 102 broadcast
> !
> interface Serial0.2 point-to-point
> ip address 172.16.14.1 255.255.255.0
> ip router isis
> frame-relay interface-dlci 104
> crypto map mymap
> !
> access-list 100 permit icmp host 147.10.1.145 host 172.16.43.3
>
> R4 Config:
>
> crypto isakmp policy 1
> authentication pre-share
> crypto isakmp key cisco address 172.16.14.1
> !
> !
> crypto ipsec transform-set myset esp-des
> !
> crypto map mymap 1 ipsec-isakmp
> set peer 172.16.14.1
> set transform-set myset
> match address 100
> !
> interface Serial0
> no ip address
> encapsulation frame-relay
> frame-relay lmi-type cisco
> !
> interface Serial0.1 point-to-point
> ip address 172.16.14.4 255.255.255.0
> ip router isis
> frame-relay interface-dlci 401
> crypto map mymap
> !
> interface TokenRing0
> ip address 172.16.43.4 255.255.255.0
> ip router isis
> ring-speed 16
> !
> access-list 100 permit icmp host 172.16.43.3 host 147.10.1.145
>
> Here's the debug output from R4:
>
> 01:09:02: IPSEC(sa_request): ,
> (key eng. msg.) src= 172.16.14.4, dest= 172.16.14.1,
> src_proxy= 172.16.43.3/255.255.255.255/1/0 (type=1),
> dest_proxy= 147.10.1.145/255.255.255.255/1/0 (type=1),
> protocol= ESP, transform= esp-des ,
> lifedur= 3600s and 4608000kb,
> spi= 0xC14141D(202642461), conn_id= 0, keysize= 0, flags= 0x4004
> 01:09:02: ISAKMP: received ke message (1/1)
> 01:09:02: ISAKMP: local port 500, remote port 500
> 01:09:02: ISAKMP (0:1): beginning Main Mode exchange
> 01:09:02: ISAKMP (1): sending packet to 172.16.14.1 (I) MM_NO_STATE
> 01:09:03: ISAKMP (1): received packet from 172.16.14.1 (I) MM_NO_STATE
> 01:09:03: ISAKMP (0:1): processing SA payload. message ID = 0
> 01:09:03: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
> 01:09:03: ISAKMP: encryption DES-CBC
> 01:09:03: ISAKMP: hash MD5
> 01:09:03: ISAKMP: default group 1
> 01:09:03: ISAKMP: auth pre-share
> 01:09:03: ISAKMP (0:1): atts are acceptable. Next payload is 0
> 01:09:05: ISAKMP (0:1): SA is doing pre-shared key authentication
> 01:09:05: ISAKMP (1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
> 01:09:05: ISAKMP (1): sending packet to 172.16.14.1 (I) MM_SA_SETUP
> 01:09:07: ISAKMP (1): received packet from 172.16.14.1 (I) MM_SA_SETUP
> 01:09:07: ISAKMP (0:1): processing KE payload. message ID = 0
> 01:09:09: ISAKMP (0:1): processing NONCE payload. message ID = 0
> 01:09:09: ISAKMP (0:1): SKEYID state generated
> 01:09:09: ISAKMP (0:1): processing vendor id payload
> 01:09:09: ISAKMP (0:1): speaking to another IOS box!
> 01:09:09: ISAKMP (1): ID payload
> next-payload : 8
> type : 1
> protocol : 17
> port : 500
> length : 8
> 01:09:09: ISAKMP (1): Total payload length: 12
> 01:09:09: ISAKMP (1): sending packet to 172.16.14.1 (I) MM_KEY_EXCH
> 01:09:09: ISAKMP (1): received packet from 172.16.14.1 (I) MM_KEY_EXCH
> 01:09:09: ISAKMP (0:1): processing ID payload. message ID = 0
> 01:09:09: ISAKMP (0:1): processing HASH payload. message ID = 0
> 01:09:09: ISAKMP (0:1): SA has been authenticated with 172.16.14.1
> 01:09:09: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -1141343141
> 01:09:09: ISAKMP (1): sending packet to 172.16.14.1 (I) QM_IDLE
> 01:09:09: ISAKMP (1): received packet from 172.16.14.1 (I) QM_IDLE
> 01:09:09: ISAKMP (1): processing NOTIFY payload 14 protocol 0 spi 0, message ID = 1136009096
> 01:09:09: ISAKMP (0:1): peer does not do paranoid keepalives.
>
> 01:09:09: ISAKMP (0:1): deleting node 1136009096 error FALSE reason "informational (in) state 1"
> 01:09:09: IPSEC(key_engine): got a queue event...
> 01:09:09: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
> 01:09:09: IPSEC(key_engine_delete_sas): delete all SAs shared with 172.16.14.1
>
> I don't even know how to proceed at this point. Any ideas?
>
> Thanks, especially to those who've already been helping me out
> with this stuff.
>
> John
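Added example, not part of the thread and not Cisco's code: a small Python check that parses the crypto-relevant lines of two IOS configs and reports a crypto map whose `set peer` address has no matching `crypto isakmp key`, or a proxy ACL that is not the mirror image of the far side's. The sample inputs are the crypto-relevant lines of the R1 and R4 configs quoted above; `check_pair` and `parse_crypto` are names chosen here.

```python
import re

# Regexes for the IOS lines that must agree between two IPsec endpoints.
PATTERNS = {
    "keys": r"crypto isakmp key \S+ address (\S+)",  # pre-shared key bound to a peer
    "peers": r"set peer (\S+)",                      # crypto map peer address
    "match": r"match address (\S+)",                 # ACL that selects traffic to protect
}

def parse_crypto(config):
    """Collect the crypto-relevant facts of one router config."""
    d = {k: set() for k in PATTERNS}
    d["acls"] = {}  # acl number -> [(proto, src host, dst host), ...]
    for line in (l.strip() for l in config.splitlines()):
        for key, pat in PATTERNS.items():
            if m := re.match(pat, line):
                d[key].add(m[1])
        if m := re.match(r"access-list (\d+) permit (\S+) host (\S+) host (\S+)", line):
            d["acls"].setdefault(m[1], []).append((m[2], m[3], m[4]))
    return d

def check_pair(name_a, cfg_a, name_b, cfg_b):
    """Return the mismatches that would stop these two endpoints negotiating."""
    a, b = parse_crypto(cfg_a), parse_crypto(cfg_b)
    issues = []
    for me, you, mine, other in ((name_a, name_b, a, b), (name_b, name_a, b, a)):
        for peer in mine["peers"]:
            # Phase 1 is authenticated with the key bound to the peer's address.
            if peer not in mine["keys"]:
                issues.append(f"{me}: set peer {peer} has no crypto isakmp key for that address")
        # Each proxy ACL entry must appear with src/dst swapped on the far side.
        for acl in mine["match"]:
            for proto, src, dst in mine["acls"].get(acl, []):
                if not any((proto, dst, src) in other["acls"].get(x, []) for x in other["match"]):
                    issues.append(f"{me}: ACL {acl} {proto} {src}->{dst} is not mirrored on {you}")
    return issues

# Constructed samples: the crypto-relevant lines of the R1 and R4 configs quoted above.
R1 = """crypto isakmp key cisco address 172.16.14.4
crypto map mymap 1 ipsec-isakmp
 set peer 172.16.4.4
 match address 100
access-list 100 permit icmp host 147.10.1.145 host 172.16.43.3"""
R4 = """crypto isakmp key cisco address 172.16.14.1
crypto map mymap 1 ipsec-isakmp
 set peer 172.16.14.1
 match address 100
access-list 100 permit icmp host 172.16.43.3 host 147.10.1.145"""

for issue in check_pair("R1", R1, "R4", R4):
    print(issue)
```

The NOTIFY payload 14 in the debug above is the ISAKMP NO-PROPOSAL-CHOSEN notification, which a responder sends when the Quick Mode proposal matches none of its crypto map entries; a config check like this one finds such mismatches before any debugging is turned on.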
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:57:04 GMT-3