From: Jaeheon Yoo (kghost@xxxxxxxxxxxx)
Date: Thu Mar 14 2002 - 02:07:37 GMT-3
Hi, John
I found a mismatch between isakmp key identity ip address and set peer ip address.
> crypto isakmp key cisco address 172.16.14.4
>
> crypto map mymap 1 ipsec-isakmp
> set peer 172.16.4.4 <----------------- this one should be "172.16.14.4".
> set transform-set myset
> match address 100
my 0.02 cents
Jaeheon
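As an added illustration of the check Jaeheon did by eye (example code, not from the thread): a small Python script that parses the crypto section of an IOS config and reports every `set peer` inside a crypto map that has no matching `crypto isakmp key ... address`. The sample config is constructed from R1's config as quoted in the thread, with the 172.16.4.4 typo left in; with only the key address in place, Phase 1 can still authenticate, but the peer used in the crypto map is not the router the key was configured for.

```python
import re

# Constructed sample: the crypto portion of R1's config from the thread,
# including the 172.16.4.4 peer that should read 172.16.14.4.
R1_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 172.16.14.4
!
crypto ipsec transform-set myset esp-des
!
crypto map mymap 1 ipsec-isakmp
 set peer 172.16.4.4
 set transform-set myset
 match address 100
!
"""

KEY_RE = re.compile(r"^crypto isakmp key \S+ address (\S+)")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp")
PEER_RE = re.compile(r"^set peer (\S+)")

def isakmp_key_addresses(config):
    """Set of peer addresses that have a pre-shared key configured."""
    return {m.group(1) for l in config.splitlines() if (m := KEY_RE.match(l.strip()))}

def crypto_map_peers(config):
    """[(map_name, seq, peer_ip), ...] for every 'set peer' inside a crypto map entry."""
    peers, current = [], None
    for raw in config.splitlines():
        line = raw.strip()          # tolerate both indented and un-indented pastes
        if (m := MAP_RE.match(line)):
            current = (m.group(1), int(m.group(2)))
        elif line == "!" or line.startswith(("crypto ", "interface ", "access-list ")):
            current = None          # left the crypto map entry
        elif current and (m := PEER_RE.match(line)):
            peers.append((current[0], current[1], m.group(1)))
    return peers

def peers_without_key(config):
    """Crypto map peers that no 'crypto isakmp key ... address' entry covers."""
    keys = isakmp_key_addresses(config)
    if "0.0.0.0" in keys:           # wildcard key covers any peer
        return []
    return [p for p in crypto_map_peers(config) if p[2] not in keys]

def report(config):
    return [f"crypto map {name} {seq}: set peer {peer} has no matching "
            f"'crypto isakmp key ... address {peer}'"
            for name, seq, peer in peers_without_key(config)]

if __name__ == "__main__":
    for finding in report(R1_CONFIG) or ["no peer/key mismatches found"]:
        print(finding)
```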
----- Original Message -----
From: "John Neiberger" <neiby@ureach.com>
To: <ccielab@groupstudy.com>
Sent: Thursday, March 14, 2002 1:14 PM
Subject: IPSec: Simple config not working
> Okay, I'm tired of looking at this. I've read more about ipsec
> today and yesterday than I care to and I still can't figure out
> why this isn't working. I keep getting an error about how the
> peer can't do paranoid keepalives. CCO, of course, makes no
> mention of paranoid keepalives.
>
> The layout:
>
> R2-----R1----(ipsec)----R4-----R3
>
> I'm only attempting to encrypt ICMP traffic from R3 destined
> for the loopback address of R2 and vice versa. R1 and R4 are
> the ipsec endpoints.
>
> R1 Config:
>
> crypto isakmp policy 1
> authentication pre-share
> crypto isakmp key cisco address 172.16.14.4
> !
> !
> crypto ipsec transform-set myset esp-des
> !
> crypto map mymap 1 ipsec-isakmp
> set peer 172.16.4.4
> set transform-set myset
> match address 100
> !
> interface Serial0
> no ip address
> encapsulation frame-relay
> frame-relay lmi-type cisco
> !
> interface Serial0.1 multipoint
> ip address 172.16.123.1 255.255.255.0
> ip router isis
> frame-relay map clns 102 broadcast
> frame-relay map ip 172.16.123.2 102 broadcast
> !
> interface Serial0.2 point-to-point
> ip address 172.16.14.1 255.255.255.0
> ip router isis
> frame-relay interface-dlci 104
> crypto map mymap
> !
> access-list 100 permit icmp host 147.10.1.145 host 172.16.43.3
>
> R4 Config:
>
> crypto isakmp policy 1
> authentication pre-share
> crypto isakmp key cisco address 172.16.14.1
> !
> !
> crypto ipsec transform-set myset esp-des
> !
> crypto map mymap 1 ipsec-isakmp
> set peer 172.16.14.1
> set transform-set myset
> match address 100
> !
> interface Serial0
> no ip address
> encapsulation frame-relay
> frame-relay lmi-type cisco
> !
> interface Serial0.1 point-to-point
> ip address 172.16.14.4 255.255.255.0
> ip router isis
> frame-relay interface-dlci 401
> crypto map mymap
> !
> interface TokenRing0
> ip address 172.16.43.4 255.255.255.0
> ip router isis
> ring-speed 16
> !
> access-list 100 permit icmp host 172.16.43.3 host 147.10.1.145
>
> Here's the debug output from R4:
>
> 01:09:02: IPSEC(sa_request): ,
> (key eng. msg.) src= 172.16.14.4, dest= 172.16.14.1,
> src_proxy= 172.16.43.3/255.255.255.255/1/0 (type=1),
> dest_proxy= 147.10.1.145/255.255.255.255/1/0 (type=1),
> protocol= ESP, transform= esp-des ,
> lifedur= 3600s and 4608000kb,
> spi= 0xC14141D(202642461), conn_id= 0, keysize= 0, flags= 0x4004
> 01:09:02: ISAKMP: received ke message (1/1)
> 01:09:02: ISAKMP: local port 500, remote port 500
> 01:09:02: ISAKMP (0:1): beginning Main Mode exchange
> 01:09:02: ISAKMP (1): sending packet to 172.16.14.1 (I)
> MM_NO_STATE
> 01:09:03: ISAKMP (1): received packet from 172.16.14.1 (I)
> MM_NO_STATE
> 01:09:03: ISAKMP (0:1): processing SA payload. message ID = 0
> 01:09:03: ISAKMP (0:1): Checking ISAKMP transform 1 against
> priority 1 policy
> 01:09:03: ISAKMP: encryption DES-CBC
> 01:09:03: ISAKMP: hash MD5
> 01:09:03: ISAKMP: default group 1
> 01:09:03: ISAKMP: auth pre-share
> 01:09:03: ISAKMP (0:1): atts are acceptable. Next payload is 0
> 01:09:05: ISAKMP (0:1): SA is doing pre-shared key
> authentication
> 01:09:05: ISAKMP (1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
> 01:09:05: ISAKMP (1): sending packet to 172.16.14.1 (I)
> MM_SA_SETUP
> 01:09:07: ISAKMP (1): received packet from 172.16.14.1 (I)
> MM_SA_SETUP
> 01:09:07: ISAKMP (0:1): processing KE payload. message ID = 0
> 01:09:09: ISAKMP (0:1): processing NONCE payload. message ID = 0
> 01:09:09: ISAKMP (0:1): SKEYID state generated
> 01:09:09: ISAKMP (0:1): processing vendor id payload
> 01:09:09: ISAKMP (0:1): speaking to another IOS box!
> 01:09:09: ISAKMP (1): ID payload
> next-payload : 8
> type : 1
> protocol : 17
> port : 500
> length : 8
> 01:09:09: ISAKMP (1): Total payload length: 12
> 01:09:09: ISAKMP (1): sending packet to 172.16.14.1 (I)
> MM_KEY_EXCH
> 01:09:09: ISAKMP (1): received packet from 172.16.14.1 (I)
> MM_KEY_EXCH
> 01:09:09: ISAKMP (0:1): processing ID payload. message ID = 0
> 01:09:09: ISAKMP (0:1): processing HASH payload. message ID = 0
> 01:09:09: ISAKMP (0:1): SA has been authenticated with
> 172.16.14.1
> 01:09:09: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -1141343141
> 01:09:09: ISAKMP (1): sending packet to 172.16.14.1 (I) QM_IDLE
> 01:09:09: ISAKMP (1): received packet from 172.16.14.1 (I)
> QM_IDLE
> 01:09:09: ISAKMP (1): processing NOTIFY payload 14 protocol 0
> spi 0, message ID = 1136009096
> 01:09:09: ISAKMP (0:1): peer does not do paranoid keepalives.
>
> 01:09:09: ISAKMP (0:1): deleting node 1136009096 error FALSE reason "informational (in) state 1"
> 01:09:09: IPSEC(key_engine): got a queue event...
> 01:09:09: IPSEC(key_engine_delete_sas): rec'd delete notify
> from ISAKMP
> 01:09:09: IPSEC(key_engine_delete_sas): delete all SAs shared
> with 172.16.14.1
>
> I don't even know how to proceed at this point. Any ideas?
>
> Thanks, especially to those who've already been helping me out
> with this stuff.
>
> John
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:57:04 GMT-3