From: John Neiberger (neiby@xxxxxxxxxx)
Date: Thu Mar 14 2002 - 02:08:28 GMT-3
AAAAAAAAGHHHHH!!!
Yes, that's the problem. :-) I can NOT believe I've stared
at that for as long as I have purposefully checking those
addresses over and over and over and I missed that.... that
does not bode well. <g>
I'm starting to think I'm dyslexic. This is embarrassing...
Thanks for the help! I'll try that and I have a feeling it
just might work!
regards,
John
---- On Wed, 13 Mar 2002, garry baker (fallow46@yahoo.com)
wrote:
> mate,
>
> Have a look at your first router config. I think there
> is a typo. your address on your key is different than
> the address for your peer in the crypto map. but in
> your second router config they are the same. they both
> should be the same.
>
> Garry
> --- John Neiberger <neiby@ureach.com> wrote:
> > Okay, I'm tired of looking at this. I've read more about ipsec today and
> > yesterday than I care to and I still can't figure out why this isn't
> > working. I keep getting an error about how the peer can't do paranoid
> > keepalives. CCO, of course, makes no mention of paranoid keepalives.
> >
> > The layout:
> >
> > R2-----R1----(ipsec)----R4-----R3
> >
> > I'm only attempting to encrypt ICMP traffic from R3 destined for the
> > loopback address of R2 and vice versa. R1 and R4 are the ipsec endpoints.
> >
> > R1 Config:
> >
> > crypto isakmp policy 1
> > authentication pre-share
> > crypto isakmp key cisco address 172.16.14.4
> > !
> > !
> > crypto ipsec transform-set myset esp-des
> > !
> > crypto map mymap 1 ipsec-isakmp
> > set peer 172.16.4.4
> > set transform-set myset
> > match address 100
> > !
> > interface Serial0
> > no ip address
> > encapsulation frame-relay
> > frame-relay lmi-type cisco
> > !
> > interface Serial0.1 multipoint
> > ip address 172.16.123.1 255.255.255.0
> > ip router isis
> > frame-relay map clns 102 broadcast
> > frame-relay map ip 172.16.123.2 102 broadcast
> > !
> > interface Serial0.2 point-to-point
> > ip address 172.16.14.1 255.255.255.0
> > ip router isis
> > frame-relay interface-dlci 104
> > crypto map mymap
> > !
> > access-list 100 permit icmp host 147.10.1.145 host 172.16.43.3
> >
> > R4 Config:
> >
> > crypto isakmp policy 1
> > authentication pre-share
> > crypto isakmp key cisco address 172.16.14.1
> > !
> > !
> > crypto ipsec transform-set myset esp-des
> > !
> > crypto map mymap 1 ipsec-isakmp
> > set peer 172.16.14.1
> > set transform-set myset
> > match address 100
> > !
> > interface Serial0
> > no ip address
> > encapsulation frame-relay
> > frame-relay lmi-type cisco
> > !
> > interface Serial0.1 point-to-point
> > ip address 172.16.14.4 255.255.255.0
> > ip router isis
> > frame-relay interface-dlci 401
> > crypto map mymap
> > !
> > interface TokenRing0
> > ip address 172.16.43.4 255.255.255.0
> > ip router isis
> > ring-speed 16
> > !
> > access-list 100 permit icmp host 172.16.43.3 host 147.10.1.145
> >
> > Here's the debug output from R4:
> >
> > 01:09:02: IPSEC(sa_request): ,
> > (key eng. msg.) src= 172.16.14.4, dest= 172.16.14.1,
> > src_proxy= 172.16.43.3/255.255.255.255/1/0 (type=1),
> > dest_proxy= 147.10.1.145/255.255.255.255/1/0 (type=1),
> > protocol= ESP, transform= esp-des ,
> > lifedur= 3600s and 4608000kb,
> > spi= 0xC14141D(202642461), conn_id= 0, keysize= 0, flags= 0x4004
> > 01:09:02: ISAKMP: received ke message (1/1)
> > 01:09:02: ISAKMP: local port 500, remote port 500
> > 01:09:02: ISAKMP (0:1): beginning Main Mode exchange
> > 01:09:02: ISAKMP (1): sending packet to 172.16.14.1 (I) MM_NO_STATE
> > 01:09:03: ISAKMP (1): received packet from 172.16.14.1 (I) MM_NO_STATE
> > 01:09:03: ISAKMP (0:1): processing SA payload. message ID = 0
> > 01:09:03: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
> > 01:09:03: ISAKMP: encryption DES-CBC
> > 01:09:03: ISAKMP: hash MD5
> > 01:09:03: ISAKMP: default group 1
> > 01:09:03: ISAKMP: auth pre-share
> > 01:09:03: ISAKMP (0:1): atts are acceptable. Next payload is 0
> > 01:09:05: ISAKMP (0:1): SA is doing pre-shared key authentication
> > 01:09:05: ISAKMP (1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
> > 01:09:05: ISAKMP (1): sending packet to 172.16.14.1 (I) MM_SA_SETUP
> > 01:09:07: ISAKMP (1): received packet from 172.16.14.1 (I) MM_SA_SETUP
> > 01:09:07: ISAKMP (0:1): processing KE payload. message ID = 0
> > 01:09:09: ISAKMP (0:1): processing NONCE payload. message ID = 0
> > 01:09:09: ISAKMP (0:1): SKEYID state generated
> > 01:09:09: ISAKMP (0:1): processing vendor id payload
> > 01:09:09: ISAKMP (0:1): speaking to another IOS box!
> > 01:09:09: ISAKMP (1): ID payload
> > next-payload : 8
> > type : 1
> > protocol : 17
> > port : 500
> > length : 8
> > 01:09:09: ISAKMP (1): Total payload length: 12
> > 01:09:09: ISAKMP (1): sending packet to 172.16.14.1 (I) MM_KEY_EXCH
> > 01:09:09: ISAKMP (1): received packet from 172.16.14.1 (I) MM_KEY_EXCH
> > 01:09:09: ISAKMP (0:1): processing ID payload. message ID = 0
> > 01:09:09: ISAKMP (0:1): processing HASH payload. message ID = 0
> > 01:09:09: ISAKMP (0:1): SA has been authenticated with 172.16.14.1
> > 01:09:09: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -1141343141
> > 01:09:09: ISAKMP (1): sending packet to 172.16.14.1 (I) QM_IDLE
> > 01:09:09: ISAKMP (1): received packet from 172.16.14.1 (I) QM_IDLE
> > 01:09:09: ISAKMP (1): processing NOTIFY payload 14 protocol 0 spi 0, message ID = 1136009096
> > 01:09:09: ISAKMP (0:1): peer does not do paranoid keepalives.
> >
> > 01:09:09: ISAKMP (0:1): deleting node 1136009096 error FALSE reason "informational (in) state 1"
> > 01:09:09: IPSEC(key_engine): got a queue event...
> > 01:09:09: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
> > 01:09:09: IPSEC(key_engine_delete_sas): delete all SAs shared with 172.16.14.1
> >
> > I don't even know how to proceed at this point. Any ideas?
> >
> > Thanks, especially to those who've already been helping me out with this
> > stuff.
> >
> > John
> >
>
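The mismatch Garry points out, as an added example that is not part of the thread: a small Python check (helper names are my own, not a Cisco tool) that parses the crypto lines of the R1 and R4 configs quoted above and flags any "set peer" address that has no matching "crypto isakmp key ... address" entry, or that is not the address of a crypto-mapped interface on the other router.

```python
import re
# Crypto-relevant lines of the R1 and R4 configs quoted above (R1 still
# carries the mismatch Garry spotted); indentation added as IOS shows it.
R1_CFG = """\
crypto isakmp key cisco address 172.16.14.4
crypto map mymap 1 ipsec-isakmp
 set peer 172.16.4.4
interface Serial0.2 point-to-point
 ip address 172.16.14.1 255.255.255.0
 crypto map mymap
"""
R4_CFG = """\
crypto isakmp key cisco address 172.16.14.1
crypto map mymap 1 ipsec-isakmp
 set peer 172.16.14.1
interface Serial0.1 point-to-point
 ip address 172.16.14.4 255.255.255.0
 crypto map mymap
"""

KEY_RE = re.compile(r"^crypto isakmp key \S+ address (\S+)", re.M)
PEER_RE = re.compile(r"^\s+set peer (\S+)", re.M)

def peers_without_key(config):
    """'set peer' addresses with no 'crypto isakmp key ... address' entry."""
    keyed = set(KEY_RE.findall(config))
    return [p for p in PEER_RE.findall(config) if p not in keyed]

def crypto_endpoints(config):
    """Addresses of the interfaces that have a crypto map applied."""
    addrs, ip = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            ip = None  # new interface block, forget the previous address
        m = re.match(r"\s+ip address (\S+)", line)
        if m:
            ip = m.group(1)
        if re.match(r"\s+crypto map \S+$", line) and ip:
            addrs.append(ip)
    return addrs

def peers_not_on_remote(local_cfg, remote_cfg):
    """Local 'set peer' addresses that are not a crypto endpoint on the remote."""
    remote = set(crypto_endpoints(remote_cfg))
    return [p for p in PEER_RE.findall(local_cfg) if p not in remote]

if __name__ == "__main__":
    for name, cfg, other in (("R1", R1_CFG, R4_CFG), ("R4", R4_CFG, R1_CFG)):
        print(name, peers_without_key(cfg), peers_not_on_remote(cfg, other))
```

For R1 both checks report 172.16.4.4, while R4 is clean; once R1's peer is 172.16.14.4 (R4's Serial0.1 address and the key entry already on R1) the checks agree on both routers.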