From: John Neiberger (neiby@xxxxxxxxxx)
Date: Thu Mar 14 2002 - 02:12:44 GMT-3
Yep, that's it! I've been staring at those IP addresses for so
long I can't believe I missed that. In fact, I originally had
an even worse mismatch and I hurried too much when I tried to
fix them. Good grief ... <g>
I've been doing dumb stuff like this lately. Another one that
got me a few days ago was accidentally configuring an access
list without using an inverse mask. All sorts of weird stuff
started happening. I sure hope my ability to focus comes back
in time for the lab in a few weeks!
Thanks to all,
John
---- On Thu, 14 Mar 2002, Jaeheon Yoo (kghost@chollian.net)
wrote:
> Hi, John
>
> I found a mismatch between isakmp key identity ip address and set peer
> ip address.
>
> > crypto isakmp key cisco address 172.16.14.4
> >
>
> > crypto map mymap 1 ipsec-isakmp
> > set peer 172.16.4.4 <----------------- this one should be "172.16.14.4".
> > set transform-set myset
> > match address 100
>
> my 0.02 cents
>
> Jaeheon
>
> ----- Original Message -----
> From: "John Neiberger" <neiby@ureach.com>
> To: <ccielab@groupstudy.com>
> Sent: Thursday, March 14, 2002 1:14 PM
> Subject: IPSec: Simple config not working
>
>
> > Okay, I'm tired of looking at this. I've read more about ipsec
> > today and yesterday than I care to and I still can't figure out
> > why this isn't working. I keep getting an error about how the
> > peer can't do paranoid keepalives. CCO, of course, makes no
> > mention of paranoid keepalives.
> >
> > The layout:
> >
> > R2-----R1----(ipsec)----R4-----R3
> >
> > I'm only attempting to encrypt ICMP traffic from R3 destined
> > for the loopback address of R2 and vice versa. R1 and R4 are
> > the ipsec endpoints.
> >
> > R1 Config:
> >
> > crypto isakmp policy 1
> > authentication pre-share
> > crypto isakmp key cisco address 172.16.14.4
> > !
> > !
> > crypto ipsec transform-set myset esp-des
> > !
> > crypto map mymap 1 ipsec-isakmp
> > set peer 172.16.4.4
> > set transform-set myset
> > match address 100
> > !
> > interface Serial0
> > no ip address
> > encapsulation frame-relay
> > frame-relay lmi-type cisco
> > !
> > interface Serial0.1 multipoint
> > ip address 172.16.123.1 255.255.255.0
> > ip router isis
> > frame-relay map clns 102 broadcast
> > frame-relay map ip 172.16.123.2 102 broadcast
> > !
> > interface Serial0.2 point-to-point
> > ip address 172.16.14.1 255.255.255.0
> > ip router isis
> > frame-relay interface-dlci 104
> > crypto map mymap
> > !
> > access-list 100 permit icmp host 147.10.1.145 host 172.16.43.3
> >
> > R4 Config:
> >
> > crypto isakmp policy 1
> > authentication pre-share
> > crypto isakmp key cisco address 172.16.14.1
> > !
> > !
> > crypto ipsec transform-set myset esp-des
> > !
> > crypto map mymap 1 ipsec-isakmp
> > set peer 172.16.14.1
> > set transform-set myset
> > match address 100
> > !
> > interface Serial0
> > no ip address
> > encapsulation frame-relay
> > frame-relay lmi-type cisco
> > !
> > interface Serial0.1 point-to-point
> > ip address 172.16.14.4 255.255.255.0
> > ip router isis
> > frame-relay interface-dlci 401
> > crypto map mymap
> > !
> > interface TokenRing0
> > ip address 172.16.43.4 255.255.255.0
> > ip router isis
> > ring-speed 16
> > !
> > access-list 100 permit icmp host 172.16.43.3 host 147.10.1.145
> >
> > Here's the debug output from R4:
> >
> > 01:09:02: IPSEC(sa_request): ,
> > (key eng. msg.) src= 172.16.14.4, dest= 172.16.14.1,
> > src_proxy= 172.16.43.3/255.255.255.255/1/0 (type=1),
> > dest_proxy= 147.10.1.145/255.255.255.255/1/0 (type=1),
> > protocol= ESP, transform= esp-des ,
> > lifedur= 3600s and 4608000kb,
> > spi= 0xC14141D(202642461), conn_id= 0, keysize= 0, flags= 0x4004
> > 01:09:02: ISAKMP: received ke message (1/1)
> > 01:09:02: ISAKMP: local port 500, remote port 500
> > 01:09:02: ISAKMP (0:1): beginning Main Mode exchange
> > 01:09:02: ISAKMP (1): sending packet to 172.16.14.1 (I) MM_NO_STATE
> > 01:09:03: ISAKMP (1): received packet from 172.16.14.1 (I) MM_NO_STATE
> > 01:09:03: ISAKMP (0:1): processing SA payload. message ID = 0
> > 01:09:03: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
> > 01:09:03: ISAKMP: encryption DES-CBC
> > 01:09:03: ISAKMP: hash MD5
> > 01:09:03: ISAKMP: default group 1
> > 01:09:03: ISAKMP: auth pre-share
> > 01:09:03: ISAKMP (0:1): atts are acceptable. Next payload is 0
> > 01:09:05: ISAKMP (0:1): SA is doing pre-shared key authentication
> > 01:09:05: ISAKMP (1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
> > 01:09:05: ISAKMP (1): sending packet to 172.16.14.1 (I) MM_SA_SETUP
> > 01:09:07: ISAKMP (1): received packet from 172.16.14.1 (I) MM_SA_SETUP
> > 01:09:07: ISAKMP (0:1): processing KE payload. message ID = 0
> > 01:09:09: ISAKMP (0:1): processing NONCE payload. message ID = 0
> > 01:09:09: ISAKMP (0:1): SKEYID state generated
> > 01:09:09: ISAKMP (0:1): processing vendor id payload
> > 01:09:09: ISAKMP (0:1): speaking to another IOS box!
> > 01:09:09: ISAKMP (1): ID payload
> > next-payload : 8
> > type : 1
> > protocol : 17
> > port : 500
> > length : 8
> > 01:09:09: ISAKMP (1): Total payload length: 12
> > 01:09:09: ISAKMP (1): sending packet to 172.16.14.1 (I) MM_KEY_EXCH
> > 01:09:09: ISAKMP (1): received packet from 172.16.14.1 (I) MM_KEY_EXCH
> > 01:09:09: ISAKMP (0:1): processing ID payload. message ID = 0
> > 01:09:09: ISAKMP (0:1): processing HASH payload. message ID = 0
> > 01:09:09: ISAKMP (0:1): SA has been authenticated with 172.16.14.1
> > 01:09:09: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -1141343141
> > 01:09:09: ISAKMP (1): sending packet to 172.16.14.1 (I) QM_IDLE
> > 01:09:09: ISAKMP (1): received packet from 172.16.14.1 (I) QM_IDLE
> > 01:09:09: ISAKMP (1): processing NOTIFY payload 14 protocol 0 spi 0, message ID = 1136009096
> > 01:09:09: ISAKMP (0:1): peer does not do paranoid keepalives.
> >
> > 01:09:09: ISAKMP (0:1): deleting node 1136009096 error FALSE reason "informational (in) state 1"
> > 01:09:09: IPSEC(key_engine): got a queue event...
> > 01:09:09: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
> > 01:09:09: IPSEC(key_engine_delete_sas): delete all SAs shared with 172.16.14.1
> >
> > I don't even know how to proceed at this point. Any ideas?
> >
> > Thanks, especially to those who've already been helping me out
> > with this stuff.
> >
> > John
> >
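As an added example (not from the thread or from either poster), a small Python consistency check over the two crypto sections John posted: it flags the mismatch Jaeheon spotted, a `set peer` address with no matching `crypto isakmp key ... address` entry, and also confirms that the two crypto ACLs are mirror images of each other. The config strings are excerpts constructed from the posted R1 and R4 configs.

```python
import re

# Crypto-relevant lines of R1 and R4, excerpted from the configs in the thread.
R1_CFG = """
crypto isakmp key cisco address 172.16.14.4
crypto map mymap 1 ipsec-isakmp
 set peer 172.16.4.4
 set transform-set myset
 match address 100
access-list 100 permit icmp host 147.10.1.145 host 172.16.43.3
"""
R4_CFG = """
crypto isakmp key cisco address 172.16.14.1
crypto map mymap 1 ipsec-isakmp
 set peer 172.16.14.1
 set transform-set myset
 match address 100
access-list 100 permit icmp host 172.16.43.3 host 147.10.1.145
"""


def parse_crypto(cfg):
    """Extract ISAKMP key peer addresses, crypto-map peers and crypto ACL host pairs."""
    keys = set(re.findall(r"^crypto isakmp key \S+ address (\S+)", cfg, re.M))
    peers = set(re.findall(r"^\s*set peer (\S+)", cfg, re.M))
    acl = set(re.findall(r"^access-list \d+ permit \S+ host (\S+) host (\S+)", cfg, re.M))
    return keys, peers, acl


def check_pair(cfg_a, cfg_b):
    """Return a list of findings for a pair of IPsec peers (empty list = consistent)."""
    findings = []
    keys_a, peers_a, acl_a = parse_crypto(cfg_a)
    keys_b, peers_b, acl_b = parse_crypto(cfg_b)
    # Every crypto-map peer needs a pre-shared key bound to exactly that address;
    # otherwise ISAKMP has no key for the peer the crypto map points at.
    for name, keys, peers in (("A", keys_a, peers_a), ("B", keys_b, peers_b)):
        for peer in sorted(peers - keys):
            findings.append(f"{name}: set peer {peer} has no isakmp key address entry")
    # The crypto ACLs must be mirror images: B's (src, dst) pairs are A's (dst, src).
    mirrored = {(dst, src) for src, dst in acl_b}
    if acl_a != mirrored:
        findings.append("crypto ACLs are not mirror images")
    return findings


if __name__ == "__main__":
    for line in check_pair(R1_CFG, R4_CFG) or ["no mismatches found"]:
        print(line)
```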
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:57:04 GMT-3