Can't get IPsec SA peers established

From: Lab Candidate (labccie@xxxxxxxxx)
Date: Mon Mar 18 2002 - 23:30:35 GMT-3


   
I have set up a really basic IPSec config on 2 routers back to back with s0/0 connected.

   r2 s0/0 --------------- s0/0 r4
   172.24.2.1           172.24.2.2

Using pre-shared key "prek1", no matter what, the ISAKMP SA peers won't establish, and I can't ping
each other's s0/0 interface. The debug says "IPSEC(manual_key_stuffing): keys missing for addr
172.24.2.2/prot 51/spi 0." but I have the pre-shared key configured on both r2 and r4. Can anyone shed
some light on what I am doing wrong? Thanks.

Here are the configs from r2 and r4 and some output from show/debug commands.

r2#sh run
Building configuration...

Current configuration : 2409 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r2
!
!
username r2 password 0 t
username r4 password 0 t
ip subnet-zero
!
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 5
!
crypto isakmp policy 1
 authentication pre-share
 lifetime 6000
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 lifetime 600
crypto isakmp key prek1 address 172.24.2.2
!
crypto ipsec security-association lifetime kilobytes 10000
crypto ipsec security-association lifetime seconds 1000
!
crypto ipsec transform-set tf1 ah-sha-hmac esp-3des esp-sha-hmac comp-lzs
 mode transport
!
crypto dynamic-map dm1 10
 set peer 172.24.2.2
 set security-association lifetime kilobytes 7000
 set security-association lifetime seconds 700
 set pfs group2
 match address 100
!
!
crypto key pubkey-chain rsa
 named-key nk1 encryption
  key-string
  quit
 !
 crypto map m1 10 ipsec-isakmp dynamic dm1 discover
!
crypto map im1 local-address Serial0/0
crypto map im1 10 ipsec-manual
 set peer 172.24.2.2
 set transform-set tf1
 match address 101
!
isdn switch-type basic-5ess
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Loopback1
 ip address 22.22.22.2 255.255.255.0
!
interface Ethernet0/0
 no ip address
 half-duplex
!
interface Serial0/0
 ip address 172.24.2.1 255.255.255.0
 crypto map im1
!
interface TokenRing0/0
 ip address 192.168.5.1 255.255.255.0
 ring-speed 16
!
interface BRI0/0
 no ip address
 isdn switch-type basic-dms100
!
interface Serial0/1
 ip address 10.10.10.2 255.255.255.0
 encapsulation frame-relay
 ip ospf authentication message-digest
 ip ospf message-digest-key 2 md5 7 test1
 clock rate 128000
 frame-relay map ip 10.10.10.3 203 broadcast
 frame-relay map ip 10.10.10.4 203 broadcast
!
router ospf 1
 log-adjacency-changes
 area 0 authentication message-digest
 redistribute connected subnets
 network 2.2.2.2 0.0.0.0 area 0
 network 10.10.10.0 0.0.0.255 area 0
!
router rip
 network 172.24.0.0
 no auto-summary
!
ip classless
no ip http server
ip pim bidir-enable
!
access-list 101 permit ip 172.24.2.0 0.0.0.255 172.24.2.0 0.0.0.255 log
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password t
 login local
!
end

r2#

r2#ping 172.24.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.24.2.2, timeout is 2 seconds:

4d04h: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 172.24.2.1, remote= 172.24.2.2,
    local_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
    protocol= AH, transform= ah-sha-hmac ,
    lifedur= 1000s and 10000kb,
    spi= 0xF20A4015(4060758037), conn_id= 0, keysize= 0, flags= 0x400C
4d04h: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 172.24.2.1, remote= 172.24.2.2,
    local_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 1000s and 10000kb,
    spi= 0x83720808(2205288456), conn_id= 0, keysize= 0, flags= 0x400C
4d04h: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 172.24.2.1, remote= 172.24.2.2,
    local_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
    protocol= PCP, transform= comp-lzs ,
    lifedur= 1000s and 10000kb,
    spi= 0xB448(46152), conn_id= 0, keysize= 0, flags= 0x400C
4d04h: IP: s=172.24.2.1 (local), d=172.24.2.2 (Serial0/0), len 100, output crypto map check failed.
4d04h: IPSEC(manual_key_stuffing): keys missing for addr 172.24.2.2/prot 51/spi 0.
4d04h: IP: s=172.24.2.1 (local), d=172.24.2.2 (Serial0/0), len 100, output crypto map check failed..
4d04h: IP: s=172.24.2.1 (local), d=172.24.2.2 (Serial0/0), len 100, output crypto map check failed..
4d04h: IP: s=172.24.2.1 (local), d=172.24.2.2 (Serial0/0), len 100, output crypto map check failed..
4d04h: IP: s=172.24.2.1 (local), d=172.24.2.2 (Serial0/0), len 100, output crypto map check failed..
Success rate is 0 percent (0/5)
r2#
4d04h: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 172.24.2.1 -> 172.24.2.2 (8/0), 5 packets

r2#show crypto isakmp key
Hostname/Address Preshared Key
172.24.2.2 prek1
r2#

r2#show crypto isakmp sa
dst src state conn-id slot

r2#

r2#show crypto ipsec sa

interface: Serial0/0
    Crypto map tag: im1, local addr. 172.24.2.1

   local ident (addr/mask/prot/port): (172.24.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.24.2.0/255.255.255.0/0/0)
   current_peer: 172.24.2.2
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 20, #recv errors 0

     local crypto endpt.: 172.24.2.1, remote crypto endpt.: 172.24.2.2
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

r2#

==================== r4 config and debug ==============================

r4#sh run
Building configuration...

Current configuration : 2159 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r4
!
enable password tts
!
username r2 password 0 t
username r4 password 0 t
ip subnet-zero
!
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 5
!
crypto isakmp policy 1
 authentication pre-share
 lifetime 600
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 lifetime 600
crypto isakmp key prek1 address 172.24.2.1
!
crypto ipsec security-association lifetime kilobytes 6000
!
crypto ipsec transform-set tf1 ah-sha-hmac esp-3des esp-sha-hmac comp-lzs
 mode transport
!
crypto map m1 local-address Serial0/0
crypto map m1 10 ipsec-manual
 set peer 172.24.2.1
 set transform-set tf1
 match address 101
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 172.24.2.2 255.255.255.0
 clock rate 64000
 crypto map m1
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface Serial0/1
 ip address 10.10.10.4 255.255.255.0
 encapsulation frame-relay
 ip ospf authentication-key 7 test
 ip ospf message-digest-key 2 md5 7 test1
 frame-relay map ip 10.10.10.2 403 broadcast
 frame-relay map ip 10.10.10.3 403 broadcast
!
router ospf 1
 log-adjacency-changes
 area 0 authentication message-digest
 network 4.4.4.4 0.0.0.0 area 0
 network 10.10.10.0 0.0.0.255 area 0
!
router rip
 network 172.24.0.0
 no auto-summary
!
ip classless
no ip http server
ip pim bidir-enable
!
access-list 101 permit ip 172.24.2.0 0.0.0.255 172.24.2.0 0.0.0.255 log
!
tftp-server flash:c2600-jk9o3s-mz.122-7a.bin
!
voice-port 1/0/0
!
voice-port 1/0/1
!
dial-peer cor custom
!
!
!
dial-peer voice 1 pots
 destination-pattern 3085
 port 1/0/0
!
dial-peer voice 2 voip
 destination-pattern 4085
 session target ipv4:5.5.5.5
!
!
!
line con 0
line aux 0
line vty 0 4
 password tts
 login local
!
end

r4#show crypto isakmp key
Hostname/Address Preshared Key
172.24.2.1 prek1

r4#show crypto isakmp sa
dst src state conn-id slot

r4#ping 172.24.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.24.2.1, timeout is 2 seconds:

6d05h: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 172.24.2.2, remote= 172.24.2.1,
    local_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
    protocol= AH, transform= ah-sha-hmac ,
    lifedur= 3600s and 6000kb,
    spi= 0x4A03C00E(1241759758), conn_id= 0, keysize= 0, flags= 0x400C
6d05h: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 172.24.2.2, remote= 172.24.2.1,
    local_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 3600s and 6000kb,
    spi= 0x438314C6(1132664006), conn_id= 0, keysize= 0, flags= 0x400C
6d05h: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 172.24.2.2, remote= 172.24.2.1,
    local_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
    protocol= PCP, transform= comp-lzs ,
    lifedur= 3600s and 6000kb,
    spi= 0xF13B(61755), conn_id= 0, keysize= 0, flags= 0x400C
6d05h: IPSEC(manual_key_stuffing): keys missing for addr 172.24.2.1/prot 51/spi 0.....
Success rate is 0 percent (0/5)
r4#

r4#show crypto ipsec sa

interface: Serial0/0
    Crypto map tag: m1, local addr. 172.24.2.2

   local ident (addr/mask/prot/port): (172.24.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.24.2.0/255.255.255.0/0/0)
   current_peer: 172.24.2.1
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 25, #recv errors 0

     local crypto endpt.: 172.24.2.2, remote crypto endpt.: 172.24.2.1
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

r4#
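The two symptoms in the post (an empty `show crypto isakmp sa` and `IPSEC(manual_key_stuffing): keys missing ... prot 51/spi 0`) both follow from the crypto map entry type: `ipsec-manual` entries never invoke IKE, so the pre-shared key is never used, and they require static `set session-key` lines for every protocol in the transform set (AH, protocol 51, and ESP), which neither router has. The r2 config also defines an `ipsec-isakmp` map (`m1`) that is not bound to any interface. The script below is an added example, not code from the original post: a small lint for IOS running-configs that flags exactly these conditions. The parser, the finding texts, and the two embedded sample configs (one trimmed from the posted r2 config, one constructed with the entry rewritten as `ipsec-isakmp`) are all assumptions of this example.

```python
"""Static check of a Cisco IOS running-config for the crypto-map conditions
behind "IPSEC(manual_key_stuffing): keys missing ..." and an empty
"show crypto isakmp sa".  Added example, not code from the original post."""
import re
from dataclasses import dataclass, field
from typing import Optional

MAP_RE = re.compile(r"^\s*crypto map (\S+) (\d+) (ipsec-manual|ipsec-isakmp)\b")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
IF_RE = re.compile(r"^interface (\S+)")
KEY_RE = re.compile(r"^\s*set session-key (inbound|outbound) (ah|esp) ")


@dataclass
class MapEntry:
    name: str
    seq: int
    kind: str                        # "ipsec-manual" or "ipsec-isakmp"
    transform_set: Optional[str] = None
    session_keys: set = field(default_factory=set)   # {(direction, proto)}


def protocols_of(transforms: str) -> set:
    """AH and ESP transforms each need their own manual session keys."""
    protos = set()
    for t in transforms.split():
        if t.startswith("ah-"):
            protos.add("ah")
        elif t.startswith("esp-"):
            protos.add("esp")
    return protos


def parse(config: str):
    entries, transform_sets, applied, isakmp_keys = [], {}, set(), 0
    ctx = None  # MapEntry or interface name while inside an indented block
    for raw in config.splitlines():
        line = raw.rstrip()
        if m := MAP_RE.match(line):
            ctx = MapEntry(m.group(1), int(m.group(2)), m.group(3))
            entries.append(ctx)
        elif m := TS_RE.match(line):
            transform_sets[m.group(1)] = protocols_of(m.group(2))
            ctx = None
        elif m := IF_RE.match(line):
            ctx = m.group(1)
        elif line.startswith("crypto isakmp key "):
            isakmp_keys += 1
            ctx = None
        elif line.startswith(" ") and ctx is not None:
            body = line.strip()
            if isinstance(ctx, MapEntry):
                if body.startswith("set transform-set "):
                    ctx.transform_set = body.split()[2]
                if k := KEY_RE.match(line):
                    ctx.session_keys.add((k.group(1), k.group(2)))
            elif body.startswith("crypto map "):      # "crypto map X" under an interface
                applied.add(body.split()[2])
        else:
            ctx = None
    return entries, transform_sets, applied, isakmp_keys


def lint(config: str) -> list:
    entries, transform_sets, applied, isakmp_keys = parse(config)
    findings = []
    for name in sorted({e.name for e in entries}):
        if name not in applied:
            findings.append(f"crypto map {name} is defined but not applied to any interface")
    for e in entries:
        if e.kind != "ipsec-manual":
            continue
        for direction in ("inbound", "outbound"):
            for proto in sorted(transform_sets.get(e.transform_set, set())):
                if (direction, proto) not in e.session_keys:
                    findings.append(f"crypto map {e.name} {e.seq}: ipsec-manual entry has no "
                                    f"'set session-key {direction} {proto}'; the router logs "
                                    f"'keys missing' and drops the traffic")
    active = [e for e in entries if e.name in applied]
    if active and isakmp_keys and all(e.kind == "ipsec-manual" for e in active):
        findings.append("an ISAKMP pre-shared key is configured, but every applied crypto map "
                        "entry is ipsec-manual; manual entries never start IKE, so "
                        "'show crypto isakmp sa' stays empty regardless of the key")
    return findings


# Sample 1: trimmed from the posted r2 config.
R2_CONFIG = """\
crypto isakmp key prek1 address 172.24.2.2
!
crypto ipsec transform-set tf1 ah-sha-hmac esp-3des esp-sha-hmac comp-lzs
 mode transport
!
crypto map m1 10 ipsec-isakmp dynamic dm1 discover
!
crypto map im1 local-address Serial0/0
crypto map im1 10 ipsec-manual
 set peer 172.24.2.2
 set transform-set tf1
 match address 101
!
interface Serial0/0
 ip address 172.24.2.1 255.255.255.0
 crypto map im1
"""

# Sample 2 (constructed): same entry as ipsec-isakmp, so IKE derives the keys.
R2_FIXED = R2_CONFIG.replace("crypto map im1 10 ipsec-manual", "crypto map im1 10 ipsec-isakmp") \
                    .replace("crypto map m1 10 ipsec-isakmp dynamic dm1 discover\n!\n", "")

if __name__ == "__main__":
    for label, cfg in (("posted r2 config", R2_CONFIG), ("r2 with ipsec-isakmp entry", R2_FIXED)):
        print(f"== {label}: {len(lint(cfg))} finding(s)")
        for f in lint(cfg):
            print("  -", f)
```

Run against the posted r2 config the lint reports six findings: `m1` unbound, four missing session keys (inbound/outbound for AH and ESP) on `im1 10`, and the note that the pre-shared key is never consulted because the only applied entry is manual. The constructed variant, with the entry changed to `ipsec-isakmp`, reports none; adding `set session-key` lines for each direction and protocol instead would equally clear the "keys missing" findings.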



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:57:12 GMT-3