From: Engelhard M. Labiro (engelhard@xxxxxxxxxxxxxx)
Date: Tue Mar 19 2002 - 01:04:16 GMT-3
Hi Lab Candidate,
The problem in your config is that you use "ipsec-manual"
to create the IPSec tunnel, which requires no IKE tunnel.
And the pre-shared key you define is for authentication to be
used when creating the IKE tunnel.
Try changing the "ipsec-manual" entry on the "crypto map im1"
to "crypto map im1 10 ipsec-isakmp". That way your crypto
map will use the pre-shared key listed on the "crypto isakmp" policy.
And watch your crypto access-list 101 also! Normally you don't
define the network between your serial interfaces to be encrypted.
Better use the network of to0 (192.168.5.0/24) or the loopback's
network as the crypto access-list.
And I think there is no need for the "dynamic crypto map" also, because
you already know your peer IP address.
HTH
> I have set up a really basic IPSec config on 2 routers back to back with s0/0 connected.
>
> r2 s0/0 --------------- s0/0 r4
> 172.24.2.1 172.24.2.2
>
> using pre-shared key "prek1", no matter how, the isakmp sa peers won't establish, and I can't ping
> each other's s0/0 interface. The debug says "IPSEC(manual_key_stuffing): keys missing for addr
> 172.24.2.2/prot 51/spi0." but I have the pre-shared key configured on both r2 and r4. Can anyone shed
> some light on what I am doing wrong? Thanks.
>
> Here are the configs from r2 and r4 and some output from show/debug commands.
>
> r2#sh run
> Building configuration...
>
> Current configuration : 2409 bytes
> !
> version 12.2
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname r2
> !
> !
> username r2 password 0 t
> username r4 password 0 t
> ip subnet-zero
> !
> !
> ip audit notify log
> ip audit po max-events 100
> ip ssh time-out 120
> ip ssh authentication-retries 5
> !
> crypto isakmp policy 1
> authentication pre-share
> lifetime 6000
> !
> crypto isakmp policy 2
> encr 3des
> authentication pre-share
> lifetime 600
> crypto isakmp key prek1 address 172.24.2.2
> !
> crypto ipsec security-association lifetime kilobytes 10000
> crypto ipsec security-association lifetime seconds 1000
> !
> crypto ipsec transform-set tf1 ah-sha-hmac esp-3des esp-sha-hmac comp-lzs
> mode transport
> !
> crypto dynamic-map dm1 10
> set peer 172.24.2.2
> set security-association lifetime kilobytes 7000
> set security-association lifetime seconds 700
> set pfs group2
> match address 100
> !
> !
> crypto key pubkey-chain rsa
> named-key nk1 encryption
> key-string
> quit
> !
> crypto map m1 10 ipsec-isakmp dynamic dm1 discover
> !
> crypto map im1 local-address Serial0/0
> crypto map im1 10 ipsec-manual
> set peer 172.24.2.2
> set transform-set tf1
> match address 101
> !
> isdn switch-type basic-5ess
> call rsvp-sync
> !
> !
> !
> !
> !
> !
> !
> !
> interface Loopback0
> ip address 2.2.2.2 255.255.255.255
> !
> interface Loopback1
> ip address 22.22.22.2 255.255.255.0
> !
> interface Ethernet0/0
> no ip address
> half-duplex
> !
> interface Serial0/0
> ip address 172.24.2.1 255.255.255.0
> crypto map im1
> !
> interface TokenRing0/0
> ip address 192.168.5.1 255.255.255.0
> ring-speed 16
> !
> interface BRI0/0
> no ip address
> isdn switch-type basic-dms100
> !
> interface Serial0/1
> ip address 10.10.10.2 255.255.255.0
> encapsulation frame-relay
> ip ospf authentication message-digest
> ip ospf message-digest-key 2 md5 7 test1
> clock rate 128000
> frame-relay map ip 10.10.10.3 203 broadcast
> frame-relay map ip 10.10.10.4 203 broadcast
> !
> router ospf 1
> log-adjacency-changes
> area 0 authentication message-digest
> redistribute connected subnets
> network 2.2.2.2 0.0.0.0 area 0
> network 10.10.10.0 0.0.0.255 area 0
> !
> router rip
> network 172.24.0.0
> no auto-summary
> !
> ip classless
> no ip http server
> ip pim bidir-enable
> !
> access-list 101 permit ip 172.24.2.0 0.0.0.255 172.24.2.0 0.0.0.255 log
> !
> !
> dial-peer cor custom
> !
> !
> !
> !
> !
> line con 0
> exec-timeout 0 0
> line aux 0
> line vty 0 4
> password t
> login local
> !
> end
>
> r2#
>
>
>
> r2#ping 172.24.2.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 172.24.2.2, timeout is 2 seconds:
>
> 4d04h: IPSEC(sa_request): ,
> (key eng. msg.) OUTBOUND local= 172.24.2.1, remote= 172.24.2.2,
> local_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> remote_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> protocol= AH, transform= ah-sha-hmac ,
> lifedur= 1000s and 10000kb,
> spi= 0xF20A4015(4060758037), conn_id= 0, keysize= 0, flags= 0x400C
> 4d04h: IPSEC(sa_request): ,
> (key eng. msg.) OUTBOUND local= 172.24.2.1, remote= 172.24.2.2,
> local_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> remote_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> protocol= ESP, transform= esp-3des esp-sha-hmac ,
> lifedur= 1000s and 10000kb,
> spi= 0x83720808(2205288456), conn_id= 0, keysize= 0, flags= 0x400C
> 4d04h: IPSEC(sa_request): ,
> (key eng. msg.) OUTBOUND local= 172.24.2.1, remote= 172.24.2.2,
> local_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> remote_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> protocol= PCP, transform= comp-lzs ,
> lifedur= 1000s and 10000kb,
> spi= 0xB448(46152), conn_id= 0, keysize= 0, flags= 0x400C
> 4d04h: IP: s=172.24.2.1 (local), d=172.24.2.2 (Serial0/0), len 100, output crypto map check failed.
> 4d04h: IPSEC(manual_key_stuffing): keys missing for addr 172.24.2.2/prot 51/spi 0.
> 4d04h: IP: s=172.24.2.1 (local), d=172.24.2.2 (Serial0/0), len 100, output crypto map check failed..
> 4d04h: IP: s=172.24.2.1 (local), d=172.24.2.2 (Serial0/0), len 100, output crypto map check failed..
> 4d04h: IP: s=172.24.2.1 (local), d=172.24.2.2 (Serial0/0), len 100, output crypto map check failed..
> 4d04h: IP: s=172.24.2.1 (local), d=172.24.2.2 (Serial0/0), len 100, output crypto map check failed..
> Success rate is 0 percent (0/5)
> r2#
> 4d04h: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 172.24.2.1 -> 172.24.2.2 (8/0), 5 packets
>
> r2#show crypto isakmp key
> Hostname/Address Preshared Key
> 172.24.2.2 prek1
> r2#
>
> r2#show crypto isakmp sa
> dst src state conn-id slot
>
> r2#
>
> r2#show crypto ipsec sa
>
> interface: Serial0/0
> Crypto map tag: im1, local addr. 172.24.2.1
>
> local ident (addr/mask/prot/port): (172.24.2.0/255.255.255.0/0/0)
> remote ident (addr/mask/prot/port): (172.24.2.0/255.255.255.0/0/0)
> current_peer: 172.24.2.2
> PERMIT, flags={origin_is_acl,}
> #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
> #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
> #pkts compressed: 0, #pkts decompressed: 0
> #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
> #send errors 20, #recv errors 0
>
> local crypto endpt.: 172.24.2.1, remote crypto endpt.: 172.24.2.2
> path mtu 1500, media mtu 1500
> current outbound spi: 0
>
> inbound esp sas:
>
> inbound ah sas:
>
> inbound pcp sas:
>
> outbound esp sas:
>
> outbound ah sas:
>
> outbound pcp sas:
>
>
> r2#
>
> ==================== r4 config and debug ==============================
>
> r4#sh run
> Building configuration...
>
> Current configuration : 2159 bytes
> !
> version 12.2
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname r4
> !
> enable password tts
> !
> username r2 password 0 t
> username r4 password 0 t
> ip subnet-zero
> !
> !
> ip audit notify log
> ip audit po max-events 100
> ip ssh time-out 120
> ip ssh authentication-retries 5
> !
> crypto isakmp policy 1
> authentication pre-share
> lifetime 600
> !
> crypto isakmp policy 10
> encr 3des
> authentication pre-share
> lifetime 600
> crypto isakmp key prek1 address 172.24.2.1
> !
> crypto ipsec security-association lifetime kilobytes 6000
> !
> crypto ipsec transform-set tf1 ah-sha-hmac esp-3des esp-sha-hmac comp-lzs
> mode transport
> !
> crypto map m1 local-address Serial0/0
> crypto map m1 10 ipsec-manual
> set peer 172.24.2.1
> set transform-set tf1
> match address 101
> !
> call rsvp-sync
> !
> !
> !
> !
> !
> !
> !
> !
> interface Loopback0
> ip address 4.4.4.4 255.255.255.255
> !
> interface FastEthernet0/0
> ip address 192.168.3.1 255.255.255.0
> duplex auto
> speed auto
> !
> interface Serial0/0
> ip address 172.24.2.2 255.255.255.0
> clock rate 64000
> crypto map m1
> !
> interface FastEthernet0/1
> no ip address
> duplex auto
> speed auto
> !
> interface Serial0/1
> ip address 10.10.10.4 255.255.255.0
> encapsulation frame-relay
> ip ospf authentication-key 7 test
> ip ospf message-digest-key 2 md5 7 test1
> frame-relay map ip 10.10.10.2 403 broadcast
> frame-relay map ip 10.10.10.3 403 broadcast
> !
> router ospf 1
> log-adjacency-changes
> area 0 authentication message-digest
> network 4.4.4.4 0.0.0.0 area 0
> network 10.10.10.0 0.0.0.255 area 0
> !
> router rip
> network 172.24.0.0
> no auto-summary
> !
> ip classless
> no ip http server
> ip pim bidir-enable
> !
> access-list 101 permit ip 172.24.2.0 0.0.0.255 172.24.2.0 0.0.0.255 log
> !
> tftp-server flash:c2600-jk9o3s-mz.122-7a.bin
> !
> voice-port 1/0/0
> !
> voice-port 1/0/1
> !
> dial-peer cor custom
> !
> !
> !
> dial-peer voice 1 pots
> destination-pattern 3085
> port 1/0/0
> !
> dial-peer voice 2 voip
> destination-pattern 4085
> session target ipv4:5.5.5.5
> !
> !
> !
> line con 0
> line aux 0
> line vty 0 4
> password tts
> login local
> !
> end
>
> r4#show cr
> r4#show crypto is
> r4#show crypto isakmp k
> r4#show crypto isakmp key
> Hostname/Address Preshared Key
> 172.24.2.1 prek1
> r4#sh
> r4#show cr
> r4#show crypto is
> r4#show crypto isakmp s
> r4#show crypto isakmp sa
> dst src state conn-id slot
>
> r4#ping 172.24.2.1
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 172.24.2.1, timeout is 2 seconds:
>
> 6d05h: IPSEC(sa_request): ,
> (key eng. msg.) OUTBOUND local= 172.24.2.2, remote= 172.24.2.1,
> local_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> remote_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> protocol= AH, transform= ah-sha-hmac ,
> lifedur= 3600s and 6000kb,
> spi= 0x4A03C00E(1241759758), conn_id= 0, keysize= 0, flags= 0x400C
> 6d05h: IPSEC(sa_request): ,
> (key eng. msg.) OUTBOUND local= 172.24.2.2, remote= 172.24.2.1,
> local_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> remote_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> protocol= ESP, transform= esp-3des esp-sha-hmac ,
> lifedur= 3600s and 6000kb,
> spi= 0x438314C6(1132664006), conn_id= 0, keysize= 0, flags= 0x400C
> 6d05h: IPSEC(sa_request): ,
> (key eng. msg.) OUTBOUND local= 172.24.2.2, remote= 172.24.2.1,
> local_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> remote_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> protocol= PCP, transform= comp-lzs ,
> lifedur= 3600s and 6000kb,
> spi= 0xF13B(61755), conn_id= 0, keysize= 0, flags= 0x400C
> 6d05h: IPSEC(manual_key_stuffing): keys missing for addr 172.24.2.1/prot 51/spi 0.....
> Success rate is 0 percent (0/5)
> r4#
>
> r4#show crypto ipsec sa
>
> interface: Serial0/0
> Crypto map tag: m1, local addr. 172.24.2.2
>
> local ident (addr/mask/prot/port): (172.24.2.0/255.255.255.0/0/0)
> remote ident (addr/mask/prot/port): (172.24.2.0/255.255.255.0/0/0)
> current_peer: 172.24.2.1
> PERMIT, flags={origin_is_acl,}
> #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
> #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
> #pkts compressed: 0, #pkts decompressed: 0
> #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
> #send errors 25, #recv errors 0
>
> local crypto endpt.: 172.24.2.2, remote crypto endpt.: 172.24.2.1
> path mtu 1500, media mtu 1500
> current outbound spi: 0
>
> inbound esp sas:
>
> inbound ah sas:
>
> inbound pcp sas:
>
> outbound esp sas:
>
> outbound ah sas:
>
> outbound pcp sas:
>
>
> r4#
>
>
>
>
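The three changes Engelhard recommends (ipsec-isakmp instead of ipsec-manual, a LAN-to-LAN crypto ACL, no dynamic map), written out for both routers as an added example that is not part of the original thread. It assumes r4's 192.168.3.0/24 (Fa0/0) as the far-side network and adds tunnel mode, which the quoted transform set lacks and which LAN-to-LAN traffic needs.

```cisco
! r2 (172.24.2.1): replace the manual entry with an IKE-negotiated one.
! A map entry's type cannot be changed in place, so remove it first.
no crypto map im1 10
crypto map im1 10 ipsec-isakmp
 set peer 172.24.2.2
 set transform-set tf1
 match address 101
!
! r2: the crypto ACL selects LAN-to-LAN traffic, not the serial link
! itself. 192.168.3.0/24 (r4 Fa0/0) as the far side is an assumption.
no access-list 101
access-list 101 permit ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
!
! r2: the peer address is static, so the dynamic map is unnecessary
! (m1 is not applied to any interface on r2, so this is safe to drop)
no crypto map m1
no crypto dynamic-map dm1
!
! r2: traffic between networks behind the routers needs tunnel mode;
! transport mode only fits traffic sourced by the peers themselves.
crypto ipsec transform-set tf1 ah-sha-hmac esp-3des esp-sha-hmac comp-lzs
 mode tunnel
!
! r4 (172.24.2.2): the mirror image of the r2 changes
no crypto map m1 10
crypto map m1 10 ipsec-isakmp
 set peer 172.24.2.1
 set transform-set tf1
 match address 101
no access-list 101
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
crypto ipsec transform-set tf1 ah-sha-hmac esp-3des esp-sha-hmac comp-lzs
 mode tunnel
```

After this, only traffic between the two LANs (not pings between the serial addresses) matches the crypto ACL and triggers IKE; "show crypto isakmp sa" should then list the peer in QM_IDLE instead of the empty table shown above.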
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:57:13 GMT-3