From: Lab Candidate (labccie@xxxxxxxxx)
Date: Tue Mar 19 2002 - 01:11:32 GMT-3
Gregg,
The isakmp keys are defined in there, but not actually in use.
It's the preshared key in use with the crypto map:
crypto map im1 10 ipsec-manual
I know I missed something simple, but after spending a whole day
working on it, I can't think any more. Does anyone have any ideas on it?
TIA...
--- Gregg Malcolm <greggm@sbcglobal.net> wrote:
> A portion of your config has me confused. You are using isakmp for keys but
> I see this statement on both routers : crypto map im1 10 ipsec-manual
>
> I'm an ipsec newbie but shouldn't that be crypto map im1 10 ipsec-isakmp ?
> Without doing a lot of research, it appears to me that you are doing a combo
> of manual and isakmp.
>
> I'm sure someone who's more knowledgeable regarding ipsec will shed some
> light.
>
> Gregg
> ----- Original Message -----
> From: "Lab Candidate" <labccie@yahoo.com>
> To: <ccielab@groupstudy.com>
> Sent: Monday, March 18, 2002 6:30 PM
> Subject: Can't get IPsec SA peers established
>
>
> > I have set up a really basic IPSec config on 2 routers back to back with
> > s0/0 connected.
> >
> > r2 s0/0 --------------- s0/0 r4
> > 172.24.2.1 172.24.2.2
> >
> > Using pre-shared key "prek1", no matter what I try, the isakmp sa peers won't
> > establish, and the routers can't ping each other's s0/0 interface. The debug
> > says "IPSEC(manual_key_stuffing): keys missing for addr
> > 172.24.2.2/prot 51/spi0." but I have the preshared key configured on both r2
> > and r4. Can anyone shed some light on what I am doing wrong? Thanks.
> >
> > Here are the configs from r2 and r4 and some output from show/debug commands.
> >
> > r2#sh run
> > Building configuration...
> >
> > Current configuration : 2409 bytes
> > !
> > version 12.2
> > service timestamps debug uptime
> > service timestamps log uptime
> > no service password-encryption
> > !
> > hostname r2
> > !
> > !
> > username r2 password 0 t
> > username r4 password 0 t
> > ip subnet-zero
> > !
> > !
> > ip audit notify log
> > ip audit po max-events 100
> > ip ssh time-out 120
> > ip ssh authentication-retries 5
> > !
> > crypto isakmp policy 1
> > authentication pre-share
> > lifetime 6000
> > !
> > crypto isakmp policy 2
> > encr 3des
> > authentication pre-share
> > lifetime 600
> > crypto isakmp key prek1 address 172.24.2.2
> > !
> > crypto ipsec security-association lifetime kilobytes 10000
> > crypto ipsec security-association lifetime seconds 1000
> > !
> > crypto ipsec transform-set tf1 ah-sha-hmac esp-3des esp-sha-hmac comp-lzs
> > mode transport
> > !
> > crypto dynamic-map dm1 10
> > set peer 172.24.2.2
> > set security-association lifetime kilobytes 7000
> > set security-association lifetime seconds 700
> > set pfs group2
> > match address 100
> > !
> > !
> > crypto key pubkey-chain rsa
> > named-key nk1 encryption
> > key-string
> > quit
> > !
> > crypto map m1 10 ipsec-isakmp dynamic dm1 discover
> > !
> > crypto map im1 local-address Serial0/0
> > crypto map im1 10 ipsec-manual
> > set peer 172.24.2.2
> > set transform-set tf1
> > match address 101
> > !
> > isdn switch-type basic-5ess
> > call rsvp-sync
> > !
> > !
> > !
> > !
> > !
> > !
> > !
> > !
> > interface Loopback0
> > ip address 2.2.2.2 255.255.255.255
> > !
> > interface Loopback1
> > ip address 22.22.22.2 255.255.255.0
> > !
> > interface Ethernet0/0
> > no ip address
> > half-duplex
> > !
> > interface Serial0/0
> > ip address 172.24.2.1 255.255.255.0
> > crypto map im1
> > !
> > interface TokenRing0/0
> > ip address 192.168.5.1 255.255.255.0
> > ring-speed 16
> > !
> > interface BRI0/0
> > no ip address
> > isdn switch-type basic-dms100
> > !
> > interface Serial0/1
> > ip address 10.10.10.2 255.255.255.0
> > encapsulation frame-relay
> > ip ospf authentication message-digest
> > ip ospf message-digest-key 2 md5 7 test1
> > clock rate 128000
> > frame-relay map ip 10.10.10.3 203 broadcast
> > frame-relay map ip 10.10.10.4 203 broadcast
> > !
> > router ospf 1
> > log-adjacency-changes
> > area 0 authentication message-digest
> > redistribute connected subnets
> > network 2.2.2.2 0.0.0.0 area 0
> > network 10.10.10.0 0.0.0.255 area 0
> > !
> > router rip
> > network 172.24.0.0
> > no auto-summary
> > !
> > ip classless
> > no ip http server
> > ip pim bidir-enable
> > !
> > access-list 101 permit ip 172.24.2.0 0.0.0.255 172.24.2.0 0.0.0.255 log
> > !
> > !
> > dial-peer cor custom
> > !
> > !
> > !
> > !
> > !
> > line con 0
> > exec-timeout 0 0
> > line aux 0
> > line vty 0 4
> > password t
> > login local
> > !
> > end
> >
> > r2#
> >
> >
> >
> > r2#ping 172.24.2.2
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 172.24.2.2, timeout is 2 seconds:
> >
> > 4d04h: IPSEC(sa_request): ,
> > (key eng. msg.) OUTBOUND local= 172.24.2.1, remote= 172.24.2.2,
> > local_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> > remote_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> > protocol= AH, transform= ah-sha-hmac ,
> > lifedur= 1000s and 10000kb,
> > spi= 0xF20A4015(4060758037), conn_id= 0, keysize= 0, flags= 0x400C
> > 4d04h: IPSEC(sa_request): ,
> > (key eng. msg.) OUTBOUND local= 172.24.2.1, remote= 172.24.2.2,
> > local_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> > remote_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> > protocol= ESP, transform= esp-3des esp-sha-hmac ,
> > lifedur= 1000s and 10000kb,
> > spi= 0x83720808(2205288456), conn_id= 0, keysize= 0, flags= 0x400C
> > 4d04h: IPSEC(sa_request): ,
> > (key eng. msg.) OUTBOUND local= 172.24.2.1, remote= 172.24.2.2,
> > local_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> > remote_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> > protocol= PCP, transform= comp-lzs ,
> > lifedur= 1000s and 10000kb,
> > spi= 0xB448(46152), conn_id= 0, keysize= 0, flags= 0x400C
> > 4d04h: IP: s=172.24.2.1 (local), d=172.24.2.2 (Serial0/0), len 100, output
> > crypto map check failed.
>
=== message truncated ===
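An added example that is not part of the thread and not the poster's own configuration: r2's crypto map rewritten as an ISAKMP-negotiated entry, which is the change Gregg's reply points at. A crypto map entry created with `ipsec-manual` never talks to IKE at all; it expects the SPIs and session keys to be typed in by hand with `set session-key` for both directions, which is what the `IPSEC(manual_key_stuffing): keys missing` debug is complaining about, and for such an entry the `crypto isakmp key` line is simply never consulted. Switching the entry to `ipsec-isakmp` makes IKE negotiate the SPIs and keys from the pre-shared key. The r4 side is missing from the truncated post, so its mirror-image configuration below is an assumption; the `log` keyword has been left off the crypto ACL and the unused dynamic map and RSA pubkey-chain lines are omitted.

```cisco
! r2 -- assumed corrected fragment (added example, not the poster's config)
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 lifetime 600
crypto isakmp key prek1 address 172.24.2.2
!
crypto ipsec transform-set tf1 ah-sha-hmac esp-3des esp-sha-hmac comp-lzs
 mode transport
!
! ipsec-isakmp (not ipsec-manual): IKE negotiates SPIs and session keys
! using the pre-shared key above, so no set session-key lines are needed
crypto map im1 local-address Serial0/0
crypto map im1 10 ipsec-isakmp
 set peer 172.24.2.2
 set transform-set tf1
 match address 101
!
interface Serial0/0
 ip address 172.24.2.1 255.255.255.0
 crypto map im1
!
access-list 101 permit ip 172.24.2.0 0.0.0.255 172.24.2.0 0.0.0.255

! r4 -- assumed mirror image (the original post's r4 config was truncated)
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 lifetime 600
crypto isakmp key prek1 address 172.24.2.1
!
crypto ipsec transform-set tf1 ah-sha-hmac esp-3des esp-sha-hmac comp-lzs
 mode transport
!
crypto map im1 local-address Serial0/0
crypto map im1 10 ipsec-isakmp
 set peer 172.24.2.1
 set transform-set tf1
 match address 101
!
interface Serial0/0
 ip address 172.24.2.2 255.255.255.0
 crypto map im1
!
access-list 101 permit ip 172.24.2.0 0.0.0.255 172.24.2.0 0.0.0.255
```

With the entries changed, a repeated ping from r2 to 172.24.2.2 should trigger IKE: `show crypto isakmp sa` should then list the 172.24.2.1/172.24.2.2 pair in state QM_IDLE, and `show crypto ipsec sa` should show the pkts encaps/decaps counters climbing. If phase 1 still fails, `debug crypto isakmp` is the place to look; a mismatched pre-shared key surfaces there, not in the IPsec-level debug shown in the post. If manual keying was genuinely the intention, the `ipsec-manual` entry instead needs matching `set session-key inbound` and `set session-key outbound` lines for both ah and esp on both routers, and the `crypto isakmp` lines become dead configuration.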
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:57:13 GMT-3