From: Manny Gonzalez (gonzalu@xxxxxxx)
Date: Tue Mar 19 2002 - 12:35:02 GMT-3
First off, that config is FAR from as simple an ipsec config as it can get
:-)
No offense, but you could do a much simpler config. Here is some sample
output I did in the lab... this is pre-shared keys... nice and simple,
and it works just fine. Try this simple config and see if it works for you.
Then start adding complexity. Portions of the config omitted for
readability.
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco address 10.1.1.1
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
set peer 10.1.1.1
set transform-set cisco
match address 101
!
!
access-list 101 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
Gregg Malcolm wrote:
>
> A portion of your config has me confused. You are using isakmp for keys but
> I see this statement on both routers : crypto map im1 10 ipsec-manual
>
> I'm an ipsec newbie but shouldn't that be crypto map im1 10 ipsec-isakmp ?
> Without doing a lot of research, it appears to me that you are doing a combo
> of manual and isakmp.
>
> I'm sure someone who's more knowledgeable regarding ipsec will shed some
> light.
>
> Gregg
> ----- Original Message -----
> From: "Lab Candidate" <labccie@yahoo.com>
> To: <ccielab@groupstudy.com>
> Sent: Monday, March 18, 2002 6:30 PM
> Subject: Can't get IPsec SA peers established
>
> > I have set up a really basic IPSec config on 2 routers back to back with
> > s0/0 connected.
> >
> > r2 s0/0 --------------- s0/0 r4
> >    172.24.2.1          172.24.2.2
> >
> > Using pre-shared key "prek1", no matter how, the isakmp sa peers won't
> > establish, and I can't ping each other's s0/0 interface. The debug says
> > "IPSEC(manual_key_stuffing): keys missing for addr 172.24.2.2/prot 51/spi 0."
> > but I have the preshared key configured on both r2 and r4. Can anyone shed
> > some light on what I am doing wrong? Thanks.
> >
> > Here are the configs from r2 and r4 and some output from show/debug commands.
> >
> > r2#sh run
> > Building configuration...
> >
> > Current configuration : 2409 bytes
> > !
> > version 12.2
> > service timestamps debug uptime
> > service timestamps log uptime
> > no service password-encryption
> > !
> > hostname r2
> > !
> > !
> > username r2 password 0 t
> > username r4 password 0 t
> > ip subnet-zero
> > !
> > !
> > ip audit notify log
> > ip audit po max-events 100
> > ip ssh time-out 120
> > ip ssh authentication-retries 5
> > !
> > crypto isakmp policy 1
> > authentication pre-share
> > lifetime 6000
> > !
> > crypto isakmp policy 2
> > encr 3des
> > authentication pre-share
> > lifetime 600
> > crypto isakmp key prek1 address 172.24.2.2
> > !
> > crypto ipsec security-association lifetime kilobytes 10000
> > crypto ipsec security-association lifetime seconds 1000
> > !
> > crypto ipsec transform-set tf1 ah-sha-hmac esp-3des esp-sha-hmac comp-lzs
> > mode transport
> > !
> > crypto dynamic-map dm1 10
> > set peer 172.24.2.2
> > set security-association lifetime kilobytes 7000
> > set security-association lifetime seconds 700
> > set pfs group2
> > match address 100
> > !
> > !
> > crypto key pubkey-chain rsa
> > named-key nk1 encryption
> > key-string
> > quit
> > !
> > crypto map m1 10 ipsec-isakmp dynamic dm1 discover
> > !
> > crypto map im1 local-address Serial0/0
> > crypto map im1 10 ipsec-manual
> > set peer 172.24.2.2
> > set transform-set tf1
> > match address 101
> > !
> > isdn switch-type basic-5ess
> > call rsvp-sync
> > !
> > !
> > !
> > !
> > !
> > !
> > !
> > !
> > interface Loopback0
> > ip address 2.2.2.2 255.255.255.255
> > !
> > interface Loopback1
> > ip address 22.22.22.2 255.255.255.0
> > !
> > interface Ethernet0/0
> > no ip address
> > half-duplex
> > !
> > interface Serial0/0
> > ip address 172.24.2.1 255.255.255.0
> > crypto map im1
> > !
> > interface TokenRing0/0
> > ip address 192.168.5.1 255.255.255.0
> > ring-speed 16
> > !
> > interface BRI0/0
> > no ip address
> > isdn switch-type basic-dms100
> > !
> > interface Serial0/1
> > ip address 10.10.10.2 255.255.255.0
> > encapsulation frame-relay
> > ip ospf authentication message-digest
> > ip ospf message-digest-key 2 md5 7 test1
> > clock rate 128000
> > frame-relay map ip 10.10.10.3 203 broadcast
> > frame-relay map ip 10.10.10.4 203 broadcast
> > !
> > router ospf 1
> > log-adjacency-changes
> > area 0 authentication message-digest
> > redistribute connected subnets
> > network 2.2.2.2 0.0.0.0 area 0
> > network 10.10.10.0 0.0.0.255 area 0
> > !
> > router rip
> > network 172.24.0.0
> > no auto-summary
> > !
> > ip classless
> > no ip http server
> > ip pim bidir-enable
> > !
> > access-list 101 permit ip 172.24.2.0 0.0.0.255 172.24.2.0 0.0.0.255 log
> > !
> > !
> > dial-peer cor custom
> > !
> > !
> > !
> > !
> > !
> > line con 0
> > exec-timeout 0 0
> > line aux 0
> > line vty 0 4
> > password t
> > login local
> > !
> > end
> >
> > r2#
> >
> >
> >
> > r2#ping 172.24.2.2
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 172.24.2.2, timeout is 2 seconds:
> >
> > 4d04h: IPSEC(sa_request): ,
> > (key eng. msg.) OUTBOUND local= 172.24.2.1, remote= 172.24.2.2,
> > local_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> > remote_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> > protocol= AH, transform= ah-sha-hmac ,
> > lifedur= 1000s and 10000kb,
> > spi= 0xF20A4015(4060758037), conn_id= 0, keysize= 0, flags= 0x400C
> > 4d04h: IPSEC(sa_request): ,
> > (key eng. msg.) OUTBOUND local= 172.24.2.1, remote= 172.24.2.2,
> > local_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> > remote_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> > protocol= ESP, transform= esp-3des esp-sha-hmac ,
> > lifedur= 1000s and 10000kb,
> > spi= 0x83720808(2205288456), conn_id= 0, keysize= 0, flags= 0x400C
> > 4d04h: IPSEC(sa_request): ,
> > (key eng. msg.) OUTBOUND local= 172.24.2.1, remote= 172.24.2.2,
> > local_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> > remote_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> > protocol= PCP, transform= comp-lzs ,
> > lifedur= 1000s and 10000kb,
> > spi= 0xB448(46152), conn_id= 0, keysize= 0, flags= 0x400C
> > 4d04h: IP: s=172.24.2.1 (local), d=172.24.2.2 (Serial0/0), len 100, output crypto map check failed.
> > 4d04h: IPSEC(manual_key_stuffing): keys missing for addr 172.24.2.2/prot 51/spi 0.
> > 4d04h: IP: s=172.24.2.1 (local), d=172.24.2.2 (Serial0/0), len 100, output crypto map check failed..
> > 4d04h: IP: s=172.24.2.1 (local), d=172.24.2.2 (Serial0/0), len 100, output crypto map check failed..
> > 4d04h: IP: s=172.24.2.1 (local), d=172.24.2.2 (Serial0/0), len 100, output crypto map check failed..
> > 4d04h: IP: s=172.24.2.1 (local), d=172.24.2.2 (Serial0/0), len 100, output crypto map check failed..
> > Success rate is 0 percent (0/5)
> > r2#
> > 4d04h: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 172.24.2.1 -> 172.24.2.2 (8/0), 5 packets
> >
> > r2#show crypto isakmp key
> > Hostname/Address Preshared Key
> > 172.24.2.2 prek1
> > r2#
> >
> > r2#show crypto isakmp sa
> > dst src state conn-id slot
> >
> > r2#
> >
> > r2#show crypto ipsec sa
> >
> > interface: Serial0/0
> > Crypto map tag: im1, local addr. 172.24.2.1
> >
> > local ident (addr/mask/prot/port): (172.24.2.0/255.255.255.0/0/0)
> > remote ident (addr/mask/prot/port): (172.24.2.0/255.255.255.0/0/0)
> > current_peer: 172.24.2.2
> > PERMIT, flags={origin_is_acl,}
> > #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
> > #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
> > #pkts compressed: 0, #pkts decompressed: 0
> > #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
> > #send errors 20, #recv errors 0
> >
> > local crypto endpt.: 172.24.2.1, remote crypto endpt.: 172.24.2.2
> > path mtu 1500, media mtu 1500
> > current outbound spi: 0
> >
> > inbound esp sas:
> >
> > inbound ah sas:
> >
> > inbound pcp sas:
> >
> > outbound esp sas:
> >
> > outbound ah sas:
> >
> > outbound pcp sas:
> >
> >
> > r2#
> >
> > ==================== r4 config and debug ==============================
> >
> > r4#sh run
> > Building configuration...
> >
> > Current configuration : 2159 bytes
> > !
> > version 12.2
> > service timestamps debug uptime
> > service timestamps log uptime
> > no service password-encryption
> > !
> > hostname r4
> > !
> > enable password tts
> > !
> > username r2 password 0 t
> > username r4 password 0 t
> > ip subnet-zero
> > !
> > !
> > ip audit notify log
> > ip audit po max-events 100
> > ip ssh time-out 120
> > ip ssh authentication-retries 5
> > !
> > crypto isakmp policy 1
> > authentication pre-share
> > lifetime 600
> > !
> > crypto isakmp policy 10
> > encr 3des
> > authentication pre-share
> > lifetime 600
> > crypto isakmp key prek1 address 172.24.2.1
> > !
> > crypto ipsec security-association lifetime kilobytes 6000
> > !
> > crypto ipsec transform-set tf1 ah-sha-hmac esp-3des esp-sha-hmac comp-lzs
> > mode transport
> > !
> > crypto map m1 local-address Serial0/0
> > crypto map m1 10 ipsec-manual
> > set peer 172.24.2.1
> > set transform-set tf1
> > match address 101
> > !
> > call rsvp-sync
> > !
> > !
> > !
> > !
> > !
> > !
> > !
> > !
> > interface Loopback0
> > ip address 4.4.4.4 255.255.255.255
> > !
> > interface FastEthernet0/0
> > ip address 192.168.3.1 255.255.255.0
> > duplex auto
> > speed auto
> > !
> > interface Serial0/0
> > ip address 172.24.2.2 255.255.255.0
> > clock rate 64000
> > crypto map m1
> > !
> > interface FastEthernet0/1
> > no ip address
> > duplex auto
> > speed auto
> > !
> > interface Serial0/1
> > ip address 10.10.10.4 255.255.255.0
> > encapsulation frame-relay
> > ip ospf authentication-key 7 test
> > ip ospf message-digest-key 2 md5 7 test1
> > frame-relay map ip 10.10.10.2 403 broadcast
> > frame-relay map ip 10.10.10.3 403 broadcast
> > !
> > router ospf 1
> > log-adjacency-changes
> > area 0 authentication message-digest
> > network 4.4.4.4 0.0.0.0 area 0
> > network 10.10.10.0 0.0.0.255 area 0
> > !
> > router rip
> > network 172.24.0.0
> > no auto-summary
> > !
> > ip classless
> > no ip http server
> > ip pim bidir-enable
> > !
> > access-list 101 permit ip 172.24.2.0 0.0.0.255 172.24.2.0 0.0.0.255 log
> > !
> > tftp-server flash:c2600-jk9o3s-mz.122-7a.bin
> > !
> > voice-port 1/0/0
> > !
> > voice-port 1/0/1
> > !
> > dial-peer cor custom
> > !
> > !
> > !
> > dial-peer voice 1 pots
> > destination-pattern 3085
> > port 1/0/0
> > !
> > dial-peer voice 2 voip
> > destination-pattern 4085
> > session target ipv4:5.5.5.5
> > !
> > !
> > !
> > line con 0
> > line aux 0
> > line vty 0 4
> > password tts
> > login local
> > !
> > end
> >
> > r4#show crypto isakmp key
> > Hostname/Address Preshared Key
> > 172.24.2.1 prek1
> > r4#show crypto isakmp sa
> > dst src state conn-id slot
> >
> > r4#ping 172.24.2.1
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 172.24.2.1, timeout is 2 seconds:
> >
> > 6d05h: IPSEC(sa_request): ,
> > (key eng. msg.) OUTBOUND local= 172.24.2.2, remote= 172.24.2.1,
> > local_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> > remote_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> > protocol= AH, transform= ah-sha-hmac ,
> > lifedur= 3600s and 6000kb,
> > spi= 0x4A03C00E(1241759758), conn_id= 0, keysize= 0, flags= 0x400C
> > 6d05h: IPSEC(sa_request): ,
> > (key eng. msg.) OUTBOUND local= 172.24.2.2, remote= 172.24.2.1,
> > local_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> > remote_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> > protocol= ESP, transform= esp-3des esp-sha-hmac ,
> > lifedur= 3600s and 6000kb,
> > spi= 0x438314C6(1132664006), conn_id= 0, keysize= 0, flags= 0x400C
> > 6d05h: IPSEC(sa_request): ,
> > (key eng. msg.) OUTBOUND local= 172.24.2.2, remote= 172.24.2.1,
> > local_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> > remote_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> > protocol= PCP, transform= comp-lzs ,
> > lifedur= 3600s and 6000kb,
> > spi= 0xF13B(61755), conn_id= 0, keysize= 0, flags= 0x400C
> > 6d05h: IPSEC(manual_key_stuffing): keys missing for addr 172.24.2.1/prot 51/spi 0.....
> > Success rate is 0 percent (0/5)
> > r4#
> >
> > r4#show crypto ipsec sa
> >
> > interface: Serial0/0
> > Crypto map tag: m1, local addr. 172.24.2.2
> >
> > local ident (addr/mask/prot/port): (172.24.2.0/255.255.255.0/0/0)
> > remote ident (addr/mask/prot/port): (172.24.2.0/255.255.255.0/0/0)
> > current_peer: 172.24.2.1
> > PERMIT, flags={origin_is_acl,}
> > #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
> > #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
> > #pkts compressed: 0, #pkts decompressed: 0
> > #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
> > #send errors 25, #recv errors 0
> >
> > local crypto endpt.: 172.24.2.2, remote crypto endpt.: 172.24.2.1
> > path mtu 1500, media mtu 1500
> > current outbound spi: 0
> >
> > inbound esp sas:
> >
> > inbound ah sas:
> >
> > inbound pcp sas:
> >
> > outbound esp sas:
> >
> > outbound ah sas:
> >
> > outbound pcp sas:
> >
> >
> > r4#
> >
> >
> >
> >
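Editor's note on the thread above. Gregg's reading is the whole story: the crypto map entry that is actually applied to Serial0/0 on both routers (im1 on r2, m1 on r4) is of type ipsec-manual. A manual entry tells IOS that the SA keys and SPIs are typed in by hand with "set session-key", so the ISAKMP policy and the pre-shared key are never consulted for that entry; that is why "show crypto isakmp sa" is empty on both sides and the debug reports IPSEC(manual_key_stuffing): keys missing. Changing the entry to ipsec-isakmp, as Gregg suggests, is the fix; Manny's minimal config shows the same thing from the working side. One caveat on that minimal config: esp-des (single DES) is fine for a lab exercise but should not be used for anything real.

The linter below is an added example, not code from anyone in this thread, that turns that check and a few related ones into something you can run over a pasted running-config: ipsec-manual entries without session keys, pre-shared keys that no ipsec-isakmp entry will ever use, ipsec-isakmp peers with no pre-shared key, crypto maps defined but never applied, and weak ESP transforms. It understands only the classic crypto-map syntax seen in this thread and deliberately ignores indentation, since mailing-list output strips it. The two config excerpts are constructed: R2_BROKEN is trimmed from r2's posted config, R2_FIXED is the same with Gregg's fix applied and the unused dynamic map dropped. The WEAK_TRANSFORMS list is my own policy choice, not an IOS setting.

```python
"""Consistency linter for classic Cisco IOS crypto-map IPsec config.
Added example for this thread, not code from the original posts; the config
excerpts below are constructed from r2's posted config and Gregg's fix."""

WEAK_TRANSFORMS = {"esp-des", "esp-null"}  # reviewer's own list, not an IOS setting
MAP_TYPES = ("ipsec-isakmp", "ipsec-manual")


def parse_ios(config):
    """Pull crypto-relevant objects out of a running-config. Indentation is
    ignored on purpose (pasted configs often lose it); context is keyword-based."""
    s = {"isakmp_keys": {}, "preshare_policy": False, "transform_sets": {},
         "maps": {}, "applied": {}}
    ctx = None  # ("policy",) | ("entry", map, seq) | ("dynamic",) | ("interface", name)
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[:2] == ["crypto", "map"] and len(tok) == 3 and ctx and ctx[0] == "interface":
            s["applied"][ctx[1]] = tok[2]  # 'crypto map NAME' applied to an interface
        elif tok[0] == "crypto" and len(tok) >= 3:
            ctx = None  # every other 'crypto ...' line starts a new object
            if tok[1:3] == ["isakmp", "policy"]:
                ctx = ("policy",)
            elif tok[1:3] == ["isakmp", "key"] and "address" in tok:
                s["isakmp_keys"][tok[tok.index("address") + 1]] = tok[3]
            elif tok[1:3] == ["ipsec", "transform-set"]:
                s["transform_sets"][tok[3]] = tok[4:]
            elif tok[1] == "dynamic-map":
                ctx = ("dynamic",)  # its 'set ...' lines are ignored below
            elif tok[1] == "map" and len(tok) >= 5 and tok[4] in MAP_TYPES:
                s["maps"].setdefault(tok[2], {})[int(tok[3])] = {
                    "type": tok[4], "dynamic": "dynamic" in tok, "peers": [],
                    "transform": None, "session_keys": set()}
                ctx = ("entry", tok[2], int(tok[3]))
        elif tok[0] == "interface":
            ctx = ("interface", tok[1])
        elif tok[0] in ("router", "line", "access-list"):
            ctx = None
        elif ctx == ("policy",) and tok[:2] == ["authentication", "pre-share"]:
            s["preshare_policy"] = True
        elif ctx and ctx[0] == "entry":
            e = s["maps"][ctx[1]][ctx[2]]
            if tok[:2] == ["set", "peer"]:
                e["peers"].append(tok[2])
            elif tok[:2] == ["set", "transform-set"]:
                e["transform"] = tok[2]
            elif tok[:2] == ["set", "session-key"]:  # ... inbound|outbound ah|esp SPI KEY
                e["session_keys"].add((tok[2], tok[3]))
    return s


def lint(config):
    """Return human-readable findings; an empty list means the config is consistent."""
    s, out = parse_ios(config), []
    for name, entries in s["maps"].items():
        if name not in s["applied"].values():
            out.append(f"crypto map {name} is defined but applied to no interface")
        for seq, e in sorted(entries.items()):
            if e["dynamic"]:
                continue  # peers/transforms live in the dynamic map, out of scope here
            where = f"crypto map {name} {seq}"
            transforms = s["transform_sets"].get(e["transform"], [])
            if weak := sorted(set(transforms) & WEAK_TRANSFORMS):
                out.append(f"{where}: transform-set {e['transform']} uses {' '.join(weak)}")
            if e["type"] == "ipsec-manual":
                # Manual keying needs inbound+outbound keys per protocol in the transform
                # set; without them IOS logs 'IPSEC(manual_key_stuffing): keys missing'.
                protos = {t.split("-")[0] for t in transforms if t.startswith(("ah-", "esp-"))}
                missing = {(d, p) for d in ("inbound", "outbound") for p in protos} - e["session_keys"]
                if missing:
                    out.append(f"{where}: ipsec-manual entry lacks 'set session-key' for "
                               + ", ".join(f"{d} {p}" for d, p in sorted(missing))
                               + "; use ipsec-isakmp if ISAKMP is meant to negotiate the keys")
                out += [f"{where}: pre-shared key for {p} is unused by an ipsec-manual entry"
                        for p in e["peers"] if p in s["isakmp_keys"]]
            elif s["preshare_policy"]:
                out += [f"{where}: no 'crypto isakmp key ... address {p}' for this peer"
                        for p in e["peers"] if p not in s["isakmp_keys"]]
    return out


R2_BROKEN = """\
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key prek1 address 172.24.2.2
crypto ipsec transform-set tf1 ah-sha-hmac esp-3des esp-sha-hmac comp-lzs
crypto dynamic-map dm1 10
 set peer 172.24.2.2
crypto map m1 10 ipsec-isakmp dynamic dm1 discover
crypto map im1 local-address Serial0/0
crypto map im1 10 ipsec-manual
 set peer 172.24.2.2
 set transform-set tf1
interface Serial0/0
 crypto map im1
"""  # constructed excerpt of r2's posted (broken) config
R2_FIXED = R2_BROKEN.replace("ipsec-manual", "ipsec-isakmp").replace(  # Gregg's fix, and the
    "crypto dynamic-map dm1 10\n set peer 172.24.2.2\n"                  # unused dynamic map
    "crypto map m1 10 ipsec-isakmp dynamic dm1 discover\n", "")           # dropped
```

Calling lint(R2_BROKEN) yields three findings: the im1 10 entry lacks session keys for inbound/outbound AH and ESP (the transform set carries both), the pre-shared key for 172.24.2.2 is unused because the entry is manual, and crypto map m1 (the dynamic one) is defined but applied to nowhere. lint(R2_FIXED) returns an empty list. The same check run on Manny's sample would pass the map logic but flag esp-des.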
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:57:13 GMT-3