From: Lab Candidate (labccie@xxxxxxxxx)
Date: Tue Mar 19 2002 - 16:40:20 GMT-3
Engelhard,
The problem was solved and it's working nicely.
You pointed out the right spot that led me to solving the problem.
Thanks.
Manny,
Your config also works fine, I've tested it. Thanks as well.
---
First off, that config is FAR from as simple an ipsec config as it can get :-)
No offense but you could do a much simpler config. Here is some sample output I did in the lab... this is pre-shared keys... nice and simple and works just fine. Try this simple config and see if it works for you. Then start adding complexity. Portions of the config omitted for readability.

!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 10.1.1.1
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set cisco
 match address 101
!
!
access-list 101 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
--- "Engelhard M. Labiro" <engelhard@netmarks.co.jp> wrote:
> Hi Lab Candidate,
>
> The problem on your config is because you use "ipsec-manual"
> to create the IPSec tunnel, which requires no IKE tunnel.
> And the pre-shared key you define is for authentication to be
> used when creating the IKE tunnel.
> Try changing the "ipsec-manual" entry on the "crypto map im1"
> to "crypto map im1 10 ipsec-isakmp". That way your crypto
> map will use the pre-shared key listed on the "crypto isakmp" policy.
>
> And watch your crypto access-list 101 also! Normally you don't
> define the network between your serial interfaces to be encrypted.
> Better use the network of to0 (192.168.5.0/24) or the loopback's
> network as the crypto access-list.
>
> And I think there is no need for "dynamic crypto map" also, because
> you already know your peer IP address.
>
> HTH
>
> > I have set up a really basic IPSec config on 2 routers back to back with
> > s0/0 connected.
> >
> > r2 s0/0 --------------- s0/0 r4
> >    172.24.2.1         172.24.2.2
> >
> > Using pre-shared key "prek1", no matter how, the isakmp sa peers won't
> > establish, and I can't ping each other's s0/0 interface. The debug says
> > "IPSEC(manual_key_stuffing): keys missing for addr 172.24.2.2/prot 51/spi0."
> > but I have the preshared key configured on both r2 and r4. Can anyone shed
> > some light on what I am doing wrong? Thanks.
> >
> > Here are the configs from r2 and r4 and some output from show/debug commands.
> >
> > r2#sh run
> > Building configuration...
> >
> > Current configuration : 2409 bytes
> > !
> > version 12.2
> > service timestamps debug uptime
> > service timestamps log uptime
> > no service password-encryption
> > !
> > hostname r2
> > !
> > !
> > username r2 password 0 t
> > username r4 password 0 t
> > ip subnet-zero
> > !
> > !
> > ip audit notify log
> > ip audit po max-events 100
> > ip ssh time-out 120
> > ip ssh authentication-retries 5
> > !
> > crypto isakmp policy 1
> >  authentication pre-share
> >  lifetime 6000
> > !
> > crypto isakmp policy 2
> >  encr 3des
> >  authentication pre-share
> >  lifetime 600
> > crypto isakmp key prek1 address 172.24.2.2
> > !
> > crypto ipsec security-association lifetime kilobytes 10000
> > crypto ipsec security-association lifetime seconds 1000
> > !
> > crypto ipsec transform-set tf1 ah-sha-hmac esp-3des esp-sha-hmac comp-lzs
> >  mode transport
> > !
> > crypto dynamic-map dm1 10
> >  set peer 172.24.2.2
> >  set security-association lifetime kilobytes 7000
> >  set security-association lifetime seconds 700
> >  set pfs group2
> >  match address 100
> > !
> > !
> > crypto key pubkey-chain rsa
> >  named-key nk1 encryption
> >   key-string
> >   quit
> > !
> > crypto map m1 10 ipsec-isakmp dynamic dm1 discover
> > !
> > crypto map im1 local-address Serial0/0
> > crypto map im1 10 ipsec-manual
> >  set peer 172.24.2.2
> >  set transform-set tf1
> >  match address 101
> > !
> > isdn switch-type basic-5ess
> > call rsvp-sync
> > !
> > !
> > !
> > !
> > !
> > !
> > !
> > !
> > interface Loopback0
> >  ip address 2.2.2.2 255.255.255.255
> > !
> > interface Loopback1
> >  ip address 22.22.22.2 255.255.255.0
> > !
> > interface Ethernet0/0
> >  no ip address
> >  half-duplex
> > !
> > interface Serial0/0
> >  ip address 172.24.2.1 255.255.255.0
> >  crypto map im1
> > !
> > interface TokenRing0/0
> >  ip address 192.168.5.1 255.255.255.0
> >  ring-speed 16
> > !
> > interface BRI0/0
> >  no ip address
> >  isdn switch-type basic-dms100
> > !
> > interface Serial0/1
> >  ip address 10.10.10.2 255.255.255.0
> >  encapsulation frame-relay
> >  ip ospf authentication message-digest
> >  ip ospf message-digest-key 2 md5 7 test1
> >  clock rate 128000
> >  frame-relay map ip 10.10.10.3 203 broadcast
> >  frame-relay map ip 10.10.10.4 203 broadcast
> > !
> > router ospf 1
> >  log-adjacency-changes
> >  area 0 authentication message-digest
> >  redistribute connected subnets
> >  network 2.2.2.2 0.0.0.0 area 0
> >  network 10.10.10.0 0.0.0.255 area 0
> > !
> > router rip
> >  network 172.24.0.0
> >  no auto-summary
> > !
> > ip classless
> > no ip http server
> > ip pim bidir-enable
> > !
> > access-list 101 permit ip 172.24.2.0 0.0.0.255 172.24.2.0 0.0.0.255 log
> > !
> > !
> > dial-peer cor custom
> > !
> > !
> > !
> > !
> > !
> > line con 0
> >  exec-timeout 0 0
> > line aux 0
> > line vty 0 4
> >  password t
> >  login local
> > !
> > end
> >
> > r2#
> >
> >
> > r2#ping 172.24.2.2
> >
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 172.24.2.2, timeout is 2 seconds:
> >
> > 4d04h: IPSEC(sa_request): ,
> >   (key eng. msg.) OUTBOUND local= 172.24.2.1, remote= 172.24.2.2,
> >     local_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> >     remote_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> >     protocol= AH, transform= ah-sha-hmac ,
> >     lifedur= 1000s and 10000kb,
> >     spi= 0xF20A4015(4060758037), conn_id= 0, keysize= 0, flags= 0x400C
> > 4d04h: IPSEC(sa_request): ,
> >   (key eng. msg.) OUTBOUND local= 172.24.2.1, remote= 172.24.2.2,
> >     local_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> >     remote_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> >     protocol= ESP, transform= esp-3des esp-sha-hmac ,
> >     lifedur= 1000s and 10000kb,
> >     spi= 0x83720808(2205288456), conn_id= 0, keysize= 0, flags= 0x400C
> > 4d04h: IPSEC(sa_request): ,
> >   (key eng. msg.) OUTBOUND local= 172.24.2.1, remote= 172.24.2.2,
> >     local_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
> >     remote_proxy= 172.24.2.0/255.255.255.0/0/0 (type=4),
=== message truncated ===
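An added check, written for this thread and not part of anyone's post, that lints the r2 fragments quoted above for the two mistakes Engelhard points out: an ipsec-manual crypto map entry with no session keys (so the IKE pre-shared key is never used and the SA has no keys, which is what the "keys missing" debug reports), and a crypto ACL that covers the link network the peer itself sits on. The config sample is constructed from the quoted r2 config, and the lint only understands the network/wildcard ACL form.

```python
import ipaddress

# Constructed sample: the crypto-relevant fragments of r2's quoted config.
R2_CONFIG = """\
crypto isakmp key prek1 address 172.24.2.2
crypto map im1 10 ipsec-manual
 set peer 172.24.2.2
 set transform-set tf1
 match address 101
access-list 101 permit ip 172.24.2.0 0.0.0.255 172.24.2.0 0.0.0.255 log
"""

def parse_blocks(config):
    """Split IOS config text into (header, [indented sub-lines]) blocks."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def lint_crypto(config):
    """Return findings for the two crypto map mistakes Engelhard pointed out."""
    blocks = parse_blocks(config)
    acl_src = {}  # ACL number -> source networks it permits (wildcard form only)
    for header, _ in blocks:
        p = header.split()  # access-list N permit PROTO SRC WILDCARD DST WILDCARD
        if p[0] == "access-list" and len(p) >= 6 and p[2] == "permit":
            acl_src.setdefault(p[1], set()).add(ipaddress.ip_network(f"{p[4]}/{p[5]}"))
    findings = []
    for header, body in blocks:
        p = header.split()
        if p[:2] != ["crypto", "map"] or not p[3].isdigit():
            continue  # skips e.g. "crypto map im1 local-address Serial0/0"
        name, mode = p[2], p[4]
        if mode == "ipsec-manual" and not any(s.startswith("set session-key") for s in body):
            findings.append(f"{name}: ipsec-manual runs no IKE, so the pre-shared key is unused "
                            "and the SA has no keys; use ipsec-isakmp (or set session-key)")
        peers = [ipaddress.ip_address(s.split()[2]) for s in body if s.startswith("set peer")]
        for acl in (s.split()[2] for s in body if s.startswith("match address")):
            for net in acl_src.get(acl, ()):
                if any(peer in net for peer in peers):
                    findings.append(f"{name}: crypto ACL {acl} matches the peer's own link "
                                    f"network {net}; list the LANs behind the routers instead")
    return findings
```

Running lint_crypto(R2_CONFIG) reports both problems; switching the entry to ipsec-isakmp and pointing ACL 101 at the LANs behind the routers clears them.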
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:57:13 GMT-3