From: Gregg Malcolm (greggm@xxxxxxxxxxxxx)
Date: Tue Apr 09 2002 - 16:47:53 GMT-3
What IOS version are you running on these routers?
----- Original Message -----
From: "Jaspreet Bhatia" <jasbhati@cisco.com>
To: "Gregg Malcolm" <greggm@sbcglobal.net>
Cc: <ccielab@groupstudy.com>
Sent: Tuesday, April 09, 2002 10:19 AM
Subject: Re: TED
> Hello Ted,
> I have gotten TED to work at my end. Here are
> the working configs
>
> ROUTER A
>
> RouterA#sh run
> Building configuration...
>
> Current configuration : 1222 bytes
> !
> version 12.1
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname RouterA
> !
> !
> !
> !
> !
> !
> ip subnet-zero
> !
> !
> !
> crypto isakmp policy 1
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key cisco address 0.0.0.0
> !
> !
> crypto ipsec transform-set myset esp-des esp-md5-hmac
> !
> crypto dynamic-map dynamicmap 10
> set transform-set myset
> match address 101
> !
> !
> crypto map map1 10 ipsec-isakmp dynamic dynamicmap discover
> !
> !
> !
> !
> !
> !
> interface Ethernet0/0
> ip address 135.25.1.1 255.255.255.252
> crypto map map1
> !
> interface Ethernet0/1
> ip address 135.25.3.1 255.255.255.0
> no keepalive
> !
> interface BRI1/0
> no ip address
> shutdown
> !
> interface BRI1/1
> no ip address
> shutdown
> !
> interface BRI1/2
> no ip address
> shutdown
> !
> interface BRI1/3
> no ip address
> shutdown
> !
> interface BRI1/4
> no ip address
> shutdown
> !
> interface BRI1/5
> no ip address
> shutdown
> !
> interface BRI1/6
> no ip address
> shutdown
> !
> interface BRI1/7
> no ip address
> shutdown
> !
> router ospf 1
> log-adjacency-changes
> network 135.25.0.0 0.0.255.255 area 0
> !
> ip classless
> ip http server
> !
> access-list 101 permit ip 135.25.3.0 0.0.0.255 135.25.4.0 0.0.0.255
> !
> !
> !
> line con 0
> line aux 0
> line vty 0 4
> !
> end
>
>
>
> ROUTER B
>
> RouterB#sh run
> Building configuration...
>
> Current configuration : 1379 bytes
> !
> version 12.2
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname RouterB
> !
> !
> ip subnet-zero
> !
> !
> !
> ip ssh time-out 120
> ip ssh authentication-retries 3
> !
> crypto isakmp policy 1
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
> !
> !
> crypto ipsec transform-set myset esp-des esp-md5-hmac
> !
> crypto dynamic-map dynamicmap 10
> set transform-set myset
> match address 101
> !
> !
> crypto map mymap 10 ipsec-isakmp dynamic dynamicmap discover
> !
> call rsvp-sync
> !
> !
> !
> !
> !
> !
> !
> !
> interface Ethernet0/0
> ip address 135.25.1.2 255.255.255.252
> half-duplex
> crypto map mymap
> !
> interface TokenRing0/0
> ip address 135.25.4.1 255.255.255.0
> ring-speed 16
> !
> interface Serial1/0
> no ip address
> shutdown
> !
> interface Serial1/1
> no ip address
> shutdown
> !
> interface Serial1/2
> no ip address
> shutdown
> !
> interface Serial1/3
> no ip address
> shutdown
> !
> interface Serial1/4
> no ip address
> shutdown
> !
> interface Serial1/5
> no ip address
> shutdown
> !
> interface Serial1/6
> no ip address
> shutdown
> !
> interface Serial1/7
> no ip address
> shutdown
> !
> router ospf 1
> log-adjacency-changes
> network 135.25.0.0 0.0.255.255 area 0
> !
> ip classless
> ip http server
> ip pim bidir-enable
> !
> access-list 101 permit ip 135.25.4.0 0.0.0.255 135.25.3.0 0.0.0.255
> !
> !
> dial-peer cor custom
> !
> !
> !
> !
> !
> line con 0
> line aux 0
> line vty 0 4
> !
> end
>
>
> Hope this helps
>
> Jaspreet
>
>
>
> At 12:46 AM 4/9/2002 -0700, Gregg Malcolm wrote:
> >Folks,
> >
> >Does anyone have a working example of TED? I haven't seen it mentioned much
> >on the list, but I wanted to make sure that I can get it to work. I browsed
> >the archives and found a similar symptom to mine but no solution. My problem
> >is that 'debug cry ipsec' gives me the following error: IPSEC(sa_initiate):
> >ACL = deny; sa request ignored. I do not believe that my problem is ACL
> >related however. Also, I can ping between the serials and I am trying to secure
> >the tok0 on r1 and the e0 on r6.
> >
> >I can make the configs work w/o TED. Maybe someone has experienced something
> >similar. Here are the 2 router configs:
> >
> >Thanks, Gregg
> >
> >r1
> >wrt
> >
> >!
> >crypto isakmp policy 10
> > authentication pre-share
> >crypto isakmp key abc123 address 0.0.0.0 0.0.0.0
> >!
> >crypto ipsec transform-set secure1 esp-des esp-md5-hmac
> >!
> >crypto dynamic-map dyn 10
> > set transform-set secure1
> > match address 101
> >!
> >crypto map secure 500 ipsec-isakmp dynamic dyn discover
> >!
> >interface Serial1
> > ip address 150.20.12.1 255.255.255.0
> > crypto map secure
> >!
> >interface TokenRing0
> > ip address 150.20.10.1 255.255.255.0
> > ring-speed 16
> >!
> >access-list 101 permit ip 150.20.10.0 0.0.0.255 150.20.50.0 0.0.0.255
> >access-list 101 permit icmp 150.20.10.0 0.0.0.255 150.20.50.0 0.0.0.255
> >
> >R6
> >
> >r6#wrt
> >
> >!
> >crypto isakmp policy 10
> > authentication pre-share
> >crypto isakmp key abc123 address 0.0.0.0 0.0.0.0
> >!
> >crypto ipsec transform-set secure1 esp-des esp-md5-hmac
> >!
> >crypto dynamic-map dyn 10
> > set transform-set secure1
> > match address 101
> >!
> >crypto map secure 500 ipsec-isakmp dynamic dyn discover
> >!
> >interface Serial0
> > ip address 150.20.100.6 255.255.255.224
> > encapsulation frame-relay
> > ip ospf network broadcast
> > ip ospf priority 0
> > ipx network 100
> > ipx output-network-filter 801
> > no fair-queue
> > clockrate 2000000
> > dce-terminal-timing-enable
> > frame-relay map ipx 100.0010.7b7f.5b9a 601 broadcast
> > frame-relay map ipx 100.0060.476c.3e3c 601 broadcast
> > frame-relay map ip 150.20.100.2 601 broadcast
> > frame-relay map ip 150.20.100.4 601 broadcast
> > frame-relay map ip 150.20.100.5 601 broadcast
> > frame-relay map ipx 100.0000.0c87.05ca 601 broadcast
> > frame-relay lmi-type ansi
> > crypto map secure
> >!
> >access-list 101 permit ip 150.20.50.0 0.0.0.255 150.20.10.0 0.0.0.255
> >access-list 101 permit icmp 150.20.50.0 0.0.0.255 150.20.10.0 0.0.0.255
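
Added example, not part of the original thread or written by its posters: a Python check that the crypto ACLs referenced by `match address` on two peers are mirror images of each other, plus a list of the settings in these configs that a reviewer would flag today. The sample strings are abridged from the RouterA/RouterB configs quoted above; `ROUTER_BAD` and all function names are constructed for illustration.

```python
import re

# Constructed input: crypto-relevant lines abridged from the RouterA/RouterB configs in this thread.
COMMON = """crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynamicmap 10
 set transform-set myset
 match address 101
"""
ROUTER_A = COMMON + "access-list 101 permit ip 135.25.3.0 0.0.0.255 135.25.4.0 0.0.0.255\n"
ROUTER_B = COMMON + "access-list 101 permit ip 135.25.4.0 0.0.0.255 135.25.3.0 0.0.0.255\n"
# Constructed mismatch (not from the thread): the peer names a different remote subnet.
ROUTER_BAD = COMMON + "access-list 101 permit ip 135.25.4.0 0.0.0.255 135.25.5.0 0.0.0.255\n"

# Handles only the "src wildcard dst wildcard" ACE form used in the thread (no host/any/ports).
ACE = re.compile(r"^access-list (\d+) (permit|deny) (\S+) (\S+) (\S+) (\S+) (\S+)\s*$", re.M)

def crypto_aces(config):
    """ACEs of every ACL referenced by a 'match address N' line."""
    acls = set(re.findall(r"^\s*match address (\d+)\s*$", config, re.M))
    return {ace[1:] for ace in ACE.findall(config) if ace[0] in acls}

def mirror(ace):
    """Swap source and destination of one ACE."""
    action, proto, src, src_wc, dst, dst_wc = ace
    return (action, proto, dst, dst_wc, src, src_wc)

def unmirrored(local, remote):
    """Local crypto ACEs that have no mirror-image entry on the remote peer."""
    remote_aces = crypto_aces(remote)
    return sorted(a for a in crypto_aces(local) if mirror(a) not in remote_aces)

def weak_settings(config):
    """Settings present in these configs that a reviewer would flag today."""
    checks = [
        (r"^crypto isakmp key \S+ address 0\.0\.0\.0(\s|$)", "pre-shared key accepted from any peer"),
        (r"\besp-des\b", "single DES encryption"),
        (r"\besp-md5-hmac\b|^\s*hash md5\s*$", "MD5 integrity/hash"),
    ]
    return [label for pattern, label in checks if re.search(pattern, config, re.M)]

if __name__ == "__main__":
    print("A vs B unmirrored:  ", unmirrored(ROUTER_A, ROUTER_B))
    print("A vs BAD unmirrored:", unmirrored(ROUTER_A, ROUTER_BAD))
    print("Flagged settings:   ", weak_settings(ROUTER_A))
```
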