Re: TED

From: Jaspreet Bhatia (jasbhati@xxxxxxxxx)
Date: Tue Apr 09 2002 - 17:00:39 GMT-3


   
Hello Ted,

Router B is running

IOS (tm) 3600 Software (C3620-JK9S-M), Version 12.2(7b),

Router A is running

IOS (tm) C2600 Software (C2600-JS56I-M), Version 12.1(13)

Thanks

Jaspreet

At 12:47 PM 4/9/2002 -0700, Gregg Malcolm wrote:
>What IOS version are you running on these routers ?
>----- Original Message -----
>From: "Jaspreet Bhatia" <jasbhati@cisco.com>
>To: "Gregg Malcolm" <greggm@sbcglobal.net>
>Cc: <ccielab@groupstudy.com>
>Sent: Tuesday, April 09, 2002 10:19 AM
>Subject: Re: TED
>
>
> > Hello Ted,
> > I have gotten TED to work at my end . Here are
> > the working configs
> >
> > ROUTER A
> >
> > RouterA#sh run
> > Building configuration...
> >
> > Current configuration : 1222 bytes
> > !
> > version 12.1
> > service timestamps debug uptime
> > service timestamps log uptime
> > no service password-encryption
> > !
> > hostname RouterA
> > !
> > !
> > !
> > !
> > !
> > !
> > ip subnet-zero
> > !
> > !
> > !
> > crypto isakmp policy 1
> >  hash md5
> >  authentication pre-share
> >  group 2
> > crypto isakmp key cisco address 0.0.0.0
> > !
> > !
> > crypto ipsec transform-set myset esp-des esp-md5-hmac
> > !
> > crypto dynamic-map dynamicmap 10
> >  set transform-set myset
> >  match address 101
> > !
> > !
> > crypto map map1 10 ipsec-isakmp dynamic dynamicmap discover
> > !
> > !
> > !
> > !
> > !
> > !
> > interface Ethernet0/0
> >  ip address 135.25.1.1 255.255.255.252
> >  crypto map map1
> > !
> > interface Ethernet0/1
> >  ip address 135.25.3.1 255.255.255.0
> >  no keepalive
> > !
> > interface BRI1/0
> >  no ip address
> >  shutdown
> > !
> > interface BRI1/1
> >  no ip address
> >  shutdown
> > !
> > interface BRI1/2
> >  no ip address
> >  shutdown
> > !
> > interface BRI1/3
> >  no ip address
> >  shutdown
> > !
> > interface BRI1/4
> >  no ip address
> >  shutdown
> > !
> > interface BRI1/5
> >  no ip address
> >  shutdown
> > !
> > interface BRI1/6
> >  no ip address
> >  shutdown
> > !
> > interface BRI1/7
> >  no ip address
> >  shutdown
> > !
> > router ospf 1
> >  log-adjacency-changes
> >  network 135.25.0.0 0.0.255.255 area 0
> > !
> > ip classless
> > ip http server
> > !
> > access-list 101 permit ip 135.25.3.0 0.0.0.255 135.25.4.0 0.0.0.255
> > !
> > !
> > !
> > line con 0
> > line aux 0
> > line vty 0 4
> > !
> > end
> >
> >
> >
> > ROUTER B
> >
> > RouterB#sh run
> > Building configuration...
> >
> > Current configuration : 1379 bytes
> > !
> > version 12.2
> > service timestamps debug uptime
> > service timestamps log uptime
> > no service password-encryption
> > !
> > hostname RouterB
> > !
> > !
> > ip subnet-zero
> > !
> > !
> > !
> > ip ssh time-out 120
> > ip ssh authentication-retries 3
> > !
> > crypto isakmp policy 1
> >  hash md5
> >  authentication pre-share
> >  group 2
> > crypto isakmp key cisco address 0.0.0.0 0.0.0.0
> > !
> > !
> > crypto ipsec transform-set myset esp-des esp-md5-hmac
> > !
> > crypto dynamic-map dynamicmap 10
> >  set transform-set myset
> >  match address 101
> > !
> > !
> > crypto map mymap 10 ipsec-isakmp dynamic dynamicmap discover
> > !
> > call rsvp-sync
> > !
> > !
> > !
> > !
> > !
> > !
> > !
> > !
> > interface Ethernet0/0
> >  ip address 135.25.1.2 255.255.255.252
> >  half-duplex
> >  crypto map mymap
> > !
> > interface TokenRing0/0
> >  ip address 135.25.4.1 255.255.255.0
> >  ring-speed 16
> > !
> > interface Serial1/0
> >  no ip address
> >  shutdown
> > !
> > interface Serial1/1
> >  no ip address
> >  shutdown
> > !
> > interface Serial1/2
> >  no ip address
> >  shutdown
> > !
> > interface Serial1/3
> >  no ip address
> >  shutdown
> > !
> > interface Serial1/4
> >  no ip address
> >  shutdown
> > !
> > interface Serial1/5
> >  no ip address
> >  shutdown
> > !
> > interface Serial1/6
> >  no ip address
> >  shutdown
> > !
> > interface Serial1/7
> >  no ip address
> >  shutdown
> > !
> > router ospf 1
> >  log-adjacency-changes
> >  network 135.25.0.0 0.0.255.255 area 0
> > !
> > ip classless
> > ip http server
> > ip pim bidir-enable
> > !
> > access-list 101 permit ip 135.25.4.0 0.0.0.255 135.25.3.0 0.0.0.255
> > !
> > !
> > dial-peer cor custom
> > !
> > !
> > !
> > !
> > !
> > line con 0
> > line aux 0
> > line vty 0 4
> > !
> > end
> >
> >
> > Hope this helps
> >
> > Jaspreet
> >
> >
> >
> > At 12:46 AM 4/9/2002 -0700, Gregg Malcolm wrote:
> > >Folks,
> > >
> > >Does anyone have a working example of TED ? I haven't seen it mentioned much
> > >on the list, but I wanted to make sure that I can get it to work. I browsed
> > >the archives and found a similar symptom to mine but no solution. My problem
> > >is that 'debug cry ipsec' gives me the following error : IPSEC(sa_initiate):
> > >ACL = deny; sa request ignored. I do not believe that my problem is ACL
> > >related however. Also, I can ping between the serials and I am trying to secure
> > >the tok0 on r1 and the e0 on r6.
> > >
> > >I can make the configs work w/o TED. Maybe someone has experienced something
> > >similar. Here are the 2 router configs :
> > >
> > >Thanks, Gregg
> > >
> > >r1
> > >wrt
> > >
> > >!
> > >crypto isakmp policy 10
> > > authentication pre-share
> > >crypto isakmp key abc123 address 0.0.0.0 0.0.0.0
> > >!
> > >crypto ipsec transform-set secure1 esp-des esp-md5-hmac
> > >!
> > >crypto dynamic-map dyn 10
> > > set transform-set secure1
> > > match address 101
> > >!
> > >crypto map secure 500 ipsec-isakmp dynamic dyn discover
> > >!
> > >interface Serial1
> > > ip address 150.20.12.1 255.255.255.0
> > > crypto map secure
> > >!
> > >interface TokenRing0
> > > ip address 150.20.10.1 255.255.255.0
> > > ring-speed 16
> > >!
> > >access-list 101 permit ip 150.20.10.0 0.0.0.255 150.20.50.0 0.0.0.255
> > >access-list 101 permit icmp 150.20.10.0 0.0.0.255 150.20.50.0 0.0.0.255
> > >
> > >R6
> > >
> > >r6#wrt
> > >
> > >!
> > >crypto isakmp policy 10
> > > authentication pre-share
> > >crypto isakmp key abc123 address 0.0.0.0 0.0.0.0
> > >!
> > >crypto ipsec transform-set secure1 esp-des esp-md5-hmac
> > >!
> > >crypto dynamic-map dyn 10
> > > set transform-set secure1
> > > match address 101
> > >!
> > >crypto map secure 500 ipsec-isakmp dynamic dyn discover
> > >!
> > >interface Serial0
> > > ip address 150.20.100.6 255.255.255.224
> > > encapsulation frame-relay
> > > ip ospf network broadcast
> > > ip ospf priority 0
> > > ipx network 100
> > > ipx output-network-filter 801
> > > no fair-queue
> > > clockrate 2000000
> > > dce-terminal-timing-enable
> > > frame-relay map ipx 100.0010.7b7f.5b9a 601 broadcast
> > > frame-relay map ipx 100.0060.476c.3e3c 601 broadcast
> > > frame-relay map ip 150.20.100.2 601 broadcast
> > > frame-relay map ip 150.20.100.4 601 broadcast
> > > frame-relay map ip 150.20.100.5 601 broadcast
> > > frame-relay map ipx 100.0000.0c87.05ca 601 broadcast
> > > frame-relay lmi-type ansi
> > > crypto map secure
> > >!
> > >access-list 101 permit ip 150.20.50.0 0.0.0.255 150.20.10.0 0.0.0.255
> > >access-list 101 permit icmp 150.20.50.0 0.0.0.255 150.20.10.0 0.0.0.255
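
An added example, not part of the original messages: a Python check run against constructed excerpts of the RouterA and RouterB configs quoted above. It verifies that the peers' crypto access-list 101 entries mirror each other and lists the lab-grade settings present (wildcard pre-shared key, DES, MD5, HTTP server). The function names and the finding descriptions are assumptions of this example.

```python
import re

# Constructed excerpts: crypto-relevant lines of the RouterA config quoted
# above, and RouterB's crypto access-list.
ROUTER_A = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynamicmap 10
 set transform-set myset
 match address 101
crypto map map1 10 ipsec-isakmp dynamic dynamicmap discover
ip http server
access-list 101 permit ip 135.25.3.0 0.0.0.255 135.25.4.0 0.0.0.255
"""
ROUTER_B = "access-list 101 permit ip 135.25.4.0 0.0.0.255 135.25.3.0 0.0.0.255\n"

# Only the "permit <proto> <net> <wildcard> <net> <wildcard>" form used in
# this thread is parsed; "host" and "any" keywords are not handled.
ACL_RE = re.compile(r"^access-list (\d+) permit (\S+) (\S+) (\S+) (\S+) (\S+)\s*$", re.M)

# Hypothetical finding list for this example: (pattern, description).
WEAK = [
    (r"^crypto isakmp key \S+ address 0\.0\.0\.0\b", "wildcard pre-shared key"),
    (r"\besp-des\b", "single DES for ESP encryption"),
    (r"\besp-md5-hmac\b|^\s*hash md5", "MD5 for integrity"),
    (r"^ip http server", "HTTP server enabled"),
]

def crypto_acl(config, number="101"):
    """Return the set of (proto, src, src_wild, dst, dst_wild) permit entries."""
    return {m.groups()[1:] for m in ACL_RE.finditer(config) if m.group(1) == number}

def mirrored(cfg_a, cfg_b, number="101"):
    """True when each permit on one peer appears source/destination-swapped on the other."""
    a, b = crypto_acl(cfg_a, number), crypto_acl(cfg_b, number)
    return bool(a) and a == {(p, d, dw, s, sw) for (p, s, sw, d, dw) in b}

def audit(config):
    """Return descriptions of the weak settings present in the config."""
    return [msg for pat, msg in WEAK if re.search(pat, config, re.M)]

if __name__ == "__main__":
    print("ACL 101 mirrored:", mirrored(ROUTER_A, ROUTER_B))
    for finding in audit(ROUTER_A):
        print("finding:", finding)
```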



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:58:01 GMT-3