IPSec over BRI line - small buffer overflow problem

From: . . (hsm_p@hotmail.com)
Date: Tue Oct 08 2002 - 16:18:19 GMT-3


Has anyone been able to perform IPSec over a BRI line? I can configure IPSec over
Serial or Ethernet but not on a BRI line. It complains about the small
buffer size. I am using pre-shared keying and the IOS is
c2600-jk8o3s-mz.122-5.bin

*Mar 1 00:52:06: IPSEC(encapsulate): encaps area too small, moving to new
buffer:
idbtype 0, encaps_size 84, header size 36, avail 84
*Mar 1 00:52:26: ISAKMP (0:1): purging node 1121848727

///////////////////////////////////////////////////////////

The related config is as shown (I am confident that this is correct)

isdn switch-type basic-ni
!
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key abcd address 145.45.45.5
!
!
crypto ipsec transform-set my_set esp-des
!
crypto map my_map 10 ipsec-isakmp
 set peer 145.45.45.5
 set transform-set my_set
 match address encrypted_traffic
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.0
!
interface BRI0
 crypto map my_map
!
ip access-list extended encrypted_traffic
 permit ip 145.45.45.0 0.0.0.255 145.45.45.0 0.0.0.255
 permit ip 4.4.4.0 0.0.0.255 5.5.5.0 0.0.0.255
 deny ip any any

///////////////////////////////////////////////////////////
Here is the entire debug (both IPSec and ISAKMP)

*Mar 1 00:51:36: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 145.45.45.5, remote= 145.45.45.4,
    local_proxy= 145.45.45.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 145.45.45.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des ,
    lifedur= 3600s and 4608000kb,
    spi= 0x980E50B2(2551074994), conn_id= 0, keysize= 0, flags= 0x400C
*Mar 1 00:51:36: ISAKMP: received ke message (1/1)
*Mar 1 00:51:36: ISAKMP (0:1): sitting IDLE. Starting QM immediately
(QM_IDLE )
*Mar 1 00:51:36: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of
1121848727
*Mar 1 00:51:36: ISAKMP (0:1): sending packet to 145.45.45.4 (R) QM_IDLE
*Mar 1 00:51:36: ISAKMP (0:1): received packet from 145.45.45.4 (R) QM_IDLE
*Mar 1 00:51:36: ISAKMP (0:1): processing HASH payload. message ID =
1121848727
*Mar 1 00:51:36: ISAKMP (0:1): processing SA payload. message ID =
1121848727
*Mar 1 00:51:36: ISAKMP (0:1): Checking IPSec proposal 1
*Mar 1 00:51:36: ISAKMP: transform 1, ESP_DES
*Mar 1 00:51:36: ISAKMP: attributes in transform:
*Mar 1 00:51:36: ISAKMP: encaps is 1
*Mar 1 00:51:36: ISAKMP: SA life type in seconds
*Mar 1 00:51:36: ISAKMP: SA life duration (basic) of 3600
*Mar 1 00:51:36: ISAKMP: SA life type in kilobytes
*Mar 1 00:51:36: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Mar 1 00:51:36: ISAKMP (0:1): atts are acceptable.
*Mar 1 00:51:36: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 145.45.45.5, remote= 145.45.45.4,
    local_proxy= 145.45.45.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 145.45.45.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
*Mar 1 00:51:36: ISAKMP (0:1): processing NONCE payload. message ID .=
1121848727
*Mar 1 00:51:36: ISAKMP (0:1): processing ID payload. message ID =
1121848727
*Mar 1 00:51:36: ISAKMP (0:1): processing ID payload. message ID =
1121848727
*Mar 1 00:51:36: ISAKMP (0:1): Creating IPSec SAs
*Mar 1 00:51:36: inbound SA from 145.45.45.4 to 145.45.45.5
        (proxy 145.45.45.0 to 145.45.45.0)
*Mar 1 00:51:36: has spi 0x980E50B2 and conn_id 2002 and flags 4
*Mar 1 00:51:36: lifetime of 3600 seconds
*Mar 1 00:51:36: lifetime of 4608000 kilobytes
*Mar 1 00:51:36: outbound SA from 145.45.45.5 to 145.45.45.4
  (proxy 145.45.45.0 to 145.45.45.0 )
*Mar 1 00:51:36: has spi 355667570 and conn_id 2003 and flags C
*Mar 1 00:51:36: lifetime of 3600 seconds
*Mar 1 00:51:36: lifetime of 4608000 kilobytes
*Mar 1 00:51:36: ISAKMP (0:1): sending packet to 145.45.45.4 (R) QM_IDLE
*Mar 1 00:51:36: ISAKMP (0:1): deleting node 1121848727 error FALSE reason
""
*Mar 1 00:51:36: IPSEC(key_engine): got a queue event...
*Mar 1 00:51:36: IPSEC(initialize_sas): ,
  (key eng. msg.) INBOUND local= 145.45.45.5, remote= 145.45.45.4,
    local_proxy= 145.45.45.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 145.45.45.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des ,
    lifedur= 3600s and 4608000kb,
    spi= 0x980E50B2(2551074994), conn_id= 2002, keysize= 0, flags= 0x4
*Mar 1 00:51:36: IPSEC(initialize_sas): ,
  (key eng. msg.) OUTBOUND local= 145.45.45.5, remote= 145.45.45.4,
    local_proxy= 145.45.45.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 145.45.45.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des ,
    lifedur= 3600s and 4608000kb,
    spi= 0x15330E72.(355667570), conn_id= 2003, keysize= 0, flags= 0xC
*Mar 1 00:51:36: IPSEC(create_sa): sa created,
  (sa) sa_dest= 145.45.45.5, sa_prot= 50,
    sa_spi= 0x980E50B2(2551074994),
    sa_trans= esp-des , sa_conn_id= 2002
*Mar 1 00:51:36: IPSEC(create_sa): sa created,
  (sa) sa_dest= 145.45.45.4, sa_prot= 50,
    sa_spi= 0x15330E72(355667570),
    sa_trans= esp-des , sa_conn_id= 2003...



This archive was generated by hypermail 2.1.4 : Tue Nov 05 2002 - 08:35:42 GMT-3