Re: IPSec problem with manual keying

From: Dan.Thorson@seagate.com
Date: Thu Nov 14 2002 - 16:47:00 GMT-3


Try adding
     crypto map CryMap local-address Loopback 99
on each router.

Also, shouldn't the peers be the Loopback IPs, and not the physical
interface IPs?

danT

========================================
Dan Thorson - Seagate Technology, LLC
desk +1 (952) 402-8293 fax +1 (952) 402-1007
SeaTel 8-402-8293
========================================

From: "Vijay S Jayaraman" <vjayaram@in.ibm.com>
Sent by: nobody@groupstudy.com
To: ccielab@groupstudy.com
cc:
Subject: IPSec problem with manual keying
Date: 11/14/2002 10:32 AM
Please respond to "Vijay S Jayaraman"

Hi,
I am having some trouble with IPSec when I use manual keying....

I have two routers R2 and R4 that are connected on a FR point-to-point link
and I have defined loopbacks 200.200.200.200 on R2 and 44.44.44.44 on
R4....
I wish to encrypt traffic from these two loopbacks...

When I originate an extended ping from R2 loopback to R4 Loopback, I am
able to establish IPSec SA and the ping goes through...
However when I clear the SA's and originate the traffic from R4 to R2 in
the reverse direction, I get a log message on R2 that the incoming SPI 300
from R4 is invalid....

I am not sure I understand why? Is there anything I am missing?
I have the same problem if I use any other transform like AH......

Also I find that the IPSec works like a dream when I use ISAKMP to
negotiate the keys....

Attached are the relevant configs....

R4

----
interface Loopback99
 ip address 44.44.44.44 255.255.255.0

crypto ipsec transform-set TR esp-des
!
crypto map CryMap 10 ipsec-manual
 set peer 135.1.2.2
 set session-key inbound esp 400 cipher 1234567890123456789012345678901234567890
 set session-key outbound esp 300 cipher 1234567890123456789012345678901234567890
 set transform-set TR
 match address 122
!
interface Serial0/1.2 point-to-point
 ip address 135.1.2.4 255.255.255.224
 frame-relay interface-dlci 42
 crypto map CryMap

access-list 122 permit ip host 44.44.44.44 host 200.200.200.200

R2

----
interface Loopback99
 ip address 200.200.200.200 255.255.255.0

crypto ipsec transform-set TR esp-des
!
crypto map CryMap 10 ipsec-manual
 set peer 135.1.2.4
 set session-key inbound esp 300 cipher 1234567890123456789012345678901234567890
 set session-key outbound esp 400 cipher 1234567890123456789012345678901234567890
 set transform-set TR
 match address 122
!
interface Serial0/0.4 point-to-point
 ip address 135.1.2.2 255.255.255.224
 no arp frame-relay
 frame-relay interface-dlci 42
 crypto map CryMap

access-list 122 permit ip host 200.200.200.200 host 44.44.44.44

I also have default routes pointing to each other's serial interface IPs.

Regards, Vijay.
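A consistency check for a pair of manual-keyed configs like the two above, added here as an illustration and not part of either post: it parses each router's ipsec-manual crypto map and verifies that one side's outbound SPI and key equal the other side's inbound SPI and key, that `set peer` names the address of the other side's crypto-mapped interface, and that the crypto ACLs are mirror images. The config strings are constructed from the snippets in the post (trimmed to the relevant lines), and the regexes assume the IOS line forms shown there.

```python
import re

# Constructed from the two ipsec-manual snippets in the post (trimmed to the relevant lines).
R4 = """crypto map CryMap 10 ipsec-manual
 set peer 135.1.2.2
 set session-key inbound esp 400 cipher 1234567890123456789012345678901234567890
 set session-key outbound esp 300 cipher 1234567890123456789012345678901234567890
 match address 122
interface Serial0/1.2 point-to-point
 ip address 135.1.2.4 255.255.255.224
 crypto map CryMap
access-list 122 permit ip host 44.44.44.44 host 200.200.200.200
"""
R2 = """crypto map CryMap 10 ipsec-manual
 set peer 135.1.2.4
 set session-key inbound esp 300 cipher 1234567890123456789012345678901234567890
 set session-key outbound esp 400 cipher 1234567890123456789012345678901234567890
 match address 122
interface Serial0/0.4 point-to-point
 ip address 135.1.2.2 255.255.255.224
 no arp frame-relay
 crypto map CryMap
access-list 122 permit ip host 200.200.200.200 host 44.44.44.44
"""

def parse_manual_map(cfg):
    """Fields a manual-keyed SA depends on: peer, local address, per-direction (SPI, key), ACL hosts."""
    sa = {d: (int(spi), key) for d, spi, key in re.findall(
        r"set session-key (inbound|outbound) esp (\d+) cipher (\S+)", cfg)}
    acl_no = re.search(r"match address (\d+)", cfg).group(1)
    acl = re.search(rf"^access-list {acl_no} permit ip host (\S+) host (\S+)", cfg, re.M)
    # address of the interface the crypto map is applied to (lines between are skipped lazily)
    local = re.search(r"\n ip address (\S+) \S+\n(?: [^\n]*\n)*? crypto map \S+", cfg)
    return {"peer": re.search(r"set peer (\S+)", cfg).group(1),
            "local": local.group(1), "in": sa["inbound"], "out": sa["outbound"],
            "acl": (acl.group(1), acl.group(2))}

def check_pair(a, b):
    """Return mismatches between two manual-keyed peers; [] means the pair is consistent."""
    problems = []
    for x, y in ((a, b), (b, a)):
        if x["peer"] != y["local"]:
            problems.append(f"{x['local']} peers with {x['peer']}, not {y['local']}")
        if x["out"][0] != y["in"][0]:
            problems.append(f"outbound SPI {x['out'][0]} on {x['local']} != inbound SPI {y['in'][0]} on {y['local']}")
        elif x["out"][1] != y["in"][1]:
            problems.append(f"key mismatch for SPI {x['out'][0]}")
        if x["acl"] != y["acl"][::-1]:
            problems.append(f"crypto ACL on {x['local']} does not mirror {y['local']}")
    return problems
```

Run against the post's two configs the check returns an empty list, which is why the SPI/key pairing itself is not the obvious culprit here; edit one SPI on either side and the mismatch is reported by direction and address.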



This archive was generated by hypermail 2.1.4 : Tue Dec 03 2002 - 07:23:00 GMT-3