Re: IPSec problem with manual keying

From: Vijay S Jayaraman (vjayaram@in.ibm.com)
Date: Fri Nov 15 2002 - 01:50:29 GMT-3


Hi Dan
I am trying to encrypt traffic between the loopbacks so I cannot give the
loopback as the peer...
My idea was that the local-address statement is necessary if I need to use multiple
interfaces with the crypto map statement... But I will give this a try.

Just for a clarification...
I need to have the SPI (greater than 256) common on inbound of R2 and
outbound of R4 and vice versa... Is there anything else I need to
consider for the SPI?

Regards,
Vijay.

                                                                                                                                       
                      Dan.Thorson@seaga
                      te.com To: Vijay S Jayaraman/India/IBM@IBMIN
                                               cc: ccielab@groupstudy.com, nobody@groupstudy.com
                      11/15/2002 01:17 Subject: Re: IPSec problem with manual keying
                      AM
                                                                                                                                       
                                                                                                                                       

Try adding
     crypto map CryMap local-address Loopback 99
on each router.

Also, shouldn't the peers be the Loopback IP's, and not the physical
interface IP's?

danT

========================================
Dan Thorson - Seagate Technology, LLC
desk +1 (952) 402-8293 fax +1 (952) 402-1007
SeaTel 8-402-8293
========================================

From: "Vijay S Jayaraman" <vjayaram@in.ibm.com>
Sent by: nobody@groupstudy.com
To: ccielab@groupstudy.com
cc:
Date: 11/14/2002 10:32 AM
Subject: IPSec problem with manual keying
Please respond to "Vijay S Jayaraman"

Hi,
I am having some trouble with IPSec when I use manual keying....

I have two routers R2 and R4 that are connected on a FR point-to-point link
and I have defined loopbacks 200.200.200.200 on R2 and 44.44.44.44 on
R4....
I wish to encrypt traffic from these two loopbacks...

When I originate an extended ping from R2 loopback to R4 Loopback, I am
able to establish IPSec SA and the ping goes through...
However when I clear the SA's and originate the traffic from R4 to R2 in
the reverse direction, I get a log message on R2 that the incoming SPI 300
from R4 is invalid....

I am not sure I understand why? Is there anything I am missing?
I have the same problem if I use any other transform like AH......

Also I find that the IPSec works like a dream when I use ISAKMP to
negotiate the keys....

Attached are the relevant configs....

R4
----
interface Loopback99
 ip address 44.44.44.44 255.255.255.0
!
crypto ipsec transform-set TR esp-des
!
crypto map CryMap 10 ipsec-manual
 set peer 135.1.2.2
 set session-key inbound esp 400 cipher 1234567890123456789012345678901234567890
 set session-key outbound esp 300 cipher 1234567890123456789012345678901234567890
 set transform-set TR
 match address 122
!
interface Serial0/1.2 point-to-point
 ip address 135.1.2.4 255.255.255.224
 frame-relay interface-dlci 42
 crypto map CryMap
!
access-list 122 permit ip host 44.44.44.44 host 200.200.200.200

R2
----
interface Loopback99
 ip address 200.200.200.200 255.255.255.0
!
crypto ipsec transform-set TR esp-des
!
crypto map CryMap 10 ipsec-manual
 set peer 135.1.2.4
 set session-key inbound esp 300 cipher 1234567890123456789012345678901234567890
 set session-key outbound esp 400 cipher 1234567890123456789012345678901234567890
 set transform-set TR
 match address 122
!
interface Serial0/0.4 point-to-point
 ip address 135.1.2.2 255.255.255.224
 no arp frame-relay
 frame-relay interface-dlci 42
 crypto map CryMap
!
access-list 122 permit ip host 200.200.200.200 host 44.44.44.44

I also have default routes pointing to each other's serial interface IPs.

Regards, Vijay.
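The cross-matching rule Vijay asks about, written out as a small checker: with ipsec-manual there is no negotiation, so one router's outbound SPI and key must be exactly the peer's inbound SPI and key (and vice versa), the SPI must lie in the IOS range 256..4294967295, and the crypto ACLs must be mirror images. This is an added example, not code from the thread; the two configs inside it are constructed to mirror the R2/R4 setup above (same SPIs, shorter keys), and the cipher-key length table is an assumption taken from the IOS `set session-key` reference.

```python
"""Cross-check a pair of Cisco IOS ipsec-manual crypto map entries.

Added example (not from the thread).  The configs below are constructed to
mirror the R2/R4 topology in the thread, with 16-hex-digit DES keys.
"""
import re

# IOS accepts a manual SPI in the range 256..4294967295.
SPI_MIN, SPI_MAX = 256, 0xFFFFFFFF

# Expected cipher-key length in hex digits (assumption taken from the IOS
# 'set session-key' reference: 16 for DES, 48 for 3DES).
CIPHER_KEY_HEX_LEN = {"esp-des": 16, "esp-3des": 48}

SESSION_KEY_RE = re.compile(r"\s*set session-key (inbound|outbound) (esp|ah) (\d+)\s*(.*)")


def parse_crypto_map(config):
    """Extract session keys, transform algorithms and the crypto ACL from one router's config."""
    info = {"keys": {}, "transforms": [], "acl": None}
    for line in config.splitlines():
        m = SESSION_KEY_RE.match(line)
        if m:
            direction, proto, spi, rest = m.groups()
            tokens = rest.split()
            # 'esp' keys are labelled (cipher ..., authenticator ...); an 'ah' key is bare.
            keys = {"authenticator": tokens[0]} if proto == "ah" and tokens else dict(zip(tokens[::2], tokens[1::2]))
            info["keys"][direction] = {"proto": proto, "spi": int(spi), "keys": keys}
            continue
        m = re.match(r"crypto ipsec transform-set \S+ (.*)", line)
        if m:
            info["transforms"] = m.group(1).split()
    m = re.search(r"match address (\d+)", config)
    if m:
        acl = re.search(rf"access-list {m.group(1)} permit ip host (\S+) host (\S+)", config)
        info["acl"] = acl.groups() if acl else None
    return info


def check_pair(name_a, cfg_a, name_b, cfg_b):
    """Return a list of problems; an empty list means the two sides agree."""
    sides = {name_a: parse_crypto_map(cfg_a), name_b: parse_crypto_map(cfg_b)}
    problems = []
    # Per-router sanity: both directions present, SPI in range, key length fits the transform.
    for name, info in sides.items():
        for direction in ("inbound", "outbound"):
            sa = info["keys"].get(direction)
            if sa is None:
                problems.append(f"{name}: no {direction} session key")
                continue
            if not SPI_MIN <= sa["spi"] <= SPI_MAX:
                problems.append(f"{name}: {direction} SPI {sa['spi']} outside {SPI_MIN}..{SPI_MAX}")
            for alg, hexlen in CIPHER_KEY_HEX_LEN.items():
                if alg in info["transforms"] and len(sa["keys"].get("cipher", "")) != hexlen:
                    problems.append(f"{name}: {direction} cipher key is not {hexlen} hex digits for {alg}")
    # Cross-check: A's outbound SA must be B's inbound SA, and the reverse.
    for out_name, in_name in ((name_a, name_b), (name_b, name_a)):
        out = sides[out_name]["keys"].get("outbound")
        inb = sides[in_name]["keys"].get("inbound")
        if out is None or inb is None:
            continue
        if (out["proto"], out["spi"]) != (inb["proto"], inb["spi"]):
            problems.append(f"{out_name} outbound {out['proto']} SPI {out['spi']} != {in_name} inbound {inb['proto']} SPI {inb['spi']}")
        elif out["keys"] != inb["keys"]:
            problems.append(f"{out_name} outbound key(s) differ from {in_name} inbound key(s) for SPI {out['spi']}")
    # The crypto ACLs must select the same flow from opposite ends.
    acl_a, acl_b = sides[name_a]["acl"], sides[name_b]["acl"]
    if acl_a and acl_b and acl_a != (acl_b[1], acl_b[0]):
        problems.append(f"crypto ACLs are not mirror images: {name_a} {acl_a} vs {name_b} {acl_b}")
    return problems


# Constructed configs (not the thread's keys): R4 sends on SPI 300 and receives on SPI 400.
R4_CFG = """\
crypto ipsec transform-set TR esp-des
crypto map CryMap 10 ipsec-manual
 set peer 135.1.2.2
 set session-key inbound esp 400 cipher 0123456789abcdef
 set session-key outbound esp 300 cipher fedcba9876543210
 set transform-set TR
 match address 122
access-list 122 permit ip host 44.44.44.44 host 200.200.200.200
"""

R2_CFG = """\
crypto ipsec transform-set TR esp-des
crypto map CryMap 10 ipsec-manual
 set peer 135.1.2.4
 set session-key inbound esp 300 cipher fedcba9876543210
 set session-key outbound esp 400 cipher 0123456789abcdef
 set transform-set TR
 match address 122
access-list 122 permit ip host 200.200.200.200 host 44.44.44.44
"""

# Same as R2 with the inbound SPI mistyped: ESP from R4 on SPI 300 would then be an unknown SPI on R2.
R2_BAD_CFG = R2_CFG.replace("inbound esp 300", "inbound esp 350")

if __name__ == "__main__":
    for label, cfg in (("good", R2_CFG), ("bad", R2_BAD_CFG)):
        print(label, check_pair("R4", R4_CFG, "R2", cfg) or "OK")
```

Run it against the two routers' running configs (only the transform-set, crypto map and crypto ACL lines matter) before clearing SAs; a non-empty list pinpoints which direction's SPI or key does not line up.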



This archive was generated by hypermail 2.1.4 : Tue Dec 03 2002 - 07:23:00 GMT-3