Re: IPSec problem with manual keying

From: jl yan (yanjunling@hotmail.com)
Date: Fri Nov 15 2002 - 02:45:34 GMT-3


I think you should set transparent mode manually, not tunnel mode by default

>From: "Vijay S Jayaraman" <vjayaram@in.ibm.com>
>Reply-To: "Vijay S Jayaraman" <vjayaram@in.ibm.com>
>To: ccielab@groupstudy.com
>Subject: IPSec problem with manual keying
>Date: Thu, 14 Nov 2002 22:02:16 +0530
>
>Hi,
>I am having some trouble with IPSec when I use manual keying....
>
>I have two routers R2 and R4 that are connected on a FR point-to-point link
>and I have defined loopbacks 200.200.200.200 on R2 and 44.44.44.44 on
>R4....
>I wish to encrypt traffic from these two loopbacks...
>
>When I originate an extended ping from R2 loopback to R4 Loopback, I am
>able to establish IPSec SA and the ping goes through...
>However when I clear the SAs and originate the traffic from R4 to R2 in
>the reverse direction, I get a log message on R2 that the incoming SPI 300
>from R4 is invalid....
>
>I am not sure I understand why? Is there anything I am missing?
>I have the same problem if I use any other transform like AH......
>
>Also I find that the IPSec works like a dream when I use ISAKMP to
>negotiate the keys....
>
>
>Attached are the relevant configs....
>
>R4
>----
>interface Loopback99
> ip address 44.44.44.44 255.255.255.0
>
>crypto ipsec transform-set TR esp-des
>!
>crypto map CryMap 10 ipsec-manual
> set peer 135.1.2.2
> set session-key inbound esp 400 cipher 1234567890123456789012345678901234567890
> set session-key outbound esp 300 cipher 1234567890123456789012345678901234567890
> set transform-set TR
> match address 122
>!
>interface Serial0/1.2 point-to-point
> ip address 135.1.2.4 255.255.255.224
> frame-relay interface-dlci 42
> crypto map CryMap
>
>access-list 122 permit ip host 44.44.44.44 host 200.200.200.200
>
>
>R2
>----
>interface Loopback99
> ip address 200.200.200.200 255.255.255.0
>
>crypto ipsec transform-set TR esp-des
>!
>crypto map CryMap 10 ipsec-manual
> set peer 135.1.2.4
> set session-key inbound esp 300 cipher 1234567890123456789012345678901234567890
> set session-key outbound esp 400 cipher 1234567890123456789012345678901234567890
> set transform-set TR
> match address 122
>!
>interface Serial0/0.4 point-to-point
> ip address 135.1.2.2 255.255.255.224
> no arp frame-relay
> frame-relay interface-dlci 42
> crypto map CryMap
>
>access-list 122 permit ip host 200.200.200.200 host 44.44.44.44
>
>
>I also have default routes pointing to each other's serial interface IPs.
>
>Regards,
>Vijay.
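With manual keying there is no IKE negotiation to catch a typo, so the usual cause of an "invalid SPI" log is that what one router sends outbound (SPI and key) is not what the other router has configured inbound. The following Python checker is an added example, not code from the original post or from Cisco: it parses the two ipsec-manual crypto map fragments quoted above (embedded as constructed input, with the keys the mail client wrapped onto a second line re-joined) and reports SPI/key pairing errors, differing transform sets, peers that do not point at each other's interface address, and crypto ACLs that are not mirror images. On the posted R2/R4 fragments it reports no mismatch; run against a copy with the SPIs transposed on one side it shows the kind of error it catches. The parser only understands the commands that appear in the post.

```python
"""Cross-check two Cisco IOS manual-keyed crypto maps for the mismatches that
surface as "invalid SPI" or decrypt errors. Added example, not code from the post."""
import re

# R4 and R2 fragments as quoted in the post (constructed input; the keys that the
# mail client wrapped onto a second line are re-joined here).
R4_CONFIG = """\
crypto ipsec transform-set TR esp-des
crypto map CryMap 10 ipsec-manual
 set peer 135.1.2.2
 set session-key inbound esp 400 cipher 1234567890123456789012345678901234567890
 set session-key outbound esp 300 cipher 1234567890123456789012345678901234567890
 set transform-set TR
 match address 122
interface Serial0/1.2 point-to-point
 ip address 135.1.2.4 255.255.255.224
 crypto map CryMap
access-list 122 permit ip host 44.44.44.44 host 200.200.200.200
"""
R2_CONFIG = """\
crypto ipsec transform-set TR esp-des
crypto map CryMap 10 ipsec-manual
 set peer 135.1.2.4
 set session-key inbound esp 300 cipher 1234567890123456789012345678901234567890
 set session-key outbound esp 400 cipher 1234567890123456789012345678901234567890
 set transform-set TR
 match address 122
interface Serial0/0.4 point-to-point
 ip address 135.1.2.2 255.255.255.224
 crypto map CryMap
access-list 122 permit ip host 200.200.200.200 host 44.44.44.44
"""

def parse(config):
    """Extract transform sets, ipsec-manual map entries, interface IPs and host ACLs."""
    cfg = {"transforms": {}, "maps": {}, "addrs": set(), "acls": {}}
    block = None  # ("map", (name, seq)) or ("intf", name) while inside a sub-mode
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if not raw.startswith(" "):  # top-level command: ends any sub-mode
            block = None
            if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", raw):
                cfg["transforms"][m[1]] = m[2].split()
            elif m := re.match(r"crypto map (\S+) (\d+) ipsec-manual", raw):
                block = ("map", (m[1], int(m[2])))
                cfg["maps"][block[1]] = {"inbound": None, "outbound": None}
            elif m := re.match(r"interface (\S+)", raw):
                block = ("intf", m[1])
            elif m := re.match(r"access-list (\d+) permit ip host (\S+) host (\S+)", raw):
                cfg["acls"].setdefault(m[1], set()).add((m[2], m[3]))
            continue
        line = raw.strip()
        if block and block[0] == "map":
            entry = cfg["maps"][block[1]]
            if m := re.match(r"set session-key (inbound|outbound) esp (\d+) cipher ([0-9A-Fa-f]+)", line):
                entry[m[1]] = {"spi": int(m[2]), "key": m[3].lower()}
            elif m := re.match(r"set (peer|transform-set) (\S+)", line):
                entry[m[1]] = m[2]
            elif m := re.match(r"match address (\S+)", line):
                entry["acl"] = m[1]
        elif block and block[0] == "intf":
            if m := re.match(r"ip address (\S+) ", line):
                cfg["addrs"].add(m[1])
    return cfg

def check_pair(a_name, a_config, b_name, b_config):
    """Return mismatches between two peers' manual crypto maps; an empty list means consistent."""
    a, b = parse(a_config), parse(b_config)
    findings = []
    for key in sorted(set(a["maps"]) | set(b["maps"])):
        ea, eb = a["maps"].get(key), b["maps"].get(key)
        if ea is None or eb is None:
            findings.append(f"crypto map {key[0]} {key[1]}: present on only one peer")
            continue
        # What one side sends outbound (SPI + key) must be exactly what the other expects inbound.
        for tx_name, tx, rx_name, rx in ((a_name, ea, b_name, eb), (b_name, eb, a_name, ea)):
            out, inb = tx["outbound"], rx["inbound"]
            if out is None or inb is None:
                findings.append(f"{tx_name}->{rx_name}: session-key missing on one side")
            elif out["spi"] != inb["spi"]:
                findings.append(f"{tx_name}->{rx_name}: sends SPI {out['spi']} but {rx_name} expects SPI {inb['spi']}")
            elif out["key"] != inb["key"]:
                findings.append(f"{tx_name}->{rx_name}: key for SPI {out['spi']} differs between peers")
        ta, tb = a["transforms"].get(ea.get("transform-set")), b["transforms"].get(eb.get("transform-set"))
        if ta != tb:
            findings.append(f"{key[0]} {key[1]}: transform sets differ ({ta} vs {tb})")
        if ea.get("peer") not in b["addrs"] or eb.get("peer") not in a["addrs"]:
            findings.append(f"{key[0]} {key[1]}: set peer does not match the other side's interface address")
        acl_a = a["acls"].get(ea.get("acl"), set())
        acl_b = {(dst, src) for src, dst in b["acls"].get(eb.get("acl"), set())}
        if acl_a != acl_b:  # each side's crypto ACL must be the mirror image of the other's
            findings.append(f"{key[0]} {key[1]}: crypto ACLs are not mirror images")
    return findings

if __name__ == "__main__":
    print(check_pair("R2", R2_CONFIG, "R4", R4_CONFIG) or "R2/R4 manual SAs are consistent")
```

The pairing rule the checker enforces is the one the posted configs already follow: R4's outbound SPI 300 is R2's inbound SPI 300, and R4's inbound SPI 400 is R2's outbound SPI 400, with identical keys in each pair. Because the fragments pass, the checker points away from a simple SPI or key transposition as the cause of the log message in the post.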



This archive was generated by hypermail 2.1.4 : Tue Dec 03 2002 - 07:23:00 GMT-3