IPSec identity question?

From: Richard Hanks (ccieingroup@hotmail.com)
Date: Mon Dec 23 2002 - 20:58:11 GMT-3


Hi Guys,

While preparing for the lab exam, I did some practice with IPSec on my routers.
When I used the IP address to build the peer relationship, everything worked
fine. But when I replaced the "ip address" with the hostname + identity, no
matter what I tried, the ISAKMP peer could not be built. Could you give me some
hints or advice about my configuration? Thanks a lot and Merry Christmas!

R4(e0:10.0.0.4)------IPSec--------(e0:10.0.0.5)R5

R5:

hostname r5
ip host r4.cisco.com 10.0.0.4
ip domain-name cisco.com
!
crypto isakmp policy 10
 authentication pre-share
 encryption des
!
crypto isakmp key cisco hostname r4.cisco.com   (I also tried r4 here)
crypto isakmp identity hostname
!
crypto ipsec transform-set trans1 esp-des
!
crypto map map1 10 ipsec-isakmp
 set peer 10.0.0.4   (when I set r4.cisco.com, it was replaced by the IP automatically)
 set transform-set trans1
 match address 100
!
interface Ethernet0
 ip address 10.0.0.5 255.255.255.0
 no ip mroute-cache
 crypto map map1

access-list 100 permit icmp any any


R4:

hostname r4
ip host r5.cisco.com 10.0.0.5
ip domain-name cisco.com
!
crypto isakmp policy 10
 authentication pre-share
 encryption des
!
crypto isakmp key cisco hostname r5.cisco.com   (I also tried r5 here)
crypto isakmp identity hostname
!
crypto ipsec transform-set trans1 esp-des
!
crypto map map1 10 ipsec-isakmp
 set peer 10.0.0.5
 set transform-set trans1
 match address 100
!
interface Ethernet0
 ip address 10.0.0.4 255.255.255.0
 no ip mroute-cache
 crypto map map1

access-list 100 permit icmp any any

After I ping 10.0.0.5 from R4, this is what I get:

r4#sh cry isa sa
    dst src state conn-id slot
10.0.0.5 10.0.0.4 AG_INIT_EXCH 1 0

r4#p 10.0.0.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r4#
*Mar 1 01:04:38: IPSEC(sa_request): ,
  (key eng. msg.) src= 10.0.0.4, dest= 10.0.0.5,
    src_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
    dest_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
    protocol= ESP, transform= esp-des ,
    lifedur= 3600s and 4608000kb,
    spi= 0xB1B026B(186319467), conn_id= 0, keysize= 0, flags= 0x4004
*Mar 1 01:04:38: ISAKMP: received ke message (1/1)
*Mar 1 01:04:40: ISAKMP (1): ID payload
        next-payload : 0
        type : 2
        protocol : 17
        port : 500
        length : 16
*Mar 1 01:04:40: ISAKMP (1): Total payload length: 20
*Mar 1 01:04:40: ISAKMP (0:1): beginning Aggressive Mode exchange
*Mar 1 01:04:40: ISAKMP (1): sending packet to 10.0.0.5 (I) AG_INIT_EXCH
*Mar 1 01:04:40: ISAKMP (1): received packet from 10.0.0.5 (I) AG_INIT_EXCH
*Mar 1 01:04:40: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.0.0.5
r4#
.

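The debug output in the post shows R4 sending an FQDN identity (ID payload type 2, which is ID_FQDN in the IPsec DOI) and going straight into Aggressive Mode. RFC 2409 section 5.4 explains why: with pre-shared keys, Main Mode can only select the key by the peer's IP address, because HASH_I must be computed before the responder has seen the initiator's ID payload, so a name-based identity forces Aggressive Mode, where the ID travels in the first message and the responder must find a key for exactly that name. The Python model below is an added example, not part of the original post and not Cisco code. It walks the responder side of that exchange: it looks up the pre-shared key by the identity string the initiator sends and recomputes HASH_I as RFC 2409 section 5.4 defines it for pre-shared key authentication. The nonces, cookies, SA body and DH public values are constructed placeholders (no real Diffie-Hellman is performed), the keyring dictionaries stand in for `crypto isakmp key ... hostname ...` lines, and the `identity_string` helper encodes the documented IOS behaviour that `crypto isakmp identity hostname` sends the hostname concatenated with the `ip domain-name`.

```python
import hmac
import hashlib
import socket

# IPsec DOI identification types (RFC 2407 section 4.6.2.1). The post's debug
# output shows "type : 2", i.e. the router sent an ID_FQDN identity.
ID_IPV4_ADDR = 1
ID_FQDN = 2


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf is HMAC with the negotiated hash (RFC 2409 section 3.2).
    The post's policy sets no hash, so IOS's default SHA-1 is assumed."""
    return hmac.new(key, data, hashlib.sha1).digest()


def identity_string(hostname: str, domain: str) -> str:
    """'crypto isakmp identity hostname' sends hostname + '.' + ip domain-name."""
    return f"{hostname}.{domain}"


def build_id_payload(id_type: int, value: str) -> bytes:
    """IDii_b as used in HASH_I: the ID payload without its 4-byte generic
    header, i.e. type, protocol, port, then the identity bytes."""
    if id_type == ID_IPV4_ADDR:
        ident = socket.inet_aton(value)
    elif id_type == ID_FQDN:
        ident = value.encode("ascii")
    else:
        raise ValueError("unsupported ID type")
    # protocol 17 (UDP) and port 500 match "protocol : 17 / port : 500" in the debug
    return bytes([id_type, 17]) + (500).to_bytes(2, "big") + ident


def lookup_psk(keyring: dict, id_type: int, ident: str):
    """Responder-side key selection: the key is found only under the exact
    (type, identity) pair the initiator sent. Modelled, not IOS's code."""
    return keyring.get((id_type, ident))


def hash_i(psk, ni, nr, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    """RFC 2409 section 5.4, pre-shared key authentication:
    SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)"""
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def responder_verify(keyring, id_type, ident, received_hash, *, exchange):
    """True if the responder has a key for the claimed identity and the
    initiator's HASH_I verifies under it; False if either step fails."""
    psk = lookup_psk(keyring, id_type, ident)
    if psk is None:
        return False
    expected = hash_i(psk, idii_b=build_id_payload(id_type, ident), **exchange)
    return hmac.compare_digest(expected, received_hash)


def demo():
    """Replay R4 -> R5 with the post's names against three hypothetical R5 keyrings."""
    # Constructed sample values standing in for the real exchange; the DH
    # public values are placeholders and no Diffie-Hellman is computed.
    exchange = dict(
        ni=bytes.fromhex("00112233445566778899aabbccddeeff"),
        nr=bytes.fromhex("ffeeddccbbaa99887766554433221100"),
        gxi=b"\x01" * 96,
        gxr=b"\x02" * 96,
        cky_i=bytes.fromhex("0102030405060708"),
        cky_r=bytes.fromhex("1112131415161718"),
        sai_b=bytes.fromhex("00000001000000010000002801010000"),
    )
    psk = b"cisco"
    ident = identity_string("r4", "cisco.com")  # what R4 actually sends
    received = hash_i(psk, idii_b=build_id_payload(ID_FQDN, ident), **exchange)

    fqdn_ring = {(ID_FQDN, "r4.cisco.com"): psk}   # key ... hostname r4.cisco.com
    short_ring = {(ID_FQDN, "r4"): psk}            # key ... hostname r4
    wrong_ring = {(ID_FQDN, "r4.cisco.com"): b"cisco1"}
    return {
        "fqdn_match": responder_verify(fqdn_ring, ID_FQDN, ident, received, exchange=exchange),
        "short_name": responder_verify(short_ring, ID_FQDN, ident, received, exchange=exchange),
        "wrong_psk": responder_verify(wrong_ring, ID_FQDN, ident, received, exchange=exchange),
    }


if __name__ == "__main__":
    print(demo())
```

In this model the responder accepts only when the keyring entry is the full `r4.cisco.com` and the pre-shared key matches; an entry keyed by the bare `r4` finds no key at all, and a mismatched key yields a HASH_I that fails `compare_digest`. For `r4.cisco.com` the IDii_b produced by `build_id_payload` is 16 bytes, which lines up with the `length : 16` the IOS debug reports for the ID payload if that figure excludes the 4-byte generic header, with `Total payload length: 20` being the payload including it.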


This archive was generated by hypermail 2.1.4 : Fri Jan 17 2003 - 17:21:52 GMT-3