Re: IPSec identity question?

From: ccie_studying (ccie_studying@hotmail.com)
Date: Mon Dec 23 2002 - 21:39:55 GMT-3


I did not try this, but two things you may try:

1. Simply take out "ip host r4.cisco.com 10.0.0.4" in R5 and "ip host r5.cisco.com 10.0.0.5" in R4.
Or
2. Change the R5 configuration to "ip host r4 10.0.0.4" and R4 to "ip host r5 10.0.0.5".

----- Original Message -----
From: "Richard Hanks" <ccieingroup@hotmail.com>
To: <ccielab@groupstudy.com>
Sent: Monday, December 23, 2002 6:58 PM
Subject: IPSec identity question?

> Hi Guys,
>
> To prepare for the lab test, I did some practice with IPSec on my routers.
> When I used the IP address to build the peer relationship, everything worked
> fine. But when I replaced the "ip address" with the hostname + identity, no
> matter what I tried, the ISAKMP peer could not be built. Could you give me
> some hints or advice about my configuration? Thanks a lot and Merry Christmas!
>
> R4(e0:10.0.0.4)------IPSec--------(e0:10.0.0.5)R5
>
> R5:
>
> hostname r5
> ip host r4.cisco.com 10.0.0.4
> ip domain-name cisco.com
> !
> crypto isakmp policy 10
>  authentication pre-share
>  encryption des
> !
> crypto isakmp key cisco hostname r4.cisco.com   (I also tried r4 here)
> crypto isakmp identity hostname
> !
> crypto ipsec transform-set trans1 esp-des
> !
> crypto map map1 10 ipsec-isakmp
>  set peer 10.0.0.4   (when I set r4.cisco.com, it was replaced by the IP automatically)
>  set transform-set trans1
>  match address 100
> !
> interface Ethernet0
>  ip address 10.0.0.5 255.255.255.0
>  no ip mroute-cache
>  crypto map map1
>
> access-list 100 permit icmp any any
>
>
>
> R4:
>
> hostname r4
> ip host r5.cisco.com 10.0.0.5
> ip domain-name cisco.com
> !
> crypto isakmp policy 10
>  authentication pre-share
>  encryption des
> !
> crypto isakmp key cisco hostname r5.cisco.com   (I also tried r5 here)
> crypto isakmp identity hostname
> !
> crypto ipsec transform-set trans1 esp-des
> !
> crypto map map1 10 ipsec-isakmp
>  set peer 10.0.0.5
>  set transform-set trans1
>  match address 100
> !
> interface Ethernet0
>  ip address 10.0.0.4 255.255.255.0
>  no ip mroute-cache
>  crypto map map1
>
> access-list 100 permit icmp any any
>
> After I ping 10.0.0.5 from R4, it is ...
>
> r4#sh cry isa sa
> dst             src             state          conn-id    slot
> 10.0.0.5        10.0.0.4        AG_INIT_EXCH   1          0
>
>
>
> r4#p 10.0.0.5
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 10.0.0.5, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
> r4#
> *Mar 1 01:04:38: IPSEC(sa_request): ,
>   (key eng. msg.) src= 10.0.0.4, dest= 10.0.0.5,
>     src_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
>     dest_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
>     protocol= ESP, transform= esp-des ,
>     lifedur= 3600s and 4608000kb,
>     spi= 0xB1B026B(186319467), conn_id= 0, keysize= 0, flags= 0x4004
> *Mar 1 01:04:38: ISAKMP: received ke message (1/1)
> *Mar 1 01:04:40: ISAKMP (1): ID payload
>         next-payload : 0
>         type         : 2
>         protocol     : 17
>         port         : 500
>         length       : 16
> *Mar 1 01:04:40: ISAKMP (1): Total payload length: 20
> *Mar 1 01:04:40: ISAKMP (0:1): beginning Aggressive Mode exchange
> *Mar 1 01:04:40: ISAKMP (1): sending packet to 10.0.0.5 (I) AG_INIT_EXCH
> *Mar 1 01:04:40: ISAKMP (1): received packet from 10.0.0.5 (I) AG_INIT_EXCH
> *Mar 1 01:04:40: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode
> failed with peer at 10.0.0.5
> r4#
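The debug output quoted above shows R4 sending an ISAKMP Identification payload of type 2 (ID_FQDN in RFC 2407), protocol 17 (UDP), port 500, inside an aggressive mode exchange, and the exchange then failing. The Python script below is an added example and is not code from the post or from IOS: it encodes and decodes that payload format per RFC 2407 section 4.6.2 and models how a responder picks a pre-shared key from "crypto isakmp key ... address" versus "crypto isakmp key ... hostname" entries once it can see the initiator's identity. The IsakmpKeyring class, the helper names, and its matching rule (a hostname entry matches only an FQDN identity that is string-equal, compared case-insensitively) are assumptions made for illustration, not a description of the IOS implementation; the sample identities and keys are constructed from the configs in the post.

```python
"""IKEv1 Identification payload (RFC 2407, section 4.6.2) encode/decode plus a
toy responder-side pre-shared-key lookup.  Added example; not code from the
post or from IOS.  The keyring matching rule below is an assumption."""
import ipaddress
import struct

# RFC 2407 4.6.2.1 identification types used here.
ID_IPV4_ADDR = 1
ID_FQDN = 2        # the "type : 2" shown in the debug output
ID_USER_FQDN = 3

PROTO_UDP = 17     # the "protocol : 17" shown in the debug output
ISAKMP_PORT = 500  # the "port : 500" shown in the debug output

# next-payload, reserved, length, id-type, protocol-id, port (network order)
_HDR = struct.Struct("!BBHBBH")


def encode_id_payload(id_type, data, next_payload=0):
    """Build an ID payload: 4-byte generic header + type/protocol/port + data."""
    if not isinstance(data, (bytes, bytearray)):
        raise TypeError("data must be bytes")
    length = _HDR.size + len(data)
    return _HDR.pack(next_payload, 0, length, id_type, PROTO_UDP, ISAKMP_PORT) + bytes(data)


def decode_id_payload(buf):
    """Parse an ID payload and return its fields; 'id' is decoded per type."""
    if len(buf) < _HDR.size:
        raise ValueError("ID payload shorter than its header")
    next_payload, _reserved, length, id_type, proto, port = _HDR.unpack(buf[:_HDR.size])
    if length != len(buf):
        raise ValueError("length field %d does not match %d bytes" % (length, len(buf)))
    data = buf[_HDR.size:]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR needs exactly 4 bytes of data")
        ident = str(ipaddress.IPv4Address(bytes(data)))
    elif id_type in (ID_FQDN, ID_USER_FQDN):
        ident = data.decode("ascii")
    else:
        ident = data.hex()
    return {"next": next_payload, "length": length, "type": id_type,
            "protocol": proto, "port": port, "id": ident}


def fqdn_identity(hostname, domain_name):
    """'crypto isakmp identity hostname' sends the hostname concatenated with
    'ip domain-name', so r4 + cisco.com is sent as r4.cisco.com."""
    return "%s.%s" % (hostname, domain_name)


class IsakmpKeyring:
    """Toy model (assumption, not IOS source) of 'crypto isakmp key <key>
    address <ip>' and 'crypto isakmp key <key> hostname <name>' entries.
    A hostname entry only matches an identity that is string-equal to it."""

    def __init__(self):
        self._by_address = {}
        self._by_hostname = {}

    def add_address(self, ip, key):
        self._by_address[str(ipaddress.IPv4Address(ip))] = key

    def add_hostname(self, name, key):
        self._by_hostname[name.lower()] = key

    def lookup(self, id_type, ident):
        # In main mode the ID payload travels encrypted in messages 5 and 6,
        # so a pre-shared-key responder can only key on the peer's source
        # address.  Aggressive mode carries the ID in message 1 in the clear,
        # which is what lets a hostname entry be consulted at all.
        if id_type == ID_IPV4_ADDR:
            return self._by_address.get(ident)
        if id_type in (ID_FQDN, ID_USER_FQDN):
            return self._by_hostname.get(ident.lower())
        return None


def responder_key_for(keyring, peer_hostname, peer_domain):
    """Simulate aggressive-mode message 1: the initiator builds its FQDN
    identity, the responder parses the payload and looks up the PSK."""
    ident = fqdn_identity(peer_hostname, peer_domain).encode("ascii")
    wire = encode_id_payload(ID_FQDN, ident)
    fields = decode_id_payload(wire)
    return keyring.lookup(fields["type"], fields["id"])


if __name__ == "__main__":
    # Constructed from the post's configs: R4 is "hostname r4", "ip domain-name cisco.com".
    r5_full = IsakmpKeyring()
    r5_full.add_hostname("r4.cisco.com", "cisco")   # equals the FQDN R4 sends
    print("key entry r4.cisco.com ->", responder_key_for(r5_full, "r4", "cisco.com"))
    r5_short = IsakmpKeyring()
    r5_short.add_hostname("r4", "cisco")            # bare name never equals r4.cisco.com
    print("key entry r4          ->", responder_key_for(r5_short, "r4", "cisco.com"))
```

Run it directly to see the two outcomes side by side. Two caveats a practitioner should keep in mind with the lab configuration in the post: IKEv1 aggressive mode with pre-shared keys sends the responder's HASH_R in the clear in message 2, so anyone who captures the exchange can run an offline dictionary attack against the PSK (which is why the mode is avoided outside labs), and both "encryption des" and "esp-des" are single DES, which is not acceptable for anything but a practice rack.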



This archive was generated by hypermail 2.1.4 : Fri Jan 17 2003 - 17:21:52 GMT-3