IPsec with rsa-encr problem

From: John Tafasi (johntafasi@yahoo.com)
Date: Wed Apr 09 2003 - 00:41:42 GMT-3


Hi Group,

I configured IPsec between r5 and r7 as shown below. I used ISAKMP with
rsa-encr authentication. The access list on both routers allows ICMP packets
to use IPsec. I tried to ping r5 from r7, but the ping did not work. I have
included the necessary information below. Can someone let me know what is
wrong?

Thanks
John Tafasi

r7#ping 105.0.0.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 105.0.0.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r7#

===============================

r5#debug crypto isakmp
Crypto ISAKMP debugging is on
r5#
10:22:10: ISAKMP (0:0): received packet from 7.0.0.7 (N) NEW SA
10:22:10: ISAKMP: local port 500, remote port 500
10:22:10: ISAKMP (0:1): processing SA payload. message ID = 0
10:22:10: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1
policy
10:22:10: ISAKMP: encryption DES-CBC
10:22:10: ISAKMP: hash MD5
10:22:10: ISAKMP: default group 1
10:22:10: ISAKMP: auth RSA encr
10:22:10: ISAKMP: life type in seconds
10:22:10: ISAKMP: life duration (basic) of 3600
10:22:10: ISAKMP (0:1): atts are acceptable. Next payload is 3
10:22:12: ISAKMP (0:1): Unable to get router cert or routerdoes not have a
cert: needed to find DN!
10:22:12: ISAKMP (0:1): SA is doing RSA encryption authentication using id
type ID_IPV4_ADDR
10:22:12: ISAKMP (0:1): sending packet to 7.0.0.7 (R) MM_SA_SETUP
r5#
10:22:12: ISAKMP (0:1): received packet from 7.0.0.7 (R) MM_SA_SETUP
10:22:12: ISAKMP (0:1): processing KE payload. message ID = 0
10:22:14: ISAKMP (0:1): processing ID payload. message ID = 0
r5#
10:22:17: ISAKMP (0:1): processing NONCE payload. message ID = 0
10:22:20: ISAKMP (0:1): SKEYID state generated
10:22:20: ISAKMP (0:1): processing vendor id payload
10:22:20: ISAKMP (0:1): speaking to another IOS box!
10:22:20: ISAKMP (1): ID payload
        next-payload : 10
        type : 1
        protocol : 17
        port : 500
        length : 8
10:22:20: ISAKMP (1): length after encryption 64
10:22:20: ISAKMP (1): Total payload length: 68
10:22:20: ISAKMP (0:1): sending packet to 7.0.0.7 (R) MM_KEY_EXCH
r5#
10:22:21: ISAKMP (0:1): received packet from 7.0.0.7 (R) MM_KEY_EXCH
10:22:21: ISAKMP (0:1): processing HASH payload. message ID = 0
10:22:21: ISAKMP (0:1): SA has been authenticated with 7.0.0.7
10:22:21: ISAKMP (0:1): sending packet to 7.0.0.7 (R) QM_IDLE
10:22:21: ISAKMP (0:1): received packet from 7.0.0.7 (R) QM_IDLE
10:22:21: ISAKMP (0:1): processing HASH payload. message ID = 310386281
10:22:21: ISAKMP (0:1): processing SA payload. message ID = 310386281
10:22:21: ISAKMP (0:1): Checking IPSec proposal 1
10:22:21: ISAKMP: transform 1, AH_SHA
10:22:21: ISAKMP: attributes in transform:
10:22:21: ISAKMP: encaps is 1
10:22:21: ISAKMP: SA life type in seconds
10:22:21: ISAKMP: SA life duration (basic) of 1800
10:22:21: ISAKMP: SA life type in kilobytes
10:22:21: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
10:22:21: ISAKMP: authenticator is HMAC-SHA
10:22:21: ISAKMP (0:1): atts are acceptable.
10:22:21: ISAKMP (0:1): Checking IPSec proposal 1
10:22:21: ISAKMP: transform 1, ESP_DES
10:22:21: ISAKMP: attributes in transform:
10:22:21: ISAKMP: encaps is 1
10:22:21: ISAKMP: SA life type in seconds
10:22:21: ISAKMP: SA life duration (basic) of 1800
10:22:21: ISAKMP: SA life type in kilobytes
10:22:21: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
10:22:21: ISAKMP (0:1): atts are acceptable.
10:22:21: ISAKMP (0:1): IPSec policy invalidated proposal
10:22:21: ISAKMP (0:1): phase 2 SA not acceptable!
10:22:21: ISAKMP (0:1): sending packet to 7.0.0.7 (R) QM_IDLE
10:22:21: ISAKMP (0:1): purging node -1390795555
10:22:21: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with
peer at 7.0.0.7
10:22:21: ISAKMP (0:1): deleting node 310386281 error FALSE reason
"IKMP_NO_ERR_NO_TRANS"
r5#
10:22:40: ISAKMP (0:1): received packet from 7.0.0.7 (R) QM_IDLE
10:22:40: ISAKMP (0:1): processing HASH payload. message ID = -2113048605
10:22:40: ISAKMP (0:1): processing SA payload. message ID = -2113048605
10:22:40: ISAKMP (0:1): Checking IPSec proposal 1
10:22:40: ISAKMP: transform 1, AH_SHA
10:22:40: ISAKMP: attributes in transform:
10:22:40: ISAKMP: encaps is 1
10:22:40: ISAKMP: SA life type in seconds
10:22:40: ISAKMP: SA life duration (basic) of 1800
10:22:40: ISAKMP: SA life type in kilobytes
10:22:40: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
10:22:40: ISAKMP: authenticator is HMAC-SHA
10:22:40: ISAKMP (0:1): atts are acceptable.
10:22:40: ISAKMP (0:1): Checking IPSec proposal 1
10:22:40: ISAKMP: transform 1, ESP_DES
10:22:40: ISAKMP: attributes in transform:
10:22:40: ISAKMP: encaps is 1
10:22:40: ISAKMP: SA life type in seconds
10:22:40: ISAKMP: SA life duration (basic) of 1800
10:22:40: ISAKMP: SA life type in kilobytes
10:22:40: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
10:22:40: ISAKMP (0:1): atts are acceptable.
10:22:40: ISAKMP (0:1): IPSec policy invalidated proposal
10:22:40: ISAKMP (0:1): phase 2 SA not acceptable!
10:22:40: ISAKMP (0:1): sending packet to 7.0.0.7 (R) QM_IDLE
10:22:40: ISAKMP (0:1): purging node 211797906
10:22:40: ISAKMP (0:1): deleting node -2113048605 error FALSE reason
"IKMP_NO_ERR_NO_TRANS"
r5#
10:23:10: ISAKMP (0:1): received packet from 7.0.0.7 (R) QM_IDLE
10:23:10: ISAKMP (0:1): processing HASH payload. message ID = -545978674
10:23:10: ISAKMP:received payload type 15
10:23:10: ISAKMP (0:1): processing DELETE_WITH_REASON payload, message ID
= -545978674, reason: DELETE_BY_ERROR
10:23:10: ISAKMP (0:1): deleting node -545978674 error FALSE reason "ISAKMP
Delete notify (in)"
10:23:10: ISAKMP (0:1): deleting SA reason "P1 delete notify (in)" state (R)
QM_IDLE (peer 7.0.0.7) input queue 0
10:23:11: ISAKMP (0:1): purging node 310386281
r5#
10:23:30: ISAKMP (0:1): purging node -2113048605
r5#

=============================

r5#show run
Building configuration...

Current configuration : 2158 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r5
!
logging rate-limit console 10 except errors
!
ip subnet-zero
no ip finger
ip domain-name cisco.com
ip host r7.cisco.com 7.0.0.7
ip host r6.cisco.com 6.0.0.6
!
ip ssh time-out 120
ip ssh authentication-retries 3
cns event-service server
!
!
crypto isakmp policy 1
 hash md5
 authentication rsa-encr
 lifetime 3600
!
!
crypto ipsec transform-set standard ah-sha-hmac esp-des
!
crypto key pubkey-chain rsa
 named-key r6.cisco.com
  address 6.0.0.6
  key-string
   305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C65CFD D6EFC5B4
   DB4B045B 3C6CB7E9 17FCB6C0 CA268393 D1815586 308AEF30 5A1677C7 EBAFAD58
   A25E3F6D 2BB953EA CFB0472C E29EC980 FFDADCA3 3FD58ADD C7020301 0001
  quit
 named-key r7.cisco.com
  address 7.0.0.7
  key-string
   305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D1BD55 C8EA97A2
   E817DCB3 5D949263 1E2C0F52 AEBD8012 F03F1EAA E932311E A0EDC528 820DDD86
   1F93BCD1 4D4169AC 8C6FD232 D63AAC04 F1E9A921 E3630E5C B3020301 0001
  quit
 !
 crypto map r5 10 ipsec-isakmp
 set peer 6.0.0.6
 set security-association lifetime seconds 1800
 set transform-set standard
 match address 106
crypto map r5 20 ipsec-isakmp
 set peer 7.0.0.7
 set security-association lifetime seconds 1800
 set transform-set standard
 match address 107
!
!
!
!
interface Loopback0
 ip address 105.0.0.5 255.255.255.0
!
interface Ethernet0
 ip address 5.0.0.5 255.255.255.0
 crypto map r5
!
interface Serial0
 no ip address
 encapsulation frame-relay
 shutdown
 frame-relay lmi-type cisco
!
interface Serial1
 no ip address
 shutdown
!
interface BRI0
 no ip address
 shutdown
!
router rip
 version 2
 network 5.0.0.0
 network 105.0.0.0
!
ip kerberos source-interface any
ip classless
no ip http server
!
access-list 105 permit icmp any 105.0.0.0 0.255.255.255
access-list 106 permit icmp any 106.0.0.0 0.255.255.255
access-list 107 permit icmp any 107.0.0.0 0.255.255.255
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 transport input none
line aux 0
line vty 0 4
!
end

r5#

========================

r7#show run
Building configuration...

Current configuration : 1982 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r7
!
!
ip subnet-zero
!
!
ip domain-name cisco.com
ip host r6.cisco.com 6.0.0.6
ip host r5.cisco.com 5.0.0.5
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
 hash md5
 authentication rsa-encr
 lifetime 3600
!
!
crypto ipsec transform-set standard ah-sha-hmac esp-des
!
crypto key pubkey-chain rsa
 named-key r5.cisco.com
  address 5.0.0.5
  key-string
   305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C16AB0 89065FFA
   2E1149F8 A9227BAF 30B0FB9C 2A2C08D3 50A8B0A7 512754FD 0FFCF928 3CA5F676
   C3155BA2 CD3F74E8 384FE37C 5B35CDBE D55BC771 EE6001D5 2B020301 0001
  quit
 named-key r6.cisco.com
  address 6.0.0.6
  key-string
   305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C65CFD D6EFC5B4
   DB4B045B 3C6CB7E9 17FCB6C0 CA268393 D1815586 308AEF30 5A1677C7 EBAFAD58
   A25E3F6D 2BB953EA CFB0472C E29EC980 FFDADCA3 3FD58ADD C7020301 0001
  quit
 !
 crypto map r7 10 ipsec-isakmp
 set peer 5.0.0.5
 set security-association lifetime seconds 1800
 set transform-set standard
 match address 105
crypto map r7 20 ipsec-isakmp
 set peer 6.0.0.6
 set security-association lifetime seconds 1800
 set transform-set standard
 match address 106
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 107.0.0.7 255.255.255.0
!
interface Ethernet1/0
 ip address 7.0.0.7 255.255.255.0
 half-duplex
 crypto map r7
!
interface Serial1/0
 no ip address
 shutdown
 no fair-queue
!
router rip
 version 2
 network 7.0.0.0
 network 107.0.0.0
!
ip classless
ip http server
ip pim bidir-enable
!
access-list 105 permit icmp any 105.0.0.0 0.255.255.255
access-list 106 permit icmp any 106.0.0.0 0.255.255.255
access-list 107 permit icmp any 107.0.0.0 0.255.255.255
!
!
voice-port 0/0/0
!
voice-port 0/0/1
!
dial-peer cor custom
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
end

r7#
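Phase 1 completes in the debug above ("SA has been authenticated with 7.0.0.7"); the failure is in Quick Mode, where "IPSec policy invalidated proposal" is what IOS logs when the initiator's proxy identities do not match a mirror-image permit entry in the responder's crypto ACL, and in the posted configs r7's access-list 105 (any to 105/8) is not the mirror of r5's access-list 107 (any to 107/8). The script below is an added example, not part of the original post, that parses both crypto ACLs and reports the entries that fail the mirror check; the "mirrored" ACL pair it also checks is a constructed assumption of what matching entries would look like, not a configuration from the post.

```python
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network
Ace = Tuple[Net, Net]  # (source, destination) of one permit entry

# Crypto ACLs copied from the post: r5 uses 107 for peer r7, r7 uses 105 for peer r5.
R5_ACL_107 = ["access-list 107 permit icmp any 107.0.0.0 0.255.255.255"]
R7_ACL_105 = ["access-list 105 permit icmp any 105.0.0.0 0.255.255.255"]
# Constructed mirror-image pair (assumption, not from the post) for comparison.
R5_ACL_107_MIRRORED = ["access-list 107 permit icmp 105.0.0.0 0.255.255.255 107.0.0.0 0.255.255.255"]
R7_ACL_105_MIRRORED = ["access-list 105 permit icmp 107.0.0.0 0.255.255.255 105.0.0.0 0.255.255.255"]

def _net(tokens: List[str]) -> Tuple[Net, List[str]]:
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return Net("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return Net(tokens[1] + "/32"), tokens[2:]
    if tokens[1] == "0.0.0.0":  # an all-zero wildcard is a single host
        return Net(tokens[0] + "/32"), tokens[2:]
    # ipaddress accepts an IOS-style wildcard (host mask) after the slash.
    return Net(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(lines: List[str]) -> List[Ace]:
    """Return (src, dst) pairs for the permit entries of an extended numbered ACL."""
    aces = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list" or parts[2] != "permit":
            continue                    # deny entries never select traffic for IPsec
        src, rest = _net(parts[4:])     # parts[3] is the protocol (icmp, ip, ...)
        dst, _ = _net(rest)
        aces.append((src, dst))
    return aces

def mirror_mismatches(initiator: List[Ace], responder: List[Ace]) -> List[Ace]:
    """Each initiator entry (src, dst) needs a responder entry (dst, src); the
    entries returned are what the responder rejects as 'IPSec policy invalidated proposal'."""
    return [ace for ace in initiator if (ace[1], ace[0]) not in responder]

def check_pair(responder_lines: List[str], initiator_lines: List[str]) -> List[Ace]:
    """Entries the initiator proposes that the responder's crypto ACL will not accept."""
    return mirror_mismatches(parse_acl(initiator_lines), parse_acl(responder_lines))

if __name__ == "__main__":  # r7 initiates (the ping is sent from r7), r5 responds
    print("as posted:", check_pair(R5_ACL_107, R7_ACL_105))
    print("mirrored: ", check_pair(R5_ACL_107_MIRRORED, R7_ACL_105_MIRRORED))
```

Note that with loopback-to-loopback entries like the mirrored pair, a plain ping from r7 sourced from 7.0.0.7 would no longer match the crypto ACL at all and would be sent in the clear; the test ping would have to be sourced from Loopback0 (extended ping) to trigger IKE.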



This archive was generated by hypermail 2.1.4 : Thu May 01 2003 - 13:35:50 GMT-3