From: OhioHondo (ohiohondo@columbus.rr.com)
Date: Thu May 01 2003 - 08:52:47 GMT-3
I believe your problem is that the EIGRP packet is a multicast.
Try making it a unicast -- and make the appropriate ACL.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Joseph Hao
Sent: Thursday, May 01, 2003 6:04 AM
To: ccielab@groupstudy.com
Subject: IPSec Encryption of EIGRP - Weird Problem (longish)
Hello Folks,
I'm trying to configure IPSec encryption across the serial link of 2 routers
(R1 and R2). I am also trying to run EIGRP over the same link. After
configuring IPSec, the EIGRP is no longer running.
I've been up all night and I'm tired and I'm missing something very simple
here, so if anyone who's fresh can look at my configs that would be great.
The full configs are below with the corresponding error message. As you can
see, IPSec configs are correct because pings work. I suspect an IOS issue
so if somebody can run the configs on a different IOS version, we can
compare the results.
Thanks
Joseph
Current configuration : 2083 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R1
!
!
!
!
!
!
ip subnet-zero
no ip domain-lookup
!
!
key chain jochain1
key 10
key-string password
accept-lifetime 00:00:00 Jan 1 1993 infinite
send-lifetime 00:00:00 Jan 1 1993 infinite
!
!
crypto isakmp policy 10
authentication pre-share
group 2
lifetime 3600
crypto isakmp key password address 133.10.12.2
!
!
crypto ipsec transform-set jotransform1 ah-sha-hmac esp-des esp-sha-hmac
!
crypto map jomap1 10 ipsec-isakmp
set peer 133.10.12.2
set security-association level per-host
set transform-set jotransform1
set pfs group2
match address 101
!
!
!
!
interface Loopback0
ip address 133.10.1.1 255.255.255.0
!
interface Ethernet0
ip address 150.100.10.1 255.255.255.0
!
interface Serial0
no ip address
shutdown
no fair-queue
!
interface Serial1
ip address 133.10.12.1 255.255.255.0
clockrate 64000
crypto map jomap1
!
interface BRI0
no ip address
shutdown
isdn x25 static-tei 0
!
router eigrp 10
redistribute bgp 3000 metric 100 10 255 1 1500
network 133.10.1.1 0.0.0.0
network 133.10.12.1 0.0.0.0
network 150.100.10.1 0.0.0.0
no auto-summary
eigrp log-neighbor-changes
!
router bgp 3000
no synchronization
bgp log-neighbor-changes
redistribute eigrp 10 metric 3333
neighbor 133.10.8.8 remote-as 3000
neighbor 133.10.8.8 ebgp-multihop 10
neighbor 133.10.8.8 update-source Loopback0
neighbor 150.100.10.9 remote-as 1000
neighbor 150.100.10.9 password password
no auto-summary
!
ip classless
ip http server
!
access-list 101 permit eigrp any any
access-list 101 permit ip any any
access-list 101 permit icmp any any
!
alias router e exit
alias line e exit
alias interface e exit
alias configure e exit
alias exec p ping
alias exec c config t
alias exec s sh run
alias exec sip sh ip route
alias exec sib sh ip bgp
alias exec cib clear ip bgp *
alias exec cip clear ip route *
alias exec co clear ip ospf process
alias exec crs copy run start
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
login
!
end
R1#
00:08:56: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.2, prot= 88
00:09:57: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.2, prot= 88
00:11:02: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.2, prot= 88
R1#
R1#ping 133.10.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 133.10.12.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#ping 133.10.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 133.10.12.2, timeout is 2 seconds:
00:12:03: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.2, prot= 88.....
Success rate is 0 percent (0/5)
R1#ping 133.10.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 133.10.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 108/108/108 ms
R1#
00:13:05: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.2, prot= 88
00:14:06: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.2, prot= 88
00:15:06: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.2, prot= 88
Current configuration : 2525 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R2
!
!
!
!
!
!
ip subnet-zero
no ip domain-lookup
!
frame-relay switching
!
key chain jochain1
key 10
key-string password
accept-lifetime 00:00:00 Jan 1 1993 infinite
send-lifetime 00:00:00 Jan 1 1993 infinite
!
!
crypto isakmp policy 10
authentication pre-share
group 2
lifetime 3600
crypto isakmp key password address 133.10.12.1
!
!
crypto ipsec transform-set jotransform1 ah-sha-hmac esp-des esp-sha-hmac
!
crypto map jomap1 10 ipsec-isakmp
set peer 133.10.12.1
set security-association level per-host
set transform-set jotransform1
set pfs group2
match address 101
!
!
!
!
interface Loopback0
ip address 133.10.2.2 255.255.255.0
ip ospf network point-to-point
!
interface Ethernet0
ip address 133.10.23.2 255.255.255.192
no ip redirects
standby 1 ip 133.10.23.1
standby 1 priority 200
standby 1 preempt
standby 1 authentication password
standby 1 track Serial0 150
!
interface Serial0
ip address 133.10.235.2 255.255.255.0
encapsulation frame-relay
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 password
ip ospf priority 0
no fair-queue
clockrate 64000
frame-relay map ip 133.10.235.8 300 broadcast
frame-relay map ip 133.10.235.3 300 broadcast
frame-relay lmi-type ansi
frame-relay intf-type dce
!
interface Serial1
ip address 133.10.12.2 255.255.255.0
crypto map jomap1
!
interface BRI0
no ip address
shutdown
isdn x25 static-tei 0
!
router eigrp 10
redistribute ospf 10 metric 100 10 255 1 1500 match internal external 1 external 2
network 133.10.12.2 0.0.0.0
no auto-summary
eigrp log-neighbor-changes
!
router ospf 10
log-adjacency-changes
area 0 authentication message-digest
area 2 range 133.10.23.0 255.255.255.0
redistribute eigrp 10 metric 199 metric-type 1 subnets
network 133.10.2.2 0.0.0.0 area 0
network 133.10.23.2 0.0.0.0 area 2
network 133.10.235.2 0.0.0.0 area 0
!
ip classless
ip http server
!
access-list 101 permit eigrp any any
access-list 101 permit ip any any
access-list 101 permit icmp any any
!
alias router e exit
alias line e exit
alias interface e exit
alias configure e exit
alias exec p ping
alias exec c config t
alias exec s sh run
alias exec sip sh ip route
alias exec sib sh ip bgp
alias exec cib clear ip bgp *
alias exec cip clear ip route *
alias exec co clear ip ospf process
alias exec crs copy run start
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
login
!
end
R2#
00:09:33: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.1, prot= 88
00:10:33: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.1, prot= 88
00:11:34: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.1, prot= 88
00:12:37: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.1, prot= 88
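Added example, not part of either post: a short Python script that tallies the %CRYPTO-4-RECVD_PKT_NOT_IPSEC messages from the console output above by source, destination and IP protocol, and marks multicast destinations, which is the check behind the reply's diagnosis. The function name summarize_drops and the protocol-name table are this example's own; the sample log lines are copied from R1's output in the post.

```python
import ipaddress
import re
from collections import Counter

# IP protocol numbers relevant to this thread (IANA assignments).
PROTO_NAMES = {1: "ICMP", 50: "ESP", 51: "AH", 88: "EIGRP", 89: "OSPF"}

# IOS wraps this message onto two lines; DOTALL lets the match span the break.
DROP_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC:.*?"
    r"dest_addr=\s*(?P<dst>[\d.]+),\s*src_addr=\s*(?P<src>[\d.]+),"
    r"\s*prot=\s*(?P<proto>\d+)",
    re.DOTALL,
)

# Log lines copied from R1's console output in the post (the trailing dots
# on the last line are ping output interleaved with the log message).
SAMPLE_LOG = """\
00:08:56: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.2, prot= 88
00:12:03: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.2, prot= 88.....
"""


def summarize_drops(log_text):
    """Group cleartext-drop messages by flow and flag multicast destinations."""
    flows = Counter()
    for m in DROP_RE.finditer(log_text):
        flows[(m["src"], m["dst"], int(m["proto"]))] += 1
    report = []
    for (src, dst, proto), count in sorted(flows.items()):
        report.append({
            "src": src,
            "dst": dst,
            "protocol": PROTO_NAMES.get(proto, str(proto)),
            "multicast": ipaddress.ip_address(dst).is_multicast,
            "count": count,
        })
    return report


if __name__ == "__main__":
    for row in summarize_drops(SAMPLE_LOG):
        kind = "multicast" if row["multicast"] else "unicast"
        print(f'{row["count"]}x {row["protocol"]} '
              f'{row["src"]} -> {row["dst"]} ({kind})')
```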