Re: IPSec Encryption of EIGRP - Weird Problem (longish)

From: Joseph Hao (jthao1@hotmail.com)
Date: Thu May 01 2003 - 09:19:49 GMT-3


Got it. I simply added the neighbor command under EIGRP.

Joseph

----- Original Message -----
From: "Joseph Hao" <jthao1@hotmail.com>
To: <ccielab@groupstudy.com>
Sent: Thursday, May 01, 2003 6:04 AM
Subject: IPSec Encryption of EIGRP - Weird Problem (longish)

> Hello Folks,
>
> I'm trying to configure IPSec encryption across the serial link of 2 routers
> (R1 and R2). I am also trying to run EIGRP over the same link. After
> configuring IPSec, the EIGRP is no longer running.
>
> I've been up all night and I'm tired and I'm missing something very simple
> here, so if anyone who's fresh can look at my configs that would be great.
>
> The full configs are below with the corresponding error message. As you can
> see, IPSec configs are correct because pings work. I suspect an IOS issue
> so if somebody can run the configs on a different IOS version, we can
> compare the results.
>
>
>
> Thanks
> Joseph
>
>
>
> Current configuration : 2083 bytes
> !
> version 12.1
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname R1
> !
> !
> !
> !
> !
> !
> ip subnet-zero
> no ip domain-lookup
> !
> !
> key chain jochain1
> key 10
> key-string password
> accept-lifetime 00:00:00 Jan 1 1993 infinite
> send-lifetime 00:00:00 Jan 1 1993 infinite
> !
> !
> crypto isakmp policy 10
> authentication pre-share
> group 2
> lifetime 3600
> crypto isakmp key password address 133.10.12.2
> !
> !
> crypto ipsec transform-set jotransform1 ah-sha-hmac esp-des esp-sha-hmac
> !
> crypto map jomap1 10 ipsec-isakmp
> set peer 133.10.12.2
> set security-association level per-host
> set transform-set jotransform1
> set pfs group2
> match address 101
> !
> !
> !
> !
> interface Loopback0
> ip address 133.10.1.1 255.255.255.0
> !
> interface Ethernet0
> ip address 150.100.10.1 255.255.255.0
> !
> interface Serial0
> no ip address
> shutdown
> no fair-queue
> !
> interface Serial1
> ip address 133.10.12.1 255.255.255.0
> clockrate 64000
> crypto map jomap1
> !
> interface BRI0
> no ip address
> shutdown
> isdn x25 static-tei 0
> !
> router eigrp 10
> redistribute bgp 3000 metric 100 10 255 1 1500
> network 133.10.1.1 0.0.0.0
> network 133.10.12.1 0.0.0.0
> network 150.100.10.1 0.0.0.0
> no auto-summary
> eigrp log-neighbor-changes
> !
> router bgp 3000
> no synchronization
> bgp log-neighbor-changes
> redistribute eigrp 10 metric 3333
> neighbor 133.10.8.8 remote-as 3000
> neighbor 133.10.8.8 ebgp-multihop 10
> neighbor 133.10.8.8 update-source Loopback0
> neighbor 150.100.10.9 remote-as 1000
> neighbor 150.100.10.9 password password
> no auto-summary
> !
> ip classless
> ip http server
> !
> access-list 101 permit eigrp any any
> access-list 101 permit ip any any
> access-list 101 permit icmp any any
> !
> alias router e exit
> alias line e exit
> alias interface e exit
> alias configure e exit
> alias exec p ping
> alias exec c config t
> alias exec s sh run
> alias exec sip sh ip route
> alias exec sib sh ip bgp
> alias exec cib clear ip bgp *
> alias exec cip clear ip route *
> alias exec co clear ip ospf process
> alias exec crs copy run start
> !
> line con 0
> exec-timeout 0 0
> line aux 0
> line vty 0 4
> login
> !
> end
>
> R1#
> 00:08:56: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
> (ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.2, prot= 88
> 00:09:57: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
> (ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.2, prot= 88
> 00:11:02: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
> (ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.2, prot= 88
> R1#
> R1#ping 133.10.12.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 133.10.12.2, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
> R1#ping 133.10.12.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 133.10.12.2, timeout is 2 seconds:
>
> 00:12:03: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
> (ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.2, prot= 88.....
> Success rate is 0 percent (0/5)
> R1#ping 133.10.12.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 133.10.12.2, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 108/108/108 ms
> R1#
> 00:13:05: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
> (ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.2, prot= 88
> 00:14:06: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
> (ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.2, prot= 88
> 00:15:06: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
> (ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.2, prot= 88
>
> Current configuration : 2525 bytes
> !
> version 12.1
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname R2
> !
> !
> !
> !
> !
> !
> ip subnet-zero
> no ip domain-lookup
> !
> frame-relay switching
> !
> key chain jochain1
> key 10
> key-string password
> accept-lifetime 00:00:00 Jan 1 1993 infinite
> send-lifetime 00:00:00 Jan 1 1993 infinite
> !
> !
> crypto isakmp policy 10
> authentication pre-share
> group 2
> lifetime 3600
> crypto isakmp key password address 133.10.12.1
> !
> !
> crypto ipsec transform-set jotransform1 ah-sha-hmac esp-des esp-sha-hmac
> !
> crypto map jomap1 10 ipsec-isakmp
> set peer 133.10.12.1
> set security-association level per-host
> set transform-set jotransform1
> set pfs group2
> match address 101
> !
> !
> !
> !
> interface Loopback0
> ip address 133.10.2.2 255.255.255.0
> ip ospf network point-to-point
> !
> interface Ethernet0
> ip address 133.10.23.2 255.255.255.192
> no ip redirects
> standby 1 ip 133.10.23.1
> standby 1 priority 200
> standby 1 preempt
> standby 1 authentication password
> standby 1 track Serial0 150
> !
> interface Serial0
> ip address 133.10.235.2 255.255.255.0
> encapsulation frame-relay
> ip ospf authentication message-digest
> ip ospf message-digest-key 1 md5 password
> ip ospf priority 0
> no fair-queue
> clockrate 64000
> frame-relay map ip 133.10.235.8 300 broadcast
> frame-relay map ip 133.10.235.3 300 broadcast
> frame-relay lmi-type ansi
> frame-relay intf-type dce
> !
> interface Serial1
> ip address 133.10.12.2 255.255.255.0
> crypto map jomap1
> !
> interface BRI0
> no ip address
> shutdown
> isdn x25 static-tei 0
> !
> router eigrp 10
> redistribute ospf 10 metric 100 10 255 1 1500 match internal external 1 external 2
> network 133.10.12.2 0.0.0.0
> no auto-summary
> eigrp log-neighbor-changes
> !
> router ospf 10
> log-adjacency-changes
> area 0 authentication message-digest
> area 2 range 133.10.23.0 255.255.255.0
> redistribute eigrp 10 metric 199 metric-type 1 subnets
> network 133.10.2.2 0.0.0.0 area 0
> network 133.10.23.2 0.0.0.0 area 2
> network 133.10.235.2 0.0.0.0 area 0
> !
> ip classless
> ip http server
> !
> access-list 101 permit eigrp any any
> access-list 101 permit ip any any
> access-list 101 permit icmp any any
> !
> alias router e exit
> alias line e exit
> alias interface e exit
> alias configure e exit
> alias exec p ping
> alias exec c config t
> alias exec s sh run
> alias exec sip sh ip route
> alias exec sib sh ip bgp
> alias exec cib clear ip bgp *
> alias exec cip clear ip route *
> alias exec co clear ip ospf process
> alias exec crs copy run start
> !
> line con 0
> exec-timeout 0 0
> line aux 0
> line vty 0 4
> login
> !
> end
>
> R2#
> 00:09:33: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
> (ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.1, prot= 88
> 00:10:33: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
> (ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.1, prot= 88
> 00:11:34: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
> (ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.1, prot= 88
> 00:12:37: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
> (ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.1, prot= 88
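
A way to triage the %CRYPTO-4-RECVD_PKT_NOT_IPSEC messages quoted above, added here as an example and not part of the original post: it parses the console lines and separates EIGRP hellos sent to 224.0.0.10 (protocol 88), which the neighbor command replaces with unicast, from other cleartext drops. The sample log is constructed in the format of the post, and the cause labels are names chosen for this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format of the console output quoted above,
# including the wrapped continuation line and ping dots glued to a message.
SAMPLE_LOG = """\
00:08:56: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.2, prot= 88
00:12:03: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.2, prot= 88.....
00:12:40: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 133.10.12.1, src_addr= 133.10.12.2, prot= 1
"""

DROP_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC:.*?dest_addr=\s*([\d.]+),"
    r"\s*src_addr=\s*([\d.]+),\s*prot=\s*(\d+)", re.S)

EIGRP_PROTO = 88
EIGRP_GROUP = ipaddress.ip_address("224.0.0.10")


def parse_drops(text):
    """Return (src, dst, ip_protocol) for every cleartext-drop message."""
    return [(ipaddress.ip_address(s), ipaddress.ip_address(d), int(p))
            for d, s, p in DROP_RE.findall(text)]


def classify(src, dst, proto):
    """Name the likely cause of one drop from its destination and protocol."""
    if proto == EIGRP_PROTO and dst == EIGRP_GROUP:
        # Hellos to the EIGRP group arrived outside IPsec; a static unicast
        # neighbor (the fix reported in the post) stops the multicast hellos.
        return "eigrp-multicast-hello"
    if dst.is_multicast:
        return "other-multicast"
    return "unicast-cleartext"  # peer sent selected unicast traffic unprotected


def summarize(text):
    """Count drops per (peer, cause) so recurring hellos stand out."""
    counts = Counter()
    for src, dst, proto in parse_drops(text):
        counts[(str(src), classify(src, dst, proto))] += 1
    return dict(counts)


if __name__ == "__main__":
    for (peer, cause), n in summarize(SAMPLE_LOG).items():
        print(f"{peer}: {cause} x{n}")
```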



This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:35 GMT-3