From: Teisberg, Evan (eteisbe@qwest.com)
Date: Thu May 01 2003 - 10:33:41 GMT-3
Joseph,
I'll give it a try.
You should never use "permit ip any any" in a crypto map access-list. The
function of the access-list does two things.
1)Tells the router what traffic to encrypt (outbound).
2)Tells the router what traffic coming INTO the router must be encrypted
(inbound).
With a "permit ip any any" statement, the router will ONLY accept encrypted
traffic coming in on your serial 1 interface (because everything is a match
for "permit ip any any"). This is what is breaking your eigrp.
You're getting the "Rec'd packet not an IPSEC packet" error because your
access-list 101 matches everything (permit ip any any). This means
everything received on serial 1 into the router must be encrypted traffic,
or it will be rejected. I believe that the multicast eigrp traffic
originating from serial 1 interface will never be encrypted.
To fix this (and encrypt traffic between the two ethernet subnets and the
two loopbacks):
Make R1 list 101:
access-list 101 permit ip 150.100.10.0 0.0.0.255 133.10.23.0 0.0.0.63
access-list 101 permit ip 133.10.1.0 0.0.0.255 133.10.2.0 0.0.0.255
Make R2 list 101:
access-list 101 permit ip 133.10.23.0 0.0.0.63 150.100.10.0 0.0.0.255
access-list 101 permit ip 133.10.2.0 0.0.0.255 133.10.1.0 0.0.0.255
Note how these access-lists are mirror images of one another. This is a good
rule-of-thumb to always follow on IPSEC crypto map access-lists.
I think this is the problem.
Good luck!
-Evan.
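To make the two access-list roles Evan describes concrete, here is an added example (not from the thread or from IOS) that models crypto-map ACL evaluation: outbound, a match means "encrypt"; inbound on the crypto-mapped interface, a cleartext match means "drop". It uses the posted list 101 and Evan's mirrored lists, and the EIGRP hello from the log (133.10.12.2 to 224.0.0.10); the protocol keyword handling and the mirror check are the example's own assumptions.

```python
import ipaddress

# Added example (not from the thread): a small model of how a Cisco crypto-map
# access-list is evaluated. ACEs are (protocol, src_network, dst_network).

def wildcard_net(addr, wildcard):
    """Convert an IOS 'address wildcard' pair to an IPv4Network (contiguous masks only)."""
    prefix = 32 - int(ipaddress.IPv4Address(wildcard)).bit_length()
    return ipaddress.IPv4Network((addr, prefix), strict=False)

def permit(proto, src="0.0.0.0", src_wc="255.255.255.255",
           dst="0.0.0.0", dst_wc="255.255.255.255"):
    return (proto, wildcard_net(src, src_wc), wildcard_net(dst, dst_wc))

# The list as posted in the thread (identical on R1 and R2).
ORIGINAL_101 = [permit("eigrp"), permit("ip"), permit("icmp")]

# Evan's proposed mirrored lists.
R1_101 = [permit("ip", "150.100.10.0", "0.0.0.255", "133.10.23.0", "0.0.0.63"),
          permit("ip", "133.10.1.0", "0.0.0.255", "133.10.2.0", "0.0.0.255")]
R2_101 = [permit("ip", "133.10.23.0", "0.0.0.63", "150.100.10.0", "0.0.0.255"),
          permit("ip", "133.10.2.0", "0.0.0.255", "133.10.1.0", "0.0.0.255")]

def matches(acl, proto, src, dst):
    """First-match lookup: 'ip' ACEs match every protocol (assumed model)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(p in ("ip", proto) and s in sn and d in dn for p, sn, dn in acl)

def outbound_encrypted(acl, proto, src, dst):
    """Outbound: a matching packet is sent through IPsec, anything else in the clear."""
    return matches(acl, proto, src, dst)

def inbound_cleartext_dropped(acl, proto, src, dst):
    """Inbound on the crypto-mapped interface: a cleartext packet that matches the
    crypto ACL is rejected (this is the %CRYPTO-4-RECVD_PKT_NOT_IPSEC case)."""
    return matches(acl, proto, src, dst)

def is_mirror(acl_a, acl_b):
    """True when every ACE in acl_a appears in acl_b with source/destination swapped."""
    flip = lambda acl: sorted((p, str(d), str(s)) for p, s, d in acl)
    return sorted((p, str(s), str(d)) for p, s, d in acl_a) == flip(acl_b)

if __name__ == "__main__":
    # The EIGRP hello R1 logs: src 133.10.12.2 -> 224.0.0.10, protocol 88 (eigrp).
    print(inbound_cleartext_dropped(ORIGINAL_101, "eigrp", "133.10.12.2", "224.0.0.10"))  # True
    print(inbound_cleartext_dropped(R1_101, "eigrp", "133.10.12.2", "224.0.0.10"))        # False
    print(outbound_encrypted(R1_101, "ip", "150.100.10.7", "133.10.23.9"))                # True
    print(is_mirror(R1_101, R2_101))                                                      # True
```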
-----Original Message-----
From: Joseph Hao [mailto:jthao1@hotmail.com]
Sent: Thursday, May 01, 2003 5:04 AM
To: ccielab@groupstudy.com
Subject: IPSec Encryption of EIGRP - Weird Problem (longish)
Hello Folks,
I'm trying to configure IPSec encryption across the serial link of 2 routers
(R1 and R2). I am also trying to run EIGRP over the same link. After
configuring IPSec, the EIGRP is no longer running.
I've been up all night and I'm tired and I'm missing something very simple
here, so if anyone who's fresh can look at my configs that would be great.
The full configs are below with the corresponding error message. As you can
see, IPSec configs are correct because pings work. I suspect an IOS issue
so if somebody can run the configs on a different IOS version, we can
compare the results.
Thanks
Joseph
Current configuration : 2083 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R1
!
!
!
!
!
!
ip subnet-zero
no ip domain-lookup
!
!
key chain jochain1
key 10
key-string password
accept-lifetime 00:00:00 Jan 1 1993 infinite
send-lifetime 00:00:00 Jan 1 1993 infinite
!
!
crypto isakmp policy 10
authentication pre-share
group 2
lifetime 3600
crypto isakmp key password address 133.10.12.2
!
!
crypto ipsec transform-set jotransform1 ah-sha-hmac esp-des esp-sha-hmac
!
crypto map jomap1 10 ipsec-isakmp
set peer 133.10.12.2
set security-association level per-host
set transform-set jotransform1
set pfs group2
match address 101
!
!
!
!
interface Loopback0
ip address 133.10.1.1 255.255.255.0
!
interface Ethernet0
ip address 150.100.10.1 255.255.255.0
!
interface Serial0
no ip address
shutdown
no fair-queue
!
interface Serial1
ip address 133.10.12.1 255.255.255.0
clockrate 64000
crypto map jomap1
!
interface BRI0
no ip address
shutdown
isdn x25 static-tei 0
!
router eigrp 10
redistribute bgp 3000 metric 100 10 255 1 1500
network 133.10.1.1 0.0.0.0
network 133.10.12.1 0.0.0.0
network 150.100.10.1 0.0.0.0
no auto-summary
eigrp log-neighbor-changes
!
router bgp 3000
no synchronization
bgp log-neighbor-changes
redistribute eigrp 10 metric 3333
neighbor 133.10.8.8 remote-as 3000
neighbor 133.10.8.8 ebgp-multihop 10
neighbor 133.10.8.8 update-source Loopback0
neighbor 150.100.10.9 remote-as 1000
neighbor 150.100.10.9 password password
no auto-summary
!
ip classless
ip http server
!
access-list 101 permit eigrp any any
access-list 101 permit ip any any
access-list 101 permit icmp any any
!
alias router e exit
alias line e exit
alias interface e exit
alias configure e exit
alias exec p ping
alias exec c config t
alias exec s sh run
alias exec sip sh ip route
alias exec sib sh ip bgp
alias exec cib clear ip bgp *
alias exec cip clear ip route *
alias exec co clear ip ospf process
alias exec crs copy run start
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
login
!
end
R1#
00:08:56: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.2, prot= 88
00:09:57: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.2, prot= 88
00:11:02: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.2, prot= 88
R1#
R1#ping 133.10.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 133.10.12.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#ping 133.10.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 133.10.12.2, timeout is 2 seconds:
00:12:03: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.2, prot= 88.....
Success rate is 0 percent (0/5)
R1#ping 133.10.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 133.10.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 108/108/108 ms
R1#
00:13:05: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.2, prot= 88
00:14:06: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.2, prot= 88
00:15:06: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.2, prot= 88
Current configuration : 2525 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R2
!
!
!
!
!
!
ip subnet-zero
no ip domain-lookup
!
frame-relay switching
!
key chain jochain1
key 10
key-string password
accept-lifetime 00:00:00 Jan 1 1993 infinite
send-lifetime 00:00:00 Jan 1 1993 infinite
!
!
crypto isakmp policy 10
authentication pre-share
group 2
lifetime 3600
crypto isakmp key password address 133.10.12.1
!
!
crypto ipsec transform-set jotransform1 ah-sha-hmac esp-des esp-sha-hmac
!
crypto map jomap1 10 ipsec-isakmp
set peer 133.10.12.1
set security-association level per-host
set transform-set jotransform1
set pfs group2
match address 101
!
!
!
!
interface Loopback0
ip address 133.10.2.2 255.255.255.0
ip ospf network point-to-point
!
interface Ethernet0
ip address 133.10.23.2 255.255.255.192
no ip redirects
standby 1 ip 133.10.23.1
standby 1 priority 200
standby 1 preempt
standby 1 authentication password
standby 1 track Serial0 150
!
interface Serial0
ip address 133.10.235.2 255.255.255.0
encapsulation frame-relay
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 password
ip ospf priority 0
no fair-queue
clockrate 64000
frame-relay map ip 133.10.235.8 300 broadcast
frame-relay map ip 133.10.235.3 300 broadcast
frame-relay lmi-type ansi
frame-relay intf-type dce
!
interface Serial1
ip address 133.10.12.2 255.255.255.0
crypto map jomap1
!
interface BRI0
no ip address
shutdown
isdn x25 static-tei 0
!
router eigrp 10
redistribute ospf 10 metric 100 10 255 1 1500 match internal external 1 external 2
network 133.10.12.2 0.0.0.0
no auto-summary
eigrp log-neighbor-changes
!
router ospf 10
log-adjacency-changes
area 0 authentication message-digest
area 2 range 133.10.23.0 255.255.255.0
redistribute eigrp 10 metric 199 metric-type 1 subnets
network 133.10.2.2 0.0.0.0 area 0
network 133.10.23.2 0.0.0.0 area 2
network 133.10.235.2 0.0.0.0 area 0
!
ip classless
ip http server
!
access-list 101 permit eigrp any any
access-list 101 permit ip any any
access-list 101 permit icmp any any
!
alias router e exit
alias line e exit
alias interface e exit
alias configure e exit
alias exec p ping
alias exec c config t
alias exec s sh run
alias exec sip sh ip route
alias exec sib sh ip bgp
alias exec cib clear ip bgp *
alias exec cip clear ip route *
alias exec co clear ip ospf process
alias exec crs copy run start
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
login
!
end
R2#
00:09:33: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.1, prot= 88
00:10:33: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.1, prot= 88
00:11:34: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.1, prot= 88
00:12:37: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 224.0.0.10, src_addr= 133.10.12.1, prot= 88
This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:35 GMT-3