From: Oliver Ziltener (ziltener@netcloud.ch)
Date: Sun May 18 2003 - 06:13:33 GMT-3
Hey there
yes, right, I should post the configs.
I changed ACL 100 and now it seems to work.
Afterwards I started to play with the IKE lifetime, and it seems that after the
lifetime expired, no ISAKMP SA was built up anymore, but I could see hits on the
ACL! Why don't the peers bring up a new ISAKMP SA anymore?
thanks Oliver
Setup:
R8---R7---R6
hostname R8
!
crypto isakmp policy 1
hash md5
authentication pre-share
lifetime 120
crypto isakmp key cisco address 192.168.200.6
!
crypto ipsec transform-set TRANS esp-des esp-md5-hmac
!
crypto map MAP 1 ipsec-isakmp
set peer 192.168.200.6
set transform-set TRANS
match address 100
!
call rsvp-sync
cns event-service server
!
dlsw local-peer peer-id 8.8.8.8
dlsw remote-peer 0 tcp 6.6.6.6
!
interface Loopback0
ip address 8.8.8.8 255.255.255.255
!
interface Serial0/0
ip address 192.168.100.8 255.255.255.0
ip ospf hello-interval 22
no fair-queue
clockrate 64000
crypto map MAP
!
router ospf 1
log-adjacency-changes
network 8.8.8.8 0.0.0.0 area 0
network 192.168.100.0 0.0.0.255 area 0
!
access-list 100 permit tcp host 8.8.8.8 eq 2065 host 6.6.6.6
access-list 100 permit tcp host 8.8.8.8 host 6.6.6.6 eq 2065
!
*****************************
hostname R6
!
crypto isakmp policy 1
hash md5
authentication pre-share
lifetime 120
crypto isakmp key cisco address 192.168.100.8
!
crypto ipsec transform-set TRANS esp-des esp-md5-hmac
!
crypto map MAP 1 ipsec-isakmp
set peer 192.168.100.8
set transform-set TRANS
match address 100
!
dlsw local-peer peer-id 6.6.6.6
dlsw remote-peer 0 tcp 8.8.8.8
!
interface Loopback0
ip address 6.6.6.6 255.255.255.255
!
interface Ethernet0/0
ip address 192.168.200.6 255.255.255.0
half-duplex
crypto map MAP
!
router ospf 1
log-adjacency-changes
network 6.6.6.6 0.0.0.0 area 0
network 192.168.200.0 0.0.0.255 area 0
!
access-list 100 permit tcp host 6.6.6.6 host 8.8.8.8 eq 2065
access-list 100 permit tcp host 6.6.6.6 eq 2065 host 8.8.8.8
!
xXXXXXXXXXXXXXXXXXXXXXXXX
R7: only ospf and ip addresses on the interfaces
>
> My Setup:
> R8----R7-----R6
> I wanna encrypt dlsw traffic from R8 to R6 and vice versa.
>
> With
> access-list 100 permit ip host 8.8.8.8 host 6.6.6.6
> it works fine!
>
> but with
> access-list 100 permit tcp host 8.8.8.8 host 6.6.6.6 eq 2065
> it does not.
> The router comes up with the message:
> %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed
> with peer at
> 192.168.200.6
>
> Why? Thanks for helping
> Oliver
>
You'll get more responses, and more HELPFUL responses when you post your
configs.
Try adding this so you have 2065 both ways:
access-list 100 permit tcp host 8.8.8.8 eq 2065 host 6.6.6.6
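The crypto ACLs on the two peers have to be mirror images of each other, which is what the added reverse entry achieves. As an added example (not code from this thread), here is a small Python checker that parses access-list lines in the form used above and reports entries on one peer that have no mirrored counterpart on the other; the Ace class, parse_acl and unmirrored are assumed names of mine, and the sample ACLs are constructed from the configs in the mail.

```python
"""Check that two Cisco crypto ACLs are mirror images of each other.

Added example, not from the thread. Handles lines of the form
  access-list <n> permit <proto> host <src> [eq <port>] host <dst> [eq <port>]
which is the only form used in the configs above.
"""
import re
from typing import List, NamedTuple, Set


class Ace(NamedTuple):
    proto: str
    src: str
    sport: str  # "" when the entry has no source port qualifier
    dst: str
    dport: str  # "" when the entry has no destination port qualifier

    def mirror(self) -> "Ace":
        # The entry the remote peer needs: addresses and ports swapped.
        return Ace(self.proto, self.dst, self.dport, self.src, self.sport)


ACE_RE = re.compile(
    r"access-list\s+(\d+)\s+permit\s+(\S+)\s+host\s+(\S+)(?:\s+eq\s+(\S+))?"
    r"\s+host\s+(\S+)(?:\s+eq\s+(\S+))?\s*$"
)


def parse_acl(text: str, number: str) -> Set[Ace]:
    """Collect the 'host ... host ...' entries of one numbered ACL."""
    aces = set()
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == number:
            aces.add(Ace(m.group(2), m.group(3), m.group(4) or "",
                         m.group(5), m.group(6) or ""))
    return aces


def unmirrored(local: Set[Ace], remote: Set[Ace]) -> List[Ace]:
    """Entries of 'local' whose mirror image is missing on 'remote'."""
    return sorted(a for a in local if a.mirror() not in remote)


# Constructed samples: R8 as originally posted, R8 after the fix, and R6.
R8_ORIG = "access-list 100 permit tcp host 8.8.8.8 host 6.6.6.6 eq 2065\n"
R8_FIXED = R8_ORIG + "access-list 100 permit tcp host 8.8.8.8 eq 2065 host 6.6.6.6\n"
R6 = ("access-list 100 permit tcp host 6.6.6.6 host 8.8.8.8 eq 2065\n"
      "access-list 100 permit tcp host 6.6.6.6 eq 2065 host 8.8.8.8\n")

if __name__ == "__main__":
    for name, r8 in (("original", R8_ORIG), ("fixed", R8_FIXED)):
        missing = unmirrored(parse_acl(R6, "100"), parse_acl(r8, "100"))
        print(name, "R6 entries with no mirror on R8:", missing)
```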
This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:44 GMT-3