From: Michael Snyder (msnyder@revolutioncomputer.com)
Date: Wed Dec 10 2003 - 15:35:48 GMT-3
IPsec doesn't do multicast, which is needed for OSPF.
You can line the VPN tunnels with GRE tunnels.
-----Original Message-----
From: Sean Garrett [mailto:sgarrett@perfectorder.com]
Sent: Wednesday, December 10, 2003 11:51 AM
To: security@groupstudy.com
Subject: IPsec /ospf question
I have three routers (R4, R2, R3) configured in a FR hub and spoke with R4 as the hub.
OSPF is working fine before adding IPsec between the sites. My crypto ACLs are permitting all IP traffic any/any. Why are the OSPF packets not being included with the IP traffic defined by the crypto maps?
%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet,
on all three routers. What needs to be done to keep the OSPF adjacency? I've also reloaded all three routers.
The tasks in the scenario are as follows:
> Set up IPsec between R4, R2, R3 over the frame network only to ensure that all data between these routers is not susceptible to intruders.
> Use MD5 as the hashing alg
> Auth is pre-shared, key is to be CCIE, 56-bit
> SHA to calc the hashes on the actual packet payloads in ESP
> IPsec to use transport mode
> SA lifetime to 300 sec
> Use one transform set on each router
I have included the relevant IPsec configurations below.
=============
R4
=============
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key CCIE address 144.254.3.2
crypto isakmp key CCIE address 144.254.3.3
!
crypto ipsec transform-set MYSET esp-des esp-sha-hmac
mode transport
!
crypto map MYMAP 1 ipsec-isakmp
set peer 144.254.3.2
set peer 144.254.3.3
set security-association lifetime seconds 300
set transform-set MYSET
match address 150
!
access-list 150 permit ip any any
!
interface Serial0/0.1 multipoint
ip address 144.254.3.1 255.255.255.240
crypto map MYMAP
---
5d13h: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) dest_addr= 224.0.0.5, src_addr= 144.254.3.3, prot= 89
5d13h: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) dest_addr= 224.0.0.5, src_addr= 144.254.3.2, prot= 89
=============
R2
=============
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key CCIE address 144.254.3.1
!
crypto ipsec transform-set MYSET esp-des esp-sha-hmac
mode transport
!
crypto map MYMAP 1 ipsec-isakmp
set peer 144.254.3.1
set security-association lifetime seconds 300
set transform-set MYSET
match address 150
!
interface Serial0
ip address 144.254.3.2 255.255.255.240
crypto map MYMAP
---
2w5d: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) dest_addr= 224.0.0.5, src_addr= 144.254.3.1, prot= 89
=============
R3
=============
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key CCIE address 144.254.3.1
!
crypto ipsec transform-set MYSET esp-des esp-sha-hmac
mode transport
!
crypto map MYMAP 1 ipsec-isakmp
set peer 144.254.3.1
set security-association lifetime seconds 300
set transform-set MYSET
match address 150
!
access-list 150 permit ip any any
!
interface Serial0
ip address 144.254.3.3 255.255.255.240
crypto map MYMAP
---
2w5d: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) dest_addr= 224.0.0.5, src_addr= 144.254.3.1, prot= 89
Thanks,
Sean Garrett, CCIE#11390
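The log lines above all share one pattern: a multicast destination (224.0.0.5) and protocol 89, which is OSPF. The crypto map has no peer for a multicast destination, so those hellos are sent and received in the clear regardless of the any/any crypto ACL, which is why the message fires on every router. The same message with a unicast destination would mean cleartext traffic arriving that the crypto map expected to be ESP-protected, and that is the case worth investigating. The following Python is an added example (not from the thread) that parses the IOS message format and separates the two cases; the sample lines are constructed, with the third unicast line added to show the contrast.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample syslog lines, modelled on the %CRYPTO-4-RECVD_PKT_NOT_IPSEC
# messages quoted in the thread. The third (unicast, proto 6 = TCP) line is
# invented to show what a real policy bypass would look like.
SAMPLE_LOG = """\
5d13h: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) dest_addr= 224.0.0.5, src_addr= 144.254.3.3, prot= 89
5d13h: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) dest_addr= 224.0.0.5, src_addr= 144.254.3.2, prot= 89
2w5d: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) dest_addr= 144.254.3.1, src_addr= 144.254.3.2, prot= 6
"""

# Extract the three fields IOS prints after the message text.
LINE_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC:.*?dest_addr=\s*(?P<dst>[\d.]+),"
    r"\s*src_addr=\s*(?P<src>[\d.]+),\s*prot=\s*(?P<proto>\d+)"
)
OSPF_PROTO = 89  # IP protocol number for OSPF


@dataclass
class Finding:
    src: str
    dst: str
    proto: int
    verdict: str


def classify(src: str, dst: str, proto: int) -> str:
    """Multicast destinations never match a crypto-map peer, so cleartext
    there is expected; a unicast destination is unprotected traffic."""
    if ip_address(dst).is_multicast:
        return "expected-multicast-ospf" if proto == OSPF_PROTO else "expected-multicast"
    return "unprotected-unicast"


def parse_log(text: str) -> list[Finding]:
    findings = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a RECVD_PKT_NOT_IPSEC message
        src, dst, proto = m["src"], m["dst"], int(m["proto"])
        findings.append(Finding(src, dst, proto, classify(src, dst, proto)))
    return findings


def unprotected_unicast(findings: list[Finding]) -> list[Finding]:
    """The subset an operator should actually chase down."""
    return [f for f in findings if f.verdict == "unprotected-unicast"]


if __name__ == "__main__":
    for f in parse_log(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst} proto {f.proto}: {f.verdict}")
```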
This archive was generated by hypermail 2.1.4 : Sat Jan 03 2004 - 08:25:38 GMT-3