RE: TED Help

From: Wright, Jeremy (wright@admworld.com)
Date: Wed Apr 21 2004 - 09:38:36 GMT-3


I rebuilt my config from scratch and on 1 side I get the debug output and I see ACL hits. When I try it on the other side it doesn't even try to come up. There are no hits on the ACL either. I triple checked my ACL and still no hits on the ACL. Keep in mind that I'm working on 2500's so there may be a bug or something. What hardware are you working on?

-----Original Message-----
From: murali68@emirates.net.ae [mailto:murali68@emirates.net.ae]
Sent: Wednesday, April 21, 2004 4:00 AM
To: patrick.basso@groupstudy.com
Cc: security@groupstudy.com; ccielab@groupstudy.com
Subject: Re: TED Help

Hi Jeremy,

I tried your configuration in my lab setup and it works fine. I guess you must be making some other small mistake in your setup. The debug output with the TED portion from one of the routers is shown below.

00:31:33: IPSEC(tunnel discover request): ,
  (key eng. msg.) src= 192.168.15.2, dest= 172.16.44.4,
    src_proxy= 192.168.15.0/255.255.255.0/0/0 (type=4),
    dest_proxy= 150.50.12.1/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
dest=Serial0:150.50.12.2
00:31:33: ISAKMP: received ke message (1/1)
00:31:33: ISAKMP: GOT A PEER DISCOVERY MESSAGE FROM THE SA MANAGER!!!
00:31:33: src = 192.168.15.2 to 172.16.44.4, protocol 3, transform 2, hmac 1
00:31:33: proxy source is 192.168.15.0/255.255.255.0 and my address (not used now) is 150.50.12.1
00:31:33: ISAKMP: local port 500, remote port 500
00:31:33: ISAKMP (1): ID payload
        next-payload : 5
        type : 1
        protocol : 17
        port : 500
        length : 8
00:31:33: ISAKMP (1): Total payload length: 12
00:31:33: 1st ID is 150.50.12.1
00:31:33: 2nd ID is 192.168.15.0 /255.255.255.0
00:31:33: ISAKMP (0:1): beginning peer discovery exchange
00:31:33: ISAKMP (1): sending packet to 172.16.44.4 (I)
PEER_DISCOVERY via Serial0:150.50.12.2
00:31:33: ISAKMP (1): received packet from 150.50.24.4 (I) PEER_DISCOVERY
00:31:33: ISAKMP (0:1): processing vendor id payload
00:31:33: ISAKMP (0:1): speaking to another IOS box!
00:31:33: ISAKMP (0:1): processing ID payload. message ID = 0
00:31:33: ISAKMP (0:1): processing ID payload. message ID = -184628929
00:31:33: ISAKMP (1): ID_IPV4_ADDR_SUBNET dst 172.16.44.0/255.255.255.0 prot 0 port 0
00:31:33: ISAKMP (1): received response to my peer discovery probe!
......MORE

Best regards,

Murali Sethuraman

----- Original Message -----
From: "Wright, Jeremy" <wright@admworld.com>
Date: Wednesday, April 21, 2004 6:17 am
Subject: TED Help

> I can't seem to get TED fired up. I pulled the info straight off CCO
> (minus IP's) and no output on debug crypto isakmp,ipsec,engine. No
> hits on my ACL either. Below are my configs. R1-R2(hub router)-R4
>
> R1:
> crypto isakmp policy 10
>  authentication pre-share
> crypto isakmp key abc123 address 0.0.0.0 0.0.0.0
> !
> crypto ipsec transform-set ted-transforms esp-des esp-md5-hmac
> !
> crypto dynamic-map ted-map 10
>  set transform-set ted-transforms
>  match address 101
> !
> crypto map tedtag 10 ipsec-isakmp dynamic ted-map discover
> !
> interface FastEthernet0/0
>  ip address 192.168.15.1 255.255.255.0
> !
> interface Serial0/0
>  ip address 150.50.12.1 255.255.255.0
>  encapsulation frame-relay
>  frame-relay map ip 150.50.12.2 112 broadcast
>  no frame-relay inverse-arp
>  crypto map tedtag
> !
> ip route 0.0.0.0 0.0.0.0 150.50.12.2
> access-list 101 permit ip 192.168.15.0 0.0.0.255 172.16.44.0 0.0.0.255
>
> R2:
> interface Serial0.21 point-to-point
>  ip address 150.50.12.2 255.255.255.0
>  frame-relay interface-dlci 121
> !
> interface Serial0.24 point-to-point
>  ip address 150.50.24.2 255.255.255.0
>  frame-relay interface-dlci 124
> !
> ip route 172.16.44.0 255.255.255.0 150.50.24.4
> ip route 192.168.15.0 255.255.255.0 150.50.12.1
>
> R4:
> crypto isakmp policy 10
>  authentication pre-share
> crypto isakmp key abc123 address 0.0.0.0 0.0.0.0
> !
> crypto ipsec transform-set ted-transforms esp-des esp-md5-hmac
> !
> crypto dynamic-map ted-map 10
>  set transform-set ted-transforms
>  match address 101
> !
> crypto map tedtag 10 ipsec-isakmp dynamic ted-map discover
> !
> interface Ethernet0
>  ip address 172.16.44.4 255.255.255.0
> !
> interface Serial0
>  ip address 150.50.24.4 255.255.255.0
>  encapsulation frame-relay
>  frame-relay map ip 150.50.24.2 142 broadcast
>  no frame-relay inverse-arp
>  crypto map tedtag
> !
> access-list 101 permit ip 172.16.44.0 0.0.0.255 192.168.15.0 0.0.0.255
> ip route 0.0.0.0 0.0.0.0 150.50.24.2
>
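Added example, not part of this thread or of any Cisco tool: a small Python check of the crypto ACLs from Jeremy's R1/R4 configs, covering the two things TED depends on (the ACE must hit the flow that triggers the probe, and the two peers' ACEs must be mirror images) and rendering a base/wildcard pair as the CIDR proxy identity ISAKMP prints in the debug above. The `BAD_R1_ACE` value is a constructed mistake for illustration.

```python
# Added example (not from the thread): evaluates Cisco crypto ACLs the way
# TED needs them. The R1/R4 ACE strings are copied from Jeremy's configs;
# BAD_R1_ACE is a constructed mistake (R4's line pasted onto R1 unchanged).
import ipaddress

R1_ACE = "access-list 101 permit ip 192.168.15.0 0.0.0.255 172.16.44.0 0.0.0.255"
R4_ACE = "access-list 101 permit ip 172.16.44.0 0.0.0.255 192.168.15.0 0.0.0.255"
BAD_R1_ACE = R4_ACE  # constructed: not the mirror of R4, so no hits on R1


def parse_ace(ace):
    """Return (src, src_wildcard, dst, dst_wildcard) from a 'permit ip' ACE."""
    p = ace.split()
    if p[:1] != ["access-list"] or p[2:4] != ["permit", "ip"] or len(p) != 8:
        raise ValueError("only 'access-list N permit ip A WA B WB' is handled")
    return p[4], p[5], p[6], p[7]


def _to_int(a):
    return int(ipaddress.IPv4Address(a))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def ace_hits(ace, src, dst):
    """True if a packet src->dst would count as a hit on this ACE."""
    sb, sw, db, dw = parse_ace(ace)
    return wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)


def wildcard_to_network(base, wildcard):
    """Render base/wildcard as the CIDR proxy identity seen in the ISAKMP debug."""
    w = _to_int(wildcard)
    if w & (w + 1):  # trailing ones only; otherwise it is not a prefix
        raise ValueError("non-contiguous wildcard cannot be a proxy identity")
    return str(ipaddress.IPv4Network((base, 32 - w.bit_length()), strict=False))


def is_mirror(ace_a, ace_b):
    """IPsec peers need mirror-image crypto ACLs: A's src/dst == B's dst/src."""
    sa, swa, da, dwa = parse_ace(ace_a)
    sb, swb, db, dwb = parse_ace(ace_b)
    return (sa, swa, da, dwa) == (db, dwb, sb, swb)
```

Running `ace_hits(BAD_R1_ACE, "192.168.15.2", "172.16.44.4")` returns False, which is exactly the "no hits on my ACL" symptom: the ACE never matches, so the probe is never sent.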



This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:51 GMT-3