IPSec Phase I doesn't happen

From: Jason Aarons (jaarons@hotmail.com)
Date: Thu Nov 25 2004 - 15:07:21 GMT-3


PC on 10.1.1.50 generates interesting traffic (acl122) to 172.16.16.2,
but the IPSec tunnel doesn't get built (no output from debug crypto ipsec
sa). TAC is looking at this but can't find what is wrong. The remote
network already has a 10.1.1.0 network, so I static nat my end to
10.1.2.0 which is ACL 121. This is complex. Code is 12.3(9b)

!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key <something> address 44.33.148.192
!
crypto ipsec transform-set TYCO-com esp-3des esp-md5-hmac
!
crypto map IPSec 10 ipsec-isakmp
 description sengel@TYCO.com
 set peer 44.33.148.192
 set transform-set TYCO-com
 match address 122
!
interface Ethernet0
 ip address 66.109.64.9 255.255.255.240
!
interface FastEthernet0
 description connected to Internal LAN
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
!
interface Serial0
 no ip address
 encapsulation frame-relay
!
interface Serial0.1 point-to-point
 ip address 44.109.64.250 255.255.255.252
 ip nat outside
 frame-relay interface-dlci 448 IETF
 crypto map IPSec
!
ip nat inside source list 1 interface Serial0.1 overload
ip nat inside source static tcp 10.1.1.10 49201 44.109.73.83 49201 extendable
ip nat inside source static network 10.1.1.0 10.1.2.0 /24 route-map TYCO
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0.1
!
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 121 remark Used for IPSEC
access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.15.0 0.0.0.255
access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.16.0 0.0.0.255
access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.17.0 0.0.0.255
access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.18.0 0.0.0.255
access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.19.0 0.0.0.255
access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 121 permit ip 10.1.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 121 permit ip 10.1.1.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 121 permit ip 10.1.1.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 121 permit ip 10.1.1.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 122 remark Used for IPSEC
access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.200.0 0.0.0.255
access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.15.0 0.0.0.255
access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.16.0 0.0.0.255
access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.17.0 0.0.0.255
access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.18.0 0.0.0.255
access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.19.0 0.0.0.255
access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 122 permit ip 10.1.2.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 122 permit ip 10.1.2.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 122 permit ip 10.1.2.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 122 permit ip 10.1.2.0 0.0.0.255 192.168.103.0 0.0.0.255
!
route-map TYCO permit 10
 match ip address 121


This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:50 GMT-3
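
Added example, not part of the original post: a Python trace of the path the post describes, checking one packet against route-map TYCO (ACL 121), the static network NAT, and then crypto ACL 122, on the basis that IOS applies inside-to-outside NAT before the crypto map check. The function names are made up for this example, 172.16.21.2 is a constructed non-matching destination, and the overload rule on list 1 is not modeled.

```python
import ipaddress

# Destination networks listed in ACL 121 and ACL 122 in the post.
DESTS = ("172.16.200.0 172.16.15.0 172.16.16.0 172.16.17.0 172.16.18.0 "
         "172.16.19.0 172.16.20.0 192.168.100.0 192.168.101.0 "
         "192.168.102.0 192.168.103.0").split()
# ACL text rebuilt from the post: 121 (pre-NAT source), 122 (post-NAT source).
CONFIG = "\n".join(
    f"access-list {num} permit ip {src} 0.0.0.255 {dst} 0.0.0.255"
    for num, src in ((121, "10.1.1.0"), (122, "10.1.2.0")) for dst in DESTS)

def ip(a):
    return int(ipaddress.IPv4Address(a))

def parse_acls(text):
    """Parse 'access-list N permit|deny ip SRC WILD DST WILD' lines."""
    acls = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 8 and f[0] == "access-list" and f[3] == "ip":
            acls.setdefault(int(f[1]), []).append(
                (f[2], ip(f[4]), ip(f[5]), ip(f[6]), ip(f[7])))
    return acls

def acl_permits(entries, src, dst):
    """First match wins; wildcard bits set to 1 are ignored; implicit deny."""
    for action, s, sw, d, dw in entries:
        src_ok = (ip(src) ^ s) & ~sw & 0xFFFFFFFF == 0
        dst_ok = (ip(dst) ^ d) & ~dw & 0xFFFFFFFF == 0
        if src_ok and dst_ok:
            return action == "permit"
    return False

def static_network_nat(src, local="10.1.1.0", glob="10.1.2.0", plen=24):
    """Apply 'static network LOCAL GLOBAL /24': swap prefix, keep host bits."""
    host_mask = (1 << (32 - plen)) - 1
    if (ip(src) ^ ip(local)) & ~host_mask & 0xFFFFFFFF:
        return None  # source is outside the local network
    return str(ipaddress.IPv4Address(ip(glob) | (ip(src) & host_mask)))

def trace(src, dst, acls=None):
    """One inside-to-outside packet: route-map TYCO, NAT, then crypto ACL 122."""
    acls = acls or parse_acls(CONFIG)
    nat_src = static_network_nat(src) if acl_permits(acls[121], src, dst) else None
    seen = nat_src or src  # overload rule (list 1) is not modeled here
    return {"nat_src": nat_src, "crypto_match": acl_permits(acls[122], seen, dst)}

if __name__ == "__main__":
    for dst in ("172.16.16.2", "172.16.21.2"):  # second address is constructed
        print(dst, trace("10.1.1.50", dst))
```

A `crypto_match` of `True` only shows that the ACL and NAT logic select the packet for the crypto map; it says nothing about ISAKMP negotiation with the peer.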