Re: IPSec Phase I doesn't happen

From: Lee Gillespie (gillespie_ccie@yahoo.com)
Date: Fri Nov 26 2004 - 01:37:18 GMT-3


The same thing happened to me just the other week, I
think there is a bug in the code. To get it up, I
placed the loopback of the router into the crypto map
ACL and started a ping sourced from the Loopback. The
tunnel came right up. I then removed the loopback from
the ACL but interesting traffic was then able to bring
the tunnel up. It was like the tunnel just needed to
be kick-started.

--- Larry Roberts <Groupstudy@american-hero.com>
wrote:

> Have you debugged the isakmp negotiations?
>
> What does "show crypto isakmp sa" give you ?
>
> What does the other side configuration look like?
>
>
> Jason Aarons wrote:
>
> >PC on 10.1.1.50 generates interesting traffic (acl122) to 172.16.16.2,
> >but the IPSec tunnel doesn't get built (no output from debug crypto ipsec
> >sa). TAC is looking at this but can't find what is wrong. The remote
> >network already has a 10.1.1.0 network, so I static nat my end to
> >10.1.2.0 which is ACL 121. This is complex.. Code is 12.3(9b)
> >!
> >crypto isakmp policy 10
> > encr 3des
> > hash md5
> > authentication pre-share
> > group 2
> >crypto isakmp key <something> address 44.33.148.192
> >!
> >crypto ipsec transform-set TYCO-com esp-3des esp-md5-hmac
> >!
> >crypto map IPSec 10 ipsec-isakmp
> > description sengel@TYCO.com
> > set peer 44.33.148.192
> > set transform-set TYCO-com
> > match address 122
> >!
> >interface Ethernet0
> > ip address 66.109.64.9 255.255.255.240
> >!
> >interface FastEthernet0
> > description connected to Internal LAN
> > ip address 10.1.1.2 255.255.255.0
> > ip nat inside
> >!
> >interface Serial0
> > no ip address
> > encapsulation frame-relay
> >!
> >interface Serial0.1 point-to-point
> > ip address 44.109.64.250 255.255.255.252
> > ip nat outside
> > frame-relay interface-dlci 448 IETF
> > crypto map IPSec
> >!
> >ip nat inside source list 1 interface Serial0.1 overload
> >ip nat inside source static tcp 10.1.1.10 49201 44.109.73.83 49201 extendable
> >ip nat inside source static network 10.1.1.0 10.1.2.0 /24 route-map TYCO
> >ip classless
> >ip route 0.0.0.0 0.0.0.0 Serial0.1
> >!
> >access-list 1 permit 10.1.1.0 0.0.0.255
> >access-list 121 remark Used for IPSEC
> >access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.200.0 0.0.0.255
> >access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.15.0 0.0.0.255
> >access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.16.0 0.0.0.255
> >access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.17.0 0.0.0.255
> >access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.18.0 0.0.0.255
> >access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.19.0 0.0.0.255
> >access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.20.0 0.0.0.255
> >access-list 121 permit ip 10.1.1.0 0.0.0.255 192.168.100.0 0.0.0.255
> >access-list 121 permit ip 10.1.1.0 0.0.0.255 192.168.101.0 0.0.0.255
> >access-list 121 permit ip 10.1.1.0 0.0.0.255 192.168.102.0 0.0.0.255
> >access-list 121 permit ip 10.1.1.0 0.0.0.255 192.168.103.0 0.0.0.255
> >access-list 122 remark Used for IPSEC
> >access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.200.0 0.0.0.255
> >access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.15.0 0.0.0.255
> >access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.16.0 0.0.0.255
> >access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.17.0 0.0.0.255
> >access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.18.0 0.0.0.255
> >access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.19.0 0.0.0.255
> >access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.20.0 0.0.0.255
> >access-list 122 permit ip 10.1.2.0 0.0.0.255 192.168.100.0 0.0.0.255
> >access-list 122 permit ip 10.1.2.0 0.0.0.255 192.168.101.0 0.0.0.255
> >access-list 122 permit ip 10.1.2.0 0.0.0.255 192.168.102.0 0.0.0.255
> >access-list 122 permit ip 10.1.2.0 0.0.0.255 192.168.103.0 0.0.0.255
> >!
> >route-map TYCO permit 10
> > match ip address 121
> >
>
>_______________________________________________________________________
> >Subscription information may be found at:
> >http://www.groupstudy.com/list/CCIELab.html
>
>
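The point behind the quoted config is IOS order of operations: inside-to-outside NAT runs before the crypto map ACL is evaluated, so the crypto ACL (122) has to name the translated 10.1.2.0 addresses while the route-map ACL (121) names the real 10.1.1.0 ones. As an added example that is not code from the thread, here is a small Python model of the quoted NAT and ACL rules that classifies a flow the way the router would; the constant and function names are my own, and the model assumes, as IOS does, that static NAT entries are matched before the dynamic overload rule.

```python
import ipaddress

# Constructed model of the config quoted in this thread (not an IOS parser).
REMOTE_NETS = ["172.16.200.0/24", "172.16.15.0/24", "172.16.16.0/24",
               "172.16.17.0/24", "172.16.18.0/24", "172.16.19.0/24",
               "172.16.20.0/24", "192.168.100.0/24", "192.168.101.0/24",
               "192.168.102.0/24", "192.168.103.0/24"]
ACL_121 = [("10.1.1.0/24", d) for d in REMOTE_NETS]   # pre-NAT addresses
ACL_122 = [("10.1.2.0/24", d) for d in REMOTE_NETS]   # post-NAT addresses
STATIC_NET = ("10.1.1.0/24", "10.1.2.0/24")           # route-map TYCO -> ACL 121
PAT_LIST_1 = "10.1.1.0/24"                            # overload to Serial0.1
PAT_ADDRESS = "44.109.64.250"                         # Serial0.1 address


def acl_permits(acl, src, dst):
    """True if any (src_net, dst_net) entry of the ACL matches the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(sn) and d in ipaddress.ip_network(dn)
               for sn, dn in acl)


def nat_inside_to_outside(src, dst):
    """Translate the source the way the posted NAT rules would.

    The static network entry applies only when route-map TYCO (ACL 121)
    permits the flow; otherwise list 1 traffic is PATed to Serial0.1.
    """
    if acl_permits(ACL_121, src, dst):
        inner, outer = (ipaddress.ip_network(n) for n in STATIC_NET)
        offset = int(ipaddress.ip_address(src)) - int(inner.network_address)
        return str(outer.network_address + offset)   # 10.1.1.x -> 10.1.2.x
    if ipaddress.ip_address(src) in ipaddress.ip_network(PAT_LIST_1):
        return PAT_ADDRESS
    return src


def is_interesting(src, dst, crypto_acl=ACL_122):
    """Crypto map ACL is checked against the already-translated source."""
    translated = nat_inside_to_outside(src, dst)
    return translated, acl_permits(crypto_acl, translated, dst)


if __name__ == "__main__":
    print(is_interesting("10.1.1.50", "172.16.16.2"))           # ('10.1.2.50', True)
    print(is_interesting("10.1.1.50", "172.16.16.2", ACL_121))  # ('10.1.2.50', False)
    print(is_interesting("10.1.1.50", "203.0.113.9"))           # ('44.109.64.250', False)
```

The second call shows the common mistake the posted config avoids: with the pre-NAT ACL 121 as the crypto map's match address, the translated source never matches and no SA is ever requested.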



This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:50 GMT-3