RE: IPSec Phase I doesn't happen

From: Tony Schaffran (groupstudy@cconlinelabs.com)
Date: Fri Nov 26 2004 - 02:30:02 GMT-3


You might want to take another look at your config.

You are missing a next hop statement in your route map to a loopback address.

Take a look at this link, it explains it all.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

Tony Schaffran
Network Analyst
CCIE #11071
CCNP, CCNA, CCDA,
NNCDS, NNCSS, CNE, MCSE
 
www.cconlinelabs.com
Your #1 choice for online Cisco rack rentals.
 
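The config-consistency check below is an added example, not code from this thread or from Cisco. It parses an IOS-style excerpt (constructed here from the quoted post, with one extra ACL 122 line using the untranslated 10.1.1.0 source so there is something to report), flags a NAT route-map that carries no `set ip next-hop`, and flags crypto-ACL sources that fall outside the statically translated network, since on an IOS router the crypto map's `match address` ACL is evaluated after inside-to-outside NAT. The function names, the regexes and the sample config are all this example's own assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt modelled on the quoted config; the untranslated 10.1.1.0 source in ACL 122 is added on purpose.
SAMPLE_CONFIG = """\
crypto map IPSec 10 ipsec-isakmp
 match address 122
ip nat inside source static network 10.1.1.0 10.1.2.0 /24 route-map TYCO
access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.16.0 0.0.0.255
access-list 122 permit ip 10.1.1.0 0.0.0.255 172.16.17.0 0.0.0.255
route-map TYCO permit 10
 match ip address 121
"""
NAT_RE = re.compile(r"^ip nat inside source static network (\S+) (\S+) /(\d+) route-map (\S+)")
ACL_RE = re.compile(r"^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)")

def parse_config(text):
    cfg = {"crypto_acls": set(), "nat": [], "acl_sources": {}, "route_maps": {}}
    rmap = None  # name of the route-map block we are currently inside, if any
    for line in filter(str.strip, text.splitlines()):
        words = line.split()
        if line.startswith(" "):  # indented: a crypto-map or route-map entry
            if words[:2] == ["match", "address"]:  # crypto map 'match address <acl>'
                cfg["crypto_acls"].add(words[2])
            elif rmap:
                cfg["route_maps"][rmap].append(" ".join(words))
            continue
        rmap = words[1] if words[0] == "route-map" else None
        if rmap:
            cfg["route_maps"].setdefault(rmap, [])
        elif m := NAT_RE.match(line):
            cfg["nat"].append(m.groups())
        elif m := ACL_RE.match(line):  # source wildcard -> prefix length (contiguous wildcard assumed)
            plen = 32 - bin(int(ip_address(m[3]))).count("1")
            cfg["acl_sources"].setdefault(m[1], []).append(ip_network(f"{m[2]}/{plen}", strict=False))
    return cfg

def audit(text):
    """Flag NAT route-maps with no 'set ip next-hop' and crypto-ACL sources outside the translated net."""
    cfg = parse_config(text)
    findings = []
    for _inside, outside, plen, rmap in cfg["nat"]:
        if not any(e.startswith("set ip next-hop") for e in cfg["route_maps"].get(rmap, [])):
            findings.append(f"route-map {rmap} has no 'set ip next-hop'")
        translated = ip_network(f"{outside}/{plen}")  # post-NAT source seen by the crypto map
        for acl in sorted(cfg["crypto_acls"]):
            findings += [f"crypto ACL {acl} source {src} is outside translated {translated}"
                         for src in cfg["acl_sources"].get(acl, []) if not src.subnet_of(translated)]
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports both the route-map without a next hop and the ACL 122 entry that still uses the pre-NAT source.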

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Larry Roberts
Sent: Thursday, November 25, 2004 7:20 PM
To: Jason Aarons
Cc: ccielab@groupstudy.com
Subject: Re: IPSec Phase I doesn't happen

Have you debugged the isakmp negotiations?

What does "show crypto isakmp sa" give you?

What does the other side configuration look like?

Jason Aarons wrote:

>PC on 10.1.1.50 generates interesting traffic (acl122) to 172.16.16.2,
>but the IPSec tunnel doesn't get built (no output from debug crypto ipsec
>sa). TAC is looking at this but can't find what is wrong. The remote
>network already has a 10.1.1.0 network, so I static nat my end to
>10.1.2.0 which is ACL 121. This is complex. Code is 12.3(9b)
>!
>crypto isakmp policy 10
> encr 3des
> hash md5
> authentication pre-share
> group 2
>crypto isakmp key <something> address 44.33.148.192
>!
>crypto ipsec transform-set TYCO-com esp-3des esp-md5-hmac
>!
>crypto map IPSec 10 ipsec-isakmp
> description sengel@TYCO.com
> set peer 44.33.148.192
> set transform-set TYCO-com
> match address 122
>!
>interface Ethernet0
> ip address 66.109.64.9 255.255.255.240
>!
>interface FastEthernet0
> description connected to Internal LAN
> ip address 10.1.1.2 255.255.255.0
> ip nat inside
>!
>interface Serial0
> no ip address
> encapsulation frame-relay
>!
>interface Serial0.1 point-to-point
> ip address 44.109.64.250 255.255.255.252
> ip nat outside
> frame-relay interface-dlci 448 IETF
> crypto map IPSec
>!
>ip nat inside source list 1 interface Serial0.1 overload
>ip nat inside source static tcp 10.1.1.10 49201 44.109.73.83 49201 extendable
>ip nat inside source static network 10.1.1.0 10.1.2.0 /24 route-map TYCO
>ip classless
>ip route 0.0.0.0 0.0.0.0 Serial0.1
>!
>access-list 1 permit 10.1.1.0 0.0.0.255
>access-list 121 remark Used for IPSEC
>access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.200.0 0.0.0.255
>access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.15.0 0.0.0.255
>access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.16.0 0.0.0.255
>access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.17.0 0.0.0.255
>access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.18.0 0.0.0.255
>access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.19.0 0.0.0.255
>access-list 121 permit ip 10.1.1.0 0.0.0.255 172.16.20.0 0.0.0.255
>access-list 121 permit ip 10.1.1.0 0.0.0.255 192.168.100.0 0.0.0.255
>access-list 121 permit ip 10.1.1.0 0.0.0.255 192.168.101.0 0.0.0.255
>access-list 121 permit ip 10.1.1.0 0.0.0.255 192.168.102.0 0.0.0.255
>access-list 121 permit ip 10.1.1.0 0.0.0.255 192.168.103.0 0.0.0.255
>access-list 122 remark Used for IPSEC
>access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.200.0 0.0.0.255
>access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.15.0 0.0.0.255
>access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.16.0 0.0.0.255
>access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.17.0 0.0.0.255
>access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.18.0 0.0.0.255
>access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.19.0 0.0.0.255
>access-list 122 permit ip 10.1.2.0 0.0.0.255 172.16.20.0 0.0.0.255
>access-list 122 permit ip 10.1.2.0 0.0.0.255 192.168.100.0 0.0.0.255
>access-list 122 permit ip 10.1.2.0 0.0.0.255 192.168.101.0 0.0.0.255
>access-list 122 permit ip 10.1.2.0 0.0.0.255 192.168.102.0 0.0.0.255
>access-list 122 permit ip 10.1.2.0 0.0.0.255 192.168.103.0 0.0.0.255
>!
>route-map TYCO permit 10
> match ip address 121
>



This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:50 GMT-3