From: Sing-Yu Hung (bradford.hung@gmail.com)
Date: Tue Feb 01 2005 - 22:22:21 GMT-3
Hi group,

Thanks. I have got the Adaptive Services-II in the M10i, but the
problem is that I can't use GRE between the Juniper and the Cisco, and
therefore can't establish an IKE and IPSec session. I think I have to
establish GRE or IKE/IPSec first and then run OSPF on it. I also found
that the Cisco keeps sending packets to the Juniper, but the Juniper
didn't respond, as shown in the log messages from the Cisco below. Any
suggestions are appreciated.

Cisco configuration
############################################################
!
crypto isakmp policy 5
 hash md5
 authentication pre-share
crypto isakmp key cisco address 10.1.34.10
!
crypto ipsec transform-set ipsec-tran-1-tunnel esp-des esp-md5-hmac
!
crypto map ipsec-map-tunnel local-address GigabitEthernet0/0
crypto map ipsec-map-tunnel 5 ipsec-isakmp
 set peer 10.1.34.10
 set transform-set ipsec-tran-1-tunnel
 match address 100
!
interface Tunnel0
 ip address 10.1.41.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 10.1.34.10
 crypto map ipsec-map-tunnel
!
interface GigabitEthernet0/0
 ip address 10.1.34.11 255.255.255.248
 duplex auto
 speed auto
 media-type rj45
 crypto map ipsec-map-tunnel
############################################################
Juniper Configuration
############################################################
interfaces {
    sp-0/0/0 {
        unit 1001 {
            family inet {
                address 10.1.41.2/30;
            }
            service-domain inside;
        }
        unit 2001 {
            family inet;
            service-domain outside;
        }
    }
}
services {
    service-set ipsec-ser-1 {
        next-hop-service {
            inside-service-interface sp-0/0/0.1001;
            outside-service-interface sp-0/0/0.2001;
        }
        ipsec-vpn-options {
            local-gateway 10.1.34.10;
        }
        ipsec-vpn-rules ipsec-rule-1;
    }
    ipsec-vpn {
        rule ipsec-rule-1 {
            term 5 {
                then {
                    remote-gateway 10.1.34.11;
                    dynamic {
                        ike-policy ike-policy-1;
                        ipsec-policy ipsec-policy-1;
                    }
                }
            }
            match-direction input;
        }
        ipsec {
            proposal ipsec-pro-1 {
                protocol esp;
                authentication-algorithm hmac-md5-96;
                encryption-algorithm des-cbc;
            }
            policy ipsec-policy-1 {
                proposals ipsec-pro-1;
            }
        }
        ike {
            proposal ike-pro-1 {
                authentication-method pre-shared-keys;
                dh-group group1;
                authentication-algorithm md5;
                encryption-algorithm des-cbc;
            }
            policy ike-policy-1 {
                mode main;
                proposals ike-pro-1;
                pre-shared-key ascii-text "$9$MtQXxdaJDkmT7-Dk";
            }
        }
    }
}
############################################################
sending packet to 10.1.34.10 my_port 500 peer_port 500 (I) AG_INIT_EXCH.....
Success rate is 0 percent (0/5)
cisco-r7400#
02:40:16: ISAKMP:(0:1:SW:1): retransmitting phase 1 AG_INIT_EXCH...
02:40:16: ISAKMP:(0:1:SW:1):incrementing error counter on sa: retransmit phase 1
02:40:16: ISAKMP:(0:1:SW:1): retransmitting phase 1 AG_INIT_EXCH
02:40:16: ISAKMP:(0:1:SW:1): sending packet to 10.1.34.10 my_port 500 peer_port 500 (I) AG_INIT_EXCH
cisco-r7400#
02:40:26: ISAKMP:(0:1:SW:1): retransmitting phase 1 AG_INIT_EXCH...
02:40:26: ISAKMP:(0:1:SW:1):incrementing error counter on sa: retransmit phase 1
02:40:26: ISAKMP:(0:1:SW:1): retransmitting phase 1 AG_INIT_EXCH
02:40:26: ISAKMP:(0:1:SW:1): sending packet to 10.1.34.10 my_port 500 peer_port 500 (I) AG_INIT_EXCH
cisco-r7400#
Thx
Bradford Hung
On Tue, 1 Feb 2005 21:08:55 -0000, Julian Skelley
<julian.skelley@itex.je> wrote:
> Are you trying to put the OSPF in the IPSEC tunnel?
>
> If so you can put OSPF inside an IPSEC tunnel since it is generated by the router interface. I believe if you want to do this in Cisco land you would use a GRE tunnel to send the OSPF and then send the IPSEC through the GRE tunnel also.
>
> Does that help?
>
> Thanks
>
> J
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Sing-Yu Hung
> Sent: 01 February 2005 14:53
> To: ccielab@groupstudy.com; security@groupstudy.com;
> juniper@groupstudy.com
> Subject: IPSec
>
> Hi group,
>
> I have a Juniper M10 and a Cisco 2600, and am trying to set up an IPSec
> tunnel running OSPF between both, but without success. May I ask whether
> anyone has experience with this and can give me an example?
>
> Thx
> Bradford Hung
>
This archive was generated by hypermail 2.1.4 : Thu Mar 03 2005 - 08:51:16 GMT-3