From: Dane Newman (dane.newman@gmail.com)
Date: Tue Jun 17 2008 - 00:47:48 ART
Ah, gotcha.
Tried it, no dice ;(
Rack1R3#config t
Enter configuration commands, one per line. End with CNTL/Z.
Rack1R3(config)#ip access-list extended vlan3_to_vlan112
Rack1R3(config-ext-nacl)#$ip 10.3.3.0 0.0.0.255 192.10.6.0 0.0.0.255
Rack1R3(config-ext-nacl)#permit ip host 10.3.3.3 host 192.10.6.254
Rack1R3(config-ext-nacl)#exit
Rack1R3(config)#exit
Rack1R3#ping 192.10.6.254 source 10.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.10.6.254, timeout is 2 seconds:
Packet sent with a source address of 10.3.3.3
.....
Success rate is 0 percent (0/5)
Rack1R3#
On Mon, Jun 16, 2008 at 11:25 PM, Luan Nguyen <luan.m.nguyen@gmail.com>
wrote:
> I meant change this:
> " ip access-list extended vlan3_to_vlan112
> permit ip 10.3.3.0 0.0.0.255 192.10.6.0 0.0.0.255"
> to this:
> ip access-list extended vlan3_to_vlan112
> permit ip host 10.3.3.3 host 192.10.6.254
>
>
>
> On Mon, Jun 16, 2008 at 11:21 PM, Dane Newman <dane.newman@gmail.com>
> wrote:
>
>> There is no access-list on R3's S1/1.35 interface, which is what the crypto
>> map is applied to, so there should be no filtering going on?
>>
>>
>> On Mon, Jun 16, 2008 at 10:33 PM, Luan Nguyen <luan.m.nguyen@gmail.com>
>> wrote:
>>
>>> Yeah, it should work... sorry, it just looks funny at the moment :P
>>> So on the VPN side you have
>>> interface = its WAN 131.1.115.11
>>> bidirectional
>>> peer 10.3.3.3
>>> localnetwork ip address 192.10.6.254/0.0.0.0
>>> remotenetwork 10.3.3.3/0.0.0.0
>>> ?
>>> My only other suggestion would be on your router ACL, use permit host
>>> 10.3.3.3 host 192.10.6.254.
>>>
>>>
>>>
>>> On Mon, Jun 16, 2008 at 10:06 PM, Dane Newman <dane.newman@gmail.com>
>>> wrote:
>>>
>>>> In one of the requirements in the first part of the lab it told me to do
>>>>
>>>> crypto map VPN local-address FastEthernet0/0
>>>>
>>>> To the crypto map VPN on R3. So I didn't want to break the requirement on
>>>> the first part, so I put into the VPN3k the peer as fa0/0 of R3 (10.3.3.3).
>>>> This config should work, no?
>>>>
>>>> Dane
>>>>
>>>> On Mon, Jun 16, 2008 at 9:49 PM, Luan Nguyen <luan.m.nguyen@gmail.com>
>>>> wrote:
>>>>
>>>>> Local-address should be Serial1/1.35
>>>>>
>>>>> -Luan
>>>>>
>>>>> On Mon, Jun 16, 2008 at 7:31 PM, Dane Newman <dane.newman@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> I am doing a LAN to LAN VPN as per the scenario with a router and the
>>>>>> VPN3k. Below is the debug. I see that during the ISAKMP phase 1 it finds a
>>>>>> policy on both devices that matches, but after that, when I debug crypt isa
>>>>>> error, it shows the only error to be
>>>>>>
>>>>>> Jun 16 16:22:44.432: ISAKMP (0:1): Notify has no hash. Rejected.
>>>>>>
>>>>>>
>>>>>> I looked that up online and it said
>>>>>>
>>>>>> Indicates that the notify message received from the peer lacked a valid
>>>>>> hash. This means that the notify message was not authenticated. For
>>>>>> security reasons, this message is ignored.
>>>>>>
>>>>>> http://www.cisco.com/univercd/cc/td/doc/product/vpn/solution/aswan15/omt/omt_03a.htm
>>>>>>
>>>>>>
>>>>>> anyone able to comment?
>>>>>>
>>>>>> Rack1R3#ping 192.10.6.254 source 10.3.3.3
>>>>>> Type escape sequence to abort.
>>>>>> Sending 5, 100-byte ICMP Echos to 192.10.6.254, timeout is 2 seconds:
>>>>>> Packet sent with a source address of 10.3.3.3
>>>>>> Jun 16 16:22:33.830: ISAKMP: received ke message (1/1)
>>>>>> Jun 16 16:22:33.830: ISAKMP (0:0): SA request profile is (NULL)
>>>>>> Jun 16 16:22:33.830: ISAKMP: local port 500, remote port 500
>>>>>> Jun 16 16:22:33.830: ISAKMP: set new node 0 to QM_IDLE
>>>>>> Jun 16 16:22:33.834: ISAKMP: insert sa successfully sa = 83B46590
>>>>>> Jun 16 16:22:33.834: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
>>>>>> Jun 16 16:22:33.834: ISAKMP: Looking for a matching key for 132.1.115.11 in default : success
>>>>>> Jun 16 16:22:33.834: ISAKMP (0:1): found peer pre-shared key matching 132.1.115.11
>>>>>> Jun 16 16:22:33.834: ISAKMP (0:1): constructed NAT-T vendor-03 ID
>>>>>> Jun 16 16:22:33.834: ISAKMP (0:1): constructed NAT-T vendor-02 ID
>>>>>> Jun 16 16:22:33.834: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
>>>>>> Jun 16 16:22:33.834: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
>>>>>> Jun 16 16:22:33.838: ISAKMP (0:1): beginning Main Mode exchange
>>>>>> Jun 16 16:22:33.838: ISAKMP (0:1): sending packet to 132.1.115.11 my_port 500 peer_port 500 (I) MM_NO_STATE
>>>>>> Jun 16 16:22:34.043: ISAKMP (0:1): received packet from 132.1.115.11 dport 500 sport 500 Global (I) MM_NO_STATE
>>>>>> Jun 16 16:22:34.043: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
>>>>>> Jun 16 16:22:34.043: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
>>>>>> Jun 16 16:22:34.047: ISAKMP (0:1): processing SA payload. message ID = 0
>>>>>> Jun 16 16:22:34.047: ISAKMP (0:1): processing vendor id payload
>>>>>> Jun 16 16:22:34.047: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
>>>>>> Jun 16 16:22:34.047: ISAKMP: Looking for a matching key for 132.1.115.11 in default : success
>>>>>> Jun 16 16:22:34.047: ISAKMP (0:1): found peer pre-shared key matching 132.1.115.11
>>>>>> Jun 16 16:22:34.047: ISAKMP (0:1) local preshared key found
>>>>>> Jun 16 16:22:34.047: ISAKMP : Scanning profiles for xauth ...
>>>>>> Jun 16 16:22:34.051: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
>>>>>> Jun 16 16:22:34.051: ISAKMP: encryption 3DES-CBC
>>>>>> Jun 16 16:22:34.051: ISAKMP: hash MD5
>>>>>> Jun 16 16:22:34.051: ISAKMP: default group 2
>>>>>> Jun 16 16:22:34.051: ISAKMP: auth pre-share
>>>>>> Jun 16 16:22:34.051: ISAKMP: life type in seconds
>>>>>> Jun 16 16:22:34.051: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
>>>>>> Jun 16 16:22:34.051: ISAKMP (0:1): atts are acceptable. Next payload is 0
>>>>>> Jun 16 16:22:34.315: ISAKMP (0:1): processing vendor id payload
>>>>>> Jun 16 16:22:34.315: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
>>>>>> Jun 16 16:22:34.315: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
>>>>>> Jun 16 16:22:34.319: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM2
>>>>>> Jun 16 16:22:34.319: ISAKMP (0:1): sending packet to 132.1.115.11 my_port 500 peer_port 500 (I) MM_SA_SETUP
>>>>>> Jun 16 16:22:34.323: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
>>>>>> Jun 16 16:22:34.323: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
>>>>>> ....
>>>>>> Success rate is 0 percent (0/5)
>>>>>> Rack1R3#
>>>>>> Jun 16 16:22:44.323: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
>>>>>> Jun 16 16:22:44.323: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
>>>>>> Jun 16 16:22:44.323: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP
>>>>>> Jun 16 16:22:44.323: ISAKMP (0:1): sending packet to 132.1.115.11 my_port 500 peer_port 500 (I) MM_SA_SETUP
>>>>>> Jun 16 16:22:44.428: ISAKMP (0:1): received packet from 132.1.115.11 dport 500 sport 500 Global (I) MM_SA_SETUP
>>>>>> Jun 16 16:22:44.432: ISAKMP (0:1): Notify has no hash. Rejected.
>>>>>> Jun 16 16:22:44.432: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
>>>>>> Jun 16 16:22:44.432: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM3
>>>>>> Rack1R3#
>>>>>> Jun 16 16:23:03.831: ISAKMP: received ke message (1/1)
>>>>>> Jun 16 16:23:03.831: ISAKMP: set new node 0 to QM_IDLE
>>>>>> Jun 16 16:23:03.831: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it. (local 10.3.3.3, remote 132.1.115.11)
>>>>>> Rack1R3#
>>>>>> Jun 16 16:23:33.833: ISAKMP: received ke message (3/1)
>>>>>> Jun 16 16:23:33.833: ISAKMP (0:1): peer does not do paranoid keepalives.
>>>>>> Jun 16 16:23:33.833: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_SA_SETUP (peer 132.1.115.11) input queue 0
>>>>>> Jun 16 16:23:33.833: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_SA_SETUP (peer 132.1.115.11) input queue 0
>>>>>> Jun 16 16:23:33.837: ISAKMP (0:1): deleting node -492041071 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
>>>>>> Jun 16 16:23:33.837: ISAKMP (0:1): deleting node -1371117716 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
>>>>>> Rack1R3#
>>>>>> Jun 16 16:23:33.837: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
>>>>>> Jun 16 16:23:33.837: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_DEST_SA
>>>>>> Rack1R3#
>>>>>> Jun 16 16:24:23.839: ISAKMP (0:1): purging node -492041071
>>>>>> Jun 16 16:24:23.839: ISAKMP (0:1): purging node -1371117716
>>>>>> Rack1R3#
>>>>>> Jun 16 16:24:33.839: ISAKMP (0:1): purging SA., sa=83B46590, delme=83B46590
>>>>>> Rack1R3#u all
>>>>>> All possible debugging has been turned off
>>>>>> Rack1R3#
>>>>>>
>>>>>> Rack1R3#show run
>>>>>> Building configuration...
>>>>>> Current configuration : 3053 bytes
>>>>>> !
>>>>>> ! Last configuration change at 16:18:44 UTC Mon Jun 16 2008
>>>>>> ! NVRAM config last updated at 15:46:05 UTC Mon Jun 16 2008
>>>>>> !
>>>>>> version 12.2
>>>>>> service timestamps debug datetime msec
>>>>>> service timestamps log datetime msec
>>>>>> no service password-encryption
>>>>>> !
>>>>>> hostname Rack1R3
>>>>>> !
>>>>>> logging queue-limit 100
>>>>>> enable password cisco
>>>>>> !
>>>>>> ip subnet-zero
>>>>>> !
>>>>>> !
>>>>>> no ip domain lookup
>>>>>> !
>>>>>> ip audit notify log
>>>>>> ip audit po max-events 100
>>>>>> mpls ldp logging neighbor-changes
>>>>>> !
>>>>>> !
>>>>>> !
>>>>>> crypto isakmp policy 1
>>>>>> encr 3des
>>>>>> hash md5
>>>>>> authentication pre-share
>>>>>> group 2
>>>>>> !
>>>>>> crypto isakmp policy 10
>>>>>> authentication pre-share
>>>>>> lifetime 2400
>>>>>> !
>>>>>> crypto isakmp policy 20
>>>>>> encr 3des
>>>>>> hash md5
>>>>>> authentication pre-share
>>>>>> group 2
>>>>>> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
>>>>>> !
>>>>>> !
>>>>>> crypto ipsec transform-set DES_MD5 esp-des esp-md5-hmac
>>>>>> crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
>>>>>> !
>>>>>> !
>>>>>> !
>>>>>> crypto map VPN local-address FastEthernet0/0
>>>>>> crypto map VPN 10 ipsec-isakmp
>>>>>> set peer 10.4.4.4
>>>>>> set transform-set DES_MD5
>>>>>> match address vlan3_to_vlan44
>>>>>> crypto map VPN 20 ipsec-isakmp
>>>>>> set peer 132.1.115.11
>>>>>> set transform-set 3DES_MD5
>>>>>> match address vlan3_to_vlan112
>>>>>> !
>>>>>> !
>>>>>> !
>>>>>> !
>>>>>> !
>>>>>> !
>>>>>> !
>>>>>> !
>>>>>> !
>>>>>> !
>>>>>> no voice hpi capture buffer
>>>>>> no voice hpi capture destination
>>>>>> !
>>>>>> !
>>>>>> mta receive maximum-recipients 0
>>>>>> !
>>>>>> !
>>>>>> !
>>>>>> !
>>>>>> interface Loopback0
>>>>>> ip address 150.1.3.3 255.255.255.0
>>>>>> !
>>>>>> interface FastEthernet0/0
>>>>>> ip address 10.3.3.3 255.255.255.0
>>>>>> duplex auto
>>>>>> speed auto
>>>>>> !
>>>>>> interface FastEthernet0/1
>>>>>> ip address 132.1.33.3 255.255.255.0
>>>>>> duplex auto
>>>>>> speed auto
>>>>>> !
>>>>>> interface Serial1/0
>>>>>> no ip address
>>>>>> encapsulation frame-relay
>>>>>> !
>>>>>> interface Serial1/0.1234 point-to-point
>>>>>> ip address 132.1.0.3 255.255.255.0
>>>>>> ip ospf network point-to-multipoint
>>>>>> frame-relay interface-dlci 302
>>>>>> crypto map VPN
>>>>>> !
>>>>>> interface Serial1/1
>>>>>> no ip address
>>>>>> encapsulation frame-relay
>>>>>> !
>>>>>> interface Serial1/1.35 point-to-point
>>>>>> ip address 132.1.35.3 255.255.255.0
>>>>>> frame-relay interface-dlci 315
>>>>>> crypto map VPN
>>>>>> !
>>>>>> interface Serial1/2
>>>>>> no ip address
>>>>>> shutdown
>>>>>> !
>>>>>> interface Serial1/3
>>>>>> no ip address
>>>>>> shutdown
>>>>>> !
>>>>>> router ospf 1
>>>>>> router-id 150.1.3.3
>>>>>> log-adjacency-changes
>>>>>> redistribute connected subnets route-map CONNECTED_TO_OSPF
>>>>>> network 132.1.0.3 0.0.0.0 area 0
>>>>>> network 132.1.35.3 0.0.0.0 area 345
>>>>>> network 150.1.3.3 0.0.0.0 area 0
>>>>>> !
>>>>>> router bgp 100
>>>>>> no synchronization
>>>>>> bgp router-id 150.1.3.3
>>>>>> bgp log-neighbor-changes
>>>>>> neighbor 150.1.2.2 remote-as 100
>>>>>> neighbor 150.1.2.2 update-source Loopback0
>>>>>> no auto-summary
>>>>>> !
>>>>>> ip http server
>>>>>> no ip http secure-server
>>>>>> ip classless
>>>>>> ip route 132.1.115.0 255.255.255.0 132.1.35.5
>>>>>> ip route 192.10.6.0 255.255.255.0 132.1.35.6
>>>>>> !
>>>>>> !
>>>>>> !
>>>>>> ip access-list extended vlan3_to_vlan112
>>>>>> permit ip 10.3.3.0 0.0.0.255 192.10.6.0 0.0.0.255
>>>>>> ip access-list extended vlan3_to_vlan44
>>>>>> permit ip 10.3.3.0 0.0.0.255 10.4.4.0 0.0.0.255
>>>>>> !
>>>>>> !
>>>>>> route-map CONNECTED_TO_OSPF permit 10
>>>>>> match interface FastEthernet0/0
>>>>>> !
>>>>>> !
>>>>>> call rsvp-sync
>>>>>> !
>>>>>> !
>>>>>> mgcp profile default
>>>>>> !
>>>>>> !
>>>>>> !
>>>>>> dial-peer cor custom
>>>>>> !
>>>>>> !
>>>>>> !
>>>>>> !
>>>>>> !
>>>>>> line con 0
>>>>>> exec-timeout 0 0
>>>>>> privilege level 15
>>>>>> logging synchronous
>>>>>> line aux 0
>>>>>> exec-timeout 0 0
>>>>>> privilege level 15
>>>>>> line vty 0 4
>>>>>> password cisco
>>>>>> login
>>>>>> !
>>>>>> !
>>>>>> end
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________________________________
>>>>>> Subscription information may be found at:
>>>>>> http://www.groupstudy.com/list/CCIELab.html
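Added example, not part of the thread and not Cisco's code: a small Python reader for the `debug crypto isakmp` output posted above. It reports which main-mode state the initiator reached, whether it was retransmitting (no answer from the peer) and whether the peer sent an informational notify that IOS could not authenticate and therefore discarded, which is exactly the pattern in R3's capture. The sample input is a condensed copy of R3's debug, embedded so the script runs offline; the mapping of odd initiator states to the message they wait for (IKE_I_MM1 waits for MM2, IKE_I_MM3 for MM4, IKE_I_MM5 for MM6) is the standard main-mode exchange, and the `Notify has no hash` handling follows the Cisco text quoted in the thread. The regular expressions tolerate the missing space before `my_port`/`dport` that the pasted output shows.

```python
import re

# Constructed sample input: a condensed copy of the `debug crypto isakmp`
# output pasted in the thread above (initiator side, R3 -> 132.1.115.11).
SAMPLE_DEBUG = """\
Jun 16 16:22:33.834: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
Jun 16 16:22:33.834: ISAKMP (0:1): found peer pre-shared key matching 132.1.115.11
Jun 16 16:22:33.834: ISAKMP (0:1): Old State = IKE_READY  New State = IKE_I_MM1
Jun 16 16:22:33.838: ISAKMP (0:1): sending packet to 132.1.115.11 my_port 500 peer_port 500 (I) MM_NO_STATE
Jun 16 16:22:34.043: ISAKMP (0:1): received packet from 132.1.115.11 dport 500 sport 500 Global (I) MM_NO_STATE
Jun 16 16:22:34.043: ISAKMP (0:1): Old State = IKE_I_MM1  New State = IKE_I_MM2
Jun 16 16:22:34.051: ISAKMP (0:1): atts are acceptable. Next payload is 0
Jun 16 16:22:34.319: ISAKMP (0:1): sending packet to 132.1.115.11my_port 500 peer_port 500 (I) MM_SA_SETUP
Jun 16 16:22:34.323: ISAKMP (0:1): Old State = IKE_I_MM2  New State = IKE_I_MM3
Jun 16 16:22:44.323: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
Jun 16 16:22:44.323: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
Jun 16 16:22:44.323: ISAKMP (0:1): sending packet to 132.1.115.11 my_port 500 peer_port 500 (I) MM_SA_SETUP
Jun 16 16:22:44.428: ISAKMP (0:1): received packet from 132.1.115.11dport 500 sport 500 Global (I) MM_SA_SETUP
Jun 16 16:22:44.432: ISAKMP (0:1): Notify has no hash. Rejected.
Jun 16 16:22:44.432: ISAKMP (0:1): Old State = IKE_I_MM3  New State = IKE_I_MM3
Jun 16 16:23:03.831: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it. (local 10.3.3.3, remote 132.1.115.11)
Jun 16 16:23:33.833: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_SA_SETUP (peer 132.1.115.11) input queue 0
Jun 16 16:23:33.837: ISAKMP (0:1): Old State = IKE_I_MM3  New State = IKE_DEST_SA
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
# Pasted IOS output often loses the space before my_port/dport (as in the
# thread), so the address is matched non-greedily up to the keyword.
SEND_RE = re.compile(r"sending packet to (\S+?)\s*my_port \d+ peer_port \d+ \(I\) (\S+)")
RECV_RE = re.compile(r"received packet from (\S+?)\s*dport \d+ sport \d+ Global \(I\) (\S+)")
LOCAL_RE = re.compile(r"\(local (\S+), remote (\S+)\)")

# Main-mode initiator states in which the router is waiting on the peer.
# Even-numbered states are transient (a reply just arrived and is being processed).
MM_WAITING_FOR = {
    "IKE_I_MM1": "MM2 (peer's SA/proposal response)",
    "IKE_I_MM3": "MM4 (peer's KE and nonce)",
    "IKE_I_MM5": "MM6 (peer's ID and HASH, i.e. authentication)",
}


def analyze_isakmp_debug(text):
    """Summarise an initiator-side `debug crypto isakmp` capture.

    Reports how far main mode got, whether the router was retransmitting
    (no answer from the peer) and whether the peer sent informational
    notifies that IOS could not authenticate and therefore discarded.
    """
    r = {"peer": None, "local": None, "transitions": [], "sent": [],
         "received": [], "retransmits": 0, "unauth_notifies": 0, "sa_deleted": False}
    for line in text.splitlines():
        if m := STATE_RE.search(line):
            r["transitions"].append(m.groups())
        elif m := SEND_RE.search(line):
            r["peer"] = m.group(1)
            r["sent"].append(m.group(2))
        elif m := RECV_RE.search(line):
            r["received"].append(m.group(2))
        elif m := LOCAL_RE.search(line):
            r["local"], r["peer"] = m.group(1), m.group(2)
        elif "incrementing error counter on sa: retransmit phase 1" in line:
            r["retransmits"] += 1
        elif "Notify has no hash" in line:
            # Before phase 1 completes there is no shared key to hash with, so an
            # informational notify cannot be authenticated. Anyone who can reach
            # UDP/500 could forge one, which is why IOS drops it unread.
            r["unauth_notifies"] += 1
        elif "deleting SA reason" in line:
            r["sa_deleted"] = True

    mm = [new for _, new in r["transitions"] if re.fullmatch(r"IKE_I_MM\d", new)]
    r["furthest_state"] = max(mm, key=lambda s: int(s[-1]), default=None)
    r["final_state"] = r["transitions"][-1][1] if r["transitions"] else None
    r["diagnosis"] = diagnose(r)
    return r


def diagnose(r):
    """Turn the counters into the one-line reading an engineer wants."""
    fs = r["furthest_state"]
    if fs is None:
        return "no main-mode state transitions seen; check peer reachability and the crypto map"
    if int(fs[-1]) >= 6:
        return "phase 1 completed; look at quick mode / proxy identities instead"
    parts = []
    if r["retransmits"] and fs in MM_WAITING_FOR:
        parts.append(f"initiator stalled in {fs}, waiting for {MM_WAITING_FOR[fs]} "
                     f"from {r['peer']}")
    if r["unauth_notifies"]:
        parts.append("peer replied with a notify carrying no HASH; IOS discarded it "
                     "unauthenticated, so the rejection reason is only visible in the "
                     "peer's own log")
    if r["sa_deleted"]:
        parts.append("phase 1 SA torn down before completing")
    return "; ".join(parts) if parts else f"reached {fs} with no error recorded"


if __name__ == "__main__":
    s = analyze_isakmp_debug(SAMPLE_DEBUG)
    print(f"{s['local']} -> {s['peer']}: furthest {s['furthest_state']}, "
          f"final {s['final_state']}, retransmits {s['retransmits']}")
    print(s["diagnosis"])
```

Run against R3's capture, the reading is: the SA proposal was accepted on both sides (`atts are acceptable`), R3 sent MM3 (its KE and nonce, shown as `MM_SA_SETUP`) and never received MM4; after a retransmit the peer answered with an informational notify instead, which R3 threw away because nothing before MM5/MM6 can carry a valid HASH. The router side therefore cannot tell you why the concentrator rejected the exchange; that reason has to be read on the VPN3k's side.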
This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:22 ART