[c-nsp] (no subject)
mk at vserver.elxsi.de
Tue Oct 19 17:34:44 EDT 2004
Hi,
I'm trying to set up an IPsec tunnel between two routers. One router has a
dynamic IP address and the other a static one. The problem is that I
always get the following error when I try to establish the IPsec tunnel:
Router#debug crypto ipsec
Router#debug crypto isakmp
Router#
00:49:15: ISAKMP (0:0): received packet from 10.0.0.2 (N) NEW SA
00:49:15: ISAKMP: local port 500, remote port 500
00:49:15: ISAKMP (0:1): processing SA payload. message ID = 0
00:49:15: ISAKMP (0:1): found peer pre-shared key matching 10.0.0.2
00:49:15: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
00:49:15: ISAKMP: encryption DES-CBC
00:49:15: ISAKMP: hash MD5
00:49:15: ISAKMP: default group 1
00:49:15: ISAKMP: auth pre-share
00:49:15: ISAKMP: life type in seconds
00:49:15: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
00:49:15: ISAKMP (0:1): atts are acceptable. Next payload is 0
00:49:15: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
00:49:15: ISAKMP (0:1): sending packet to 10.0.0.2 (R) MM_SA_SETUP
00:49:15: ISAKMP (0:1): received packet from 10.0.0.2 (R) MM_SA_SETUP
00:49:15: ISAKMP (0:1): processing KE payload. message ID = 0
00:49:15: ISAKMP (0:1): processing NONCE payload. message ID = 0
00:49:15: ISAKMP (0:1): found peer pre-shared key matching 10.0.0.2
00:49:15: ISAKMP (0:1): SKEYID state generated
00:49:15: ISAKMP (0:1): processing vendor id payload
00:49:15: ISAKMP (0:1): speaking to another IOS box!
00:49:15: ISAKMP (0:1): sending packet to 10.0.0.2 (R) MM_KEY_EXCH
00:49:15: ISAKMP (0:1): received packet from 10.0.0.2 (R) MM_KEY_EXCH
00:49:15: ISAKMP (0:1): processing ID payload. message ID = 0
00:49:15: ISAKMP (0:1): processing HASH payload. message ID = 0
00:49:15: ISAKMP (0:1): SA has been authenticated with 10.0.0.2
00:49:15: ISAKMP (1): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
00:49:15: ISAKMP (1): Total payload length: 12
00:49:15: ISAKMP (0:1): sending packet to 10.0.0.2 (R) QM_IDLE
00:49:15: ISAKMP (0:1): received packet from 10.0.0.2 (R) QM_IDLE
00:49:15: ISAKMP (0:1): processing HASH payload. message ID = -391103982
00:49:15: ISAKMP (0:1): processing SA payload. message ID = -391103982
00:49:15: ISAKMP (0:1): Checking IPSec proposal 1
00:49:15: ISAKMP: transform 1, ESP_DES
00:49:15: ISAKMP: attributes in transform:
00:49:15: ISAKMP: encaps is 1
00:49:15: ISAKMP: SA life type in seconds
00:49:15: ISAKMP: SA life duration (basic) of 3600
00:49:15: ISAKMP: SA life type in kilobytes
00:49:15: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
00:49:15: ISAKMP: authenticator is HMAC-MD5
00:49:15: ISAKMP (0:1): atts are acceptable.
00:49:15: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 10.0.0.1, remote= 10.0.0.2,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
00:49:15: IPSEC(validate_transform_proposal): proxy identities not supported
00:49:15: ISAKMP (0:1): IPSec policy invalidated proposal
00:49:15: ISAKMP (0:1): phase 2 SA not acceptable!
00:49:15: ISAKMP (0:1): sending packet to 10.0.0.2 (R) QM_IDLE
00:49:15: ISAKMP (0:1): purging node 249970632
00:49:15: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 10.0.0.2
00:49:15: ISAKMP (0:1): deleting node -391103982 error FALSE reason "IKMP_NO_ERR_NO_TRANS"
So why is the "phase 2 SA" not acceptable? And why does the processing of
quick mode fail?
Here is the configuration of both routers, some unimportant stuff removed
(lab, so both routers have a static IP for testing purposes):
Router1 (hub router):
Router#show run
Building configuration...
Current configuration : 1407 bytes
!
version 12.2
service nagle
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
aaa new-model
aaa authentication login clientauth local
aaa authorization network groupauthor local
enable secret 5 <snip>
!
username <snip> password 7 <snip>
ip subnet-zero
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto dynamic-map rtpmap 10
set transform-set rtpset
match address 115
!
!
crypto map rtptrans 10 ipsec-isakmp dynamic rtpmap
!
!
interface Ethernet0
ip address 192.168.1.141 255.255.255.252
media-type 10BaseT
!
interface Serial0
ip address 10.0.0.1 255.0.0.0
clockrate 4000000
crypto map rtptrans
!
ip classless
!
access-list 115 permit ip any any
!
end
-------------------------------------------------------------------------------
Router2 (remote router):
Router2#show run
Current configuration : 1133 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
boot system flash:c4500-ik8s-mz.122-19a.bin
enable secret 5 <snip>
!
ip subnet-zero
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key cisco123 address 10.0.0.1
!
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto map rtp 1 ipsec-isakmp
set peer 10.0.0.1
set transform-set rtpset
match address 115
!
!
controller E1 0
!
!
!
interface Serial0
ip address 10.0.0.2 255.255.255.252
no ip route-cache
no ip mroute-cache
crypto map rtp
!
ip classless
no ip http server
!
access-list 115 permit ip any any
dialer-list 1 protocol ip permit
!
end
I used this example and modified some parts of it:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml
Both lab routers are Cisco 4500 with the following IOS versions:
Router1 (hub router): c4500-jk8s-mz.122-23.bin
Router2 (remote router): c4500-ik8s-mz.122-19a.bin
Does anyone know what I'm doing wrong?
Thank you for your help,
Martin Kluge
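As an added troubleshooting aid (not part of the original post, and not a Cisco tool): a small Python parser that walks `debug crypto isakmp` / `debug crypto ipsec` output in the format quoted above, records how far the exchange got, and pulls out the phase 2 proxy identities and the rejection reason, so an operator can see at a glance whether the failure is in phase 1 (policy/pre-shared key) or phase 2 (proposal vs. crypto ACL). The sample lines are a constructed excerpt in the same format; the function names are assumptions.

```python
import re
from typing import Dict

# Constructed excerpt in the format of the debug output quoted in the post.
SAMPLE_DEBUG = """\
00:49:15: ISAKMP (0:0): received packet from 10.0.0.2 (N) NEW SA
00:49:15: ISAKMP (0:1): sending packet to 10.0.0.2 (R) MM_SA_SETUP
00:49:15: ISAKMP (0:1): sending packet to 10.0.0.2 (R) MM_KEY_EXCH
00:49:15: ISAKMP (0:1): SA has been authenticated with 10.0.0.2
00:49:15: ISAKMP (0:1): sending packet to 10.0.0.2 (R) QM_IDLE
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
00:49:15: IPSEC(validate_transform_proposal): proxy identities not supported
00:49:15: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 10.0.0.2
"""

STATE_RE = re.compile(r"ISAKMP \(\d+:\d+\): (?:sending|received) packet (?:to|from) (\S+) \(\w\) (\w+)")
PROXY_RE = re.compile(r"(local|remote)_proxy= (\S+)/(\S+)/(\d+)/(\d+)")
FAIL_RE = re.compile(r"IPSEC\(validate_transform_proposal\): (.+)$")

def analyse_isakmp_debug(text: str) -> Dict:
    # One pass over the log: peer, IKE state transitions, phase 1 auth,
    # phase 2 proxy identities (addr, mask, proto, port) and rejection reason.
    r = {"peer": None, "states": [], "phase1_auth": False, "proxies": {},
         "phase2_failure": None, "quick_mode_failed": False}
    for line in text.splitlines():
        if m := STATE_RE.search(line):
            r["peer"] = m.group(1)
            if not r["states"] or r["states"][-1] != m.group(2):
                r["states"].append(m.group(2))  # collapse repeated states
        elif "SA has been authenticated" in line:
            r["phase1_auth"] = True
        elif m := PROXY_RE.search(line):
            side, addr, mask, proto, port = m.groups()
            r["proxies"][side] = (addr, mask, int(proto), int(port))
        elif m := FAIL_RE.search(line):
            r["phase2_failure"] = m.group(1).strip()
        elif "IKMP_MODE_FAILURE" in line:  # syslog-level message, no debug needed
            r["quick_mode_failed"] = True
    return r

def diagnose(r: Dict) -> str:
    # Point the operator at the failing phase instead of the whole config.
    if not r["phase1_auth"]:
        return "phase 1 never authenticated: check ISAKMP policy and pre-shared key"
    if r["phase2_failure"]:
        lp, rp = r["proxies"].get("local"), r["proxies"].get("remote")
        return (f"phase 1 ok, phase 2 rejected ({r['phase2_failure']}): "
                f"proposed proxies local={lp} remote={rp}; compare with the crypto ACL on both peers")
    return "no rejection seen in this excerpt"
```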