[c-nsp] (no subject)

Luan Nguyen luan.nguyen at mci.com
Tue Oct 19 22:13:59 EDT 2004


Seems like Cisco doesn't like acl permit any any.

"Proxy Identities Not Supported
The message below appears in debugs if the access list for IPSec traffic
does not match.

1d00h: IPSec(validate_transform_proposal): proxy identities not supported
1d00h: ISAKMP: IPSec policy invalidated proposal
1d00h: ISAKMP (0:2): SA not acceptable!"

For the dynamic side, usually you don't have to set up an ACL, since the other
side will initiate and the ACL will be dynamically created.  Once created,
traffic can then flow both ways.
On the spoke side, if you don't have a LAN interface, then create a loopback
interface and do acl 115 permit host <loopback> host 10.0.0.1 or
192.168.1.141.

Luan


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of mk at vserver.elxsi.de
Sent: Tuesday, October 19, 2004 5:35 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] (no subject)

Hi,

I'm trying to set up an IPsec tunnel between two routers. One router has a
dynamic IP address and the other a static one. The problem is that I
always get the following error when I try to establish the IPsec tunnel:


Router#debug crypto ipsec
Router#debug crypto isakmp
Router#
00:49:15: ISAKMP (0:0): received packet from 10.0.0.2 (N) NEW SA
00:49:15: ISAKMP: local port 500, remote port 500
00:49:15: ISAKMP (0:1): processing SA payload. message ID = 0
00:49:15: ISAKMP (0:1): found peer pre-shared key matching 10.0.0.2
00:49:15: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1
policy
00:49:15: ISAKMP:      encryption DES-CBC
00:49:15: ISAKMP:      hash MD5
00:49:15: ISAKMP:      default group 1
00:49:15: ISAKMP:      auth pre-share
00:49:15: ISAKMP:      life type in seconds
00:49:15: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
00:49:15: ISAKMP (0:1): atts are acceptable. Next payload is 0
00:49:15: ISAKMP (0:1): SA is doing pre-shared key authentication using id
type ID_IPV4_ADDR
00:49:15: ISAKMP (0:1): sending packet to 10.0.0.2 (R) MM_SA_SETUP
00:49:15: ISAKMP (0:1): received packet from 10.0.0.2 (R) MM_SA_SETUP
00:49:15: ISAKMP (0:1): processing KE payload. message ID = 0
00:49:15: ISAKMP (0:1): processing NONCE payload. message ID = 0
00:49:15: ISAKMP (0:1): found peer pre-shared key matching 10.0.0.2
00:49:15: ISAKMP (0:1): SKEYID state generated
00:49:15: ISAKMP (0:1): processing vendor id payload
00:49:15: ISAKMP (0:1): speaking to another IOS box!
00:49:15: ISAKMP (0:1): sending packet to 10.0.0.2 (R) MM_KEY_EXCH
00:49:15: ISAKMP (0:1): received packet from 10.0.0.2 (R) MM_KEY_EXCH
00:49:15: ISAKMP (0:1): processing ID payload. message ID = 0
00:49:15: ISAKMP (0:1): processing HASH payload. message ID = 0
00:49:15: ISAKMP (0:1): SA has been authenticated with 10.0.0.2
00:49:15: ISAKMP (1): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
00:49:15: ISAKMP (1): Total payload length: 12
00:49:15: ISAKMP (0:1): sending packet to 10.0.0.2 (R) QM_IDLE      
00:49:15: ISAKMP (0:1): received packet from 10.0.0.2 (R) QM_IDLE      
00:49:15: ISAKMP (0:1): processing HASH payload. message ID = -391103982
00:49:15: ISAKMP (0:1): processing SA payload. message ID = -391103982
00:49:15: ISAKMP (0:1): Checking IPSec proposal 1
00:49:15: ISAKMP: transform 1, ESP_DES
00:49:15: ISAKMP:   attributes in transform:
00:49:15: ISAKMP:      encaps is 1
00:49:15: ISAKMP:      SA life type in seconds
00:49:15: ISAKMP:      SA life duration (basic) of 3600
00:49:15: ISAKMP:      SA life type in kilobytes
00:49:15: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 
00:49:15: ISAKMP:      authenticator is HMAC-MD5
00:49:15: ISAKMP (0:1): atts are acceptable.
00:49:15: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 10.0.0.1, remote= 10.0.0.2, 
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), 
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac , 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
00:49:15: IPSEC(validate_transform_proposal): proxy identities not supported
00:49:15: ISAKMP (0:1): IPSec policy invalidated proposal
00:49:15: ISAKMP (0:1): phase 2 SA not acceptable!
00:49:15: ISAKMP (0:1): sending packet to 10.0.0.2 (R) QM_IDLE      
00:49:15: ISAKMP (0:1): purging node 249970632
00:49:15: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with
peer at 10.0.0.2       
00:49:15: ISAKMP (0:1): deleting node -391103982 error FALSE reason
"IKMP_NO_ERR_NO_TRANS"


So why is the "phase 2 SA" not acceptable? And why does the processing of
quick mode fail?


Here is the configuration of both routers, some unimportant stuff removed
(lab, so both routers have a static ip for testing purposes):

Router1 (hub router):
Router#show run
Building configuration...

Current configuration : 1407 bytes
!
version 12.2
service nagle
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
aaa new-model
aaa authentication login clientauth local
aaa authorization network groupauthor local 
enable secret 5 <snip>
!
username <snip> password 7 <snip>
ip subnet-zero
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!         
!         
crypto ipsec transform-set rtpset esp-des esp-md5-hmac 
!         
crypto dynamic-map rtpmap 10
 set transform-set rtpset 
 match address 115
!         
!         
crypto map rtptrans 10 ipsec-isakmp dynamic rtpmap 
!         
!         
interface Ethernet0
 ip address 192.168.1.141 255.255.255.252
 media-type 10BaseT
!         
interface Serial0
 ip address 10.0.0.1 255.0.0.0
 clockrate 4000000
 crypto map rtptrans
!         
ip classless
!         
access-list 115 permit ip any any
!         
end       


-------------------------------------------------------------------------------

Router2 (remote router):
Router2#show run
Current configuration : 1133 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
boot system flash:c4500-ik8s-mz.122-19a.bin
enable secret 5 <snip>
!
ip subnet-zero
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 10.0.0.1
!
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto map rtp 1 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set rtpset
 match address 115
!
!
controller E1 0
!
!
!
interface Serial0
 ip address 10.0.0.2 255.255.255.252
 no ip route-cache
 no ip mroute-cache
 crypto map rtp
!
ip classless
no ip http server
!
access-list 115 permit ip any any
dialer-list 1 protocol ip permit
!
end


I used this example and modified some parts of it:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml


Both lab routers are Cisco 4500 with the following IOS versions:

Router1 (hub router):		c4500-jk8s-mz.122-23.bin
Router2 (remote router):	c4500-ik8s-mz.122-19a.bin


Does anyone know what I'm doing wrong?


Thank you for your help,
Martin Kluge

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
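As an added example (not code from this thread, from Cisco, or from either poster), the script below automates the two checks the diagnosis above turns on: it pulls the local_proxy/remote_proxy identities out of the `debug crypto ipsec` output and flags the any/any (0.0.0.0/0) proxy that a `permit ip any any` crypto ACL proposes in Quick Mode, and it parses the crypto ACLs of two peers with static crypto maps and verifies they mirror each other (a spoke entry's source/destination swapped must appear on the hub). The debug sample is constructed to follow the shape of the thread's output, the ACL lines are constructed, and 192.168.2.1 is an assumed address standing in for the spoke loopback Luan suggests.

```python
"""Checks for an IOS IPsec Phase 2 'proxy identities not supported' failure.

Added example (not from the thread or from Cisco). It does two things:
  1. parse the local_proxy/remote_proxy identities out of 'debug crypto ipsec'
     output and flag an any/any proxy (0.0.0.0/0), which is what a crypto ACL
     of 'permit ip any any' proposes in Quick Mode;
  2. parse the crypto ACLs of two peers with static crypto maps and verify
     they mirror each other (spoke src/dst swapped == hub src/dst).
"""
import ipaddress
import re

# Constructed sample; the lines follow the shape of the thread's debug output.
DEBUG_SAMPLE = """\
00:49:15: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 10.0.0.1, remote= 10.0.0.2,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
00:49:15: IPSEC(validate_transform_proposal): proxy identities not supported
00:49:15: ISAKMP (0:1): IPSec policy invalidated proposal
"""

# Constructed ACLs: 192.168.2.1 is an assumed spoke loopback address.
BROKEN_SPOKE_ACL = ["access-list 115 permit ip any any"]
BROKEN_HUB_ACL = ["access-list 115 permit ip any any"]
FIXED_SPOKE_ACL = ["access-list 115 permit ip host 192.168.2.1 host 192.168.1.141"]
FIXED_HUB_ACL = ["access-list 115 permit ip host 192.168.1.141 host 192.168.2.1"]

ANY = ipaddress.ip_network("0.0.0.0/0")
# IOS prints a proxy identity as address/netmask/protocol/port
PROXY_RE = re.compile(r"(local|remote)_proxy=\s*([\d.]+)/([\d.]+)/(\d+)/(\d+)")
ACL_RE = re.compile(r"^access-list\s+\d+\s+permit\s+ip\s+(.+)$")


def parse_proxy_ids(debug_text):
    """Return {'local': network, 'remote': network} from the debug lines."""
    ids = {}
    for side, addr, mask, _proto, _port in PROXY_RE.findall(debug_text):
        ids[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ids


def diagnose(debug_text):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    if "proxy identities not supported" in debug_text:
        findings.append("Phase 2 rejected: proxy identities not supported")
    for side, net in sorted(parse_proxy_ids(debug_text).items()):
        if net == ANY:
            findings.append(f"proposed {side}_proxy is any (0.0.0.0/0): "
                            "a 'permit ip any any' crypto ACL proposes this")
    return findings


def _address_spec(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (net, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 means /24
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_acl(lines):
    """Return [(src_net, dst_net), ...] for the 'permit ip' entries of an ACL."""
    entries = []
    for line in lines:
        m = ACL_RE.match(line.strip())
        if m:
            src, rest = _address_spec(m.group(1).split())
            dst, _ = _address_spec(rest)
            entries.append((src, dst))
    return entries


def crypto_acl_problems(hub_lines, spoke_lines):
    """Flag any/any entries and spoke entries that the hub ACL does not mirror."""
    problems = []
    hub, spoke = parse_acl(hub_lines), parse_acl(spoke_lines)
    for name, entries in (("hub", hub), ("spoke", spoke)):
        for src, dst in entries:
            if src == ANY and dst == ANY:
                problems.append(f"{name}: 'permit ip any any' is not a usable crypto ACL")
    for src, dst in spoke:
        if (dst, src) not in hub:
            problems.append(f"spoke {src} -> {dst} has no mirror entry on the hub")
    return problems


if __name__ == "__main__":
    for finding in diagnose(DEBUG_SAMPLE):
        print("debug:", finding)
    for problem in crypto_acl_problems(BROKEN_HUB_ACL, BROKEN_SPOKE_ACL):
        print("before:", problem)
    print("after:", crypto_acl_problems(FIXED_HUB_ACL, FIXED_SPOKE_ACL) or "ACLs mirror")
```

Run against the thread's output the first check reports the rejection and both any proxies; run against the two `permit ip any any` ACLs the second check flags both sides, and against the host-to-host pair it returns nothing. The mirror check is the general rule for two static crypto maps; as Luan notes, a hub using a dynamic crypto map does not need a matching ACL of its own, so only the spoke side of that pair needs the narrow entry.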
