[c-nsp] asymmetric VPN tunnel trouble

adam.morrison at pobox.com adam.morrison at pobox.com
Mon Jan 3 16:33:47 EST 2005


Hi,

I'm running into trouble setting up an asymmetric IPSEC VPN between two
3745 boxes running 12.2(15)T.  I have a REMOTE router which is simply
a gateway to some network (i.e. has two interfaces, internal and
external) and a LOCAL router which is a multihomed gateway (3
interfaces).

I want to encrypt only traffic flowing from the REMOTE router to the
LOCAL router; the way routing is set up dictates that the encrypted
traffic will arrive on interface FastEthernet0/1 of LOCAL, but packets
sent from LOCAL to REMOTE will be sent using the IP address of interface
FastEthernet0/0.

According to the documentation, this scenario is what "identity
hostname" is for --- but I can't set up the tunnel.  Turning on
debugging, I see that authentication works (almost) fine:

LOCAL:	ISAKMP (0:1): SA has been authenticated with 10.0.4.2
ISAKMP (0:1): peer matches *none* of the profiles
REMOTE:	ISAKMP (0:1): SA has been authenticated with 10.0.1.2
ISAKMP (0:1): peer matches *none* of the profiles

But encryption doesn't seem to work, apparently because the packets
arrive from the wrong IP:

REMOTE:	IPSEC(validate_transform_proposal): peer address 10.0.1.2 not found
ISAKMP (0:1): IPSec policy invalidated proposal
ISAKMP (0:1): phase 2 SA policy not acceptable! (local 10.0.4.2 remote 10.0.1.2)


Any ideas?  What am I missing?

Below are the relevant configuration excerpts; note that for the
experiments I created a setup where the tunnel can be used by a single
host on each side.

LOCAL:
------
ip domain example.com
ip host REMOTE.example.com 10.0.4.2
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key EXAMPLE address 10.0.4.2
crypto isakmp identity hostname
!
crypto ipsec transform-set ggg ah-md5-hmac esp-des esp-md5-hmac
!
crypto map remote 10 ipsec-isakmp
description TO_REMOTE
set peer 10.0.4.2
set transform-set ggg
match address 101
!
interface Tunnel1
ip address 11.0.0.2 255.255.255.0
tunnel source FastEthernet0/1
tunnel destination 10.0.4.2
!
interface FastEthernet0/0
ip address 10.0.1.2 255.255.255.0
crypto map remote
!
interface FastEthernet0/1
ip address 10.0.0.2 255.255.255.252
crypto map remote
!
interface GigabitEthernet1/0
ip address 10.0.0.5 255.255.255.252
!
ip route 12.0.0.2 255.255.255.255 10.0.1.1
!
access-list 101 permit ip host 10.0.0.6 host 12.0.0.2

REMOTE:
-------
ip domain example.com
ip host LOCAL.example.com 10.0.0.2 10.0.1.2
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key EXAMPLE address 10.0.1.2
crypto isakmp key EXAMPLE address 10.0.0.2
crypto isakmp identity hostname
!
crypto ipsec transform-set ggg ah-md5-hmac esp-des esp-md5-hmac
!
crypto map remote 11 ipsec-isakmp
description FROM_REMOTE
set peer 10.0.0.2
set transform-set ggg
match address 100
!
interface Tunnel1
ip address 11.0.0.1 255.255.255.0
tunnel source FastEthernet0/1
tunnel destination 10.0.0.2
!
interface FastEthernet0/0
ip address 12.0.0.1 255.255.255.0
!
interface FastEthernet0/1
ip address 10.0.4.2 255.255.255.0
crypto map remote
!
interface GigabitEthernet1/0
ip address 10.0.0.5 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.0.4.1
!
access-list 100 permit ip host 12.0.0.2 host 10.0.0.6
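An added sanity check for the asymmetric setup described in the post (editor's example, not code from the original message or from Cisco). It parses the two config excerpts above (copied into the script as constructed strings so it runs offline) and, for every interface on one router that has the crypto map applied, checks that the far router knows that address as a pre-shared key address, as a `set peer` in some crypto map entry, and in its `ip host` entry for the sender's FQDN. The script assumes the usual reading of the debug line `IPSEC(validate_transform_proposal): peer address X not found`, namely that no crypto map entry on that router names X as a peer; the FQDNs `LOCAL.example.com` and `REMOTE.example.com` are taken from the `ip host` lines in the post.

```python
"""Cross-check two IOS IPsec configs for peer/key/crypto-map symmetry.

Editor's added example, not code from the original post.  Assumption:
'IPSEC(validate_transform_proposal): peer address X not found' means no
crypto map entry on that router lists X under 'set peer'.
"""
import re

# Constructed copies of the LOCAL/REMOTE excerpts from the post (only the
# lines the check needs; tunnel and non-crypto interfaces are omitted).
LOCAL_CFG = """
ip host REMOTE.example.com 10.0.4.2
!
crypto isakmp key EXAMPLE address 10.0.4.2
!
crypto map remote 10 ipsec-isakmp
 set peer 10.0.4.2
 match address 101
!
interface FastEthernet0/0
 ip address 10.0.1.2 255.255.255.0
 crypto map remote
!
interface FastEthernet0/1
 ip address 10.0.0.2 255.255.255.252
 crypto map remote
!
"""

REMOTE_CFG = """
ip host LOCAL.example.com 10.0.0.2 10.0.1.2
!
crypto isakmp key EXAMPLE address 10.0.1.2
crypto isakmp key EXAMPLE address 10.0.0.2
!
crypto map remote 11 ipsec-isakmp
 set peer 10.0.0.2
 match address 100
!
interface FastEthernet0/0
 ip address 12.0.0.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.0.4.2 255.255.255.0
 crypto map remote
!
"""


def parse_ios(text):
    """Pull out 'ip host' entries, pre-shared key addresses, crypto map
    'set peer' addresses and the IP of each interface the map is applied to."""
    cfg = {"hosts": {}, "keys": set(), "peers": set(), "crypto_ifaces": {}}
    block, iface_ip = None, None      # open crypto-map / interface block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            block = None              # '!' closes the current block
        elif m := re.match(r"ip host (\S+) (.+)", line):
            cfg["hosts"][m.group(1)] = m.group(2).split()
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            cfg["keys"].add(m.group(1))
        elif line.startswith("crypto map ") and " ipsec-isakmp" in line:
            block = "cmap"            # crypto map entry (not an interface)
        elif line.startswith("interface "):
            block, iface_ip = line.split()[1], None
        elif block == "cmap" and (m := re.match(r"set peer (\S+)", line)):
            cfg["peers"].add(m.group(1))
        elif block and (m := re.match(r"ip address (\S+) \S+", line)):
            iface_ip = m.group(1)
        elif block and line.startswith("crypto map ") and iface_ip:
            cfg["crypto_ifaces"][block] = iface_ip   # map applied here
    return cfg


def check_symmetry(a_fqdn, cfg_a, b_name, cfg_b):
    """Every address A can source crypto traffic from must be known to B:
    as a key address, as a 'set peer', and (because both sides use
    'identity hostname' and resolve names via 'ip host') in B's host
    entry for A's FQDN.  Returns (router, missing item, address, iface)."""
    findings = []
    for iface, addr in sorted(cfg_a["crypto_ifaces"].items()):
        if addr not in cfg_b["keys"]:
            findings.append((b_name, "isakmp key", addr, iface))
        if addr not in cfg_b["peers"]:
            findings.append((b_name, "set peer", addr, iface))
        hosts = cfg_b["hosts"].get(a_fqdn)
        if hosts is not None and addr not in hosts:
            findings.append((b_name, "ip host", addr, iface))
    return findings


def audit(local_text, remote_text,
          local_fqdn="LOCAL.example.com", remote_fqdn="REMOTE.example.com"):
    local, remote = parse_ios(local_text), parse_ios(remote_text)
    return (check_symmetry(local_fqdn, local, "REMOTE", remote)
            + check_symmetry(remote_fqdn, remote, "LOCAL", local))


if __name__ == "__main__":
    for router, item, addr, iface in audit(LOCAL_CFG, REMOTE_CFG):
        print(f"{router}: no '{item}' covering {addr} "
              f"(far side sends from {iface})")
```

On the posted excerpts the only finding is that REMOTE has no crypto map entry with `set peer 10.0.1.2`, even though LOCAL's FastEthernet0/0 (10.0.1.2) carries the crypto map and is the source address of LOCAL-to-REMOTE packets; this matches the address named in the phase 2 failure in the debug output. Adding that `set peer` to the copied REMOTE config makes the audit return no findings.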
