[c-nsp] asymmetric VPN tunnel trouble

Michael Markstaller mm at elabnet.de
Tue Jan 4 06:40:50 EST 2005


Hmm, I'll try to suggest some things, although I haven't fully
understood what you try to achieve ;)

> adam.morrison at pobox.com
> Sent: Monday, January 03, 2005 10:34 PM
> 
> Hi,
> 
> I'm running into trouble setting up an asymmetric IPSEC VPN 
> between two
> 3745 boxes running 12.2(15)T.  I have a REMOTE router which is simply
I'd currently rather use 12.3(9b), which is running quite perfectly on my
37xx; with everything above 12.2(13)T and below 12.3(3) I had some major
problems (but in a different environment).

> a gateway to some network (i.e. has two interfaces, internal and
> external) and a LOCAL router which is a multihomed gateway (3
> interfaces).
> 
> I want to encrypt only traffic flowing from the REMOTE router to the
> LOCAL router; the way routing is set up dictates that the encrypted
> traffic will arrive on interface FastEthernet0/1 of LOCAL, but packets
> sent
> from LOCAL to REMOTE will be sent using the IP address of interface
> FastEthernet 0/0.
> 
> According to the documentation, this scenario is what "identity
> hostname"
> is for --- but I can't set up the tunnel.  Turning on debugging, I see
> that
> authentication works (almost) fine:
> 
> LOCAL:	ISAKMP (0:1): SA has been authenticated with 10.0.4.2
> ISAKMP (0:1): peer matches *none* of the profiles
> REMOTE:	ISAKMP (0:1): SA has been authenticated with 10.0.1.2
> ISAKMP (0:1): peer matches *none* of the profiles
> 
> But encryption doesn't seem to work, apparently because the packets
> arrive from the wrong IP:
> 
> REMOTE:	IPSEC(validate_transform_proposal): peer 
> address 10.0.1.2 not
> found
> ISAKMP (0:1): IPSec policy invalidated proposal
> ISAKMP (0:1): phase 2 SA policy not acceptable! (local 10.0.4.2
> remote 10.0.1.2)
> 
> 
> Any ideas?  What am I missing?
> 
> Below the relevant configuration excerpts; note that for the
> experiments
> I created a setup where the tunnel can be used by a single 
> host on each
> side.
> 
> LOCAL:
> ------
> ip domain example.com
> ip host REMOTE.example.com 10.0.4.2
> !
> crypto isakmp policy 10
> encr 3des

Your transform-set is DES?

> authentication pre-share
> group 2
> crypto isakmp key EXAMPLE address 10.0.4.2
> crypto isakmp identity hostname

So you're setting keys by address but set "crypto isakmp identity
hostname". Just leave all the hostname stuff out, it creates troubles. If you have
dynamic IPs it won't work either; then use dynamic crypto maps.
Think about using certs or at least rsa-encr, PSK is insecure..

> !
> crypto ipsec transform-set ggg ah-md5-hmac esp-des esp-md5-hmac
You normally don't need AH, and I had some troubles with MD5 hashes back
with 12.2T; probably nothing that matters, but SHA with DES works fine. You can use
transport mode in your tunnel setup, which saves some overhead and therefore
MTU issues:
crypto ipsec transform-set TRANS-3DES esp-3des esp-sha-hmac
  mode transport

> !
> crypto map remote 10 ipsec-isakmp
> description TO_REMOTE
> set peer 10.0.4.2
> set transform-set ggg
> match address 101
> !
> interface Tunnel1
> ip address 11.0.0.2 255.255.255.0
> tunnel source FastEthernet0/1
> tunnel destination 10.0.4.2
> !
> interface FastEthernet0/0
> ip address 10.0.1.2 255.255.255.0
> crypto map remote
> !
> interface FastEthernet0/1
> ip address 10.0.0.2 255.255.255.252
> crypto map remote
> !
> interface GigabitEthernet1/0
> ip address 10.0.0.5 255.255.255.252
> !
> ip route 12.0.0.2 255.255.255.255 10.0.1.1
??? Now when you want to encrypt/tunnel packets, route them into the
tunnel. I don't see enough of your net to tell whether this makes sense
at all..

> !
> access-list 101 permit ip host 10.0.0.6 host 12.0.0.2

This should read:
access-list 101 permit gre host 10.0.0.2 host 10.0.4.2
at least when you want to encrypt the tunnel only. In case you want to
encrypt other traffic, omit the transport mode in the transform set above and
write any source/destination pair into the ACL.

> 
> REMOTE:
> -------
> ip domain example.com
> ip host LOCAL.example.com 10.0.0.2 10.0.1.2
> !
> crypto isakmp policy 10
> encr 3des
Your transform-set is DES?

> authentication pre-share
> group 2
> crypto isakmp key EXAMPLE address 10.0.1.2
> crypto isakmp key EXAMPLE address 10.0.0.2
see above

> crypto isakmp identity hostname
> !
> crypto ipsec transform-set ggg ah-md5-hmac esp-des esp-md5-hmac

see above 

> !
> crypto map remote 11 ipsec-isakmp
> description FROM_REMOTE
> set peer 10.0.0.2
Depending on your routing, set both as peers.

> set transform-set ggg
> match address 100
> !
> interface Tunnel1
> ip address 11.0.0.1 255.255.255.0
> tunnel source FastEthernet0/1
> tunnel destination 10.0.0.2
> !
> interface FastEthernet0/0
> ip address 12.0.0.1 255.255.255.0
> !
> interface FastEthernet0/1
> ip address 10.0.4.2 255.255.255.0
> crypto map remote
> !
> interface GigabitEthernet1/0
> ip address 10.0.0.5 255.255.255.252
> !
> ip route 0.0.0.0 0.0.0.0 10.0.4.1
> !
> access-list 100 permit ip host 12.0.0.2 host 10.0.0.6

Swap ACL 101 from above or, depending on what you want to achieve,


Michael
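As an added illustration (not part of the thread and not Cisco's or the poster's code), the checks raised in this reply can be applied mechanically to the two config excerpts above. The Python script below parses the crypto-relevant lines of both routers and reports: pre-shared keys keyed by address while "crypto isakmp identity hostname" is set; a key configured for a peer address that no crypto map lists under "set peer" (the condition behind REMOTE's "peer address 10.0.1.2 not found" message, and the reason to set both addresses as peers); single-DES or AH in the transform set; and crypto ACLs that are not mirror images of each other. The embedded config strings are reduced copies of the LOCAL and REMOTE excerpts from the post; the function names and the finding wording are this example's own.

```python
import re

# Crypto-relevant lines of the LOCAL excerpt from the post (addresses as posted).
LOCAL_CFG = """
crypto isakmp identity hostname
crypto isakmp key EXAMPLE address 10.0.4.2
crypto ipsec transform-set ggg ah-md5-hmac esp-des esp-md5-hmac
crypto map remote 10 ipsec-isakmp
 set peer 10.0.4.2
 set transform-set ggg
 match address 101
access-list 101 permit ip host 10.0.0.6 host 12.0.0.2
"""

# Crypto-relevant lines of the REMOTE excerpt from the post.
REMOTE_CFG = """
crypto isakmp identity hostname
crypto isakmp key EXAMPLE address 10.0.1.2
crypto isakmp key EXAMPLE address 10.0.0.2
crypto ipsec transform-set ggg ah-md5-hmac esp-des esp-md5-hmac
crypto map remote 11 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set ggg
 match address 100
access-list 100 permit ip host 12.0.0.2 host 10.0.0.6
"""

# Only host/host crypto ACL entries are handled; that is all the post uses.
ACL_RE = re.compile(r"^access-list (\d+) permit (\S+) host (\S+) host (\S+)$")


def parse_config(text):
    """Pull the ISAKMP/IPsec statements out of an IOS config excerpt."""
    cfg = {"acls": {}, "maps": [], "identity": "address",  # IOS default
           "key_peers": set(), "transforms": {}}
    block = None  # the crypto map entry whose sub-commands we are reading
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            num, proto, src, dst = m.groups()
            cfg["acls"].setdefault(num, []).append((proto, src, dst))
        elif line.startswith("crypto isakmp identity "):
            cfg["identity"] = line.split()[-1]
        elif line.startswith("crypto isakmp key "):
            cfg["key_peers"].add(line.split()[-1])  # address-keyed PSK
        elif line.startswith("crypto ipsec transform-set "):
            parts = line.split()
            cfg["transforms"][parts[3]] = parts[4:]
        elif line.startswith("crypto map ") and line.endswith("ipsec-isakmp"):
            block = {"name": line.split()[2], "peers": [], "acl": None}
            cfg["maps"].append(block)
        elif block and line.startswith("set peer "):
            block["peers"].append(line.split()[-1])
        elif block and line.startswith("match address "):
            block["acl"] = line.split()[-1]
    return cfg


def crypto_acl_entries(cfg):
    """(proto, src, dst) tuples selected for encryption by any crypto map."""
    return {e for cm in cfg["maps"] for e in cfg["acls"].get(cm["acl"], [])}


def check_side(name, cfg):
    """Findings that can be judged from one router's config alone."""
    out = []
    if cfg["identity"] == "hostname" and cfg["key_peers"]:
        out.append("%s: identity hostname but pre-shared keys are keyed by address" % name)
    peers = {p for cm in cfg["maps"] for p in cm["peers"]}
    for addr in sorted(cfg["key_peers"] - peers):
        out.append("%s: key for %s but no crypto map lists it as set peer; "
                   "its phase-2 proposal will be rejected" % (name, addr))
    for tname, algs in cfg["transforms"].items():
        if "esp-des" in algs:
            out.append("%s: transform-set %s uses single DES" % (name, tname))
        if any(a.startswith("ah-") for a in algs):
            out.append("%s: transform-set %s adds AH, usually unnecessary" % (name, tname))
    return out


def check_pair(local, remote):
    """Per-side findings plus the cross-check that crypto ACLs mirror each other."""
    out = check_side("LOCAL", local) + check_side("REMOTE", remote)
    mirrored = {(p, d, s) for p, s, d in crypto_acl_entries(remote)}
    for e in sorted(crypto_acl_entries(local) - mirrored):
        out.append("LOCAL: ACL entry %s has no mirror on REMOTE" % (e,))
    for p, s, d in sorted(mirrored - crypto_acl_entries(local)):
        out.append("REMOTE: ACL entry %s has no mirror on LOCAL" % ((p, d, s),))
    return out


if __name__ == "__main__":
    for finding in check_pair(parse_config(LOCAL_CFG), parse_config(REMOTE_CFG)):
        print(finding)
```

Run against the two excerpts as posted, the script reports the hostname-identity mismatch on both sides, the missing "set peer 10.0.1.2" on REMOTE, and DES/AH in transform-set ggg; the two crypto ACLs already mirror each other, so no ACL finding is raised.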


