[c-nsp] set peer in crypto map
Andriy A. Yerofyeyev
andriy.yerofyeyev at gmail.com
Thu Sep 21 10:49:32 EDT 2006
Deal All,
May be somebody could explain the reason why I cant use Loopback
address in "set peer" crypto-map subcommand ?
Pretty straightforward ipsec tunnel wont work when I pointed it to
Loopback address of peer router. Look like isakmp sa successfully
established but ipsec sa wont.
When I chosen Interface address instead , ipsec sa established like charm .
Any links to documentation will greatly appreciated.
debug crypto ipsec (Lo used)
(...skip...)
Sep 21 2006 10:22:38: IPSEC(key_engine): got a queue event with 1 kei
messages
Sep 21 2006 10:22:39: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 10.10.10.1, remote= 24.185.59.70,
local_proxy= 20.20.20.1/255.255.255.255/0/0 (type=1),
remote_proxy= 30.30.30.1/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
Sep 21 2006 10:22:39: IPSEC(validate_transform_proposal): invalid local
address 10.10.10.1
Sep 21 2006 10:22:39: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick
mode failed with peer at 24.185.59.70
--
Best regards,
Andriy A. Yerofyeyev.
Senior Network Engineer.
More information about the cisco-nsp
mailing list