[c-nsp] set peer in crypto map

Andriy A. Yerofyeyev andriy.yerofyeyev at gmail.com
Thu Sep 21 10:49:32 EDT 2006


Dear All,

    Maybe somebody could explain the reason why I can't use a Loopback
address in the "set peer" crypto-map subcommand?
    A pretty straightforward ipsec tunnel won't work when I point it to
the Loopback address of the peer router. It looks like the isakmp sa is
successfully established but the ipsec sa won't.
When I chose the Interface address instead, the ipsec sa established like a charm.
    Any links to documentation will be greatly appreciated.

debug crypto ipsec (Lo used)

(...skip...)
Sep 21 2006 10:22:38: IPSEC(key_engine): got a queue event with 1 kei
messages
Sep 21 2006 10:22:39: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 10.10.10.1, remote= 24.185.59.70,
    local_proxy= 20.20.20.1/255.255.255.255/0/0 (type=1),
    remote_proxy= 30.30.30.1/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
Sep 21 2006 10:22:39: IPSEC(validate_transform_proposal): invalid local
address 10.10.10.1
Sep 21 2006 10:22:39: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick
mode failed with peer at 24.185.59.70


-- 

Best regards,

Andriy A. Yerofyeyev.
Senior Network Engineer.




