[c-nsp] set peer in crypto map

Mark Kelly markk at indigo.ie
Thu Sep 21 20:11:08 EDT 2006


You want to use the

'crypto map local-address' command on the peer on which you want the 
Loopback as the source of the SAs; otherwise it will use the physical 
interface to which the crypto map is applied.

http://www.cisco.com/en/US/products/ps6441/products_command_reference_chapter09186a00804ae499.html#wp1264087

Andriy A. Yerofyeyev wrote:
> Dear All,
>
>     Maybe somebody could explain the reason why I can't use a Loopback
> address in the "set peer" crypto-map subcommand?
>     A pretty straightforward IPsec tunnel won't work when I point it to the
> Loopback address of the peer router. It looks like the ISAKMP SA is successfully
> established but the IPsec SA isn't.
> When I chose the interface address instead, the IPsec SA established like a charm.
>     Any links to documentation will be greatly appreciated.
>
> debug crypto ipsec (Lo used)
>
> (...skip...)
> Sep 21 2006 10:22:38: IPSEC(key_engine): got a queue event with 1 kei
> messages
> Sep 21 2006 10:22:39: IPSEC(validate_proposal_request): proposal part #1,
>   (key eng. msg.) INBOUND local= 10.10.10.1, remote= 24.185.59.70,
>     local_proxy= 20.20.20.1/255.255.255.255/0/0 (type=1),
>     remote_proxy= 30.30.30.1/255.255.255.255/0/0 (type=1),
>     protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
>     lifedur= 0s and 0kb,
>     spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
> Sep 21 2006 10:22:39: IPSEC(validate_transform_proposal): invalid local
> address 10.10.10.1
> Sep 21 2006 10:22:39: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick
> mode failed with peer at 24.185.59.70
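As an added, constructed example (not configuration from Mark's reply or from Andriy's post): the relevant IOS fragment on the router that owns Loopback0 10.10.10.1, the address the remote side names in its "set peer". The addresses and the transform come from the debug output in the thread; the map name (VPN), transform-set name (TS), ACL name (VPN-ACL) and the outside interface are assumptions, and the pre-shared key is a placeholder.

```cisco
! Added example for the router that owns 10.10.10.1 (the side rejecting the proposal).
! Addresses and transform are taken from the debug output in this thread;
! the map name VPN, transform-set TS, ACL VPN-ACL and FastEthernet0/0 are assumed.
interface Loopback0
 ip address 10.10.10.1 255.255.255.255
!
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
! Placeholder key. ISAKMP already completed in the thread, so the key itself was not the problem.
crypto isakmp key PRESHARED-KEY-PLACEHOLDER address 24.185.59.70
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
! This is the line Mark refers to. Without it the crypto map only accepts
! proposals whose local address is that of the interface the map is applied to,
! and a proposal with local= 10.10.10.1 fails validate_transform_proposal with
! "invalid local address 10.10.10.1", as in the debug above.
crypto map VPN local-address Loopback0
!
crypto map VPN 10 ipsec-isakmp
 set peer 24.185.59.70
 set transform-set TS
 match address VPN-ACL
!
! Proxy identities match the local_proxy/remote_proxy in the debug.
ip access-list extended VPN-ACL
 permit ip host 20.20.20.1 host 30.30.30.1
!
interface FastEthernet0/0
 crypto map VPN
```

On the other router the mirror settings are "set peer 10.10.10.1" and a "crypto isakmp key ... address 10.10.10.1", and 10.10.10.1 must be routable from that peer. After the change, "show crypto ipsec sa" on this router should list 10.10.10.1 as the local crypto endpoint for the 20.20.20.1/30.30.30.1 identities instead of the physical interface address.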

