[c-nsp] VPN Tunnel Question

O n i xerusian at gmail.com
Mon Dec 28 22:58:55 EST 2009


Thanks!

OK, we have the configuration now, but we can't connect to the other router; we
are setting up a router-to-router connection.

Basically we have our first policy, 10, which uses DES, and everything works
fine on that part. Now we have added a new one, policy 20, which uses 3DES, but
it seems we are getting a problem: the other router is giving them this message

710003 111.111.111.111 xxxx 222.222.222.222 xx TCP access denied by ACL from
111.111.111.11/xxxx to OUTSIDE:222.222.222.222/xx

111.111.111.111 – originating address (fake)

222.222.222.222 – destination address (fake)


Here is a ping command issued to the destination router:

NOCBackup#ping 172.xx.x.xxx source 172.xx.xxx.x

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.xx.x.xxx, timeout is 2 seconds:
Packet sent with a source address of 172.xx.xxx.x

040880: *Dec 28 22:09:53.811 UTC: ISAKMP:(0): SA request profile is (NULL)
040881: *Dec 28 22:09:53.811 UTC: ISAKMP: Created a peer struct for 222.222.222.222, peer port 500
040882: *Dec 28 22:09:53.811 UTC: ISAKMP: New peer created peer = 0x84998D48 peer_handle = 0x80000147
040883: *Dec 28 22:09:53.811 UTC: ISAKMP: Locking peer struct 0x84998D48, refcount 1 for isakmp_initiator
040884: *Dec 28 22:09:53.811 UTC: ISAKMP: local port 500, remote port 500
040885: *Dec 28 22:09:53.815 UTC: ISAKMP: set new node 0 to QM_IDLE
040886: *Dec 28 22:09:53.815 UTC: insert sa successfully sa = 836D4A9C
040887: *Dec 28 22:09:53.815 UTC: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
040888: *Dec 28 22:09:53.815 UTC: ISAKMP:(0):found peer pre-shared key matching 222.222.222.222
040889: *Dec 28 22:09:53.815 UTC: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
040890: *Dec 28 22:09:53.815 UTC: ISAKMP:(0): constructed NAT-T vendor-07 ID
040891: *Dec 28 22:09:53.815 UTC: ISAKMP:(0): constructed NAT-T vendor-03 ID
040892: *Dec 28 22:09:53.815 UTC: ISAKMP:(0): constructed NAT-T vendor-02 ID
040893: *Dec 28 22:09:53.815 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
040894: *Dec 28 22:09:53.815 UTC: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
040895: *Dec 28 22:09:53.815 UTC: ISAKMP:(0): beginning Main Mode exchange
040896: *Dec 28 22:09:53.815 UTC: ISAKMP:(0): sending packet to 222.222.222.222 my_port 500 peer_port 500 (I) MM_NO_STATE
040897: *Dec 28 22:09:53.815 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
040898: *Dec 28 22:09:53.831 UTC: ISAKMP (0:0): received packet from 222.222.222.222 dport 500 sport 500 Global (I) MM_NO_STATE
040899: *Dec 28 22:09:53.831 UTC: ISAKMP:(0):Notify has no hash. Rejected.
040900: *Dec 28 22:09:53.831 UTC: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
040901: *Dec 28 22:09:53.831 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
040902: *Dec 28 22:09:53.831 UTC: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1
040903: *Dec 28 22:09:53.835 UTC: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 222.222.222.222.....

Success rate is 0 percent (0/5)

I can post the partial config after I edit out some details.

On Thu, Dec 24, 2009 at 15:50, swap m <ccie19804 at gmail.com> wrote:

> IOS defaults to DES.
>
> You can always use "sh crypto isakmp policy" to verify.
>
> On Thu, Dec 24, 2009 at 7:44 AM, O n i <xerusian at gmail.com> wrote:
>
>> Good evening everyone,
>>
>> Can this policy support an esp-3des setup, or only esp-des? Usually I
>> put in "encryption des" or "encryption 3des", but I am not sure whether
>> not putting one in defaults to DES. If there's an existing policy like
>> the one below, should I create a new policy or just include the command
>> "encryption 3des"? I hope you understand, since my English is bad.
>>
>>
>> crypto isakmp policy 10
>>  hash md5
>>  authentication pre-share
>>  group 2
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
>
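The reply above makes the key point: an IOS ISAKMP policy that omits "encryption" silently gets DES, so "sh crypto isakmp policy" is the way to see what a policy really negotiates. The following is an added example, not code from the thread or from Cisco, that does the same check offline against a running-config excerpt: it parses each "crypto isakmp policy" block, fills in the IOS defaults for anything not stated (assumed here as encryption des, hash sha, authentication rsa-sig, group 1, lifetime 86400), and reports settings a defender would not want in a phase 1 proposal. The sample config is constructed from the thread's policy 10 plus a hypothetical policy 20 with "encryption 3des".

```python
"""Audit Cisco IOS 'crypto isakmp policy' blocks for weak or defaulted settings.

Added example for the cisco-nsp thread; not Cisco's code. Assumes the IOS
IKEv1 phase 1 defaults listed in IOS_DEFAULTS apply when a parameter is omitted.
"""
import re

# Assumed IOS defaults for parameters not written in the policy block.
IOS_DEFAULTS = {
    "encryption": "des",
    "hash": "sha",
    "authentication": "rsa-sig",
    "group": "1",
    "lifetime": "86400",
}

# Values a defender should flag in an IKEv1 phase 1 policy, with a remediation hint.
WEAK = {
    "encryption": {"des": "use aes 256 (or at minimum 3des)"},
    "hash": {"md5": "use sha256"},
    "group": {"1": "use group 14 or higher", "2": "use group 14 or higher"},
}

POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)\s*$")

# Constructed sample: the thread's policy 10 plus a hypothetical policy 20.
SAMPLE_CONFIG = """
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 20
 encryption 3des
 hash md5
 authentication pre-share
 group 2
!
"""


def parse_isakmp_policies(config_text):
    """Return {priority: {param: (value, explicit)}}, defaults filled in.

    'explicit' is False when the value comes from IOS_DEFAULTS rather than
    from a line in the config, so the report can say a setting was defaulted.
    """
    policies = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        m = POLICY_RE.match(line)
        if m:
            current = int(m.group(1))
            policies[current] = {k: (v, False) for k, v in IOS_DEFAULTS.items()}
            continue
        if current is None:
            continue
        if not line.startswith(" "):
            current = None  # any non-indented line ends the policy block
            continue
        parts = line.split()
        if parts and parts[0] in IOS_DEFAULTS:
            policies[current][parts[0]] = (" ".join(parts[1:]), True)
    return policies


def audit_policies(policies):
    """Return findings as (priority, param, value, origin, remediation) tuples."""
    findings = []
    for prio in sorted(policies):
        for param, (value, explicit) in policies[prio].items():
            weak_values = WEAK.get(param, {})
            if value in weak_values:
                origin = "configured" if explicit else "defaulted"
                findings.append((prio, param, value, origin, weak_values[value]))
    return findings


if __name__ == "__main__":
    for prio, param, value, origin, fix in audit_policies(parse_isakmp_policies(SAMPLE_CONFIG)):
        print(f"policy {prio}: {param} {value} ({origin}) -> {fix}")
```

Run against the sample, the report shows policy 10 negotiating DES purely by default, which is exactly the situation the original question was asking about; policy 20 fixes the cipher but still carries MD5 and group 2, so both policies would still be worth tightening.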
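The "debug crypto isakmp" output posted above is the other piece of evidence in this thread, and it is easier to read once the state transitions are pulled out of it. What follows is an added example, not code from the thread or from Cisco: a small triage script that walks IOS ISAKMP debug lines, records every "Old State / New State" transition, remembers the peer address, and flags a negotiation that never gets past main mode (no IKE_P1_COMPLETE, and a self-transition after a packet from the peer). The sample input is the thread's own debug lines with the e-mail line wrapping undone; the second, healthy transcript is constructed.

```python
"""Triage Cisco IOS 'debug crypto isakmp' output for a stalled IKEv1 phase 1.

Added example for the cisco-nsp thread; not Cisco's code. The state names
(IKE_I_MM1 .. IKE_P1_COMPLETE) are the ones IOS prints for a main-mode initiator.
"""
import re

TS_RE = re.compile(r"^\d+: \*(\S+ \d+ \d\d:\d\d:\d\d\.\d+ \S+): (.*)$")
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
PEER_RE = re.compile(r"(?:peer struct for|sending packet to|peer at) (\d+\.\d+\.\d+\.\d+)")

# Messages that mean the exchange was rejected locally or failed outright.
FAILURE_MARKERS = (
    "Notify has no hash. Rejected",
    "Unknown Input",
    "%CRYPTO-6-IKMP_MODE_FAILURE",
)

# Sample taken from the thread (wrapped lines rejoined); addresses are the thread's placeholders.
SAMPLE_DEBUG = """
040880: *Dec 28 22:09:53.811 UTC: ISAKMP:(0): SA request profile is (NULL)
040881: *Dec 28 22:09:53.811 UTC: ISAKMP: Created a peer struct for 222.222.222.222, peer port 500
040894: *Dec 28 22:09:53.815 UTC: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
040895: *Dec 28 22:09:53.815 UTC: ISAKMP:(0): beginning Main Mode exchange
040896: *Dec 28 22:09:53.815 UTC: ISAKMP:(0): sending packet to 222.222.222.222 my_port 500 peer_port 500 (I) MM_NO_STATE
040898: *Dec 28 22:09:53.831 UTC: ISAKMP (0:0): received packet from 222.222.222.222 dport 500 sport 500 Global (I) MM_NO_STATE
040899: *Dec 28 22:09:53.831 UTC: ISAKMP:(0):Notify has no hash. Rejected.
040900: *Dec 28 22:09:53.831 UTC: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
040902: *Dec 28 22:09:53.831 UTC: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1
040903: *Dec 28 22:09:53.835 UTC: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 222.222.222.222.....
"""

# Constructed transcript of a negotiation that completes phase 1 (only the state lines).
HEALTHY_DEBUG = """
000001: *Dec 28 23:00:00.000 UTC: ISAKMP: Created a peer struct for 203.0.113.2, peer port 500
000002: *Dec 28 23:00:00.001 UTC: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
000003: *Dec 28 23:00:00.020 UTC: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
000004: *Dec 28 23:00:00.090 UTC: ISAKMP:(1001):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
"""


def triage_isakmp_debug(text):
    """Summarise an ISAKMP debug capture: peer, transitions, last state, stall flag, failures."""
    transitions, failures, peer = [], [], None
    for raw in text.splitlines():
        m = TS_RE.match(raw.strip())
        if not m:
            continue  # skip anything that is not a timestamped debug line
        msg = m.group(2)
        pm = PEER_RE.search(msg)
        if pm and peer is None:
            peer = pm.group(1)
        sm = STATE_RE.search(msg)
        if sm:
            transitions.append((sm.group(1), sm.group(2)))
        if any(marker in msg for marker in FAILURE_MARKERS):
            failures.append(msg)
    last_state = transitions[-1][1] if transitions else None
    # A self-transition short of IKE_P1_COMPLETE means a peer message was consumed
    # without advancing main mode: the negotiation is stuck, not merely slow.
    stalled = last_state != "IKE_P1_COMPLETE" and any(old == new for old, new in transitions)
    return {
        "peer": peer,
        "transitions": transitions,
        "last_state": last_state,
        "stalled": stalled,
        "failures": failures,
    }


if __name__ == "__main__":
    for name, capture in (("thread", SAMPLE_DEBUG), ("healthy", HEALTHY_DEBUG)):
        r = triage_isakmp_debug(capture)
        print(f"{name}: peer={r['peer']} last={r['last_state']} stalled={r['stalled']}")
        for f in r["failures"]:
            print("   ", f)
```

On the thread's capture the summary is: the initiator sent its first main-mode message, got back an informational notify instead of an SA reply, discarded it because an unauthenticated notify carries no hash, and stayed in IKE_I_MM1 until the mode-failure syslog. This side of the debug does not show what the notify said, so the responder's logs are where the reason lives; the 710003 ACL deny quoted earlier in the message is the kind of line to look for there.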

