[c-nsp] Help with IPSEC setup
Pedro Matusse
malissende at gmail.com
Fri Apr 23 11:18:13 EDT 2010
Hi there,
Can someone please help with Cisco Easy VPN Server troubleshooting on the
following setup?
It seems that everything runs smoothly with the IKE Phase 1 process and the ISAKMP SA,
and even with all other steps until it comes to IPsec SA establishment.
My server is a Cisco 1841 running c1841-advsecurityk9-mz.124-3g.bin image.
I'm not comfortable with the fact that my p2p connection with my ISP is done
with private IP addresses and the public IP address on my LAN interface is a
secondary one. Can this be the reason that generates the "invalid local
address 196.AA.BB.CC" that can be seen in the debug crypto ipsec output
below?
Thanks in advance
Kind regards
Pedro Matusse
------------------------- Relevant config lines -------------------------
aaa authentication login default local
aaa authorization network MY_USERS local
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group MY_GROUP
 key MY_KEY
 domain MY_DOMAIN
 pool MY_POOL
 acl 199
crypto isakmp profile MY_PROFILE
 description VPN clients profile
 match identity group MY_GROUP
 client authentication list MY_GROUP
 isakmp authorization list MY_USERS
 client configuration address respond
!
crypto ipsec transform-set local esp-3des esp-md5-hmac comp-lzs
!
crypto dynamic-map MY_MAP 255
 set transform-set local
 set isakmp-profile MY_PROFILE
 reverse-route
!
crypto map vpn 255 ipsec-isakmp dynamic MY_MAP
!
interface FastEthernet0/0
 description HQ LAN
 ip address 196.AA.BB.CC 255.255.255.248 secondary
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map vpn
!
interface Serial0/0/0
 description Connection to MY_ISP
 ip address 10.0.22.26 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 no fair-queue
 no cdp enable
========================= debug crypto ipsec excerpt =========================
007019: *Apr 23 16:10:57.083 GMT: ISAKMP:(0:6:SW:1):Checking IPSec proposal 1
007020: *Apr 23 16:10:57.083 GMT: ISAKMP: transform 1, ESP_AES
007021: *Apr 23 16:10:57.083 GMT: ISAKMP:   attributes in transform:
007022: *Apr 23 16:10:57.083 GMT: ISAKMP:      authenticator is HMAC-MD5
007023: *Apr 23 16:10:57.083 GMT: ISAKMP:      key length is 256
007024: *Apr 23 16:10:57.083 GMT: ISAKMP:      encaps is 61443 (Tunnel-UDP)
007025: *Apr 23 16:10:57.083 GMT: ISAKMP:      SA life type in seconds
007026: *Apr 23 16:10:57.083 GMT: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B
007027: *Apr 23 16:10:57.083 GMT: ISAKMP:(0:6:SW:1):atts are acceptable.
007028: *Apr 23 16:10:57.083 GMT: ISAKMP:(0:6:SW:1):Checking IPSec proposal 1
007029: *Apr 23 16:10:57.083 GMT: ISAKMP:(0:6:SW:1):transform 1, IPPCP LZS
007030: *Apr 23 16:10:57.083 GMT: ISAKMP:   attributes in transform:
007031: *Apr 23 16:10:57.083 GMT: ISAKMP:      encaps is 61443 (Tunnel-UDP)
007032: *Apr 23 16:10:57.083 GMT: ISAKMP:      SA life type in seconds
007033: *Apr 23 16:10:57.083 GMT: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B
007034: *Apr 23 16:10:57.087 GMT: ISAKMP:(0:6:SW:1):atts are acceptable.
007035: *Apr 23 16:10:57.087 GMT: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 196.AA.BB.CC, remote= 196.YY.WW.ZZ,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 172.16.10.102/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-aes 256 esp-md5-hmac (Tunnel-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x400
007036: *Apr 23 16:10:57.087 GMT: IPSEC(validate_proposal_request): proposal part #2,
  (key eng. msg.) INBOUND local= 196.AA.BB.CC, remote= 196.YY.WW.ZZ,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 172.16.10.102/255.255.255.255/0/0 (type=1),
    protocol= PCP, transform= comp-lzs (Tunnel-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400
007037: *Apr 23 16:10:57.087 GMT: IPSEC(validate_transform_proposal): invalid local address 196.AA.BB.CC
007038: *Apr 23 16:10:57.087 GMT: ISAKMP:(0:6:SW:1): IPSec policy invalidated proposal
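Cross-checking the posted config against the debug excerpt, as an added example that is not part of the original post and not Cisco tooling. It encodes one IOS rule, taken here as an assumption rather than something the post states: the local address of an IPsec proposal is validated against the primary address of the interface the crypto map is bound to, or against the interface named by a "crypto map <name> local-address <interface>" command when one exists, and never against a secondary address. The two sample strings are constructed from the lines quoted above (the masked addresses are kept verbatim and handled as opaque tokens), and the function names are this example's own.

```python
"""Cross-check a pasted IOS config against a 'debug crypto ipsec' excerpt.

Added example, not from the mailing-list post. Assumed rule (see lead-in):
the proposal's local address must be the primary address of the interface
the crypto map is applied to, or of the interface given by
'crypto map NAME local-address IFACE' if present; secondaries never count.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the relevant lines of the poster's config, with the
# masked addresses kept exactly as they appear in the post.
SAMPLE_CONFIG = """\
crypto map vpn 255 ipsec-isakmp dynamic MY_MAP
!
interface FastEthernet0/0
 description HQ LAN
 ip address 196.AA.BB.CC 255.255.255.248 secondary
 ip address 192.168.1.2 255.255.255.0
 crypto map vpn
!
interface Serial0/0/0
 description Connection to MY_ISP
 ip address 10.0.22.26 255.255.255.252
"""

# Constructed sample: the two debug lines that matter, copied from the post.
SAMPLE_DEBUG = """\
007035: *Apr 23 16:10:57.087 GMT: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 196.AA.BB.CC, remote= 196.YY.WW.ZZ,
007037: *Apr 23 16:10:57.087 GMT: IPSEC(validate_transform_proposal): invalid local address 196.AA.BB.CC
"""

IFACE_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)( secondary)?\s*$")
MAP_APPLY_RE = re.compile(r"^\s*crypto map (\S+)\s*$")
MAP_LOCAL_RE = re.compile(r"^crypto map (\S+) local-address (\S+)")
INVALID_RE = re.compile(r"invalid local address (\S+)")


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Map interface name -> primary address, secondary addresses, crypto map."""
    ifaces: Dict[str, dict] = {}
    cur: Optional[dict] = None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = ifaces.setdefault(m.group(1), {"primary": None, "secondary": [], "crypto_map": None})
            continue
        if cur is None or not line.startswith(" "):
            cur = None  # an unindented line ends the interface stanza
            continue
        m = ADDR_RE.match(line)
        if m:
            if m.group(3):
                cur["secondary"].append(m.group(1))
            else:
                cur["primary"] = m.group(1)
            continue
        m = MAP_APPLY_RE.match(line)
        if m:
            cur["crypto_map"] = m.group(1)
    return ifaces


def map_local_addresses(config: str) -> Dict[str, List[str]]:
    """Addresses the assumed IOS rule lets each crypto map use as 'local'."""
    ifaces = parse_interfaces(config)
    override = {m.group(1): m.group(2)
                for m in map(MAP_LOCAL_RE.match, config.splitlines()) if m}
    result: Dict[str, List[str]] = {}
    for name, info in ifaces.items():
        cmap = info["crypto_map"]
        if cmap is None:
            continue
        # local-address redirects the map to another interface's primary
        src = ifaces.get(override.get(cmap, name), {})
        primary = src.get("primary")
        accepted = result.setdefault(cmap, [])
        if primary and primary not in accepted:
            accepted.append(primary)
    return result


def diagnose(config: str, debug: str) -> List[str]:
    """One finding per 'invalid local address' line in the debug output."""
    ifaces = parse_interfaces(config)
    ok = sorted({a for addrs in map_local_addresses(config).values() for a in addrs})
    findings = []
    for addr in INVALID_RE.findall(debug):
        on = [n for n, i in ifaces.items() if addr in i["secondary"]]
        if on:
            findings.append(f"{addr} is a secondary address on {', '.join(on)}; "
                            f"the crypto map can only use a primary address ({', '.join(ok)})")
        elif addr in ok:
            findings.append(f"{addr} is a valid crypto-map local address; look elsewhere")
        else:
            findings.append(f"{addr} is not the primary address of any crypto-map "
                            f"interface (expected one of {', '.join(ok)})")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_CONFIG, SAMPLE_DEBUG):
        print(finding)
```

Run against the constructed samples, diagnose() reports that 196.AA.BB.CC is a secondary address on FastEthernet0/0 while the only address the map "vpn" can use under the assumed rule is 192.168.1.2, which is the mismatch the 007037 line points at. Feeding it a variant config in which that address is the primary of the crypto-map interface, or of an interface named by "crypto map vpn local-address", yields the "valid crypto-map local address" finding instead, so the script separates this cause from proxy-identity or transform mismatches, which it does not check.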