CCM 5 IPSec with IOS Gateway

Jul 19th, 2007

Hello everyone,


I'm trying to create an IPSec connection from CCM 5.0.2 to an IOS H323 GW. I've created an IPSec policy from the CCM IPT Platform web page and tried to create a compatible IPSec policy on the IOS GW, but I can't establish SAs. Does anyone have any advice or a tip on how to configure the CCM5 IPSec policy and the IOS IPSec policy? Just paste me a running config from the router and maybe advise what to select/choose on the IPSec config page on CallManager?

thisisshanky Thu, 07/19/2007 - 07:57

Hello,


Never tried this on CCM 5.x, but I have played lots with IPSEC on CM 4.x with MGCP and H323 gateways, and usually the tools I have used to troubleshoot IKE or IPSEC negotiation issues are "debug crypto isakmp sa" and "debug crypto ipsec". This will usually show you what phase is failing and what parameter is not matching.


Here is a sample config for CCM 4.x and IOS router. 10.1.1.1 and .2 are the callmanagers.


crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 10800
crypto isakmp key cisco address 10.1.1.1
crypto isakmp key cisco address 10.1.1.2
!
!
crypto ipsec transform-set CM esp-3des esp-sha-hmac
 mode transport
!
crypto map CM 1 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set CM
 match address 101
crypto map CM 2 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set CM
 match address 102
!
access-list 101 permit ip host 10.2.2.2 host 10.1.1.1
access-list 102 permit ip host 10.2.2.2 host 10.1.1.2
!
interface Serial0/0.101 point-to-point
 ip address 10.2.2.2 255.255.255.0
 frame-relay interface-dlci 101
 crypto map CM




Hope that helps!


Sankar.


PS: please remember to rate posts!

miloskv Thu, 07/19/2007 - 08:05
User Badges:

Hi Sankar, thanks for reply


I've already done all of this you have written, but I can't pass IKE Phase 1. On CCM 5 the problem is that it is Linux, and CCM5 (under the shell) is using RACOON. So in contrast to CCM 4.X (which uses Windows, and it is much easier to configure IPSec between Windows and Cisco), CCM5 has this stupid web admin page on which I need to configure the CCM5 side for IPSec. If you have free time, I can make some screenshots which I can email to you, just to show you what I need to do on CCM5 for IPSec creation. I mean, I'm almost 100% sure that the problem is at the CCM side, not the router.

thisisshanky Thu, 07/19/2007 - 08:06

Go ahead and attach the screenshots and the output of debug crypto isakmp sa in your next post.



miloskv Thu, 07/19/2007 - 08:25

Ok...


The first attachment is my IPSec policy on the CCM web page. I've also attached the RTMT syslog as a second attachment.


Here is my router configuration:


crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp key BLA address 192.168.200.100
!
crypto isakmp peer address 192.168.200.100
!
!
crypto ipsec transform-set ts1 ah-md5-hmac esp-des
 mode transport

(I also tried this after the transform set with ah-md5 and esp-des hadn't worked:

crypto ipsec transform-set ts1 esp-des esp-md5-hmac
 mode transport

P.S. I'm confused because on the IPSec web page they say: AH Algorithm (as AH is used, not only ESP).
They also say: ESP algorithm, so I chose DES... but there is no place to choose ESP-MD5 or ESP-SHA.
I don't understand why anyone would make tools like this IPSec tool (it is completely confusing).
)

!
crypto map map1 10 ipsec-isakmp
 set peer 192.168.200.100
 set transform-set ts1
 match address 100

interface FastEthernet0/0
 ip address 192.168.200.5 255.255.255.0
 duplex auto
 speed auto
 crypto map map1

access-list 100 permit ip host 192.168.200.5 host 192.168.200.100



If you want, I can paste you complete debug of debug crypto isakmp



miloskv Thu, 07/19/2007 - 08:50

Do you mean: set security-association lifetime seconds 3600, to enter under crypto map map1?


here's the debug (debug crypto isakmp)


(find it attached)



thisisshanky Thu, 07/19/2007 - 08:42

Yes please do post the debug output.


Set the transform set security-association lifetime to 3600, since you have 3600 as the lifetime for phase 1 and phase 2. This command should be within the transform set mode.


All other settings look ok to me.

thisisshanky Thu, 07/19/2007 - 11:20

I will get back to you shortly. I have forwarded the outputs to our security experts (:D)

thisisshanky Thu, 07/19/2007 - 11:28

What IOS are you running? (sh version output please)

miloskv Thu, 07/19/2007 - 23:39

Hi again, here is the output of show version command on my voice gateway:


R2821#sh version
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(3a), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Fri 30-Sep-05 13:24 by hqluong

ROM: System Bootstrap, Version 12.3(8r)T7, RELEASE SOFTWARE (fc1)

R2821 uptime is 17 hours, 53 minutes
System returned to ROM by reload at 14:44:47 UTC Thu Jul 19 2007
System restarted at 15:44:53 UTC Thu Jul 19 2007
System image file is "flash:c2800nm-advipservicesk9-mz.124-3a.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 2811 (revision 53.51) with 247808K/14336K bytes of memory.
Processor board ID FHK0916F0V2
2 FastEthernet interfaces
2 Low-speed serial(sync/async) interfaces
1 Channelized E1/PRI port
1 Channelized T1/PRI port
2 Virtual Private Network (VPN) Modules
2 Voice FXO interfaces
2 Voice FXS interfaces
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102


thisisshanky Fri, 07/20/2007 - 03:44

Can you change your mode from transport to tunnel and see if that helps ?

miloskv Fri, 07/20/2007 - 08:07

I did that just now, but the same problem again.


Do You maybe know what "peer does not do paranoid keepalives" means? (it is in my debug crypto isakmp)


And again, I'm completely not sure if I'm making the transform set as I should. Currently, my transform set is esp-des and esp-md5. I don't know if I should disable esp-md5 and start ah-md5, or start ah-md5 and keep esp-md5. I mean, it is so confusing to create an IPSec policy on CCM5 that I'm not sure what to enter on the router so it can be compatible with CCM. Can you please look again at the screenshot of the CCM IPSec configuration to see if I'm wrong in the configuration of the transform set on the router?
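The transform-set question in this last post, and Sankar's earlier point that the debug shows "what parameter is not matching", can be checked mechanically before touching the router. The Python script below is an added example, not code from the thread or from Cisco: it parses the router's crypto configuration (transcribed from miloskv's post) into IKE phase 1 and IPsec phase 2 parameters, fills in the IOS defaults for anything the policy does not set explicitly (DES, SHA, RSA signatures, group 1, 86400 s), and compares the result against a constructed dictionary standing in for what was chosen on the CCM 5 IPsec page. Only the "AH Algorithm" and "ESP Algorithm" field names come from the thread; the CCM-side values, the IKE field names and the `CCM_POLICY` dictionary are assumptions for illustration.

```python
"""Side-by-side check of an IOS crypto config against a CCM-side IPsec policy.

Added example, not from the thread. ROUTER_CONFIG is transcribed from the
thread; CCM_POLICY is a constructed stand-in for the CCM 5 IPsec web page
(only its "AH Algorithm" / "ESP Algorithm" fields are quoted in the thread).
"""
import re

# IOS defaults applied when a 'crypto isakmp policy' parameter is not set.
ISAKMP_DEFAULTS = {
    "encr": "des",
    "hash": "sha",
    "authentication": "rsa-sig",
    "group": "1",
    "lifetime": "86400",
}

# Each IOS transform keyword: the slot it fills and the algorithm it selects.
TRANSFORM_ROLES = {
    "ah-md5-hmac": ("ah_auth", "md5"),
    "ah-sha-hmac": ("ah_auth", "sha"),
    "esp-des": ("esp_encr", "des"),
    "esp-3des": ("esp_encr", "3des"),
    "esp-aes": ("esp_encr", "aes"),
    "esp-null": ("esp_encr", "null"),
    "esp-md5-hmac": ("esp_auth", "md5"),
    "esp-sha-hmac": ("esp_auth", "sha"),
}

# Transcribed from the router config posted in the thread.
ROUTER_CONFIG = """
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp key BLA address 192.168.200.100
!
crypto ipsec transform-set ts1 ah-md5-hmac esp-des
 mode transport
!
crypto map map1 10 ipsec-isakmp
 set peer 192.168.200.100
 set transform-set ts1
 match address 100
access-list 100 permit ip host 192.168.200.5 host 192.168.200.100
"""

# Constructed CCM-side policy (assumed values), normalised to the router keys.
CCM_POLICY = {
    "ike": {"encr": "des", "hash": "md5", "authentication": "pre-share",
            "group": "2", "lifetime": "3600"},
    "ipsec": {"ah_auth": "md5", "esp_encr": "des", "esp_auth": None,
              "mode": "transport"},
}


def parse_ios_crypto(config_text):
    """Extract the IKE (phase 1) policy and IPsec (phase 2) transform set."""
    ike = dict(ISAKMP_DEFAULTS)
    ipsec = {"ah_auth": None, "esp_encr": None, "esp_auth": None, "mode": "tunnel"}
    section = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if re.match(r"crypto isakmp policy \d+$", line):
            section = "isakmp"
            continue
        m = re.match(r"crypto ipsec transform-set \S+\s+(.*)", line)
        if m:
            section = "ipsec"
            for keyword in m.group(1).split():
                if keyword not in TRANSFORM_ROLES:
                    raise ValueError(f"unknown transform keyword: {keyword}")
                slot, algorithm = TRANSFORM_ROLES[keyword]
                ipsec[slot] = algorithm
            continue
        if line.startswith(("crypto ", "interface ", "access-list ")):
            section = None  # any other top-level command ends the current block
            continue
        if section == "isakmp":
            key, _, value = line.partition(" ")
            ike["encr" if key == "encryption" else key] = value
        elif section == "ipsec" and line.startswith("mode "):
            ipsec["mode"] = line.split()[1]
    return {"ike": ike, "ipsec": ipsec}


def find_mismatches(router, ccm):
    """One line per parameter where the two ends disagree (empty list = match)."""
    issues = []
    for phase in ("ike", "ipsec"):
        for key, wanted in ccm[phase].items():
            have = router[phase].get(key)
            if have != wanted:
                issues.append(f"{phase}: {key} router={have!r} ccm={wanted!r}")
    return issues


if __name__ == "__main__":
    parsed = parse_ios_crypto(ROUTER_CONFIG)
    for issue in find_mismatches(parsed, CCM_POLICY) or ["no mismatches"]:
        print(issue)
```

The point of filling in the defaults is that a policy which only sets `hash md5`, `authentication pre-share` and `lifetime 3600` still proposes DES and DH group 1 on the wire; a side-by-side table makes such implicit values visible, and the same table answers the AH-versus-ESP question (which slot carries integrity) without guessing. Whether the assumed CCM values match the real page is something only the screenshot can confirm.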
