IPsec and ACS problem at router 3845

omyma1234
Level 1

Hi everybody,

Recently we replaced an old Cisco router model 2522 with a model 3845 to apply an IPsec configuration. It was as follows:

crypto isakmp policy X

encr aes 256

authentication pre-share

group 2

crypto isakmp key xxxxx address x.y.z.w

After applying the previous configuration, we discovered that login to the router through ACS gives failed authentication.

My question is, how does the IPsec configuration affect logging in through the ACS server?

I appreciate your prompt response to solve this problem.

omy

5 Replies 5

royalblues
Level 10

Do you see any reason in the failed authentication attempts in the ACS?

Can you post the AAA config as well as the interesting traffic that is used for the encryption?

Narayan

omy

I wonder if the authentication request is perhaps matching the access list used to identify traffic for IPSec encryption and that is causing it to fail at ACS.

If that is the case I suspect that there will not be anything useful in the logs of ACS (since ACS would not have known that it was an authentication request) but Narayan's suggestion to check the logs is a good place to start. His request for configuration details would also be helpful.

HTH

Rick


Hi Narayan,

Actually, we have peer-to-peer routers; one of them is a model 2811 and the other is a 3845.

The AAA configuration on the 3845 router is:

aaa authentication login default group acs local

aaa authentication ppp default group tacacs+

aaa authorization exec default group acs local

aaa authorization network default group tacacs+

aaa accounting exec default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

tacacs-server host x.y.z.w

tacacs-server host s.d.f.g

tacacs-server key -----------

Waiting for your reply.

omy

1- Does AAA traffic go through the IPsec tunnel?

2- If it does, you may have to source AAA traffic from one of the interfaces that will also be part of the IPsec interesting traffic.

3- If #2 is correct, you also need to change the AAA setting on the ACS to reflect the IP address that will be coming from the Cisco 3845.
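Steps 2 and 3 of the reply above, sketched as an added IOS configuration example that is not part of the original thread. Every address, the names CRYPTO-ACL, VPN-MAP and TSET, and the choice of Loopback0 are assumptions; 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges, and the ACS server is assumed to sit behind the remote peer.

```cisco
! Constructed example: all addresses and names are placeholders.
!
! Stable source address for TACACS+ packets (assumed interface)
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
!
! Crypto ACL ("interesting traffic"): local 192.0.2.0/24 to remote
! 198.51.100.0/24, where the ACS server 198.51.100.10 is assumed to be.
! The peer router needs the mirror image of this entry.
ip access-list extended CRYPTO-ACL
 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TSET
 match address CRYPTO-ACL
!
! Step 2: source TACACS+ from the loopback so the packets match CRYPTO-ACL.
! Without this, the router uses the address of the outgoing interface.
ip tacacs source-interface Loopback0
tacacs-server host 198.51.100.10
!
! Step 3 (done on ACS, not on the router): the AAA client entry for this
! router must list 192.0.2.1, the source address ACS now sees.
!
! Checks from the router during a login attempt:
!   show crypto ipsec sa   (encaps/decaps counters for the ACL entry rise)
!   debug tacacs           (shows which server is contacted and its reply)
```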

Hi everybody,

Could you please give me more details about the ACS interesting traffic configuration?

About your recommendation that I also need to change the AAA setting on the ACS to reflect the IP address that will be coming from the Cisco 3845:

Do you mean that I should add a new entry to the ACS server using the IP address of the IPsec tunnel?
