VPN site-to-site with rsa-encr

Unanswered Question
Apr 16th, 2010

Hello,


In the course of my education I have been given the task of connecting two geographically separated companies through a VPN site-to-site configuration (fictitious project).


I got the tunnel running with a simple PSK.
I have read that you can use RSA encryption (encrypted nonces) without the need for a CA.
I tried it for four days, but it doesn't work.


I used the following Cisco configuration guide to set up the VPN tunnel: Link (page 11 and following)


I am posting the two shortened configurations and the ISAKMP error message in the hope that someone can give me a hint what's wrong.


Excuse my bad English, and thanks in advance!



!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router-Hauptsitz
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
crypto key pubkey-chain rsa
addressed-key 200.0.0.2
  address 200.0.0.2
  key-string
   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
   00A99BA4 21BED4BF 4A0448CE 3122370D 32428F9F 39E0E32D 37598927 DD3827DE
   3F23F185 B9C38DB3 80831AD7 D9654D09 48CAA1E8 F1F8665D 69499702 45100A2F
   67C54172 54F57EAD A49001DB 76B501F1 6404E172 E03248E0 7D5FC555 5C0149CB
   ACF85DC0 A2CEC53C 7991B0A5 CE85E3EF A99EA9D4 43984A1E 2761E679 ECD4CD15
   9260BA63 D195C7E1 3CA23D9C ABED2410 12F516D1 D00DB793 8A01314E 1C919D31
   97184C7E D07383FF 0C3B04EE 0FC411E0 14C46BF7 FC7029A3 5C5F10BA B6F2FFE8
   9BB42BE4 77DBD344 EFB23662 AE6D2BA8 C5C00B93 596C5F51 B3317470 28533626
   072B34F8 0EA6E481 469725AD F96794D9 86C283CB 5E05594B 3A686525 8983A72E
   C7020301 0001
  quit
!
!
!
crypto isakmp policy 10
encr 3des
authentication rsa-encr
group 2
!
!
crypto ipsec transform-set VPN esp-3des esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
set peer 200.0.0.2
set transform-set VPN
set pfs group2
match address 110
!
!
!
!
interface FastEthernet0/0
no ip address
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface Serial0/0
ip address 200.0.0.1 255.255.255.0
ip nat outside
ip virtual-reassembly
crypto map VPN
!
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
no ip http server
no ip http secure-server
ip nat inside source list 120 interface Serial0/0 overload
!
access-list 110 deny   udp any any eq isakmp
access-list 110 permit ip 10.0.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 110 remark VPN
access-list 120 deny   ip 10.0.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 120 permit ip 10.0.0.0 0.0.255.255 any
access-list 120 remark NAT
access-list 130 permit ip host 10.0.200.200 any
access-list 130 deny   ip host 10.0.200.200 10.1.10.0 0.0.0.255
!
route-map kein-NAT permit 10
match ip address 130
!
!
end



!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router-Filiale
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
crypto key pubkey-chain rsa
addressed-key 200.0.0.1
  address 200.0.0.1
  key-string
   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
   009D750E 11BB8BE3 2E0CD254 21D2020B 29DECCE5 86E10104 99F6DC23 53CAFBAF
   F729A222 8CB07DB1 3DBED09C 00D0E938 843078C6 04651609 BE7D4A5E 3548D7F9
   3FE748BD 670E1A87 C14D0B00 0C5201D2 61C328F2 398F0726 BF8DEAC5 F5501FA8
   8CEA5992 DE06F546 302F2B47 EE13707E 09F9E534 9F5E1FF3 197782B6 EC126A81
   6E357535 9D12F5FE 5076C97A E6E41B2F D79662E5 BE918A15 7E1B6318 E4F2B9BC
   83AC52CC 97D1A470 02C61BEB 7735332E 7698A6AC F3867C2C F8405A72 06E51607
   1FC31B56 C0D14E10 79C3287E B7544D4F FEE4F8D6 F848FC5A EE9FB3F6 B5BDADD2
   84D72C8A 2A340DFA B65466BB 9F65B1B6 03C94955 EE986A69 2BF06D3F 0E4F13C4
   D3020301 0001
  quit
!
!
!
crypto isakmp policy 10
encr 3des
authentication rsa-encr
group 2
!
!
crypto ipsec transform-set VPN esp-3des esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
set peer 200.0.0.1
set transform-set VPN
set pfs group2
match address 110
!
!
!
!
interface FastEthernet0/0
no ip address
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/0
ip address 200.0.0.2 255.255.255.0
ip nat outside
ip virtual-reassembly
clock rate 128000
crypto map VPN
!
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
!
no ip http server
no ip http secure-server
ip nat inside source list 120 interface Serial0/0 overload
!
access-list 110 deny   udp any any eq isakmp
access-list 110 permit ip 10.1.0.0 0.0.255.255 10.0.0.0 0.0.255.255
access-list 110 remark VPN
access-list 120 deny   ip 10.1.0.0 0.0.255.255 10.0.0.0 0.0.255.255
access-list 120 permit ip 10.1.0.0 0.0.255.255 any
access-list 120 remark NAT



ISAKMP error message



*Mar  1 04:10:19.148: ISAKMP:(0:0:N/A:0):No pre-shared key with 200.0.0.2!
*Mar  1 04:10:19.412: ISAKMP:(0:3:SW:1):Unable to get router cert or router does not have a cert: needed to find DN!
*Mar  1 04:10:29.193: ISAKMP:(0:3:SW:1):deleting SA reason "Death by retransmission P1" state (I) MM_SA_SETUP (peer 200.0.0.2)
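The key-strings are the one part of this setup that can be checked offline, so here is an added example (not part of the original post, and not Cisco code) that does just that. An IOS `key-string` is the hex of a DER-encoded SubjectPublicKeyInfo, the same bytes `show crypto key mypubkey rsa` prints on the router that owns the key. The script decodes both key-strings from the two configurations above with a small stand-alone DER reader, reports modulus size, public exponent and a SHA-256 fingerprint, and flags a truncated paste or the same key having been installed on both sides (each router must hold the *peer's* public key, not its own). Function names are ours; only the Python standard library is used.

```python
"""Offline sanity check for IOS `crypto key pubkey-chain rsa` key-strings.

Added example, not part of the original post. The hex that IOS prints with
`show crypto key mypubkey rsa` and accepts under `key-string` is a DER-encoded
SubjectPublicKeyInfo; a minimal stdlib DER reader decodes it and reports
modulus size, public exponent and a SHA-256 fingerprint. Function names are ours.
"""
import hashlib
import re

RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1

# Both key-strings are copied from the two router configurations in the post.
KEY_FOR_FILIALE = """30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00A99BA4 21BED4BF 4A0448CE 3122370D 32428F9F 39E0E32D 37598927 DD3827DE
3F23F185 B9C38DB3 80831AD7 D9654D09 48CAA1E8 F1F8665D 69499702 45100A2F
67C54172 54F57EAD A49001DB 76B501F1 6404E172 E03248E0 7D5FC555 5C0149CB
ACF85DC0 A2CEC53C 7991B0A5 CE85E3EF A99EA9D4 43984A1E 2761E679 ECD4CD15
9260BA63 D195C7E1 3CA23D9C ABED2410 12F516D1 D00DB793 8A01314E 1C919D31
97184C7E D07383FF 0C3B04EE 0FC411E0 14C46BF7 FC7029A3 5C5F10BA B6F2FFE8
9BB42BE4 77DBD344 EFB23662 AE6D2BA8 C5C00B93 596C5F51 B3317470 28533626
072B34F8 0EA6E481 469725AD F96794D9 86C283CB 5E05594B 3A686525 8983A72E
C7020301 0001"""  # installed under `addressed-key 200.0.0.2` on Router-Hauptsitz

KEY_FOR_HAUPTSITZ = """30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
009D750E 11BB8BE3 2E0CD254 21D2020B 29DECCE5 86E10104 99F6DC23 53CAFBAF
F729A222 8CB07DB1 3DBED09C 00D0E938 843078C6 04651609 BE7D4A5E 3548D7F9
3FE748BD 670E1A87 C14D0B00 0C5201D2 61C328F2 398F0726 BF8DEAC5 F5501FA8
8CEA5992 DE06F546 302F2B47 EE13707E 09F9E534 9F5E1FF3 197782B6 EC126A81
6E357535 9D12F5FE 5076C97A E6E41B2F D79662E5 BE918A15 7E1B6318 E4F2B9BC
83AC52CC 97D1A470 02C61BEB 7735332E 7698A6AC F3867C2C F8405A72 06E51607
1FC31B56 C0D14E10 79C3287E B7544D4F FEE4F8D6 F848FC5A EE9FB3F6 B5BDADD2
84D72C8A 2A340DFA B65466BB 9F65B1B6 03C94955 EE986A69 2BF06D3F 0E4F13C4
D3020301 0001"""  # installed under `addressed-key 200.0.0.1` on Router-Filiale


def _tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated key-string: no room for a TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated key-string: value runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def parse_key_string(text):
    """Decode an IOS key-string into {'modulus', 'bits', 'exponent', 'fingerprint'}."""
    raw = bytes.fromhex(re.sub(r"\s+", "", text))
    tag, spki, end = _tlv(raw, 0)                      # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30 or end != len(raw):
        raise ValueError("outer SEQUENCE does not span the whole key-string")
    tag, alg, pos = _tlv(spki, 0)                      #   algorithm AlgorithmIdentifier
    oid_tag, oid, _ = _tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bits, end = _tlv(spki, pos)                   #   subjectPublicKey BIT STRING
    if tag != 0x03 or end != len(spki) or bits[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    tag, rsa, _ = _tlv(bits, 1)                        # RSAPublicKey ::= SEQUENCE { n, e }
    n_tag, n_bytes, pos = _tlv(rsa, 0)
    e_tag, e_bytes, end = _tlv(rsa, pos)
    if tag != 0x30 or (n_tag, e_tag) != (0x02, 0x02) or end != len(rsa):
        raise ValueError("malformed RSAPublicKey")
    n, e = int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")
    return {"modulus": n, "bits": n.bit_length(), "exponent": e,
            "fingerprint": hashlib.sha256(raw).hexdigest()}


def check_peer_keys(key_on_a, key_on_b):
    """Problems with the key-strings two peers hold for each other (empty list = fine).

    Each router must carry the *other* router's public key, so the two strings
    must both decode cleanly and must not be the same key.
    """
    problems, moduli = [], []
    for side, text in (("A", key_on_a), ("B", key_on_b)):
        try:
            k = parse_key_string(text)
            moduli.append(k["modulus"])
            if k["exponent"] != 65537 or k["bits"] < 2048:
                problems.append(f"side {side}: unusual RSA key ({k['bits']} bits, e={k['exponent']})")
        except ValueError as exc:
            problems.append(f"side {side}: {exc}")
    if len(moduli) == 2 and moduli[0] == moduli[1]:
        problems.append("both sides hold the same public key; one router's key was pasted twice")
    return problems


if __name__ == "__main__":
    for label, text in (("key for Filiale", KEY_FOR_FILIALE), ("key for Hauptsitz", KEY_FOR_HAUPTSITZ)):
        k = parse_key_string(text)
        print(f"{label}: RSA-{k['bits']} e={k['exponent']} sha256={k['fingerprint']}")
    print("problems:", check_peer_keys(KEY_FOR_FILIALE, KEY_FOR_HAUPTSITZ) or "none")
```

Both key-strings in the post decode as complete RSA-2048 keys with e=65537 and are distinct, so a bad paste is not the issue here. To finish the check, hash the key-string that `show crypto key mypubkey rsa` prints on Router-Filiale the same way and compare it with the fingerprint reported for the key under `addressed-key 200.0.0.2` on Router-Hauptsitz (and vice versa); the hex must be byte-identical, because with rsa-encr the initiator encrypts its nonce to exactly that key. A clean result only rules out the key exchange step and says nothing about the policy or identity settings the debug output complains about.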
