08-24-2010 01:11 PM - edited 03-16-2019 12:27 AM
I am using CUCM 7.1 and a 2821 ISR with the c2800nm-advipservicesk9-mz.124-24.T3.bin IOS.
I'm trying to make it so that I can place secure calls from my phones to my MGCP gateway. The phones can already place secure calls to each other and to the voicemail server.
Here are what I think are the relevant configurations.
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 10800
crypto isakmp key cisco address 192.168.1.8
crypto isakmp key cisco address 192.168.1.9
!
!
crypto ipsec transform-set CM esp-3des esp-sha-hmac
mode transport
!
crypto map CM 1 ipsec-isakmp
set peer 192.168.1.8
set transform-set CM
match address 101
crypto map CM 2 ipsec-isakmp
set peer 192.168.1.9
set transform-set CM
match address 102
!
interface Loopback0
ip address 192.168.1.225 255.255.255.255
crypto map CM
!
interface GigabitEthernet0/0
ip address 192.168.1.202 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.1.206 255.255.255.252
duplex auto
speed auto
!
access-list 101 permit ip host 192.168.1.225 host 192.168.1.8
access-list 102 permit ip host 192.168.1.225 host 192.168.1.9
!
!
ccm-manager mgcp
no ccm-manager fax protocol cisco
ccm-manager music-on-hold
ccm-manager config server 192.168.1.8
ccm-manager config
!
mgcp
mgcp call-agent 192.168.1.9 2427 service-type mgcp version 0.1
mgcp rtp unreachable timeout 1000 action notify
mgcp modem passthrough voip mode nse
mgcp package-capability rtp-package
mgcp package-capability sst-package
mgcp package-capability pre-package
mgcp default-package fxr-package
no mgcp package-capability res-package
no mgcp timer receive-rtcp
mgcp sdp simple
mgcp fax t38 ecm
mgcp bind control source-interface Loopback0
mgcp bind media source-interface Loopback0
!
mgcp profile default
!
When I do the following commands, I get the output listed below...
debug crypto isakmp
*Aug 24 20:01:14.895: No peer struct to get peer description
show crypto session
Interface: Loopback0
Session status: DOWN
Peer: 172.16.72.9 port 500
IPSEC FLOW: permit ip host 172.16.72.225 host 172.16.72.9
Active SAs: 0, origin: crypto map
...so it looks like it's not working.
There's really precious little information about this anywhere. If someone can help, I think it will help a lot of other people too.
One last point, the key in the line "crypto isakmp key cisco" is not really "cisco". What should it be? I have the platform administrator password. Is that correct?
08-24-2010 01:25 PM
Hi
It's been a while since I had to configure this stuff; but basically the IPSEC tunnel is configured on both GW and the CCM; you configure it via CM Platform Admin (https://server/cmplatform) under one of the menus.
I hit a LOT of bugs on 6.1 code when I was setting this up..
Regards
Aaron
Please rate helpful posts...
08-24-2010 01:49 PM
That felt awful good, and it's probably a large part of the issue, but it's still not working. I gave you an "answered" because you got the main disconnect, I think. Still, there's something missing. Any more places to look?
08-24-2010 01:59 PM
Hi
So your config doesn't look too bad; but this snippet has random IP addresses in it that don't seem to be this router or your CCM:
show crypto session
Interface: Loopback0
Session status: DOWN
Peer: 172.16.72.9 port 500
IPSEC FLOW: permit ip host 172.16.72.225 host 172.16.72.9
Active SAs: 0, origin: crypto map
What's that about?
Maybe post up your latest config, status of the VPNs on the gateway end, and screen grab your IPSEC config from CCM?
Aaron
08-24-2010 02:38 PM
Here you go. By the way, the weird IPs in the last post were just a matter of me copying things incorrectly. The correct output is below.
Thanks again.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 10800
crypto isakmp key cisco address 192.168.1.8
crypto isakmp key cisco address 192.168.1.9
!
!
crypto ipsec transform-set CM esp-3des esp-sha-hmac
mode transport
!
crypto map CM 1 ipsec-isakmp
set peer 192.168.1.8
set transform-set CM
match address 101
crypto map CM 2 ipsec-isakmp
set peer 192.168.1.9
set transform-set CM
match address 102
!
!
interface Loopback0
ip address 192.168.1.225 255.255.255.255
crypto map CM
!
interface GigabitEthernet0/0
ip address 192.168.1.202 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.1.206 255.255.255.252
duplex auto
speed auto
!
access-list 101 permit ip host 192.168.1.225 host 192.168.1.8
access-list 102 permit ip host 192.168.1.225 host 192.168.1.9
!
!
ccm-manager mgcp
no ccm-manager fax protocol cisco
ccm-manager music-on-hold
ccm-manager config server 192.168.1.8
ccm-manager config
!
mgcp
mgcp call-agent 192.168.1.9 2427 service-type mgcp version 0.1
mgcp rtp unreachable timeout 1000 action notify
mgcp modem passthrough voip mode nse
mgcp package-capability rtp-package
mgcp package-capability sst-package
mgcp package-capability pre-package
mgcp default-package fxr-package
no mgcp package-capability res-package
no mgcp timer receive-rtcp
mgcp sdp simple
mgcp fax t38 ecm
mgcp bind control source-interface Loopback0
mgcp bind media source-interface Loopback0
!
mgcp profile default
!
!
end
Router2#show crypto session
Crypto session current status
Interface: Loopback0
Session status: DOWN
Peer: 192.168.1.8 port 500
IPSEC FLOW: permit ip host 192.168.1.225 host 192.168.1.8
Active SAs: 0, origin: crypto map
Interface: Loopback0
Session status: DOWN
Peer: 192.168.1.9 port 500
IPSEC FLOW: permit ip host 192.168.1.225 host 192.168.1.9
Active SAs: 0, origin: crypto map
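A consistency check over the gateway configuration and show crypto session output posted in this thread, as an added example that is not part of any poster's message: it cross-references each crypto map entry against the pre-shared-key peers, the ACLs and the MGCP source address, then summarises the session state. The function names check_config and session_state are hypothetical, and the sample text is excerpted from the posts above.

```python
import re  # standard library only; the sample text below is excerpted from the posts in this thread
CONFIG = """\
crypto isakmp key cisco address 192.168.1.8
crypto isakmp key cisco address 192.168.1.9
crypto map CM 1 ipsec-isakmp
set peer 192.168.1.8
set transform-set CM
match address 101
crypto map CM 2 ipsec-isakmp
set peer 192.168.1.9
set transform-set CM
match address 102
interface Loopback0
ip address 192.168.1.225 255.255.255.255
access-list 101 permit ip host 192.168.1.225 host 192.168.1.8
access-list 102 permit ip host 192.168.1.225 host 192.168.1.9
mgcp bind control source-interface Loopback0
"""
SESSIONS = """\
Interface: Loopback0
Session status: DOWN
Peer: 192.168.1.8 port 500
IPSEC FLOW: permit ip host 192.168.1.225 host 192.168.1.8
Active SAs: 0, origin: crypto map
Interface: Loopback0
Session status: DOWN
Peer: 192.168.1.9 port 500
IPSEC FLOW: permit ip host 192.168.1.225 host 192.168.1.9
Active SAs: 0, origin: crypto map
"""

def check_config(cfg):
    """Return mismatches between crypto map entries, ISAKMP keys, ACLs and the MGCP source IP."""
    keyed = set(re.findall(r"^crypto isakmp key \S+ address (\S+)", cfg, re.M))
    acls = {n: (s, d) for n, s, d in re.findall(r"^access-list (\d+) permit ip host (\S+) host (\S+)", cfg, re.M)}
    src_if = re.search(r"^mgcp bind control source-interface (\S+)", cfg, re.M).group(1)
    src_ip = re.search(rf"^interface {re.escape(src_if)}\n\s*ip address (\S+)", cfg, re.M).group(1)
    problems = []
    for seq, peer, acl in re.findall(
            r"^crypto map \S+ (\d+) ipsec-isakmp\n\s*set peer (\S+)\n(?:.*\n)*?\s*match address (\d+)", cfg, re.M):
        if peer not in keyed:
            problems.append(f"map entry {seq}: no pre-shared key for peer {peer}")
        if acls.get(acl) != (src_ip, peer):
            problems.append(f"map entry {seq}: ACL {acl} is not host {src_ip} -> host {peer}")
    return problems

def session_state(output):
    """Map each peer in 'show crypto session' output to (status, active SA count)."""
    rows = re.findall(r"Session status: (\S+)\s*\nPeer: (\S+) port \d+\s*\n.*\nActive SAs: (\d+)", output)
    return {peer: (status, int(sas)) for status, peer, sas in rows}
```

On the posted text, check_config returns no mismatches while session_state reports both peers DOWN with zero SAs, so these cross-references alone do not locate the fault.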