I'm trying to create an IPSec connection from CCM 5.0.2 to an IOS H323 GW. I've created an IPSec policy from the CCM IPT Platform web page and tried to create a compatible IPSec policy on the IOS GW, but I can't establish SAs. Does anyone have advice or a tip on how to configure the CCM5 IPSec policy and the IOS IPSec policy? Just paste me a running config from the router and maybe advise what to select/choose from the IPSec config page on CallManager?
Never tried this on CCM 5.x, but I have played lots with IPSEC on CM 4.x with MGCP and H323 gateways, and usually the tools I have used to troubleshoot IKE or IPSEC negotiation issues are "debug crypto isakmp sa" and "debug crypto ipsec". These will usually show you which phase is failing and which parameter is not matching.
Here is a sample config for CCM 4.x and IOS router. 10.1.1.1 and .2 are the callmanagers.
crypto isakmp policy 1
 authentication pre-share
! pre-shared-key authentication must be selected explicitly; the IOS default for a policy is rsa-sig
crypto isakmp key cisco address 10.1.1.1
crypto isakmp key cisco address 10.1.1.2
!
crypto ipsec transform-set CM esp-3des esp-sha-hmac
!
crypto map CM 1 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set CM
 match address 101
crypto map CM 2 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set CM
 match address 102
!
! one SA per CallManager: only traffic between the router and that CallManager is protected
access-list 101 permit ip host 10.2.2.2 host 10.1.1.1
access-list 102 permit ip host 10.2.2.2 host 10.1.1.2
!
interface Serial0/0.101 point-to-point
 ip address 10.2.2.2 255.255.255.0
 frame-relay interface-dlci 101
 crypto map CM
Hope that helps!
PS: please remember to rate posts!
Hi Sankar, thanks for the reply.
I've already done all of this that you have written, but I can't pass IKE Phase 1. On CCM 5 the problem is that it is Linux, and CCM5 (under the shell) is using RACOON. So unlike CCM 4.X (which uses Windows, and it is much easier to configure IPSec between Windows and Cisco), CCM5 has this stupid web admin page on which I need to configure the CCM5 side for IPSec. If you have free time, I can make some screenshots which I can email to you, just to show you what I need to do on CCM5 for IPSec creation. I mean, I'm almost 100% sure that the problem is on the CCM side, not the router.
The first attachment is my IPSec policy on the CCM web page. I've also attached the RTMT syslog as the second attachment.
Here is my router configuration:
crypto isakmp policy 1
! no sub-commands shown: IOS then uses des / sha / rsa-sig / group 1 / 86400 s for this policy
crypto isakmp key BLA address 192.168.200.100
crypto isakmp peer address 192.168.200.100
!
! AH with HMAC-MD5 plus ESP with DES (no ESP authentication)
crypto ipsec transform-set ts1 ah-md5-hmac esp-des
(I've also done this, after the transform set with ah-md5 and esp-des hadn't worked:
! ESP only: DES encryption with HMAC-MD5 authentication, no AH
crypto ipsec transform-set ts1 esp-des esp-md5-hmac
P.S. I'm confused because on the IPSec web page they say: AH Algorithm (as if AH is used, not only ESP).
They also say: ESP algorithm, so I choose DES... but there is no place to choose ESP-MD5 or ESP-SHA.
I don't understand why anyone makes tools like this IPSec tool is (completely confusing).
crypto map map1 10 ipsec-isakmp
 set peer 192.168.200.100
 set transform-set ts1
 match address 100
!
! interface name not included in the post
 ip address 192.168.200.5 255.255.255.0
 crypto map map1
!
access-list 100 permit ip host 192.168.200.5 host 192.168.200.100
If you want, I can paste you the complete output of debug crypto isakmp.
Yes please do post the debug output.
Set the transform set security-association lifetime to 3600, since you have 3600 as the lifetime for phase 1 and phase 2. This command should be within the transform set mode.
All other settings look ok to me.
Hi again, here is the output of the show version command on my voice gateway:
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(3a),
RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Fri 30-Sep-05 13:24 by hqluong
ROM: System Bootstrap, Version 12.3(8r)T7, RELEASE SOFTWARE (fc1)
R2821 uptime is 17 hours, 53 minutes
System returned to ROM by reload at 14:44:47 UTC Thu Jul 19 2007
System restarted at 15:44:53 UTC Thu Jul 19 2007
System image file is "flash:c2800nm-advipservicesk9-mz.124-3a.bin"
Cisco 2811 (revision 53.51) with 247808K/14336K bytes of memory.
Processor board ID FHK0916F0V2
2 FastEthernet interfaces
2 Low-speed serial(sync/async) interfaces
1 Channelized E1/PRI port
1 Channelized T1/PRI port
2 Virtual Private Network (VPN) Modules
2 Voice FXO interfaces
2 Voice FXS interfaces
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
I've done that right now, but same problem again.
Do you maybe know what "peer does not do paranoid keepalives" means? (It is in my debug crypto isakmp.)
And again, I'm completely not sure if I'm making the transform set as I should. Currently, my transform set is esp-des and esp-md5. I don't know if I should disable esp-md5 and start ah-md5, or start ah-md5 and keep esp-md5. I mean, it is so confusing to create an IPSec policy on CCM5 that I'm not sure what to enter on the router so it can be compatible with CCM. Can you please look again at the screenshot of the CCM IPSec configuration to see if I'm wrong in the configuration of the transform set on the router?
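As an added example (not code from the thread or from Cisco), here is a small Python checker for the "which parameter is not matching" question: it parses the router's crypto lines, fills in the IOS 12.4 defaults for an ISAKMP policy that has no sub-commands, decodes AH-only, ESP-only and AH+ESP transform sets into the AH/ESP algorithm terms the CCM5 page uses, and lists every phase 1 / phase 2 value that differs from the CCM-side policy. The router text and the CCM policy values are constructed for the example, and the CCM dict keys are my assumed representation, not the CCM5 page's field names.

```python
import re

# IOS 12.4 defaults used when "crypto isakmp policy N" carries no sub-commands.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1", "lifetime": "86400"}

def parse_ios(config):
    """Return (phase1, phase2) parameter dicts from the crypto lines of an IOS config."""
    phase1 = dict(ISAKMP_DEFAULTS)
    # IPsec SA lifetime defaults to 3600 s unless a crypto map entry overrides it.
    phase2 = {"ah": None, "esp_enc": None, "esp_auth": None, "lifetime": "3600"}
    section = None
    for line in (raw.strip() for raw in config.splitlines()):
        if not line or line.startswith("!"):
            continue
        m = re.match(r"crypto ipsec transform-set \S+ (.+)", line)
        if m:  # keywords such as "ah-md5-hmac esp-des" or "esp-des esp-md5-hmac"
            for proto, alg in (kw.split("-", 1) for kw in m.group(1).split()):
                if proto == "ah":
                    phase2["ah"] = alg.replace("-hmac", "")
                elif alg.endswith("-hmac"):
                    phase2["esp_auth"] = alg.replace("-hmac", "")
                else:
                    phase2["esp_enc"] = alg
        if line.startswith("crypto isakmp policy"):
            section = "isakmp"
        elif line.startswith("crypto map") and line.endswith("ipsec-isakmp"):
            section = "map"
        elif section == "isakmp" and line.split()[0] in phase1:
            key, val = line.split(None, 1)
            phase1[key] = val
        elif section == "map" and line.startswith("set security-association lifetime seconds"):
            phase2["lifetime"] = line.split()[-1]
    return phase1, phase2

def mismatches(ios_config, ccm_policy):
    """List each IKE/IPsec parameter on which the router and the CCM-side policy disagree."""
    phase1, phase2 = parse_ios(ios_config)
    diffs = []
    for phase, have in (("phase1", phase1), ("phase2", phase2)):
        for key, want in ccm_policy[phase].items():
            if have.get(key) != want:
                diffs.append(f"{phase} {key}: router={have.get(key)} ccm={want}")
    return diffs

# Constructed input: the thread's router side, with phase 1 left at IOS defaults.
ROUTER = """crypto isakmp policy 1
crypto isakmp key BLA address 192.168.200.100
crypto ipsec transform-set ts1 esp-des esp-md5-hmac
"""
# Constructed CCM5-side policy (assumed values, in my own key names, not the page's fields).
CCM = {"phase1": {"encryption": "des", "hash": "md5", "authentication": "pre-share",
                  "group": "2", "lifetime": "3600"},
       "phase2": {"ah": "md5", "esp_enc": "des", "esp_auth": None, "lifetime": "3600"}}
```

With the constructed values, mismatches(ROUTER, CCM) reports the phase 1 hash, authentication method, DH group and lifetime plus the AH-versus-ESP-authentication difference in phase 2; once the router's policy and transform set are changed to match, the list is empty.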