New Member

Can I use this IOS for IPSEC?

Hi all,

I am trying to form an IPSEC between one 1751 and one 2600, but I fail. I have tried every method, and my settings are the same as in the reference book and on the Cisco web site. So I suspect that the router does not support IPSEC (but all the IPSEC commands are there, including debug). I am sure the 1751 can be used for IPSEC because it has the 3DES IPPLUS feature. So I suspect the 2600. The IOS filename is c2620-jk8o3s-mz.122-7a.bin, so can it be used for IPSEC (I just tried to use a preshared key and esp-des)? Thank you!

Best Regards

Teru Lei

3 REPLIES
New Member

Re: Can I use this IOS for IPSEC?

Hi all,

Here is the debug output from the 2600, from the command debug crypto ipsec.

Router#ping 192.168.0.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:

.

00:40:04: IPSEC(encapsulate): encaps area too small, moving to new buffer:

idbtype 0, encaps_size 84, header size 36, avail 84....

Success rate is 0 percent (0/5)

Router#

00:40:23: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 172.18.1.1, remote= 172.18.2.1,

local_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4),

remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

protocol= ESP, transform= esp-des ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

00:40:23: IPSEC(validate_transform_proposal): proxy identities not supported

00:40:23: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 172.18.2.1

Router#

Router#telnet 192.168.0.1

Trying 192.168.0.1 ...

00:40:52: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 172.18.1.1, remote= 172.18.2.1,

local_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4),

remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

protocol= ESP, transform= esp-des ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

00:40:52: IPSEC(validate_transform_proposal): proxy identities not supported

00:41:04: IPSEC(encapsulate): encaps area too small, moving to new buffer:

idbtype 0, encaps_size 84, header size 36, avail 84

% Connection timed out; remote host not responding

Router#

00:42:04: IPSEC(encapsulate): encaps area too small, moving to new buffer:

idbtype 0, encaps_size 84, header size 36, avail 84

Thank You!

Best Regards

Teru Lei

New Member

Re: Can I use this IOS for IPSEC?

This debug shows you who the initiator is and where it's trying to go, as well as the network you are trying to connect to. On the 172.18.1.1 router, the access-list you are using for interesting traffic states 192.168.0.0/16 to any.

(key eng. msg.) INBOUND local= 172.18.1.1, remote= 172.18.2.1,

local_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4),

remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

This next error message basically says that your access-lists don't match. Check the peer 172.18.2.1 and make sure your access lists match identically.

00:40:52: IPSEC(validate_transform_proposal): proxy identities not supported

Kurtis Durrett
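A check for the identical match recommended in the reply above, as an added example that is not part of the original thread: it parses the proxy identities from the quoted debug lines and compares them with crypto access-list entries. The ACL lines are constructed samples, not the poster's configuration, and the check assumes the receiving router needs an entry whose source equals local_proxy and whose destination equals remote_proxy.

```python
import ipaddress
import re

# Proposal lines copied from the debug output quoted in this thread.
DEBUG = """\
(key eng. msg.) INBOUND local= 172.18.1.1, remote= 172.18.2.1,
local_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
"""

PROXY_RE = re.compile(r"(local|remote)_proxy=\s*([\d.]+)/([\d.]+)/\d+/\d+")

def parse_proxies(text):
    """Return {'local': net, 'remote': net} from one proposal block."""
    return {side: ipaddress.ip_network(f"{addr}/{mask}")
            for side, addr, mask in PROXY_RE.findall(text)}

def acl_entry(line):
    """Parse 'permit ip <src> <dst>' (any | host A | A WILDCARD) into (src, dst)."""
    tokens = line.split()[2:]          # drop 'permit ip'
    nets = []
    while tokens:
        if tokens[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            tokens = tokens[1:]
        elif tokens[0] == "host":
            nets.append(ipaddress.ip_network(tokens[1] + "/32"))
            tokens = tokens[2:]
        else:
            # Invert the wildcard explicitly: 0.0.0.0 must mean /32, not /0.
            mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens[1])) ^ 0xFFFFFFFF)
            nets.append(ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False))
            tokens = tokens[2:]
    return tuple(nets)

def proposal_matches(proxies, acl_lines):
    """True if an ACL entry has src == local_proxy and dst == remote_proxy."""
    want = (proxies["local"], proxies["remote"])
    return any(acl_entry(line) == want for line in acl_lines)

# Constructed ACL entries for the router that logged the debug (assumed samples).
MISMATCHED = ["permit ip 192.168.0.0 0.0.255.255 192.168.1.0 0.0.0.255"]
MIRRORED = ["permit ip 192.168.0.0 0.0.255.255 any"]

if __name__ == "__main__":
    p = parse_proxies(DEBUG)
    print(p, proposal_matches(p, MISMATCHED), proposal_matches(p, MIRRORED))
```
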

New Member

Re: Can I use this IOS for IPSEC?

Hi Teru;

Go to the following page for IOS features:

http://www.cisco.com/cgi-bin/Support/CompNav/Index.pl?Introduction=True
