11-22-2002 04:25 AM - edited 02-21-2020 12:11 PM
Hi all,
I tried to set up IPSEC between one 1751 and one 2600, but I failed. I have tried every method, and my settings are even the same as the reference book and the Cisco web site. So I suspect that the router does not support IPSEC (but all the IPSEC commands are there, including debug). I am sure the 1751 can be used for IPSEC because it has the 3DES IPPLUS feature. So I suspect the 2600. The IOS filename is c2620-jk8o3s-mz.122-7a.bin. So can it be used for IPSEC (I just tried to use a preshared key and esp-des)? Thank you!
Best Regards
Teru Lei
11-22-2002 04:30 AM
Hi all,
Here is the debug message from the 2600, from the command debug crypto ipsec.
Router#ping 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
.
00:40:04: IPSEC(encapsulate): encaps area too small, moving to new buffer:
idbtype 0, encaps_size 84, header size 36, avail 84....
Success rate is 0 percent (0/5)
Router#
00:40:23: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.18.1.1, remote= 172.18.2.1,
local_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-des ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
00:40:23: IPSEC(validate_transform_proposal): proxy identities not supported
00:40:23: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 172.18.2.1
Router#
Router#telnet 192.168.0.1
Trying 192.168.0.1 ...
00:40:52: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.18.1.1, remote= 172.18.2.1,
local_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-des ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
00:40:52: IPSEC(validate_transform_proposal): proxy identities not supported
00:41:04: IPSEC(encapsulate): encaps area too small, moving to new buffer:
idbtype 0, encaps_size 84, header size 36, avail 84
% Connection timed out; remote host not responding
Router#
00:42:04: IPSEC(encapsulate): encaps area too small, moving to new buffer:
idbtype 0, encaps_size 84, header size 36, avail 84
Thank You!
Best Regards
Teru Lei
11-22-2002 06:27 AM
This debug shows you who the initiator is and where it's trying to go, as well as the network you are trying to connect to. On the 172.18.1.1 router, the access-list you are using for interesting traffic states 192.168.0.0/16 to any.
(key eng. msg.) INBOUND local= 172.18.1.1, remote= 172.18.2.1,
local_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
This next error message basically says that your access-lists don't match. Check the peer 172.18.2.1 and make sure your access lists match identically.
00:40:52: IPSEC(validate_transform_proposal): proxy identities not supported
Kurtis Durrett
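Added example, not part of any post in this thread: a Python sketch that parses the debug crypto ipsec output quoted above and applies the "match identically" rule from the reply. Mapping local_proxy/remote_proxy to an access-list source/destination follows the reply's reading of the debug, and acl_entries is a hypothetical stand-in for a router's crypto access-list.

```python
import ipaddress
import re

# Constructed sample: lines taken from the debug output quoted in this thread.
SAMPLE_DEBUG = """\
00:40:23: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.18.1.1, remote= 172.18.2.1,
local_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-des ,
00:40:23: IPSEC(validate_transform_proposal): proxy identities not supported
"""

PROXY_RE = re.compile(r"(local|remote)_proxy=\s*([\d.]+)/([\d.]+)/")
PEER_RE = re.compile(r"local=\s*([\d.]+),\s*remote=\s*([\d.]+)")


def to_network(addr, mask):
    """Build a network from the address/netmask pair printed in the debug."""
    prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}")


def parse_proposals(debug_text):
    """Return one dict per validate_proposal_request block."""
    proposals = []
    for block in debug_text.split("IPSEC(validate_proposal_request)")[1:]:
        peers = PEER_RE.search(block)
        proxies = {side: to_network(a, m) for side, a, m in PROXY_RE.findall(block)}
        if peers and len(proxies) == 2:
            proposals.append({
                "local": peers.group(1), "remote": peers.group(2),
                "local_proxy": proxies["local"], "remote_proxy": proxies["remote"],
                "rejected": "proxy identities not supported" in block,
            })
    return proposals


def acl_mismatches(proposals, acl_entries):
    """Proposals with no identical (source, destination) entry in acl_entries."""
    # acl_entries: hypothetical (source, destination) CIDR pairs, one per permit line.
    entries = {(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in acl_entries}
    return [p for p in proposals
            if (p["local_proxy"], p["remote_proxy"]) not in entries]


def mirrored_entry(proposal):
    """The (source, destination) pair the peer's access-list must carry."""
    return str(proposal["remote_proxy"]), str(proposal["local_proxy"])
```

Feed it the debug from the router that logs the rejection together with that router's own crypto access-list entries; anything returned by acl_mismatches is a proposal the two lists disagree on.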
11-24-2002 10:37 PM
Hi Teru;
Go to the following page for IOS features:
http://www.cisco.com/cgi-bin/Support/CompNav/Index.pl?Introduction=True