
Can I use this IOS for IPSEC?

teru-lei
Level 1

Hi all,

I try to form IPSEC between one 1751 and one 2600, but I fail. I have tried every method, and my settings are the same as the reference book and the Cisco web site. So I suspect that the router does not support IPSEC (but all the IPSEC commands are there, including debug). I am sure the 1751 can be used for IPSEC because it has the 3DES IPPLUS feature. So I suspect the 2600. The IOS filename is c2620-jk8o3s-mz.122-7a.bin. Can it be used for IPSEC (I just tried to use a preshared key and esp-des)? Thank you!

Best Regards

Teru Lei


teru-lei
Level 1

Hi all,

Here is the debug message from the 2600, from the command debug crypto ipsec.

Router#ping 192.168.0.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:

.

00:40:04: IPSEC(encapsulate): encaps area too small, moving to new buffer:

idbtype 0, encaps_size 84, header size 36, avail 84....

Success rate is 0 percent (0/5)

Router#

00:40:23: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 172.18.1.1, remote= 172.18.2.1,

local_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4),

remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

protocol= ESP, transform= esp-des ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

00:40:23: IPSEC(validate_transform_proposal): proxy identities not supported

00:40:23: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 172.18.2.1

Router#

Router#telnet 192.168.0.1

Trying 192.168.0.1 ...

00:40:52: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 172.18.1.1, remote= 172.18.2.1,

local_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4),

remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

protocol= ESP, transform= esp-des ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

00:40:52: IPSEC(validate_transform_proposal): proxy identities not supported

00:41:04: IPSEC(encapsulate): encaps area too small, moving to new buffer:

idbtype 0, encaps_size 84, header size 36, avail 84

% Connection timed out; remote host not responding

Router#

00:42:04: IPSEC(encapsulate): encaps area too small, moving to new buffer:

idbtype 0, encaps_size 84, header size 36, avail 84

Thank You!

Best Regards

Teru Lei

This debug shows you who the initiator is and where it's trying to go, as well as the network you are trying to connect to. On the 172.18.1.1 router, the access-list you are using for interesting traffic states 192.168.0.0/16 to any.

(key eng. msg.) INBOUND local= 172.18.1.1, remote= 172.18.2.1,

local_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4),

remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

This next error message basically says that your access-lists don't match. Check the peer 172.18.2.1 and make sure your access lists match identically.

00:40:52: IPSEC(validate_transform_proposal): proxy identities not supported

Kurtis Durrett
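
The comparison described in this reply, as an added example that is not part of the original thread: it parses the local_proxy/remote_proxy lines of a debug crypto ipsec proposal and checks them against crypto ACL entries. The sample debug text, the ACL entries and the function names are constructed for illustration, and the matching rule (an entry's source and destination must equal local_proxy and remote_proxy exactly) is an assumption.

```python
import ipaddress
import re

# Constructed sample in the shape of the debug output quoted in the thread.
SAMPLE_DEBUG = """\
00:40:23: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 172.18.1.1, remote= 172.18.2.1,
    local_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-des ,
00:40:23: IPSEC(validate_transform_proposal): proxy identities not supported
"""

# Matches "local_proxy= addr/mask/proto/port"; "local= ..." lines are skipped.
PROXY_RE = re.compile(r"(local|remote)_proxy=\s*([\d.]+)/([\d.]+)/(\d+)/(\d+)")


def parse_proposals(text):
    """Return one {'local': network, 'remote': network} dict per proposal."""
    proposals, current = [], {}
    for side, addr, mask, _proto, _port in PROXY_RE.findall(text):
        current[side] = ipaddress.ip_network(f"{addr}/{mask}")
        if len(current) == 2:
            proposals.append(current)
            current = {}
    return proposals


def check_proposal(proposal, crypto_acl):
    """Compare a proposal with (source, destination) crypto ACL entries.

    Assumption: the receiving router needs an entry whose source equals
    local_proxy and whose destination equals remote_proxy. Entries are
    given in prefix notation, e.g. ("192.168.0.0/16", "0.0.0.0/0").
    """
    wanted = (proposal["local"], proposal["remote"])
    for src, dst in crypto_acl:
        if (ipaddress.ip_network(src), ipaddress.ip_network(dst)) == wanted:
            return "match"
    return "mismatch: no entry %s -> %s" % wanted


if __name__ == "__main__":
    for p in parse_proposals(SAMPLE_DEBUG):
        # Constructed ACL: a /24 source where the proposal carries a /16.
        print(check_proposal(p, [("192.168.0.0/24", "0.0.0.0/0")]))
```
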

hchebli
Level 1

Hi Teru;

Go to the following page for IOS features:

http://www.cisco.com/cgi-bin/Support/CompNav/Index.pl?Introduction=True