05-14-2003 09:49 PM - edited 03-09-2019 03:17 AM
I have two 2501 routers connected together via ethernet. Both routers run IOS Version 12.1(15). When I setup both routers with static crypto maps everything works. When I configure one of the routers with a dynamic crypto map it doesn't work.
XXXXXXXXXXXXXXXXXXXXXX
Following is the configuration for one of the routers called initiator:
hostname initiator
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 152.1.8.2
!
crypto ipsec transform-set my_transform_set esp-des
!
crypto map my_working_crypto_map 10 ipsec-isakmp
set peer 152.1.8.2
set transform-set my_transform_set
match address 100
!
interface Ethernet0
ip address 152.1.8.1 255.255.255.192
crypto map my_working_crypto_map
!
access-list 100 permit icmp any any
!
XXXXXXXXXXXXXXXXX
Here is the other configuration for router called acceptor:
!
hostname acceptor
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set my_transform_set esp-des
!
crypto dynamic-map my_dynamic_crypto_map 10
set transform-set my_transform_set
!
crypto map my_working_crypto_map 10 ipsec-isakmp
set peer 152.1.8.1
set transform-set my_transform_set
match address 100
!
crypto map my_bad_crypto_map 10 ipsec-isakmp dynamic my_dynamic_crypto_map
!
interface Ethernet0
ip address 152.1.8.2 255.255.255.192
crypto map my_working_crypto_map
access-list 100 permit icmp any any
XXXXXXXXXXXXXXXXXXXXX
Following is what happens when I use the static crypto map and I ping from the router
called initiator - it works!!! Sorry, I had to cut out some of the debug to save room....but it should still be clear what is going on...
acceptor#
23:24:59: ISAKMP (0:4): atts are acceptable.
23:24:59: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 152.1.8.2, src= 152.1.8.1,
dest_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
src_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
protocol= ESP, transform= esp-des ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
23:24:59: ISAKMP (0:4): processing NONCE payload. message ID = -238079936
23:24:59: ISAKMP (0:4): processing ID payload. message ID = -238079936
23:24:59: ISAKMP (4): ID_IPV4_ADDR_SUBNET src 0.0.0.0/0.0.0.0 prot 1 port 0
23:24:59: ISAKMP (0:4): processing ID payload. message ID = -238079936
23:24:59: ISAKMP (4): ID_IPV4_ADDR_SUBNET dst 0.0.0.0/0.0.0.0 prot 1 port 0
23:24:59: ISAKMP (0:4): asking for 1 spis from ipsec
23:24:59: IPSEC(key_engine): got a queue event...
23:24:59: IPSEC(spi_response): getting spi 417664320 for SA
from 152.1.8.1 to 152.1.8.2 for prot 3
23:24:59: ISAKMP: received ke message (2/1)
23:24:59: ISAKMP (4): sending packet to 152.1.8.1 (R) QM_IDLE
23:24:59: ISAKMP (4): received packet from 152.1.8.1 (R) QM_IDLE
23:24:59: ISAKMP (0:4): Creating IPSec SAs
23:24:59: inbound SA from 152.1.8.1 to 152.1.8.2 (proxy 0.0.0.0 to 0.0.0.0 )
23:24:59: has spi 417664320 and conn_id 2000 and flags 4
23:24:59: lifetime of 3600 seconds
23:24:59: lifetime of 4608000 kilobytes
23:24:59: outbound SA from 152.1.8.2 to 152.1.8.1 (proxy 0.0.0.0 to 0.0.0.0 )
23:24:59: has spi 219817073 and conn_id 2001 and flags 4
23:24:59: lifetime of 3600 seconds
23:24:59: lifetime of 4608000 kilobytes
23:24:59: ISAKMP (0:4): deleting node -238079936 error FALSE reason "quick mode done (await()"
23:24:59: IPSEC(key_engine): got a queue event...
23:24:59: IPSEC(initialize_sas): ,
(key eng. msg.) dest= 152.1.8.2, src= 152.1.8.1,
dest_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
src_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
protocol= ESP, transform= esp-des ,
lifedur= 3600s and 4608000kb,
spi= 0x18E50D40(417664320), conn_id= 2000, keysize= 0, flags= 0x4
23:24:59: IPSEC(initialize_sas): ,
(key eng. msg.) src= 152.1.8.2, dest= 152.1.8.1,
src_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
dest_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
protocol= ESP, transform= esp-des ,
lifedur= 3600s and 4608000kb,
spi= 0xD1A2471(219817073), conn_id= 2001, keysize= 0, flags= 0x4
23:24:59: IPSEC(create_sa): sa created,
(sa) sa_dest= 152.1.8.2, sa_prot= 50,
sa_spi= 0x18E50D40(417664320),
sa_trans= esp-des , sa_conn_id= 2000
23:24:59: IPSEC(create_sa): sa created,
(sa) sa_dest= 152.1.8.1, sa_prot= 50,
sa_spi= 0xD1A2471(219817073),
sa_trans= esp-des , sa_conn_id= 2001
23:24:59: ICMP: echo reply sent, src 152.1.8.2, dst 152.1.8.1
XXXXXXXXXXX
Now I configure it to use my dynamic crypto map
acceptor#config t
Enter configuration commands, one per line. End with CNTL/Z.
acceptor(config)#int e0
acceptor(config-if)#crypto map my_bad_crypto_map
acceptor(config-if)#^Z
acceptor#
XXXXXXXXXX
Now I ping from the router called initiator - it doesn't work!!!
acceptor#clear crypto sa
acceptor#clear crypto isakmp
acceptor#
acceptor#
23:25:48: ISAKMP (0:5): atts are acceptable.
23:25:48: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 152.1.8.2, src= 152.1.8.1,
dest_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
src_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
protocol= ESP, transform= esp-des ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
23:25:48: IPSEC(validate_transform_proposal): proxy identities not supported
23:25:48: ISAKMP: IPSec policy invalidated proposal
23:25:48: ISAKMP (0:5): SA not acceptable!
23:25:48: ISAKMP (5): sending packet to 152.1.8.1 (R) QM_IDLE
23:25:48: ISAKMP (0:5): purging node 1456154023
23:25:48: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 152.1.8.1
23:25:48: ISAKMP (0:5): deleting node 878439662 error FALSE reason "IKMP_NO_ERR_NO_TRANS"
23:25:49: ISAKMP (0:4): purging node -238079936
acceptor#
XXXXXXXXXXXXXX
Please shed some light on this problem! Thanks!
05-14-2003 10:07 PM
This is the debug for the initiator router when the ping doesn't work:
initiator#ping 152.1.8.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 152.1.8.2, timeout is 2 seconds:
1d00h: IPSEC(sa_request): ,
(key eng. msg.) src= 152.1.8.1, dest= 152.1.8.2,
src_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
dest_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
protocol= ESP, transform= esp-des ,
lifedur= 3600s and 4608000kb,
spi= 0x20FB260A(553330186), conn_id= 0, keysize= 0, flags= 0x4004
1d00h: ISAKMP: received ke message (1/1)
1d00h: ISAKMP: local port 500, remote port 500
1d00h: ISAKMP (0:1): beginning Main Mode exchange
1d00h: ISAKMP (1): sending packet to 152.1.8.2 (I) MM_NO_STATE.
1d00h: ISAKMP (1): received packet from 152.1.8.2 (I) MM_NO_STATE
1d00h: ISAKMP (0:1): processing SA payload. message ID = 0
1d00h: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
1d00h: ISAKMP: encryption DES-CBC
1d00h: ISAKMP: hash SHA
1d00h: ISAKMP: default group 1
1d00h: ISAKMP: auth pre-share
1d00h: ISAKMP (0:1): atts are acceptable. Next payload is 0
1d00h: ISAKMP (0:1): SA is doing pre-shared key authentication
1d00h: ISAKMP (1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
1d00h: ISAKMP (1): sending packet to 152.1.8.2 (I) MM_SA_SETUP...
1d00h: ISAKMP (1): received packet from 152.1.8.2 (I) MM_SA_SETUP
1d00h: ISAKMP (0:1): processing KE payload. message ID = 0
1d00h: ISAKMP (0:1): processing NONCE payload. message ID = 0
1d00h: ISAKMP (0:1): SKEYID state generated
1d00h: ISAKMP (0:1): processing vendor id payload
1d00h: ISAKMP (0:1): speaking to another IOS box!
1d00h: ISAKMP (1): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
1d00h: ISAKMP (1): Total payload length: 12
1d00h: ISAKMP (1): sending packet to 152.1.8.2 (I) MM_KEY_EXCH
1d00h: ISAKMP (1): received packet from 152.1.8.2 (I) MM_KEY_EXCH
1d00h: ISAKMP (0:1): processing ID payload. message ID = 0
1d00h: ISAKMP (0:1): processing HASH payload. message ID = 0
1d00h: ISAKMP (0:1): SA has been authenticated with 152.1.8.2
1d00h: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 1454019134
1d00h: ISAKMP (1): sending packet to 152.1.8.2 (I) QM_IDLE
1d00h: ISAKMP (1): received packet from 152.1.8.2 (I) QM_IDLE
1d00h: ISAKMP (1): processing NOTIFY payload 14 protocol 3
spi 553330186, message ID = 2102102761
1d00h: ISAKMP (1): deleting spi 553330186 message ID = 1454019134
1d00h: ISAKMP (0:1): deleting node 1454019134 error TRUE reason "delete_larval"
1d00h: ISAKMP (0:1): deleting node 2102102761 error FALSE reason "informational (in) state 1".
Success rate is 0 percent (0/5)
05-16-2003 06:34 AM
Hi,
You have to use only "one" crypto map per interface.
You cannot use both my_bad_crypto_map and my_working_crypto_map on interface E0.
Don't change "my_working_crypto_map"; just increase the sequence number:
replace the line: crypto map my_bad_crypto_map 10 ipsec-isakmp dynamic my_dynamic_crypto_map
with: crypto map my_working_crypto_map 150 ipsec-isakmp dynamic my_dynamic_crypto_map
regards,
05-16-2003 12:01 PM
Thanks raydakis for your response.
Even after updating the config as you suggested I am still having the same exact problem. I've tried including the "match" command, clearing the security associations, but I still can't get it to work. Just to clarify, from the initiator router, I am attempting to ping the acceptor router. Any other ideas? Anybody? Following is the updated config:
hostname acceptor
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set my_transform_set esp-des
!
crypto dynamic-map my_dynamic_crypto_map 10
set transform-set my_transform_set
!
crypto map my_working_crypto_map 10 ipsec-isakmp
set peer 152.1.8.1
set transform-set my_transform_set
match address 100
crypto map my_working_crypto_map 150 ipsec-isakmp dynamic my_dynamic_crypto_map
!
interface Ethernet0
ip address 152.1.8.2 255.255.255.192
crypto map my_working_crypto_map
access-list 100 permit icmp any any
05-18-2003 08:51 AM
crypto dynamic-map my_dynamic_crypto_map 10
set transform-set my_transform_set
I think you need to add a match address 100
statement there on the acceptor. I think the echo request packet initializes the process, but there is no allowance for matching traffic on the other end, so the tunnel never comes up
05-18-2003 07:50 PM
Mostiguy, thanks for your response....I've tried including a "match address" statement in the dynamic crypto map but I had the same problems....I will try these configurations on some other router models/IOS to see what happens....any other suggestions/ideas?....anyone?....
05-21-2003 03:24 AM
Hi John,
I tested your configuration and made some changes to the crypto configurations. I have been successful in creating an IPSec SA between 2 routers, one with a static map and one with a dynamic map.
See the following configurations for both the routers.
hostname initiator
!
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
lifetime 300
crypto isakmp key cisco address 152.1.8.2
!
crypto ipsec transform-set proposal1 esp-des
!
crypto map STATMAP 10 ipsec-isakmp
set peer 152.1.8.2
set transform-set proposal1
set security-association lifetime sec 1000
match address 101
!
interface Ethernet0
ip address 152.1.8.1 255.255.255.192
crypto map STATMAP
!
access-list 101 permit ip host 152.1.8.1 host 152.1.8.2
!
Here is the other configuration for router called acceptor:
!
hostname acceptor
!
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
lifetime 300
crypto isakmp key cisco address 152.1.8.1
!
crypto ipsec transform-set proposal1 esp-des
!
crypto dynamic-map DYNMAP 10
set transform-set proposal1
match address 102
!
crypto map STATMAP 20 ipsec-isakmp dynamic DYNMAP
!
interface Ethernet0
ip address 152.1.8.2 255.255.255.192
crypto map STATMAP
access-list 102 permit ip host 152.1.8.2 host 152.1.8.1
Once you have applied this configuration to the running config, all that you have to do is ping from either router to the other. You will see that the SAs will be up.
Let me know if you have any issues.
Naveen.
05-21-2003 03:12 PM
Naveen,
It works!!!!...But why must I specify a source host on router initiator? I found that the most general access lists I can use are the following:
On router initiator: access-list 101 permit icmp host 152.1.8.2 any
On router acceptor: access-list 102 permit icmp any any
P.S. How do I use the neighbor command with PIX OS 6.2 so that I don't have to use a GRE tunnel for my routing protocol? Is it only possible to use RIP without a GRE tunnel? It would be great if you could direct me to a link with a configuration.
John
05-21-2003 07:34 PM
Hi John,
The configuration I gave you was just the bare minimum config to get a static and a dynamic map up and running. You can change the access-list to match any traffic that needs to be encrypted. Remember, if you give 'permit icmp' then only icmp echoes and replies will be encrypted and go through the IPSec tunnel. In fact only icmp traffic will trigger the creation of the SA between the crypto peers. You can try with a different access-list, and please avoid giving 'any any' in a crypto access-list.
I'm not very sure of using the neighbor command. I need to check it out...
Meanwhile, if your dynamic crypto map problem is solved, can you please give ratings to my reply. This is the first rating I'll get to start with. I'm very excited !!
Naveen.
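To illustrate the mirror-image rule that Naveen's host-to-host access lists satisfy (and that John's more general pair, 'permit icmp host 152.1.8.2 any' on the initiator and 'permit icmp any any' on the acceptor, also satisfies), here is an added Python model written for this thread; it is not code from any poster or from IOS. It parses IOS crypto ACL entries and the addr/mask/proto/port proxy fields from the debug output, then checks whether the responder's crypto ACL, read in reverse, covers the peer's proposal. Treating "covered by the mirrored entry" as the acceptance rule is a simplifying assumption, not the actual IOS validation logic.

```python
import ipaddress
from typing import NamedTuple

# Protocol keywords as they appear in IOS access-list entries and in the
# addr/mask/proto/port fields of the IPSEC(validate_proposal_request) debug.
PROTO = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}


class Selector(NamedTuple):
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: int  # 0 means "ip" (any protocol)


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS ACLs use wildcard (inverted) masks; convert one to a network."""
    mask = (~int(ipaddress.ip_address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network((addr, str(ipaddress.ip_address(mask))), strict=False)


def parse_acl_entry(line: str) -> Selector:
    """Parse 'access-list N permit <proto> <src> <dst>' into a Selector."""
    toks = line.split()
    if toks[:1] != ["access-list"] or toks[2] != "permit":
        raise ValueError(f"not a permit entry: {line!r}")
    proto, pos, nets = PROTO[toks[3]], 4, []
    for _ in range(2):  # source spec, then destination spec
        if toks[pos] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); pos += 1
        elif toks[pos] == "host":
            nets.append(ipaddress.ip_network(toks[pos + 1] + "/32")); pos += 2
        else:
            nets.append(_wildcard_to_network(toks[pos], toks[pos + 1])); pos += 2
    return Selector(nets[0], nets[1], proto)


def parse_debug_proxy(src_proxy: str, dst_proxy: str) -> Selector:
    """Parse the 'addr/mask/proto/port' proxy fields shown in the IOS debug."""
    def net(field):
        addr, mask, proto, _port = field.split("/")
        return ipaddress.ip_network((addr, mask), strict=False), int(proto)
    src, proto = net(src_proxy)
    dst, _ = net(dst_proxy)
    return Selector(src, dst, proto)


def responder_accepts(proposal: Selector, responder_acl: Selector) -> bool:
    """Mirror-image rule (simplified model): the responder's own side is the
    destination of the peer's proposal, so its ACL is read backwards and the
    proposal is accepted only if it falls inside that mirrored entry."""
    proto_ok = responder_acl.proto in (0, proposal.proto)
    return (proto_ok and proposal.src.subnet_of(responder_acl.dst)
            and proposal.dst.subnet_of(responder_acl.src))
```

The proposal from the failing debug above ('0.0.0.0/0.0.0.0/1/0' on both sides) is rejected against Naveen's host-to-host entry, while the initiator's ACL 101 is accepted against ACL 102 because the two are exact mirrors.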
05-21-2003 08:25 PM
Hi Naveen,
You have been a great help! Very much appreciated! I will repost my PIX question in the correct forum (Security) so that everyone can benefit from my question.
John