Dynamic crypto map difficulties

johncheung (Level 1)

I have two 2501 routers connected together via Ethernet. Both routers run IOS Version 12.1(15). When I set up both routers with static crypto maps everything works. When I configure one of the routers with a dynamic crypto map it doesn't work.

XXXXXXXXXXXXXXXXXXXXXX

Following is the configuration for one of the routers called initiator:

hostname initiator
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 152.1.8.2
!
crypto ipsec transform-set my_transform_set esp-des
!
crypto map my_working_crypto_map 10 ipsec-isakmp
 set peer 152.1.8.2
 set transform-set my_transform_set
 match address 100
!
interface Ethernet0
 ip address 152.1.8.1 255.255.255.192
 crypto map my_working_crypto_map
!
access-list 100 permit icmp any any
!

XXXXXXXXXXXXXXXXX

Here is the configuration for the other router, called acceptor:

!
hostname acceptor
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set my_transform_set esp-des
!
crypto dynamic-map my_dynamic_crypto_map 10
 set transform-set my_transform_set
!
crypto map my_working_crypto_map 10 ipsec-isakmp
 set peer 152.1.8.1
 set transform-set my_transform_set
 match address 100
!
crypto map my_bad_crypto_map 10 ipsec-isakmp dynamic my_dynamic_crypto_map
!
interface Ethernet0
 ip address 152.1.8.2 255.255.255.192
 crypto map my_working_crypto_map
access-list 100 permit icmp any any

XXXXXXXXXXXXXXXXXXXXX

Following is what happens when I use the static crypto map and ping from the router called initiator: it works!!! Sorry, I had to cut out some of the debug to save room, but it should still be clear what is going on.

acceptor#
23:24:59: ISAKMP (0:4): atts are acceptable.
23:24:59: IPSEC(validate_proposal_request): proposal part #1,
    (key eng. msg.) dest= 152.1.8.2, src= 152.1.8.1,
    dest_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
    src_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
    protocol= ESP, transform= esp-des ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
23:24:59: ISAKMP (0:4): processing NONCE payload. message ID = -238079936
23:24:59: ISAKMP (0:4): processing ID payload. message ID = -238079936
23:24:59: ISAKMP (4): ID_IPV4_ADDR_SUBNET src 0.0.0.0/0.0.0.0 prot 1 port 0
23:24:59: ISAKMP (0:4): processing ID payload. message ID = -238079936
23:24:59: ISAKMP (4): ID_IPV4_ADDR_SUBNET dst 0.0.0.0/0.0.0.0 prot 1 port 0
23:24:59: ISAKMP (0:4): asking for 1 spis from ipsec
23:24:59: IPSEC(key_engine): got a queue event...
23:24:59: IPSEC(spi_response): getting spi 417664320 for SA
    from 152.1.8.1 to 152.1.8.2 for prot 3
23:24:59: ISAKMP: received ke message (2/1)
23:24:59: ISAKMP (4): sending packet to 152.1.8.1 (R) QM_IDLE
23:24:59: ISAKMP (4): received packet from 152.1.8.1 (R) QM_IDLE
23:24:59: ISAKMP (0:4): Creating IPSec SAs
23:24:59:     inbound SA from 152.1.8.1 to 152.1.8.2 (proxy 0.0.0.0 to 0.0.0.0 )
23:24:59:     has spi 417664320 and conn_id 2000 and flags 4
23:24:59:     lifetime of 3600 seconds
23:24:59:     lifetime of 4608000 kilobytes
23:24:59:     outbound SA from 152.1.8.2 to 152.1.8.1 (proxy 0.0.0.0 to 0.0.0.0 )
23:24:59:     has spi 219817073 and conn_id 2001 and flags 4
23:24:59:     lifetime of 3600 seconds
23:24:59:     lifetime of 4608000 kilobytes
23:24:59: ISAKMP (0:4): deleting node -238079936 error FALSE reason "quick mode done (await()"
23:24:59: IPSEC(key_engine): got a queue event...
23:24:59: IPSEC(initialize_sas): ,
    (key eng. msg.) dest= 152.1.8.2, src= 152.1.8.1,
    dest_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
    src_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
    protocol= ESP, transform= esp-des ,
    lifedur= 3600s and 4608000kb,
    spi= 0x18E50D40(417664320), conn_id= 2000, keysize= 0, flags= 0x4
23:24:59: IPSEC(initialize_sas): ,
    (key eng. msg.) src= 152.1.8.2, dest= 152.1.8.1,
    src_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
    dest_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
    protocol= ESP, transform= esp-des ,
    lifedur= 3600s and 4608000kb,
    spi= 0xD1A2471(219817073), conn_id= 2001, keysize= 0, flags= 0x4
23:24:59: IPSEC(create_sa): sa created,
    (sa) sa_dest= 152.1.8.2, sa_prot= 50,
    sa_spi= 0x18E50D40(417664320),
    sa_trans= esp-des , sa_conn_id= 2000
23:24:59: IPSEC(create_sa): sa created,
    (sa) sa_dest= 152.1.8.1, sa_prot= 50,
    sa_spi= 0xD1A2471(219817073),
    sa_trans= esp-des , sa_conn_id= 2001
23:24:59: ICMP: echo reply sent, src 152.1.8.2, dst 152.1.8.1

XXXXXXXXXXX

Now I configure the router to use my dynamic crypto map:

acceptor#config t
Enter configuration commands, one per line. End with CNTL/Z.
acceptor(config)#int e0
acceptor(config-if)#crypto map my_bad_crypto_map
acceptor(config-if)#^Z
acceptor#

XXXXXXXXXX

Now I ping from the router called initiator: it doesn't work!!!

acceptor#clear crypto sa
acceptor#clear crypto isakmp
acceptor#
acceptor#
23:25:48: ISAKMP (0:5): atts are acceptable.
23:25:48: IPSEC(validate_proposal_request): proposal part #1,
    (key eng. msg.) dest= 152.1.8.2, src= 152.1.8.1,
    dest_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
    src_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
    protocol= ESP, transform= esp-des ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
23:25:48: IPSEC(validate_transform_proposal): proxy identities not supported
23:25:48: ISAKMP: IPSec policy invalidated proposal
23:25:48: ISAKMP (0:5): SA not acceptable!
23:25:48: ISAKMP (5): sending packet to 152.1.8.1 (R) QM_IDLE
23:25:48: ISAKMP (0:5): purging node 1456154023
23:25:48: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 152.1.8.1
23:25:48: ISAKMP (0:5): deleting node 878439662 error FALSE reason "IKMP_NO_ERR_NO_TRANS"
23:25:49: ISAKMP (0:4): purging node -238079936
acceptor#

XXXXXXXXXXXXXX

Please shed some light on this problem! Thanks!


johncheung (Level 1)

This is the debug for the initiator router when the ping doesn't work:

initiator#ping 152.1.8.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 152.1.8.2, timeout is 2 seconds:
1d00h: IPSEC(sa_request): ,
    (key eng. msg.) src= 152.1.8.1, dest= 152.1.8.2,
    src_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
    dest_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
    protocol= ESP, transform= esp-des ,
    lifedur= 3600s and 4608000kb,
    spi= 0x20FB260A(553330186), conn_id= 0, keysize= 0, flags= 0x4004
1d00h: ISAKMP: received ke message (1/1)
1d00h: ISAKMP: local port 500, remote port 500
1d00h: ISAKMP (0:1): beginning Main Mode exchange
1d00h: ISAKMP (1): sending packet to 152.1.8.2 (I) MM_NO_STATE.
1d00h: ISAKMP (1): received packet from 152.1.8.2 (I) MM_NO_STATE
1d00h: ISAKMP (0:1): processing SA payload. message ID = 0
1d00h: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
1d00h: ISAKMP:      encryption DES-CBC
1d00h: ISAKMP:      hash SHA
1d00h: ISAKMP:      default group 1
1d00h: ISAKMP:      auth pre-share
1d00h: ISAKMP (0:1): atts are acceptable. Next payload is 0
1d00h: ISAKMP (0:1): SA is doing pre-shared key authentication
1d00h: ISAKMP (1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
1d00h: ISAKMP (1): sending packet to 152.1.8.2 (I) MM_SA_SETUP...
1d00h: ISAKMP (1): received packet from 152.1.8.2 (I) MM_SA_SETUP
1d00h: ISAKMP (0:1): processing KE payload. message ID = 0
1d00h: ISAKMP (0:1): processing NONCE payload. message ID = 0
1d00h: ISAKMP (0:1): SKEYID state generated
1d00h: ISAKMP (0:1): processing vendor id payload
1d00h: ISAKMP (0:1): speaking to another IOS box!
1d00h: ISAKMP (1): ID payload
    next-payload : 8
    type         : 1
    protocol     : 17
    port         : 500
    length       : 8
1d00h: ISAKMP (1): Total payload length: 12
1d00h: ISAKMP (1): sending packet to 152.1.8.2 (I) MM_KEY_EXCH
1d00h: ISAKMP (1): received packet from 152.1.8.2 (I) MM_KEY_EXCH
1d00h: ISAKMP (0:1): processing ID payload. message ID = 0
1d00h: ISAKMP (0:1): processing HASH payload. message ID = 0
1d00h: ISAKMP (0:1): SA has been authenticated with 152.1.8.2
1d00h: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 1454019134
1d00h: ISAKMP (1): sending packet to 152.1.8.2 (I) QM_IDLE
1d00h: ISAKMP (1): received packet from 152.1.8.2 (I) QM_IDLE
1d00h: ISAKMP (1): processing NOTIFY payload 14 protocol 3
    spi 553330186, message ID = 2102102761
1d00h: ISAKMP (1): deleting spi 553330186 message ID = 1454019134
1d00h: ISAKMP (0:1): deleting node 1454019134 error TRUE reason "delete_larval"
1d00h: ISAKMP (0:1): deleting node 2102102761 error FALSE reason "informational (in) state 1".
Success rate is 0 percent (0/5)

Hi,

You have to use only "one" crypto map per interface. You cannot use both my_bad_crypto_map and my_working_crypto_map on interface E0.

Don't change "my_working_crypto_map"; just increase the sequence number.

Replace the line: crypto map my_bad_crypto_map 10 ipsec-isakmp dynamic my_dynamic_crypto_map

with: crypto map my_working_crypto_map 150 ipsec-isakmp dynamic my_dynamic_crypto_map

Regards,

Thanks raydakis for your response.

Even after updating the config as you suggested I am still having the exact same problem. I've tried including the "match" command and clearing the security associations, but I still can't get it to work. Just to clarify, from the initiator router I am attempting to ping the acceptor router. Any other ideas? Anybody? Following is the updated config:

hostname acceptor
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set my_transform_set esp-des
!
crypto dynamic-map my_dynamic_crypto_map 10
 set transform-set my_transform_set
!
crypto map my_working_crypto_map 10 ipsec-isakmp
 set peer 152.1.8.1
 set transform-set my_transform_set
 match address 100
crypto map my_working_crypto_map 150 ipsec-isakmp dynamic my_dynamic_crypto_map
!
interface Ethernet0
 ip address 152.1.8.2 255.255.255.192
 crypto map my_working_crypto_map
access-list 100 permit icmp any any

crypto dynamic-map my_dynamic_crypto_map 10
 set transform-set my_transform_set

I think you need to add a match address 100 statement there on the acceptor. I think the echo request packet initializes the process, but there is no allowance for matching traffic on the other end, so the tunnel never comes up.

Mostiguy, thanks for your response. I've tried including a "match address" statement in the dynamic crypto map but I had the same problems. I will try these configurations on some other router models/IOS versions to see what happens. Any other suggestions/ideas? Anyone?

mnaveen (Level 1)

Hi John,

I tested your configuration and made some changes to the crypto configuration. I succeeded in creating an IPSec SA between two routers, one with a static map and one with a dynamic map.

See the following configurations for both the routers.

hostname initiator
!
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 lifetime 300
crypto isakmp key cisco address 152.1.8.2
!
crypto ipsec transform-set proposal1 esp-des
!
crypto map STATMAP 10 ipsec-isakmp
 set peer 152.1.8.2
 set transform-set proposal1
 set security-association lifetime sec 1000
 match address 101
!
interface Ethernet0
 ip address 152.1.8.1 255.255.255.192
 crypto map STATMAP
!
access-list 101 permit ip host 152.1.8.1 host 152.1.8.2
!

Here is the configuration for the other router, called acceptor:

!
hostname acceptor
!
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 lifetime 300
crypto isakmp key cisco address 152.1.8.1
!
crypto ipsec transform-set proposal1 esp-des
!
crypto dynamic-map DYNMAP 10
 set transform-set proposal1
 match address 102
!
crypto map STATMAP 20 ipsec-isakmp dynamic DYNMAP
!
interface Ethernet0
 ip address 152.1.8.2 255.255.255.192
 crypto map STATMAP
access-list 102 permit ip host 152.1.8.2 host 152.1.8.1

Once you have applied this configuration to the running config, all you have to do is ping from either router to the other. You will see that the SAs come up.

Let me know if you have any issues.

Naveen.

mnaveen@cisco.com

Naveen,

It works!!! But why must I specify a source host on router initiator? I found that the most general access lists I can use are the following:

On router initiator: access-list 101 permit icmp host 152.1.8.2 any

On router acceptor: access-list 102 permit icmp any any

P.S. How do I use the neighbor command with PIX OS 6.2 so that I don't have to use a GRE tunnel for my routing protocol? Is it only possible to use RIP without a GRE tunnel? It would be great if you could direct me to a link with a configuration.

John

Hi John,

The configuration I gave you was just the bare minimum to get a static and a dynamic map up and running. You can change the access-list to match any traffic that needs to be encrypted. Remember, if you give 'permit icmp' then only ICMP echoes and replies will be encrypted and go through the IPSec tunnel; in fact only ICMP traffic will trigger the creation of the SA between the crypto peers. You can try with a different access-list, and please avoid giving 'any any' in a crypto access-list.

I'm not very sure of using the neighbor command. I need to check it out...

Meanwhile, if your dynamic crypto map problem is solved, could you please rate my reply? This is the first rating I'll get to start with. I'm very excited!!

Naveen.
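The check the thread keeps tripping over (the responder's "proxy identities not supported" against the peer's proposed src_proxy/dest_proxy), modelled in Python. This is an added example, not code from the thread or from Cisco; it assumes the IOS rule that the responder's crypto ACL entry must be the mirror image of (or wider than) the proxy identities the peer proposes, and it reads the `src_proxy`/`dest_proxy` fields in the debug format shown earlier.

```python
import ipaddress
import re

# Added example (not from the thread or Cisco): models the responder-side check
# that a peer's proposed proxy identities fit the responder's crypto ACL entry.
PROXY_RE = re.compile(r"(src|dest)_proxy=\s*([\d.]+)/([\d.]+)/(\d+)/(\d+)")
PROTO_NUM = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}   # 0 = any protocol

def parse_proxy_line(line):
    """Parse one 'src_proxy= addr/mask/proto/port' debug line -> (role, net, proto)."""
    m = PROXY_RE.search(line)
    if m is None:
        return None
    role, addr, mask, proto, _port = m.groups()
    return role, ipaddress.ip_network(f"{addr}/{mask}", strict=False), int(proto)

def _addr_spec(tokens, i):
    """Consume one ACL address spec: 'any', 'host A', or 'A wildcard'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    ones = bin(int(ipaddress.ip_address(tokens[i + 1]))).count("1")  # contiguous wildcard assumed
    return ipaddress.ip_network(f"{tokens[i]}/{32 - ones}", strict=False), i + 2

def parse_ace(ace):
    """Parse 'access-list N permit <proto> <src> <dst>' -> (proto, src_net, dst_net)."""
    t = ace.split()
    src, i = _addr_spec(t, 4)
    dst, _ = _addr_spec(t, i)
    return PROTO_NUM[t[3]], src, dst

def proposal_accepted(debug_lines, ace):
    """True if the peer's proxies are covered by the responder's ACL, read as a mirror."""
    proxies = {}
    for line in debug_lines:
        parsed = parse_proxy_line(line)
        if parsed:
            role, net, proto = parsed
            proxies[role] = (net, proto)
    ace_proto, ace_src, ace_dst = parse_ace(ace)
    peer_src, proto = proxies["src"]
    peer_dst, _ = proxies["dest"]
    if ace_proto not in (0, proto):   # 'ip' covers anything; otherwise must match
        return False
    # Mirror image: what the peer calls its source is our destination and vice versa.
    return peer_src.subnet_of(ace_dst) and peer_dst.subnet_of(ace_src)
```

Feeding it the any/any ICMP proxies from the failing debug shows why `permit ip host 152.1.8.2 host 152.1.8.1` on the acceptor rejects them while `permit icmp any any` accepts them, and why Naveen's host-to-host pair matches as a mirror.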

Hi Naveen,

You have been a great help! Very much appreciated! I will repost my PIX question in the correct forum (Security) so that everyone can benefit from my question.

John
