Tunnel Cascading

jerry.roy
Level 1

Hi All,

Does anyone know if IOS supports Tunnel cascading between non-crypto mapped end points. What I am asking is: If A trusts b and A trusts C can B trust C through A?

To Clarify:

I have a tunnel between A and B.

I have a tunnel between A and C.

Since Both B and C can get to A, Can B now get to C?

How do I enable this if it does work?

Thanks,

Jerry

3 Replies

smalkeric
Level 6

B should not be able to get to C through A. I would simply build a tunnel from B to C and vice versa, but if you want everything to go through A, that will have to be crypto-mapped. You might call TAC for help with this one.

I want to TFTP my Config back to my TFTP Server through the tunnels. The Path would be from the remote router through the Hub Router on the head end and then finally through a management router to the tftp server as the final destination.

TFTP_Config_Router<--Tunnel-->HuB_Router<--Tunnel-->Manage_Router-->TFTP Server.

Tunnels from TFTP_Config_Router to HuB_Router work great and vice versa.

Tunnels from HuB_Router to Manage_Router work great and vice versa.

I believe this should work. I have added the route to the tftp server on the TFTP_Config_Router. The HuB Router (Hub and spoke design) sees the traffic but gives me the following message.

6d23h: ISAKMP (0:0): received packet from 64.169.222.54 (N) NEW SA

6d23h: ISAKMP: local port 500, remote port 500

6d23h: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Old State = IKE_READY New State = IKE_R_MM1

6d23h: ISAKMP (0:1): processing SA payload. message ID = 0

6d23h: ISAKMP (0:1): found peer pre-shared key matching 64.169.222.54

6d23h: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy

6d23h: ISAKMP: encryption 3DES-CBC

6d23h: ISAKMP: hash SHA

6d23h: ISAKMP: default group 2

6d23h: ISAKMP: auth pre-share

6d23h: ISAKMP: life type in seconds

6d23h: ISAKMP: life duration (basic) of 28800

6d23h: ISAKMP (0:1): atts are acceptable. Next payload is 0

6d23h: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Old State = IKE_R_MM1 New State = IKE_R_MM1

6d23h: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

6d23h: ISAKMP (0:1): sending packet to 64.169.222.54 (R) MM_SA_SETUP

6d23h: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Old State = IKE_R_MM1 New State = IKE_R_MM2

6d23h: ISAKMP (0:1): received packet from 64.169.222.54 (R) MM_SA_SETUP

6d23h: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Old State = IKE_R_MM2 New State = IKE_R_MM3

6d23h: ISAKMP (0:1): processing KE payload. message ID = 0

6d23h: ISAKMP (0:1): processing NONCE payload. message ID = 0

6d23h: ISAKMP (0:1): found peer pre-shared key matching 64.169.222.54

6d23h: ISAKMP (0:1): SKEYID state generated

6d23h: ISAKMP (0:1): processing vendor id payload

6d23h: ISAKMP (0:1): speaking to another IOS box!

6d23h: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Old State = IKE_R_MM3 New State = IKE_R_MM3

6d23h: ISAKMP (0:1): sending packet to 64.169.222.54 (R) MM_KEY_EXCH

6d23h: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Old State = IKE_R_MM3 New State = IKE_R_MM4

6d23h: ISAKMP (0:1): received packet from 64.169.222.54 (R) MM_KEY_EXCH

6d23h: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Old State = IKE_R_MM4 New State = IKE_R_MM5

6d23h: ISAKMP (0:1): processing ID payload. message ID = 0

6d23h: ISAKMP (0:1): processing HASH payload. message ID = 0

6d23h: ISAKMP:received payload type 14

6d23h: ISAKMP (0:1): processing keep alive: proposal=1800/2 sec., actual=1800/2 sec.

6d23h: ISAKMP (0:1): peer knows about the keepalive extension mechanism.

6d23h: ISAKMP (0:1): read keepalive extended attribute VPI: /0x2/0x4

6d23h: ISAKMP (0:1): peer keepalives capabilities: 0x1

6d23h: ISAKMP (0:1): SA has been authenticated with 64.169.222.54

6d23h: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Old State = IKE_R_MM5 New State = IKE_R_MM5

6d23h: ISAKMP (1): ID payload

next-payload : 8

type : 1

protocol : 17

port : 500

length : 8

6d23h: ISAKMP (1): Total payload length: 12

6d23h: ISAKMP (0:1): sending packet to 64.169.222.54 (R) QM_IDLE

6d23h: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

6d23h: ISAKMP (0:1): received packet from 64.169.222.54 (R) QM_IDLE

6d23h: ISAKMP (0:1): processing HASH payload. message ID = 1977196283

6d23h: ISAKMP (0:1): processing SA payload. message ID = 1977196283

6d23h: ISAKMP (0:1): Checking IPSec proposal 1

6d23h: ISAKMP: transform 1, AH_SHA

6d23h: ISAKMP: attributes in transform:

6d23h: ISAKMP: encaps is 1

6d23h: ISAKMP: SA life type in seconds

6d23h: ISAKMP: SA life duration (basic) of 10800

6d23h: ISAKMP: SA life type in kilobytes

6d23h: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

6d23h: ISAKMP: group is 2

6d23h: ISAKMP: authenticator is HMAC-SHA

6d23h: ISAKMP (0:1): atts are acceptable.

6d23h: ISAKMP (0:1): Checking IPSec proposal 1

6d23h: ISAKMP: transform 1, ESP_3DES

6d23h: ISAKMP: attributes in transform:

6d23h: ISAKMP: encaps is 1

6d23h: ISAKMP: SA life type in seconds

6d23h: ISAKMP: SA life duration (basic) of 10800

6d23h: ISAKMP: SA life type in kilobytes

6d23h: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

6d23h: ISAKMP: group is 2

6d23h: ISAKMP (0:1): atts are acceptable.

6d23h: ISAKMP (0:1): IPSec policy invalidated proposal

6d23h: ISAKMP (0:1): phase 2 SA not acceptable!

6d23h: ISAKMP (0:1): sending packet to 64.169.222.54 (R) QM_IDLE

6d23h: ISAKMP (0:1): purging node -2135807601

6d23h: ISAKMP (0:1): Unknown Input for node 1977196283: state = IKE_QM_READY, major = 0x00000001, minor = 0x0000000C

6d23h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 64.169.222.54
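Reading the debug output above: phase 1 reaches IKE_P1_COMPLETE and both IPsec transforms (AH_SHA, ESP_3DES) are reported as acceptable before the proposal is invalidated, which points at the crypto map's proxy identities (the crypto ACL) rather than the transform set. The following triage script is an added example, not code from the thread; it runs over a condensed excerpt of the quoted debug lines and the interpretation of "IPSec policy invalidated proposal" as a proxy-identity mismatch is the usual reading of that message, stated as an assumption in the comment.

```python
import re

# Constructed excerpt of the responder-side debug output quoted in the thread.
SAMPLE_DEBUG = """\
6d23h: ISAKMP (0:0): received packet from 64.169.222.54 (N) NEW SA
6d23h: ISAKMP (0:1): atts are acceptable. Next payload is 0
6d23h: ISAKMP (0:1): SA has been authenticated with 64.169.222.54
Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
6d23h: ISAKMP (0:1): Checking IPSec proposal 1
6d23h: ISAKMP: transform 1, AH_SHA
6d23h: ISAKMP (0:1): atts are acceptable.
6d23h: ISAKMP (0:1): Checking IPSec proposal 1
6d23h: ISAKMP: transform 1, ESP_3DES
6d23h: ISAKMP (0:1): atts are acceptable.
6d23h: ISAKMP (0:1): IPSec policy invalidated proposal
6d23h: ISAKMP (0:1): phase 2 SA not acceptable!
6d23h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 64.169.222.54
"""

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
PEER_RE = re.compile(r"authenticated with (\d+\.\d+\.\d+\.\d+)")
TRANSFORM_RE = re.compile(r"ISAKMP: transform \d+, (\S+)")


def triage_isakmp_debug(text):
    """Return a dict describing how far the IKE negotiation got and why it stopped."""
    s = {"peer": None, "phase1_complete": False, "transforms": [],
         "transforms_accepted": 0, "phase2_failed": False, "reason": None}
    for line in text.splitlines():
        if m := PEER_RE.search(line):
            s["peer"] = m.group(1)
        if (m := STATE_RE.search(line)) and m.group(2) == "IKE_P1_COMPLETE":
            s["phase1_complete"] = True
        if m := TRANSFORM_RE.search(line):
            s["transforms"].append(m.group(1))
        # 'atts are acceptable' also appears in phase 1; only count phase 2 hits.
        if "atts are acceptable" in line and s["phase1_complete"]:
            s["transforms_accepted"] += 1
        if "IPSec policy invalidated proposal" in line:
            # Transforms were already accepted, so the crypto map itself rejected
            # the proposal. Assumption: the usual cause is peer proxy identities
            # (the crypto ACL) that match no crypto map entry on this router.
            s["phase2_failed"] = True
            s["reason"] = "crypto ACL / proxy identity mismatch"
        if "IKMP_MODE_FAILURE" in line:
            s["phase2_failed"] = True
    return s
```

For the hub-transit case in the thread, the check this suggests is whether the hub's crypto ACL for the spoke also covers the TFTP server's network behind Manage_Router, and whether the spoke's ACL mirrors it.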

alan.basinger
Level 1

What do you mean non-crypto mapped end points? Are you talking GRE tunnels? If so, are you running any dynamic routing protocols through the tunnels?

I would think if the networks were advertised to a routing protocol then you would be able to route the traffic from B to C through A whether they are encrypted or not.
