Hi,
   Try removing the "set peer 135.25.3.1" under the crypto map of ISDN1, and
also the "set peer 135.25.4.1" on ISDN2.
They are not necessary and only make things confusing.  Your purpose is to protect
the telnet traffic on the link between the 2 routers.  Hence just creating an
IPsec tunnel between the 2 routers should be fairly enough.

Cheers,
YY
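
Putting YY's advice together with Dion's point about the access-list further down, here is an added example, written for this page and not taken from any of the posters' routers, of what the crypto sections of the two routers look like with only the Serial peer left in each crypto map. It assumes the same hostnames, addresses, policy numbers and pre-shared key as the configs quoted below (the key "cisco" is a lab value, not something to keep in production), uses the real IOS spelling `ip telnet source-interface`, drops the unused transform-set "Cisco", and adds a second entry to each crypto ACL so the two lists are exact mirror images: with `eq telnet` only on the destination, ISDN2's list 110 as quoted describes ISDN2-as-client sessions, not the replies to ISDN1's sessions.

```cisco
! ---- ISDN1 (added example; same addresses and key as the lab configs) ----
crypto isakmp policy 10
 hash md5
 authentication pre-share
! one key, for the peer the crypto map actually talks to (ISDN2 Serial1/1);
! the entry for the ISDN2 loopback is unused once that peer is gone
crypto isakmp key cisco address 135.25.11.1
!
crypto ipsec transform-set Cisco2 esp-des esp-md5-hmac
!
crypto map CCIE 10 ipsec-isakmp
 ! only the far end of the protected link; no loopback peer
 set peer 135.25.11.1
 set transform-set Cisco2
 match address 110
!
interface Serial0/0
 ip address 135.25.11.2 255.255.255.252
 crypto map CCIE
!
! force outbound telnet to be sourced from Loopback0 so it matches list 110
ip telnet source-interface Loopback0
!
! mirror image of ISDN2's list 110: both directions of telnet between the loopbacks
access-list 110 permit tcp host 135.25.4.1 host 135.25.3.1 eq telnet
access-list 110 permit tcp host 135.25.4.1 eq telnet host 135.25.3.1

! ---- ISDN2 ----
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 135.25.11.2
!
crypto ipsec transform-set Cisco2 esp-des esp-md5-hmac
!
crypto map CCIE 10 ipsec-isakmp
 set peer 135.25.11.2
 set transform-set Cisco2
 match address 110
!
interface Serial1/1
 ip address 135.25.11.1 255.255.255.252
 crypto map CCIE
!
ip telnet source-interface Loopback0
!
access-list 110 permit tcp host 135.25.3.1 host 135.25.4.1 eq telnet
access-list 110 permit tcp host 135.25.3.1 eq telnet host 135.25.4.1
```

With this in place, `telnet 135.25.3.1` from ISDN1 should bring up an ISAKMP SA between 135.25.11.2 and 135.25.11.1 (`show crypto isakmp sa` lists the pair in state QM_IDLE), the `#pkts encaps` / `#pkts decaps` counters in `show crypto ipsec sa` should climb on both sides, and `debug ip packet detail 110` (as Dion suggests) should show the loopback-sourced SYNs going out without the "output crypto map check failed" lines. Only telnet between the two loopbacks is protected; telnet to the Serial addresses still travels in the clear, which matches what the original question asked for.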


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Cisco Lover
Sent: Wednesday, August 29, 2001 6:28 PM
To: [EMAIL PROTECTED]
Subject: RE: IPSEC Q's [7:17646]


Dion,

Thanks a lot for detailed analysis of my problem.

In order to match my access lists, I put on both routers the command:


ip telnet source-interface Loopback0

BUT what happened??? Just after putting these I'm no longer able to telnet from 
one router to the other router's Loopback interface, although I can still telnet 
using the interface addresses. Below is the debug output..

Please advise...

Thanks a lot.....:)

[Connection to 135.25.11.1 closed by foreign host]
ISDN1#  telnet 135.25.3.1
Trying 135.25.3.1 ...
04:43:20: IP: s=135.25.4.1 (local), d=135.25.3.1 (Serial0/0), len 44, sending
04:43:20: IP: s=135.25.4.1 (local), d=135.25.3.1 (Serial0/0), len 44, output crypto map check failed.
04:43:22: IP: s=135.25.4.1 (local), d=135.25.3.1 (Serial0/0), len 44, sending
04:43:22: IP: s=135.25.4.1 (local), d=135.25.3.1 (Serial0/0), len 44, output crypto map check failed.
04:43:26: IP: s=135.25.4.1 (local), d=135.25.3.1 (Serial0/0), len 44, sending
04:43:26: IP: s=135.25.4.1 (local), d=135.25.3.1 (Serial0/0), len 44, output crypto map check failed.
04:43:34: IP: s=135.25.4.1 (local), d=135.25.3.1 (Serial0/0), len 44, sending
04:43:34: IP: s=135.25.4.1 (local), d=135.25.3.1 (Serial0/0), len 44, output crypto map check failed.
% Connection timed out; remote host not responding
ISDN2#telnet 135.25.4.1
Trying 135.25.4.1 ...
04:43:14: IP: s=135.25.3.1 (local), d=135.25.4.1 (Serial1/1), len 44, sending
04:43:14:     TCP src=11013, dst=23, seq=819906755, ack=0, win=4128 SYN
04:43:14: IP: s=135.25.3.1 (local), d=135.25.4.1 (Serial1/1), len 44, output crypto map check failed.
04:43:14:     TCP src=11013, dst=23, seq=819906755, ack=0, win=4128 SYN
04:43:16: IP: s=135.25.3.1 (local), d=135.25.4.1 (Serial1/1), len 44, sending
04:43:16:     TCP src=11013, dst=23, seq=819906755, ack=0, win=4128 SYN
04:43:16: IP: s=135.25.3.1 (local), d=135.25.4.1 (Serial1/1), len 44, output crypto map check failed.
04:43:16:     TCP src=11013, dst=23, seq=819906755, ack=0, win=4128 SYN
04:43:20: IP: s=135.25.3.1 (local), d=135.25.4.1 (Serial1/1), len 44, sending
04:43:20:     TCP src=11013, dst=23, seq=819906755, ack=0, win=4128 SYN
04:43:20: IP: s=135.25.3.1 (local), d=135.25.4.1 (Serial1/1), len 44, output crypto map check failed.
04:43:20:     TCP src=11013, dst=23, seq=819906755, ack=0, win=4128 SYN
04:43:28: IP: s=135.25.3.1 (local), d=135.25.4.1 (Serial1/1), len 44, sending
04:43:28:     TCP src=11013, dst=23, seq=819906755, ack=0, win=4128 SYN
04:43:28: IP: s=135.25.3.1 (local), d=135.25.4.1 (Serial1/1), len 44, output crypto map check failed.
04:43:28:     TCP src=11013, dst=23, seq=819906755, ack=0, win=4128 SYN
04:43:29: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 135.25.11.2
04:43:30: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 135.25.11.2 failed its sanity check or is malformed
04:43:44: IP: s=135.25.3.1 (local), d=135.25.4.1 (Serial1/1), len 44, sending
04:43:44:     TCP src=11013, dst=23, seq=819906755, ack=0, win=4128 SYN
04:43:44: IP: s=135.25.3.1 (local), d=135.25.4.1 (Serial1/1), len 44, output crypto map check failed.
04:43:44:     TCP src=11013, dst=23, seq=819906755, ack=0, win=4128 SYN
% Connection timed out; remote host not responding

>From: "Radford Dion" 
>Reply-To: "Radford Dion" 
>To: [EMAIL PROTECTED]
>Subject: RE: IPSEC  Q's [7:17646]
>Date: Wed, 29 Aug 2001 05:28:29 -0400
>
>The access-list is the important point - if your traffic doesn't get caught
>by the access-list it won't be encrypted.
>
>Your access list encrypts telnet traffic that is sourced from the loopback
>address. Now I could be wrong, but if you are on router ISDN1 and telnet to
>the loopback address of ISDN2, the source address will be the ISDN1 routers
>S0/0 interface IP address, NOT the ISDN1 loopback address.
>
>I would change your access-list. You can easily tell if your traffic is
>matching your access list by doing a 'debug ip packet detail 110'. You can
>see how many encrypted packets using the 'sh crypto engine connections
>active'
>
>The 3DES IPSEC image is not easy to get a hold of if you're not in the US.
>
> > -----Original Message-----
> > From:       Cisco Lover [SMTP:[EMAIL PROTECTED]]
> > Sent:       Wednesday, August 29, 2001 9:51 AM
> > To: [EMAIL PROTECTED]
> > Subject:    IPSEC  Q's [7:17646]
> >
> > Hi Guys..
> >
> > Can you please help with some IPSEC stuff.....
> >
> > Q1. Which algorithm in IPSEC supports 128-bit/Triple DES??
> > Q2. Is there any way to confirm if our VPN/IPSEC setup is working
> > properly?
> >
> > I used the commands show crypto ipsec sa + show crypto isakmp sa, but can't
> > see anything coming. Below is my config and show command results.
> > My concern is to protect Telnet traffic b/w these two guys.
> >
> >
> >
> >
> > ISDN1#sh run
> > Building configuration...
> >
> > Current configuration:
> > !
> > version 12.0
> > service timestamps debug uptime
> > service timestamps log uptime
> > no service password-encryption
> > !
> > hostname ISDN1
> > !
> > enable secret 5 $1$LYk/$PJGs8FlVtZXjf/dcBrwcO/
> > !
> > !
> > !
> > !
> > !
> > memory-size iomem 7
> > ip subnet-zero
> > no ip domain-lookup
> > !
> > isdn voice-call-failure 0
> > cns event-service server
> > !
> > !
> > !
> > !
> > crypto isakmp policy 10
> > hash md5
> > authentication pre-share
> > crypto isakmp key cisco address 135.25.3.1 255.255.255.255
> > crypto isakmp key cisco address 135.25.11.1 255.255.255.252
> > !
> > !
> > crypto ipsec transform-set Cisco ah-md5-hmac esp-des
> > crypto ipsec transform-set Cisco2 esp-des esp-md5-hmac
> > !
> > !
> > crypto map CCIE 10 ipsec-isakmp
> > set peer 135.25.11.1
> > set peer 135.25.3.1
> > set transform-set Cisco2
> > match address 110
> > !
> > !
> > !
> > !
> > interface Loopback0
> > ip address 135.25.4.1 255.255.255.255
> > no ip directed-broadcast
> > !
> > interface FastEthernet0/0
> > ip address 10.1.1.1 255.255.255.0
> > no ip directed-broadcast
> > ip nat inside
> > duplex auto
> > speed auto
> > !
> > interface Serial0/0
> > ip address 135.25.11.2 255.255.255.252
> > no ip directed-broadcast
> > ip nat outside
> > no ip mroute-cache
> > no fair-queue
> > crypto map CCIE
> > !
> > interface BRI0/0
> > no ip address
> > no ip directed-broadcast
> > shutdown
> > isdn guard-timer 0 on-expiry accept
> > !
> > interface FastEthernet0/1
> > ip address 135.25.11.9 255.255.255.252
> > no ip directed-broadcast
> > duplex auto
> > speed auto
> > !
> > router ospf 64
> > network 135.25.4.1 0.0.0.0 area 0
> > network 135.25.11.2 0.0.0.0 area 0
> > network 135.25.11.9 0.0.0.0 area 0
> > !
> > ip nat pool CCIE 135.25.11.2 135.25.11.2 prefix-length 30
> > ip nat inside source list 1 pool CCIE overload
> > ip classless
> > no ip http server
> > !
> > access-list 1 permit 10.1.1.0 0.0.0.255
> > access-list 110 permit tcp host 135.25.4.1 host 135.25.3.1 eq telnet
> > !
> > !
> > voice-port 1/0/0
> > !
> > voice-port 1/0/1
> > !
> > voice-port 1/1/0
> > !
> > voice-port 1/1/1
> > !
> > !
> > !
> > line con 0
> > exec-timeout 0 0
> > password cisco
> > transport input none
> > line aux 0
> > line vty 0 4
> > password cisco
> > login
> >
> >
> > ISDN2#sh run
> > Building configuration...
> >
> > Current configuration:
> > !
> > version 12.0
> > service timestamps debug uptime
> > service timestamps log uptime
> > no service password-encryption
> > !
> > hostname ISDN2
> > !
> > enable secret 5 $1$so9r$GFjeRLyea2vUgn2HbMvOG1
> > !
> > !
> > !
> > !
> > !
> > ip subnet-zero
> > no ip domain-lookup
> > !
> > isdn voice-call-failure 0
> > cns event-service server
> > !
> > !
> > crypto isakmp policy 10
> > hash md5
> > authentication pre-share
> > crypto isakmp key cisco address 135.25.11.2
> > crypto isakmp key cisco address 135.25.4.1
> > !
> > !
> > crypto ipsec transform-set Cisco ah-md5-hmac esp-des
> > crypto ipsec transform-set Cisco2 esp-des esp-md5-hmac
> > !
> > !
> > crypto map CCIE 10 ipsec-isakmp
> > set peer 135.25.11.2
> > set peer 135.25.4.1
> > set transform-set Cisco2
> > match address 110
> > partition flash 2 16 8
> > !
> > !
> > !
> > !
> > !
> > !
> > !
> > interface Loopback0
> > ip address 135.25.3.1 255.255.255.255
> > no ip directed-broadcast
> > !
> > interface Ethernet0/0
> > ip address 10.1.1.2 255.255.255.0
> > no ip directed-broadcast
> > no keepalive
> > !
> > interface Serial0/0
> > no ip address
> > no ip directed-broadcast
> > no ip mroute-cache
> > shutdown
> > no fair-queue
> > !
> > interface BRI0/0
> > no ip address
> > no ip directed-broadcast
> > shutdown
> > isdn guard-timer 0 on-expiry accept
> > !
> > interface Ethernet0/1
> > no ip address
> > no ip directed-broadcast
> > shutdown
> > !
> > interface Serial1/0
> > ip address 135.25.9.1 255.255.255.252
> > no ip directed-broadcast
> > fair-queue 64 32 1
> > clockrate 72000
> > ip rsvp bandwidth 16 13
> > !
> > interface Serial1/1
> > ip address 135.25.11.1 255.255.255.252
> > no ip directed-broadcast
> > clockrate 72000
> > crypto map CCIE
> > !
> > interface Serial1/2
> > ip address 135.25.9.5 255.255.255.252
> > no ip directed-broadcast
> > clockrate 72000
> > !
> > interface Serial1/3
> > no ip address
> > no ip directed-broadcast
> > shutdown
> > !
> > interface Serial1/4
> > ip address 135.25.11.5 255.255.255.252
> > no ip directed-broadcast
> > !
> > interface Serial1/5
> > no ip address
> > no ip directed-broadcast
> > shutdown
> > !
> > interface Serial1/6
> > no ip address
> > no ip directed-broadcast
> > shutdown
> > !
> > interface Serial1/7
> > no ip address
> > no ip directed-broadcast
> > shutdown
> > !
> > router ospf 64
> > network 135.25.3.1 0.0.0.0 area 0
> > network 135.25.9.1 0.0.0.0 area 0
> > network 135.25.9.5 0.0.0.0 area 0
> > network 135.25.11.1 0.0.0.0 area 0
> > network 135.25.11.5 0.0.0.0 area 0
> > !
> > ip classless
> > no ip http server
> > !
> > access-list 110 permit tcp host 135.25.3.1 host 135.25.4.1 eq telnet
> > !
> > !
> > line con 0
> > exec-timeout 0 0
> > password cisco
> > transport input none
> > line aux 0
> > line vty 0 4
> > password cisco
> > login
> > !
> > end
> > ISDN2# sh crypto ipsec sa
> >
> > interface: Serial1/1
> >     Crypto map tag: CCIE, local addr. 135.25.11.1
> >
> >    local  ident (addr/mask/prot/port): (135.25.3.1/255.255.255.255/6/0)
> >    remote ident (addr/mask/prot/port): (135.25.4.1/255.255.255.255/6/23)
> >    current_peer: 135.25.11.2
> >      PERMIT, flags={origin_is_acl,reassembly_needed,ident_port_range,}
> >     #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
> >     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
> >     #pkts compressed: 0, #pkts decompressed: 0
> >     #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress
> > failed: 0
> >     #send errors 0, #recv errors 0
> >
> >      local crypto endpt.: 135.25.11.1, remote crypto endpt.: 135.25.11.2
> >      path mtu 1500, media mtu 1500
> >      current outbound spi: 0
> >
> >      inbound esp sas:
> >
> >
> >      inbound ah sas:
> >
> >
> >      inbound pcp sas:
> >
> >
> >      outbound esp sas:
> >
> >
> >      outbound ah sas:
> >
> >
> >      outbound pcp sas:
> >
> >
> >      local crypto endpt.: 135.25.11.1, remote crypto endpt.: 135.25.4.1
> >      path mtu 1500, media mtu 1500
> >      current outbound spi: 0
> >
> >      inbound esp sas:
> >
> >
> >      inbound ah sas:
> >
> >
> >      inbound pcp sas:
> >
> >
> >      outbound esp sas:
> >
> >
> >      outbound ah sas:
> >
> >
> >      outbound pcp sas:
> >
> >
> > ISDN2#sh crypto isakmp sa
> >     dst           src          state        conn-id   slot
> >
> > ISDN2#
> > !
> >
> > _________________________________________________________________
> > Get your FREE download of MSN Explorer at 
>http://explorer.msn.com/intl.asp




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17679&t=17646
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html