Since I want the crypto to flow over a tunnel, that is where I placed
the crypto maps. I realize that Fa0 on these two machines is the same
subnet, but it won't be when I place one of them in Omaha and the other
in Houston - hence the tunnel structure.

I found the IPsec stuff in the Hutnik & Satterlee CCIE Lab Study
Guide (cool book!) after I learned to do it the hard way - my config
appears correct but doesn't work. I removed the startup-config and I'm
going to go at it from scratch later today.



Nigel Taylor wrote:
> 
> Neal,
> You'll also need to have the crypto maps added to the physical
> interface through which the tunnels are built. Paste a copy of the complete
> configs without the debug output. However, what I noted seems to be the
> only thing that stands out! Watch the word wrap...
> 
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt4/scipsec.htm#xtocid2141729
> 
> HTH
> Nigel
> 
> ----- Original Message -----
> From: "Neal Rauhauser"
> To:
> Sent: Saturday, September 07, 2002 7:41 PM
> Subject: IPsec - what is wrong with this config? [7:52865]
> 
> > I have two 1750s sharing an ethernet hub - just trying to get IPsec on
> > a tunnel between ethernet interfaces and I am having trouble. This
> > config seems close but I don't know what to do next
> >
> >
> > Here is the error I am getting when I try to ping the opposite end of
> > the tunnel
> >
> > 01:05:29: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
> > 01:05:29: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
> > 01:05:29: ISAKMP (1): sending packet to 192.168.6.50 (I) MM_NO_STATE.
> >
> > -- this router is at the bottom of a three router stack
> > crypto isakmp policy 1
> >  authentication pre-share
> > crypto isakmp key duh address 192.168.6.51
> > !
> > !
> > crypto ipsec transform-set MIDDLE ah-sha-hmac esp-des
> > !
> > crypto key pubkey-chain rsa
> >  named-key middle
> >   key-string
> >    305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D081DF 26BC7013
> >    448EA3D2 5C0853FA E0E01770 06D6C4FE A57B165A 4BC25F0E 5FD517B1 12EEA345
> >    8C9CC44E DCDC705E AB6327F9 81868B14 CB2294F1 304611A2 A7020301 0001
> >   quit
> >  addressed-key 192.168.6.51
> >   address 192.168.6.51
> >   key-string
> >    305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D081DF 26BC7013
> >    448EA3D2 5C0853FA E0E01770 06D6C4FE A57B165A 4BC25F0E 5FD517B1 12EEA345
> >    8C9CC44E DCDC705E AB6327F9 81868B14 CB2294F1 304611A2 A7020301 0001
> >   quit
> >  !
> >  crypto map MIDDLE2 local-address Tunnel0
> >  crypto map MIDDLE2 10 ipsec-isakmp
> >  set peer 192.168.6.51
> >  set transform-set MIDDLE
> >  match address middle
> >
> > interface Tunnel0
> >  ip address 192.168.6.50 255.255.255.0
> >  tunnel source 192.168.1.50
> >  tunnel destination 192.168.1.51
> >  tunnel mode ipip
> >  crypto map MIDDLE2
> > !
> > interface FastEthernet0
> >  ip address 192.168.1.50 255.255.255.0
> >  speed auto
> >
> >
> > --- this router is in the middle of a three router stack
> >
> > crypto isakmp policy 1
> >  authentication pre-share
> > crypto isakmp key duh address 192.168.6.50
> > !
> > !
> > crypto ipsec transform-set BOTTOM ah-sha-hmac esp-des
> > !
> > crypto key pubkey-chain rsa
> >  named-key bottom
> >   key-string
> >    305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00B941FA 8C44F60C
> >    76199B3E DADDA933 F5EA1118 9F9410B0 E097836F 166FDC84 3FD06FA0 338E77AE
> >    F32142F4 D750F4F0 31844B70 099DD8B2 6F8753D7 70BD2BBA 03020301 0001
> >   quit
> >  addressed-key 192.168.1.50
> >   address 192.168.1.50
> >   key-string
> >    305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00B941FA 8C44F60C
> >    76199B3E DADDA933 F5EA1118 9F9410B0 E097836F 166FDC84 3FD06FA0 338E77AE
> >    F32142F4 D750F4F0 31844B70 099DD8B2 6F8753D7 70BD2BBA 03020301 0001
> >   quit
> >  !
> >  crypto map BOTTOM2 local-address Tunnel0
> >  crypto map BOTTOM2 10 ipsec-isakmp
> >  set peer 192.168.6.50
> >  set transform-set BOTTOM
> >  match address bottom
> > interface Tunnel0
> >  ip address 192.168.6.51 255.255.255.0
> >  tunnel source 192.168.1.51
> >  tunnel destination 192.168.1.50
> >  tunnel mode ipip
> >  crypto map BOTTOM2
> > !
> > interface Serial0
> >  ip address 192.168.3.1 255.255.255.0
> >  clockrate 1000000
> > !
> > interface FastEthernet0
> >  ip address 192.168.1.51 255.255.255.0
> >  speed auto
> >
> >
> >
> >
> > --
> > Neal Rauhauser CCNP, CCDP voice: 402-301-9555
> > mailto:[EMAIL PROTECTED] fcc  : k0bsd
> > "I've seen the angels wearing their disguise,
> > ordinary people leading ordinary lives" - Tracy Chapman

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=52892&t=52865
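
Nigel's point, that a crypto map applied to the tunnel also has to be applied to the physical interface the tunnel is built through, can be checked mechanically. The following is an added example, not part of the original thread; the function names are hypothetical, the config is an excerpt of the "bottom" router quoted above, and it assumes the indentation that "show running-config" prints.

```python
import re

# Excerpt of the "bottom" router config quoted in this thread.
BOTTOM_CONFIG = """\
crypto map MIDDLE2 10 ipsec-isakmp
 set peer 192.168.6.51
!
interface Tunnel0
 ip address 192.168.6.50 255.255.255.0
 tunnel source 192.168.1.50
 crypto map MIDDLE2
!
interface FastEthernet0
 ip address 192.168.1.50 255.255.255.0
"""

# Interface sub-commands this check cares about.
FIELDS = {"ip": r"ip address (\S+)", "tunnel_source": r"tunnel source (\S+)",
          "crypto_map": r"crypto map (\S+)"}

def parse_interfaces(config):
    """Return {interface name: {field: value}} from running-config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface (\S+)", line)
        if header:
            current = interfaces.setdefault(header.group(1), {})
        elif line.startswith(" ") and current is not None:
            for key, pattern in FIELDS.items():
                m = re.match(pattern, line.strip())
                if m:
                    current[key] = m.group(1)
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def missing_physical_crypto_maps(config):
    """Return (tunnel, physical, map) where the map is on the tunnel only."""
    interfaces = parse_interfaces(config)
    findings = []
    for name, tun in interfaces.items():
        if "tunnel_source" not in tun or "crypto_map" not in tun:
            continue
        for phys_name, phys in interfaces.items():
            # "tunnel source" may name an address or an interface.
            sourced_here = tun["tunnel_source"] in (phys.get("ip"), phys_name)
            if sourced_here and phys.get("crypto_map") != tun["crypto_map"]:
                findings.append((name, phys_name, tun["crypto_map"]))
    return findings
```

Run against the excerpt, it reports Tunnel0 / FastEthernet0 / MIDDLE2; once "crypto map MIDDLE2" is also present under FastEthernet0 the list comes back empty.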