2 messages in net.nether.puck.cisco-nsp: [c-nsp] asymmetric VPN tunnel trouble

| From | Sent On | Attachments |
|---|---|---|
| adam...@pobox.com | Jan 3, 2005 4:35 pm | |
| Michael Markstaller | Jan 4, 2005 6:41 am | |

| Subject: | [c-nsp] asymmetric VPN tunnel trouble |
|---|---|
| From: | Michael Markstaller (mm...@elabnet.de) |
| Date: | Jan 4, 2005 6:41:06 am |
| List: | net.nether.puck.cisco-nsp |
hmm, I'll try to suggest some things, although I haven't fully understood what you try to achieve ;)
adam...@pobox.com Sent: Monday, January 03, 2005 10:34 PM
> Hi,
> I'm running into trouble setting up an asymmetric IPSEC VPN between two 3745 boxes running 12.2(15)T. I have a REMOTE router which is simply

I'd currently rather use 12.3(9b), which is running quite perfectly on my 37xx; everything above 12.2(13)T and below 12.3(3) had some major problems (but in a different environment).

> a gateway to some network (i.e. has two interfaces, internal and external) and a LOCAL router which is a multihomed gateway (3 interfaces).
> I want to encrypt only traffic flowing from the REMOTE router to the LOCAL router; the way routing is set up dictates that the encrypted traffic will arrive on interface FastEthernet0/1 of LOCAL, but packets sent from LOCAL to REMOTE will be sent using the IP address of interface FastEthernet 0/0.
> According to the documentation, this scenario is what "identity hostname" is for --- but I can't set up the tunnel. Turning on debugging, I see that authentication works (almost) fine:
```text
LOCAL:
ISAKMP (0:1): SA has been authenticated with 10.0.4.2
ISAKMP (0:1): peer matches *none* of the profiles

REMOTE:
ISAKMP (0:1): SA has been authenticated with 10.0.1.2
ISAKMP (0:1): peer matches *none* of the profiles
```
> But encryption doesn't seem to work, apparently because the packets arrive from the wrong IP:
```text
REMOTE:
IPSEC(validate_transform_proposal): peer address 10.0.1.2 not found
ISAKMP (0:1): IPSec policy invalidated proposal
ISAKMP (0:1): phase 2 SA policy not acceptable! (local 10.0.4.2 remote 10.0.1.2)
```
> Any ideas? What am I missing?
> Below the relevant configuration excerpts; note that for the experiments I created a setup where the tunnel can be used by a single host on each side.
> LOCAL:

```text
ip domain example.com
ip host REMOTE.example.com 10.0.4.2
!
crypto isakmp policy 10
 encr 3des
```
your transform-set is DES ?
```text
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE address 10.0.4.2
crypto isakmp identity hostname
```
So you're setting addressed keys but set "crypto isakmp identity hostname". Just leave all the hostname stuff out, it creates troubles. If you have dynamic IPs it won't work either, then use dynamic crypto maps. Think about using certs or at least rsa-encr, PSK is insecure..
```text
!
crypto ipsec transform-set ggg ah-md5-hmac esp-des esp-md5-hmac
```
You normally don't need AH and I had some troubles with md5 hashes back with 12.2T, probably nothing that matters but SHA with DES works fine. You can use transport-mode in your tunnel-setup, saves some overhead and therefore MTU-issues:

```text
crypto ipsec transform-set TRANS-3DES esp-3des esp-sha-hmac
 mode transport
```
```text
!
crypto map remote 10 ipsec-isakmp
 description TO_REMOTE
 set peer 10.0.4.2
 set transform-set ggg
 match address 101
!
interface Tunnel1
 ip address 11.0.0.2 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel destination 10.0.4.2
!
interface FastEthernet0/0
 ip address 10.0.1.2 255.255.255.0
 crypto map remote
!
interface FastEthernet0/1
 ip address 10.0.0.2 255.255.255.252
 crypto map remote
!
interface GigabitEthernet1/0
 ip address 10.0.0.5 255.255.255.252
!
ip route 12.0.0.2 255.255.255.255 10.0.1.1
```
??? now when you want to encrypt/tunnel packets, route them into the tunnel, I don't see enough from your net to see whether this makes sense at all..
```text
!
access-list 101 permit ip host 10.0.0.6 host 12.0.0.2
```
this should read:

```text
access-list 101 permit gre host 10.0.0.2 host 10.0.4.2
```

at least when you want to encrypt the tunnel only. In case you want to encrypt other traffic, omit the transport mode in the transform above and write any source/destination pair into the ACL.
> REMOTE:

```text
ip domain example.com
ip host LOCAL.example.com 10.0.0.2 10.0.1.2
!
crypto isakmp policy 10
 encr 3des
```
your transform-set is DES ?
```text
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE address 10.0.1.2
crypto isakmp key EXAMPLE address 10.0.0.2
```
see above
```text
crypto isakmp identity hostname
!
crypto ipsec transform-set ggg ah-md5-hmac esp-des esp-md5-hmac
```
see above
```text
!
crypto map remote 11 ipsec-isakmp
 description FROM_REMOTE
 set peer 10.0.0.2
```
depending on your routing, set both as peers.
```text
 set transform-set ggg
 match address 100
!
interface Tunnel1
 ip address 11.0.0.1 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel destination 10.0.0.2
!
interface FastEthernet0/0
 ip address 12.0.0.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.0.4.2 255.255.255.0
 crypto map remote
!
interface GigabitEthernet1/0
 ip address 10.0.0.5 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.0.4.1
!
access-list 100 permit ip host 12.0.0.2 host 10.0.0.6
```
swap ACL 101 from above or, depending on what you want to achieve,
Michael
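A consistency check over the two configs quoted in this thread, added here as an example that is not part of the original exchange: it reads the LOCAL and REMOTE excerpts (reconstructed inline from the quoted lines, trimmed to what the check needs) and flags a crypto map whose `set peer` list omits an address the far side actually sends from, which is the situation behind REMOTE's `peer address 10.0.1.2 not found`, plus the address-keyed PSK versus `crypto isakmp identity hostname` mismatch and any non-mirrored crypto ACL. The parser and its regexes are this example's own simplification, not an IOS tool.

```python
import re
# Constructed from the two configs quoted in the thread (only the lines the check needs).
LOCAL_CFG = """\
crypto isakmp key EXAMPLE address 10.0.4.2
crypto isakmp identity hostname
 set peer 10.0.4.2
interface FastEthernet0/0
 ip address 10.0.1.2 255.255.255.0
 crypto map remote
interface FastEthernet0/1
 ip address 10.0.0.2 255.255.255.252
 crypto map remote
access-list 101 permit ip host 10.0.0.6 host 12.0.0.2
"""
REMOTE_CFG = """\
crypto isakmp key EXAMPLE address 10.0.1.2
crypto isakmp key EXAMPLE address 10.0.0.2
crypto isakmp identity hostname
 set peer 10.0.0.2
interface FastEthernet0/1
 ip address 10.0.4.2 255.255.255.0
 crypto map remote
access-list 100 permit ip host 12.0.0.2 host 10.0.0.6
"""
def parse(cfg):  # facts the check needs; regexes assume one IOS command per line
    return {
        "map_ifaces": set(re.findall(r"ip address (\S+) \S+\n crypto map", cfg)),  # map bound here
        "peers": set(re.findall(r"set peer (\S+)", cfg)),
        "keys": set(re.findall(r"crypto isakmp key \S+ address (\S+)", cfg)),
        "identity": (re.findall(r"crypto isakmp identity (\S+)", cfg) or [None])[0],
        "acl": set(re.findall(r"access-list \d+ permit ip host (\S+) host (\S+)", cfg)),
    }

def check(name, me, other_name, other):
    """Mismatches of the kind behind 'peer address not found' in the thread."""
    problems = []
    for addr in sorted(other["map_ifaces"]):  # every address the far side may send from
        if addr not in me["peers"]:
            problems.append(f"{name}: no 'set peer {addr}' although {other_name} sends from it")
        if addr not in me["keys"]:
            problems.append(f"{name}: no pre-shared key for address {addr}")
    if me["identity"] == "hostname" and me["keys"]:
        problems.append(f"{name}: identity hostname, but keys are bound to addresses")
    if me["acl"] != {(d, s) for s, d in other["acl"]}:  # crypto ACLs must mirror each other
        problems.append(f"{name}: crypto ACL does not mirror {other_name}'s")
    return problems

def audit():
    l, r = parse(LOCAL_CFG), parse(REMOTE_CFG)
    return check("LOCAL", l, "REMOTE", r) + check("REMOTE", r, "LOCAL", l)
```

Running `audit()` reports the missing `set peer 10.0.1.2` on REMOTE and the hostname-identity mismatch on both routers, while the mirrored ACLs and the pre-shared keys pass.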