 | Start a set with this search |
 | Include this search in one of my sets |
 | Exclude this search from one of my sets |
 | Permalink to these results Paste this link in email or IM: |
 | Atom feed for tracking future search results Paste this URL into your reader: |
2 messages in net.nether.puck.cisco-nsp[c-nsp] asymmetric VPN tunnel trouble| From | Sent On | Attachments |
|---|---|---|
| adam...@pobox.com | Jan 3, 2005 4:35 pm | |
| Michael Markstaller | Jan 4, 2005 6:41 am |
| Permalink for this message Paste this link in email or IM: |
| Permalink for this thread Paste this link in email or IM: |
| Atom feed for this thread Paste this URL into your reader: |
| Subject: | [c-nsp] asymmetric VPN tunnel trouble | Actions... |
|---|---|---|
| From: | adam...@pobox.com (adam...@pobox.com) | |
| Date: | Jan 3, 2005 4:35:29 pm | |
| List: | net.nether.puck.cisco-nsp | |
Hi,
I'm running into trouble setting up an asymmetric IPSEC VPN between two 3745 boxes running 12.2(15)T. I have a REMOTE router which is simply a gateway to some network (i.e. has two interfaces, internal and external) and a LOCAL router which is a multihomed gateway (3 interfaces).
I want to encrypt only traffic flowing from the REMOTE router to the LOCAL router; the way routing is set up dictates that the encrypted traffic will arrive on interface FastEthernet0/1 of LOCAL, but packets sent from LOCAL to REMOTE will be sent using the IP address of interface FastEthernet 0/0.
According to the documentation, this scenario is what "identity hostname" is for --- but I can't set up the tunnel. Turning on debugging, I see that authentication works (almost) fine:
LOCAL: ISAKMP (0:1): SA has been authenticated with 10.0.4.2 ISAKMP (0:1): peer matches *none* of the profiles REMOTE: ISAKMP (0:1): SA has been authenticated with 10.0.1.2 ISAKMP (0:1): peer matches *none* of the profiles
But encryption doesn't seem to work, apparently because the packets arrive from the wrong IP:
REMOTE: IPSEC(validate_transform_proposal): peer address 10.0.1.2 not found ISAKMP (0:1): IPSec policy invalidated proposal ISAKMP (0:1): phase 2 SA policy not acceptable! (local 10.0.4.2 remote 10.0.1.2)
Any ideas? What am I missing?
Below the relevant configuration excerpts; note that for the experiments I created a setup where the tunnel can be used by a single host on each side.
LOCAL:
------ ip domain example.com ip host REMOTE.example.com 10.0.4.2 ! crypto isakmp policy 10 encr 3des authentication pre-share group 2 crypto isakmp key EXAMPLE address 10.0.4.2 crypto isakmp identity hostname ! crypto ipsec transform-set ggg ah-md5-hmac esp-des esp-md5-hmac ! crypto map remote 10 ipsec-isakmp decription TO_REMOTE set peer 10.0.4.2 set transform-set ggg match address 101 ! interface Tunnel1 ip address 11.0.0.2 255.255.255.0 tunnel source FastEthernet0/1 tunnel destination 10.0.4.2 ! interface FastEthernet0/0 ip address 10.0.1.2 255.255.255.0 crypto map remote ! interface FastEthernet0/1 ip address 10.0.0.2 255.255.255.252 crypto map remote ! interface GigabitEthernet1/0 ip address 10.0.0.5 255.255.255.252 ! ip route 12.0.0.2 255.255.255.255 10.0.1.1 ! access-list 101 permit ip host 10.0.0.6 host 12.0.0.2
REMOTE:
------- ip domain example.com ip host LOCAL.example.com 10.0.0.2 10.0.1.2 ! crypto isakmp policy 10 encr 3des authentication pre-share group 2 crypto isakmp key EXAMPLE address 10.0.1.2 crypto isakmp key EXAMPLE address 10.0.0.2 crypto isakmp identity hostname ! crypto ipsec transform-set ggg ah-md5-hmac esp-des esp-md5-hmac ! crypto map remote 11 ipsec-isakmp decription FROM_REMOTE set peer 10.0.0.2 set transform-set ggg match address 100 ! interface Tunnel1 ip address 11.0.0.1 255.255.255.0 tunnel source FastEthernet0/1 tunnel destination 10.0.0.2 ! interface FastEthernet0/0 ip address 12.0.0.1 255.255.255.0 ! interface FastEthernet0/1 ip address 10.0.4.2 255.255.255.0 crypto map remote ! interface GigabitEthernet1/0 ip address 10.0.0.5 255.255.255.252 ! ip route 0.0.0.0 0.0.0.0 10.0.4.1 ! access-list 100 permit ip host 12.0.0.2 host 10.0.0.6