Hi all, I am really confused about whether, when IPsec SA negotiation takes place, the
crypto ACL is also sent as part of it. Please consider my following scenario, a
very basic site-to-site VPN.
R1 is connected to R2. R1's IP is 10.0.0.1/8 and R2's is 10.0.0.2/8.
R1's crypto config is:
crypto isakmp key 0 cisco123 address 10.0.0.2
crypto isakmp policy 1
 authentication pre-share
 encryption des
 group 2
 hash md5
 lifetime 60
!
crypto ipsec transform-set set esp-des
!
! crypto ACL: traffic R1 protects, source 1.1.0.0/16 to destination 3.3.3.0/24
access-list 111 permit ip 1.1.0.0 0.0.255.255 3.3.3.0 0.0.0.255
!
crypto map my 10 ipsec-isakmp
 match address 111
 set peer 10.0.0.2
 set transform-set set
(1.1.1.1/8 is on R1 Loopback0 and 3.3.3.3/8 is on R2 Loopback0)
R2's crypto config is:
crypto isakmp key 0 cisco123 address 10.0.0.1
crypto isakmp policy 1
 authentication pre-share
 encryption des
 group 2
 hash md5
 lifetime 60
!
crypto ipsec transform-set set esp-des
!
! crypto ACL: traffic R2 protects, source 2.2.0.0/16 to destination 6.6.6.0/24
access-list 111 permit ip 2.2.0.0 0.0.255.255 6.6.6.0 0.0.0.255
!
crypto map my 10 ipsec-isakmp
 match address 111
 set peer 10.0.0.1
 set transform-set set
As you can see there is a clear mismatch between the two routers' ACLs. Now when I do
debug crypto ipsec on R2, this is the result I got:
R2#
*Mar 1 00:09:19.867: %SYS-5-CONFIG_I: Configured from console by console
R2#
*Mar 1 00:09:47.247: IPSEC(key_engine): got a queue event with 1 kei messages
*Mar 1 00:09:47.479: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 10.0.0.2, remote= 10.0.0.1,
local_proxy= 3.3.3.0/255.255.255.0/0/0 (type=4),
remote_proxy= 1.1.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-des (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Mar 1 00:09:47.491: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 10.0.0.2
R2#
*Mar 1 00:09:47.503: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 10.0.0.1
See!! How come R2 got the crypto ACL (with the correct masks)? Does it
mean that at the time of SA exchange, ACLs or proxies are also exchanged?
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
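An added example, not part of the original post and not IOS code: a small Python script that reads the proxy identities out of the validate_proposal_request lines above and checks them against a crypto ACL the way a responder has to. In IKEv1 Quick Mode the initiator sends identity payloads (IDci/IDcr) built from the source and destination of the crypto ACE that triggered the negotiation, which is why R2's debug shows R1's 1.1.0.0/16 and 3.3.3.0/24 complete with masks; the responder then needs a crypto ACE whose source covers local_proxy and whose destination covers remote_proxy, i.e. the mirror image of the initiator's ACE. The ACL strings and the debug snippet in the script are constructed from the post; the "covered by an ACE" rule, the any/host handling and all function names are this example's own modelling assumptions, not IOS internals.

```python
import ipaddress
import re

# Constructed sample input: the proposal lines from the debug output in the
# post, trimmed to the fields this script reads.
R2_DEBUG = """\
*Mar 1 00:09:47.479: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 10.0.0.2, remote= 10.0.0.1,
    local_proxy= 3.3.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 1.1.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-des (Tunnel),
"""

# Constructed sample ACLs: R1's ACE as posted, R2's ACE as posted, and the
# mirror-image ACE R2 would need for this proposal to be accepted.
R1_ACL = "access-list 111 permit ip 1.1.0.0 0.0.255.255 3.3.3.0 0.0.0.255"
R2_ACL_POSTED = "access-list 111 permit ip 2.2.0.0 0.0.255.255 6.6.6.0 0.0.0.255"
R2_ACL_MIRROR = "access-list 111 permit ip 3.3.3.0 0.0.0.255 1.1.0.0 0.0.255.255"

PROXY_RE = re.compile(
    r"(local|remote)_proxy=\s*(\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/(\d+)/(\d+)"
)


def parse_proxies(debug_text):
    """Extract {'local': net, 'remote': net} from 'debug crypto ipsec' output.

    The trailing protocol/port fields are ignored: the proposal in the post is
    plain 'ip' (0/0) and this model only handles address selectors.
    """
    proxies = {}
    for side, addr, mask, _proto, _port in PROXY_RE.findall(debug_text):
        proxies[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return proxies


def wildcard_to_network(addr, wildcard):
    """Turn a Cisco 'address wildcard' pair into a network.

    The wildcard is inverted explicitly instead of letting ipaddress guess
    netmask vs. hostmask: 0.0.0.0 is ambiguous, and as a wildcard it means a
    single host (/32). Non-contiguous wildcards have no prefix form, and
    ip_network raises ValueError for them, which is the right outcome.
    """
    wild = int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address((~wild) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def _address_spec(tokens, i):
    """Parse one ACL address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_crypto_acl(config_text):
    """Return [(src_net, dst_net), ...] for each 'permit ip' ACE in the text."""
    entries = []
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] != "permit":
            continue  # skip deny entries, blank lines and unrelated config
        if tokens[3] != "ip":
            raise ValueError(f"only 'permit ip' ACEs are modelled: {line!r}")
        src, i = _address_spec(tokens, 4)
        dst, _ = _address_spec(tokens, i)
        entries.append((src, dst))
    return entries


def initiator_proxies(ace):
    """Proxy IDs an initiator derives from one of its crypto ACEs.

    ACE source -> IDci (initiator's side), ACE destination -> IDcr (responder's
    side). Seen from the responder, IDci is remote_proxy and IDcr is local_proxy.
    """
    src, dst = ace
    return {"remote": src, "local": dst}


def matching_ace(acl_entries, proxies):
    """Responder-side check (model assumption): an ACE accepts the proposal when
    its source covers local_proxy and its destination covers remote_proxy.
    Returns the ACE or None. A mirror-image ACL gives an exact match."""
    for src, dst in acl_entries:
        if proxies["local"].subnet_of(src) and proxies["remote"].subnet_of(dst):
            return (src, dst)
    return None


def explain(proxies, acl_text):
    """Short diagnosis string for a responder configured with acl_text."""
    ace = matching_ace(parse_crypto_acl(acl_text), proxies)
    if ace is None:
        return (f"no ACE covers local={proxies['local']} remote={proxies['remote']}: "
                "Quick Mode fails, proxy identities mismatch")
    return f"matched ACE {ace[0]} -> {ace[1]}"


if __name__ == "__main__":
    seen = parse_proxies(R2_DEBUG)
    sent = initiator_proxies(parse_crypto_acl(R1_ACL)[0])
    print("R1 sends   :", sent)
    print("R2 received:", seen, "(same)" if sent == seen else "(different)")
    print("R2 posted ACL:", explain(seen, R2_ACL_POSTED))
    print("R2 mirror ACL:", explain(seen, R2_ACL_MIRROR))
```

Running it shows that the proxies R2 logged are exactly the source/destination of R1's ACE, that R2's posted ACL covers neither of them, and that the mirror-image ACE does; the same parser can be pointed at a real debug capture and a pasted ACL to find which side of a failing tunnel is wrong.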