Hi All,
I am trying to set up IOS (12.4T) IKE with aggressive mode and hostname as the IKE
ID between two routers, with an ASA in between them. Following is the diagram:
Fa0/1 Router: R1 Fa0/0 ------------------- Inside
ASA Outside --------------------------------- Fa0/0 Router: R2 Fa0/1
------------------------------------------ Fa0/0 Router: R3 Fa0/1
(192.168.1.1/24) (136.1.121.13) 136.1.121.12
136.1.123.12 136.1.123.13
136.1.23.12 136.1.23.13
Some of the main points about this setup:
- ASA is doing PAT for inside hosts using outside interface IP address
- Hostname is used as IKE ID
- Router R1 will initiate the VPN connection.
- ISAKMP profile is used on router R1 to initiate Aggressive mode.
I have attached routers and ASA configurations for your reference.
I am getting the following error on Router R1 when I send ping traffic from R1
sourced from interface Fa0/1:
R1#ping 136.1.23.13 source fa0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.23.13, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
*Sep 20 03:04:22.892: ISAKMP:(0): SA request profile is AGR
*Sep 20 03:04:22.892: ISAKMP: Created a peer struct for 136.1.123.13, peer port 500
*Sep 20 03:04:22.892: ISAKMP: New peer created peer = 0x46E0C9E8 peer_handle = 0x8000001F
*Sep 20 03:04:22.896: ISAKMP: Locking peer struct 0x46E0C9E8, refcount 1 for isakmp_initiator
*Sep 20 03:04:22.896: ISAKMP: local port 500, remote port 500
*Sep 20 03:04:22.896: ISAKMP: set new node 0 to QM_IDLE
*Sep 20 03:04:22.896: insert sa successfully sa = 47356FC8
*Sep 20 03:04:22.896: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Sep 20 03:04:22.896: ISAKMP:(0): No Cert or pre-shared address key.
*Sep 20 03:04:22.896: ISAKMP:(0): construct_initial_message: Can not start Main mode
*Sep 20 03:04:22.896: ISAKMP: Unlocking peer struct 0x46E0C9E8 for isadb_unlock_peer_delete_sa(), count 0
*Sep 20 03:04:22.896: ISAKMP: Deleting peer node by peer_reap for 136.1.123.13: 46E0C9E8
*Sep 20 03:04:22.896: ISAKMP:(0):purging SA., sa=47356FC8, delme=47356FC8
*Sep 20 03:04:22.896: ISAKMP:(0):purging node -98067428
*Sep 20 03:04:22.896: ISAKMP: Error while processing SA request: Failed to initialize SA
*Sep 20 03:04:22.896: ISAKMP: Error while processing KMI message 0, error 2......
Success rate is 0 percent (0/5)
I am not able to figure out what the mistake is. Also, I could not find a
configuration example for aggressive mode in 12.4T IOS.
Kindly help me with this problem.
Regards,
D.M.Gore
R1#sh run
Building configuration...
Current configuration : 1916 bytes
!
version 12.4
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
enable secret 5 $1$V7fb$CHDyoEq3RFImtJjtdeCAs0
!
no aaa new-model
no network-clock-participate wic 3
dot11 syslog
!
!
ip cef
!
!
no ip domain lookup
ip domain name cisco.com
!
multilink bundle-name authenticated
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
crypto isakmp key CISCO hostname R2.cisco.com
crypto isakmp identity hostname
crypto isakmp profile AGR
keyring default
self-identity fqdn
match identity host domain cisco.com
initiate mode aggressive
!
!
crypto ipsec transform-set test esp-3des esp-md5-hmac
!
crypto map DMG isakmp-profile AGR
crypto map DMG 1 ipsec-isakmp
set peer 136.1.123.13
set transform-set test
match address test2
!
!
!
controller E1 0/3/0
!
!
!
!
!
interface Loopback0
ip address 150.1.1.1 255.255.255.0
!
interface Loopback100
ip address 100.100.100.2 255.255.255.255
!
interface FastEthernet0/0
ip address 136.1.121.13 255.255.255.0
duplex auto
speed auto
crypto map DMG
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
router rip
version 2
network 136.1.0.0
network 150.1.0.0
network 192.168.1.0
no auto-summary
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
ip access-list extended test2
permit ip host 192.168.1.1 136.1.23.0 0.0.0.255
!
access-list 110 permit icmp any any
access-list 110 deny ip any any
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
scheduler allocate 20000 1000
!
end
R2#sh run
Building configuration...
Current configuration : 7896 bytes
!
! Last configuration change at 19:21:24 UTC Sat Sep 19 2009
! NVRAM config last updated at 08:58:44 UTC Sat Sep 19 2009
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
enable secret 5 $1$dYmQ$KiZ1eKMXnWNM9GD4itEx01
!
no aaa new-model
clock timezone UTC 5 30
no network-clock-participate wic 3
dot11 syslog
!
!
ip cef
!
!
ip domain name cisco.com
!
multilink bundle-name authenticated
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TEST2
enrollment mode ra
enrollment url http://10.0.0.13:80/certsrv/mscep/mscep.dll
revocation-check none
!
!
crypto pki certificate chain TEST2
certificate 14382A0800000000000A
30820543 3082042B A0030201 02020A14 382A0800 00000000 0A300D06 092A8648
86F70D01 01050500 303C3113 3011060A 09922689 93F22C64 01191603 636F6D31
18301606 0A099226 8993F22C 64011916 084D5944 4F4D4149 4E310B30 09060355
04031302 4341301E 170D3039 30393132 30363030 34335A17 0D313130 39313230
36303034 335A3020 311E301C 06092A86 4886F70D 01090213 0F52322E 6D79646F
6D61696E 2E636F6D 30819F30 0D06092A 864886F7 0D010101 05000381 8D003081
89028181 00D02CE4 04A59BA1 FBE18557 555C7AC6 27BA365E 0061263D 7E074897
11C9E551 BF6A0042 D6D46560 9A3BA6BB 689D0E59 CFABBBE2 AD913875 4049996B
CAC39A49 1696A974 656CDFA4 D3917E8D 539582D0 C39A652D 9826D393 ADC6A1EC
8A5ADBFC 7366C6E5 33A7CB54 5E22A9FD 86331359 C608192B 943B626B 8AAE936E
1C2A3D90 09020301 0001A382 02E53082 02E1300B 0603551D 0F040403 0205A030
1D060355 1D0E0416 04142453 8BEA47B9 8B0FC680 47C5C9B3 1D8F50FE 477D301F
0603551D 23041830 1680141D 18D5BFA8 BCD8133C 897C4432 4370090C E422ED30
81FA0603 551D1F04 81F23081 EF3081EC A081E9A0 81E68681 AF6C6461 703A2F2F
2F434E3D 43412C43 4E3D6773 70736563 2D616373 2D312C43 4E3D4344 502C434E
3D507562 6C696325 32304B65 79253230 53657276 69636573 2C434E3D 53657276
69636573 2C434E3D 436F6E66 69677572 6174696F 6E2C4443 3D4D5944 4F4D4149
4E2C4443 3D636F6D 3F636572 74696669 63617465 5265766F 63617469 6F6E4C69
73743F62 6173653F 6F626A65 6374436C 6173733D 63524C44 69737472 69627574
696F6E50 6F696E74 86326874 74703A2F 2F677370 7365632D 6163732D 312E6D79
646F6D61 696E2E63 6F6D2F43 65727445 6E726F6C 6C2F4341 2E63726C 30820110
06082B06 01050507 01010482 01023081 FF3081A2 06082B06 01050507 30028681
956C6461 703A2F2F 2F434E3D 43412C43 4E3D4149 412C434E 3D507562 6C696325
32304B65 79253230 53657276 69636573 2C434E3D 53657276 69636573 2C434E3D
436F6E66 69677572 6174696F 6E2C4443 3D4D5944 4F4D4149 4E2C4443 3D636F6D
3F634143 65727469 66696361 74653F62 6173653F 6F626A65 6374436C 6173733D
63657274 69666963 6174696F 6E417574 686F7269 74793058 06082B06 01050507
3002864C 68747470 3A2F2F67 73707365 632D6163 732D312E 6D79646F 6D61696E
2E636F6D 2F436572 74456E72 6F6C6C2F 67737073 65632D61 63732D31 2E4D5944
4F4D4149 4E2E636F 6D5F4341 2E637274 301D0603 551D1101 01FF0413 3011820F
52322E6D 79646F6D 61696E2E 636F6D30 3F06092B 06010401 82371402 04321E30
00490050 00530045 00430049 006E0074 00650072 006D0065 00640069 00610074
0065004F 00660066 006C0069 006E0065 300C0603 551D1301 01FF0402 30003013
0603551D 25040C30 0A06082B 06010505 08020230 0D06092A 864886F7 0D010105
05000382 01010095 6DEC4360 4379994C EC4B26CE 041A8512 EBC2750E BFBB3511
AE78FF6C F86FC559 F2F249D8 31D0EC1D 1B6C5995 8D0599F9 1AABEE5F C13658C8
343D1551 461BE034 421406AF 1DF739E5 D3C1D77D F197ED6B B3509FC9 4F62AC8A
963C74F6 FAEB472F 7CBC904B 33399433 175F4795 EC71E98E CF9DF31A A7B3FF15
CEA6E353 9C771071 FA8A599A 250AB7CB 1B39B910 C81B14A9 FD463CAD FB9FBB8C
183DC6BD 6F8C2F61 92B035A6 1EBBC44A 99B56D53 54831328 8E7BBF10 44CEF269
DEADCD10 1446B768 24A855C2 41C9996B 115268A1 9B774740 F415A8C6 686E0535
08506380 ACC7B996 B7827922 06FE57D2 8BEA1397 4A0A3DA6 42379412 1F7E480A
31B19039 8A003C
quit
certificate ca 197AEE2E4812AB8B4EA2D073E99524BC
30820454 3082033C A0030201 02021019 7AEE2E48 12AB8B4E A2D073E9 9524BC30
0D06092A 864886F7 0D010105 0500303C 31133011 060A0992 268993F2 2C640119
1603636F 6D311830 16060A09 92268993 F22C6401 1916084D 59444F4D 41494E31
0B300906 03550403 13024341 301E170D 30393039 31313130 34383435 5A170D31
34303931 31313035 3832335A 303C3113 3011060A 09922689 93F22C64 01191603
636F6D31 18301606 0A099226 8993F22C 64011916 084D5944 4F4D4149 4E310B30
09060355 04031302 43413082 0122300D 06092A86 4886F70D 01010105 00038201
0F003082 010A0282 010100A1 6DE5EA34 9FBD3AF5 ED8DAF8A 441C6528 9C6601CD
B462E4E6 73BFC8CC F4D35720 5AE8D905 4A9979F4 680843B2 8DE6C84C 38EB0869
89992AB9 3C51A9C0 E2CC2F7A FB5BF2CC 007973E6 5B6532DA 1837B7AE 872F78CC
A3146CE3 87495312 52E10275 ECBB382D 9E482421 A74C6099 EC50B186 864392DB
3F2EBCC0 9D2045F1 36F3B198 FF1A12B0 B366BFF7 84A1372D 50F7E38A 29F0749B
DF583570 74F6CE8B E772DDCB 165B2739 3DF50660 E647E2F9 2BA406E5 7E1000A2
64E6C183 B4B8FF08 75ED9F1E 6DB90A28 1B4607C9 0028FFC6 6BFD215A E0EE8793
8DB5AF8E 31F55EF2 EFEECE7E 446244AE 6FCFF986 105A9823 55112D59 F3EC1A9C
ACCF4236 4FEE3028 06762302 03010001 A3820150 3082014C 300B0603 551D0F04
04030201 86300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E041604
141D18D5 BFA8BCD8 133C897C 44324370 090CE422 ED3081FA 0603551D 1F0481F2
3081EF30 81ECA081 E9A081E6 8681AF6C 6461703A 2F2F2F43 4E3D4341 2C434E3D
67737073 65632D61 63732D31 2C434E3D 4344502C 434E3D50 75626C69 63253230
4B657925 32305365 72766963 65732C43 4E3D5365 72766963 65732C43 4E3D436F
6E666967 75726174 696F6E2C 44433D4D 59444F4D 41494E2C 44433D63 6F6D3F63
65727469 66696361 74655265 766F6361 74696F6E 4C697374 3F626173 653F6F62
6A656374 436C6173 733D6352 4C446973 74726962 7574696F 6E506F69 6E748632
68747470 3A2F2F67 73707365 632D6163 732D312E 6D79646F 6D61696E 2E636F6D
2F436572 74456E72 6F6C6C2F 43412E63 726C3010 06092B06 01040182 37150104
03020100 300D0609 2A864886 F70D0101 05050003 82010100 48E1FC08 B3B68E16
D6253538 49155A5E 9CBA5BAC 92807ED2 ADCF6669 0A882689 97EA4B72 0C4A1367
DF94BF00 716643A1 7C125A3F E3380729 93E1B590 93B53525 B0C7CEA1 23A50801
81446EE5 10924A3A A0D8611D 389CD36E 18739F50 7E3E3AFA 7AE063CF F83A2D85
E7A0153F 225C5DDB 2B63D0CF DBB83C4C 8DF0509B 1EF9C7E0 63148599 331D06D6
50BD3CD9 D4F56A95 1039851C A423D48A 1679CE61 7A47AB9E 87E53EC5 29C0B0A8
12A81559 5EAF029E 950AB03A 0F3626FE ED6B32F9 DA9B09FB 8B35ABFD 029B0B81
98FD0802 A0CB22DA 51C219A0 92B05B84 AF2D5DD0 CAA95F54 9A1F74A6 806AAB65
EB276476 8FBFB248 CA132F24 3EB90119 3ECE70B0 479A962E
quit
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 10
encr 3des
hash md5
group 2
!
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
crypto isakmp key CISCO hostname R1.cisco.com
crypto isakmp identity hostname
!
!
crypto ipsec transform-set test esp-3des esp-md5-hmac
!
crypto dynamic-map DYNAMIC 2
set transform-set test
!
!
crypto map DMG 20 ipsec-isakmp dynamic DYNAMIC
!
!
!
controller E1 0/3/0
!
controller E1 0/3/1
!
!
!
!
!
interface Loopback0
ip address 150.1.2.2 255.255.255.0
!
interface FastEthernet0/0
ip address 136.1.123.13 255.255.255.0
duplex auto
speed auto
crypto map DMG
!
interface FastEthernet0/1
ip address 136.1.23.12 255.255.255.0
duplex auto
speed auto
!
router rip
version 2
network 136.1.0.0
network 150.1.0.0
no auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
ip access-list extended test2
permit ip 136.1.23.0 0.0.0.255 host 192.168.1.1
!
access-list 101 permit ip 136.1.23.0 0.0.0.255 136.1.121.0 0.0.0.255
access-list 110 permit icmp any any
access-list 110 deny ip any any
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line 1/0 1/31
line vty 0 4
password cisco
login
!
scheduler allocate 20000 1000
!
end
sonablr-sec-ts#asa-2
Trying asa-2 (10.76.247.187, 2020)... Open
ciscoasa# sh run
: Saved
:
ASA Version 8.0(4)
!
hostname ciscoasa
enable password Vu3F10Q4Qg80anwQ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 136.1.123.12 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 136.1.121.12 255.255.255.0
!
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 10.0.0.12 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
interface GigabitEthernet1/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list OUTSIDE_IN extended permit esp any any
access-list OUTSIDE_IN extended permit udp any any eq isakmp
access-list OUTSIDE_IN extended permit udp any any eq 4500
pager lines 24
logging enable
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group OUTSIDE_IN in interface outside
!
router rip
network 136.1.0.0
version 2
no auto-summary
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a54090b6385508832bd1474cebe9219b
: end
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
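The post attaches full configurations for both routers, and the first thing a reviewer checks in an IKEv1 problem like this is whether the two `crypto isakmp` sections could ever agree. The script below is an added example, not code from the original post or from Cisco: it parses the ISAKMP stanzas of the R1 and R2 configs as posted (excerpted inline), fills in the IOS defaults for attributes a policy does not set (`encr des`, `hash sha`, `authentication rsa-sig`, `group 1`, `lifetime 86400`), and reports which policy pairs can negotiate and whether the hostname-keyed pre-shared keys on both sides refer to each other's FQDN with the same key string. The lifetime rule it applies is the one Cisco documents for IOS: all other attributes must be identical and the responder's lifetime must not exceed the initiator's. Note that the debug output in the post fails before any proposal is sent, so this check covers the step after the one that is failing; it does show, for instance, that R2's policy 10 can never match R1 because it inherits `authentication rsa-sig`.

```python
"""Cross-check IKEv1 Phase 1 (ISAKMP) settings between two IOS configurations.

Added example, not part of the original post: parses the 'crypto isakmp'
stanzas of two 'show run' outputs, applies IOS defaults, and reports which
policy pairs could match plus whether the hostname-keyed PSKs line up.
"""
import re

# IOS defaults for attributes omitted from a 'crypto isakmp policy' block.
POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}

# ISAKMP-relevant stanzas of R1 and R2 exactly as posted (excerpted).
R1_CONFIG = """
hostname R1
ip domain name cisco.com
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key CISCO hostname R2.cisco.com
crypto isakmp identity hostname
"""

R2_CONFIG = """
hostname R2
ip domain name cisco.com
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key CISCO hostname R1.cisco.com
crypto isakmp identity hostname
"""


def parse_isakmp(config_text):
    """Return hostname, domain, identity type, policies (with defaults) and keys."""
    info = {"hostname": None, "domain": None, "identity": "address",
            "policies": {}, "keys": {}}
    current = None  # policy block currently being filled, if any
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if m:
            current = dict(POLICY_DEFAULTS)
            info["policies"][int(m.group(1))] = current
            continue
        if current is not None:
            m = re.fullmatch(r"(encr|hash|authentication|group|lifetime) (\S+)", line)
            if m:
                current[m.group(1)] = m.group(2)
                continue
            current = None  # any other line closes the policy block
        m = re.fullmatch(r"hostname (\S+)", line)
        if m:
            info["hostname"] = m.group(1)
            continue
        m = re.fullmatch(r"ip domain name (\S+)", line)
        if m:
            info["domain"] = m.group(1)
            continue
        m = re.fullmatch(r"crypto isakmp identity (address|hostname|dn)", line)
        if m:
            info["identity"] = m.group(1)
            continue
        m = re.fullmatch(r"crypto isakmp key (\S+) (address|hostname) (\S+)(?: .*)?", line)
        if m:
            info["keys"][(m.group(2), m.group(3))] = m.group(1)
    return info


def matching_policies(initiator, responder):
    """Policy pairs that can negotiate: encr/hash/auth/group identical and the
    responder's lifetime no longer than the initiator's (the shorter one wins)."""
    pairs = []
    for i_num, i_pol in sorted(initiator["policies"].items()):
        for r_num, r_pol in sorted(responder["policies"].items()):
            same = all(i_pol[k] == r_pol[k]
                       for k in ("encr", "hash", "authentication", "group"))
            if same and int(r_pol["lifetime"]) <= int(i_pol["lifetime"]):
                pairs.append((i_num, r_num))
    return pairs


def fqdn(info):
    """Identity an IOS router sends with 'crypto isakmp identity hostname'."""
    return f"{info['hostname']}.{info['domain']}"


def psk_status(a, b):
    """'match' if each side holds a hostname-keyed PSK for the other's FQDN and
    the two key strings are equal, 'missing' or 'mismatch' otherwise."""
    key_on_a = a["keys"].get(("hostname", fqdn(b)))
    key_on_b = b["keys"].get(("hostname", fqdn(a)))
    if key_on_a is None or key_on_b is None:
        return "missing"
    return "match" if key_on_a == key_on_b else "mismatch"


def report(init_text, resp_text):
    init, resp = parse_isakmp(init_text), parse_isakmp(resp_text)
    return {"initiator_identity": init["identity"],
            "responder_identity": resp["identity"],
            "policy_pairs": matching_policies(init, resp),
            "psk": psk_status(init, resp)}


if __name__ == "__main__":
    for k, v in report(R1_CONFIG, R2_CONFIG).items():
        print(f"{k}: {v}")
```

Run against the posted configs it reports a single viable pair, R1 policy 10 with R2 policy 20, and a matching PSK `CISCO` keyed on `R1.cisco.com` and `R2.cisco.com`; swapping in an edited copy of either config (a missing `authentication pre-share`, a key bound to the bare hostname instead of the FQDN) makes the mismatch visible without touching a router.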