I'm trying to add/modify an isakmp policy map to match a remote VPN peer, and it keeps deleting itself! :)

Here is the config:

! this section adds fine
access-list 100 permit ip any 172.25.101.0 255.255.255.0
access-list TO_RKON permit ip any 172.25.101.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map MAP 40 ipsec-isakmp
crypto map MAP 40 match address TO_RKON
crypto map MAP 40 set peer x.x.x.x
crypto map MAP 40 set transform-set ESP-3DES-MD5
isakmp key xxxxxx address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode

! this section keeps deleting itself after changing the authentication to PSK.
isakmp policy 40 authentication pre-share   ! as soon as I add this, policy 40 deletes itself.
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400

It doesn't matter, but the remote end is a Netscreen and a VPN WAS established just fine, but I'm 'breaking' it to expand the encrypted traffic traversing the VPN tunnel. When doing a 'sh crypto ipsec sa' I see that there are IPsec SAs established for the OLD phase 2 networks (proxy IDs in Netscreen). Maybe clear the crypto SAs? See below.

ELM-xxx(config)# sh cry isa sa
Total     : 3
Embryonic : 0
      dst               src        state     pending     created
  my.firewall  re.mo.t.e    QM_IDLE         0           1

ELM-xxx(config)# sh cry ips sa

interface: outside

 local  ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
 remote ident (addr/mask/prot/port): (172.25.101.0/255.255.255.0/0/0)
 current_peer: 205.234.155.253:500
   PERMIT, flags={}
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
  #pkts decaps: 3273, #pkts decrypt: 3273, #pkts verify 3273
  #pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
  #send errors 0, #recv errors 0

local crypto endpt.: 65.166.255.1, remote crypto endpt.: 205.234.155.253
   path mtu 1500, ipsec overhead 56, media mtu 1500
   current outbound spi: 27954c37

   inbound esp sas:
    spi: 0x55528ec4(1431473860)
      transform: esp-3des esp-md5-hmac ,
      in use settings ={Tunnel, }
      slot: 0, conn id: 10, crypto map: MAP
      sa timing: remaining key lifetime (k/sec): (4607643/446)
      IV size: 8 bytes
      replay detection support: Y


   inbound ah sas:


   inbound pcp sas:


   outbound esp sas:
    spi: 0x27954c37(664095799)
      transform: esp-3des esp-md5-hmac ,
      in use settings ={Tunnel, }
      slot: 0, conn id: 9, crypto map: MAP
      sa timing: remaining key lifetime (k/sec): (4608000/452)
      IV size: 8 bytes
      replay detection support: Y


   outbound ah sas:


   outbound pcp sas:



All comments welcome,
Chris Serafin
[email protected]
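The 'sh cry ips sa' output above is the useful evidence here: the SA shows 3273 packets decapsulated but zero encapsulated, i.e. the firewall is decrypting what the Netscreen sends but never selecting any outbound traffic for the tunnel, which is what a crypto ACL / proxy-ID mismatch after a phase 2 change looks like. The following is an added example, not from the original post, of a small parser that reads that command's output and flags one-way SAs and SAs close to rekey. The sample input is the poster's own output, trimmed to the lines the parser uses; the threshold `min_remaining_sec` is an assumption.

```python
"""Parse PIX/IOS 'show crypto ipsec sa' output and flag one-way or expiring SAs.

Added example for diagnosing the state described in the post; it is not the
poster's code. Sample text is the post's own output, trimmed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the 'sh cry ips sa' output quoted in the post, trimmed to the
# lines this parser needs (addresses and counters are the post's own values).
SAMPLE_OUTPUT = """\
interface: outside

 local  ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
 remote ident (addr/mask/prot/port): (172.25.101.0/255.255.255.0/0/0)
 current_peer: 205.234.155.253:500
   PERMIT, flags={}
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
  #pkts decaps: 3273, #pkts decrypt: 3273, #pkts verify 3273
  #send errors 0, #recv errors 0

local crypto endpt.: 65.166.255.1, remote crypto endpt.: 205.234.155.253
   current outbound spi: 27954c37

   inbound esp sas:
    spi: 0x55528ec4(1431473860)
      transform: esp-3des esp-md5-hmac ,
      sa timing: remaining key lifetime (k/sec): (4607643/446)

   outbound esp sas:
    spi: 0x27954c37(664095799)
      transform: esp-3des esp-md5-hmac ,
      sa timing: remaining key lifetime (k/sec): (4608000/452)
"""


@dataclass
class EspSa:
    spi: str
    remaining_kb: int
    remaining_sec: int


@dataclass
class IpsecSaEntry:
    local_ident: str = ""
    remote_ident: str = ""
    peer: str = ""
    pkts_encaps: int = 0
    pkts_decaps: int = 0
    inbound: List[EspSa] = field(default_factory=list)
    outbound: List[EspSa] = field(default_factory=list)


_RE_LOCAL = re.compile(r"local\s+ident \(addr/mask/prot/port\): \((\S+)\)")
_RE_REMOTE = re.compile(r"remote ident \(addr/mask/prot/port\): \((\S+)\)")
_RE_PEER = re.compile(r"current_peer: (\S+)")
_RE_ENCAPS = re.compile(r"#pkts encaps: (\d+)")
_RE_DECAPS = re.compile(r"#pkts decaps: (\d+)")
_RE_DIR = re.compile(r"(inbound|outbound) esp sas:")
_RE_SPI = re.compile(r"spi: (0x[0-9a-fA-F]+)")   # only the per-SA lines carry '0x'
_RE_LIFE = re.compile(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)")


def parse_ipsec_sa(text: str) -> List[IpsecSaEntry]:
    """One IpsecSaEntry per 'local ident' block; ESP SAs attached by direction."""
    entries: List[IpsecSaEntry] = []
    current: Optional[IpsecSaEntry] = None
    direction: Optional[str] = None
    pending_spi: Optional[str] = None
    for line in text.splitlines():
        if m := _RE_LOCAL.search(line):
            current = IpsecSaEntry(local_ident=m.group(1))
            entries.append(current)
            direction = pending_spi = None
            continue
        if current is None:
            continue
        if m := _RE_REMOTE.search(line):
            current.remote_ident = m.group(1)
        elif m := _RE_PEER.search(line):
            current.peer = m.group(1)
        elif m := _RE_ENCAPS.search(line):
            current.pkts_encaps = int(m.group(1))
        elif m := _RE_DECAPS.search(line):
            current.pkts_decaps = int(m.group(1))
        elif m := _RE_DIR.search(line):
            direction = m.group(1)
        elif m := _RE_SPI.search(line):
            pending_spi = m.group(1)
        elif (m := _RE_LIFE.search(line)) and direction and pending_spi:
            getattr(current, direction).append(
                EspSa(pending_spi, int(m.group(1)), int(m.group(2))))
            pending_spi = None
    return entries


def diagnose(entry: IpsecSaEntry, min_remaining_sec: int = 60) -> List[str]:
    """Return human-readable findings for one SA pair (empty list = looks healthy)."""
    findings: List[str] = []
    if entry.pkts_decaps > 0 and entry.pkts_encaps == 0:
        findings.append("one-way: decrypting peer traffic but encrypting nothing; "
                        "check this side's crypto ACL / proxy IDs and routing")
    elif entry.pkts_encaps > 0 and entry.pkts_decaps == 0:
        findings.append("one-way: encrypting but receiving nothing; "
                        "check the remote proxy IDs / return route")
    if not entry.inbound or not entry.outbound:
        findings.append("phase 2 incomplete: missing inbound or outbound ESP SA")
    for name, sas in (("inbound", entry.inbound), ("outbound", entry.outbound)):
        for sa in sas:
            if sa.remaining_sec < min_remaining_sec:
                findings.append(f"{name} SA {sa.spi} rekeys in {sa.remaining_sec}s")
    return findings


if __name__ == "__main__":
    for e in parse_ipsec_sa(SAMPLE_OUTPUT):
        print(f"{e.local_ident} <-> {e.remote_ident} via {e.peer}")
        for f in diagnose(e):
            print("  -", f)
```

Run it against a pasted `show crypto ipsec sa` and any SA reported as one-way is the first place to compare the crypto ACL (here `TO_RKON`) against the peer's proxy IDs before resorting to clearing SAs.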

_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/