Thanks! OK, we got the config now, but we can't connect to the other router. We are setting up a router-to-router connection.

Basically we have our first policy, 10, which uses DES, and everything works fine on that part. Now we have added a new one, policy 20, which uses 3DES, but it seems we are getting a problem. The other router is giving them this message:

710003 111.111.111.111 xxxx 222.222.222.222 xx TCP access denied by ACL from 111.111.111.11/xxxx to OUTSIDE: 222.222.222.222/xx

111.111.111.111 – originating address (fake)
222.222.222.222 – destination address (fake)

Here is a ping command issued to the destination router:

NOCBackup#ping 172.xx.x.xxx source 172.xx.xxx.x
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.xx.x.xxx, timeout is 2 seconds:
Packet sent with a source address of 172.xx.xxx.x
040880: *Dec 28 22:09:53.811 UTC: ISAKMP:(0): SA request profile is (NULL)
040881: *Dec 28 22:09:53.811 UTC: ISAKMP: Created a peer struct for 222.222.222.222, peer port 500
040882: *Dec 28 22:09:53.811 UTC: ISAKMP: New peer created peer = 0x84998D48 peer_handle = 0x80000147
040883: *Dec 28 22:09:53.811 UTC: ISAKMP: Locking peer struct 0x84998D48, refcount 1 for isakmp_initiator
040884: *Dec 28 22:09:53.811 UTC: ISAKMP: local port 500, remote port 500
040885: *Dec 28 22:09:53.815 UTC: ISAKMP: set new node 0 to QM_IDLE
040886: *Dec 28 22:09:53.815 UTC: insert sa successfully sa = 836D4A9C
040887: *Dec 28 22:09:53.815 UTC: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
040888: *Dec 28 22:09:53.815 UTC: ISAKMP:(0):found peer pre-shared key matching 222.222.222.222
040889: *Dec 28 22:09:53.815 UTC: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
040890: *Dec 28 22:09:53.815 UTC: ISAKMP:(0): constructed NAT-T vendor-07 ID
040891: *Dec 28 22:09:53.815 UTC: ISAKMP:(0): constructed NAT-T vendor-03 ID
040892: *Dec 28 22:09:53.815 UTC: ISAKMP:(0): constructed NAT-T vendor-02 ID
040893: *Dec 28 22:09:53.815 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
040894: *Dec 28 22:09:53.815 UTC: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
040895: *Dec 28 22:09:53.815 UTC: ISAKMP:(0): beginning Main Mode exchange
040896: *Dec 28 22:09:53.815 UTC: ISAKMP:(0): sending packet to 222.222.222.222 my_port 500 peer_port 500 (I) MM_NO_STATE
040897: *Dec 28 22:09:53.815 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
040898: *Dec 28 22:09:53.831 UTC: ISAKMP (0:0): received packet from 222.222.222.222 dport 500 sport 500 Global (I) MM_NO_STATE
040899: *Dec 28 22:09:53.831 UTC: ISAKMP:(0):Notify has no hash. Rejected.
040900: *Dec 28 22:09:53.831 UTC: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
040901: *Dec 28 22:09:53.831 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
040902: *Dec 28 22:09:53.831 UTC: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1
040903: *Dec 28 22:09:53.835 UTC: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 222.222.222.222.....
Success rate is 0 percent (0/5)

I can post the partial config after I edit out some details.

On Thu, Dec 24, 2009 at 15:50, swap m <[email protected]> wrote:
> IOS defaults to DES..
>
> You can always use "sh crypto isakmp policy" to verify.
>
> On Thu, Dec 24, 2009 at 7:44 AM, O n i <[email protected]> wrote:
>
>> Good Evening Everyone
>>
>> Can this policy support an esp-3des setup, or only an esp-des? Usually I
>> put in an "encryption des" or "encryption 3des", but I am not sure if not
>> putting one in could default to DES. If there's an existing policy like the
>> one below, should I create a new policy or just include the command
>> "encryption 3des"? Hope you understand, since my English is bad.
>>
>>
>> crypto isakmp policy 10
>> hash md5
>> authentication pre-share
>> group 2
>> _______________________________________________
>> cisco-nsp mailing list [email protected]
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
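As an added illustration, not part of the thread and not Cisco tooling: a small Python parser that walks the "debug crypto isakmp" output quoted in the mail above and reports how far Main Mode got before the peer's unhashed notify and the IKMP_MODE_FAILURE. The sample lines are a trimmed copy of that trace (constructed here as test input), and the function names are my own.

```python
import re

# Constructed sample: a trimmed copy of the ISAKMP debug lines quoted in the mail above.
SAMPLE_DEBUG = """\
040894: *Dec 28 22:09:53.815 UTC: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
040896: *Dec 28 22:09:53.815 UTC: ISAKMP:(0): sending packet to 222.222.222.222 my_port 500 peer_port 500 (I) MM_NO_STATE
040898: *Dec 28 22:09:53.831 UTC: ISAKMP (0:0): received packet from 222.222.222.222 dport 500 sport 500 Global (I) MM_NO_STATE
040899: *Dec 28 22:09:53.831 UTC: ISAKMP:(0):Notify has no hash. Rejected.
040901: *Dec 28 22:09:53.831 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
040902: *Dec 28 22:09:53.831 UTC: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1
040903: *Dec 28 22:09:53.835 UTC: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 222.222.222.222
"""

# Initiator-side Main Mode states in the order IOS walks them (MM1 = first packet sent).
MM_ORDER = ["IKE_READY", "IKE_I_MM1", "IKE_I_MM2", "IKE_I_MM3", "IKE_I_MM4", "IKE_I_MM5", "IKE_I_MM6"]
STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
PKT_RE = re.compile(r"(sending packet to|received packet from) (\d+(?:\.\d+){3})")
FAIL_RE = re.compile(r"%CRYPTO-6-IKMP_MODE_FAILURE: (.*?)\s*$")

def summarize_isakmp(debug_text):
    """Walk a 'debug crypto isakmp' trace and collect peer, packet counts, states and failure."""
    s = {"peer": None, "sent": 0, "received": 0, "states": [],
         "rejected_notifies": 0, "failure": None}
    for line in debug_text.splitlines():
        m = PKT_RE.search(line)
        if m:
            s["peer"] = m.group(2)
            s["sent" if m.group(1).startswith("sending") else "received"] += 1
        m = STATE_RE.search(line)
        if m:
            s["states"].append(m.group(2))  # new state after each transition
        if "Notify has no hash. Rejected." in line:
            s["rejected_notifies"] += 1  # peer sent an informational notify with no HASH payload
        m = FAIL_RE.search(line)
        if m:
            s["failure"] = m.group(1)
    return s

def diagnose(s):
    """Explain the trace: did Main Mode advance, or did the peer answer MM1 with a bare notify?"""
    if s["failure"] is None:
        return "no IKMP failure logged"
    if not s["states"]:
        return "failure logged but no state transitions seen"
    furthest = max(s["states"], key=lambda st: MM_ORDER.index(st) if st in MM_ORDER else -1)
    if furthest == "IKE_I_MM1" and s["rejected_notifies"]:
        return ("phase1 stalled in MM1: peer %s answered MM1 with an unhashed "
                "informational notify instead of MM2" % s["peer"])
    return "phase1 failed after reaching %s" % furthest
```

Run `diagnose(summarize_isakmp(SAMPLE_DEBUG))` on the trace above; a trace that reaches IKE_I_MM2 or later points away from the first-packet proposal and towards a later exchange.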
