Thanks for the reply.

It's actually the question requirement:

"Also use Loopback interface as peer address" ???


>From: "YY" 
>Reply-To: "YY" 
>To: [EMAIL PROTECTED]
>Subject: RE: IPSEC Q's [7:17646]
>Date: Wed, 29 Aug 2001 10:31:56 -0400
>
>Hi,
>    Try removing the "set peer 135.25.3.1" under the crypto map of ISDN1, and
>also "set peer 135.25.4.1" on ISDN2.
>They are not necessary and only confuse you.  Your purpose is to protect
>the telnet traffic on the link between the 2 routers.  Hence just creating an
>ipsec tunnel between the 2 routers should be fairly enough.
>
>Cheers,
>YY
>
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
>Cisco Lover
>Sent: Wednesday, August 29, 2001 6:28 PM
>To: [EMAIL PROTECTED]
>Subject: RE: IPSEC Q's [7:17646]
>
>
>Dion,
>
>Thanks a lot for detailed analysis of my problem.
>
>In order to match my access lists, I put the following command on both routers:
>
>ip telnet source interface loopback0
>
>But what happened? Just after putting these in, I'm no longer able to telnet from
>one router to the other router's Loopback interface, although I can still telnet
>using the interface addresses. Below is the debug output.
>
>Please advise...
>
>Thanks a lot.....:)
>
>[Connection to 135.25.11.1 closed by foreign host]
>ISDN1#  telnet 135.25.3.1
>Trying 135.25.3.1 ...
>04:43:20: IP: s=135.25.4.1 (local), d=135.25.3.1 (Serial0/0), len 44, sending
>04:43:20: IP: s=135.25.4.1 (local), d=135.25.3.1 (Serial0/0), len 44, output crypto map check failed.
>04:43:22: IP: s=135.25.4.1 (local), d=135.25.3.1 (Serial0/0), len 44, sending
>04:43:22: IP: s=135.25.4.1 (local), d=135.25.3.1 (Serial0/0), len 44, output crypto map check failed.
>04:43:26: IP: s=135.25.4.1 (local), d=135.25.3.1 (Serial0/0), len 44, sending
>04:43:26: IP: s=135.25.4.1 (local), d=135.25.3.1 (Serial0/0), len 44, output crypto map check failed.
>04:43:34: IP: s=135.25.4.1 (local), d=135.25.3.1 (Serial0/0), len 44, sending
>04:43:34: IP: s=135.25.4.1 (local), d=135.25.3.1 (Serial0/0), len 44, output crypto map check failed.
>% Connection timed out; remote host not responding
>ISDN2#telnet 135.25.4.1
>Trying 135.25.4.1 ...
>04:43:14: IP: s=135.25.3.1 (local), d=135.25.4.1 (Serial1/1), len 44, sending
>04:43:14:     TCP src=11013, dst=23, seq=819906755, ack=0, win=4128 SYN
>04:43:14: IP: s=135.25.3.1 (local), d=135.25.4.1 (Serial1/1), len 44, output crypto map check failed.
>04:43:14:     TCP src=11013, dst=23, seq=819906755, ack=0, win=4128 SYN
>04:43:16: IP: s=135.25.3.1 (local), d=135.25.4.1 (Serial1/1), len 44, sending
>04:43:16:     TCP src=11013, dst=23, seq=819906755, ack=0, win=4128 SYN
>04:43:16: IP: s=135.25.3.1 (local), d=135.25.4.1 (Serial1/1), len 44, output crypto map check failed.
>04:43:16:     TCP src=11013, dst=23, seq=819906755, ack=0, win=4128 SYN
>04:43:20: IP: s=135.25.3.1 (local), d=135.25.4.1 (Serial1/1), len 44, sending
>04:43:20:     TCP src=11013, dst=23, seq=819906755, ack=0, win=4128 SYN
>04:43:20: IP: s=135.25.3.1 (local), d=135.25.4.1 (Serial1/1), len 44, output crypto map check failed.
>04:43:20:     TCP src=11013, dst=23, seq=819906755, ack=0, win=4128 SYN
>04:43:28: IP: s=135.25.3.1 (local), d=135.25.4.1 (Serial1/1), len 44, sending
>04:43:28:     TCP src=11013, dst=23, seq=819906755, ack=0, win=4128 SYN
>04:43:28: IP: s=135.25.3.1 (local), d=135.25.4.1 (Serial1/1), len 44, output crypto map check failed.
>04:43:28:     TCP src=11013, dst=23, seq=819906755, ack=0, win=4128 SYN
>04:43:29: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 135.25.11.2
>04:43:30: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 135.25.11.2 failed its sanity check or is malformed
>04:43:44: IP: s=135.25.3.1 (local), d=135.25.4.1 (Serial1/1), len 44, sending
>04:43:44:     TCP src=11013, dst=23, seq=819906755, ack=0, win=4128 SYN
>04:43:44: IP: s=135.25.3.1 (local), d=135.25.4.1 (Serial1/1), len 44, output crypto map check failed.
>04:43:44:     TCP src=11013, dst=23, seq=819906755, ack=0, win=4128 SYN
>% Connection timed out; remote host not responding
>
> >From: "Radford Dion"
> >Reply-To: "Radford Dion"
> >To: [EMAIL PROTECTED]
> >Subject: RE: IPSEC  Q's [7:17646]
> >Date: Wed, 29 Aug 2001 05:28:29 -0400
> >
> >The access-list is the important point - if your traffic doesn't get caught
> >by the access-list it won't be encrypted.
> >
> >Your access list encrypts telnet traffic that is sourced from the loopback
> >address. Now I could be wrong, but if you are on router ISDN1 and telnet to
> >the loopback address of ISDN2, the source address will be the ISDN1 router's
> >S0/0 interface IP address, NOT the ISDN1 loopback address.
> >
> >I would change your access-list. You can easily tell if your traffic is
> >matching your access list by doing a 'debug ip packet detail 110'. You can
> >see how many packets are encrypted using 'sh crypto engine connections
> >active'.
> >
> >The 3DES IPSEC image is not easy to get a hold of if you're not in the US.
> >
> > > -----Original Message-----
> > > From:     Cisco Lover [SMTP:[EMAIL PROTECTED]]
> > > Sent:     Wednesday, August 29, 2001 9:51 AM
> > > To:       [EMAIL PROTECTED]
> > > Subject:  IPSEC  Q's [7:17646]
> > >
> > > Hi Guys,
> > >
> > > Can you please help with some IPSEC stuff...
> > >
> > > Q1. Which algo in IPSEC supports 128-bit/Triple DES?
> > > Q2. Is there any way to confirm if our VPN/IPSEC setup is working
> > > properly?
> > >
> > > I used the commands show crypto ipsec sa + show crypto isakmp sa, but can't
> > > see anything coming. Below is my config and show command results.
> > > My concern is to protect Telnet traffic b/w these two guys.
> > >
> > > ISDN1#sh run
> > > Building configuration...
> > >
> > > Current configuration:
> > > !
> > > version 12.0
> > > service timestamps debug uptime
> > > service timestamps log uptime
> > > no service password-encryption
> > > !
> > > hostname ISDN1
> > > !
> > > enable secret 5 $1$LYk/$PJGs8FlVtZXjf/dcBrwcO/
> > > !
> > > !
> > > !
> > > !
> > > !
> > > memory-size iomem 7
> > > ip subnet-zero
> > > no ip domain-lookup
> > > !
> > > isdn voice-call-failure 0
> > > cns event-service server
> > > !
> > > !
> > > !
> > > !
> > > crypto isakmp policy 10
> > > hash md5
> > > authentication pre-share
> > > crypto isakmp key cisco address 135.25.3.1 255.255.255.255
> > > crypto isakmp key cisco address 135.25.11.1 255.255.255.252
> > > !
> > > !
> > > crypto ipsec transform-set Cisco ah-md5-hmac esp-des
> > > crypto ipsec transform-set Cisco2 esp-des esp-md5-hmac
> > > !
> > > !
> > > crypto map CCIE 10 ipsec-isakmp
> > > set peer 135.25.11.1
> > > set peer 135.25.3.1
> > > set transform-set Cisco2
> > > match address 110
> > > !
> > > !
> > > !
> > > !
> > > interface Loopback0
> > > ip address 135.25.4.1 255.255.255.255
> > > no ip directed-broadcast
> > > !
> > > interface FastEthernet0/0
> > > ip address 10.1.1.1 255.255.255.0
> > > no ip directed-broadcast
> > > ip nat inside
> > > duplex auto
> > > speed auto
> > > !
> > > interface Serial0/0
> > > ip address 135.25.11.2 255.255.255.252
> > > no ip directed-broadcast
> > > ip nat outside
> > > no ip mroute-cache
> > > no fair-queue
> > > crypto map CCIE
> > > !
> > > interface BRI0/0
> > > no ip address
> > > no ip directed-broadcast
> > > shutdown
> > > isdn guard-timer 0 on-expiry accept
> > > !
> > > interface FastEthernet0/1
> > > ip address 135.25.11.9 255.255.255.252
> > > no ip directed-broadcast
> > > duplex auto
> > > speed auto
> > > !
> > > router ospf 64
> > > network 135.25.4.1 0.0.0.0 area 0
> > > network 135.25.11.2 0.0.0.0 area 0
> > > network 135.25.11.9 0.0.0.0 area 0
> > > !
> > > ip nat pool CCIE 135.25.11.2 135.25.11.2 prefix-length 30
> > > ip nat inside source list 1 pool CCIE overload
> > > ip classless
> > > no ip http server
> > > !
> > > access-list 1 permit 10.1.1.0 0.0.0.255
> > > access-list 110 permit tcp host 135.25.4.1 host 135.25.3.1 eq telnet
> > > !
> > > !
> > > voice-port 1/0/0
> > > !
> > > voice-port 1/0/1
> > > !
> > > voice-port 1/1/0
> > > !
> > > voice-port 1/1/1
> > > !
> > > !
> > > !
> > > line con 0
> > > exec-timeout 0 0
> > > password cisco
> > > transport input none
> > > line aux 0
> > > line vty 0 4
> > > password cisco
> > > login
> > >
> > >
> > > ISDN2#sh run
> > > Building configuration...
> > >
> > > Current configuration:
> > > !
> > > version 12.0
> > > service timestamps debug uptime
> > > service timestamps log uptime
> > > no service password-encryption
> > > !
> > > hostname ISDN2
> > > !
> > > enable secret 5 $1$so9r$GFjeRLyea2vUgn2HbMvOG1
> > > !
> > > !
> > > !
> > > !
> > > !
> > > ip subnet-zero
> > > no ip domain-lookup
> > > !
> > > isdn voice-call-failure 0
> > > cns event-service server
> > > !
> > > !
> > > crypto isakmp policy 10
> > > hash md5
> > > authentication pre-share
> > > crypto isakmp key cisco address 135.25.11.2
> > > crypto isakmp key cisco address 135.25.4.1
> > > !
> > > !
> > > crypto ipsec transform-set Cisco ah-md5-hmac esp-des
> > > crypto ipsec transform-set Cisco2 esp-des esp-md5-hmac
> > > !
> > > !
> > > crypto map CCIE 10 ipsec-isakmp
> > > set peer 135.25.11.2
> > > set peer 135.25.4.1
> > > set transform-set Cisco2
> > > match address 110
> > > partition flash 2 16 8
> > > !
> > > !
> > > !
> > > !
> > > !
> > > !
> > > !
> > > interface Loopback0
> > > ip address 135.25.3.1 255.255.255.255
> > > no ip directed-broadcast
> > > !
> > > interface Ethernet0/0
> > > ip address 10.1.1.2 255.255.255.0
> > > no ip directed-broadcast
> > > no keepalive
> > > !
> > > interface Serial0/0
> > > no ip address
> > > no ip directed-broadcast
> > > no ip mroute-cache
> > > shutdown
> > > no fair-queue
> > > !
> > > interface BRI0/0
> > > no ip address
> > > no ip directed-broadcast
> > > shutdown
> > > isdn guard-timer 0 on-expiry accept
> > > !
> > > interface Ethernet0/1
> > > no ip address
> > > no ip directed-broadcast
> > > shutdown
> > > !
> > > interface Serial1/0
> > > ip address 135.25.9.1 255.255.255.252
> > > no ip directed-broadcast
> > > fair-queue 64 32 1
> > > clockrate 72000
> > > ip rsvp bandwidth 16 13
> > > !
> > > interface Serial1/1
> > > ip address 135.25.11.1 255.255.255.252
> > > no ip directed-broadcast
> > > clockrate 72000
> > > crypto map CCIE
> > > !
> > > interface Serial1/2
> > > ip address 135.25.9.5 255.255.255.252
> > > no ip directed-broadcast
> > > clockrate 72000
> > > !
> > > interface Serial1/3
> > > no ip address
> > > no ip directed-broadcast
> > > shutdown
> > > !
> > > interface Serial1/4
> > > ip address 135.25.11.5 255.255.255.252
> > > no ip directed-broadcast
> > > !
> > > interface Serial1/5
> > > no ip address
> > > no ip directed-broadcast
> > > shutdown
> > > !
> > > interface Serial1/6
> > > no ip address
> > > no ip directed-broadcast
> > > shutdown
> > > !
> > > interface Serial1/7
> > > no ip address
> > > no ip directed-broadcast
> > > shutdown
> > > !
> > > router ospf 64
> > > network 135.25.3.1 0.0.0.0 area 0
> > > network 135.25.9.1 0.0.0.0 area 0
> > > network 135.25.9.5 0.0.0.0 area 0
> > > network 135.25.11.1 0.0.0.0 area 0
> > > network 135.25.11.5 0.0.0.0 area 0
> > > !
> > > ip classless
> > > no ip http server
> > > !
> > > access-list 110 permit tcp host 135.25.3.1 host 135.25.4.1 eq telnet
> > > !
> > > !
> > > line con 0
> > > exec-timeout 0 0
> > > password cisco
> > > transport input none
> > > line aux 0
> > > line vty 0 4
> > > password cisco
> > > login
> > > !
> > > end
> > > ISDN2# sh crypto ipsec sa
> > >
> > > interface: Serial1/1
> > >     Crypto map tag: CCIE, local addr. 135.25.11.1
> > >
> > >    local  ident (addr/mask/prot/port): (135.25.3.1/255.255.255.255/6/0)
> > >    remote ident (addr/mask/prot/port): (135.25.4.1/255.255.255.255/6/23)
> > >    current_peer: 135.25.11.2
> > >      PERMIT, flags={origin_is_acl,reassembly_needed,ident_port_range,}
> > >     #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
> > >     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
> > >     #pkts compressed: 0, #pkts decompressed: 0
> > >     #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress
> > > failed: 0
> > >     #send errors 0, #recv errors 0
> > >
> > >      local crypto endpt.: 135.25.11.1, remote crypto endpt.: 135.25.11.2
> > >      path mtu 1500, media mtu 1500
> > >      current outbound spi: 0
> > >
> > >      inbound esp sas:
> > >
> > >
> > >      inbound ah sas:
> > >
> > >
> > >      inbound pcp sas:
> > >
> > >
> > >      outbound esp sas:
> > >
> > >
> > >      outbound ah sas:
> > >
> > >
> > >      outbound pcp sas:
> > >
> > >
> > >      local crypto endpt.: 135.25.11.1, remote crypto endpt.: 135.25.4.1
> > >      path mtu 1500, media mtu 1500
> > >      current outbound spi: 0
> > >
> > >      inbound esp sas:
> > >
> > >
> > >      inbound ah sas:
> > >
> > >
> > >      inbound pcp sas:
> > >
> > >
> > >      outbound esp sas:
> > >
> > >
> > >      outbound ah sas:
> > >
> > >
> > >      outbound pcp sas:
> > >
> > >
> > > ISDN2#sh crypto isakmp sa
> > >     dst           src          state        conn-id   slot
> > >
> > > ISDN2#
> > > !
> > >
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17789&t=17646
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
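To make Dion's point about the crypto ACL and YY's point about the extra peers concrete, here is a small Python model of the outbound crypto-map check that the "crypto map check failed" debugs above refer to. It is an added example, not code from the thread or from IOS; the addresses and the two access-list 110 entries are taken from the ISDN1/ISDN2 configs posted above, and the `mirror()` check goes a step further than the thread by comparing ports as well as hosts, which is how the two sides' phase 2 identities are compared.

```python
# Added example (not from the thread): a minimal model of how a crypto map
# decides whether an outbound packet is "interesting" traffic. Addresses and
# ACL 110 come from the ISDN1/ISDN2 configs posted in the thread.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    """One extended-ACL entry; None means 'any' for that port field."""
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

    def matches(self, proto, src, sport, dst, dport):
        return (self.proto == proto and self.src == src and self.dst == dst
                and self.sport in (None, sport) and self.dport in (None, dport))

    def mirror(self):
        """The ACE the far end needs: source and destination (with ports) swapped."""
        return Ace(self.proto, self.dst, self.dport, self.src, self.sport)

# access-list 110 permit tcp host 135.25.4.1 host 135.25.3.1 eq telnet   (ISDN1)
ISDN1_ACL110 = [Ace("tcp", "135.25.4.1", None, "135.25.3.1", 23)]
# access-list 110 permit tcp host 135.25.3.1 host 135.25.4.1 eq telnet   (ISDN2)
ISDN2_ACL110 = [Ace("tcp", "135.25.3.1", None, "135.25.4.1", 23)]

def outbound_action(acl, proto, src, sport, dst, dport):
    """Traffic that misses every ACE (implicit deny) leaves the interface in clear text."""
    hit = any(a.matches(proto, src, sport, dst, dport) for a in acl)
    return "ipsec" if hit else "clear"

def is_mirror(local_acl, remote_acl):
    """Crypto ACLs must be exact mirrors, ports included, or the two ends disagree."""
    return {a.mirror() for a in local_acl} == set(remote_acl)

def stray_peers(peers, remote_crypto_interface_ip):
    """Peers that are not the address of the interface carrying the far end's crypto map."""
    return [p for p in peers if p != remote_crypto_interface_ip]

if __name__ == "__main__":
    # telnet from ISDN1 with the default source (Serial0/0, 135.25.11.2) misses the ACL
    print(outbound_action(ISDN1_ACL110, "tcp", "135.25.11.2", 11013, "135.25.3.1", 23))
    # with Loopback0 as the telnet source the same session is interesting traffic
    print(outbound_action(ISDN1_ACL110, "tcp", "135.25.4.1", 11013, "135.25.3.1", 23))
    print(is_mirror(ISDN1_ACL110, ISDN2_ACL110))   # both ACLs put 'eq telnet' on the destination
    print(stray_peers(["135.25.11.1", "135.25.3.1"], "135.25.11.1"))  # ISDN1's peers vs ISDN2 S1/1
```

The mirror check reports False for the two ACLs as posted because each puts `eq telnet` on the destination; the mirror of ISDN1's entry would carry the port on the source side on ISDN2.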