Neal,
         You'll also need to have the crypto maps added to the physical
interface through which the tunnels are built.  Paste a copy of the complete
configs without the debug output.   However, what I noted seems to be the
only thing that stands out! Watch the word wrap...

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt4/scipsec.htm#xtocid2141729

HTH
Nigel

----- Original Message -----
From: "Neal Rauhauser" 
To: 
Sent: Saturday, September 07, 2002 7:41 PM
Subject: IPsec - what is wrong with this config? [7:52865]


> I have two 1750s sharing an ethernet hub - just trying to get IPsec on
> a tunnel between ethernet interfaces and I am having trouble. This
> config seems close but I don't know what to do next
>
>
> Here is the error I am getting when I try to ping the opposite end of
> the tunnel
>
> 01:05:29: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
> 01:05:29: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
> 01:05:29: ISAKMP (1): sending packet to 192.168.6.50 (I) MM_NO_STATE.
>
> -- this router is at the bottom of a three router stack
> crypto isakmp policy 1
>  authentication pre-share
> crypto isakmp key duh address 192.168.6.51
> !
> !
> crypto ipsec transform-set MIDDLE ah-sha-hmac esp-des
> !
> crypto key pubkey-chain rsa
>  named-key middle
>   key-string
>    305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D081DF 26BC7013
>    448EA3D2 5C0853FA E0E01770 06D6C4FE A57B165A 4BC25F0E 5FD517B1 12EEA345
>    8C9CC44E DCDC705E AB6327F9 81868B14 CB2294F1 304611A2 A7020301 0001
>   quit
>  addressed-key 192.168.6.51
>   address 192.168.6.51
>   key-string
>    305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D081DF 26BC7013
>    448EA3D2 5C0853FA E0E01770 06D6C4FE A57B165A 4BC25F0E 5FD517B1 12EEA345
>    8C9CC44E DCDC705E AB6327F9 81868B14 CB2294F1 304611A2 A7020301 0001
>   quit
>  !
>  crypto map MIDDLE2 local-address Tunnel0
>  crypto map MIDDLE2 10 ipsec-isakmp
>  set peer 192.168.6.51
>  set transform-set MIDDLE
>  match address middle
>
> interface Tunnel0
>  ip address 192.168.6.50 255.255.255.0
>  tunnel source 192.168.1.50
>  tunnel destination 192.168.1.51
>  tunnel mode ipip
>  crypto map MIDDLE2
> !
> interface FastEthernet0
>  ip address 192.168.1.50 255.255.255.0
>  speed auto
>
>
> --- this router is in the middle of a three router stack
>
> crypto isakmp policy 1
>  authentication pre-share
> crypto isakmp key duh address 192.168.6.50
> !
> !
> crypto ipsec transform-set BOTTOM ah-sha-hmac esp-des
> !
> crypto key pubkey-chain rsa
>  named-key bottom
>   key-string
>    305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00B941FA 8C44F60C
>    76199B3E DADDA933 F5EA1118 9F9410B0 E097836F 166FDC84 3FD06FA0 338E77AE
>    F32142F4 D750F4F0 31844B70 099DD8B2 6F8753D7 70BD2BBA 03020301 0001
>   quit
>  addressed-key 192.168.1.50
>   address 192.168.1.50
>   key-string
>    305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00B941FA 8C44F60C
>    76199B3E DADDA933 F5EA1118 9F9410B0 E097836F 166FDC84 3FD06FA0 338E77AE
>    F32142F4 D750F4F0 31844B70 099DD8B2 6F8753D7 70BD2BBA 03020301 0001
>   quit
>  !
>  crypto map BOTTOM2 local-address Tunnel0
>  crypto map BOTTOM2 10 ipsec-isakmp
>  set peer 192.168.6.50
>  set transform-set BOTTOM
>  match address bottom
> interface Tunnel0
>  ip address 192.168.6.51 255.255.255.0
>  tunnel source 192.168.1.51
>  tunnel destination 192.168.1.50
>  tunnel mode ipip
>  crypto map BOTTOM2
> !
> interface Serial0
>  ip address 192.168.3.1 255.255.255.0
>  clockrate 1000000
> !
> interface FastEthernet0
>  ip address 192.168.1.51 255.255.255.0
>  speed auto
>
>
>
>
> --
> Neal Rauhauser CCNP, CCDP voice: 402-301-9555
> mailto:[EMAIL PROTECTED] fcc  : k0bsd
> "I've seen the angels wearing their disguise,
> ordinary people leading ordinary lives" - Tracy Chapman




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=52890&t=52865
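
The check suggested in the reply (the tunnel's crypto map should also be applied to the physical interface the tunnel is built through) can be automated over saved configs. The following is an added example, not part of the original thread; the function names are hypothetical and the sample config is constructed from the first router's config quoted above.

```python
import re

# Constructed sample, trimmed from the first router's config in the thread.
SAMPLE = """\
crypto map MIDDLE2 10 ipsec-isakmp
 set peer 192.168.6.51
interface Tunnel0
 ip address 192.168.6.50 255.255.255.0
 tunnel source 192.168.1.50
 tunnel destination 192.168.1.51
 crypto map MIDDLE2
!
interface FastEthernet0
 ip address 192.168.1.50 255.255.255.0
 speed auto
"""

def parse_interfaces(config):
    """Map interface name -> its IP, tunnel source and applied crypto maps."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # any top-level line ends an interface block
            m = re.match(r"interface (\S+)", line)
            current = None
            if m:
                current = interfaces.setdefault(
                    m.group(1), {"ip": None, "source": None, "maps": set()})
        elif current is not None:
            if m := re.match(r"ip address (\S+) \S+", line):
                current["ip"] = m.group(1)
            elif m := re.match(r"tunnel source (\S+)", line):
                current["source"] = m.group(1)
            elif m := re.match(r"crypto map (\S+)$", line):
                current["maps"].add(m.group(1))
    return interfaces

def missing_physical_crypto_maps(config):
    """Return (tunnel, physical_if, map) for maps absent from the source interface."""
    ifs = parse_interfaces(config)
    findings = []
    for name, t in ifs.items():
        if not name.lower().startswith("tunnel") or not t["maps"] or not t["source"]:
            continue
        # "tunnel source" may name an interface or give that interface's IP address
        phys = next((n for n, p in ifs.items()
                     if n != name and t["source"] in (n, p["ip"])), None)
        for cmap in sorted(t["maps"]):
            if phys is None or cmap not in ifs[phys]["maps"]:
                findings.append((name, phys, cmap))
    return findings
```

On the sample it reports `Tunnel0`'s map `MIDDLE2` as missing from `FastEthernet0`; a `phys` of `None` in a finding means no interface matching the tunnel source was found in the config.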