7200emu.hacki.at Forum Index 7200emu.hacki.at
Dynamips, Dynagen and all that stuff
 
IPSec problem with Dynamips

 
liaksey



Joined: 31 Mar 2010
Posts: 2
Location: Belarus, Minsk

Posted: Wed Mar 31, 2010 4:32 pm    Post subject: IPSec problem with Dynamips

Hello everyone.
I've tried to implement a Site-to-Site IPSec VPN. It doesn't work; this is the output of the debug crypto isakmp command:
...
ISAKMP:(0:1:SW:1):atts are acceptable.
*Mar 31 17:57:16.987: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
*Mar 31 17:57:16.991: ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable! (local 170.10.20.1 remote 170.10.20.6)
*Mar 31 17:57:16.995: ISAKMP: set new node -283484586 to QM_IDLE
*Mar 31 17:57:17.003: ISAKMP:(0:1:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1701542520, message ID = -283484586
...
Here is part of the configs from both routers:
R2
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
lifetime 120
crypto isakmp key first address 170.10.20.6 255.255.255.252
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set VPN-TEST esp-3des esp-sha-hmac
!
crypto map VPN-TEST 10 ipsec-isakmp
set peer 170.10.20.6
set transform-set VPN-TEST
match address 101

interface Serial2/0
ip address 170.10.20.1 255.255.255.252
serial restart-delay 0
crypto map VPN-TEST

access-list 101 permit tcp 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255 eq telnet
access-list 101 deny ip any any log

R4
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
lifetime 120
crypto isakmp key first address 170.10.20.1 255.255.255.252
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set VPN-TEST esp-3des esp-sha-hmac
!
crypto map VPN-TEST 10 ipsec-isakmp
set peer 170.10.20.1
set transform-set VPN-TEST
match address 199

interface Serial1/0
ip address 170.10.20.6 255.255.255.252
serial restart-delay 0
no fair-queue
crypto map VPN-TEST

access-list 199 permit tcp 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255 eq telnet
access-list 199 deny ip any any log


I've tried with two IOS images (c7200-jk9s-mz.124-13b.bin and c7200-ik9s-mz.123-17b.bin) and any combinations of encryption, hash, authentication and group in the crypto isakmp policy part of the config, in tunnel and transport modes. All without success.
Could anyone help me to solve this problem? Maybe it's a known bug? Has anybody ever faced a similar problem?
If interested, please find in the attachments the full configs from both routers and the full outputs of the debug crypto isakmp command, also from both routers.
Thanks in advance



Attachments:
R2&R4deb_isakmp.txt (25.25 KB): outputs of debug crypto isakmp command from both routers
R4.txt (2.39 KB): R4 config
R2.txt (2.41 KB): R2 config


_________________
BR. Liaksey
liaksey




Posted: Wed Apr 14, 2010 4:43 pm

Hi everyone.
I've found time to come back to my topology, and I've found the mistake. It was simple: I'd made a mistake in the ACL. Here is the correct ACL on R2:

access-list 101 permit ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255

and, of course, mirrored ACL on R4.

This way IPSec works perfectly.

Ticket can be closed :))

_________________
BR. Liaksey
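
The two crypto ACLs in the first post both place `eq telnet` after the destination, so neither is the mirror image of the other, while the corrected `permit ip` pair is. The Python check below is an added example, not part of the original posts: the helper names are hypothetical, it handles only the network/wildcard form with an optional `eq`, and the fixed R4 line is constructed from the post's description.

```python
import re

# Handles only the form used in this thread:
#   access-list N permit PROTO SRC WILDCARD [eq PORT] DST WILDCARD [eq PORT]
ACE = re.compile(
    r"access-list\s+\d+\s+permit\s+(?P<proto>\S+)\s+"
    r"(?P<src>\d\S*\s+\d\S*)(?:\s+eq\s+(?P<sport>\S+))?\s+"
    r"(?P<dst>\d\S*\s+\d\S*)(?:\s+eq\s+(?P<dport>\S+))?\s*$"
)
FIELDS = ("proto", "src", "sport", "dst", "dport")

def parse_ace(line):
    """Split one permit entry into protocol, source/destination and ports."""
    m = ACE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE form: {line!r}")
    # Collapse whitespace so "net  wildcard" compares equal to "net wildcard".
    return {k: " ".join(v.split()) if v else None for k, v in m.groupdict().items()}

def mirror(ace):
    """Entry the remote peer must carry: source and destination sides swapped."""
    return {"proto": ace["proto"], "src": ace["dst"], "sport": ace["dport"],
            "dst": ace["src"], "dport": ace["sport"]}

def mirror_mismatches(local_line, remote_line):
    """Fields where remote_line differs from the mirror of local_line."""
    want, got = mirror(parse_ace(local_line)), parse_ace(remote_line)
    return [f"{k}: expected {want[k] or 'any'}, found {got[k] or 'any'}"
            for k in FIELDS if want[k] != got[k]]

# Lines from the thread; R4_FIXED is constructed from "mirrored ACL on R4".
R2_ORIG = "access-list 101 permit tcp 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255 eq telnet"
R4_ORIG = "access-list 199 permit tcp 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255 eq telnet"
R2_FIXED = "access-list 101 permit ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255"
R4_FIXED = "access-list 199 permit ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255"

if __name__ == "__main__":
    for name, a, b in (("original", R2_ORIG, R4_ORIG), ("fixed", R2_FIXED, R4_FIXED)):
        problems = mirror_mismatches(a, b)
        print(name, "->", "mirrored" if not problems else "; ".join(problems))
```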