[vpn] VPN and RSA keys

Eric Vyncke evyncke at cisco.com
Thu Jul 4 09:57:34 EDT 2002


A couple of comments on your configurations:
- I'm puzzled by the static IP route for 192.168.0.2

- usually, the crypto ACLs protect the whole subnet (but what you are 
doing should work anyway); I would have expected: permit ip 192.168.0.0 
0.0.0.255 192.168.2.0 0.0.0.255

- the IKMP_NOT_ENCRYPTED alone is probably due to a bad key 
exchange/authentication

- you may want to issue the commands 'debug crypto isakmp' and 'terminal 
monitor' for more information

- did you check that the TIME is correct on both routers? 'show clock'

Hope this helps

-eric


At 11:50 3/07/2002 -0700, Jim Terry wrote:
>I got a little farther but still need assistance.  The request was pending
>on the server so I did approve it.
>
>Now the debug on the router shows it received a packet from the remote peer
>that was not encrypted but it should have been. My ACLs appear to me to be
>correct.
>
>The routers are connected by the S0 interfaces.  The ACLs are defined from
>E0 to E0.
>
>Here is what the debug says:
>%CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 192.168.1.2 was not
>encrypted and it should've been.
>Here is the explanation:
>Contact remote peer!
>
>
>Since this is a lab situation here are my configs
>Router A:
>hostname routera>>
>!
>clock timezone pacific -7
>ip subnet-zero
>ip host sun.com 192.168.0.2
>ip host entrust.com 216.191.253.14
>ip host jt-xixngte70fxo 192.168.0.2
>ip domain-name jterry.net
>ip name-server 192.168.0.2
>!
>!
>!
>crypto ca identity sun.com
>  enrollment url http://192.168.0.2:80
>  query url ldap://192.168.0.2
>  crl optional
>crypto ca certificate chain sun.com
>  certificate 09
>   308201BF 30820169 A0030201 02020109 300D0609 2A864886 F70D0101 04050030
>   (truncated)
>   quit
>  certificate ca 01
>   30820231 308201DB A0030201 02020101 300D0609 2A864886
>   (truncated)
>quit
>!
>crypto isakmp policy 1
>  hash md5
>crypto isakmp identity hostname
>!
>!
>crypto ipsec transform-set myset esp-des esp-sha-hmac
>!
>crypto map vpn 10 ipsec-isakmp
>  set peer 192.168.1.2
>  set transform-set myset
>  match address 100
>!
>!
>!
>!
>interface Ethernet0
>  ip address 192.168.0.5 255.255.255.0
>  ip helper-address 192.168.0.2
>!
>interface Serial0
>  ip address 192.168.1.1 255.255.255.0
>  crypto map vpn
>!
>interface Serial1
>  no ip address
>  shutdown
>!
>router rip
>  network 192.168.0.0
>  network 192.168.1.0
>  no auto-summary
>!
>ip classless
>ip route 192.168.0.2 255.255.255.255 192.168.0.1
>ip http server
>!
>access-list 100 permit ip host 192.168.0.5 host 192.168.2.1
>!
>!
>line con 0
>  logging synchronous
>line aux 0
>line vty 0 4
>  login
>!
>end
>
>routera>>#
>Router B:
>hostname routerb>>
>!
>!
>!
>!
>!
>!
>clock timezone pacific -7
>ip subnet-zero
>ip host sun.com 192.168.0.2
>ip host jt-xixngte70fxo. 192.168.0.2
>ip host entrust.com 216.191.253.14
>ip domain-name jterry.net
>ip name-server 192.168.0.2
>!
>!
>!
>crypto ca identity sun.com
>  enrollment url http://192.168.0.2:80
>  query url ldap://192.168.0.2
>  crl optional
>crypto ca certificate chain sun.com
>  certificate 06
>   308201BF 30820169 A0030201 02020106 300D0609 2A864886
>   (truncated)
>quit
>  certificate ca 01
>   30820231 308201DB A0030201 02020101 300D0609 2A864886
>  (truncated)
>quit
>!
>crypto isakmp policy 1
>  hash md5
>crypto isakmp identity hostname
>!
>!
>crypto ipsec transform-set myset esp-des esp-sha-hmac
>!
>crypto map mymap 10 ipsec-isakmp
>  set peer 192.168.1.1
>  set transform-set myset
>  match address 100
>!
>!
>!
>!
>interface Ethernet0
>  ip address 192.168.2.1 255.255.255.0
>  no keepalive
>!
>interface Serial0
>  ip address 192.168.1.2 255.255.255.0
>  no fair-queue
>  clock rate 1300000
>  crypto map mymap
>!
>interface Serial1
>  no ip address
>  shutdown
>!
>router rip
>  network 192.168.1.0
>  network 192.168.2.0
>  no auto-summary
>!
>ip classless
>ip http server
>!
>access-list 100 permit ip host 192.168.2.1 host 192.168.0.5
>!
>!
>line con 0
>  logging synchronous
>line aux 0
>line vty 0 4
>  login
>!
>end
>
>routerb>>#
>
>JT
>
>----- Original Message -----
>From: <Lisa.K.Webster at mail.sprint.com>
>To: <jtixthus at attbi.com>
>Sent: Wednesday, July 03, 2002 11:31 AM
>Subject: RE: [vpn] VPN and RSA keys
>
>
> > Hi there...please be sure to copy everyone on what your findings are for
> > your situation.  We work with cisco routers and Sun iPlanet so I'm very
> > interested to know how to fix.
> >
> > Thank You!
> > Lisa K. Webster
> >
> > Department Admin
> > Solutions Engineering Group
> > Sprint E-Solutions Support Team
> > 1510 E. Rochelle, 2nd FL
> > Irving, Texas  75039-4307
> > Mailstop:  TXIVGK0202
> > VM:     972-405-1368
> > PX:       972-405-3515
> > PCS:    214-274-9532
> > Email:   Lisa.K.Webster at mail.sprint.com
> >
> >
> > -----Original Message-----
> > From: jtixthus [mailto:jtixthus at attbi.com]
> > Sent: Wednesday, July 03, 2002 12:00 PM
> > To: vpn
> > Subject: [vpn] VPN and RSA keys
> >
> >
> > Hi all,
> >
> > I need help!  I am now trying to authenticate a VPN between 2 Cisco routers
> > using Sun iPlanet.  Formerly I tried Microsoft CA server but someone on this
> > list suggested I try this.
> >
> > Well it seems the cert is pending on the router which means the iPlanet
> > server is not releasing it.  Any suggestions?
> >
> > I am at the point if anyone is in the Los Angeles area I am willing to
> > either pay them for help or allow use of my routers (at my place only).  I
> > have two 2524 and one 2610.
> >
> > Please let me know.
> >
> > JT
> >
> >
> >
> > VPN is sponsored by SecurityFocus.com
> >
> >
> >
>
>


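The checks Eric lists (mirror-image crypto ACLs, whether they cover whole subnets, and the peer/transform-set agreement that a failed phase 1 usually comes down to) can be run mechanically against two config dumps before turning on 'debug crypto isakmp'. The script below is an added example written for this page; it is not code from the thread, from Cisco, or from any product. The function names (wildcard_to_prefix, parse_peer_config, check_tunnel, sample_config) and the trimmed sample configs are this example's own; the samples are constructed from the addresses Jim posted, and the parser only understands the handful of IOS statements that appear in those configs (an assumption, not a general IOS parser).

```python
"""Added example (not code from the original thread): a consistency checker
for the IPsec/IKE settings of two Cisco IOS peers.  It parses the config
lines that matter for a site-to-site tunnel (crypto ACL, crypto map
peer/transform-set/match address, ISAKMP hash, the interface carrying the
crypto map) and reports where the two sides disagree.  Assumption: it only
understands the syntax used in the posted configs, not full IOS."""
from ipaddress import IPv4Address, IPv4Network

def wildcard_to_prefix(wildcard):
    """IOS wildcard mask (0.0.0.255) -> prefix length (24)."""
    w = int(IPv4Address(wildcard))
    if w & (w + 1):                      # must look like 0...01...1
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return 32 - w.bit_length()

def _ace_endpoint(tokens):
    """Parse 'host A' or 'A wildcard'; return (IPv4Network, remaining tokens)."""
    if tokens[0] == "host":
        return IPv4Network(tokens[1]), tokens[2:]
    return IPv4Network((tokens[0], wildcard_to_prefix(tokens[1])), strict=False), tokens[2:]

def parse_peer_config(config):
    """Extract the tunnel-relevant settings from one router's config."""
    info = {"acls": {}, "maps": {}, "transform_sets": {}, "interfaces": {}, "hash": None}
    block = None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            continue
        if not raw[0].isspace():         # unindented line = new top-level command
            block = None
            if tokens[0] == "access-list" and tokens[2:4] == ["permit", "ip"]:
                src, rest = _ace_endpoint(tokens[4:])
                info["acls"].setdefault(tokens[1], []).append((src, _ace_endpoint(rest)[0]))
            elif tokens[:2] == ["crypto", "map"] and tokens[-1] == "ipsec-isakmp":
                block, info["maps"][tokens[2]] = ("map", tokens[2]), {}
            elif tokens[:3] == ["crypto", "ipsec", "transform-set"]:
                info["transform_sets"][tokens[3]] = tuple(tokens[4:])
            elif tokens[:3] == ["crypto", "isakmp", "policy"]:
                block = ("isakmp", tokens[3])
            elif tokens[0] == "interface":
                block, info["interfaces"][tokens[1]] = ("interface", tokens[1]), {}
        elif block is None:
            continue
        elif block[0] == "map" and tokens[0] in ("set", "match"):
            info["maps"][block[1]][tokens[1]] = tokens[2]   # peer, transform-set, address
        elif block[0] == "isakmp" and tokens[0] == "hash":
            info["hash"] = tokens[1]
        elif block[0] == "interface" and tokens[:2] == ["ip", "address"]:
            info["interfaces"][block[1]]["ip"] = tokens[2]
        elif block[0] == "interface" and tokens[:2] == ["crypto", "map"]:
            info["interfaces"][block[1]]["crypto_map"] = tokens[2]
    return info

def _bound_map(info):
    """(ip, crypto-map dict) of the interface carrying a crypto map, else None."""
    for iface in info["interfaces"].values():
        if "crypto_map" in iface:
            return iface.get("ip"), info["maps"].get(iface["crypto_map"], {})
    return None

def check_tunnel(cfg_a, cfg_b):
    """Compare two peers' configs; return a list of (level, message) findings."""
    a, b = parse_peer_config(cfg_a), parse_peer_config(cfg_b)
    bound_a, bound_b = _bound_map(a), _bound_map(b)
    if bound_a is None or bound_b is None:
        return [("error", "a crypto map is not applied to any interface on one side")]
    (ip_a, map_a), (ip_b, map_b) = bound_a, bound_b
    findings = []
    if map_a.get("peer") != ip_b or map_b.get("peer") != ip_a:
        findings.append(("error", "set peer does not match the other side's crypto interface"))
    if a["hash"] != b["hash"]:
        findings.append(("error", f"ISAKMP hash differs: {a['hash']} vs {b['hash']}"))
    ts = [x["transform_sets"].get(m.get("transform-set")) for x, m in ((a, map_a), (b, map_b))]
    if ts[0] != ts[1]:
        findings.append(("error", f"transform sets differ: {ts[0]} vs {ts[1]}"))
    acl_a = a["acls"].get(map_a.get("address"), [])
    acl_b = b["acls"].get(map_b.get("address"), [])
    if set(acl_a) != {(dst, src) for src, dst in acl_b}:   # must be exact mirror images
        findings.append(("error", "crypto ACLs are not mirror images of each other"))
    for src, dst in acl_a:
        if src.prefixlen == 32 and dst.prefixlen == 32:
            findings.append(("info", f"crypto ACL covers only {src} <-> {dst}, not whole subnets"))
    return findings

def sample_config(map_name, peer, serial_ip, acl):
    """Constructed sample using the addresses from the thread, trimmed to what the checker reads."""
    return (f"crypto isakmp policy 1\n hash md5\n"
            "crypto ipsec transform-set myset esp-des esp-sha-hmac\n"
            f"crypto map {map_name} 10 ipsec-isakmp\n set peer {peer}\n"
            " set transform-set myset\n match address 100\n"
            f"interface Serial0\n ip address {serial_ip} 255.255.255.0\n crypto map {map_name}\n"
            f"access-list 100 permit ip {acl}\n")

ROUTER_A = sample_config("vpn", "192.168.1.2", "192.168.1.1", "host 192.168.0.5 host 192.168.2.1")
ROUTER_B = sample_config("mymap", "192.168.1.1", "192.168.1.2", "host 192.168.2.1 host 192.168.0.5")
# Both sides rewritten with the subnet-to-subnet crypto ACLs suggested in the reply.
ROUTER_A_SUBNET = sample_config("vpn", "192.168.1.2", "192.168.1.1", "192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255")
ROUTER_B_SUBNET = sample_config("mymap", "192.168.1.1", "192.168.1.2", "192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255")
```

Feed check_tunnel() the two 'show running-config' dumps: on the posted configs it reports only the informational host-to-host note, widening the ACL on one side only produces the "not mirror images" error (the classic cause of one peer proposing a proxy identity the other rejects), and widening both sides produces no findings at all. The peer check compares 'set peer' against the address of the interface the other router's crypto map is actually bound to, which is what IKE on that router will source its packets from.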