[vpn] VPN and RSA keys
Eric Vyncke
evyncke at cisco.com
Thu Jul 4 09:57:34 EDT 2002
A couple of comments on your configurations:
- I'm puzzled by the static IP route for 192.168.0.2
- usually, the crypto ACLs protect the whole subnet (but what you are
doing should work anyway); I would have expected permit ip 192.168.0.0
0.0.0.255 192.168.2.0 0.0.0.255
- the IKMP_NOT_ENCRYPTED alone is probably due to a bad key
exchange/authentication
- you may want to issue the commands 'debug crypto isakmp' and 'terminal
monitor' for more information
- did you check that the time is correct on both routers? 'show clock'
Hope this helps
-eric
At 11:50 3/07/2002 -0700, Jim Terry wrote:
>I got a little farther but still need assistance. The request was pending
>on the server so I did approve it.
>
>Now the debug on the router shows it received a packet from the remote peer
>that was not encrypted but it should have been. My ACLs appear to me to be
>correct.
>
>The routers are connected by the S0 interfaces. The ACLs are defined from
>E0 to E0.
>
>Here is what the debug says:
>%CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 192.168.1.2 was not
>encrypted and it should've been.
>Here is the explanation:
>Contact remote peer!
>
>
>Since this is a lab situation here are my configs
>Router A:
>hostname routera>>
>!
>clock timezone pacific -7
>ip subnet-zero
>ip host sun.com 192.168.0.2
>ip host entrust.com 216.191.253.14
>ip host jt-xixngte70fxo 192.168.0.2
>ip domain-name jterry.net
>ip name-server 192.168.0.2
>!
>!
>!
>crypto ca identity sun.com
> enrollment url http://192.168.0.2:80
> query url ldap://192.168.0.2
> crl optional
>crypto ca certificate chain sun.com
> certificate 09
> 308201BF 30820169 A0030201 02020109 300D0609 2A864886 F70D0101 04050030
> (truncated)
> quit
> certificate ca 01
> 30820231 308201DB A0030201 02020101 300D0609 2A864886
> (truncated)
>quit
>!
>crypto isakmp policy 1
> hash md5
>crypto isakmp identity hostname
>!
>!
>crypto ipsec transform-set myset esp-des esp-sha-hmac
>!
>crypto map vpn 10 ipsec-isakmp
> set peer 192.168.1.2
> set transform-set myset
> match address 100
>!
>!
>!
>!
>interface Ethernet0
> ip address 192.168.0.5 255.255.255.0
> ip helper-address 192.168.0.2
>!
>interface Serial0
> ip address 192.168.1.1 255.255.255.0
> crypto map vpn
>!
>interface Serial1
> no ip address
> shutdown
>!
>router rip
> network 192.168.0.0
> network 192.168.1.0
> no auto-summary
>!
>ip classless
>ip route 192.168.0.2 255.255.255.255 192.168.0.1
>ip http server
>!
>access-list 100 permit ip host 192.168.0.5 host 192.168.2.1
>!
>!
>line con 0
> logging synchronous
>line aux 0
>line vty 0 4
> login
>!
>end
>
>routera>>#
>Router B:
>hostname routerb>>
>!
>!
>!
>!
>!
>!
>clock timezone pacific -7
>ip subnet-zero
>ip host sun.com 192.168.0.2
>ip host jt-xixngte70fxo. 192.168.0.2
>ip host entrust.com 216.191.253.14
>ip domain-name jterry.net
>ip name-server 192.168.0.2
>!
>!
>!
>crypto ca identity sun.com
> enrollment url http://192.168.0.2:80
> query url ldap://192.168.0.2
> crl optional
>crypto ca certificate chain sun.com
> certificate 06
> 308201BF 30820169 A0030201 02020106 300D0609 2A864886
> (truncated)
>quit
> certificate ca 01
> 30820231 308201DB A0030201 02020101 300D0609 2A864886
> (truncated)
>quit
>!
>crypto isakmp policy 1
> hash md5
>crypto isakmp identity hostname
>!
>!
>crypto ipsec transform-set myset esp-des esp-sha-hmac
>!
>crypto map mymap 10 ipsec-isakmp
> set peer 192.168.1.1
> set transform-set myset
> match address 100
>!
>!
>!
>!
>interface Ethernet0
> ip address 192.168.2.1 255.255.255.0
> no keepalive
>!
>interface Serial0
> ip address 192.168.1.2 255.255.255.0
> no fair-queue
> clock rate 1300000
> crypto map mymap
>!
>interface Serial1
> no ip address
> shutdown
>!
>router rip
> network 192.168.1.0
> network 192.168.2.0
> no auto-summary
>!
>ip classless
>ip http server
>!
>access-list 100 permit ip host 192.168.2.1 host 192.168.0.5
>!
>!
>line con 0
> logging synchronous
>line aux 0
>line vty 0 4
> login
>!
>end
>
>routerb>>#
>
>JT
>
>----- Original Message -----
>From: <Lisa.K.Webster at mail.sprint.com>
>To: <jtixthus at attbi.com>
>Sent: Wednesday, July 03, 2002 11:31 AM
>Subject: RE: [vpn] VPN and RSA keys
>
>
> > Hi there...please be sure to copy everyone on what your findings are for
> > your situation. We work with Cisco routers and Sun iPlanet so I'm very
> > interested to know how to fix.
> >
> > Thank You!
> > Lisa K. Webster
> >
> > Department Admin
> > Solutions Engineering Group
> > Sprint E-Solutions Support Team
> > 1510 E. Rochelle, 2nd FL
> > Irving, Texas 75039-4307
> > Mailstop: TXIVGK0202
> > VM: 972-405-1368
> > PX: 972-405-3515
> > PCS: 214-274-9532
> > Email: Lisa.K.Webster at mail.sprint.com
> >
> >
> > -----Original Message-----
> > From: jtixthus [mailto:jtixthus at attbi.com]
> > Sent: Wednesday, July 03, 2002 12:00 PM
> > To: vpn
> > Subject: [vpn] VPN and RSA keys
> >
> >
> > Hi all,
> >
> > I need help! I am now trying to authenticate a VPN between 2 Cisco routers
> > using Sun iPlanet. Formerly I tried Microsoft CA server but someone on this
> > list suggested I try this.
> >
> > Well it seems the cert is pending on the router which means the iPlanet
> > server is not releasing it. Any suggestions?
> >
> > I am at the point if anyone is in the Los Angeles area I am willing to
> > either pay them for help or allow use of my routers (at my place only). I
> > have two 2524 and one 2610.
> >
> > Please let me know.
> >
> > JT
> >
> >
> >
> > VPN is sponsored by SecurityFocus.com
> >
> >
> >
>
>
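Added example, not part of Eric's reply or of Jim's configs: a small Python checker that reads the crypto-relevant lines of two IOS peer configurations and flags the things Eric's bullets point at, namely 'set peer' addresses that do not point at the other router's crypto-map interface, crypto ACLs that are not mirror images of each other, and transform sets that differ. The sample configs embedded below are copied from the two configs posted in the thread; the SUBNET_A / SUBNET_B variants are constructed from the whole-subnet ACL Eric suggests, so the checker can be seen catching the case where only one side was changed. The parser and all function names are my own and understand only the IOS syntax that appears in the thread (it does not parse ISAKMP policies or the certificate chain; the clock and CA questions Eric raises still need 'show clock' and 'debug crypto isakmp' on the boxes).

```python
import ipaddress

# Constructed sample input: the crypto-relevant lines of routera and routerb,
# copied from the configurations posted in the thread.
ROUTER_A = """\
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set myset
 match address 100
interface Serial0
 ip address 192.168.1.1 255.255.255.0
 crypto map vpn
access-list 100 permit ip host 192.168.0.5 host 192.168.2.1
"""
ROUTER_B = """\
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set myset
 match address 100
interface Serial0
 ip address 192.168.1.2 255.255.255.0
 crypto map mymap
access-list 100 permit ip host 192.168.2.1 host 192.168.0.5
"""
# Constructed variants carrying the whole-subnet ACL Eric suggested.
SUBNET_A = ROUTER_A.replace("host 192.168.0.5 host 192.168.2.1",
                            "192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255")
SUBNET_B = ROUTER_B.replace("host 192.168.2.1 host 192.168.0.5",
                            "192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255")

def wildcard_to_network(addr, wildcard):
    """IOS wildcard is an inverted mask: 0.0.0.255 means /24."""
    netmask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefixlen = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous wildcard %s" % wildcard)  # legal in IOS, not one network
    return ipaddress.IPv4Network((addr, prefixlen), strict=False)

def _addr(tok, i):
    # One ACL operand starting at tok[i]: 'host A.B.C.D' or 'A.B.C.D wildcard'.
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    return wildcard_to_network(tok[i], tok[i + 1]), i + 2

def parse_ios(text):
    """Extract ACLs, transform sets, crypto maps and interfaces (thread's IOS subset only)."""
    cfg = {"acls": {}, "ts": {}, "maps": {}, "intf": {}}
    block = None  # (kind, name) of the section whose indented lines follow
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        if line[0] == " " and block:
            kind, name = block
            if kind == "maps" and tok[0] in ("set", "match"):
                cfg["maps"][name][tok[1]] = tok[2]   # peer / transform-set / address
            elif kind == "intf" and tok[:2] in (["ip", "address"], ["crypto", "map"]):
                cfg["intf"][name][tok[1]] = tok[2]   # address / map
            continue
        block = None
        if tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
            src, i = _addr(tok, 4)
            cfg["acls"].setdefault(tok[1], []).append((src, _addr(tok, i)[0]))
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["ts"][tok[3]] = tuple(tok[4:])
        elif tok[:2] == ["crypto", "map"] and len(tok) == 5:  # crypto map NAME SEQ ipsec-isakmp
            block = ("maps", tok[2])
        elif tok[0] == "interface":
            block = ("intf", tok[1])
        if block:
            cfg[block[0]].setdefault(block[1], {})
    return cfg

def bound_map(cfg):
    # The crypto map applied to an interface, plus that interface's address.
    for intf in cfg["intf"].values():
        if intf.get("map") in cfg["maps"]:
            return cfg["maps"][intf["map"]], intf.get("address")
    raise ValueError("no crypto map is applied to any interface")

def compare_vpn_peers(text_a, text_b):
    """Return {'errors': [...], 'warnings': [...]} for a pair of peer configs."""
    a, b = parse_ios(text_a), parse_ios(text_b)
    (map_a, ip_a), (map_b, ip_b) = bound_map(a), bound_map(b)
    errors, warnings = [], []
    # 1. 'set peer' must name the address the other side applies its map on.
    for side, m, other in (("A", map_a, ip_b), ("B", map_b, ip_a)):
        if m.get("peer") != other:
            errors.append("%s sets peer %s but the other crypto-map interface is %s"
                          % (side, m.get("peer"), other))
    # 2. Crypto ACLs must be exact mirror images (source/destination swapped).
    acl_a = set(a["acls"].get(map_a.get("address"), []))
    acl_b = set(b["acls"].get(map_b.get("address"), []))
    if acl_a != {(d, s) for s, d in acl_b}:
        errors.append("crypto ACLs are not mirror images: A=%s B=%s" % (
            ["%s->%s" % p for p in sorted(acl_a)], ["%s->%s" % p for p in sorted(acl_b)]))
    # 3. Transform sets are compared by algorithm list; the local names may differ.
    if a["ts"].get(map_a.get("transform-set")) != b["ts"].get(map_b.get("transform-set")):
        errors.append("transform sets differ")
    # 4. Eric's remark: host-only ACLs work, but only the two router addresses are
    #    protected; other traffic between the LANs crosses the link in the clear.
    if acl_a and all(s.prefixlen == 32 and d.prefixlen == 32 for s, d in acl_a):
        warnings.append("crypto ACL matches single hosts only; LAN-to-LAN traffic is not tunnelled")
    return {"errors": errors, "warnings": warnings}
```

Calling compare_vpn_peers(ROUTER_A, ROUTER_B) on the configs as posted returns no errors and one warning (the host-only ACL); compare_vpn_peers(SUBNET_A, ROUTER_B) reports the ACL mismatch that results from changing only one side to Eric's subnet ACL, and compare_vpn_peers(SUBNET_A, SUBNET_B) is clean. The esp-des and md5 settings in the thread are the 2002 lab values being debugged, not a recommendation.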