#1
Hi,
I'm running into trouble setting up an asymmetric IPSEC VPN between two 3745 boxes running 12.2(15)T. I have a REMOTE router which is simply a gateway to some network (i.e. has two interfaces, internal and external) and a LOCAL router which is a multihomed gateway (3 interfaces). I want to encrypt only traffic flowing from the REMOTE router to the LOCAL router; the way routing is set up dictates that the encrypted traffic will arrive on interface FastEthernet0/1 of LOCAL, but packets sent from LOCAL to REMOTE will be sent using the IP address of interface FastEthernet0/0. According to the documentation, this scenario is what "identity hostname" is for --- but I can't set up the tunnel.

Turning on debugging, I see that authentication works (almost) fine:

```
LOCAL:
ISAKMP (0:1): SA has been authenticated with 10.0.4.2
ISAKMP (0:1): peer matches *none* of the profiles

REMOTE:
ISAKMP (0:1): SA has been authenticated with 10.0.1.2
ISAKMP (0:1): peer matches *none* of the profiles
```

But encryption doesn't seem to work, apparently because the packets arrive from the wrong IP:

```
REMOTE:
IPSEC(validate_transform_proposal): peer address 10.0.1.2 not found
ISAKMP (0:1): IPSec policy invalidated proposal
ISAKMP (0:1): phase 2 SA policy not acceptable! (local 10.0.4.2 remote 10.0.1.2)
```

Any ideas? What am I missing? Below are the relevant configuration excerpts; note that for the experiments I created a setup where the tunnel can be used by a single host on each side.

LOCAL:
------

```
ip domain example.com
ip host REMOTE.example.com 10.0.4.2
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE address 10.0.4.2
crypto isakmp identity hostname
!
crypto ipsec transform-set ggg ah-md5-hmac esp-des esp-md5-hmac
!
crypto map remote 10 ipsec-isakmp
 description TO_REMOTE
 set peer 10.0.4.2
 set transform-set ggg
 match address 101
!
interface Tunnel1
 ip address 11.0.0.2 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel destination 10.0.4.2
!
interface FastEthernet0/0
 ip address 10.0.1.2 255.255.255.0
 crypto map remote
!
interface FastEthernet0/1
 ip address 10.0.0.2 255.255.255.252
 crypto map remote
!
interface GigabitEthernet1/0
 ip address 10.0.0.5 255.255.255.252
!
ip route 12.0.0.2 255.255.255.255 10.0.1.1
!
access-list 101 permit ip host 10.0.0.6 host 12.0.0.2
```

REMOTE:
-------

```
ip domain example.com
ip host LOCAL.example.com 10.0.0.2 10.0.1.2
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE address 10.0.1.2
crypto isakmp key EXAMPLE address 10.0.0.2
crypto isakmp identity hostname
!
crypto ipsec transform-set ggg ah-md5-hmac esp-des esp-md5-hmac
!
crypto map remote 11 ipsec-isakmp
 description FROM_REMOTE
 set peer 10.0.0.2
 set transform-set ggg
 match address 100
!
interface Tunnel1
 ip address 11.0.0.1 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel destination 10.0.0.2
!
interface FastEthernet0/0
 ip address 12.0.0.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.0.4.2 255.255.255.0
 crypto map remote
!
interface GigabitEthernet1/0
 ip address 10.0.0.5 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.0.4.1
!
access-list 100 permit ip host 12.0.0.2 host 10.0.0.6
```

adam.morrison@pobox.com
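As an added example (not part of the post above), a small Python consistency check over constructed copies of the two excerpts: it records which interface addresses carry the crypto map on each router and flags any such address that the other side neither lists with `set peer` nor covers with a `crypto isakmp key`. On these excerpts it reports LOCAL's FastEthernet0/0 address, the same 10.0.1.2 that the "peer address ... not found" debug line names.

```python
# Constructed copies of the two excerpts from the post, trimmed to the lines this check reads.
LOCAL_CFG = """
crypto isakmp key EXAMPLE address 10.0.4.2
crypto map remote 10 ipsec-isakmp
 set peer 10.0.4.2
interface FastEthernet0/0
 ip address 10.0.1.2 255.255.255.0
 crypto map remote
interface FastEthernet0/1
 ip address 10.0.0.2 255.255.255.252
 crypto map remote
"""
REMOTE_CFG = """
crypto isakmp key EXAMPLE address 10.0.1.2
crypto isakmp key EXAMPLE address 10.0.0.2
crypto map remote 11 ipsec-isakmp
 set peer 10.0.0.2
interface FastEthernet0/1
 ip address 10.0.4.2 255.255.255.0
 crypto map remote
"""

def parse(cfg):
    """Return ({address: interface} for interfaces carrying a crypto map, set-peer addresses, ISAKMP-key addresses)."""
    crypto_if, peers, keys = {}, set(), set()
    iface = addr = None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("interface "):
            iface, addr = line.split()[1], None
        elif line.startswith("ip address ") and iface:
            addr = line.split()[2]
        elif line.startswith("crypto map ") and len(line.split()) == 3 and addr:  # interface-level form only
            crypto_if[addr] = iface
        elif line.startswith("set peer "):
            peers.add(line.split()[2])
        elif line.startswith("crypto isakmp key "):
            keys.add(line.split()[-1])
    return crypto_if, peers, keys

def check(a_name, a_cfg, b_name, b_cfg):
    """Any crypto-map address on A can source IKE toward B, so B must name it as a peer and hold a key for it."""
    a_if = parse(a_cfg)[0]
    _, b_peers, b_keys = parse(b_cfg)
    findings = []
    for addr in sorted(a_if):
        for have, what in ((b_peers, "set peer"), (b_keys, "crypto isakmp key ... address")):
            if addr not in have:
                findings.append(f"{a_name} {a_if[addr]} ({addr}) carries the crypto map but {b_name} has no '{what} {addr}'")
    return findings
```

Run it in both directions, `check("LOCAL", LOCAL_CFG, "REMOTE", REMOTE_CFG)` and the reverse, and print each finding; the reverse direction comes back empty for these excerpts.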