I have a Cisco 2600 (12.3) at one facility and I need to create an
IPSec tunnel to the main facility via the Internet. The main facility
has an OpenSWAN server for IPSec connectivity. Phase 1 completes, but
the only way I can get Phase 2 to complete is with an ACL like "permit
ip any any" attached to the crypto map. Clearly that breaks
everything.
ip cef
no ip domain lookup
ip audit po max-events 100
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp key *********** address {REMOTEPUBLICIP}
crypto isakmp keepalive 10
crypto isakmp peer address {REMOTEIP}
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
crypto ipsec profile VPN
 set transform-set vpn
!
crypto map VPN 1 ipsec-isakmp
 description USD-TO-GRD
 set peer {REMOTEPUBLICIP}
 set transform-set vpn
 set pfs group2
 match address 102
!
interface Ethernet0/0
 ip address {LOCALPUBLICIP} 255.255.255.224
 full-duplex
 crypto map VPN
!
interface Ethernet0/1
 ip address 192.168.24.19 255.255.255.0
 full-duplex
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 {PUBLICGATEWAY}
access-list 102 permit ip any any
Otherwise Phase 2 fails with:
....
00:49:34: ISAKMP: transform 0, ESP_3DES
00:49:34: ISAKMP: attributes in transform:
00:49:34: ISAKMP: encaps is 1 (Tunnel)
00:49:34: ISAKMP: SA life type in seconds
00:49:34: ISAKMP: SA life duration (basic) of 28800
00:49:34: ISAKMP: authenticator is HMAC-MD5
00:49:34: ISAKMP (0:6): atts are acceptable.
00:49:34: ISAKMP (0:6): IPSec policy invalidated proposal
00:49:34: ISAKMP (0:6): phase 2 SA policy not acceptable! (local 216.120.174.238 remote 216.120.174.237)
00:49:34: ISAKMP: set new node -1915994121 to QM_IDLE
00:49:34: ISAKMP (0:6): Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 2197085600, message ID = -1915994121
....
Once the tunnel comes up with the any/any ACL rule, "show crypto ipsec
sa" looks like:
interface: Ethernet0/0
    Crypto map tag: VPN, local addr. X.X.X.X

   protected vrf:
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: 216.120.174.237:500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 195, #recv errors 0

     local crypto endpt.: X.X.X.X, remote crypto endpt.: Y.Y.Y.Y
     path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf:
   local  ident (addr/mask/prot/port): (192.0.0.0/192.0.0.0/0/0)        <<<<<<<<<<<<<<<
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)  <<<<<<<<<<<<
   current_peer: Y.Y.Y.Y:500
     PERMIT, flags={}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: X.X.X.X, remote crypto endpt.: Y.Y.Y.Y
     path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: EC1E6E98

     inbound esp sas:
      spi: 0xE73EA0FB(3879641339)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: VPN
        sa timing: remaining key lifetime (k/sec): (4455016/2996)
        IV size: 8 bytes
        replay detection support: Y
I don't understand why the local ident is 192.0.0.0 in
....
   local  ident (addr/mask/prot/port): (192.0.0.0/192.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
....
Can that be related to why no reasonable ACL rules work?
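An added illustration, not part of the original post or of the poster's configuration: the two "ident" lines in the output above are address/netmask pairs, and a netmask of 192.0.0.0 is a /2, so the peer is proposing 192.0.0.0/2 as the Cisco side's protected network. The Python below converts those selectors to CIDR, parses a Cisco crypto ACL entry (the wildcard-mask form) into networks, and checks whether the peer's proposal falls inside the ACL entry. The specific entry 192.168.24.0/24 -> 192.168.1.0/24 is an assumption about what a LAN-to-LAN entry would look like for the subnets in the post; the containment rule is a simplified model that is consistent with the any/any entry accepting the narrower proposal, not a reproduction of IOS's actual matching logic.

```python
import ipaddress
import re

# Constructed sample input: the shape of the two "ident" lines quoted in the
# post (addresses are the ones the poster showed).
SA_OUTPUT = """\
   protected vrf:
   local  ident (addr/mask/prot/port): (192.0.0.0/192.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: Y.Y.Y.Y:500
"""

# Crypto ACL entries: the any/any entry from the post, and a hypothetical
# LAN-to-LAN entry (192.168.24.0/24 on the Cisco side, 192.168.1.0/24 on the
# OpenSWAN side). Cisco ACL masks are wildcards (0 bits = must match).
ACL_ANY = "access-list 102 permit ip any any"
ACL_LAN = "access-list 102 permit ip 192.168.24.0 0.0.0.255 192.168.1.0 0.0.0.255"

IDENT_RE = re.compile(
    r"(local|remote)\s+ident \(addr/mask/prot/port\): \((\d[\d.]*)/(\d[\d.]*)/(\d+)/(\d+)\)"
)
ACL_RE = re.compile(r"permit ip (any|\d[\d.]* \d[\d.]*) (any|\d[\d.]* \d[\d.]*)$")


def parse_idents(text):
    """Return {'local': IPv4Network, 'remote': IPv4Network} for one SA.

    IOS prints each selector as address/netmask; ipaddress turns a dotted
    netmask such as 192.0.0.0 into its prefix length (/2).
    """
    idents = {}
    for side, addr, mask, _proto, _port in IDENT_RE.findall(text):
        idents[side] = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    return idents


def _acl_operand(token):
    """Turn 'any' or 'addr wildcard' into a network (a wildcard is a hostmask)."""
    if token == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, wildcard = token.split()
    return ipaddress.IPv4Network(f"{addr}/{wildcard}", strict=False)


def parse_crypto_acl(entry):
    """Return (source, destination) networks of a 'permit ip' crypto ACL entry."""
    m = ACL_RE.search(entry)
    if not m:
        raise ValueError(f"unsupported ACL entry: {entry!r}")
    return _acl_operand(m.group(1)), _acl_operand(m.group(2))


def proposal_matches(acl_entry, idents):
    """Simplified Phase 2 check: the peer's local/remote selectors must lie
    inside the ACL source/destination. This models what the post shows for
    the any/any entry (a narrower proposal was accepted); it is not IOS."""
    src, dst = parse_crypto_acl(acl_entry)
    return idents["local"].subnet_of(src) and idents["remote"].subnet_of(dst)


def diagnose(acl_entry, idents):
    """List which selector fails, so the two peers' configs can be compared."""
    src, dst = parse_crypto_acl(acl_entry)
    problems = []
    if not idents["local"].subnet_of(src):
        problems.append(f"peer proposes our side as {idents['local']}, ACL source is {src}")
    if not idents["remote"].subnet_of(dst):
        problems.append(f"peer proposes its side as {idents['remote']}, ACL destination is {dst}")
    return problems


if __name__ == "__main__":
    sel = parse_idents(SA_OUTPUT)
    print("proposed selectors:", sel)
    for acl in (ACL_ANY, ACL_LAN):
        print(acl, "->", "accepted" if proposal_matches(acl, sel) else diagnose(acl, sel))
```

Run as a script, it reports that the remote selector 192.168.1.0/24 fits the LAN entry while the local selector 192.0.0.0/2 does not, which narrows the comparison between the two configurations to how the peer defines the Cisco-side subnet.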