asymmetric VPN tunnel trouble

Discussion in 'Cisco' started by adam.morrison@pobox.com, Jan 2, 2005.

    Hi,

    I'm running into trouble setting up an asymmetric IPSEC VPN between two
    3745 boxes running 12.2(15)T. I have a REMOTE router which is simply
    a gateway to some network (i.e. has two interfaces, internal and
    external) and a LOCAL router which is a multihomed gateway (3
    interfaces).

    I want to encrypt only traffic flowing from the REMOTE router to the
    LOCAL router; the way routing is set up dictates that the encrypted
    traffic will arrive on interface FastEthernet0/1 of LOCAL, but packets
    sent from LOCAL to REMOTE will be sent using the IP address of interface
    FastEthernet0/0.

    According to the documentation, this scenario is what "identity
    hostname" is for --- but I can't set up the tunnel. Turning on
    debugging, I see that authentication works (almost) fine:

    LOCAL:
    ISAKMP (0:1): SA has been authenticated with 10.0.4.2
    ISAKMP (0:1): peer matches *none* of the profiles

    REMOTE:
    ISAKMP (0:1): SA has been authenticated with 10.0.1.2
    ISAKMP (0:1): peer matches *none* of the profiles

    But encryption doesn't seem to work, apparently because the packets
    arrive from the wrong IP:

    REMOTE:
    IPSEC(validate_transform_proposal): peer address 10.0.1.2 not found
    ISAKMP (0:1): IPSec policy invalidated proposal
    ISAKMP (0:1): phase 2 SA policy not acceptable! (local 10.0.4.2 remote 10.0.1.2)


    Any ideas? What am I missing?

    Below are the relevant configuration excerpts; note that for the
    experiments I created a setup where the tunnel can be used by a single
    host on each side.

    LOCAL:
    ------
    ip domain example.com
    ip host REMOTE.example.com 10.0.4.2
    !
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key EXAMPLE address 10.0.4.2
    crypto isakmp identity hostname
    !
    crypto ipsec transform-set ggg ah-md5-hmac esp-des esp-md5-hmac
    !
    crypto map remote 10 ipsec-isakmp
    description TO_REMOTE
    set peer 10.0.4.2
    set transform-set ggg
    match address 101
    !
    interface Tunnel1
    ip address 11.0.0.2 255.255.255.0
    tunnel source FastEthernet0/1
    tunnel destination 10.0.4.2
    !
    interface FastEthernet0/0
    ip address 10.0.1.2 255.255.255.0
    crypto map remote
    !
    interface FastEthernet0/1
    ip address 10.0.0.2 255.255.255.252
    crypto map remote
    !
    interface GigabitEthernet1/0
    ip address 10.0.0.5 255.255.255.252
    !
    ip route 12.0.0.2 255.255.255.255 10.0.1.1
    !
    access-list 101 permit ip host 10.0.0.6 host 12.0.0.2

    REMOTE:
    -------
    ip domain example.com
    ip host LOCAL.example.com 10.0.0.2 10.0.1.2
    !
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key EXAMPLE address 10.0.1.2
    crypto isakmp key EXAMPLE address 10.0.0.2
    crypto isakmp identity hostname
    !
    crypto ipsec transform-set ggg ah-md5-hmac esp-des esp-md5-hmac
    !
    crypto map remote 11 ipsec-isakmp
    description FROM_REMOTE
    set peer 10.0.0.2
    set transform-set ggg
    match address 100
    !
    interface Tunnel1
    ip address 11.0.0.1 255.255.255.0
    tunnel source FastEthernet0/1
    tunnel destination 10.0.0.2
    !
    interface FastEthernet0/0
    ip address 12.0.0.1 255.255.255.0
    !
    interface FastEthernet0/1
    ip address 10.0.4.2 255.255.255.0
    crypto map remote
    !
    interface GigabitEthernet1/0
    ip address 10.0.0.5 255.255.255.252
    !
    ip route 0.0.0.0 0.0.0.0 10.0.4.1
    !
    access-list 100 permit ip host 12.0.0.2 host 10.0.0.6
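An added diagnostic, not from the thread and not a Cisco tool: the posted debug output shows REMOTE completing phase 1 with 10.0.1.2 while its crypto map only carries `set peer 10.0.0.2`. A crypto map's `set peer` is matched against the IKE peer's source address; `crypto isakmp identity hostname` changes what goes in the ISAKMP ID payload, not the address the phase 2 proposal is validated against. The script below takes the REMOTE excerpt and debug lines from the post (embedded here as constructed input so it runs offline), cross-checks every peer address seen in the negotiation against `set peer` and the pre-shared-key address bindings, and also flags the single-DES and HMAC-MD5 transforms, which are long deprecated. The function names and finding kinds are mine.

```python
"""Cross-check an IOS crypto map against ISAKMP/IPsec debug output.

Added example: the config and debug text below are constructed from the
REMOTE excerpt and debug lines in the post, not captured from a device.
"""
import re

# Transforms a current reviewer would flag: single DES and HMAC-MD5.
WEAK_TRANSFORMS = {"esp-des", "ah-md5-hmac", "esp-md5-hmac"}

# Constructed from the REMOTE configuration excerpt in the post.
REMOTE_CONFIG = """\
crypto isakmp key EXAMPLE address 10.0.1.2
crypto isakmp key EXAMPLE address 10.0.0.2
crypto isakmp identity hostname
crypto ipsec transform-set ggg ah-md5-hmac esp-des esp-md5-hmac
crypto map remote 11 ipsec-isakmp
 description FROM_REMOTE
 set peer 10.0.0.2
 set transform-set ggg
 match address 100
"""

# Constructed from the REMOTE debug lines in the post.
REMOTE_DEBUG = """\
ISAKMP (0:1): SA has been authenticated with 10.0.1.2
ISAKMP (0:1): peer matches *none* of the profiles
IPSEC(validate_transform_proposal): peer address 10.0.1.2 not found
ISAKMP (0:1): IPSec policy invalidated proposal
ISAKMP (0:1): phase 2 SA policy not acceptable! (local 10.0.4.2 remote 10.0.1.2)
"""


def parse_config(text):
    """Pull out the parts of an IOS config that decide which IKE peers are accepted."""
    cfg = {"peers": set(), "key_addrs": set(), "transforms": {}, "identity": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"set peer (\S+)$", line):
            cfg["peers"].add(m.group(1))
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            cfg["key_addrs"].add(m.group(1))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            cfg["transforms"][m.group(1)] = m.group(2).split()
        elif m := re.match(r"crypto isakmp identity (\S+)$", line):
            cfg["identity"] = m.group(1)
    return cfg


def observed_peers(debug_text):
    """IKE peer addresses the router actually negotiated with, per the debug log."""
    peers = set()
    for line in debug_text.splitlines():
        if m := re.search(r"SA has been authenticated with (\S+)", line):
            peers.add(m.group(1))
        if m := re.search(r"peer address (\S+) not found", line):
            peers.add(m.group(1))
        if m := re.search(r"\(local \S+ remote (\S+)\)", line):
            peers.add(m.group(1))
    return peers


def audit(cfg, debug_text):
    """Return (kind, detail) findings, sorted so the output is stable.

    unknown-peer:   a negotiated peer address no crypto map 'set peer' covers,
                    which is exactly what 'peer address ... not found' means.
    no-psk:         a negotiated peer with no 'crypto isakmp key ... address'.
    weak-transform: a transform-set entry using DES or MD5.
    """
    findings = []
    for addr in sorted(observed_peers(debug_text)):
        if addr not in cfg["peers"]:
            findings.append(("unknown-peer", addr))
        if addr not in cfg["key_addrs"]:
            findings.append(("no-psk", addr))
    for name, algs in sorted(cfg["transforms"].items()):
        for alg in sorted(set(algs) & WEAK_TRANSFORMS):
            findings.append(("weak-transform", f"{name}:{alg}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(parse_config(REMOTE_CONFIG), REMOTE_DEBUG):
        print(f"{kind:15} {detail}")
```

Run against the posted REMOTE excerpt this reports 10.0.1.2 as a peer that REMOTE authenticated but has no `set peer` for, while the pre-shared key for that address is present, which matches the debug sequence in the post (phase 1 succeeds, phase 2 proposal rejected). IOS also has `crypto map <map-name> local-address <interface>` to make a map applied to several interfaces source IKE and IPsec from one interface's address; whether that fits the asymmetric routing here is a design decision for the poster, not something this check can settle.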