asymmetric VPN tunnel trouble

Discussion in 'Cisco' started by adam.morrison, Jan 2, 2005.

    Hi,

    I'm running into trouble setting up an asymmetric IPSEC VPN between two
    3745 boxes running 12.2(15)T. I have a REMOTE router which is simply
    a gateway to some network (i.e. has two interfaces, internal and
    external) and a LOCAL router which is a multihomed gateway (3
    interfaces).

    I want to encrypt only traffic flowing from the REMOTE router to the
    LOCAL router; the way routing is set up dictates that the encrypted
    traffic will arrive on interface FastEthernet0/1 of LOCAL, but packets
    sent from LOCAL to REMOTE will be sent using the IP address of interface
    FastEthernet 0/0.

    According to the documentation, this scenario is what "identity
    hostname" is for --- but I can't set up the tunnel. Turning on debugging,
    I see that authentication works (almost) fine:

    LOCAL: ISAKMP (0:1): SA has been authenticated with 10.0.4.2
    ISAKMP (0:1): peer matches *none* of the profiles
    REMOTE: ISAKMP (0:1): SA has been authenticated with 10.0.1.2
    ISAKMP (0:1): peer matches *none* of the profiles

    But encryption doesn't seem to work, apparently because the packets
    arrive from the wrong IP:

    REMOTE: IPSEC(validate_transform_proposal): peer address 10.0.1.2 not found
    ISAKMP (0:1): IPSec policy invalidated proposal
    ISAKMP (0:1): phase 2 SA policy not acceptable! (local 10.0.4.2 remote 10.0.1.2)


    Any ideas? What am I missing?

    Below are the relevant configuration excerpts; note that for the
    experiments I created a setup where the tunnel can be used by a single
    host on each side.

    LOCAL:
    ------
    ip domain example.com
    ip host REMOTE.example.com 10.0.4.2
    !
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key EXAMPLE address 10.0.4.2
    crypto isakmp identity hostname
    !
    crypto ipsec transform-set ggg ah-md5-hmac esp-des esp-md5-hmac
    !
    crypto map remote 10 ipsec-isakmp
    description TO_REMOTE
    set peer 10.0.4.2
    set transform-set ggg
    match address 101
    !
    interface Tunnel1
    ip address 11.0.0.2 255.255.255.0
    tunnel source FastEthernet0/1
    tunnel destination 10.0.4.2
    !
    interface FastEthernet0/0
    ip address 10.0.1.2 255.255.255.0
    crypto map remote
    !
    interface FastEthernet0/1
    ip address 10.0.0.2 255.255.255.252
    crypto map remote
    !
    interface GigabitEthernet1/0
    ip address 10.0.0.5 255.255.255.252
    !
    ip route 12.0.0.2 255.255.255.255 10.0.1.1
    !
    access-list 101 permit ip host 10.0.0.6 host 12.0.0.2

    REMOTE:
    -------
    ip domain example.com
    ip host LOCAL.example.com 10.0.0.2 10.0.1.2
    !
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key EXAMPLE address 10.0.1.2
    crypto isakmp key EXAMPLE address 10.0.0.2
    crypto isakmp identity hostname
    !
    crypto ipsec transform-set ggg ah-md5-hmac esp-des esp-md5-hmac
    !
    crypto map remote 11 ipsec-isakmp
    description FROM_REMOTE
    set peer 10.0.0.2
    set transform-set ggg
    match address 100
    !
    interface Tunnel1
    ip address 11.0.0.1 255.255.255.0
    tunnel source FastEthernet0/1
    tunnel destination 10.0.0.2
    !
    interface FastEthernet0/0
    ip address 12.0.0.1 255.255.255.0
    !
    interface FastEthernet0/1
    ip address 10.0.4.2 255.255.255.0
    crypto map remote
    !
    interface GigabitEthernet1/0
    ip address 10.0.0.5 255.255.255.252
    !
    ip route 0.0.0.0 0.0.0.0 10.0.4.1
    !
    access-list 100 permit ip host 12.0.0.2 host 10.0.0.6
    adam.morrison, Jan 2, 2005
    #1
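A consistency check, added here as an illustration and not part of the thread or of Cisco's tooling, that parses the crypto map, interface and static-route lines of the two excerpts and reports when the address one router would source its IKE/IPsec packets from is not what the other router's `set peer` names. The excerpts are reconstructed from the post; the default route on LOCAL via 10.0.1.1 is an assumption standing in for the routing the poster describes, and only static routes are consulted.

```python
import ipaddress
# Constructed excerpts modelled on the posted configs; LOCAL's default route via 10.0.1.1 is an assumption.
LOCAL_CFG = """
crypto map remote 10 ipsec-isakmp
 set peer 10.0.4.2
interface FastEthernet0/0
 ip address 10.0.1.2 255.255.255.0
interface FastEthernet0/1
 ip address 10.0.0.2 255.255.255.252
ip route 0.0.0.0 0.0.0.0 10.0.1.1
"""
REMOTE_CFG = """
crypto map remote 11 ipsec-isakmp
 set peer 10.0.0.2
interface FastEthernet0/1
 ip address 10.0.4.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.4.1
"""

def parse(cfg):
    """Collect 'set peer' addresses, interface addresses and static routes from an IOS excerpt."""
    peers, ifaces, routes, cur = [], {}, [], None
    for s in (line.strip() for line in cfg.splitlines()):
        w = s.split()
        if s.startswith("interface "):
            cur = w[1]                                  # interface sub-commands follow
        elif s.startswith("ip address ") and cur:
            ifaces[cur] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        elif s.startswith("set peer "):
            peers.append(ipaddress.ip_address(w[2]))
        elif s.startswith("ip route "):
            routes.append((ipaddress.ip_network(f"{w[2]}/{w[3]}"), ipaddress.ip_address(w[4])))
    return peers, ifaces, routes

def source_address(ifaces, routes, dst):
    """Longest-prefix static route toward dst, then the connected interface holding the next hop."""
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen, default=None)
    target = best[1] if best else dst                   # no route: assume directly connected
    for name, addr in ifaces.items():
        if target in addr.network:
            return name, addr.ip
    return None, None

def check_peering(initiator_cfg, responder_cfg):
    """One finding per 'set peer' whose packets would carry a source the responder's map does not name."""
    peers, ifaces, routes = parse(initiator_cfg)
    expected = parse(responder_cfg)[0]
    results = [(peer, *source_address(ifaces, routes, peer)) for peer in peers]
    return [f"packets to {p} leave {n} as {s}, but responder's set peer is {[str(e) for e in expected]}"
            for p, n, s in results if s not in expected]
```

Run over the two excerpts, the LOCAL to REMOTE direction reports that packets leave FastEthernet0/0 as 10.0.1.2 while REMOTE's crypto map names 10.0.0.2, which is the same mismatch the "peer address 10.0.1.2 not found" debug line points at; the REMOTE to LOCAL direction returns no findings.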