From: Mike Gauthier on 8 Nov 2007 12:56

I'm trying to convert a crypto map VPN to an ip unnumbered VTI. The crypto map has been working for months. The VTI... not so much. Here are the applicable config entries.

### original config
!
crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key xxxxxxxx address 10.1.1.10
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto map CRYPTO 50 ipsec-isakmp
 set peer 10.1.1.10
 set transform-set 3DES-SHA
 set pfs group2
 match address VPN1
!
ip access-list extended VPN1
 permit ip host 172.16.16.10 host 10.5.5.1
 permit ip host 172.16.16.10 host 10.5.5.4

I only removed the crypto map and added the following.

### New Config
crypto ipsec profile V1
 set security-association lifetime seconds 28800
 set transform-set 3DES-SHA
 set pfs group2
!
interface Tunnel0
 ip unnumbered FastEthernet0/0
 ip nat outside
 ip virtual-reassembly
 tunnel source 172.16.8.1
 tunnel destination 10.1.1.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile V1

I keep getting this ISAKMP error now.

ISAKMP:(0:54:HW:2):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 10.1.1.10)

Any help would be greatly appreciated. Also... I have no idea what is running on the other end (it's a partner network), but I suspect it's a crypto map on IOS.

Thank you!

MikeG
From: Darren Green on 9 Nov 2007 12:38

On 8 Nov, 17:56, Mike Gauthier <thalio...(a)3cx.org> wrote:
> [...]

Mike,

Hi.

Before you go any further I would recommend that you find out what you are connecting to.

Using VTIs is different from using static crypto maps. On a VTI you do not define (AFAIK) a crypto ACL. Using a VTI is like saying permit ip any any in a crypto ACL.

On the remote end, if they are running e.g. a PIX or router with a standard crypto map, there will be a crypto ACL which you should be mirroring; I suspect this is not the case though.

Any reason why you wanted to use a VTI?

Regards
Darren
From: Merv on 10 Nov 2007 03:34

You may want to compare debug isakmp from working and non-working setups:

1. post show version and show interface tu 0
2. return to original config
3. capture debug isakmp sa
4. configure IPSEC profile with crypto map
5. capture debug isakmp sa with this setup
6. config new config with VTI setup
7. capture debug isakmp sa with this setup

In main mode, there will be an exchange of 6 IKE packets.

From the debugs you should see how far you are getting.

The VTI tunnel interface will not come up until the SAs are built (i.e. it will be in up - down state).
From: Mike Gauthier on 11 Nov 2007 10:35

On Fri, 09 Nov 2007 09:38:02 -0800, Darren Green wrote:
> [...]
> Using VTI's is different from using static crypto maps. On a VTI you do
> not define (AFAIK) a crypto ACL. Using a VTI is like saying permit ip
> any any in a crypto acl.
>
> On the remote end if they are running e.g a PIX or router with a
> standard crypto map, there will be a crypto-acl which you should be
> mirroring, I suspect this is not the case though.
>
> Any reason why you wanted to use a VTI ?
>
> Regards
>
> Darren

Actually, not knowing what's on the other end is part of the exercise. My employer has thought it a good idea to offer VPN connectivity to our clients. Clients can mean a large corporation and a proper networking team, but mostly it means a small to medium sized business with limited network skills. Then... there can also be a language barrier as we're a global company.

I understand what you mean about not having a crypto ACL on a VTI. There is a permit ip any any (you'll see it if you do a show crypto session), but you can apply an ACL to the tun interface to simulate one. This is how I suspect one would mirror the crypto ACL.

I want to use a VTI for monitoring purposes. Since it is an interface, it can be monitored (both state and bandwidth). I'm trying to make what could turn into a large number of VPNs much easier for our support team to support. With a VTI, we can show support a green or red light per VPN tunnel. We can't really do that with a crypto map (that I'm aware of).

Thanks for the reply BTW. Appreciate it Darren.

Regards,

MikeG
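The mismatch Darren describes (a crypto map negotiates the host/host pairs of its crypto ACL, a VTI negotiates 0.0.0.0/0 to 0.0.0.0/0, and Mike's `show crypto session` shows exactly that any/any identity) can be checked mechanically before the change goes in. The following is an added example, not code from the thread or from Cisco: it pulls the proxy identities out of the two IOS snippets Mike posted and compares them with a peer config. The partner configs `PARTNER_GUESS` and `PARTNER_ANY` are constructed here (the thread never shows the partner side), and the matching rule is a deliberately simplified model: a proposal is accepted only when the peer holds its exact mirror image.

```python
"""Added example: derive the IPsec proxy identities (quick-mode traffic
selectors) an IOS config would negotiate and check two configs against each
other.  Assumption/simplification: a proposal is accepted only if the peer
holds its exact mirror image (real IOS/PIX matching has more cases)."""
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")


def _operand(tokens):
    """Consume one ACL address operand: 'any', 'host A' or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 -> 255.255.255.0
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(tokens[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]


# The two configs from the thread, trimmed to the lines that matter.
CRYPTO_MAP_SIDE = """
crypto map CRYPTO 50 ipsec-isakmp
 set peer 10.1.1.10
 match address VPN1
!
ip access-list extended VPN1
 permit ip host 172.16.16.10 host 10.5.5.1
 permit ip host 172.16.16.10 host 10.5.5.4
"""
VTI_SIDE = """
interface Tunnel0
 ip unnumbered FastEthernet0/0
 tunnel source 172.16.8.1
 tunnel destination 10.1.1.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile V1
"""
# Constructed guesses at the partner side (not shown anywhere in the thread):
# a crypto map whose ACL mirrors VPN1, and one with permit ip any any.
PARTNER_GUESS = """
crypto map PARTNER 10 ipsec-isakmp
 set peer 172.16.8.1
 match address TO-VPN1
!
ip access-list extended TO-VPN1
 permit ip host 10.5.5.1 host 172.16.16.10
 permit ip host 10.5.5.4 host 172.16.16.10
"""
PARTNER_ANY = """
crypto map PARTNER 10 ipsec-isakmp
 set peer 172.16.8.1
 match address TO-VTI
!
ip access-list extended TO-VTI
 permit ip any any
"""


def selectors(config):
    """Proxy IDs a config would negotiate: a set of (src, dst) ip_network pairs."""
    acls, map_acls, vti, sect = {}, [], False, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"ip access-list extended (\S+)$", line):
            sect = ("acl", m.group(1))
            acls.setdefault(m.group(1), [])
        elif re.match(r"crypto map \S+ \d+ ipsec-isakmp$", line):
            sect = ("map",)
        elif re.match(r"interface Tunnel\d+$", line):
            sect = ("tun",)
        elif re.match(r"(crypto|interface|ip access-list) ", line):
            sect = None                      # some other top-level block: not modelled
        elif sect and sect[0] == "acl" and line.startswith("permit ip "):
            src, rest = _operand(line.split()[2:])
            dst, _ = _operand(rest)
            acls[sect[1]].append((src, dst))
        elif sect and sect[0] == "map" and line.startswith("match address "):
            map_acls.append(line.split()[2])
        elif sect and sect[0] == "tun" and line == "tunnel mode ipsec ipv4":
            vti = True                       # IPsec VTI: identities are any/any
    out = {(ANY, ANY)} if vti else set()
    for name in map_acls:
        out.update(acls.get(name, []))
    return out


def check_interop(local_cfg, remote_cfg):
    """Map each local (src, dst) pair to True if the remote holds its mirror image."""
    remote_mirror = {(dst, src) for src, dst in selectors(remote_cfg)}
    return {pair: pair in remote_mirror for pair in selectors(local_cfg)}


if __name__ == "__main__":
    for name, local in (("crypto map", CRYPTO_MAP_SIDE), ("VTI", VTI_SIDE)):
        for (src, dst), ok in check_interop(local, PARTNER_GUESS).items():
            print(f"{name:10s} {src} -> {dst}: {'mirrored' if ok else 'NO mirror on peer'}")
```

Run against the constructed mirrored crypto map, the original crypto map matches on both ACL entries and the VTI's single any/any identity matches nothing; against `PARTNER_ANY` the VTI matches. That is the practical consequence of Darren's point: moving one end to a VTI only works if the partner's crypto ACL becomes `permit ip any any` (or the partner moves to a VTI too), and an ACL applied to the tunnel interface filters traffic but does not change what is negotiated.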
From: Mike Gauthier on 11 Nov 2007 11:00

On Sat, 10 Nov 2007 00:34:44 -0800, Merv wrote:
> You may want to compare debug isakmp from working and non-working
> setups:
>
> 1. post show version and show interface tu 0

--
Router#sho ver
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

qsv-cvpnc1 uptime is 3 days, 15 hours, 28 minutes
System returned to ROM by reload at 00:39:57 UTC Thu Nov 8 2007
System image file is "flash:c2800nm-advipservicesk9-mz.124-12.bin"

This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to export(a)cisco.com.

Cisco 2811 (revision 53.50) with 249856K/12288K bytes of memory.
Processor board ID FTX1048A3RX
2 FastEthernet interfaces
2 Serial interfaces
2 Virtual Private Network (VPN) Modules
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102
--

Can't do a show int tun0 right now because...

> 2. return to original config

... I've done just this.

> 3. capture debug isakmp sa

I did that, but the only error I was seeing was

> 4. configure IPSEC profile with crypto map
>
> 5. capture debug isakmp sa with this setup
>
> 6. config new config with VTI setup
>
> 7. capture debug isakmp sa with this setup
>
> In main mode, there will be an exchange of 6 IKE packets.
>
> From the debugs you should see how far you are getting.
>
> The VTI tunnel interface will not come up until the SAs are built (i.e.
> it will be in up - down state).
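Merv's procedure comes down to reading `debug crypto isakmp` output and seeing how many of the six main-mode packets were exchanged before things stopped. The error Mike posted already answers part of that: the deletion happens in state `QM_IDLE`, which IOS only reaches after main mode has completed, so the ISAKMP SA was built and the failure is in quick mode (IPsec SA negotiation), not in the pre-shared key or ISAKMP policy. The classifier below is an added example, not code from the thread or from Cisco. The two debug transcripts in it are constructed to look like IOS 12.4 `debug crypto isakmp` state-transition lines (`Old State = ... New State = IKE_I_MMn`, `IKE_P1_COMPLETE`, `deleting SA reason ...`) and are not captures from Mike's router; only the final deletion line of the first transcript is the one he posted.

```python
"""Added example: summarise how far an IOS IKEv1 negotiation got from
'debug crypto isakmp' lines.  Sample transcripts are constructed, not captured."""
import re

# IOS names the six main-mode packets MM1..MM6 (I_ = initiator, R_ = responder).
_MM_STATE = re.compile(r"New State = IKE_(?:I|R)_MM(\d)")
_P1_DONE = "IKE_P1_COMPLETE"
_DELETE = re.compile(r'deleting SA reason "([^"]+)" state \((I|R)\) (\w+)')


def ike_progress(lines):
    """Return main-mode packets seen, whether phase 1 finished, and any SA deletion."""
    mm_packets, phase1_complete, delete = 0, False, None
    for line in lines:
        if m := _MM_STATE.search(line):
            mm_packets = max(mm_packets, int(m.group(1)))
        if _P1_DONE in line:                  # main mode done: all six packets exchanged
            phase1_complete, mm_packets = True, 6
        if m := _DELETE.search(line):
            reason, role, state = m.groups()
            # QM_* states exist only after phase 1; MM_* states are still phase 1.
            phase = "phase2" if state.startswith("QM_") else "phase1"
            delete = {"reason": reason, "role": role, "state": state, "phase": phase}
    return {"mm_packets": mm_packets, "phase1_complete": phase1_complete, "delete": delete}


def triage(summary):
    """One-line hint on where to look next."""
    d = summary["delete"]
    if d is None:
        return "no SA deletion seen"
    if d["phase"] == "phase2":
        return (f"phase 1 complete ({d['state']}); quick mode failed: check transform set, "
                "PFS group and proxy identities (crypto ACL vs VTI any/any)")
    return (f"main mode stalled at {d['state']} after {summary['mm_packets']} packets: "
            "check ISAKMP policy, pre-shared key and UDP/500 reachability")


# Constructed transcript shaped like Mike's case: main mode completes, quick mode dies.
THREAD_LIKE = [
    'ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1',
    'ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2',
    'ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3',
    'ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4',
    'ISAKMP:(0):Old State = IKE_I_MM4  New State = IKE_I_MM5',
    'ISAKMP:(54):Old State = IKE_I_MM5  New State = IKE_I_MM6',
    'ISAKMP:(54):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE',
    'ISAKMP:(54):beginning Quick Mode exchange, M-ID of 1234567890',
    'ISAKMP:(0:54:HW:2):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 10.1.1.10)',
]
# Constructed transcript of a phase 1 failure (e.g. pre-shared key mismatch): the
# initiator sends packet 5 and never gets packet 6.
PHASE1_FAILURE = [
    'ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1',
    'ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2',
    'ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3',
    'ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4',
    'ISAKMP:(0):Old State = IKE_I_MM4  New State = IKE_I_MM5',
    'ISAKMP:(0): retransmitting phase 1 MM_KEY_EXCH...',
    'ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 10.1.1.10)',
]

if __name__ == "__main__":
    for name, log in (("thread-like", THREAD_LIKE), ("phase1-failure", PHASE1_FAILURE)):
        print(f"{name}: {triage(ike_progress(log))}")
```

Feeding it the thread-like transcript reports six main-mode packets and a quick-mode deletion; the phase 1 transcript reports five packets and a deletion in `MM_KEY_EXCH`. That is the distinction Merv is after, and it is why comparing a working crypto-map debug with the VTI one is useful: the ISAKMP half should look identical in both, and the divergence should only start after `IKE_P1_COMPLETE`.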