Mike Gauthier (Guest)
Posted: Thu Nov 08, 2007 11:25 pm
Post subject: Converting crypto map to unnumbered VTI

I'm trying to convert a crypto map VPN to an ip unnumbered VTI. The crypto
map has been working for months. The VTI... not so much. Here are the
applicable config entries.
### original config
!
crypto isakmp policy 30
encr 3des
authentication pre-share
group 2
!
crypto isakmp key xxxxxxxx address 10.1.1.10
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto map CRYPTO 50 ipsec-isakmp
set peer 10.1.1.10
set transform-set 3DES-SHA
set pfs group2
match address VPN1
!
ip access-list extended VPN1
permit ip host 172.16.16.10 host 10.5.5.1
permit ip host 172.16.16.10 host 10.5.5.4
I only removed the crypto map and added the following.
### New Config
crypto ipsec profile V1
set security-association lifetime seconds 28800
set transform-set 3DES-SHA
set pfs group2
!
interface Tunnel0
ip unnumbered FastEthernet0/0
ip nat outside
ip virtual-reassembly
tunnel source 172.16.8.1
tunnel destination 10.1.1.10
tunnel mode ipsec ipv4
tunnel protection ipsec profile V1
I keep getting this ISAKMP error now.
ISAKMP:(0:54:HW:2):deleting SA reason "Recevied fatal informational" state
(I) QM_IDLE (peer 10.1.1.10)
Any help would be greatly appreciated. Also... I have no idea what is
running on the other end (it's a partner network), but I suspect it's a
crypto map on IOS.
Thank you!
MikeG
Mike Gauthier (Guest)
Posted: Wed Nov 28, 2007 1:55 am
Post subject: Re: Converting crypto map to unnumbered VTI

On Tue, 27 Nov 2007 02:42:08 -0600, Mike Gauthier wrote:
Quote:
On Fri, 16 Nov 2007 03:43:03 -0600, Mike Gauthier wrote:
On Wed, 14 Nov 2007 02:40:26 -0800, Merv wrote:
Mike,
Please post your results as the Cisco docs are pretty thin when it
comes to VTI especially in the presence of NAT.
Merv
It's been one fire after another this week (down lines in the
Philippines, AC out in our lab, etc.). Hopefully I'll get to play
around on Friday.
MikeG
I was finally able to devote some time to this! YAY!
Here is my bottom line: monitoring VPN status on IOS routers pretty much
sucks.
I cannot convert my crypto maps to static VTIs because the crypto ACL
cannot be modified. Usually this would not be a big deal, but I do not
control the other end of the tunnel. Because of the static VTIs
inherent "permit ip any any" encryption domain, this is not an option.
I tried to use dynamic VTIs, but the encryption domain is a problem with
this as well. With a DVTI, one can have *ONLY* a single line crypto
ACL. Again, a problem because I do not control the other end of the
tunnel.
It really looks to me like it's best if I stick with the crypto map
tunnels. They are definitely the most flexible and are pretty much
guaranteed to work with whatever may be on the other end (given it does
proper IPSEC).
So... my new problem. My lab router is running 12.4(17)
(c3825-advipservicek9-mz.124-17.bin). I have a working crypto map VPN running.
I make the VPN go up. I make the VPN go down (clear crypto session).
What happened to the %CRYPTO-5-SESSION_STATUS log messages? They used
to show up (I set crazy debugging, but they're gone). I guess this no
longer applies?
http://cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455af9.html
How can I monitor these tunnels now without the log entries?
Thanks again for the help Merv. If anyone can shed some light on this,
I'd really appreciate it.
MikeG
After speaking with TAC and their doing a little research, it turns out
that the CRYPTO-5-SESSION_STATUS log messages must be turned on.
According to TAC, this doesn't appear to be documented anywhere. Huh...
interesting.
conf t
crypto logging session
end
Mike
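As an added example that is not part of the original thread: once `crypto logging session` is on, the %CRYPTO-5-SESSION_STATUS lines are what you monitor, and a small parser can turn them into per-peer state and flap alerts. The sample log lines below are constructed and only approximate the real IOS message format (the "UP ." spacing included); the function names are my own, not IOS or any library API.

```python
import re
from collections import defaultdict

# Constructed sample lines approximating what IOS emits after "crypto logging
# session" is configured. Timestamps and peer addresses are made up for this
# example; 10.1.1.10 is the peer from the thread.
SAMPLE_LOG = """\
Nov 28 01:40:12.001: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 10.1.1.10:500 Id: 10.1.1.10
Nov 28 01:41:03.117: %SYS-5-CONFIG_I: Configured from console by vty0
Nov 28 01:45:20.442: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 10.1.1.10:500 Id: 10.1.1.10
Nov 28 01:45:31.008: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 10.1.1.10:500 Id: 10.1.1.10
Nov 28 01:46:02.555: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 10.1.1.10:500 Id: 10.1.1.10
Nov 28 01:46:15.909: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 10.1.1.20:500 Id: 10.1.1.20
"""

# Tolerates the stray space IOS puts before the period in "UP ." and "DOWN."
SESSION_RE = re.compile(
    r"%CRYPTO-5-SESSION_STATUS: Crypto tunnel is (?P<state>UP|DOWN)\s*\.\s*"
    r"Peer (?P<peer>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)\s+Id: (?P<id>\S+)"
)

def parse_session_events(log_text):
    """Return (peer, state) tuples in log order; non-crypto lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            events.append((m.group("peer"), m.group("state")))
    return events

def tunnel_report(log_text, flap_threshold=2):
    """Per peer: last known state, number of state changes, and a flapping flag
    raised when the peer went DOWN at least flap_threshold times."""
    last_state = {}
    transitions = defaultdict(int)
    downs = defaultdict(int)
    for peer, state in parse_session_events(log_text):
        if last_state.get(peer) != state:
            transitions[peer] += 1
        if state == "DOWN":
            downs[peer] += 1
        last_state[peer] = state
    return {
        peer: {
            "state": last_state[peer],
            "transitions": transitions[peer],
            "flapping": downs[peer] >= flap_threshold,
        }
        for peer in last_state
    }
```

Feeding real syslog output from the router into `tunnel_report` gives the up/down history the "show crypto session" snapshot alone cannot.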