272 Chapter 5: Security Protocols
Example 5-21 R1’s Full Configuration (Continued)
20.ip split-horizon
21.ip ospf network point-to-point
22.frame-relay map ip 131.108.255.2 102 broadcast
23.frame-relay interface-dlci 102
24.frame-relay lmi-type ansi
25.crypto map anyname1
26.interface Ethernet0/1
27.ip address 131.108.101.1 255.255.255.0
28.router ospf 1
29.network 131.108.0.0 0.0.255.255 area 0
30.access-list 100 permit ip 131.108.100.0 0.0.0.255 131.108.200.0 0.0.0.255
31.end
Example 5-22 displays the working configuration of R2 numbered from 1 through 29.
Example 5-22 R2’s Full Configuration
1.Version 12.2
2.hostname R2
3.enable password cisco
4.crypto isakmp policy 1
5.hash md5
6.authentication pre-share
7.crypto isakmp key CCIe address 131.108.255.1
8.crypto ipsec transform-set anyname esp-des esp-sha-hmac
9.mode transport
10.crypto map anyname1 1 ipsec-isakmp
11.set peer 131.108.255.1
12.set security-association lifetime seconds 180
13.set transform-set anyname
14.match address 100
15.interface Ethernet0/0
16.ip address 131.108.200.1 255.255.255.0
17.interface Serial0/0
18.ip address 131.108.255.2 255.255.255.252
19.encapsulation frame-relay
20.ip split-horizon
21.ip ospf network point-to-point
22.frame-relay map ip 131.108.255.1 201 broadcast
23.frame-relay interface-dlci 201
24.frame-relay lmi-type ansi
25.crypto map anyname1
26.router ospf 1
27.network 131.108.0.0 0.0.255.255 area 0
28.access-list 100 permit ip 131.108.200.0 0.0.0.255 131.108.100.0 0.0.0.255
29.end
Scenario 5-1: Configuring Cisco Routers for IPSec 273
1The following debug output is seen on R1 after the network administrator pings remote network 131.108.100.1 from Router R2’s console port.
Why will the IPSec tunnel not negotiate properly?
R2#debug crypto engine
Crypto Engine debugging is on R2#ping
Protocol [ip]:
Target IP address: 131.108.100.1 Repeat count [5]:
Datagram size [100]: Timeout in seconds [2]: Extended commands [n]: y
Source address or interface: 131.108.200.1 Type of service [0]:
Set DF bit in IP header? [no]: Validate reply data? [no]: Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 131.108.100.1, timeout is 2 seconds: 22:58:55: CryptoEngine0: generate alg parameter
22:58:55: CRYPTO_ENGINE: Dh phase 1 status: 0 22:58:55: CRYPTO_ENGINE: Dh phase 1 status: 0 22:58:55: CryptoEngine0: generate alg parameter
22:58:55: CryptoEngine0: create ISAKMP SKEYID for conn id 1 22:58:55: CryptoEngine0: generate hmac context for conn id 1.
22:58:55: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 131.108.255.1 failed it s sanity check or is malformed....
Success rate is 0 percent (0/5) R2#
2What subnets will be encrypted between Routers R1 and R2?
3What IOS command produced the following display and from which router?
Crypto Map "anyname1" 1 ipsec-isakmp Peer = 131.108.255.2 Extended IP access list 100
access-list 100 permit ip 131.108.100.0 0.0.0.255 131.108.200.0 0.0.0.255 Current peer: 131.108.255.2
Security association lifetime: 4608000 kilobytes/180 seconds PFS (Y/N): N
Transform sets={ anyname, } Interfaces using crypto map anyname1:
Serial0/0
4Will Host A be able to communicate with Host B or Host C? The following displays are the IP routing tables on R1 and R2. (Assume the gateway configurations on the PCs are correct.)
R1’s IP routing table:
R1>show ip route
Codes: C - connected, , O - OSPF,
131.108.0.0/16 is variably subnetted, 4 subnets, 2 masks
C131.108.255.0/30 is directly connected, Serial0/0
O 131.108.200.0/24 [110/400] via 131.108.255.2, 00:52:00, Serial0/0
C131.108.101.0/24 is directly connected, Ethernet0/1
C131.108.100.0/24 is directly connected, Ethernet0/0
