08-06-2001 10:12 AM - edited 03-08-2019 08:33 PM
Hi All,
Does anyone know if IOS supports tunnel cascading between non-crypto-mapped end points? What I am asking is: if A trusts B and A trusts C, can B trust C through A?
To Clarify:
I have a tunnel between A and B.
I have a tunnel between A and C.
Since both B and C can get to A, can B now get to C?
How do I enable this if it does work?
Thanks,
Jerry
08-13-2001 07:25 AM
B should not be able to get to C through A. I would simply build a tunnel from B to C and vice versa, but if you want everything to go through A, that will have to be crypto-mapped. You might call TAC for help with this one.
08-20-2001 05:28 PM
I want to TFTP my Config back to my TFTP Server through the tunnels. The Path would be from the remote router through the Hub Router on the head end and then finally through a management router to the tftp server as the final destination.
TFTP_Config_Router<--Tunnel-->HuB_Router<--Tunnel-->Manage_Router-->TFTP Server.
Tunnels from TFTP_Config_Router to HuB_Router work great and vice versa.
Tunnels from HuB_Router to Manage_Router work great and vice versa.
I believe this should work. I have added the route to the tftp server on the TFTP_Config_Router. The HuB Router (Hub and spoke design) sees the traffic but gives me the following message.
6d23h: ISAKMP (0:0): received packet from 64.169.222.54 (N) NEW SA
6d23h: ISAKMP: local port 500, remote port 500
6d23h: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_READY New State = IKE_R_MM1
6d23h: ISAKMP (0:1): processing SA payload. message ID = 0
6d23h: ISAKMP (0:1): found peer pre-shared key matching 64.169.222.54
6d23h: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
6d23h: ISAKMP: encryption 3DES-CBC
6d23h: ISAKMP: hash SHA
6d23h: ISAKMP: default group 2
6d23h: ISAKMP: auth pre-share
6d23h: ISAKMP: life type in seconds
6d23h: ISAKMP: life duration (basic) of 28800
6d23h: ISAKMP (0:1): atts are acceptable. Next payload is 0
6d23h: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Old State = IKE_R_MM1 New State = IKE_R_MM1
6d23h: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
6d23h: ISAKMP (0:1): sending packet to 64.169.222.54 (R) MM_SA_SETUP
6d23h: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Old State = IKE_R_MM1 New State = IKE_R_MM2
6d23h: ISAKMP (0:1): received packet from 64.169.222.54 (R) MM_SA_SETUP
6d23h: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_R_MM2 New State = IKE_R_MM3
6d23h: ISAKMP (0:1): processing KE payload. message ID = 0
6d23h: ISAKMP (0:1): processing NONCE payload. message ID = 0
6d23h: ISAKMP (0:1): found peer pre-shared key matching 64.169.222.54
6d23h: ISAKMP (0:1): SKEYID state generated
6d23h: ISAKMP (0:1): processing vendor id payload
6d23h: ISAKMP (0:1): speaking to another IOS box!
6d23h: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Old State = IKE_R_MM3 New State = IKE_R_MM3
6d23h: ISAKMP (0:1): sending packet to 64.169.222.54 (R) MM_KEY_EXCH
6d23h: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Old State = IKE_R_MM3 New State = IKE_R_MM4
6d23h: ISAKMP (0:1): received packet from 64.169.222.54 (R) MM_KEY_EXCH
6d23h: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_R_MM4 New State = IKE_R_MM5
6d23h: ISAKMP (0:1): processing ID payload. message ID = 0
6d23h: ISAKMP (0:1): processing HASH payload. message ID = 0
6d23h: ISAKMP:received payload type 14
6d23h: ISAKMP (0:1): processing keep alive: proposal=1800/2 sec., actual=1800/2 sec.
6d23h: ISAKMP (0:1): peer knows about the keepalive extension mechanism.
6d23h: ISAKMP (0:1): read keepalive extended attribute VPI: /0x2/0x4
6d23h: ISAKMP (0:1): peer keepalives capabilities: 0x1
6d23h: ISAKMP (0:1): SA has been authenticated with 64.169.222.54
6d23h: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Old State = IKE_R_MM5 New State = IKE_R_MM5
6d23h: ISAKMP (1): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
6d23h: ISAKMP (1): Total payload length: 12
6d23h: ISAKMP (0:1): sending packet to 64.169.222.54 (R) QM_IDLE
6d23h: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
6d23h: ISAKMP (0:1): received packet from 64.169.222.54 (R) QM_IDLE
6d23h: ISAKMP (0:1): processing HASH payload. message ID = 1977196283
6d23h: ISAKMP (0:1): processing SA payload. message ID = 1977196283
6d23h: ISAKMP (0:1): Checking IPSec proposal 1
6d23h: ISAKMP: transform 1, AH_SHA
6d23h: ISAKMP: attributes in transform:
6d23h: ISAKMP: encaps is 1
6d23h: ISAKMP: SA life type in seconds
6d23h: ISAKMP: SA life duration (basic) of 10800
6d23h: ISAKMP: SA life type in kilobytes
6d23h: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
6d23h: ISAKMP: group is 2
6d23h: ISAKMP: authenticator is HMAC-SHA
6d23h: ISAKMP (0:1): atts are acceptable.
6d23h: ISAKMP (0:1): Checking IPSec proposal 1
6d23h: ISAKMP: transform 1, ESP_3DES
6d23h: ISAKMP: attributes in transform:
6d23h: ISAKMP: encaps is 1
6d23h: ISAKMP: SA life type in seconds
6d23h: ISAKMP: SA life duration (basic) of 10800
6d23h: ISAKMP: SA life type in kilobytes
6d23h: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
6d23h: ISAKMP: group is 2
6d23h: ISAKMP (0:1): atts are acceptable.
6d23h: ISAKMP (0:1): IPSec policy invalidated proposal
6d23h: ISAKMP (0:1): phase 2 SA not acceptable!
6d23h: ISAKMP (0:1): sending packet to 64.169.222.54 (R) QM_IDLE
6d23h: ISAKMP (0:1): purging node -2135807601
6d23h: ISAKMP (0:1): Unknown Input for node 1977196283: state = IKE_QM_READY, major = 0x00000001, minor = 0x0000000C
6d23h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 64.169.222.54
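An added example, not part of the original post: a small Python parser that reduces a trace like the one above to where the negotiation stopped. The sample lines are an abridged excerpt of the posted output; the function names and the wording of the diagnosis strings are this example's own.

```python
import re

# Abridged excerpt of the debug output posted above (the hub router's view).
SAMPLE = """\
6d23h: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
6d23h: ISAKMP (0:1): Checking IPSec proposal 1
6d23h: ISAKMP: transform 1, AH_SHA
6d23h: ISAKMP (0:1): atts are acceptable.
6d23h: ISAKMP (0:1): Checking IPSec proposal 1
6d23h: ISAKMP: transform 1, ESP_3DES
6d23h: ISAKMP (0:1): atts are acceptable.
6d23h: ISAKMP (0:1): IPSec policy invalidated proposal
6d23h: ISAKMP (0:1): phase 2 SA not acceptable!
6d23h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 64.169.222.54
"""

STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
TRANSFORM = re.compile(r"ISAKMP: transform \d+, (\S+)")
FAILURE = re.compile(r"IKMP_MODE_FAILURE: Processing of (.+?) failed with peer at (\S+)")

def summarize(log):
    """Reduce an ISAKMP debug trace to the facts needed to locate the failure."""
    r = {"phase1_complete": False, "transforms": [], "attrs_ok": 0,
         "policy_rejected": False, "failed_mode": None, "peer": None}
    in_phase2 = False
    for line in log.splitlines():
        if m := STATE.search(line):
            r["phase1_complete"] |= m.group(2) == "IKE_P1_COMPLETE"
        elif "Checking IPSec proposal" in line:
            in_phase2 = True              # quick mode (phase 2) has started
        elif in_phase2 and (m := TRANSFORM.search(line)):
            r["transforms"].append(m.group(1))
        elif in_phase2 and "atts are acceptable" in line:
            r["attrs_ok"] += 1            # phase 1 prints this line too; skip those
        elif "IPSec policy invalidated proposal" in line:
            r["policy_rejected"] = True
        elif m := FAILURE.search(line):
            r["failed_mode"], r["peer"] = m.group(1), m.group(2)
    return r

def diagnose(r):
    if not r["phase1_complete"]:
        return "phase 1 did not complete"
    if r["policy_rejected"] and r["attrs_ok"] == len(r["transforms"]):
        return "phase 2: transforms accepted, proposal rejected by local IPsec policy"
    if r["failed_mode"]:
        return "phase 2: transform attributes not acceptable"
    return "no failure seen"

if __name__ == "__main__":
    print(diagnose(summarize(SAMPLE)))
```

When the result is a policy rejection after acceptable transforms, the usual things to compare are the responder's crypto map entry for that peer (its access list and transform set) and what the initiator is proposing for the traffic in question.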
08-20-2001 07:57 PM
What do you mean by non-crypto-mapped end points? Are you talking GRE tunnels? If so, are you running any dynamic routing protocols through the tunnels?
I would think if the networks were advertised to a routing protocol then you would be able to route the traffic from B to C through A whether they are encrypted or not.