Ipsec Tunnel between 5508 WLC 8.2 and Cisco ISE 3.0

ifabrizio
Level 1

Dear All,
I am trying to set up an IPsec tunnel between a WLC 5508 and an ISE, to perform AAA with the RADIUS protocol.
I'd like to set up an IPsec tunnel and let the RADIUS data from the WLC to ISE pass inside it.
I have configured the WLC RADIUS profile enabling IPsec, and also configured the IPsec parameters:

(screenshot of the WLC RADIUS/IPsec configuration attached in the original post)

and on the ISE ESR router I have also set up the IPsec tunnel:
crypto isakmp policy 5
encr aes
authentication pre-share
group 14

crypto isakmp key xxxxxxxxxxx address 0.0.0.0
crypto isakmp profile MVPN-profile
description LAN-to-LAN for spoke router(s) connection
keyring MVPN-spokes
match identity address 0.0.0.0
crypto ipsec transform-set radius-3 esp-aes esp-sha-hmac
mode tunnel
crypto map radius 10 ipsec-isakmp dynamic MVPN-dynmap
!
!
!
!
!
interface Ethernet0/0
description e0/0->connection to external NAD
ip address yyy.yyy.yyy.yyy 255.255.252.0
ip nat outside
ip virtual-reassembly in
no ip route-cache
crypto map radius

!
!
!
crypto dynamic-map MVPN-dynmap 10
set transform-set radius radius-2 radius-3
When I try to use the WLAN, this is what I get on the WLC after enabling "debug ipsec event enable":
*ProcessLoggingTask: Mar 02 15:24:51.556: 1 Mar 2 14:24:51 02[KNL] creating acquire job for policy 172.26.110.4/32[udp/32769] === 172.26.31.248/32[udp/radius] with reqid {1007}
*ProcessLoggingTask: Mar 02 15:24:51.557: 0 Mar 2 14:24:51 02[IKE] <172.26.110.4-172.26.31.248-0-1812|57> initiating Main Mode IKE_SA 172.26.110.4-172.26.31.248-0-1812[57] to 172.26.31.248
*ProcessLoggingTask: Mar 02 15:24:51.557: 1 Mar 2 14:24:51 02[ENC] <172.26.110.4-172.26.31.248-0-1812|57> generating ID_PROT request 0 [ SA V V V V ]
*ProcessLoggingTask: Mar 02 15:24:51.557: 1 Mar 2 14:24:51 02[NET] <172.26.110.4-172.26.31.248-0-1812|57> sending packet: from 172.26.110.4[500] to 172.26.31.248[500] (156 bytes)
*ProcessLoggingTask: Mar 02 15:24:51.557: 1 Mar 2 14:24:51 16[NET] error writing to socket: Operation not permitted
*ProcessLoggingTask: Mar 02 15:24:55.557: 1 Mar 2 14:24:55 12[IKE] <172.26.110.4-172.26.31.248-0-1812|57> sending retransmit 1 of request message ID 0, seq 1
*ProcessLoggingTask: Mar 02 15:24:55.558: 1 Mar 2 14:24:55 12[NET] <172.26.110.4-172.26.31.248-0-1812|57> sending packet: from 172.26.110.4[500] to 172.26.31.248[500] (156 bytes)
*ProcessLoggingTask: Mar 02 15:24:55.558: 1 Mar 2 14:24:55 16[NET] error writing to socket: Operation not permitted
*ProcessLoggingTask: Mar 02 15:25:02.761: 1 Mar 2 14:25:02 01[IKE] <172.26.110.4-172.26.31.248-0-1812|57> sending retransmit 2 of request message ID 0, seq 1
*ProcessLoggingTask: Mar 02 15:25:02.762: 1 Mar 2 14:25:02 01[NET] <172.26.110.4-172.26.31.248-0-1812|57> sending packet: from 172.26.110.4[500] to 172.26.31.248[500] (156 bytes)
*ProcessLoggingTask: Mar 02 15:25:02.762: 1 Mar 2 14:25:02 16[NET] error writing to socket: Operation not permitted
*ProcessLoggingTask: Mar 02 15:25:15.725: 1 Mar 2 14:25:15 12[IKE] <172.26.110.4-172.26.31.248-0-1812|57> sending retransmit 3 of request message ID 0, seq 1
*ProcessLoggingTask: Mar 02 15:25:15.726: 1 Mar 2 14:25:15 12[NET] <172.26.110.4-172.26.31.248-0-1812|57> sending packet: from 172.26.110.4[500] to 172.26.31.248[500] (156 bytes)
*ProcessLoggingTask: Mar 02 15:25:15.726: 1 Mar 2 14:25:15 16[NET] error writing to socket: Operation not permitted
*ProcessLoggingTask: Mar 02 15:25:23.871: 1 Mar 2 14:25:23 10[KNL] creating acquire job for policy 172.26.110.4/32[udp/32769] === 172.26.31.248/32[udp/radius] with reqid {1007}
*ProcessLoggingTask: Mar 02 15:25:23.871: 1 Mar 2 14:25:23 04[CFG] ignoring acquire, connection attempt pending
*ProcessLoggingTask: Mar 02 15:25:39.057: 1 Mar 2 14:25:39 07[IKE] <172.26.110.4-172.26.31.248-0-1812|57> giving up after 3 retransmits
Any idea about these errors?
Bye,
Igor.
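A small triage script, added here and not taken from the original post or from Cisco, that parses WLC debug lines of the kind quoted above, groups them per IKE_SA and distinguishes a local socket send failure (no IKE packet ever left the controller, as the "Operation not permitted" lines indicate) from a peer that simply never answers. The sample lines are copied from the post; the verdict labels are my own.

```python
import re

# Shape of the strongSwan-style lines the WLC prints under "debug ipsec event enable".
LINE_RE = re.compile(
    r"^\*ProcessLoggingTask: (?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): \d+ "
    r"\w{3}\s+\d+ \d{2}:\d{2}:\d{2} (?P<thread>\d{2})\[(?P<sub>[A-Z]{3})\] "
    r"(?:<(?P<sa>[^|>]+)\|(?P<sa_id>\d+)> )?(?P<msg>.*)$"
)
# Sample input: five lines copied from the debug output quoted in the post above.
SAMPLE_DEBUG = [
    "*ProcessLoggingTask: Mar 02 15:24:51.557: 0 Mar 2 14:24:51 02[IKE] <172.26.110.4-172.26.31.248-0-1812|57> initiating Main Mode IKE_SA 172.26.110.4-172.26.31.248-0-1812[57] to 172.26.31.248",
    "*ProcessLoggingTask: Mar 02 15:24:51.557: 1 Mar 2 14:24:51 02[NET] <172.26.110.4-172.26.31.248-0-1812|57> sending packet: from 172.26.110.4[500] to 172.26.31.248[500] (156 bytes)",
    "*ProcessLoggingTask: Mar 02 15:24:51.557: 1 Mar 2 14:24:51 16[NET] error writing to socket: Operation not permitted",
    "*ProcessLoggingTask: Mar 02 15:24:55.557: 1 Mar 2 14:24:55 12[IKE] <172.26.110.4-172.26.31.248-0-1812|57> sending retransmit 1 of request message ID 0, seq 1",
    "*ProcessLoggingTask: Mar 02 15:25:39.057: 1 Mar 2 14:25:39 07[IKE] <172.26.110.4-172.26.31.248-0-1812|57> giving up after 3 retransmits",
]

def parse_line(line):
    # Split one debug line into timestamp, thread, subsystem, IKE_SA id and message.
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    # Group events per IKE_SA id and decide whether the failure is local or remote.
    per_sa, last_sa = {}, None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        if rec["sa_id"]:
            last_sa = rec["sa_id"]
            s = per_sa.setdefault(last_sa, {"peer": None, "sent": 0, "socket_errors": 0,
                                            "retransmits": 0, "gave_up": False})
            if msg.startswith("initiating Main Mode IKE_SA"):
                s["peer"] = msg.rsplit(" to ", 1)[1]
            elif msg.startswith("sending packet"):
                s["sent"] += 1
            elif msg.startswith("sending retransmit"):
                s["retransmits"] += 1
            elif msg.startswith("giving up"):
                s["gave_up"] = True
        elif rec["sub"] == "NET" and "error writing to socket" in msg and last_sa:
            # Socket errors carry no SA tag; attribute them to the SA that just sent.
            per_sa[last_sa]["socket_errors"] += 1
    for s in per_sa.values():
        if s["sent"] and s["socket_errors"] >= s["sent"]:
            s["verdict"] = "local-send-failure"  # nothing ever left the controller
        elif s["gave_up"]:
            s["verdict"] = "peer-unresponsive"   # packets went out, no reply came back
        else:
            s["verdict"] = "no-failure-seen"
    return per_sa
```

A "local-send-failure" verdict means the peer's ISAKMP configuration never came into play; the first thing to check is the controller's own ability to send UDP/500, not the ESR side.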

1 Accepted Solution

Accepted Solutions

marce1000
VIP

 

 - I don't think ISE can do that; it is designed to work with Microsoft Windows IAS Server, check: https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109774-ipsec-wlc.html

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
    When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'


4 Replies


Hi Marce,

Thank you for your support.

I have a question, does the new wlc 9800 support ipsec tunnel creation with cisco ISE?

Bye,

JF.

 

 - No, it can't either.

 M.




Rich R
VIP

Generally speaking, if you want things in IPsec then you do that on your routers or switches (if they support IPsec).
If you want encrypted radius: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-9/config-guide/b_wl_17_9_cg/m_radius_dtls.html
Take note of https://bst.cisco.com/bugsearch/bug/CSCwa77027

Obviously your RADIUS server needs to support it too. For ISE: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/200972-Configure-RADIUS-DTLS-on-Identity-Servic.html
