Router Security Configuration Guide UNCLASSIFIED 172 UNCLASSIFIED Version 1.0g

collectively remove the unwanted information. The EXEC mode commands clear crypto sa and clear crypto isa (the abbreviated form of clear crypto isakmp), and the global configuration mode command no crypto ipsec sa, each directed at the specific peer devices involved, will remove the unwanted information.

2. Make sure the routers have mirror access lists

The Cisco IOS IPSec code can easily get confused when the access lists that the crypto maps use to select the packets protected by the IPSec tunnel are not mirror images of each other. In the example above, the access lists used by North and Remote are mirror images: both use the any option, so all protocol packets with a source address behind one router and a destination address behind the other are protected. If instead we only want to protect packets between the LAN behind the Remote router (7.0.0.1/24, i.e. the 7.0.0.0/24 network) and anyone behind the East router (14.2.1.20/16, i.e. the 14.2.0.0/16 network), then the following access lists on North and Remote satisfy the mirror access list requirement and should allow the tunnel to be constructed between North and Remote.

  On North:
  access-list 101 permit ip 14.2.1.20 0.0.255.255 7.0.0.1 0.0.0.255

  On Remote:
  access-list 102 permit ip 7.0.0.1 0.0.0.255 14.2.1.20 0.0.255.255

Note that IOS clears every address bit that the wildcard mask marks as "don't care", so these entries are stored and displayed as 14.2.0.0 0.0.255.255 and 7.0.0.0 0.0.0.255. Two access lists mirror each other when, for every entry on one router, the peer has an entry with the same action and protocol and with the source and destination address/wildcard pairs (and any port qualifiers) swapped. Check them with show access-lists on both routers before suspecting the IPSec code itself.

3. Turning on the debug commands to observe the router's IPSec negotiation

It can be very helpful to run both the debug crypto ipsec and the debug crypto isakmp commands, which are entered while the router is in privileged EXEC mode. (Note: if the routers establishing the IPSec tunnel are not yet operational, turning on full debugging with the debug all command supplies even more diagnostic information. Full debugging imposes too great a load to be practical on operational routers.) Turn debugging off again with undebug all once the problem has been located.
The debugging messages allow the network administrator to observe how the local router processes the remote router's IPSec packets during the tunnel negotiation, and to determine exactly where the negotiation is failing. Below is the North router's output with these two debug commands turned on. (Note: the two debug options were run at different times, but each was on while the IPSec tunnel was being constructed.) The first echo is lost (the "." in the ping output) because it triggers the ISAKMP and IPSec SA negotiation and is dropped while that completes; the remaining echoes succeed once the tunnel is up.

North# debug crypto isakmp
Crypto ISAKMP debugging is on
North# ping 7.12.1.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.12.1.20, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 32/33/36 ms
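As an added example for step 2 (this script is not from the Router Security Configuration Guide), the following Python code checks whether two IOS crypto access lists are mirror images of each other. It parses extended ACL entries of the form used on this page (access-list N permit|deny ip src wildcard dst wildcard, plus the any and host shorthands), normalizes each address the way IOS does by clearing the bits the wildcard marks as "don't care", and reports every entry that has no swapped counterpart on the peer. NORTH and REMOTE are the 101/102 entries above; REMOTE_BAD is a constructed, deliberately non-mirrored variant, and entries with port qualifiers are rejected rather than guessed at.

```python
"""Mirror-check two Cisco IOS crypto access lists (added example, not from the guide)."""
import ipaddress
import re
from dataclasses import dataclass

# access-list <number> <permit|deny> <protocol> <address spec...>
ACE_RE = re.compile(r"^\s*access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(.+?)\s*$")


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: tuple[int, int]  # (network as int, wildcard as int), host bits cleared
    dst: tuple[int, int]


def _parse_addr(tokens: list[str]) -> tuple[tuple[int, int], list[str]]:
    """Consume one address spec ('any', 'host A', or 'A WILDCARD') from tokens."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    # IOS zeroes every address bit the wildcard marks as don't-care,
    # so 14.2.1.20 0.0.255.255 is stored as 14.2.0.0 0.0.255.255.
    return (addr & ~wild & 0xFFFFFFFF, wild), tokens[2:]


def parse_ace(line: str) -> Ace:
    m = ACE_RE.match(line)
    if not m:
        raise ValueError(f"not an extended ACL entry: {line!r}")
    _number, action, proto, rest = m.groups()
    tokens = rest.split()
    src, tokens = _parse_addr(tokens)
    dst, tokens = _parse_addr(tokens)
    if tokens:
        # Port qualifiers (eq/range/...) would also have to be mirrored;
        # this example refuses them instead of guessing.
        raise ValueError(f"unsupported trailing options: {tokens}")
    return Ace(action, proto, src, dst)


def mirror(ace: Ace) -> Ace:
    """The entry the peer must carry: same action/protocol, src and dst swapped."""
    return Ace(ace.action, ace.proto, ace.dst, ace.src)


def mirror_mismatches(local: list[str], peer: list[str]) -> list[str]:
    """Return a description of every entry lacking a mirror; [] means the ACLs mirror."""
    local_set = {parse_ace(line) for line in local}
    peer_set = {parse_ace(line) for line in peer}
    problems = []
    for ace in local_set:
        if mirror(ace) not in peer_set:
            problems.append(f"local entry has no mirror on peer: {ace}")
    for ace in peer_set:
        if mirror(ace) not in local_set:
            problems.append(f"peer entry has no mirror locally: {ace}")
    return problems


# The two entries from the page (North and Remote).
NORTH = ["access-list 101 permit ip 14.2.1.20 0.0.255.255 7.0.0.1 0.0.0.255"]
REMOTE = ["access-list 102 permit ip 7.0.0.1 0.0.0.255 14.2.1.20 0.0.255.255"]
# Constructed non-mirror: Remote names one host instead of the 14.2.0.0/16 network.
REMOTE_BAD = ["access-list 102 permit ip 7.0.0.1 0.0.0.255 host 14.2.1.20"]

if __name__ == "__main__":
    for name, peer in (("REMOTE", REMOTE), ("REMOTE_BAD", REMOTE_BAD)):
        problems = mirror_mismatches(NORTH, peer)
        print(f"NORTH vs {name}: {'mirror OK' if not problems else 'NOT mirrored'}")
        for p in problems:
            print("  ", p)
```

Run it after pasting the output of show access-lists from both routers into the NORTH and peer lists; an empty result means the crypto ACLs agree, and each reported entry points at the line to fix before turning on the debugs in step 3.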