When I enter a crypto line into config t I get an error: "% Invalid input detected at '^' marker."
I looked at the Feature Navigator and it looks like my image supports VPN.
What am I doing wrong?
This is the image name: c1841-ipbase-mz.124-1c; it is on an 1841 router.

1841#config t
Enter configuration commands, one per line.  End with CNTL/Z.
1841(config)#crypto isakmp key none address 10.10.10.2
^
% Invalid input detected at '^' marker.
1841(config)#crypto map vpn 10 ipsec-isakmp
^
% Invalid input detected at '^' marker.
You need a K9 image to configure crypto keys. Likely ipbase has VPN, but a non-encrypted VPN connection like GRE.
Regards
nosx: On the old licensing model, I don't think IPBASE ever had crypto. You needed to go to Advanced Security or Advanced Enterprise (or Service Provider) to get those.
From the IOS release roadmap for that router, it looks like ipbase was available with and without crypto. Since you don't have k9, you don't have crypto.
Most recent 12-series:
1. IPBASE w/crypto: c1841-ipbasek9-mz.124-24.T3.bin
2. IPBASE w/o crypto: c1841-ipbase-mz.124-24.T3.bin
I'd recommend upgrading to Advanced IP Services if possible. Depending on how much RAM and flash you have, of course.
Thank you! So I upgraded, and now I have a "crypto engine" and you were right.
Now when I copy the maps, tunnel, and changes as per the old T1/3640 router into the 3Meg/1841 I don't get a pingable VPN network.
Shouldn't the code be compatible?
The only difference is that with the 3Meg vs the old T1 there is interface MFR1.500 vs interface Serial0/1.
Make sure your rules and maps are mapped to the correct interfaces. If you can't get it working, post your config here.
nosx: With and without crypto can mean different things. With crypto probably means "has SSH". It doesn't mean that the IOS is the correct one for IPSEC.
IPSEC tunnels were a feature in Advanced Security Services and Advanced Enterprise Services.
This is very true. And is why I suggested Advanced IP Services, which I know has the correct feature set for IPSec VPNs.
I am using 12.4 Advanced Enterprise Services IOS.
When I copied over the VPN code "parts" to the 1841, one of the errors was:
1841(config)#ip audit po max-events 100
% This command is an unreleased and unsupported feature
1841(config)#ip ssh time-out 120
Please create RSA keys (of atleast 768 bits size) to enable SSH v2.
1841(config)#ip ssh authentication-retries 3
Please create RSA keys (of atleast 768 bits size) to enable SSH v2.
Some of the code is old and probably isn't used; I'm not sure if the SSH keys in these errors are necessary for the VPN I need.
I moved all the VPN code "parts" and still no go.
The below config of Router #1 just brought down my FTP server and web server (residing on the internal network behind NAT).
Once I removed the code from interface MFR1.500 point-to-point (the line "ip access-group 101 in" and the line "crypto map vpn") I regained access to my FTP and web servers from the outside.
Also: access-list 100 permit ip 222.222.222.0 0.0.0.63 any. I substituted the new IP address but left the 0.0.0.63 unchanged; I don't know how to calculate that number correctly and I might need a different number there.
It is probably an issue with an access-list.
This is for Router #1 (1841).
===== IP Legend ===== (did a replace on the first three numbers of each)
Router #1 Serial IP: 111.111.111.202
Router #1 IP: 222.222.222.2
Router #2 Serial IP: 333.333.333.122
Router #2 IP: 444.444.444.160
=================
Building configuration...
Current configuration : 6819 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 1841
!
boot-start-marker
boot-end-marker
no aaa new-model
ip cef
!
ip inspect name fw1 cuseeme
ip inspect name fw1 ftp
ip inspect name fw1 udp
ip inspect name fw1 vdolive
ip inspect name fw1 streamworks
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
controller T1 0/0/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
controller T1 0/0/1
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
crypto isakmp key none address 10.10.10.2
!
crypto ipsec transform-set s1s2 esp-des esp-sha-hmac
!
crypto map vpn local-address Tunnel0
crypto map vpn 10 ipsec-isakmp
 set peer 10.10.10.2
 set transform-set s1s2
 match address 108
!
interface Tunnel0
 ip address 10.10.10.1 255.255.255.0
 tunnel source 111.111.111.202
 tunnel destination 333.333.333.122
 crypto map vpn
!
interface MFR1
 mtu 4470
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation frame-relay IETF
 no ip mroute-cache
 load-interval 30
 no arp frame-relay
 frame-relay multilink bid to gw
 frame-relay lmi-type ansi
!
interface MFR1.500 point-to-point
 ip address 111.111.111.202 255.255.255.252
 ip access-group 101 in
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 no cdp enable
 no arp frame-relay
 frame-relay interface-dlci 500 IETF
 crypto map vpn
!
interface FastEthernet0/0
 ip address 172.16.1.2 255.255.248.0 secondary
 ip address 222.222.222.1 255.255.255.0
 ip helper-address 172.30.0.10
 ip helper-address 172.16.9.5
 no ip redirects
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0:0
 mtu 4470
 bandwidth 1536
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation frame-relay MFR1
 no arp frame-relay
!
interface Serial0/0/1:0
 mtu 4470
 bandwidth 1536
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation frame-relay MFR1
 no arp frame-relay
!
router eigrp 100
 network 10.10.10.0 0.0.0.255
 network 10.10.12.0 0.0.0.255
 network 172.16.0.0 0.0.7.255
 no auto-summary
 no eigrp log-neighbor-changes
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 MFR1.500
ip route 192.168.25.0 255.255.255.0 10.10.12.2
!
ip http server
no ip http secure-server
ip nat pool ovrld 222.222.222.1 222.222.222.1 netmask 255.255.255.0
ip nat pool swimpool 222.222.222.2 222.222.222.254 prefix-length 24
ip nat inside source list 120 pool swimpool overload
ip nat inside source route-map nonat interface MFR1.500 overload
ip nat inside source static 172.16.1.18 222.222.222.18
ip nat inside source static tcp 172.16.1.84 110 222.222.222.84 110 extendable
ip nat inside source static tcp 172.16.1.105 105 222.222.222.105 105 extendable
ip nat inside source static 172.16.1.105 222.222.222.105
ip nat inside source static tcp 172.16.1.104 8089 222.222.222.107 8089 extendable
ip nat inside source static 172.16.1.108 222.222.222.108
ip nat inside source static tcp 172.16.1.112 80 222.222.222.112 80 extendable
ip nat inside source static tcp 172.16.1.113 1433 222.222.222.113 1433 extendable
ip nat inside source static tcp 172.16.1.117 20 222.222.222.117 20 extendable
ip nat inside source static tcp 172.16.1.117 21 222.222.222.117 21 extendable
ip nat inside source static tcp 172.16.1.22 80 222.222.222.120 80 extendable
ip nat inside source static tcp 172.16.1.122 25 222.222.222.122 25 extendable
ip nat inside source static 172.16.1.126 222.222.222.126
ip nat inside source static tcp 172.16.1.128 3389 222.222.222.128 3389 extendable
ip nat inside source static 172.16.1.250 222.222.222.250
ip nat inside source static 172.16.1.251 222.222.222.251
ip nat inside source static 172.16.1.252 222.222.222.252
ip nat inside source static 172.16.1.253 222.222.222.253
!
access-list 7 permit 172.16.0.0 0.0.255.255
access-list 100 permit tcp 172.16.0.0 0.0.255.255 any
access-list 100 permit ip 172.16.0.0 0.0.7.255 any
access-list 100 permit ip 172.16.0.0 0.0.0.255 any
access-list 100 permit ip 222.222.222.0 0.0.0.63 any
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit tcp any any established
access-list 101 permit tcp any any eq telnet
access-list 101 permit gre any any
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any eq domain any
access-list 101 permit udp any eq isakmp any eq isakmp
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 135
access-list 101 permit udp 192.168.1.0 0.0.0.255 any eq 135
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 138
access-list 101 permit udp 192.168.1.0 0.0.0.255 any eq netbios-dgm
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 139
access-list 101 permit udp 192.168.1.0 0.0.0.255 any eq netbios-ss
access-list 101 permit tcp any host 222.222.222.2 range ftp-data ftp
access-list 101 permit tcp any gt 1023 host 222.222.222.2 gt 1023
access-list 101 permit tcp any host 192.168.1.150 eq 7775
access-list 102 permit ip 172.16.0.0 0.0.7.255 67.135.31.160 0.0.0.15
access-list 102 permit ip 222.222.222.0 0.0.0.63 67.135.31.160 0.0.0.15
access-list 108 permit ip 172.16.0.0 0.0.7.255 192.168.1.0 0.0.0.255
access-list 109 deny ip host 172.16.172.249 any
access-list 109 deny ip 172.16.0.0 0.0.7.255 192.168.1.0 0.0.0.255
access-list 109 permit ip 172.16.0.0 0.0.7.255 any
access-list 110 permit ip 172.16.0.0 0.0.7.255 any
access-list 120 deny ip host 172.16.1.2 any
access-list 120 deny ip host 172.16.1.47 any
access-list 120 deny ip host 172.16.1.67 any
access-list 120 deny ip host 172.16.1.106 any
access-list 120 deny ip host 172.16.1.113 any
access-list 120 deny ip host 172.16.1.114 any
access-list 120 deny ip host 172.16.1.117 any
access-list 120 deny ip host 172.16.1.125 any
access-list 120 deny ip host 172.16.1.18 any
access-list 120 permit ip 172.16.0.0 0.0.7.255 any
access-list 120 deny ip host 172.16.1.124 any
access-list 120 deny ip host 172.16.1.243 any
access-list 120 deny ip host 172.16.1.90 any
access-list 120 deny ip host 172.16.1.91 any
access-list 120 deny ip host 172.16.1.104 any
access-list 120 deny ip host 172.16.1.122 any
access-list 120 deny ip 172.16.0.0 0.0.7.255 192.168.1.0 0.0.0.255
disable-eadi
!
route-map nonat permit 10
 match ip address 7
!
control-plane
!
line con 0
 exec-timeout 20 0
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
end
________________ this is for router #2 ________________
Building configuration...
Current configuration : 2267 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname C2-2620
!
no logging console
!
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 5
 authentication pre-share
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key none address 10.10.10.1
!
crypto ipsec transform-set Best esp-3des esp-sha-hmac
crypto ipsec transform-set s2s1 esp-des esp-sha-hmac
!
crypto map MyMap 10 ipsec-isakmp
 set peer 111.111.111.202
 set transform-set Best
 match address 100
!
crypto map vpn local-address Tunnel0
crypto map vpn 10 ipsec-isakmp
 set peer 10.10.10.1
 set transform-set s2s1
 match address 108
!
call rsvp-sync
!
interface Tunnel0
 ip address 10.10.10.2 255.255.255.0
 tunnel source 333.333.333.122
 tunnel destination 111.111.111.202
 crypto map vpn
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 333.333.333.122 255.255.255.252
 ip nat outside
 encapsulation ppp
 service-module t1 timeslots 1-24
 crypto map vpn
!
router eigrp 100
 network 10.10.10.0 0.0.0.255
 network 192.168.1.0
 no auto-summary
!
ip nat pool swim 444.444.444.161 444.444.444.174 netmask 255.255.255.240
ip nat inside source route-map nonat pool swim overload
ip classless
ip route 0.0.0.0 0.0.0.0 333.333.333.121
no ip http server
!
access-list 100 permit ip 444.444.444.160 0.0.0.15 172.16.0.0 0.0.7.255
access-list 100 permit ip 444.444.444.160 0.0.0.15 222.222.222.0 0.0.0.63
access-list 108 permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.7.255
access-list 109 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.7.0
access-list 109 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip host 222.222.222.2 host 444.444.444.161
access-list 110 permit ip host 444.444.444.161 host 222.222.222.2
access-list 111 permit ip any host 444.444.444.162
access-list 111 permit ip any host 444.444.444.172
route-map nonat permit 10
 match ip address 109
!
dial-peer cor custom
!
line con 0
 exec-timeout 20 0
line aux 0
line vty 0 4
 session-timeout 20
 exec-timeout 20 0
 no login
!
end
quote: 1841(config)#ip audit po max-events 100
% This command is an unreleased and unsupported feature
Old IOS command for the IDS system; ignore it unless you're planning for IDS / IPS.
quote: 1841(config)#ip ssh time-out 120
Please create RSA keys (of atleast 768 bits size) to enable SSH v2.
1841(config)#ip ssh authentication-retries 3
Please create RSA keys (of atleast 768 bits size) to enable SSH v2.
SSH isn't necessary for VPN, but if you want secure remote access to the router, I'd enable it.
config t
hostname <name>
ip domain-name <domain>      -- can be anything
crypto key zeroize rsa
crypto key generate rsa      -- input a value of at least 768 bits for SSHv2; go for 2048 bits if you're uberparanoid
Then try adding those commands again.
Regards
First thing I see is:
ip nat inside source route-map nonat interface MFR1.500 overload
This refers to this route-map:
route-map nonat permit 10
match ip address 7
Which references this access-list:
access-list 7 permit 172.16.0.0 0.0.255.255
Which needs to be modified so that you aren't NAT'd when going through your VPN tunnel:
no access-list 7
access-list 130 deny ip 172.16.0.0 0.0.7.255 192.168.1.0 0.0.0.255
access-list 130 permit ip 172.16.0.0 0.0.7.255
route-map nonat permit 10
no match ip address 7
match ip address 130
*********************************************************************************
Your other commands configured (someone please correct me if i'm wrong):
ip nat pool ovrld 222.222.222.1 222.222.222.1 netmask 255.255.255.0
ip nat pool swimpool 222.222.222.2 222.222.222.254 prefix-length 24
ip nat inside source list 120 pool swimpool overload
These aren't doing anything so the access-list 120 isn't used either.
**********************************************************************************
I do see some other problems but we'll start here. Let me know if this helps you get connectivity to the other end of your VPN tunnel. You should see an eigrp neighbor form after this:
sh ip eigrp neighbor
*******EDIT*******
Found these after posting:
Router #1 You don't need this route statement as EIGRP will give you the route after it has formed a neighbor relationship (and the route has the wrong address 10.10.12.2):
no ip route 192.168.25.0 255.255.255.0 10.10.12.2
Router #2:
This access-list (0.0.7.0 should be 0.0.7.255): access-list 109 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.7.0 should be:
access-list 109 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.7.255
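The wildcard-mask question from the original post and the nonat/ACL fixes in this reply, worked through in an added Python example (not from the thread or from Cisco): it evaluates Cisco standard and extended "ip" access-list entries with wildcard semantics, using the ACL lines posted above, to show why a packet the nonat route-map permits is NATed before the crypto map can match it against list 108 (so it leaves the router outside the tunnel), and why the 0.0.7.0 wildcard on R2 never matches a real host. The internet-side address 198.51.100.7 is a constructed sample.

```python
"""Cisco wildcard-mask and access-list evaluator (added illustration, not from the thread)."""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_from_prefix(prefix: str) -> str:
    """Wildcard mask for a CIDR prefix: the bitwise inverse of the subnet mask."""
    return str(ipaddress.ip_network(prefix, strict=False).hostmask)


def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """Cisco semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    care = 0xFFFFFFFF ^ w          # bits that must match exactly
    return (a & care) == (b & care)


def _address_spec(tokens):
    """Consume one address spec ('any', 'host X', or 'base wildcard'); return (base, wc, rest)."""
    if tokens[0] == "any":
        return ANY[0], ANY[1], tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_acl_line(line: str):
    """Parse 'access-list N permit|deny [ip] src [dst]' into
    (number, action, src_base, src_wc, dst_base, dst_wc).
    Standard lists (1-99) match on source only; only plain 'ip' entries are modelled."""
    tokens = line.split()
    assert tokens[0] == "access-list"
    number, action = int(tokens[1]), tokens[2]
    rest = tokens[3:]
    if number <= 99:                      # standard ACL: no protocol, no destination
        sb, sw, rest = _address_spec(rest)
        db, dw = ANY
    else:
        assert rest[0] == "ip", "only plain 'ip' entries are modelled here"
        sb, sw, rest = _address_spec(rest[1:])
        db, dw, rest = _address_spec(rest)
    return number, action, sb, sw, db, dw


def acl_action(config_lines, number: int, src: str, dst: str) -> str:
    """Evaluate access list `number` for a src/dst pair: first match wins, implicit deny."""
    for line in config_lines:
        if not line.startswith(f"access-list {number} "):
            continue
        _, action, sb, sw, db, dw = parse_acl_line(line)
        if wildcard_matches(src, sb, sw) and wildcard_matches(dst, db, dw):
            return action
    return "deny"


# Lines taken from the configs posted in the thread (R1 nonat lists, R2 list 109).
R1_OLD = ["access-list 7 permit 172.16.0.0 0.0.255.255"]
R1_NEW = ["access-list 130 deny ip 172.16.0.0 0.0.7.255 192.168.1.0 0.0.0.255",
          "access-list 130 permit ip 172.16.0.0 0.0.7.255 any"]
R2_TYPO = ["access-list 109 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.7.0",
           "access-list 109 permit ip 192.168.1.0 0.0.0.255 any"]
R2_FIXED = ["access-list 109 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.7.255",
            "access-list 109 permit ip 192.168.1.0 0.0.0.255 any"]


def nat_decisions():
    """'permit' from the route-map ACL means the packet is NATed before the crypto map sees it."""
    return {
        "old acl 7, LAN1->LAN2":   acl_action(R1_OLD, 7, "172.16.1.50", "192.168.1.10"),
        "acl 130, LAN1->LAN2":     acl_action(R1_NEW, 130, "172.16.1.50", "192.168.1.10"),
        "acl 130, LAN1->internet": acl_action(R1_NEW, 130, "172.16.1.50", "198.51.100.7"),
        "R2 typo 0.0.7.0":         acl_action(R2_TYPO, 109, "192.168.1.10", "172.16.1.50"),
        "R2 fixed 0.0.7.255":      acl_action(R2_FIXED, 109, "192.168.1.10", "172.16.1.50"),
    }


if __name__ == "__main__":
    print(wildcard_from_prefix("222.222.222.0/24"))   # 0.0.0.255, not the 0.0.0.63 left in list 100
    for name, verdict in nat_decisions().items():
        print(f"{name}: {verdict}")
```

With 0.0.0.63 the 222.222.222.0 entry in list 100 stops at .63, so NAT'd hosts such as 222.222.222.84 fall outside it; for a /24 the wildcard is 0.0.0.255.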
Thank you HELLFIRE, jmillermo!!!
jmillermo:
1841#sh ip eigrp neighbor
IP-EIGRP neighbors for process 100
H   Address         Interface  Hold Uptime   SRTT   RTO  Q  Seq
                               (sec)         (ms)       Cnt Num
0   10.10.10.2      Tu0          12 05:43:37 1171  5000  0  1767
Very close!!! But still not working.
The VPN is there between the routers but not from the local networks.
From router #1 CLI I can ping 192.168.1.1 or any device on its network, and from router #2 CLI I can ping 172.16.1.2 or any device on its network,
but locally on the network devices on the router #1 network side I cannot ping the router #2 network devices (a PC in LAN1 cannot ping a PC in LAN2), and vice versa.
Changes I made per your advice:
1841(config)#no access-list 7
1841(config)#access-list 130 deny ip 172.16.0.0 0.0.7.255 192.168.1.0 0.0.0.255
1841(config)#access-list 130 permit ip 172.16.0.0 0.0.7.255
% Incomplete command.
1841(config)#access-list 130 permit ip 172.16.0.0 0.0.7.255 any
1841(config)#route-map nonat permit 10
1841(config-route-map)#no match ip address 7
1841(config-route-map)#match ip address 130
1841(config-route-map)#exit
1841(config)#ip nat pool ovrld 222.222.222.1 222.222.222.1 netmask 255.255.255.0
1841(config)#ip nat pool swimpool 222.222.222.2 222.222.222.254 prefix-length 24
%Pool swimpool in use, cannot redefine
1841(config)#ip nat inside source list 120 pool swimpool overload
%Dynamic mapping in use, cannot change
__ edited config Router #1 __
C1-1841#sh run
Building configuration...
Current configuration : 5645 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 1841
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
ip inspect name fw1 cuseeme
ip inspect name fw1 ftp
ip inspect name fw1 udp
ip inspect name fw1 vdolive
ip inspect name fw1 streamworks
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
controller T1 0/0/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
controller T1 0/0/1
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
crypto isakmp key none address 10.10.10.2
!
crypto ipsec transform-set s1s2 esp-des esp-sha-hmac
!
crypto map vpn local-address Tunnel0
crypto map vpn 10 ipsec-isakmp
 ! Incomplete
 set peer 10.10.10.2
 set transform-set s1s2
 match address 108
!
interface Tunnel0
 ip address 10.10.10.1 255.255.255.0
 tunnel source 111.111.111.202
 tunnel destination 333.333.333.122
 crypto map vpn
!
interface MFR1
 mtu 4470
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation frame-relay IETF
 no ip mroute-cache
 load-interval 30
 no arp frame-relay
 frame-relay multilink bid to gw
 frame-relay lmi-type ansi
!
interface MFR1.500 point-to-point
 ip address 111.111.111.202 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 no cdp enable
 no arp frame-relay
 frame-relay interface-dlci 500 IETF
!
interface FastEthernet0/0
 ip address 172.16.1.2 255.255.248.0 secondary
 ip address 222.222.222.1 255.255.255.0
 no ip redirects
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0:0
 mtu 4470
 bandwidth 1536
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation frame-relay MFR1
 no arp frame-relay
!
interface Serial0/0/1:0
 mtu 4470
 bandwidth 1536
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation frame-relay MFR1
 no arp frame-relay
!
router eigrp 100
 network 10.10.10.0 0.0.0.255
 network 10.10.12.0 0.0.0.255
 network 172.16.0.0 0.0.7.255
 no auto-summary
 no eigrp log-neighbor-changes
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 MFR1.500
!
ip http server
no ip http secure-server
ip nat pool swimpool 222.222.222.2 222.222.222.254 prefix-length 24
ip nat pool ovrld 222.222.222.1 222.222.222.1 netmask 255.255.255.0
ip nat inside source list 120 pool swimpool overload
ip nat inside source route-map nonat interface MFR1.500 overload
ip nat inside source static 172.16.1.18 222.222.222.18
ip nat inside source static tcp 172.16.1.84 110 222.222.222.84 110 extendable
ip nat inside source static tcp 172.16.1.105 105 222.222.222.105 105 extendable
ip nat inside source static 172.16.1.105 222.222.222.105
ip nat inside source static tcp 172.16.1.104 8089 222.222.222.107 8089 extendable
ip nat inside source static 172.16.1.108 222.222.222.108
ip nat inside source static tcp 172.16.1.112 80 222.222.222.112 80 extendable
ip nat inside source static tcp 172.16.1.113 1433 222.222.222.113 1433 extendable
ip nat inside source static tcp 172.16.1.117 20 222.222.222.117 20 extendable
ip nat inside source static tcp 172.16.1.117 21 222.222.222.117 21 extendable
ip nat inside source static tcp 172.16.1.22 80 222.222.222.120 80 extendable
ip nat inside source static tcp 172.16.1.122 25 222.222.222.122 25 extendable
ip nat inside source static 172.16.1.126 222.222.222.126
ip nat inside source static tcp 172.16.1.128 3389 222.222.222.128 3389 extendable
ip nat inside source static 172.16.1.250 222.222.222.250
ip nat inside source static 172.16.1.251 222.222.222.251
ip nat inside source static 172.16.1.252 222.222.222.252
ip nat inside source static 172.16.1.253 222.222.222.253
!
access-list 100 permit tcp 172.16.0.0 0.0.255.255 any
access-list 100 permit ip 172.16.0.0 0.0.7.255 any
access-list 100 permit ip 172.16.0.0 0.0.0.255 any
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit tcp any any established
access-list 101 permit tcp any any eq telnet
access-list 101 permit gre any any
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any eq domain any
access-list 109 deny ip host 172.16.172.249 any
access-list 120 deny ip host 172.16.1.2 any
access-list 120 deny ip host 172.16.1.47 any
access-list 120 deny ip host 172.16.1.67 any
access-list 120 deny ip host 172.16.1.106 any
access-list 120 deny ip host 172.16.1.113 any
access-list 120 deny ip host 172.16.1.114 any
access-list 120 deny ip host 172.16.1.117 any
access-list 120 deny ip host 172.16.1.125 any
access-list 120 deny ip host 172.16.1.18 any
access-list 120 permit ip 172.16.0.0 0.0.7.255 any
access-list 120 deny ip host 172.16.1.124 any
access-list 120 deny ip host 172.16.1.243 any
access-list 120 deny ip host 172.16.1.90 any
access-list 120 deny ip host 172.16.1.91 any
access-list 120 deny ip host 172.16.1.104 any
access-list 120 deny ip host 172.16.1.122 any
access-list 130 deny ip 172.16.0.0 0.0.7.255 192.168.1.0 0.0.0.255
access-list 130 permit ip 172.16.0.0 0.0.7.255 any
disable-eadi
!
route-map nonat permit 10
 match ip address 130
!
control-plane
!
line con 0
 exec-timeout 20 0
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
end
__ edited config: router #2 __
Building configuration...
Current configuration : 2337 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 2620
!
no logging console
!
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 5
 authentication pre-share
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key none address 10.10.10.1
!
crypto ipsec transform-set Best esp-3des esp-sha-hmac
crypto ipsec transform-set s2s1 esp-des esp-sha-hmac
!
crypto map MyMap 10 ipsec-isakmp
 set peer 111.111.111.202
 set transform-set Best
 match address 100
!
crypto map vpn local-address Tunnel0
crypto map vpn 10 ipsec-isakmp
 set peer 10.10.10.1
 set transform-set s2s1
 match address 108
!
call rsvp-sync
!
interface Tunnel0
 ip address 10.10.10.2 255.255.255.0
 tunnel source 333.333.333.122
 tunnel destination 111.111.111.202
 crypto map vpn
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 333.333.333.122 255.255.255.252
 ip nat outside
 encapsulation ppp
 service-module t1 timeslots 1-24
 crypto map vpn
!
router eigrp 100
 network 10.10.10.0 0.0.0.255
 network 192.168.1.0
 no auto-summary
!
ip nat pool swim 444.444.444.161 444.444.444.174 netmask 255.255.255.240
ip nat inside source route-map nonat pool swim overload
ip classless
ip route 0.0.0.0 0.0.0.0 333.333.333.121
no ip http server
!
access-list 100 permit ip 444.444.444.160 0.0.0.15 172.16.0.0 0.0.7.255
access-list 100 permit ip 444.444.444.160 0.0.0.15 222.222.222.0 0.0.0.63
access-list 108 permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.7.255
access-list 109 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.7.0
access-list 109 permit ip 192.168.1.0 0.0.0.255 any
access-list 109 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.7.255
access-list 110 permit ip host 222.222.222.2 host 444.444.444.161
access-list 110 permit ip host 444.444.444.161 host 222.222.222.2
access-list 111 permit ip any host 444.444.444.162
access-list 111 permit ip any host 444.444.444.172
route-map nonat permit 10
 match ip address 109
!
dial-peer cor custom
!
line con 0
 exec-timeout 20 0
line aux 0
line vty 0 4
 session-timeout 20
 exec-timeout 20 0
 no login
!
end
On R2:
no access-list 109
access-list 109 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.7.255
access-list 109 permit ip 192.168.1.0 0.0.0.255 any
Also, post a traceroute from a host on R1's network to a host on R2's network.
Didn't help.
Same "request timed out" when I ping cross networks from a PC, and "success" when I ping cross networks from the CLIs.
From router #1:
1841#traceroute 192.168.1.1
Tracing the route to 192.168.1.1
  1 10.10.10.2 8 msec * 8 msec
From router #2:
C2620#traceroute 172.16.1.2
Tracing the route to 172.16.1.2
  1 10.10.10.1 12 msec 8 msec *
Try pinging from a host on R1 and run a debug on R2:
debug ip icmp
Also, why do you have this configured?
ip address 172.16.1.2 255.255.248.0 secondary
ip address 222.222.222.1 255.255.255.0
C1-1841#show crypto isakmp sa
dst             src             state          conn-id slot status
I enabled the debug but I don't think I am retrieving the logs correctly. I do this:
2620#show log history
Syslog History Table:1 maximum table entries,
saving level warnings or higher
2355 messages ignored, 0 dropped, 0 recursion drops
131882 table entries flushed
SNMP notifications not enabled
entry number 131883 : CRYPTO-4-RECVD_PKT_NOT_IPSEC
Rec'd packet not an IPSEC packet.
(ip) dest_addr= 192.168.1.107, src_addr= 172.16.2.115, prot= 17
timestamp: 1449614891
Ok, your VPN tunnel isn't coming up. On Router 1 you are missing the access-list specified in the crypto map:
access-list 108 permit ip 172.16.0.0 0.0.7.255 192.168.1.0 0.0.0.255
That may bring the crypto up. After you send some pings through from a host on R1's network this should create the tunnel and you should see a connection showing in "show crypto isakmp sa".
"Why do you have this configured?
ip address 172.16.1.2 255.255.248.0 secondary
ip address 222.222.222.1 255.255.255.0"
You mean on interface FastEthernet0/0?
To allow me to use the public IPs etc. You probably mean something else... do you mean why I didn't have the two different interfaces handle the two lines separately? To be frank, I mirrored the old router's config; I wasn't trying to clean it up and do it right, primarily since I was trying to avoid problems. But that didn't work too well; I'm in the middle of a nightmare with this VPN.
Sorry, I was just curious to see why you had the public IP and a private secondary.