From: Rob Barton (robbarto@xxxxxxxxx)
Date: Thu Nov 16 2000 - 12:12:53 GMT-3
My IPsec over GRE is solved! I did have the right config, but the IOS
version was flaky. When I did "show crypto isa sa" it showed that the SA
was between the loopback on one side of the network and the tunnel interface
on the other side. It should have been between the loopbacks on both sides
of the network. This was running 12.04. When I loaded 12.07(T) the SAs
came up immediately and traffic started to encrypt. I strongly encourage
all to avoid any IOS image earlier than 12.07 when doing IPsec.
Cheers, Rob
_____
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Luan Nguyen
Sent: Thursday, November 16, 2000 7:25 AM
To: lpd@jacksonville.net; robbarto@cisco.com; ccielab@groupstudy.com
Cc: Simon.Baxter@au.logical.com
Subject: RE: IPsec over GRE
Try to put access list permit gre between your Ethernet interfaces... maybe
that will help:
access-list 102 permit gre source - destination
>From: "Steve McNutt" <lpd@jacksonville.net>
>Reply-To: "Steve McNutt" <lpd@jacksonville.net>
>To: "Rob Barton" <robbarto@cisco.com>, "Ccielab" <ccielab@groupstudy.com>
>CC: <Simon.Baxter@au.logical.com>
>Subject: RE: IPsec over GRE
>Date: Thu, 16 Nov 2000 01:44:10 -0500
>
>Does r1 have 200.1.1.0/24 and does r2 have 100.1.1.0/24 in their respective
>routing tables? Your error message means that the key exchange is failing,
>which in this case looks like it could be a simple reachability problem.
>
>At any rate, since IKE ain't happening, the thing to do beyond making sure the
>loopbacks are pingable would be to use debug crypto isakmp, which should
>tell you pretty much why your key exchange is blowing up.
>
>You might have to spend some time on CCO to learn how to interpret the
>output, but it's pretty straightforward.
>
>-s
> -----Original Message-----
> From: Rob Barton [mailto:robbarto@cisco.com]
> Sent: Wednesday, November 15, 2000 7:38 PM
> To: Ccielab
> Cc: lpd@jacksonville.net; Simon.Baxter@au.logical.com
> Subject: IPsec over GRE
>
>
> Here is the config I am currently using, but I still can't ping to the IP
> address of the other side of the GRE tunnel. I am getting this weird error
> message:
>
> 02:31:41: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 100.1.1.1
>
> R1 and R2 are directly connected through a x-over cable on FastEthernet.
>
> Any ideas?
>
> Thanks - Rob.
>
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:25:45 GMT-3