From: Rob Webber (rwebber@xxxxxxxxxxxx)
Date: Mon Feb 05 2001 - 23:55:00 GMT-3
Jason,
When I've done this, I've created the GRE tunnel between the "outermost"
interfaces (the interfaces actually closest to each other). I'm assuming
this is the case with what I see in your configs.
Then I have run the IPSec tunnel between the loopback interfaces on each
router. You'll need the "crypto map mymap local-address Loopback0" command
(as well as changing your set peer and isakmp key commands). Keep the map
statement on the physical and tunnel interfaces - just as you have it. I've
had pretty good luck this way.
Rob.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Jason T. Rohm
Sent: Monday, February 05, 2001 8:07 PM
To: 'Kyle Galusha'
Cc: CCIELIST (E-mail)
Subject: IPSec w/GRE or IPinIP Tunnels (Troubleshooting)
I am having some problems with my newly "IpSec'd" tunnel... Do you have
experience working with these @#$% things?
A "debug crypto ipsec" shows that *SOME* of my IPinIP/GRE (I've tried it
both ways) packets are coming in w/o the IPSec wrapper. I have double
checked my crypto maps/access-lists for accuracy, but am having a hard time
determining why only some of the data isn't getting encrypted (my OSPF
packets are getting through just fine, but I can't ping or telnet).
My lab is connected to the internet if you would like to take a look for
yourself. Let me know if that would be helpful.
Basic Layout:
|-[3640B]--[other router]--[1605A]-|
^- IPinIP or GRE Tunnel -^
OSPF AS 50 runs on center router and connected interfaces of end routers.
OSPF AS 10 runs only on end routers' outside interfaces and the tunnel
interface.
No redistribution takes place between OSPF AS's.
I show complete routing tables on both ends in OSPF AS 10.
I can ping from either tunnel interface to the other end.
I cannot ping the other end of the tunnel using the outside interfaces as
the source.
debug crypto ipsec:
Feb 5 18:52:33.867: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an
IPSEC packet.
(ip) dest_addr= 10.254.253.2, src_addr= 10.254.254.1, prot= 47
Feb 5 18:56:47.816: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an
IPSEC packet.
(ip) dest_addr= 10.254.253.2, src_addr= 10.254.254.1, prot= 47
Code Summary:
****** 1605A ******
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key MYCRYPTOKEY address 10.254.254.1
!
!
crypto ipsec transform-set ZERO_ONE esp-des esp-md5-hmac
 mode transport
!
crypto map ZERO_ONE_MAP 10 ipsec-isakmp
 set peer 10.254.254.1
 set transform-set ZERO_ONE
 set pfs group2
 match address 106
!
interface Tunnel0
 ip address 10.250.250.2 255.255.255.0
 tunnel source 10.254.253.2
 tunnel destination 10.254.254.1
 crypto map ZERO_ONE_MAP
!
interface Ethernet0
 ip address 10.254.253.2 255.255.255.0
 crypto map ZERO_ONE_MAP
!
interface Ethernet1
 ip address 10.1.10.1 255.255.255.0
!
router ospf 10
 network 10.1.10.0 0.0.0.255 area 1
 network 10.250.250.0 0.0.0.255 area 1
!
access-list 105 permit ipinip host 10.254.253.2 host 10.254.254.1
access-list 105 permit ipinip host 10.254.254.1 host 10.254.253.2
access-list 106 permit gre host 10.254.253.2 host 10.254.254.1
access-list 106 permit gre host 10.254.254.1 host 10.254.253.2
!
****** 3640B ******
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key MYCRYPTOKEY address 10.254.253.2
!
!
crypto ipsec transform-set ZERO_ONE esp-des esp-md5-hmac
 mode transport
!
crypto map ZERO_ONE_MAP 10 ipsec-isakmp
 set peer 10.254.253.2
 set transform-set ZERO_ONE
 set pfs group2
 match address 106
!
interface Tunnel0
 ip address 10.250.250.1 255.255.255.0
 tunnel source 10.254.254.1
 tunnel destination 10.254.253.2
 crypto map ZERO_ONE_MAP
!
interface Ethernet0/0
 ip address 10.0.10.36 255.255.255.0
!
interface Ethernet0/1
 ip address 10.254.254.1 255.255.255.0
 crypto map ZERO_ONE_MAP
!
router ospf 10
 network 10.0.10.0 0.0.0.255 area 1
 network 10.250.250.0 0.0.0.255 area 1
!
access-list 105 permit ipinip host 10.254.253.2 host 10.254.254.1
access-list 105 permit ipinip host 10.254.254.1 host 10.254.253.2
access-list 106 permit gre host 10.254.253.2 host 10.254.254.1
access-list 106 permit gre host 10.254.254.1 host 10.254.253.2
!
***** End Code ******
Thank you,
Jason T. Rohm
Sr. Network Engineer
Wire Technologies, Inc
jtrohm@wiretech-inc.com
(920) 766-5172
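Added example (not from either poster): a small evaluator of the crypto-ACL classification behind the %CRYPTO-4-RECVD_PKT_NOT_IPSEC lines in Jason's debug and the ACL choice Rob's reply turns on. It parses the "(ip) dest_addr= ... prot= ..." detail line and the "access-list ... permit <proto> host A host B" entries quoted above, and reports whether the cleartext packet falls inside the crypto ACL, which is why the receiving router refuses it. The function names are the example's own; the sample input is copied from the thread.

```python
import ipaddress
import re
from dataclasses import dataclass

# Protocol keywords used in the thread's ACLs, mapped to IP protocol numbers (None = any).
PROTO_NUMBERS = {"gre": 47, "ipinip": 4, "ip": None}

@dataclass(frozen=True)
class AclEntry:
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def _address(tokens, i):
    """Consume one ACL address spec (host A | any | A wildcard) starting at tokens[i]."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2      # bare address -> /32
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # 'address wildcard': ipaddress accepts a hostmask (wildcard) as the mask in a tuple
    return ipaddress.ip_network((tokens[i], tokens[i + 1]), strict=False), i + 2

def parse_acl_line(line):
    """Parse 'access-list N permit <proto> <src> <dst>' into an AclEntry."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "permit":
        raise ValueError(f"unsupported ACL line: {line!r}")
    src, i = _address(t, 4)
    dst, _ = _address(t, i)
    return AclEntry(t[3], src, dst)

def acl_permits(acl, proto_num, src, dst):
    """True if any entry matches the (protocol, source, destination) triple."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in acl:
        want = PROTO_NUMBERS[e.proto]
        if (want is None or want == proto_num) and s in e.src and d in e.dst:
            return True
    return False

LOG_RE = re.compile(r"dest_addr= (\S+), src_addr= (\S+), prot= (\d+)")

def classify_cleartext(log_lines, acl_lines):
    """For each RECVD_PKT_NOT_IPSEC detail line, say whether the crypto ACL claims it."""
    acl = [parse_acl_line(l) for l in acl_lines]
    out = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            dst, src, proto = m.group(1), m.group(2), int(m.group(3))
            out.append((src, dst, proto, acl_permits(acl, proto, src, dst)))
    return out

# Sample input copied from the thread: ACL 106 (GRE) and the debug's (ip) detail line.
ACL_106 = ["access-list 106 permit gre host 10.254.253.2 host 10.254.254.1",
           "access-list 106 permit gre host 10.254.254.1 host 10.254.253.2"]
DEBUG = ["(ip) dest_addr= 10.254.253.2, src_addr= 10.254.254.1, prot= 47"]
```

A True result means the receiver's map expected ESP for that flow and dropped the cleartext GRE; running the same lines against ACL 105 (ipinip) gives False, which is the mismatch to look for when the tunnel mode and the crypto ACL do not agree.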
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:37 GMT-3