RE: IPSec w/GRE or IPinIP Tunnels (Troubleshooting)

From: Jason T. Rohm (jtrohm@xxxxxxxxxxx)
Date: Tue Feb 06 2001 - 00:49:38 GMT-3


I got mine working... send me your code... I'll look it over.

-Jason

-----Original Message-----
From: Erick B. [mailto:erickbe@yahoo.com]
Sent: Monday, February 05, 2001 9:37 PM
To: Rob Webber; 'Jason T. Rohm'; 'Kyle Galusha'
Cc: 'CCIELIST (E-mail)'
Subject: RE: IPSec w/GRE or IPinIP Tunnels (Troubleshooting)

Rob,

I've been studying IPSec with similar configs and am
experiencing the same as Jason. My traffic is getting
encrypted (show crypto ipsec sa) and my access-list
permits all ip traffic for the crypto map. I did
modify mine to use the local-address and loopbacks for
IPSec and same results. 12.0(7)T code.

I cannot ping my tunnel interfaces, and I have RIP
announcing networks (unicast) on one router over the
tunnel. The rip debugs show the rip packet going to
the remote address and no errors. The remote router
sees no RIP coming in. I'm not seeing any IPSec
errors at all and the encrypted packet counters are
going up.

Hmm. Going by samples and everything looks peachy.

Thanks,
Erick

--- Rob Webber <rwebber@callisma.com> wrote:
> Jason,
>
> When I've done this, I've created the GRE tunnel
> between the "outermost"
> interfaces (the interfaces actually closest to each
> other). I'm assuming
> this is the case with what I see in your configs.
>
> Then I have run the IPSec tunnel between the
> loopback interfaces on each
> router. You'll need the "crypto map mymap
> local-address Loopback0" command
> (as well as changing your set peer and isakmp key
> commands). Keep the map
> statement on the physical and tunnel interfaces -
> just as you have it. I've
> had pretty good luck this way.
>
> Rob.
>
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com]On Behalf Of
> Jason T. Rohm
> Sent: Monday, February 05, 2001 8:07 PM
> To: 'Kyle Galusha'
> Cc: CCIELIST (E-mail)
> Subject: IPSec w/GRE or IPinIP Tunnels
> (Troubleshooting)
>
>
> I am having some problems with my newly "IpSec'd"
> tunnel... Do you have
> experience working with these @#$% things?
>
> A "debug crypto ipsec" shows that *SOME* of my
> IPinIP/GRE (I've tried it
> both ways) packets are coming in w/o the IPSec
> wrapper. I have double
> checked my crypto maps/access-lists for accuracy,
> but am having a hard time
> determining why only some of the data isn't getting
> encrypted (my OSPF
> packets are getting through just fine, but I can't
> ping or telnet).
>
> My lab is connected to the internet if you would
> like to take a look for
> yourself. Let me know if that would be helpful.
>
> Basic Layout:
>
> |-[3640B]--[other router]--[1605A]-|
> ^- IPinIP or GRE Tunnel -^
>
> OSPF AS 50 runs on center router and connected
> interfaces of end routers.
> OSPF AS 10 runs only on end routers' outside
> interfaces and the tunnel
> interface.
> No redistribution takes place between OSPF AS's.
>
> I show complete routing tables on both ends in OSPF
> AS 10.
> I can ping from either tunnel interface to the other
> end.
> I cannot ping the other end of the tunnel using the
> outside interfaces as
> the source.
>
> debug crypto ipsec:
>
> Feb 5 18:52:33.867: %CRYPTO-4-RECVD_PKT_NOT_IPSEC:
> Rec'd packet not an
> IPSEC packet.
> (ip) dest_addr= 10.254.253.2, src_addr=
> 10.254.254.1, prot= 47
> Feb 5 18:56:47.816: %CRYPTO-4-RECVD_PKT_NOT_IPSEC:
> Rec'd packet not an
> IPSEC packet.
> (ip) dest_addr= 10.254.253.2, src_addr=
> 10.254.254.1, prot= 47
>
> Code Summary:
>
> ****** 1605A ******
> !
> crypto isakmp policy 10
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key MYCRYPTOKEY address 10.254.254.1
> !
> !
> crypto ipsec transform-set ZERO_ONE esp-des
> esp-md5-hmac
> mode transport
> !
> crypto map ZERO_ONE_MAP 10 ipsec-isakmp
> set peer 10.254.254.1
> set transform-set ZERO_ONE
> set pfs group2
> match address 106
> !
> interface Tunnel0
> ip address 10.250.250.2 255.255.255.0
> tunnel source 10.254.253.2
> tunnel destination 10.254.254.1
> crypto map ZERO_ONE_MAP
> !
> interface Ethernet0
> ip address 10.254.253.2 255.255.255.0
> crypto map ZERO_ONE_MAP
> !
> interface Ethernet1
> ip address 10.1.10.1 255.255.255.0
> !
> router ospf 10
> network 10.1.10.0 0.0.0.255 area 1
> network 10.250.250.0 0.0.0.255 area 1
> !
> access-list 105 permit ipinip host 10.254.253.2 host
> 10.254.254.1
> access-list 105 permit ipinip host 10.254.254.1 host
> 10.254.253.2
> access-list 106 permit gre host 10.254.253.2 host
> 10.254.254.1
> access-list 106 permit gre host 10.254.254.1 host
> 10.254.253.2
> !
>
> ****** 3640B ******
>
> crypto isakmp policy 10
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key MYCRYPTOKEY address 10.254.253.2
> !
> !
> crypto ipsec transform-set ZERO_ONE esp-des
> esp-md5-hmac
> mode transport
> !
> crypto map ZERO_ONE_MAP 10 ipsec-isakmp
> set peer 10.254.253.2
> set transform-set ZERO_ONE
> set pfs group2
> match address 106
> !
> interface Tunnel0
> ip address 10.250.250.1 255.255.255.0
> tunnel source 10.254.254.1
> tunnel destination 10.254.253.2
> crypto map ZERO_ONE_MAP
> !
> interface Ethernet0/0
> ip address 10.0.10.36 255.255.255.0
> !
> interface Ethernet0/1
> ip address 10.254.254.1 255.255.255.0
> crypto map ZERO_ONE_MAP
> !
> router ospf 10
> network 10.0.10.0 0.0.0.255 area 1
> network 10.250.250.0 0.0.0.255 area 1
> !
> access-list 105 permit ipinip host 10.254.253.2 host
> 10.254.254.1
> access-list 105 permit ipinip host 10.254.254.1 host
> 10.254.253.2
> access-list 106 permit gre host 10.254.253.2 host
> 10.254.254.1
> access-list 106 permit gre host 10.254.254.1 host
> 10.254.253.2
> !
>
> ***** End Code ******
>
> Thank you,
>
> Jason T. Rohm
> Sr. Network Engineer
> Wire Technologies, Inc
> jtrohm@wiretech-inc.com
> (920) 766-5172

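The debug output Jason quoted is the kind of thing a small triage script can sort out. The Python below is an added example, not code from the thread or from Cisco IOS: it parses %CRYPTO-4-RECVD_PKT_NOT_IPSEC messages in the two-line form shown above and checks each reported packet, with first-match semantics, against the crypto ACL the crypto map references. That separates the case where the peer emitted in the clear a flow the local ACL says must arrive protected (look at the remote crypto map, its ACL, and where the map is applied) from the case where the local ACL never selected the flow at all (for example an ipinip ACL while the tunnel is running GRE). The ACL regex, the protocol-name table, the verdict labels and the mirror check are my assumptions, and the sample config and log text are constructed from the posted 1605A config; the second sample event deliberately uses protocol 4 (IPinIP), which does not appear in the posted debug, so that both verdicts show up.

```python
"""
Added example (not from the original thread or from IOS): triage
%CRYPTO-4-RECVD_PKT_NOT_IPSEC messages against the crypto ACL that the
crypto map references.

Assumptions: crypto ACL entries use the "access-list N permit <proto>
host A host B" form seen in the posted configs; the log message is the
two-line form shown in the thread; the protocol table is constructed.
"""
import re
from typing import List, Optional

# IOS protocol keywords used in crypto ACLs -> IP protocol numbers (constructed table)
PROTO_NUMBERS = {"ip": None, "gre": 47, "ipinip": 4, "esp": 50, "ahp": 51,
                 "tcp": 6, "udp": 17, "icmp": 1}

ACL_RE = re.compile(
    r"access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+host\s+(\S+)\s+host\s+(\S+)")

# The message is logged as two lines: the %CRYPTO line, then the (ip) tuple.
LOG_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d+\s+[\d:.]+):\s*%CRYPTO-4-RECVD_PKT_NOT_IPSEC:[^\n]*\n"
    r"\s*\(ip\)\s*dest_addr=\s*(?P<dst>\S+),\s*src_addr=\s*(?P<src>\S+),\s*prot=\s*(?P<proto>\d+)")


def parse_crypto_acl(config_text: str, acl_number: str) -> List[dict]:
    """Return the entries of one numbered ACL, in configured order."""
    entries = []
    for line in config_text.splitlines():
        m = ACL_RE.search(line)
        if m and m.group(1) == acl_number:
            kw = m.group(3).lower()
            proto = int(kw) if kw.isdigit() else PROTO_NUMBERS[kw]
            entries.append({"action": m.group(2), "proto": proto,
                            "src": m.group(4), "dst": m.group(5)})
    return entries


def parse_not_ipsec_events(log_text: str) -> List[dict]:
    """Extract timestamp, src, dst and protocol from each RECVD_PKT_NOT_IPSEC message."""
    return [{"ts": m["ts"], "src": m["src"], "dst": m["dst"], "proto": int(m["proto"])}
            for m in LOG_RE.finditer(log_text)]


def first_match(entries: List[dict], pkt: dict) -> Optional[dict]:
    """First-match semantics, the way an IOS access list is evaluated."""
    for e in entries:
        if (e["src"] == pkt["src"] and e["dst"] == pkt["dst"]
                and (e["proto"] is None or e["proto"] == pkt["proto"])):
            return e
    return None


def classify(entries: List[dict], pkt: dict) -> str:
    """
    PEER_SENT_CLEARTEXT: the local ACL says this flow must arrive inside
        IPsec, so the remote side sent it unprotected.
    NOT_COVERED: the local ACL never selects this flow (wrong protocol
        keyword for the tunnel mode, or simply traffic outside the policy).
    """
    e = first_match(entries, pkt)
    if e is not None and e["action"] == "permit":
        return "PEER_SENT_CLEARTEXT"
    return "NOT_COVERED"


def missing_mirror_entries(entries: List[dict]) -> List[dict]:
    """Permit entries with no reverse (dst->src) counterpart; a crypto ACL needs both."""
    permits = [e for e in entries if e["action"] == "permit"]
    return [e for e in permits
            if not any(r["src"] == e["dst"] and r["dst"] == e["src"]
                       and r["proto"] == e["proto"] for r in permits)]


def triage(config_text: str, acl_number: str, log_text: str) -> List[dict]:
    """Attach a verdict to every RECVD_PKT_NOT_IPSEC event in log_text."""
    entries = parse_crypto_acl(config_text, acl_number)
    return [dict(pkt, verdict=classify(entries, pkt))
            for pkt in parse_not_ipsec_events(log_text)]


# Constructed sample input, modeled on the 1605A config and debug posted above.
SAMPLE_CONFIG = """\
access-list 105 permit ipinip host 10.254.253.2 host 10.254.254.1
access-list 105 permit ipinip host 10.254.254.1 host 10.254.253.2
access-list 106 permit gre host 10.254.253.2 host 10.254.254.1
access-list 106 permit gre host 10.254.254.1 host 10.254.253.2
"""

# Second event uses prot=4 (IPinIP), which is not in the posted debug; it is
# constructed to exercise the NOT_COVERED verdict for ACL 106.
SAMPLE_DEBUG = """\
Feb 5 18:52:33.867: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 10.254.253.2, src_addr= 10.254.254.1, prot= 47
Feb 5 18:56:47.816: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= 10.254.253.2, src_addr= 10.254.254.1, prot= 4
"""

if __name__ == "__main__":
    for r in triage(SAMPLE_CONFIG, "106", SAMPLE_DEBUG):
        print(f"{r['ts']} {r['src']} -> {r['dst']} proto {r['proto']}: {r['verdict']}")
    print("unmirrored entries:", missing_mirror_entries(parse_crypto_acl(SAMPLE_CONFIG, "106")))
```

Run it against a saved "debug crypto ipsec" capture and the running config; a PEER_SENT_CLEARTEXT verdict for GRE (protocol 47) between the tunnel endpoints, as in the posted log, means the receiving router's policy is fine and the sending router is the one to inspect.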


This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:38 GMT-3