From: Erick B. (erickbe@xxxxxxxxx)
Date: Tue Feb 06 2001 - 01:45:01 GMT-3
Jason and others,
Here they are.
I tried gre and ipip tunnel modes, added no ip
route-cache to both tunnels, changed groups and hash,
changed from PPP to HDLC and some other things with
same result.
Debug ip packet on both routers shows sending... but I
don't receive anything.
Thanks for looking at this.
Router 3:
crypto isakmp policy 10
authentication pre-share
crypto isakmp key mykey address 5.5.5.5
!
crypto ipsec transform-set r3 esp-des esp-sha-hmac
!
crypto map gre local-address Loopback0
crypto map gre 10 ipsec-isakmp
set peer 5.5.5.5
set transform-set r3
match address 101
!
interface Loopback0
ip address 3.3.3.3 255.255.255.0
no ip directed-broadcast
!
interface Tunnel1
ip address 10.10.10.3 255.255.255.0
no ip directed-broadcast
tunnel source 1.1.1.3
tunnel destination 1.1.1.5
tunnel mode ipip
crypto map gre
!
interface Serial0/1
ip address 1.1.1.3 255.255.255.0
no ip directed-broadcast
encapsulation ppp
clockrate 2000000
crypto map gre
!
router rip
network 10.0.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.5
!
access-list 101 permit ip any any
!
Router 5:
crypto isakmp policy 10
authentication pre-share
crypto isakmp key mykey address 3.3.3.3
!
crypto ipsec transform-set r5 esp-des esp-sha-hmac
!
crypto map gre local-address Loopback0
crypto map gre 10 ipsec-isakmp
set peer 3.3.3.3
set transform-set r5
match address 101
!
interface Loopback0
ip address 5.5.5.5 255.255.255.0
no ip directed-broadcast
!
interface Loopback2
ip address 20.20.20.1 255.255.255.0
no ip directed-broadcast
!
interface Tunnel1
ip address 10.10.10.5 255.255.255.0
no ip directed-broadcast
tunnel source 1.1.1.5
tunnel destination 1.1.1.3
tunnel mode ipip
crypto map gre
!
interface Serial0/1
ip address 1.1.1.5 255.255.255.0
no ip directed-broadcast
encapsulation ppp
crypto map gre
!
router rip
passive-interface Serial0/1
passive-interface Tunnel1
network 10.0.0.0
network 20.0.0.0
neighbor 10.10.10.3
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.3
!
access-list 101 permit ip any any
--- "Jason T. Rohm" <jtrohm@athenet.net> wrote:
> I got mine working... send me your code... I'll look
> it over.
>
> -Jason
>
> -----Original Message-----
> From: Erick B. [mailto:erickbe@yahoo.com]
> Sent: Monday, February 05, 2001 9:37 PM
> To: Rob Webber; 'Jason T. Rohm'; 'Kyle Galusha'
> Cc: 'CCIELIST (E-mail)'
> Subject: RE: IPSec w/GRE or IPinIP Tunnels
> (Troubleshooting)
>
>
> Rob,
>
> I've been studying IPSec with similar configs and am
> experiencing the same as Jason. My traffic is getting
> encrypted (show crypto ipsec sa) and my access-list
> permits all ip traffic for the crypto map. I did
> modify mine to use the local-address and loopbacks for
> IPSec and same results. 12.0(7)T code.
>
> I can not ping my tunnel interfaces, and I have RIP
> announcing networks (unicast) on one router over the
> tunnel. The rip debugs show the rip packet going to
> the remote address and no errors. The remote router
> sees no RIP coming in. I'm not seeing any IPSec
> errors at all and the encrypted packet counters are
> going up.
>
> Hmm. Going by samples and everything looks peachy.
>
> Thanks,
> Erick
>
> --- Rob Webber <rwebber@callisma.com> wrote:
> > Jason,
> >
> > When I've done this, I've created the GRE tunnel
> > between the "outermost" interfaces (the interfaces
> > actually closest to each other). I'm assuming this is
> > the case with what I see in your configs.
> >
> > Then I have run the IPSec tunnel between the loopback
> > interfaces on each router. You'll need the "crypto map
> > mymap local-address Loopback0" command (as well as
> > changing your set peer and isakmp key commands). Keep
> > the map statement on the physical and tunnel
> > interfaces - just as you have it. I've had pretty good
> > luck this way.
> >
> > Rob.
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com
> > [mailto:nobody@groupstudy.com]On Behalf Of
> > Jason T. Rohm
> > Sent: Monday, February 05, 2001 8:07 PM
> > To: 'Kyle Galusha'
> > Cc: CCIELIST (E-mail)
> > Subject: IPSec w/GRE or IPinIP Tunnels
> > (Troubleshooting)
> >
> >
> > I am having some problems with my newly "IpSec'd"
> > tunnel... Do you have experience working with these
> > @#$% things?
> >
> > A "debug crypto ipsec" shows that *SOME* of my
> > IPinIP/GRE (I've tried it both ways) packets are
> > coming in w/o the IPSec wrapper. I have double checked
> > my crypto maps/access-lists for accuracy, but am
> > having a hard time determining why only some of the
> > data isn't getting encrypted (my OSPF packets are
> > getting through just fine, but I can't ping or telnet).
> >
> > My lab is connected to the internet if you would
> > like to take a look for
> > yourself. Let me know if that would be helpful.
> >
> > Basic Layout:
> >
> > |-[3640B]--[other router]--[1605A]-|
> > ^- IPinIP or GRE Tunnel -^
> >
> > OSPF AS 50 runs on center router and connected
> > interfaces of end routers.
> > OSPF AS 10 runs only on end routers' outside
> > interfaces and the tunnel
> > interface.
> > No redistribution takes place between OSPF AS's.
> >
> > I show complete routing tables on both ends in OSPF
> > AS 10.
> > I can ping from either tunnel interface to the other
> > end.
> > I cannot ping the other end of the tunnel using the
> > outside interfaces as the source.
> >
> > debug crypto ipsec:
> >
> > Feb 5 18:52:33.867: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
> > (ip) dest_addr= 10.254.253.2, src_addr= 10.254.254.1, prot= 47
> > Feb 5 18:56:47.816: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
> > (ip) dest_addr= 10.254.253.2, src_addr= 10.254.254.1, prot= 47
> >
> > Code Summary:
> >
> > ****** 1605A ******
> > !
> > crypto isakmp policy 10
> > hash md5
> > authentication pre-share
> > group 2
> > crypto isakmp key MYCRYPTOKEY address 10.254.254.1
> > !
> > !
> > crypto ipsec transform-set ZERO_ONE esp-des esp-md5-hmac
> > mode transport
> > !
> > crypto map ZERO_ONE_MAP 10 ipsec-isakmp
> > set peer 10.254.254.1
> > set transform-set ZERO_ONE
> > set pfs group2
> > match address 106
> > !
> > interface Tunnel0
> > ip address 10.250.250.2 255.255.255.0
> > tunnel source 10.254.253.2
> > tunnel destination 10.254.254.1
> > crypto map ZERO_ONE_MAP
> > !
> > interface Ethernet0
> > ip address 10.254.253.2 255.255.255.0
> > crypto map ZERO_ONE_MAP
> > !
> > interface Ethernet1
> > ip address 10.1.10.1 255.255.255.0
> > !
> > router ospf 10
> > network 10.1.10.0 0.0.0.255 area 1
> > network 10.250.250.0 0.0.0.255 area 1
> > !
> > access-list 105 permit ipinip host 10.254.253.2 host 10.254.254.1
> > access-list 105 permit ipinip host 10.254.254.1 host 10.254.253.2
> > access-list 106 permit gre host 10.254.253.2 host 10.254.254.1
> > access-list 106 permit gre host 10.254.254.1 host 10.254.253.2
> > !
> >
> > ****** 3640B ******
> >
> > crypto isakmp policy 10
> > hash md5
> > authentication pre-share
> > group 2
> > crypto isakmp key MYCRYPTOKEY address 10.254.253.2
> > !
> > !
> > crypto ipsec transform-set ZERO_ONE esp-des esp-md5-hmac
> > mode transport
> > !
> > crypto map ZERO_ONE_MAP 10 ipsec-isakmp
> > set peer 10.254.253.2
> > set transform-set ZERO_ONE
> > set pfs group2
> > match address 106
> > !
> > interface Tunnel0
> > ip address 10.250.250.1 255.255.255.0
> > tunnel source 10.254.254.1
> > tunnel destination 10.254.253.2
> > crypto map ZERO_ONE_MAP
> > !
> > interface Ethernet0/0
> > ip address 10.0.10.36 255.255.255.0
> > !
> > interface Ethernet0/1
> > ip address 10.254.254.1 255.255.255.0
> > crypto map ZERO_ONE_MAP
> > !
> > router ospf 10
> > network 10.0.10.0 0.0.0.255 area 1
> > network 10.250.250.0 0.0.0.255 area 1
> > !
> > access-list 105 permit ipinip host 10.254.253.2 host 10.254.254.1
> > access-list 105 permit ipinip host 10.254.254.1 host 10.254.253.2
> > access-list 106 permit gre host 10.254.253.2 host 10.254.254.1
> > access-list 106 permit gre host 10.254.254.1 host 10.254.253.2
> > !
> >
> > ***** End Code ******
> >
> > Thank you,
> >
> > Jason T. Rohm
> > Sr. Network Engineer
> > Wire Technologies, Inc
> > jtrohm@wiretech-inc.com
> > (920) 766-5172
>
>
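A small Python check, added here and not part of the thread, for the fields Rob's reply says must line up once IPsec peers on loopbacks: each side's set peer and isakmp key address must equal the other side's local-address interface IP, and the transform-sets must match. It also flags the permit ip any any crypto ACL both posted configs use; the R3/R5 strings are constructed samples condensed from the Router 3 / Router 5 pastes above.

```python
import re

def parse_side(cfg):
    """Pull the IPsec peering fields out of one router's config (indentation optional)."""
    def field(pat):
        m = re.search(pat, cfg, re.M)
        return m.group(1) if m else None
    intf_ip = dict(re.findall(r"^\s*interface (\S+)\n\s*ip address (\S+)", cfg, re.M))
    return {
        # IP the IPsec SA is sourced from: the interface named by 'local-address'
        "local": intf_ip.get(field(r"^crypto map \S+ local-address (\S+)")),
        "peer": field(r"^\s*set peer (\S+)"),
        "key_addr": field(r"^crypto isakmp key \S+ address (\S+)"),
        "xform": field(r"^crypto ipsec transform-set \S+ (.+)$"),
        "any_any": field(r"^access-list (\d+) permit ip any any") is not None,
    }

def cross_check(na, ca, nb, cb):
    """Return mismatch descriptions for router pair (na, ca) / (nb, cb); empty means consistent."""
    a, b = parse_side(ca), parse_side(cb)
    problems = []
    for x, xn, y, yn in ((a, na, b, nb), (b, nb, a, na)):
        if x["peer"] != y["local"]:
            problems.append(f"{xn}: set peer {x['peer']} is not {yn}'s local-address {y['local']}")
        if x["key_addr"] != y["local"]:
            problems.append(f"{xn}: isakmp key address {x['key_addr']} is not {yn}'s local-address {y['local']}")
        if x["any_any"]:  # Cisco advises against 'any' in crypto ACLs; match the tunnel endpoints instead
            problems.append(f"{xn}: crypto ACL permits ip any any")
    if a["xform"] != b["xform"]:
        problems.append(f"transform-sets differ: {a['xform']} vs {b['xform']}")
    return problems

# Constructed sample pair, condensed from the Router 3 / Router 5 pastes in the thread.
R3 = """crypto isakmp key mykey address 5.5.5.5
crypto ipsec transform-set r3 esp-des esp-sha-hmac
crypto map gre local-address Loopback0
set peer 5.5.5.5
interface Loopback0
ip address 3.3.3.3 255.255.255.0
access-list 101 permit ip any any"""
R5 = """crypto isakmp key mykey address 3.3.3.3
crypto ipsec transform-set r5 esp-des esp-sha-hmac
crypto map gre local-address Loopback0
set peer 3.3.3.3
interface Loopback0
ip address 5.5.5.5 255.255.255.0
access-list 101 permit ip any any"""

if __name__ == "__main__":
    for p in cross_check("R3", R3, "R5", R5): print(p)
```

For the posted pair only the broad crypto ACL is reported, so the peering itself is consistent and the fault lies elsewhere; pointing an isakmp key address at a physical interface instead of the peer's loopback is caught immediately.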
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:38 GMT-3