RE: More IPSec probs...

From: David A. Mack (mackd@xxxxxxxxxx)
Date: Sat Feb 24 2001 - 12:25:51 GMT-3


I would also look at which protocol to match in the crypto access-list. In
this case you are encrypting GRE tunnels, so you want to match on gre
instead of ip. I have seen references on CCO and Networkers presentations
that state that you should use transport mode for ESP rather than the default
tunnel mode when encrypting GRE tunnels since they are already tunneled. You
can set this in the transform set.

HTH,
Dave

David A. Mack
Network Engineer
Fairfax, VA 22033
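
Putting the two suggestions from this thread together (Fabricio's: the crypto access-lists have source and destination reversed; Dave's: match gre rather than ip, and use ESP transport mode for GRE), this is what Router1's crypto section would look like. This is an added illustration, not configuration from the original post or from Cisco documentation; it keeps the posted names and addresses (crypmap, transform-set cisco, peers 10.1.1.1 and 10.1.1.4) and assumes the rest of the posted config is unchanged.

```cisco
! Added example (not from the original post): Router1's crypto pieces with the
! two corrections discussed in the thread. Router2 mirrors it with the
! addresses reversed. All other lines of the posted configs stay as they are.
!
! Crypto ACL: written from the local router's point of view (local source,
! remote destination), and matching the GRE packets between the tunnel
! endpoints rather than all IP. The posted ACL had the hosts the wrong way
! round and matched ip.
access-list 100 permit gre host 10.1.1.1 host 10.1.1.4
!
! Transform set: GRE already provides the tunnel, so protect it with ESP in
! transport mode instead of the default tunnel mode.
crypto ipsec transform-set cisco esp-des esp-md5-hmac
 mode transport
!
crypto map crypmap 15 ipsec-isakmp
 set peer 10.1.1.4
 set transform-set cisco
 match address 100
!
! Router2 gets the mirror image of the access list:
!   access-list 100 permit gre host 10.1.1.4 host 10.1.1.1
```

Once traffic actually crosses the tunnel (the IPX networks on 1441 are the only thing routed over it in the posted configs), `show crypto engine connections active`, the command Fabricio mentions, should show the SA with non-zero encrypt/decrypt counters; with nothing sent through the GRE tunnel, no ISAKMP negotiation is ever triggered.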

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Fabricio Aponte
Sent: Saturday, February 24, 2001 9:29 AM
To: 'fwells12'; ccielab@groupstudy.com
Subject: RE: More IPSec probs...

Your access lists are switched (source destination/destination source)

I would get IP to work first and then I would worry about IPX. (don't worry
about your tunnel interface)

show cry engine connections active is a command that will tell you if you
are encrypting or not.

Regards,

Fabricio

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
fwells12
Sent: Saturday, February 24, 2001 2:01 AM
To: ccielab@groupstudy.com
Subject: More IPSec probs...

Guys,
I am trying to run IPSec between two routers over a frame cloud using
tunnels. I cannot get the isakmp security associations to register,
and thus no traffic is being encrypted. Please give my configs the once
over and see if you can see anything wrong with them. I have tried
using a number of permutations of the access-lists and nothing has
worked. You will notice I have IPX networks at each end of the network.
I would like to encrypt that traffic too.

I have debug running on ipsec/isakmp/engine and nothing is being
registered. I guess I have the configs close but...

Router1:
-----------
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key tunnel address 10.1.1.4 255.0.0.0
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map crypmap 15 ipsec-isakmp
 set peer 10.1.1.4
 set transform-set cisco
 match address 100
!
interface Tunnel4
 no ip address
 ipx network 1441
 tunnel source Serial0
 tunnel destination 10.1.1.4
 crypto map crypmap
!
interface Ethernet0
 mac-address 0001.0001.0001
 ip address 1.1.1.1 255.0.0.0
 no ip mroute-cache
 no keepalive
 ipx network 11
!
interface Serial0
 ip address 10.1.1.1 255.0.0.0
 ip access-group 101 in
 encapsulation frame-relay
 no ip mroute-cache
 frame-relay lmi-type ansi
 crypto map crypmap
!
ip route 4.4.4.4 255.255.255.255 10.1.1.4
!
access-list 100 permit ip host 10.1.1.4 host 10.1.1.1

Router2:
------------
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key tunnel address 10.1.1.1 255.0.0.0
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map crypmap 15 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set cisco
 match address 100
!
interface Tunnel1
 no ip address
 ipx network 1441
 tunnel source Serial0
 tunnel destination 10.1.1.1
 crypto map crypmap
!
interface Ethernet0
 mac-address 0004.0004.0004
 ip address 4.4.4.4 255.0.0.0
 no ip mroute-cache
 no keepalive
 ipx network 44
 no cdp enable
!
interface Serial0
 ip address 10.1.1.4 255.0.0.0
 ip access-group 101 in
 encapsulation frame-relay
 no ip mroute-cache
 no fair-queue
 frame-relay lmi-type ansi
 crypto map crypmap
!
ip route 1.1.1.1 255.255.255.255 10.1.1.1
!
access-list 100 permit ip host 10.1.1.1 host 10.1.1.4



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:59 GMT-3