From: fwells12 (fwells12@xxxxxxxxxxx)
Date: Sun Feb 25 2001 - 04:12:34 GMT-3
You hit the nail on the head Scott. Thanks a lot.
For those of you that are interested, the following final configs are
encrypting both IP and IPX through a GRE tunnel which spans a frame-relay
WAN.
Router1:
-----------
crypto isakmp policy 10
authentication pre-share
crypto isakmp key tunnel address 10.1.1.4 255.0.0.0
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map crypmap 15 ipsec-isakmp
set peer 10.1.1.4
set transform-set cisco
match address 100
!
interface Tunnel4
no ip address
ipx network 1441
tunnel source Serial0
tunnel destination 10.1.1.4
crypto map crypmap
!
interface Ethernet0
mac-address 0001.0001.0001
ip address 1.1.1.1 255.0.0.0
no ip mroute-cache
no keepalive
ipx network 11
!
interface Serial0
ip address 10.1.1.1 255.0.0.0
encapsulation frame-relay
no ip mroute-cache
frame-relay lmi-type ansi
crypto map crypmap
!
ip route 4.4.4.4 255.255.255.255 10.1.1.4
!
access-list 100 permit ip host 10.1.1.1 host 10.1.1.4
Router2:
------------
crypto isakmp policy 10
authentication pre-share
crypto isakmp key tunnel address 10.1.1.1 255.0.0.0
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map crypmap 15 ipsec-isakmp
set peer 10.1.1.1
set transform-set cisco
match address 100
!
interface Tunnel1
no ip address
ipx network 1441
tunnel source Serial0
tunnel destination 10.1.1.1
crypto map crypmap
!
interface Ethernet0
mac-address 0004.0004.0004
ip address 4.4.4.4 255.0.0.0
no ip mroute-cache
no keepalive
ipx network 44
no cdp enable
!
interface Serial0
ip address 10.1.1.4 255.0.0.0
encapsulation frame-relay
no ip mroute-cache
no fair-queue
frame-relay lmi-type ansi
crypto map crypmap
!
ip route 1.1.1.1 255.255.255.255 10.1.1.1
!
access-list 100 permit ip host 10.1.1.4 host 10.1.1.1
----- Original Message -----
From: Scott Morris <smorris@mentortech.com>
To: 'fwells12' <fwells12@hotmail.com>
Sent: Saturday, February 24, 2001 12:30 PM
Subject: RE: More IPSec probs...
> Change the ACLs from Router 1 to Router 2, you have them backwards!
>
> Scott
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> fwells12
> Sent: Saturday, February 24, 2001 3:01 AM
> To: ccielab@groupstudy.com
> Subject: More IPSec probs...
>
>
> Guys,
> I am trying to run IPSec between two routers over a frame cloud using
> tunnels. I cannot get the isakmp security associations to register,
> and thus no traffic is being encrypted. Please give my configs the once
> over and see if you can see anything wrong with them. I have tried
> using a number of permutations of the access-lists and nothing has
> worked. You will notice I have IPX networks at each end of the network.
> I would like to encrypt that traffic too.
>
> I have debug running on ipsec/isakmp/engine and nothing is being
> registered. I guess I have the configs close but...
>
> Router1:
> -----------
> crypto isakmp policy 10
> authentication pre-share
> crypto isakmp key tunnel address 10.1.1.4 255.0.0.0
> !
> !
> crypto ipsec transform-set cisco esp-des esp-md5-hmac
> !
> crypto map crypmap 15 ipsec-isakmp
> set peer 10.1.1.4
> set transform-set cisco
> match address 100
> !
> interface Tunnel4
> no ip address
> ipx network 1441
> tunnel source Serial0
> tunnel destination 10.1.1.4
> crypto map crypmap
> !
> interface Ethernet0
> mac-address 0001.0001.0001
> ip address 1.1.1.1 255.0.0.0
> no ip mroute-cache
> no keepalive
> ipx network 11
> !
> interface Serial0
> ip address 10.1.1.1 255.0.0.0
> ip access-group 101 in
> encapsulation frame-relay
> no ip mroute-cache
> frame-relay lmi-type ansi
> crypto map crypmap
> !
> ip route 4.4.4.4 255.255.255.255 10.1.1.4
> !
> access-list 100 permit ip host 10.1.1.4 host 10.1.1.1
>
>
> Router2:
> ------------
> crypto isakmp policy 10
> authentication pre-share
> crypto isakmp key tunnel address 10.1.1.1 255.0.0.0
> !
> !
> crypto ipsec transform-set cisco esp-des esp-md5-hmac
> !
> crypto map crypmap 15 ipsec-isakmp
> set peer 10.1.1.1
> set transform-set cisco
> match address 100
> !
> interface Tunnel1
> no ip address
> ipx network 1441
> tunnel source Serial0
> tunnel destination 10.1.1.1
> crypto map crypmap
> !
> interface Ethernet0
> mac-address 0004.0004.0004
> ip address 4.4.4.4 255.0.0.0
> no ip mroute-cache
> no keepalive
> ipx network 44
> no cdp enable
> !
> interface Serial0
> ip address 10.1.1.4 255.0.0.0
> ip access-group 101 in
> encapsulation frame-relay
> no ip mroute-cache
> no fair-queue
> frame-relay lmi-type ansi
> crypto map crypmap
> !
> ip route 1.1.1.1 255.255.255.255 10.1.1.1
> !
> access-list 100 permit ip host 10.1.1.1 host 10.1.1.4
>
>
>
>
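The difference between the failing and working configs in this thread is the direction of the crypto ACL: its source must be an address on the local router and its destination the `set peer` address. The Python check below is an added example, not part of the original thread; the function name `crypto_acl_problems` and the trimmed sample configs are constructed for illustration, and it assumes ACL entries of the form `permit ip host A host B` only.

```python
import re

ACL_RE = re.compile(r"^access-list (\d+) permit ip host (\S+) host (\S+)", re.M)
MAP_ACL_RE = re.compile(r"^\s*match address (\d+)", re.M)
PEER_RE = re.compile(r"^\s*set peer (\S+)", re.M)
IP_RE = re.compile(r"^\s*ip address (\S+) \S+", re.M)  # skips "no ip address"

def crypto_acl_problems(config):
    """Return findings for the ACLs referenced by crypto maps in one config."""
    local = set(IP_RE.findall(config))        # addresses owned by this router
    peers = set(PEER_RE.findall(config))      # 'set peer' targets
    wanted = set(MAP_ACL_RE.findall(config))  # ACL numbers used by crypto maps
    problems = []
    for num, src, dst in ACL_RE.findall(config):
        if num not in wanted:
            continue  # not a crypto ACL, ignore
        if src not in local:
            problems.append(f"acl {num}: source {src} is not a local address")
        if dst not in peers:
            problems.append(f"acl {num}: destination {dst} is not the crypto peer")
    return problems

# Constructed sample: trimmed from the Router1 config in the thread.
# Only the access-list line differs between the two variants.
ROUTER1 = """\
crypto map crypmap 15 ipsec-isakmp
 set peer 10.1.1.4
 match address 100
interface Tunnel4
 no ip address
interface Serial0
 ip address 10.1.1.1 255.0.0.0
 crypto map crypmap
{acl}
"""
BROKEN = ROUTER1.format(acl="access-list 100 permit ip host 10.1.1.4 host 10.1.1.1")
FIXED = ROUTER1.format(acl="access-list 100 permit ip host 10.1.1.1 host 10.1.1.4")

if __name__ == "__main__":
    for name, cfg in (("original", BROKEN), ("final", FIXED)):
        print(name, crypto_acl_problems(cfg) or "ok")
```
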