From: Devender Singh (devender.singh@xxxxxxxxxxxxxx)
Date: Sun Feb 25 2001 - 22:51:50 GMT-3
I also tried to set up a GRE tunnel with IPsec and CET, but was unsuccessful.
I thought the trick here was to put the crypto map command on the tunnel interface and
the source interface.
R1 -S0------------S0- R2
1.) Tried a normal ip access-list and a GRE access-list, i.e.,
access-l 100 p gre ho <tunnel source ip add> ho <tunnel dest ip add>
and
access-l 100 p ip ho <tunnel source ip add> ho <tunnel dest ip addr>
2.) I tried the source interfaces as lo0 on both sides and also s0 on both sides
3.) Rebooted the router
4.) Tried configuring without tunnel interface, works fine.
5.) Platform is 2500, IOS is jos56 12.0(15)GD.
Did someone have this working? What am I missing? Any suggestions?
Devender Singh
BE(Hons), CCNP
IP Solution Specialist
-----Original Message-----
From: David A. Mack [mailto:mackd@cox.rr.com]
Sent: Sunday, 25 February 2001 4:00
To: 'Fabricio Aponte'; 'fwells12'; ccielab@groupstudy.com
Subject: RE: More IPSec probs...
I think that I would personally check the requirement. Is it to encrypt the
tunnel or is it to encrypt all IP traffic between the serial interfaces? I
agree with the layered approach and getting one thing working at a time. I
usually get the tunnel working first, then I encrypt it. However, you can do
it the other way around and get IPSec working first and then set up the tunnel,
with the caveat of checking the requirement for encryption.
My $0.02
Dave
David A. Mack
Network Engineer
Fairfax, VA 22033
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Fabricio Aponte
Sent: Saturday, February 24, 2001 11:19 AM
To: 'David A. Mack'; 'fwells12'; ccielab@groupstudy.com
Subject: RE: More IPSec probs...
I would add GRE and leave IP from serial to serial. This way, if you need
to test, all you have to do is clear crypto and ping from serial to serial
and your association should come up. If it doesn't, then you need to go back
and troubleshoot.
fabricio
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
David A. Mack
Sent: Saturday, February 24, 2001 9:26 AM
To: 'Fabricio Aponte'; 'fwells12'; ccielab@groupstudy.com
Subject: RE: More IPSec probs...
I would also look at which protocol to match in the crypto access-list. In
this case you are encrypting GRE tunnels, so you want to match on gre
instead of ip. I have seen references on CCO and Networkers presentations
that state that you should use transport mode for ESP rather than the default
tunnel mode when encrypting GRE tunnels, since they are already tunneled. You
can set this in the transform set.
HTH,
Dave
David A. Mack
Network Engineer
Fairfax, VA 22033
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Fabricio Aponte
Sent: Saturday, February 24, 2001 9:29 AM
To: 'fwells12'; ccielab@groupstudy.com
Subject: RE: More IPSec probs...
Your access lists are switched (source destination / destination source).
I would get IP to work first and then I would worry about IPX. (Don't worry
about your tunnel interface.)
"show cry engine connections active" is a command that will tell you if you
are encrypting or not.
Regards,
Fabricio
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
fwells12
Sent: Saturday, February 24, 2001 2:01 AM
To: ccielab@groupstudy.com
Subject: More IPSec probs...
Guys,
I am trying to run IPSec between two routers over a frame cloud using
tunnels. I cannot get the isakmp security associations to register,
and thus no traffic is being encrypted. Please give my configs the once-over
and see if you can see anything wrong with them. I have tried
using a number of permutations of the access-lists and nothing has
worked. You will notice I have IPX networks at each end of the network.
I would like to encrypt that traffic too.
I have debug running on ipsec/isakmp/engine and nothing is being
registered. I guess I have the configs close but...
Router1:
-----------
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key tunnel address 10.1.1.4 255.0.0.0
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map crypmap 15 ipsec-isakmp
 set peer 10.1.1.4
 set transform-set cisco
 match address 100
!
interface Tunnel4
 no ip address
 ipx network 1441
 tunnel source Serial0
 tunnel destination 10.1.1.4
 crypto map crypmap
!
interface Ethernet0
 mac-address 0001.0001.0001
 ip address 1.1.1.1 255.0.0.0
 no ip mroute-cache
 no keepalive
 ipx network 11
!
interface Serial0
 ip address 10.1.1.1 255.0.0.0
 ip access-group 101 in
 encapsulation frame-relay
 no ip mroute-cache
 frame-relay lmi-type ansi
 crypto map crypmap
!
ip route 4.4.4.4 255.255.255.255 10.1.1.4
!
access-list 100 permit ip host 10.1.1.4 host 10.1.1.1
Router2:
------------
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key tunnel address 10.1.1.1 255.0.0.0
!
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map crypmap 15 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set cisco
 match address 100
!
interface Tunnel1
 no ip address
 ipx network 1441
 tunnel source Serial0
 tunnel destination 10.1.1.1
 crypto map crypmap
!
interface Ethernet0
 mac-address 0004.0004.0004
 ip address 4.4.4.4 255.0.0.0
 no ip mroute-cache
 no keepalive
 ipx network 44
 no cdp enable
!
interface Serial0
 ip address 10.1.1.4 255.0.0.0
 ip access-group 101 in
 encapsulation frame-relay
 no ip mroute-cache
 no fair-queue
 frame-relay lmi-type ansi
 crypto map crypmap
!
ip route 1.1.1.1 255.255.255.255 10.1.1.1
!
access-list 100 permit ip host 10.1.1.1 host 10.1.1.4
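An added example, not part of the thread: a small Python lint that applies the two checks raised above (the crypto ACL should match gre, and its source/destination should run from the local tunnel source to the tunnel destination, not the reverse) to a constructed, trimmed copy of the posted Router1 config. The config string and the function names are my own; Router2 can be checked the same way.

```python
import re

# Constructed sample: the posted Router1 config, trimmed to the lines the checks need.
ROUTER1 = """\
interface Tunnel4
 tunnel source Serial0
 tunnel destination 10.1.1.4
interface Serial0
 ip address 10.1.1.1 255.0.0.0
access-list 100 permit ip host 10.1.1.4 host 10.1.1.1
"""

def parse(cfg):
    """Collect interface addresses, tunnel endpoints and host-to-host ACL entries."""
    ifaces, acls, cur = {}, {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {})
        elif line.startswith(" ") and cur is not None:
            words = line.split()
            if words[:2] == ["ip", "address"]:
                cur["ip"] = words[2]
            elif words[0] == "tunnel":          # tunnel source / tunnel destination
                cur[words[1]] = words[2]
        else:
            cur = None
            m = re.match(r"access-list (\d+) permit (\S+) host (\S+) host (\S+)", line)
            if m:
                acls.setdefault(m.group(1), []).append(m.groups()[1:])
    return ifaces, acls

def check_crypto_acl(cfg, acl_id="100"):
    """Findings for the crypto ACL that should select the GRE tunnel traffic."""
    ifaces, acls = parse(cfg)
    tun = next(v for k, v in ifaces.items() if k.startswith("Tunnel"))
    src, dst = tun["source"], tun["destination"]
    if src in ifaces:   # 'tunnel source Serial0' names an interface, not an address
        src = ifaces[src]["ip"]
    findings = []
    for proto, a, b in acls.get(acl_id, []):
        if proto != "gre":
            findings.append(f"acl {acl_id} permits {proto}; GRE tunnel traffic needs 'permit gre'")
        if (a, b) == (dst, src):   # outbound crypto ACL: local source first, remote peer second
            findings.append(f"acl {acl_id} is switched: source {a} is the remote tunnel peer")
    return findings

if __name__ == "__main__":
    for f in check_crypto_acl(ROUTER1):
        print(f)
```

The peer's ACL must be the mirror image of this one, so running the same check on Router2 with its own tunnel source and destination catches the other half of the pair.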