RE: IPSEC and Tunneling

From: Rob Webber (rwebber@xxxxxxxxxxxx)
Date: Thu May 17 2001 - 15:14:50 GMT-3


   
When I got this to work I had a few differences in my configs:

- I did not use the "crypto map testtest" command on the loopback, only on
the tunnel and physical interfaces (which you have done)
- I configured the tunnel between the physical interfaces, not the loopbacks
(source and destination)
- I configured IPSec between the loopback interfaces of the routers. To do
this change your peer addresses and add the "crypto map testtest
local-address loopback 0" to set the local router's IPSec peer address to
the loopback (otherwise I believe it defaults to the physical)

Good luck - Rob.
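
The arrangement Rob describes, written out for both routers as an added example (this is not configuration from either poster). Addresses, interface names, DLCIs and the map name are taken from the posted configs; the /24 mask on R1's Serial0/0 is an assumption, since the posted line is truncated, and the `encr 3des` / `esp-3des esp-sha-hmac` lines are a substitution for the thread's DES/MD5 choice, which is weak by current standards (the posted desmd5 transform set would behave the same way for the endpoint question). The GRE tunnel is sourced from the Frame Relay interface on each side, so each router's tunnel destination is the other's tunnel source; in the posted configs each side sources the tunnel from its loopback but points at the other side's serial address, so the endpoints are not mirror images. IPsec peers on the loopbacks through `crypto map testtest local-address Loopback0`, and the crypto ACL names the GRE packet's outer (serial) addresses, because that is the packet the crypto map sees leaving the interface; an entry written with the 192.168.1.x tunnel addresses never matches GRE traffic.

```cisco
! --- R1 (3640-1-A): added example, not the posted config ---
crypto isakmp policy 1
 encr 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 3600
! The pre-shared key is bound to the peer's loopback, because that is
! the address the peer sources ISAKMP and ESP from.
crypto isakmp key test2 address 140.10.10.10
!
crypto ipsec transform-set ts-3des esp-3des esp-sha-hmac
!
! All IPsec traffic is sourced from Loopback0, so the peer sees
! 130.10.10.10 whichever physical interface the packet leaves on.
crypto map testtest local-address Loopback0
crypto map testtest 1 ipsec-isakmp
 set peer 140.10.10.10
 set transform-set ts-3des
 match address 102
!
interface Loopback0
 ip address 130.10.10.10 255.255.255.0
!
! Tunnel endpoints are the serial addresses; R2 mirrors them below.
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 tunnel source Serial0/0
 tunnel destination 16.16.17.2
 crypto map testtest
!
! 255.255.255.0 is assumed here (the posted mask is truncated).
interface Serial0/0
 ip address 16.16.18.2 255.255.255.0
 encapsulation frame-relay
 frame-relay interface-dlci 101
 crypto map testtest
!
! Crypto ACLs are evaluated on the GRE-encapsulated packet, so they match
! the tunnel source/destination (outer header), not the 192.168.1.x
! addresses carried inside. The peer's ACL is the mirror image.
access-list 102 permit gre host 16.16.18.2 host 16.16.17.2
!
! --- R2 (3640-2) ---
crypto isakmp policy 1
 encr 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key test2 address 130.10.10.10
!
crypto ipsec transform-set ts-3des esp-3des esp-sha-hmac
!
crypto map testtest local-address Loopback0
crypto map testtest 1 ipsec-isakmp
 set peer 130.10.10.10
 set transform-set ts-3des
 match address 101
!
interface Loopback0
 ip address 140.10.10.10 255.255.255.0
!
interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 tunnel source Serial0/1
 tunnel destination 16.16.18.2
 crypto map testtest
!
interface Serial0/1
 ip address 16.16.17.2 255.255.255.0
 encapsulation frame-relay
 frame-relay interface-dlci 200
 crypto map testtest
!
access-list 101 permit gre host 16.16.17.2 host 16.16.18.2
```

Two things must hold for this to come up. The loopback networks have to be routed between the routers before any GRE traffic is sent, otherwise ISAKMP to 140.10.10.10 never starts (the posted EIGRP configs already advertise 130.10.0.0 and 140.10.0.0, so that part is covered). And the crypto map is applied to both the Tunnel and the physical interface, as Rob did; IOS releases of that era needed both for GRE over IPsec, while from 12.2(13)T the physical interface alone is enough. To check it, ping 192.168.1.2 from R1 and then look at `show crypto isakmp sa` (one QM_IDLE entry between 130.10.10.10 and 140.10.10.10), `show crypto ipsec sa` (the #pkts encaps and #pkts decaps counters should climb with each ping) and `show interfaces tunnel 0`. Keep `debug crypto isakmp` for the lab only.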

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Jubil Mathew
Sent: Thursday, May 17, 2001 12:47 PM
To: associate@groupstudy.com
Cc: ccielab@groupstudy.com
Subject: IPSEC and Tunneling

Hi,

I was trying to set up the scenario "IPSec and Tunnelling together" and was
having some problems with the creation of the tunnel. I have a tunnel
created between the loopbacks of R1 (3640-1-a) and R2 (3640-2). I was not able
to ping the tunnel interfaces. Could someone point out what is possibly
wrong in the configuration given below?

R1(3640-1-A) ------------------tunnel----------------------|
                                                           |
                                                           |
                                                        3660-CM
                                                           |
                                                           |
                                                           |
R2(3640-2) ---------------------tunnel---------------------|

3640-1-A#sh run

hostname 3640-1-A

crypto isakmp policy 1
  hash md5
  authentication pre-share
  group 2
  lifetime 3600
crypto isakmp key test2 address 16.16.17.2
crypto isakmp key test2 address 16.16.20.2
crypto ipsec security-association lifetime seconds 86400

crypto ipsec transform-set desmd5 esp-des esp-md5-hmac
crypto ipsec transform-set ahmd5 ah-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200

crypto map testtest 1 ipsec-isakmp
  set peer 16.16.17.2
  set peer 16.16.20.2
  set peer 140.10.10.10
  set peer 192.168.1.2
  set transform-set desmd5 a
  match address 102

interface Loopback0
  ip address 130.10.10.10 255.255.255.0
  crypto map testtest

interface Tunnel0
  ip address 192.168.1.1 255.255.255.0
  tunnel source 130.10.10.10
  tunnel destination 16.16.17.2
  crypto map testtest

interface Ethernet0/0
  ip address 1.6.0.21 255.255.0.0
  ip helper-address 1.5.0.1
  no ip route-cache
  no ip mroute-cache
  half-duplex
  standby timers 3 7
  standby priority 200 preempt
  standby ip 1.6.0.199
  standby track Se0/0 101
!
interface Serial0/0
  ip address 16.16.18.2 255.25
  encapsulation frame-relay
  no ip route-cache
  no ip mroute-cache
  no fair-queue
  frame-relay interface-dlci 101
  frame-relay ip rtp header-compression
  crypto map testtest
  h323-gateway voip interface
  h323-gateway voip id gk-2 ipaddr 16.16.19.2 1719
  h323-gateway voip h323-id 3640-1-A
  h323-gateway voip tech-prefix 2#
  h323-gateway voip bind srcaddr 16.16.18.2

router eigrp 1
  network 1.6.0.0 0.0.255.255
  network 16.16.0.0 0.0.255.255
  network 130.10.0.0
  network 140.10.0.0
  network 192.168.1.0
  distribute-list 20 out Serial0/0
  no auto-summary
  no eigrp log-neighbor-changes

map-class frame-relay vofrelay
  no frame-relay adaptive-shaping
  frame-relay cir 2000000
  frame-relay bc 1000
  frame-relay mincir 1000000
  frame-relay fair-queue
  frame-relay voice bandwidth 1000000
  frame-relay fragment 80
  frame-relay ip rtp priority 16384 16383 128
access-list 7 permit 1.6.0.0 0.0.0.255
access-list 102 permit ip host 16.16.18.2 host 16.16.20.2 log
access-list 102 permit ip host 1.6.0.90 host 1.10.0.90 log
access-list 102 permit ip host 1.6.0.90 host 1.7.0.90 log
access-list 102 permit ip host 16.16.18.2 host 16.16.17.2 log
access-list 102 permit gre host 16.16.18.2 host 16.16.17.2 log
access-list 102 permit gre host 130.10.10.10 host 140.10.10.10
access-list 102 permit gre host 16.16.17.2 host 16.16.18.2 log
access-list 102 permit gre host 192.168.1.1 host 192.168.1.2 log
access-list 110 permit ip 1.6.0.0 0.0.0.255 any
access-list 110 permit ip 1.6.0.0 0
dialer-list 1 protocol ip list 101

gateway

call-manager-fallback
  ip source-address 1.6.0.199 port 2000
  max-ephones 48
  max-dn 48
  transfer-pattern 3...
  transfer-pattern 2...
  transfer-pattern 1...
  transfer-pattern 5...
  default-destination 2003
  access-code fxo 9

end

********************************************************
3640-2#sh run

hostname 3640-2

crypto isakmp policy 1
  hash md5
  authentication pre-share
  group 2
  lifetime
crypto isakmp key test2 address 16.16.20.2
crypto isakmp key test2 address 16.16.18.2

crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set desmd5 esp-des esp-md5-hmac
crypto ipsec transform-set ahmd5 ah-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200

crypto map testtest 1 ipsec-isakmp
  set peer 16.16.18.2
  set peer 16.16.20.2
  set peer 130.10.10.10
  set peer 192.168.1.1
  set transform-set desmd5 ahmd5
  match address 101

interface Loopback0
  ip address 140.10.10.10 255.255.255.0
  crypto map testtest

interface Tunnel0
  ip address 192.168.1.2 255.255.255.0
  tunnel source 140.10.10.10
  tunnel destination 16.16.18.2
  crypto map testtest

interface FastEthernet0/0
  ip address 1.7.0.30 255.255.0.0
  ip helper-address 1.5.0.1
  no ip route-cache
  no ip mroute-cache
  duplex auto
  speed auto

interface FastEthernet0/1
  ip address 1.4.0.20 255.255.255.0
  ip helper-address 1.5.0.1
  shutdown
  duplex auto
  speed auto

interface Serial0/1
  ip address 16.16.17.2 255.255.255.0
  encapsulation frame-relay
  no ip route-cache
  ip split-horizon
  no ip mroute-cache
  no fair-queue
  frame-relay interface-dlci 200
  crypto map testtest
  h323-gateway voip interface
  h323-gateway voip id gk-3 ipaddr 16.16.19.2 1719
  h323-gateway voip h323-id 3640-2
  h323-gateway voip tech-prefix 3#
  h323-gateway voip bind srcaddr 16.16.17.2

router eigrp 1
  network 1.4.0.0 0.0.255.255
  network 1.7.0.0 0.0.255.255
  network 16.16.0.0 0.0.255.255
  network 130.10.0.0
  network 140.10.0.0
  network 192.168.1.0
  no auto-summary
  no eigrp log-neighbor-changes

map-class frame-relay vofrelay
  no frame-relay adaptive-shaping
  frame-relay cir 2000000
  frame-relay bc 1000
  frame-relay mincir 1000000
  frame-relay fair-queue
  frame-relay voice bandwidth 1000000
  frame-relay fragment 80
  frame-relay ip rtp priority 16384 16383 128
access-list 7 permit 1.7.0.0 0.0.0.255 log
access-list 101 permit ip host 16.16.17.2 host 16.16.18.2 log
access-list 101 permit ip host 1.7.0.90 host 1.6.0.90 log
access-list 101 permit ip host 16.16.17.2 host 16.16.20.2 log
access-list 101 permit ip host 1.7.0.90 host 1.10.0.90 log
access-list 101 permit gre host 16.16.17.2 host 16.16.18.2 log
access-list 101 permit gre host 140.10.10.10 host 130.10.10.10
access-list 101 permit gre host 16.16.17.2 host 16.16.20.2 log
access-list 101 permit gre host 192.168.1.2 host 192.168.1.1 log

dialer-list 1 protocol ip permit

gateway

call-manager-fallback
  ip source-address 1.7.0.30 port 2000
  max-ephones 48
  max-dn 48
  transfer-pattern 3...
  transfer-pattern 2...
  transfer-pattern 1...
  transfer-pattern 5...

end

********************************************************************************************
**Please read:http://www.groupstudy.com/list/posting.html



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:30:44 GMT-3