From: Justin Menga (Justin.Menga@xxxxxxxxxxxxxxxxxx)
Date: Thu May 17 2001 - 18:51:43 GMT-3
If you look at your tunnel definitions on say 3640-1-A, your source is
130.10.10.10 (3640-1-A Lo0) and destination is 16.16.17.2 (3640-2 S0/0).
Thus your GRE tunnel will always have source of 130.10.10.10 and destination
of 16.16.17.2 - now if you look at your crypto access-lists, there is no
entry that matches - hence your ipsec tunnel is not being initiated.
Regards,
Justin Menga CCIE #6640 CCNP+Voice+ATM CCDP MCSE+I CCSE
WAN Specialist
Computerland New Zealand
PO Box 3631, Auckland
DDI: (+64) 9 360 4864 Mobile: (+64) 25 349 599
mailto: justin.menga@computerland.co.nz
web: http://www.computerland.co.nz
-----Original Message-----
From: Jubil Mathew [mailto:jmathew@cisco.com]
Sent: Friday, 18 May 2001 4:47 a.m.
To: associate@groupstudy.com
Cc: ccielab@groupstudy.com
Subject: IPSEC and Tunneling
Hi,
I was trying to set up the scenario "IPSec and Tunnelling together". I was
having some problems with the creation of the tunnel. I have a tunnel
created between loopbacks of R1 (3640-1-a) and R2 (3640-2). I was not able
to ping the tunnel interfaces. Could someone point out what is possibly
wrong in the configuration given below?
R1(3640-1-A) ------------------tunnel---------------------|
                                                          |
                                                          |
                                                       3660-CM
                                                          |
                                                          |
                                                          |
R2(3640-2) ---------------------tunnel---------------------
3640-1-A#sh run
hostname 3640-1-A
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key test2 address 16.16.17.2
crypto isakmp key test2 address 16.16.20.2
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set desmd5 esp-des esp-md5-hmac
crypto ipsec transform-set ahmd5 ah-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
crypto map testtest 1 ipsec-isakmp
set peer 16.16.17.2
set peer 16.16.20.2
set peer 140.10.10.10
set peer 192.168.1.2
set transform-set desmd5 a
match address 102
interface Loopback0
ip address 130.10.10.10 255.255.255.0
crypto map testtest
interface Tunnel0
ip address 192.168.1.1 255.255.255.0
tunnel source 130.10.10.10
tunnel destination 16.16.17.2
crypto map testtest
interface Ethernet0/0
ip address 1.6.0.21 255.255.0.0
ip helper-address 1.5.0.1
no ip route-cache
no ip mroute-cache
half-duplex
standby timers 3 7
standby priority 200 preempt
standby ip 1.6.0.199
standby track Se0/0 101
!
interface Serial0/0
ip address 16.16.18.2 255.25
encapsulation frame-relay
no ip route-cache
no ip mroute-cache
no fair-queue
frame-relay interface-dlci 101
frame-relay ip rtp header-compression
crypto map testtest
h323-gateway voip interface
h323-gateway voip id gk-2 ipaddr 16.16.19.2 1719
h323-gateway voip h323-id 3640-1-A
h323-gateway voip tech-prefix 2#
h323-gateway voip bind srcaddr 16.16.18.2
router eigrp 1
network 1.6.0.0 0.0.255.255
network 16.16.0.0 0.0.255.255
network 130.10.0.0
network 140.10.0.0
network 192.168.1.0
distribute-list 20 out Serial0/0
no auto-summary
no eigrp log-neighbor-changes
map-class frame-relay vofrelay
no frame-relay adaptive-shaping
frame-relay cir 2000000
frame-relay bc 1000
frame-relay mincir 1000000
frame-relay fair-queue
frame-relay voice bandwidth 1000000
frame-relay fragment 80
frame-relay ip rtp priority 16384 16383 128
access-list 7 permit 1.6.0.0 0.0.0.255
access-list 102 permit ip host 16.16.18.2 host 16.16.20.2 log
access-list 102 permit ip host 1.6.0.90 host 1.10.0.90 log
access-list 102 permit ip host 1.6.0.90 host 1.7.0.90 log
access-list 102 permit ip host 16.16.18.2 host 16.16.17.2 log
access-list 102 permit gre host 16.16.18.2 host 16.16.17.2 log
access-list 102 permit gre host 130.10.10.10 host 140.10.10.10
access-list 102 permit gre host 16.16.17.2 host 16.16.18.2 log
access-list 102 permit gre host 192.168.1.1 host 192.168.1.2 log
access-list 110 permit ip 1.6.0.0 0.0.0.255 any
access-list 110 permit ip 1.6.0.0 0
dialer-list 1 protocol ip list 101
gateway
call-manager-fallback
ip source-address 1.6.0.199 port 2000
max-ephones 48
max-dn 48
transfer-pattern 3...
transfer-pattern 2...
transfer-pattern 1...
transfer-pattern 5...
default-destination 2003
access-code fxo 9
end
********************************************************
3640-2#sh run
hostname 3640-2
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
lifetime
crypto isakmp key test2 address 16.16.20.2
crypto isakmp key test2 address 16.16.18.2
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set desmd5 esp-des esp-md5-hmac
crypto ipsec transform-set ahmd5 ah-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
crypto map testtest 1 ipsec-isakmp
set peer 16.16.18.2
set peer 16.16.20.2
set peer 130.10.10.10
set peer 192.168.1.1
set transform-set desmd5 ahmd5
match address 101
interface Loopback0
ip address 140.10.10.10 255.255.255.0
crypto map testtest
interface Tunnel0
ip address 192.168.1.2 255.255.255.0
tunnel source 140.10.10.10
tunnel destination 16.16.18.2
crypto map testtest
interface FastEthernet0/0
ip address 1.7.0.30 255.255.0.0
ip helper-address 1.5.0.1
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
interface FastEthernet0/1
ip address 1.4.0.20 255.255.255.0
ip helper-address 1.5.0.1
shutdown
duplex auto
speed auto
interface Serial0/1
ip address 16.16.17.2 255.255.255.0
encapsulation frame-relay
no ip route-cache
ip split-horizon
no ip mroute-cache
no fair-queue
frame-relay interface-dlci 200
crypto map testtest
h323-gateway voip interface
h323-gateway voip id gk-3 ipaddr 16.16.19.2 1719
h323-gateway voip h323-id 3640-2
h323-gateway voip tech-prefix 3#
h323-gateway voip bind srcaddr 16.16.17.2
router eigrp 1
network 1.4.0.0 0.0.255.255
network 1.7.0.0 0.0.255.255
network 16.16.0.0 0.0.255.255
network 130.10.0.0
network 140.10.0.0
network 192.168.1.0
no auto-summary
no eigrp log-neighbor-changes
map-class frame-relay vofrelay
no frame-relay adaptive-shaping
frame-relay cir 2000000
frame-relay bc 1000
frame-relay mincir 1000000
frame-relay fair-queue
frame-relay voice bandwidth 1000000
frame-relay fragment 80
frame-relay ip rtp priority 16384 16383 128
access-list 7 permit 1.7.0.0 0.0.0.255 log
access-list 101 permit ip host 16.16.17.2 host 16.16.18.2 log
access-list 101 permit ip host 1.7.0.90 host 1.6.0.90 log
access-list 101 permit ip host 16.16.17.2 host 16.16.20.2 log
access-list 101 permit ip host 1.7.0.90 host 1.10.0.90 log
access-list 101 permit gre host 16.16.17.2 host 16.16.18.2 log
access-list 101 permit gre host 140.10.10.10 host 130.10.10.10
access-list 101 permit gre host 16.16.17.2 host 16.16.20.2 log
access-list 101 permit gre host 192.168.1.2 host 192.168.1.1 log
dialer-list 1 protocol ip permit
gateway
call-manager-fallback
ip source-address 1.7.0.30 port 2000
max-ephones 48
max-dn 48
transfer-pattern 3...
transfer-pattern 2...
transfer-pattern 1...
transfer-pattern 5...
end
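
The crypto ACL check described in the reply at the top of this thread, as an added example that is not part of either poster's message: it parses access-list 102 from the 3640-1-A config and tests whether the GRE packet Tunnel0 emits (130.10.10.10 to 16.16.17.2) matches any entry. It assumes only the `host`, `any` and address-plus-wildcard forms with no port operators, and treats `ip` as matching every protocol; the function names are illustrative.

```python
import ipaddress

# Crypto ACL 102 and Tunnel0 endpoints, copied from the 3640-1-A config above.
ACL_102 = """\
access-list 102 permit ip host 16.16.18.2 host 16.16.20.2 log
access-list 102 permit ip host 1.6.0.90 host 1.10.0.90 log
access-list 102 permit ip host 1.6.0.90 host 1.7.0.90 log
access-list 102 permit ip host 16.16.18.2 host 16.16.17.2 log
access-list 102 permit gre host 16.16.18.2 host 16.16.17.2 log
access-list 102 permit gre host 130.10.10.10 host 140.10.10.10
access-list 102 permit gre host 16.16.17.2 host 16.16.18.2 log
access-list 102 permit gre host 192.168.1.1 host 192.168.1.2 log
"""
TUNNEL0 = ("gre", "130.10.10.10", "16.16.17.2")  # protocol, tunnel source, tunnel destination

def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))

def take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    word = tokens.pop(0)
    if word == "any":
        return 0, 0xFFFFFFFF
    if word == "host":
        return ip_int(tokens.pop(0)), 0
    return ip_int(word), ip_int(tokens.pop(0))

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [log]' lines."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:1] == ["access-list"] and len(tokens) >= 6:
            rest = tokens[4:]
            entries.append((tokens[2], tokens[3], take_addr(rest), take_addr(rest), line))
    return entries

def addr_match(addr, spec):
    base, wildcard = spec  # wildcard bits set to 1 are "don't care"
    return ((ip_int(addr) ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def first_match(entries, proto, src, dst):
    """First ACL line the packet matches, or None (no match: not selected for IPsec)."""
    for action, acl_proto, s, d, line in entries:
        if acl_proto in ("ip", proto) and addr_match(src, s) and addr_match(dst, d):
            return action, line
    return None

if __name__ == "__main__":
    print(first_match(parse_acl(ACL_102), *TUNNEL0) or "no crypto ACL match: IPsec not initiated")
```

Appending a constructed entry such as `access-list 102 permit gre host 130.10.10.10 host 16.16.17.2` (not in the posted config) makes `first_match` return that line for the Tunnel0 packet.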
********************************************************************************************
**Please read:http://www.groupstudy.com/list/posting.html
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:30:44 GMT-3