From: John Huston (jhuston@xxxxxxxxxxx)
Date: Thu May 17 2001 - 19:02:09 GMT-3
Nice Catch!!
> -----Original Message-----
> From: Justin Menga [mailto:Justin.Menga@computerland.co.nz]
> Sent: Thursday, May 17, 2001 4:52 PM
> To: 'Jubil Mathew'; associate@groupstudy.com
> Cc: ccielab@groupstudy.com
> Subject: RE: IPSEC and Tunneling
>
>
> If you look at your tunnel definitions on, say, 3640-1-A, your source is
> 130.10.10.10 (3640-1-A Lo0) and destination is 16.16.17.2 (3640-2 S0/0).
> Thus your GRE tunnel will always have a source of 130.10.10.10 and a
> destination of 16.16.17.2. Now if you look at your crypto access-lists,
> there is no entry that matches, hence your ipsec tunnel is not being initiated.
>
>
> Regards,
>
> Justin Menga CCIE #6640 CCNP+Voice+ATM CCDP MCSE+I CCSE
> WAN Specialist
> Computerland New Zealand
> PO Box 3631, Auckland
> DDI: (+64) 9 360 4864 Mobile: (+64) 25 349 599
> mailto: justin.menga@computerland.co.nz
> web: http://www.computerland.co.nz
>
>
>
> -----Original Message-----
> From: Jubil Mathew [mailto:jmathew@cisco.com]
> Sent: Friday, 18 May 2001 4:47 a.m.
> To: associate@groupstudy.com
> Cc: ccielab@groupstudy.com
> Subject: IPSEC and Tunneling
>
>
> Hi,
>
> I was trying to set up the scenario "IPSec and Tunnelling together" and I was
> having some problems with the creation of the tunnel. I have a tunnel
> created between loopbacks of R1 (3640-1-a) and R2 (3640-2). I was not able
> to ping the tunnel interfaces. Could someone point out what is possibly
> wrong in the configuration given below?
>
>
> R1(3640-1-A) ------------------tunnel---------------------|
>                                                           |
>                                                           |
>                                                        3660-CM
>                                                           |
>                                                           |
>                                                           |
> R2(3640-2) ---------------------tunnel------------------------
>
>
> 3640-1-A#sh run
>
> hostname 3640-1-A
>
> crypto isakmp policy 1
> hash md5
> authentication pre-share
> group 2
> lifetime 3600
> crypto isakmp key test2 address 16.16.17.2
> crypto isakmp key test2 address 16.16.20.2
> crypto ipsec security-association lifetime seconds 86400
>
> crypto ipsec transform-set desmd5 esp-des esp-md5-hmac
> crypto ipsec transform-set ahmd5 ah-md5-hmac
> crypto mib ipsec flowmib history tunnel size 200
> crypto mib ipsec flowmib history failure size 200
>
> crypto map testtest 1 ipsec-isakmp
> set peer 16.16.17.2
> set peer 16.16.20.2
> set peer 140.10.10.10
> set peer 192.168.1.2
> set transform-set desmd5 a
> match address 102
>
> interface Loopback0
> ip address 130.10.10.10 255.255.255.0
> crypto map testtest
>
> interface Tunnel0
> ip address 192.168.1.1 255.255.255.0
> tunnel source 130.10.10.10
> tunnel destination 16.16.17.2
> crypto map testtest
>
> interface Ethernet0/0
> ip address 1.6.0.21 255.255.0.0
> ip helper-address 1.5.0.1
> no ip route-cache
> no ip mroute-cache
> half-duplex
> standby timers 3 7
> standby priority 200 preempt
> standby ip 1.6.0.199
> standby track Se0/0 101
> !
> interface Serial0/0
> ip address 16.16.18.2 255.25
> encapsulation frame-relay
> no ip route-cache
> no ip mroute-cache
> no fair-queue
> frame-relay interface-dlci 101
> frame-relay ip rtp header-compression
> crypto map testtest
> h323-gateway voip interface
> h323-gateway voip id gk-2 ipaddr 16.16.19.2 1719
> h323-gateway voip h323-id 3640-1-A
> h323-gateway voip tech-prefix 2#
> h323-gateway voip bind srcaddr 16.16.18.2
>
> router eigrp 1
> network 1.6.0.0 0.0.255.255
> network 16.16.0.0 0.0.255.255
> network 130.10.0.0
> network 140.10.0.0
> network 192.168.1.0
> distribute-list 20 out Serial0/0
> no auto-summary
> no eigrp log-neighbor-changes
>
> map-class frame-relay vofrelay
> no frame-relay adaptive-shaping
> frame-relay cir 2000000
> frame-relay bc 1000
> frame-relay mincir 1000000
> frame-relay fair-queue
> frame-relay voice bandwidth 1000000
> frame-relay fragment 80
> frame-relay ip rtp priority 16384 16383 128
> access-list 7 permit 1.6.0.0 0.0.0.255
> access-list 102 permit ip host 16.16.18.2 host 16.16.20.2 log
> access-list 102 permit ip host 1.6.0.90 host 1.10.0.90 log
> access-list 102 permit ip host 1.6.0.90 host 1.7.0.90 log
> access-list 102 permit ip host 16.16.18.2 host 16.16.17.2 log
> access-list 102 permit gre host 16.16.18.2 host 16.16.17.2 log
> access-list 102 permit gre host 130.10.10.10 host 140.10.10.10
> access-list 102 permit gre host 16.16.17.2 host 16.16.18.2 log
> access-list 102 permit gre host 192.168.1.1 host 192.168.1.2 log
> access-list 110 permit ip 1.6.0.0 0.0.0.255 any
> access-list 110 permit ip 1.6.0.0 0
> dialer-list 1 protocol ip list 101
>
> gateway
>
> call-manager-fallback
> ip source-address 1.6.0.199 port 2000
> max-ephones 48
> max-dn 48
> transfer-pattern 3...
> transfer-pattern 2...
> transfer-pattern 1...
> transfer-pattern 5...
> default-destination 2003
> access-code fxo 9
>
> end
>
> ********************************************************
> 3640-2#sh run
>
> hostname 3640-2
>
> crypto isakmp policy 1
> hash md5
> authentication pre-share
> group 2
> lifetime
> crypto isakmp key test2 address 16.16.20.2
> crypto isakmp key test2 address 16.16.18.2
>
> crypto ipsec security-association lifetime seconds 86400
> !
> crypto ipsec transform-set desmd5 esp-des esp-md5-hmac
> crypto ipsec transform-set ahmd5 ah-md5-hmac
> crypto mib ipsec flowmib history tunnel size 200
> crypto mib ipsec flowmib history failure size 200
>
> crypto map testtest 1 ipsec-isakmp
> set peer 16.16.18.2
> set peer 16.16.20.2
> set peer 130.10.10.10
> set peer 192.168.1.1
> set transform-set desmd5 ahmd5
> match address 101
>
> interface Loopback0
> ip address 140.10.10.10 255.255.255.0
> crypto map testtest
>
> interface Tunnel0
> ip address 192.168.1.2 255.255.255.0
> tunnel source 140.10.10.10
> tunnel destination 16.16.18.2
> crypto map testtest
>
> interface FastEthernet0/0
> ip address 1.7.0.30 255.255.0.0
> ip helper-address 1.5.0.1
> no ip route-cache
> no ip mroute-cache
> duplex auto
> speed auto
>
> interface FastEthernet0/1
> ip address 1.4.0.20 255.255.255.0
> ip helper-address 1.5.0.1
> shutdown
> duplex auto
> speed auto
>
> interface Serial0/1
> ip address 16.16.17.2 255.255.255.0
> encapsulation frame-relay
> no ip route-cache
> ip split-horizon
> no ip mroute-cache
> no fair-queue
> frame-relay interface-dlci 200
> crypto map testtest
> h323-gateway voip interface
> h323-gateway voip id gk-3 ipaddr 16.16.19.2 1719
> h323-gateway voip h323-id 3640-2
> h323-gateway voip tech-prefix 3#
> h323-gateway voip bind srcaddr 16.16.17.2
>
> router eigrp 1
> network 1.4.0.0 0.0.255.255
> network 1.7.0.0 0.0.255.255
> network 16.16.0.0 0.0.255.255
> network 130.10.0.0
> network 140.10.0.0
> network 192.168.1.0
> no auto-summary
> no eigrp log-neighbor-changes
>
> map-class frame-relay vofrelay
> no frame-relay adaptive-shaping
> frame-relay cir 2000000
> frame-relay bc 1000
> frame-relay mincir 1000000
> frame-relay fair-queue
> frame-relay voice bandwidth 1000000
> frame-relay fragment 80
> frame-relay ip rtp priority 16384 16383 128
> access-list 7 permit 1.7.0.0 0.0.0.255 log
> access-list 101 permit ip host 16.16.17.2 host 16.16.18.2 log
> access-list 101 permit ip host 1.7.0.90 host 1.6.0.90 log
> access-list 101 permit ip host 16.16.17.2 host 16.16.20.2 log
> access-list 101 permit ip host 1.7.0.90 host 1.10.0.90 log
> access-list 101 permit gre host 16.16.17.2 host 16.16.18.2 log
> access-list 101 permit gre host 140.10.10.10 host 130.10.10.10
> access-list 101 permit gre host 16.16.17.2 host 16.16.20.2 log
> access-list 101 permit gre host 192.168.1.2 host 192.168.1.1 log
>
> dialer-list 1 protocol ip permit
>
> gateway
>
> call-manager-fallback
> ip source-address 1.7.0.30 port 2000
> max-ephones 48
> max-dn 48
> transfer-pattern 3...
> transfer-pattern 2...
> transfer-pattern 1...
> transfer-pattern 5...
>
> end
>
> **************************************************************
> **Please read:http://www.groupstudy.com/list/posting.html
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:30:44 GMT-3
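
Added example, not part of the original thread and not the posters' code: a short Python check of the point made in Justin's reply, that the GRE packets built by Tunnel0 on 3640-1-A (130.10.10.10 to 16.16.17.2) match no entry in crypto access-list 102. It assumes the tunnel source is given as an IP address and that the ACL holds only permit entries; `addr_spec`, `gre_crypto_match` and the extra ACL line in `CANDIDATE_FIX` are constructed for illustration.

```python
import ipaddress
import re
# Trimmed from the 3640-1-A config quoted in the thread (wrapped lines rejoined).
CONFIG_3640_1_A = """\
crypto map testtest 1 ipsec-isakmp
 match address 102
interface Tunnel0
 tunnel source 130.10.10.10
 tunnel destination 16.16.17.2
access-list 102 permit ip host 16.16.18.2 host 16.16.20.2 log
access-list 102 permit ip host 1.6.0.90 host 1.10.0.90 log
access-list 102 permit ip host 1.6.0.90 host 1.7.0.90 log
access-list 102 permit ip host 16.16.18.2 host 16.16.17.2 log
access-list 102 permit gre host 16.16.18.2 host 16.16.17.2 log
access-list 102 permit gre host 130.10.10.10 host 140.10.10.10
access-list 102 permit gre host 16.16.17.2 host 16.16.18.2 log
access-list 102 permit gre host 192.168.1.1 host 192.168.1.2 log
"""

def addr_spec(tokens):
    # Consume "any", "host A" or "A wildcard" and return a test for one IP string.
    first = tokens.pop(0)
    if first == "any":
        return lambda ip: True
    if first == "host":
        host = tokens.pop(0)
        return lambda ip: ip == host
    base = int(ipaddress.ip_address(first))
    wild = int(ipaddress.ip_address(tokens.pop(0)))
    return lambda ip: (int(ipaddress.ip_address(ip)) | wild) == (base | wild)

def gre_crypto_match(config):
    """Return (src, dst, ACL lines that would select the tunnel's GRE packets)."""
    src = re.search(r"tunnel source (\S+)", config).group(1)
    dst = re.search(r"tunnel destination (\S+)", config).group(1)
    acl = re.search(r"match address (\d+)", config).group(1)
    hits = []
    for line in config.splitlines():
        m = re.match(rf"access-list {acl} permit (\S+) (.+)", line.strip())
        if not m or m.group(1) not in ("ip", "gre"):  # "ip" covers GRE too
            continue
        tokens = m.group(2).split()
        src_ok, dst_ok = addr_spec(tokens), addr_spec(tokens)
        if src_ok(src) and dst_ok(dst):
            hits.append(line.strip())
    return src, dst, hits

# Constructed entry (not from the thread) that names the real tunnel endpoints.
CANDIDATE_FIX = CONFIG_3640_1_A + "access-list 102 permit gre host 130.10.10.10 host 16.16.17.2\n"
```

Calling `gre_crypto_match(CONFIG_3640_1_A)` returns an empty match list, which is the condition described in the reply; with the constructed entry appended, the tunnel's GRE traffic is selected by the crypto map.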