Re: help!! ipsec tunnel

From: John Elias (jelias_@xxxxxxxxxxx)
Date: Tue May 29 2001 - 11:56:19 GMT-3


   
Gary,
   All of your "crypto isakmp key <123456> address" commands should be the
physical interface, not the tunnel interface. Also your access-list should
permit the physical interfaces, not the tunnel interfaces.

John

>From: garry baker <fallow46@yahoo.com>
>Reply-To: garry baker <fallow46@yahoo.com>
>To: ccielab@groupstudy.com
>Subject: help!! ipsec tunnel
>Date: Sun, 27 May 2001 22:15:54 -0700 (PDT)
>
>Guys,
>
>I am trying to get IPsec to work over a GRE tunnel.
>The tunnel works fine, but when I add the IPsec I am
>unable to ping the other end of the tunnel. All I am
>trying to achieve is to be able to ping the other end
>of the tunnel. I went through the post from last week
>that was similar but still could not fix my problem.
>
>I have three routers connected, with the outer two
>acting as the tunnel endpoints. I have pasted the
>relevant config details. Could someone point me in the
>right direction?
>
>Garry
>
>r6
>
>crypto isakmp policy 1
> authentication pre-share
>crypto isakmp key 123456 address 64.108.4.9
>crypto isakmp key 12345 address 64.108.68.8
>
>crypto map test local-address Tunnel0
>crypto map test 10 ipsec-isakmp
> set peer 64.180.68.8
> set transform-set test
> match address 150
>!
>
>interface Tunnel0
> ip address 64.108.68.6 255.255.255.0
> no ip directed-broadcast
> no ip route-cache
> no ip mroute-cache
> tunnel source 64.108.9.2
> tunnel destination 64.108.1.34
> crypto map test
>
>interface Serial0/1
> ip address 64.108.9.2 255.255.255.240
> no ip directed-broadcast
> ip pim sparse-mode
> encapsulation ppp
> ip ospf interface-retry 0
> ip igmp join-group 226.10.10.1
> ip igmp join-group 226.1.1.10
> crypto map test
>
>access-list 150 permit ip host 64.108.68.6 host 64.108.68.8
>
>r8
>
>crypto isakmp policy 1
> authentication pre-share
>crypto isakmp key 12345 address 64.108.68.6
>!
>!
>crypto ipsec transform-set test esp-des
>!
>!
>crypto map test local-address Tunnel0
>crypto map test 10 ipsec-isakmp
> set peer 64.108.68.6
> set transform-set test
> match address 150
>
>interface Tunnel0
> ip address 64.108.68.8 255.255.255.0
> no ip directed-broadcast
> no ip route-cache
> no ip mroute-cache
> tunnel source 64.108.1.34
> tunnel destination 64.108.9.2
> crypto map test
>!
>interface Ethernet0/0
> ip address 64.108.1.34 255.255.255.224
> no ip directed-broadcast
> ip pim sparse-mode
> crypto map test
>
>access-list 150 permit ip host 64.108.68.8 host 64.108.68.6
>
>
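
Added example (not part of the original thread and not John's or Garry's code): a small Python check for the two mistakes John points out, run over the r6 lines quoted above. It assumes an address counts as a tunnel address when it falls inside the subnet configured on a Tunnel interface; the function names are hypothetical.

```python
import ipaddress
import re
IPV4 = r"(\d+\.\d+\.\d+\.\d+)"

# Input: r6 lines copied from the post above, wrapped access-list line re-joined.
R6_CONFIG = """\
crypto isakmp key 123456 address 64.108.4.9
crypto isakmp key 12345 address 64.108.68.8
interface Tunnel0
 ip address 64.108.68.6 255.255.255.0
 tunnel source 64.108.9.2
 tunnel destination 64.108.1.34
interface Serial0/1
 ip address 64.108.9.2 255.255.255.240
access-list 150 permit ip host 64.108.68.6 host 64.108.68.8
"""

def tunnel_networks(config):
    """Return the subnets configured on Tunnel interfaces."""
    nets, current = [], None
    for line in config.splitlines():
        if not line.startswith(" "):          # top-level line: new context
            m = re.match(r"interface\s+(\S+)", line)
            current = m.group(1) if m else None
            continue
        m = re.match(rf"\s+ip address {IPV4} {IPV4}", line)
        if m and current and current.lower().startswith("tunnel"):
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return nets

def find_tunnel_references(config):
    """List (statement, address) pairs whose address lies in a tunnel subnet."""
    nets = tunnel_networks(config)
    findings = []
    for line in config.splitlines():
        if line.startswith("crypto isakmp key "):
            kind, addrs = "isakmp key", re.findall(rf"address {IPV4}", line)
        elif line.startswith("access-list "):
            kind, addrs = "access-list", re.findall(rf"host {IPV4}", line)
        else:
            continue
        for addr in addrs:
            if any(ipaddress.ip_address(addr) in net for net in nets):
                findings.append((kind, addr))
    return findings

if __name__ == "__main__":
    for kind, addr in find_tunnel_references(R6_CONFIG):
        print(f"{kind}: {addr} is a tunnel address, not a physical one")
```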


