IPSec And Tunneling help

From: Jubil Mathew (jmathew@xxxxxxxxx)
Date: Wed Jun 13 2001 - 16:46:04 GMT-3

   
Hi,

I am trying to set up a GRE tunnel between 2 end points (3640 and 2621),
with IPsec enabled between the Peer routers.
Send all traffic from the end points through the tunnel with GRE encryption.

I am not able to ping between the tunnel destination address, between the
private address of the peer routers.

The network setup is like this:

                 | E0/0 WAN LINK (Frame Relay)
1.6.0.90 |-------------3640-1
----------------------------/ |
                 |
/--------------------------- 2621-1 ---------------| 1.10.0.90

                        |

the network configuration is given below:

3640-1-A#sh run

crypto isakmp policy 1
  hash md5
  authentication pre-share
  group 2
  lifetime 3600
crypto isakmp key test2 address 16.16.17.2
crypto isakmp key test2 address 16.16.20.2
crypto isakmp key test2 address 130.10.10.1
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set desmd5 esp-des esp-md5-hmac
crypto ipsec transform-set ahmd5 ah-md5-hmac

crypto map testtest 1 ipsec-isakmp
  set peer 16.16.17.2
  set peer 16.16.20.2
  set peer 130.10.10.1
  set transform-set desmd5 ahmd5
  match address 102

interface Tunnel0
  ip address 130.10.10.2 255.255.255.0
  tunnel source 16.16.18.2
  tunnel destination 16.16.20.2
  crypto map testtest

interface Ethernet0/0
  ip address 1.6.0.21 255.255.0.0
  ip helper-address 1.5.0.1

interface Serial0/0
  ip address 16.16.18.2 255.255.255.0
  ip helper-address 1.5.0.1
  encapsulation frame-relay
  frame-relay interface-dlci 101
  frame-relay ip tcp header-compression
  frame-relay ip rtp header-compression
  crypto map testtest

router eigrp 1
  network 16.16.0.0 0.0.255.255
  network 1.0.0.0
  network 130.10.0.0
  no auto-summary

ip route 1.0.0.0 255.0.0.0 Tunnel0

map-class frame-relay vofrelay
  frame-relay ip rtp priority 16384 16383 128

access-list 102 permit gre any any log

end
*********************************************************
3640-1-A#sh ip route
C 200.200.200.0/24 is directly connected, BRI0/0
      16.0.0.0/24 is subnetted, 4 subnets
C 16.16.18.0 is directly connected, Serial0/0
D 16.16.19.0 [90/2273792] via 16.16.18.1, 02:09:54, Serial0/0
D 16.16.20.0 [90/2273792] via 16.16.18.1, 02:09:54, Serial0/0
D 16.16.21.0 [90/6023936] via 16.16.18.1, 02:09:54, Serial0/0
      1.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
S 1.0.0.0/8 is directly connected, Tunnel0
D 1.5.0.0/16 [90/1787392] via 16.16.18.1, 02:09:55, Serial0/0
C 1.6.0.0/16 is directly connected, Ethernet0/0
D 1.9.0.0/16 [90/2299392] via 16.16.18.1, 02:09:55, Serial0/0
D 1.8.0.0/24 [90/2401792] via 16.16.18.1, 02:09:55, Serial0/0
D 1.11.0.0/24 [90/6049536] via 16.16.18.1, 02:09:55, Serial0/0
      130.10.0.0/24 is subnetted, 1 subnets
C 130.10.10.0 is directly connected, Tunnel0
      10.0.0.0/24 is subnetted, 1 subnets
D 10.33.128.0 [90/6151936] via 16.16.18.1, 02:09:55, Serial0/0
*********************************************************
3640-1-A#ping 130.10.10.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 130.10.10.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
*********************************************************
3640-1-A#ping 16.16.20.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 16.16.20.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/19/20 ms
*********************************************************
3640-1-A#ping 1.10.0.90

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.10.0.90, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
*********************************************************
3640-1-A#ping 1.10.0.21

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.10.0.21, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

*******************************************************************************
*******************************************************************************
*************
2621-1#sh run

crypto isakmp policy 1
  hash md5
  authentication pre-share
  group 2
  lifetime 3600
crypto isakmp key test2 address 16.16.17.2
crypto isakmp key test2 address 16.16.18.2
crypto isakmp key test2 address 130.10.10.2
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set desmd5 esp-des esp-md5-hmac
crypto ipsec transform-set ahmd5 ah-md5-hmac

crypto map testtest 1 ipsec-isakmp
  set peer 16.16.17.2
  set peer 16.16.18.2
  set peer 130.10.10.2
  set transform-set desmd5 ahmd5
  match address 101

interface Tunnel0
  ip address 130.10.10.1 255.255.255.0
  tunnel source 16.16.20.2
  tunnel destination 16.16.18.2
  crypto map testtest

interface FastEthernet0/0
  ip address 1.10.0.21 255.255.255.0
  ip helper-address 1.5.0.1

interface Serial0/2
  ip address 16.16.20.2 255.255.255.0
  encapsulation frame-relay
  frame-relay map ip 16.16.20.1 400 broadcast
  frame-relay interface-dlci 400
  frame-relay ip rtp header-compression
  crypto map testtest

router eigrp 1
  network 16.16.0.0 0.0.255.255
  network 1.0.0.0
  network 130.10.0.0
  no auto-summary

ip route 1.0.0.0 255.0.0.0 Tunnel0

map-class frame-relay vofrelay
  frame-relay ip rtp priority 16384 16383 128

access-list 101 permit gre any any log

end

*********************************************************

2621-1#sh ip route
      16.0.0.0/24 is subnetted, 4 subnets
D 16.16.18.0 [90/2681856] via 16.16.20.1, 00:19:39, Serial0/2
D 16.16.19.0 [90/2681856] via 16.16.20.1, 00:19:39, Serial0/2
C 16.16.20.0 is directly connected, Serial0/2
D 16.16.21.0 [90/6023936] via 16.16.20.1, 00:19:39, Serial0/2
      1.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
S 1.0.0.0/8 is directly connected, Tunnel0
D 1.5.0.0/16 [90/2195456] via 16.16.20.1, 00:19:39, Serial0/2
D 1.9.0.0/16 [90/2707456] via 16.16.20.1, 00:19:40, Serial0/2
D 1.8.0.0/24 [90/2809856] via 16.16.20.1, 00:19:40, Serial0/2
D 1.11.0.0/24 [90/6049536] via 16.16.20.1, 00:19:40, Serial0/2
C 1.10.0.0/24 is directly connected, FastEthernet0/0
      130.10.0.0/24 is subnetted, 1 subnets
C 130.10.10.0 is directly connected, Tunnel0
      10.0.0.0/24 is subnetted, 1 subnets
D 10.33.128.0 [90/6151936] via 16.16.20.1, 00:19:40, Serial0/2

*********************************************************
2621-1#ping 130.10.10.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 130.10.10.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
*********************************************************
2621-1#ping 16.16.18.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 16.16.18.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/19/20 ms
*********************************************************
2621-1#ping 1.6.0.21

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.6.0.21, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
*******************************************************************************
*******************************************************************************
*************

Jubil Mathew
Software Engineer, MPSBU
Cisco Systems Inc.
821, Alder drive, SJ-22/2/1
Milpitas, California. 95035
Phone: (408) 853-4566
jmathew@cisco.com
**Please read:http://www.groupstudy.com/list/posting.html

This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:23 GMT-3