Re: IPSec And Tunneling help

From: Brian (signal@xxxxxxxxxx)
Date: Wed Jun 13 2001 - 18:00:18 GMT-3

I think you need to mess with your access lists. Have them match on the
serial IPs, the tunnel sources. I am not sure what you
have would work. I think you're going to need to match "ip", since that's
ultimately what's put inside the tunnel, and I wouldn't make it "any any";
make it more specific, like I said, the tunnel sources.

Also it doesn't hurt to nail down your local address with "crypto map
testtest local-address x.x.x.x"

brian

On Wed, 13 Jun 2001, Jubil Mathew wrote:

> Hi,
>
> I am trying to set up a GRE tunnel between 2 end points (3640 and 2621),
> with IPsec enabled between the Peer routers.
> Send all traffic from the end points through the tunnel with GRE encryption.
>
> I am not able to ping between the tunnel destination addresses, or between the
> private addresses of the peer routers.
>
> The network setup is like this:
>
>             E0/0                    WAN LINK (Frame Relay)
> 1.6.0.90 |-------------- 3640-1 ----------------------------\
>                                                              |
> 1.10.0.90 |------------- 2621-1 ----------------------------/
>
>
> the network configuration is given below:
>
> 3640-1-A#sh run
>
> crypto isakmp policy 1
> hash md5
> authentication pre-share
> group 2
> lifetime 3600
> crypto isakmp key test2 address 16.16.17.2
> crypto isakmp key test2 address 16.16.20.2
> crypto isakmp key test2 address 130.10.10.1
> crypto ipsec security-association lifetime seconds 86400
> crypto ipsec transform-set desmd5 esp-des esp-md5-hmac
> crypto ipsec transform-set ahmd5 ah-md5-hmac
>
> crypto map testtest 1 ipsec-isakmp
> set peer 16.16.17.2
> set peer 16.16.20.2
> set peer 130.10.10.1
> set transform-set desmd5 ahmd5
> match address 102
>
> interface Tunnel0
> ip address 130.10.10.2 255.255.255.0
> tunnel source 16.16.18.2
> tunnel destination 16.16.20.2
> crypto map testtest
>
> interface Ethernet0/0
> ip address 1.6.0.21 255.255.0.0
> ip helper-address 1.5.0.1
>
> interface Serial0/0
> ip address 16.16.18.2 255.255.255.0
> ip helper-address 1.5.0.1
> encapsulation frame-relay
> frame-relay interface-dlci 101
> frame-relay ip tcp header-compression
> frame-relay ip rtp header-compression
> crypto map testtest
>
> router eigrp 1
> network 16.16.0.0 0.0.255.255
> network 1.0.0.0
> network 130.10.0.0
> no auto-summary
>
> ip route 1.0.0.0 255.0.0.0 Tunnel0
>
> map-class frame-relay vofrelay
> frame-relay ip rtp priority 16384 16383 128
>
> access-list 102 permit gre any any log
>
> end
> *********************************************************
> 3640-1-A#sh ip route
> C 200.200.200.0/24 is directly connected, BRI0/0
> 16.0.0.0/24 is subnetted, 4 subnets
> C 16.16.18.0 is directly connected, Serial0/0
> D 16.16.19.0 [90/2273792] via 16.16.18.1, 02:09:54, Serial0/0
> D 16.16.20.0 [90/2273792] via 16.16.18.1, 02:09:54, Serial0/0
> D 16.16.21.0 [90/6023936] via 16.16.18.1, 02:09:54, Serial0/0
> 1.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
> S 1.0.0.0/8 is directly connected, Tunnel0
> D 1.5.0.0/16 [90/1787392] via 16.16.18.1, 02:09:55, Serial0/0
> C 1.6.0.0/16 is directly connected, Ethernet0/0
> D 1.9.0.0/16 [90/2299392] via 16.16.18.1, 02:09:55, Serial0/0
> D 1.8.0.0/24 [90/2401792] via 16.16.18.1, 02:09:55, Serial0/0
> D 1.11.0.0/24 [90/6049536] via 16.16.18.1, 02:09:55, Serial0/0
> 130.10.0.0/24 is subnetted, 1 subnets
> C 130.10.10.0 is directly connected, Tunnel0
> 10.0.0.0/24 is subnetted, 1 subnets
> D 10.33.128.0 [90/6151936] via 16.16.18.1, 02:09:55, Serial0/0
> *********************************************************
> 3640-1-A#ping 130.10.10.1
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 130.10.10.1, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
> *********************************************************
> 3640-1-A#ping 16.16.20.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 16.16.20.2, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 16/19/20 ms
> *********************************************************
> 3640-1-A#ping 1.10.0.90
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 1.10.0.90, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
> *********************************************************
> 3640-1-A#ping 1.10.0.21
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 1.10.0.21, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
>
> *********************************************************
> 2621-1#sh run
>
> crypto isakmp policy 1
> hash md5
> authentication pre-share
> group 2
> lifetime 3600
> crypto isakmp key test2 address 16.16.17.2
> crypto isakmp key test2 address 16.16.18.2
> crypto isakmp key test2 address 130.10.10.2
> crypto ipsec security-association lifetime seconds 86400
> crypto ipsec transform-set desmd5 esp-des esp-md5-hmac
> crypto ipsec transform-set ahmd5 ah-md5-hmac
>
> crypto map testtest 1 ipsec-isakmp
> set peer 16.16.17.2
> set peer 16.16.18.2
> set peer 130.10.10.2
> set transform-set desmd5 ahmd5
> match address 101
>
> interface Tunnel0
> ip address 130.10.10.1 255.255.255.0
> tunnel source 16.16.20.2
> tunnel destination 16.16.18.2
> crypto map testtest
>
> interface FastEthernet0/0
> ip address 1.10.0.21 255.255.255.0
> ip helper-address 1.5.0.1
>
> interface Serial0/2
> ip address 16.16.20.2 255.255.255.0
> encapsulation frame-relay
> frame-relay map ip 16.16.20.1 400 broadcast
> frame-relay interface-dlci 400
> frame-relay ip rtp header-compression
> crypto map testtest
>
> router eigrp 1
> network 16.16.0.0 0.0.255.255
> network 1.0.0.0
> network 130.10.0.0
> no auto-summary
>
> ip route 1.0.0.0 255.0.0.0 Tunnel0
>
> map-class frame-relay vofrelay
> frame-relay ip rtp priority 16384 16383 128
>
> access-list 101 permit gre any any log
>
> end
>
> *********************************************************
>
> 2621-1#sh ip route
> 16.0.0.0/24 is subnetted, 4 subnets
> D 16.16.18.0 [90/2681856] via 16.16.20.1, 00:19:39, Serial0/2
> D 16.16.19.0 [90/2681856] via 16.16.20.1, 00:19:39, Serial0/2
> C 16.16.20.0 is directly connected, Serial0/2
> D 16.16.21.0 [90/6023936] via 16.16.20.1, 00:19:39, Serial0/2
> 1.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
> S 1.0.0.0/8 is directly connected, Tunnel0
> D 1.5.0.0/16 [90/2195456] via 16.16.20.1, 00:19:39, Serial0/2
> D 1.9.0.0/16 [90/2707456] via 16.16.20.1, 00:19:40, Serial0/2
> D 1.8.0.0/24 [90/2809856] via 16.16.20.1, 00:19:40, Serial0/2
> D 1.11.0.0/24 [90/6049536] via 16.16.20.1, 00:19:40, Serial0/2
> C 1.10.0.0/24 is directly connected, FastEthernet0/0
> 130.10.0.0/24 is subnetted, 1 subnets
> C 130.10.10.0 is directly connected, Tunnel0
> 10.0.0.0/24 is subnetted, 1 subnets
> D 10.33.128.0 [90/6151936] via 16.16.20.1, 00:19:40, Serial0/2
>
> *********************************************************
> 2621-1#ping 130.10.10.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 130.10.10.2, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
> *********************************************************
> 2621-1#ping 16.16.18.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 16.16.18.2, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 16/19/20 ms
> *********************************************************
> 2621-1#ping 1.6.0.21
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 1.6.0.21, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
> *********************************************************
>
>
>
> Jubil Mathew
> Software Engineer, MPSBU
> Cisco Systems Inc.
> 821, Alder drive, SJ-22/2/1
> Milpitas, California. 95035
> Phone: (408) 853-4566
> jmathew@cisco.com
> **Please read:http://www.groupstudy.com/list/posting.html
-----------------------------------------------
    I'm buying / selling used CISCO gear!!
            email me for a quote

Brian Feeny, CCDP, CCNP+VAS          Scarlett Parria
signal@netjam.net                    scarlett@netjam.net
318-213-4709                         318-213-4701

Netjam, LLC                          http://www.netjam.net
333 Texas St.                        VISA/MC/AMEX/COD
Suite 1401                           30 day warranty
Shreveport, LA 71101                 Cisco Channel Partner
toll free: 866-2NETJAM
phone: 318-212-0245
fax: 318-212-0246
**Please read:http://www.groupstudy.com/list/posting.html
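Brian's two suggestions written out for both routers, as an added example and not anything from the original post: the crypto ACLs narrowed to the two serial (tunnel source) addresses and mirrored on each side, plus the local address pinned. It assumes the addresses and interface names from the posted configs; IOS takes an interface name, not an IP, in the local-address command.

```cisco
! ---- 3640-1 ----
! Replace "permit gre any any" with the two tunnel endpoints only.
! Brian suggests matching "ip"; "gre" (IP protocol 47) is narrower and is
! exactly what the GRE tunnel puts on the wire between the serial addresses.
no access-list 102
access-list 102 permit gre host 16.16.18.2 host 16.16.20.2
!
! Pin IKE/IPsec to the Serial0/0 address (16.16.18.2) so the SA is always
! negotiated from the tunnel source, whichever interface forwards the packet.
crypto map testtest local-address Serial0/0

! ---- 2621-1 ----
! Crypto ACLs must be exact mirror images, so source and destination swap.
no access-list 101
access-list 101 permit gre host 16.16.20.2 host 16.16.18.2
crypto map testtest local-address Serial0/2

! Check from either side after a ping across the tunnel:
!   show crypto isakmp sa   - one QM_IDLE entry between the two serial IPs
!   show crypto ipsec sa    - "pkts encaps"/"pkts decaps" counters increasing
```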



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:23 GMT-3