IPSec/NAT

From: Macky Lee (Macky.Lee@xxxxxxxxxxxxx)
Date: Thu Oct 25 2001 - 00:23:38 GMT-3


   
Hi all,

Could someone please tell me what I have done wrong in the following lab setup?

R1---R2---R3---R4

R2 has NAT applied (100.1.1.1--->200.100.100.1)
R1 is trying to set up an IPSec tunnel with R4

Ping was fine before the IPsec configuration was put in.

Here is the configuration.

R1
crypto isakmp policy 10
 hash md5
 authentication pre-share
 lifetime 10000
! (R4 serial0)
crypto isakmp key Ciscotest address 200.200.200.4
!
crypto ipsec transform-set Ciscotran esp-des esp-md5-hmac
!
crypto map test 10 ipsec-isakmp
 ! (R4 serial0)
 set peer 200.200.200.4
 set transform-set Ciscotran
 match address 101
!
interface Serial0
 ip address 100.1.1.1 255.255.255.0
 encapsulation ppp
 no fair-queue
 clockrate 64000
 crypto map test

access-list 101 permit ip 100.1.1.0 0.0.0.255 200.200.200.0 0.0.0.255

R4
crypto isakmp policy 10
 hash md5
 authentication pre-share
 lifetime 10000
! (R1 serial0 after NAT)
crypto isakmp key Ciscotest address 200.100.100.1
!
!
crypto ipsec transform-set Ciscotran esp-des esp-md5-hmac
!
crypto map test 10 ipsec-isakmp
 ! (R1 serial0 after NAT)
 set peer 200.100.100.1
 set transform-set Ciscotran
 match address 101
!
interface Serial0
 ip address 200.200.200.4 255.255.255.0
 encapsulation ppp
 no fair-queue
 crypto map test
!
access-list 101 permit ip 200.200.200.0 0.0.0.255 200.100.100.0 0.0.0.255

Regards,

Macky


