From: John Neiberger (neiby@xxxxxxxxxx)
Date: Wed Apr 17 2002 - 01:55:02 GMT-3
When trying to get IPSec to work over a GRE tunnel, I try to remember three rules:
1. In the IPsec config, always use the real IP addresses, not the addresses of the tunnel.
2. Apply the crypto map to both the Tunnel interface and the real outgoing interface.
3. Your crypto access list only needs a single line that permits GRE, again using real IP addresses, not tunnel addresses.
If you follow those three rules you shouldn't have a problem with a basic config.
HTH,
John
---- On Wed, 17 Apr 2002, kym blair (kymblair@hotmail.com) wrote:
> IPSEC works great with the below config when applied to a physical serial
> link, but when I apply it to a working tunnel, it doesn't work. I've tried
> a variety of address combinations but still can't get it. Can anyone solve
> this? Here are the configs:
>
> ROUTER3:
>
> crypto isakmp policy 10
>  authentication pre-share
> crypto isakmp key CCIE address 148.8.8.8
> crypto ipsec transform-set XFRM esp-des esp-sha-hmac
> access-list 138 permit ip host 148.8.8.3 host 148.8.8.8
>
> crypto map CCIEMAP 10 ipsec-isakmp
>  set peer 148.8.8.8
>  set transform-set XFRM
>  match address 138
> !
> interface Tunnel8
>  ip address 148.8.8.3 255.255.255.0
>  tunnel source 33.3.3.3
>  tunnel destination 172.28.2.8
>  crypto map CCIEMAP
>
> ROUTER8:
>
> crypto isakmp policy 1
>  authentication pre-share
> crypto isakmp key CCIE address 148.8.8.3
> crypto ipsec transform-set XFRM esp-des esp-sha-hmac
> access-list 138 permit ip host 148.8.8.8 host 148.8.8.3
> !
> crypto map CCIEMAP 10 ipsec-isakmp
>  set peer 148.8.8.3
>  set transform-set XFRM
>  match address 138
> !
> interface Tunnel8
>  ip address 148.8.8.8 255.255.255.0
>  tunnel source 172.28.2.8
>  tunnel destination 33.3.3.3
>  crypto map CCIEMAP
>
>
> TIA, Kym
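As an added illustration (not part of either poster's message), here is Kym's config rewritten to follow John's three rules. Everything that the original post did not show is an assumption: the names and masks of the physical interfaces (Serial0 on ROUTER3 carrying 33.3.3.3, Ethernet0 on ROUTER8 carrying 172.28.2.8). Peer addresses, the pre-shared key binding and the crypto ACL all move from the 148.8.8.x tunnel addresses to the real tunnel-endpoint addresses, the ACL is reduced to one GRE line, and the crypto map is applied to the physical interface as well as Tunnel8.

```cisco
! ===== ROUTER3 =====
crypto isakmp policy 10
 authentication pre-share
! Rule 1: bind the key to the peer's real address, not its tunnel address
crypto isakmp key CCIE address 172.28.2.8
crypto ipsec transform-set XFRM esp-des esp-sha-hmac
!
! Rule 3: one line, GRE only, between the real endpoint addresses
access-list 138 permit gre host 33.3.3.3 host 172.28.2.8
!
crypto map CCIEMAP 10 ipsec-isakmp
 set peer 172.28.2.8
 set transform-set XFRM
 match address 138
!
interface Tunnel8
 ip address 148.8.8.3 255.255.255.0
 tunnel source 33.3.3.3
 tunnel destination 172.28.2.8
 crypto map CCIEMAP
!
! Rule 2: same crypto map on the real outgoing interface
! (interface name and mask are assumed; the original post does not show them)
interface Serial0
 ip address 33.3.3.3 255.255.255.0
 crypto map CCIEMAP

! ===== ROUTER8 =====
crypto isakmp policy 1
 authentication pre-share
! Rule 1: real address of ROUTER3
crypto isakmp key CCIE address 33.3.3.3
crypto ipsec transform-set XFRM esp-des esp-sha-hmac
!
! Rule 3: mirror image of ROUTER3's line
access-list 138 permit gre host 172.28.2.8 host 33.3.3.3
!
crypto map CCIEMAP 10 ipsec-isakmp
 set peer 33.3.3.3
 set transform-set XFRM
 match address 138
!
interface Tunnel8
 ip address 148.8.8.8 255.255.255.0
 tunnel source 172.28.2.8
 tunnel destination 33.3.3.3
 crypto map CCIEMAP
!
! Rule 2 again (interface name and mask assumed)
interface Ethernet0
 ip address 172.28.2.8 255.255.255.0
 crypto map CCIEMAP
```

Once traffic crosses the tunnel, `show crypto isakmp sa` should list the peer in state QM_IDLE and `show crypto ipsec sa` should show encrypt/decrypt counters rising for the single GRE flow; if the ISAKMP SA never forms, the usual cause is that one side still references a 148.8.8.x address somewhere. The transform set is kept as the original `esp-des esp-sha-hmac` only so the example stays comparable with the post; single DES is not an acceptable choice on real equipment.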
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:58:11 GMT-3