Re: IPSEC over Tunnel Not Working

From: Tim Wilhoit (tilimil@xxxxxxxxxxx)
Date: Wed Apr 17 2002 - 02:17:08 GMT-3


   
The first thing I see here is that your access-list 138 is wrong. It should
actually have the IP addresses of your source and destination addresses for
the tunnel rather than the addresses of the tunnel interfaces.

Also, I believe the "set peer" statement on the crypto map should have the
address of the tunnel destination as the peer.

And lastly, make sure you apply the crypto map not only to the tunnel
interfaces but also the interfaces that are the source and destination for
your tunnel.

Tim Wilhoit

----- Original Message -----
From: "kym blair" <kymblair@hotmail.com>
To: <ccielab@groupstudy.com>
Sent: Tuesday, April 16, 2002 11:30 PM
Subject: IPSEC over Tunnel Not Working

> IPSEC works great with the below config when applied to a physical serial
> link, but when I apply it to a working tunnel, it doesn't work. I've tried
> a variety of address combinations but still can't get it. Can anyone solve
> this? Here are the configs:
>
> ROUTER3:
>
> crypto isakmp policy 10
> authentication pre-share
> crypto isakmp key CCIE address 148.8.8.8
> crypto ipsec transform-set XFRM esp-des esp-sha-hmac
> access-list 138 permit ip host 148.8.8.3 host 148.8.8.8
>
> crypto map CCIEMAP 10 ipsec-isakmp
> set peer 148.8.8.8
> set transform-set XFRM
> match address 138
> !
> interface Tunnel8
> ip address 148.8.8.3 255.255.255.0
> tunnel source 33.3.3.3
> tunnel destination 172.28.2.8
> crypto map CCIEMAP
>
> ROUTER8:
>
> crypto isakmp policy 1
> authentication pre-share
> crypto isakmp key CCIE address 148.8.8.3
> crypto ipsec transform-set XFRM esp-des esp-sha-hmac
> access-list 138 permit ip host 148.8.8.8 host 148.8.8.3
> !
> crypto map CCIEMAP 10 ipsec-isakmp
> set peer 148.8.8.3
> set transform-set XFRM
> match address 138
> !
> interface Tunnel8
> ip address 148.8.8.8 255.255.255.0
> tunnel source 172.28.2.8
> tunnel destination 33.3.3.3
> crypto map CCIEMAP
>
>
> TIA, Kym
>
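The three changes suggested in the reply, applied to both routers, as an added example that is not part of either message. Assumptions: the tunnel source addresses (33.3.3.3 and 172.28.2.8) are configured on each router's physical interface facing the other router, the interface name Serial0 is hypothetical, and the tunnel uses the default GRE mode, so the access list matches `gre` rather than `ip`.

```ios
! ---- ROUTER3 ----
crypto isakmp policy 10
 authentication pre-share
! The pre-shared key is looked up by IKE peer address, so it follows "set peer"
crypto isakmp key CCIE address 172.28.2.8
crypto ipsec transform-set XFRM esp-des esp-sha-hmac
!
! Match the encapsulated packets: tunnel source -> tunnel destination
access-list 138 permit gre host 33.3.3.3 host 172.28.2.8
!
crypto map CCIEMAP 10 ipsec-isakmp
 set peer 172.28.2.8
 set transform-set XFRM
 match address 138
!
interface Tunnel8
 ip address 148.8.8.3 255.255.255.0
 tunnel source 33.3.3.3
 tunnel destination 172.28.2.8
 crypto map CCIEMAP
!
! Hypothetical name for the interface that owns 33.3.3.3
interface Serial0
 crypto map CCIEMAP
!
! ---- ROUTER8 (mirror image) ----
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key CCIE address 33.3.3.3
crypto ipsec transform-set XFRM esp-des esp-sha-hmac
!
access-list 138 permit gre host 172.28.2.8 host 33.3.3.3
!
crypto map CCIEMAP 10 ipsec-isakmp
 set peer 33.3.3.3
 set transform-set XFRM
 match address 138
!
interface Tunnel8
 ip address 148.8.8.8 255.255.255.0
 tunnel source 172.28.2.8
 tunnel destination 33.3.3.3
 crypto map CCIEMAP
!
! Hypothetical name for the interface that owns 172.28.2.8
interface Serial0
 crypto map CCIEMAP
```

After sending traffic across the tunnel, `show crypto isakmp sa` and `show crypto ipsec sa` on either router show whether the security associations came up and whether the encrypt and decrypt packet counters are incrementing.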



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:58:11 GMT-3