RE: IPSEC over GRE Tunnel

From: Lupi, Guy (Guy.Lupi@xxxxxxxxxxxxx)
Date: Thu Apr 25 2002 - 22:06:14 GMT-3

I have always had problems with the any keyword and ipsec. Technically, if
all your traffic is routing over the tunnel, you don't need any line but
access-list 100 permit gre host 192.168.0.2 host 192.168.0.1 on r8 and
access-list 100 permit gre host 192.168.0.1 host 192.168.0.2 on r6a, since
all traffic will be gre unless you are pinging an address in a directly
connected network. Try the access lists with only the 1 line in each and
see if it works.

~-----Original Message-----
~From: Scott Stoddard [mailto:sstoddard@gblx.net]
~Sent: Thursday, April 25, 2002 8:47 PM
~To: ccielab@groupstudy.com
~Subject: IPSEC over GRE Tunnel
~
~
~Hi all, does anyone see anything I am doing wrong in my configs below? I am
~trying to do IPSEC over a tunnel. My configs match examples off of CCO, but I
~cannot ping across the tunnel. If I remove the tunnel config, the ipsec part
~works great. Is there something I am missing over a tunnel? I am sourcing my
~pings from the loopback with a default out the tunnel interface. Thanx!
~
~hostname R6a
~!
~crypto isakmp policy 1
~ authentication pre-share
~crypto isakmp key cisco address 192.168.0.2
~!
~crypto ipsec transform-set peekaboo esp-des esp-sha-hmac
~ mode transport
~!
~crypto map doit local-address Serial0
~crypto map doit 10 ipsec-isakmp
~ set peer 192.168.0.2
~ set transform-set peekaboo
~ match address 100
~!
~interface Loopback1
~ ip address 150.150.150.150 255.255.255.0
~ no ip directed-broadcast
~!
~interface Tunnel0
~ ip address 10.1.1.1 255.255.255.0
~ no ip directed-broadcast
~ tunnel source 192.168.0.1
~ tunnel destination 192.168.0.2
~ crypto map doit
~!
~interface Serial0
~ ip address 192.168.0.1 255.255.255.0
~ clockrate 64000
~ crypto map doit
~!
~ip route 0.0.0.0 0.0.0.0 Tunnel0
~!
~access-list 100 permit gre any any
~access-list 100 permit icmp any any
~access-list 100 permit ip any any
~----------------------------------
~hostname R8
~!
~crypto isakmp policy 1
~ authentication pre-share
~crypto isakmp key cisco address 192.168.0.1
~!
~crypto ipsec transform-set peekaboo esp-des esp-sha-hmac
~ mode transport
~!
~crypto map doit local-address Serial1
~crypto map doit 10 ipsec-isakmp
~ set peer 192.168.0.1
~ set transform-set peekaboo
~ match address 100
~!
~interface Loopback1
~ ip address 200.200.200.200 255.255.255.0
~ no ip directed-broadcast
~!
~interface Tunnel0
~ ip address 10.1.1.2 255.255.255.0
~ no ip directed-broadcast
~ tunnel source 192.168.0.2
~ tunnel destination 192.168.0.1
~ crypto map doit
~!
~interface Serial1
~ ip address 192.168.0.2 255.255.255.0
~ crypto map doit
~!
~ip route 0.0.0.0 0.0.0.0 Tunnel0
~!
~access-list 100 permit ip any any
~access-list 100 permit icmp any any
~access-list 100 permit gre any any
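A toy model of the crypto-ACL selection Guy describes, added here as an example and not part of either message in the thread. It runs the packets R6a would send toward R8 (constructed from the addresses in Scott's posted configs) through Scott's three-line ACL and through Guy's single GRE line, and reports which packets each one hands to IPsec. The ACL parser understands only the `permit <proto> any|host` syntax used in the thread, and the packet list, the GRE encapsulation step and the simplified match semantics (no wildcard masks, no ports) are assumptions of this example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

# Addresses taken from the posted configs: R6a Serial0 / R8 Serial1 are the
# tunnel endpoints, Loopback1 on each side is the ping source/destination.
R6A_SERIAL = IPv4Address("192.168.0.1")
R8_SERIAL = IPv4Address("192.168.0.2")
R6A_LOOP = IPv4Address("150.150.150.150")
R8_LOOP = IPv4Address("200.200.200.200")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str  # "gre", "icmp", "udp", "esp", ...
    note: str   # human-readable label used in the results


@dataclass(frozen=True)
class AclLine:
    proto: str                  # "ip" matches every protocol
    src: Optional[IPv4Address]  # None stands for the "any" keyword
    dst: Optional[IPv4Address]

    def matches(self, p: Packet) -> bool:
        return (
            self.proto in ("ip", p.proto)
            and self.src in (None, p.src)
            and self.dst in (None, p.dst)
        )


def parse_acl(lines: List[str]) -> List[AclLine]:
    """Parse 'access-list N permit <proto> (any|host A) (any|host B)'.

    Only the subset of IOS syntax used in the thread is understood (a
    simplifying assumption of this example): no wildcard masks, no ports.
    """
    acl = []
    for line in lines:
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2] != "permit":
            raise ValueError(f"unsupported line: {line}")
        proto, rest = tok[3], tok[4:]
        endpoints: List[Optional[IPv4Address]] = []
        while rest:
            if rest[0] == "any":
                endpoints.append(None)
                rest = rest[1:]
            elif rest[0] == "host":
                endpoints.append(IPv4Address(rest[1]))
                rest = rest[2:]
            else:
                raise ValueError(f"unsupported endpoint in: {line}")
        if len(endpoints) != 2:
            raise ValueError(f"expected source and destination in: {line}")
        acl.append(AclLine(proto, endpoints[0], endpoints[1]))
    return acl


def gre_encapsulate(inner: Packet, tun_src: IPv4Address, tun_dst: IPv4Address) -> Packet:
    """A packet routed out Tunnel0 leaves the router as GRE (IP protocol 47)
    between tunnel source and destination; the crypto map on the physical
    interface sees this outer header, not the inner one."""
    return Packet(tun_src, tun_dst, "gre", f"gre[{inner.note}]")


def r6a_outbound_packets() -> List[Packet]:
    """Constructed sample of what R6a sends toward R8 in Scott's setup."""
    loop_ping = Packet(R6A_LOOP, R8_LOOP, "icmp", "ping loopback->loopback")
    return [
        # Default route points at Tunnel0, so the loopback ping is encapsulated.
        gre_encapsulate(loop_ping, R6A_SERIAL, R8_SERIAL),
        # A ping to the directly connected serial address bypasses the tunnel
        # (Guy's caveat: this one is not GRE).
        Packet(R6A_SERIAL, R8_SERIAL, "icmp", "ping to directly connected peer"),
        # Traffic the router generates for IPsec itself between the peers.
        Packet(R6A_SERIAL, R8_SERIAL, "udp", "isakmp udp/500"),
        Packet(R6A_SERIAL, R8_SERIAL, "esp", "esp"),
    ]


def selected_for_ipsec(acl: List[AclLine], packets: List[Packet]) -> List[str]:
    """Labels of the packets the crypto ACL would hand to IPsec."""
    return [p.note for p in packets if any(line.matches(p) for line in acl)]


# Scott's R6a crypto ACL as posted.
SCOTT_R6A_ACL = parse_acl([
    "access-list 100 permit gre any any",
    "access-list 100 permit icmp any any",
    "access-list 100 permit ip any any",
])

# Guy's suggested single line for R6a.
GUY_R6A_ACL = parse_acl([
    "access-list 100 permit gre host 192.168.0.1 host 192.168.0.2",
])

if __name__ == "__main__":
    pkts = r6a_outbound_packets()
    print("Scott's ACL selects:", selected_for_ipsec(SCOTT_R6A_ACL, pkts))
    print("Guy's ACL selects:  ", selected_for_ipsec(GUY_R6A_ACL, pkts))
```

With the `permit ip any any` line present, every packet in the sample matches the selector, including the ISAKMP and ESP packets the router itself exchanges with the peer; the single host-to-host GRE line selects only the encapsulated tunnel traffic, which is what Guy's reply suggests trying.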

This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:58:19 GMT-3