From: Scott Stoddard (sstoddard@xxxxxxxx)
Date: Thu Apr 25 2002 - 23:19:23 GMT-3
Cool, that did it! I was hammering this out with different options and
debugs for hours, checking my ipsec for problems, and had no idea the 'any'
keyword in my access list was it all along :-). Thanx!
--Scott
----- Original Message -----
From: "Lupi, Guy" <Guy.Lupi@eurekaggn.com>
To: "'Scott Stoddard'" <sstoddard@gblx.net>; <ccielab@groupstudy.com>
Sent: Thursday, April 25, 2002 6:06 PM
Subject: RE: IPSEC over GRE Tunnel
> I have always had problems with the any keyword and ipsec. Technically, if
> all your traffic is routing over the tunnel, you don't need any line but
> access-list 100 permit gre host 192.168.0.2 host 192.168.0.1 on r8 and
> access-list 100 permit gre host 192.168.0.1 host 192.168.0.2 on r6a, since
> all traffic will be gre unless you are pinging an address in a directly
> connected network. Try the access lists with only the 1 line in each and
> see if it works.
>
> ~-----Original Message-----
> ~From: Scott Stoddard [mailto:sstoddard@gblx.net]
> ~Sent: Thursday, April 25, 2002 8:47 PM
> ~To: ccielab@groupstudy.com
> ~Subject: IPSEC over GRE Tunnel
> ~
> ~
> ~Hi all, does anyone see anything I am doing wrong in my configs below?
> ~I am trying to do IPSEC over a tunnel; my configs match examples off of
> ~CCO, but I cannot ping across the tunnel. If I remove the tunnel config
> ~the ipsec part works great. Is there something I am missing over a tunnel?
> ~I am sourcing my pings from the loopback with a default out the tunnel
> ~interface. Thanx!
> ~
> ~hostname R6a
> ~!
> ~crypto isakmp policy 1
> ~ authentication pre-share
> ~crypto isakmp key cisco address 192.168.0.2
> ~!
> ~crypto ipsec transform-set peekaboo esp-des esp-sha-hmac
> ~ mode transport
> ~!
> ~crypto map doit local-address Serial0
> ~crypto map doit 10 ipsec-isakmp
> ~ set peer 192.168.0.2
> ~ set transform-set peekaboo
> ~ match address 100
> ~!
> ~interface Loopback1
> ~ ip address 150.150.150.150 255.255.255.0
> ~ no ip directed-broadcast
> ~!
> ~interface Tunnel0
> ~ ip address 10.1.1.1 255.255.255.0
> ~ no ip directed-broadcast
> ~ tunnel source 192.168.0.1
> ~ tunnel destination 192.168.0.2
> ~ crypto map doit
> ~!
> ~interface Serial0
> ~ ip address 192.168.0.1 255.255.255.0
> ~ clockrate 64000
> ~ crypto map doit
> ~!
> ~ip route 0.0.0.0 0.0.0.0 Tunnel0
> ~!
> ~access-list 100 permit gre any any
> ~access-list 100 permit icmp any any
> ~access-list 100 permit ip any any
> ~----------------------------------
> ~hostname R8
> ~!
> ~crypto isakmp policy 1
> ~ authentication pre-share
> ~crypto isakmp key cisco address 192.168.0.1
> ~!
> ~crypto ipsec transform-set peekaboo esp-des esp-sha-hmac
> ~ mode transport
> ~!
> ~crypto map doit local-address Serial1
> ~crypto map doit 10 ipsec-isakmp
> ~ set peer 192.168.0.1
> ~ set transform-set peekaboo
> ~ match address 100
> ~!
> ~interface Loopback1
> ~ ip address 200.200.200.200 255.255.255.0
> ~ no ip directed-broadcast
> ~!
> ~interface Tunnel0
> ~ ip address 10.1.1.2 255.255.255.0
> ~ no ip directed-broadcast
> ~ tunnel source 192.168.0.2
> ~ tunnel destination 192.168.0.1
> ~ crypto map doit
> ~!
> ~interface Serial1
> ~ ip address 192.168.0.2 255.255.255.0
> ~ crypto map doit
> ~!
> ~ip route 0.0.0.0 0.0.0.0 Tunnel0
> ~!
> ~access-list 100 permit ip any any
> ~access-list 100 permit icmp any any
> ~access-list 100 permit gre any any
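The one-line crypto ACL suggested in the reply versus R6a's original three-line list, run through a small Cisco-style ACL matcher. This is an added example, not code from the thread; the matcher is a textbook first-match evaluation over "any"/"host" entries and does not model IOS's own special cases (for instance how a crypto map treats the router's own IKE packets), so it only shows which traffic each list nominates for IPsec. The sample packets are constructed from the addresses in Scott's configs.

```python
import ipaddress
from dataclasses import dataclass
@dataclass(frozen=True)
class Packet:
    proto: str  # "gre", "udp", "icmp", ...
    src: str
    dst: str

def _parse_addr(tokens):
    """Consume one address spec: 'any' or 'host A' (wildcard masks not handled)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    raise ValueError(f"unsupported address spec: {tok}")

def parse_ace(line):
    """'access-list 100 permit gre host A host B' -> (action, proto, src_net, dst_net)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line}")
    rest = tokens[4:]
    return tokens[2], tokens[3], _parse_addr(rest), _parse_addr(rest)

def crypto_acl_selects(acl_lines, pkt):
    """True if the crypto ACL selects pkt for IPsec (first matching entry wins)."""
    for line in acl_lines:
        action, proto, src, dst = parse_ace(line)
        if (proto in ("ip", pkt.proto)
                and ipaddress.ip_address(pkt.src) in src
                and ipaddress.ip_address(pkt.dst) in dst):
            return action == "permit"
    return False  # implicit deny: the packet is sent in the clear
# Constructed: R6a's crypto ACL from the thread, and the one-line version the reply suggests
BROAD = ["access-list 100 permit gre any any",
         "access-list 100 permit icmp any any",
         "access-list 100 permit ip any any"]
NARROW = ["access-list 100 permit gre host 192.168.0.1 host 192.168.0.2"]
# Constructed traffic as seen from R6a; a loopback ping is routed into Tunnel0 first,
# so the crypto map sees it as GRE between the tunnel endpoints (TUNNELED).
INNER_PING = Packet("icmp", "150.150.150.150", "200.200.200.200")
TUNNELED = Packet("gre", "192.168.0.1", "192.168.0.2")
ISAKMP = Packet("udp", "192.168.0.1", "192.168.0.2")        # IKE between the peers themselves
DIRECT_PING = Packet("icmp", "192.168.0.1", "192.168.0.2")  # ping across the serial link itself

def selected_by(acl_lines):
    """Names of the sample packets this crypto ACL would hand to IPsec."""
    samples = {"inner": INNER_PING, "tunneled": TUNNELED, "isakmp": ISAKMP, "direct": DIRECT_PING}
    return sorted(name for name, pkt in samples.items() if crypto_acl_selects(acl_lines, pkt))
```

With the narrow list only the GRE packets between the two serial addresses are selected, which is exactly the traffic the reply says will carry everything once the default route points at Tunnel0.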
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:58:19 GMT-3