From: Denise Donohue (fradendon@xxxxxxxxxxx)
Date: Fri Jun 21 2002 - 18:51:51 GMT-3
You need to apply the crypto-map to the physical interface as well as the
tunnel.
----- Original Message -----
From: "Jerry Haverkos" <jhaverkos@columbus.rr.com>
To: <ccielab@groupstudy.com>
Sent: Friday, June 21, 2002 1:44 PM
Subject: IPSec with a Tunnel as the egress interface
> Hello Everyone
>
> I could use some help. I am not establishing an ISAKMP SA between 2 routers
> that have a tunnel between them. The serial connection is frame-relay. The
> following is the IPSec configuration of the two routers at present. The
> tunnel works without IPSec. Also I have another serial interface, non-frame
> and no tunnel, that has IPSec working. Your consideration of the problem is
> appreciated.
>
> Router 3640-1
> crypto isakmp policy 10
> authentication pre-share
> crypto isakmp key tunnel1 address 139.7.147.2
> crypto isakmp key LetMeIn address 139.7.97.1
> crypto ipsec transform-set s1 esp-des esp-md5-hmac
> crypto ipsec transform-set s2 esp-des esp-md5-hmac
> crypto map Sec1 10 ipsec-isakmp
> set peer 139.7.97.1
> set transform-set s1
> match address 100
> crypto map Sec1 20 ipsec-isakmp
> set peer 139.7.147.2
> set transform-set s2
> match address 151
> interface Loopback0
> ip address 139.7.254.254 255.255.255.252
> interface Tunnel1
> ip address 139.7.147.1 255.255.255.252
> ipx ipxwan 0 221155 3640-1
> ipx nlsp enable
> tunnel source Loopback0
> tunnel destination 139.7.65.1
> crypto map Sec1
> interface Serial1/0
> no ip address
> encapsulation frame-relay
> no frame-relay inverse-arp
> interface Serial1/0.1 multipoint
> ip address 139.7.254.9 255.255.255.248
> ip nat inside
> ip ospf network broadcast
> frame-relay map ip 139.7.254.10 401 broadcast
> frame-relay map ip 139.7.254.11 403 broadcast
> access-list 151 permit ip host 139.7.254.254 host 139.7.65.1
>
>
> Router2611-1
> crypto isakmp policy 10
> authentication pre-share
> crypto isakmp key tunnel1 address 139.7.147.1
> crypto ipsec transform-set s1 esp-des esp-md5-hmac
> crypto map Sec1 10 ipsec-isakmp
> set peer 139.7.147.1
> set transform-set s1
> match address 100
> interface Loopback0
> ip address 139.7.65.1 255.255.255.255
> interface Tunnel1
> ip address 139.7.147.2 255.255.255.252
> ipx ipxwan 0 221155 2611-1
> ipx nlsp enable
> tunnel source Loopback0
> tunnel destination 139.7.254.254
> crypto map Sec1
> interface Serial0/0
> bandwidth 64
> ip address 139.7.254.11 255.255.255.248
> encapsulation frame-relay
> ip ospf network broadcast
> ip ospf priority 0
> frame-relay map ip 139.7.254.9 304 broadcast
> frame-relay map ip 139.7.254.10 304 broadcast
> no frame-relay inverse-arp
> frame-relay lmi-type ansi
> access-list 100 permit ip host 139.7.65.1 host 139.7.254.254
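
Added example (not part of either message in this thread): a small Python check for the condition the reply describes, a crypto map applied to a Tunnel interface but to no addressed physical interface. The sample is abridged from the 3640-1 configuration in the post and re-indented; the function names are hypothetical, and the check does not consult the routing table, so it lists every addressed non-tunnel, non-loopback interface rather than the actual egress one.

```python
# Constructed sample: abridged from the 3640-1 configuration in the post, re-indented.
SAMPLE_3640 = """\
interface Loopback0
 ip address 139.7.254.254 255.255.255.252
interface Tunnel1
 ip address 139.7.147.1 255.255.255.252
 tunnel destination 139.7.65.1
 crypto map Sec1
interface Serial1/0
 no ip address
interface Serial1/0.1 multipoint
 ip address 139.7.254.9 255.255.255.248
access-list 151 permit ip host 139.7.254.254 host 139.7.65.1
"""

def parse_interfaces(config):
    """Return {interface name: [subcommands]} from indented IOS-style text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None  # unindented line: back in global config
    return interfaces

def crypto_maps(cmds):
    """Names of the crypto maps applied in one interface stanza."""
    return {c.split()[2] for c in cmds if c.startswith("crypto map ")}

def missing_physical_crypto_map(config):
    """Map name -> addressed non-tunnel, non-loopback interfaces lacking a
    crypto map that is applied on a Tunnel interface."""
    interfaces = parse_interfaces(config)
    tunnel_maps = set().union(*(crypto_maps(cmds) for name, cmds in interfaces.items()
                                if name.lower().startswith("tunnel")))
    findings = {}
    for name, cmds in interfaces.items():
        if name.lower().startswith(("tunnel", "loopback")):
            continue
        if not any(c.startswith("ip address ") for c in cmds):
            continue  # e.g. Serial1/0, which has "no ip address"
        for m in sorted(tunnel_maps - crypto_maps(cmds)):
            findings.setdefault(m, []).append(name)
    return findings

print(missing_physical_crypto_map(SAMPLE_3640))
```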