From: Tommy C (tkc9789@xxxxxxxxxxx)
Date: Fri Jun 21 2002 - 22:03:34 GMT-3
Access-list 151 needs to be changed to permit GRE instead of permit ip.
Since you're using loopback0 as tunnel source, you need:
crypto-map sec1 local-addr loopback0.
>From: "Denise Donohue" <fradendon@comcast.net>
>Reply-To: "Denise Donohue" <fradendon@comcast.net>
>To: "Jerry Haverkos" <jhaverkos@columbus.rr.com>, <ccielab@groupstudy.com>
>Subject: Re: IPSec with a Tunnel as the egress interface
>Date: Fri, 21 Jun 2002 17:51:51 -0400
>
>You need to apply the crypto-map to the physical interface as well as the
>tunnel.
>
>----- Original Message -----
>From: "Jerry Haverkos" <jhaverkos@columbus.rr.com>
>To: <ccielab@groupstudy.com>
>Sent: Friday, June 21, 2002 1:44 PM
>Subject: IPSec with a Tunnel as the egress interface
>
>
> > Hello Everyone
> >
> > I could use some help. I am not establishing an ISAKMP SA between 2
> > routers that have a tunnel between them. The serial connection is
> > frame-relay. The following is the IPSec configuration of the two routers
> > at present. The tunnel works without IPSec. Also I have another serial
> > interface, non-frame and no tunnel, that has IPSec working. Your
> > consideration of the problem is appreciated.
> >
> > Router 3640-1
> > crypto isakmp policy 10
> > authentication pre-share
> > crypto isakmp key tunnel1 address 139.7.147.2
> > crypto isakmp key LetMeIn address 139.7.97.1
> > crypto ipsec transform-set s1 esp-des esp-md5-hmac
> > crypto ipsec transform-set s2 esp-des esp-md5-hmac
> > crypto map Sec1 10 ipsec-isakmp
> > set peer 139.7.97.1
> > set transform-set s1
> > match address 100
> > crypto map Sec1 20 ipsec-isakmp
> > set peer 139.7.147.2
> > set transform-set s2
> > match address 151
> > interface Loopback0
> > ip address 139.7.254.254 255.255.255.252
> > interface Tunnel1
> > ip address 139.7.147.1 255.255.255.252
> > ipx ipxwan 0 221155 3640-1
> > ipx nlsp enable
> > tunnel source Loopback0
> > tunnel destination 139.7.65.1
> > crypto map Sec1
> > interface Serial1/0
> > no ip address
> > encapsulation frame-relay
> > no frame-relay inverse-arp
> > interface Serial1/0.1 multipoint
> > ip address 139.7.254.9 255.255.255.248
> > ip nat inside
> > ip ospf network broadcast
> > frame-relay map ip 139.7.254.10 401 broadcast
> > frame-relay map ip 139.7.254.11 403 broadcast
> > access-list 151 permit ip host 139.7.254.254 host 139.7.65.1
> >
> >
> > Router2611-1
> > crypto isakmp policy 10
> > authentication pre-share
> > crypto isakmp key tunnel1 address 139.7.147.1
> > crypto ipsec transform-set s1 esp-des esp-md5-hmac
> > crypto map Sec1 10 ipsec-isakmp
> > set peer 139.7.147.1
> > set transform-set s1
> > match address 100
> > interface Loopback0
> > ip address 139.7.65.1 255.255.255.255
> > interface Tunnel1
> > ip address 139.7.147.2 255.255.255.252
> > ipx ipxwan 0 221155 2611-1
> > ipx nlsp enable
> > tunnel source Loopback0
> > tunnel destination 139.7.254.254
> > crypto map Sec1
> > interface Serial0/0
> > bandwidth 64
> > ip address 139.7.254.11 255.255.255.248
> > encapsulation frame-relay
> > ip ospf network broadcast
> > ip ospf priority 0
> > frame-relay map ip 139.7.254.9 304 broadcast
> > frame-relay map ip 139.7.254.10 304 broadcast
> > no frame-relay inverse-arp
> > frame-relay lmi-type ansi
> > access-list 100 permit ip host 139.7.65.1 host 139.7.254.254
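The three changes suggested in the replies (crypto ACL matching GRE, local-address Loopback0, crypto map on the frame-relay interface), written out as an added IOS example against Jerry's posted addresses; this is not configuration from the thread. It also assumes, since the thread does not say so, that the IKE peer must be the far end's Loopback0 (the address the GRE packets are sent to) rather than its tunnel address, which is only reachable through the tunnel the SA is meant to protect, and that the 2611-1 side is changed to mirror it.

```cisco
! Router 3640-1 (added example, not the thread's configuration)
!
! Before: ACL 151 matched plain IP between the loopbacks.
!   access-list 151 permit ip host 139.7.254.254 host 139.7.65.1
! After: the traffic leaving the tunnel is GRE sourced from Loopback0,
! so the crypto ACL has to match protocol 47 between the endpoints.
no access-list 151
access-list 151 permit gre host 139.7.254.254 host 139.7.65.1
!
! The tunnel is sourced from Loopback0, so IKE and IPsec must use it
! as their local address too (the "local-addr" note, in full syntax).
crypto map Sec1 local-address Loopback0
!
! Assumption (not raised in the thread): peer on the far end's Loopback0
! instead of its tunnel address 139.7.147.2.
no crypto isakmp key tunnel1 address 139.7.147.2
crypto isakmp key tunnel1 address 139.7.65.1
crypto map Sec1 20 ipsec-isakmp
 set peer 139.7.65.1
 set transform-set s2
 match address 151
!
! The encrypted GRE packets leave through the frame-relay subinterface,
! so the crypto map goes there as well as on the tunnel.
interface Serial1/0.1 multipoint
 crypto map Sec1
interface Tunnel1
 crypto map Sec1
!
! Router 2611-1: mirror image, so protocol, peer and local address agree.
no access-list 100
access-list 100 permit gre host 139.7.65.1 host 139.7.254.254
crypto map Sec1 local-address Loopback0
no crypto isakmp key tunnel1 address 139.7.147.1
crypto isakmp key tunnel1 address 139.7.254.254
crypto map Sec1 10 ipsec-isakmp
 set peer 139.7.254.254
 set transform-set s1
 match address 100
interface Serial0/0
 crypto map Sec1
interface Tunnel1
 crypto map Sec1
```

After applying this, `show crypto isakmp sa` should show a QM_IDLE entry between 139.7.254.254 and 139.7.65.1, and `show crypto ipsec sa` on the serial interface should count GRE packets being encapsulated.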
This archive was generated by hypermail 2.1.4 : Tue Jul 02 2002 - 08:12:40 GMT-3