From: Nick Shah (nshah@connect.com.au)
Date: Sun Sep 22 2002 - 04:14:47 GMT-3
Minh
I am just thinking:
The ACL used in the map is actually 'traffic between source/destination to be encrypted'.
You are trying to encrypt just the GRE between source/destination.
Unless there is something different you are trying to do, I would make that ACL:
on R6
access-list 146 permit ip host 148.8.46.6 host 148.8.46.4 log
on R4
access-list 146 permit ip host 148.8.46.4 host 148.8.46.6 log
rgds
Nick
----- Original Message -----
From: Minh Vuong <mvuong@cisco.com>
To: CCIE Groupstudy <ccielab@groupstudy.com>
Cc: Bao Dam <dambq@yahoo.com>; Alan Wong <alawong@cisco.com>
Sent: Sunday, September 22, 2002 4:15 PM
Subject: Need help with GRE over IPSec config
> Guys, need some help please with a GRE over IPSec problem. I think it's
> a rather basic config but for some reason I can't get it to work. So
> another set of eyes would be appreciated...
>
> R6 connects directly to R4 via token ring.
>
>
> R6 CONFIG:
> access-list 146 permit gre host 148.8.46.6 host 148.8.46.4 log
> !
> crypto isakmp policy 1
> authentication pre-share
> crypto isakmp key baby address 148.8.46.4
> !
> !
> crypto ipsec transform-set GRE_SET esp-des esp-sha-hmac
> !
> crypto map GRE_MAP local-address TokenRing5/0
> crypto map GRE_MAP 10 ipsec-isakmp
> set peer 148.8.46.4
> set transform-set GRE_SET
> match address 146
> !
> interface Tunnel46
> ip address 148.8.200.6 255.255.255.0
> tunnel source 148.8.46.6
> tunnel destination 148.8.46.4
> crypto map GRE_MAP
> !
> !
> interface TokenRing5/0
> ip address 148.8.46.6 255.255.255.192
> ipx network 46
> ring-speed 4
> crypto map GRE_MAP
> !
>
>
>
> R4 CONFIG:
> !
> crypto isakmp policy 1
> authentication pre-share
> crypto isakmp key baby address 148.8.46.6
> !
> !
> crypto ipsec transform-set GRE_SET esp-des esp-sha-hmac
> !
> crypto map GRE_MAP local-address TokenRing0/0
> crypto map GRE_MAP 10 ipsec-isakmp
> set peer 148.8.46.6
> set transform-set GRE_SET
> match address 146
> !
> !
> interface Tunnel46
> ip address 148.8.200.4 255.255.255.0
> tunnel source 148.8.46.4
> tunnel destination 148.8.46.6
> crypto map GRE_MAP
> !
> interface TokenRing0/0
> ip address 148.8.46.4 255.255.255.192
> ipx network 46
> ring-speed 4
> crypto map GRE_MAP
> source-bridge 300 1 1000
>
>
> On R4, I get the following error messages:
> 14:19:33: %SEC-6-IPACCESSLOGRP: list 146 permitted gre 148.8.46.4 -> 148.8.46.6, 60 packets
> 14:19:33: IPSEC(encapsulate): invalid conn id 0
> 14:19:33: IPSEC(encapsulate): error in encapsulation crypto_ip_encrypt
> 14:20:33: IPSEC(encapsulate): invalid conn id 0
> 14:20:33: IPSEC(encapsulate): error in encapsulation crypto_ip_encrypt
>
>
> OSPF neighborship would never establish:
> R4#sh ip ospf nei
>
> Neighbor ID     Pri   State      Dead Time   Address        Interface
> 148.8.5.5         1   FULL/DR    00:01:53    148.8.245.5    Serial0/0
> 148.8.6.6         1   INIT/ -    00:00:31    148.8.200.6    Tunnel46
>
> Thanks,
>
> Minh
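
Added example (not part of either poster's message): the ACLs suggested in the reply are mirror images of each other, source and destination swapped, which is how the two IPsec peers agree on what traffic to protect. The sketch below checks that property offline for a pair of crypto ACLs. The function names and sample lines are constructed for illustration, and it assumes entries without port operators (ip, gre, esp and similar).

```python
import re

# Added example: function names and sample ACL lines are constructed for
# illustration and are not taken from either router's running config.
ACE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.+)$")

def _endpoint(tok):
    """Consume one address spec; return ((addr, wildcard), remaining tokens)."""
    if tok[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tok[1:]
    if tok[0] == "host":
        return (tok[1], "0.0.0.0"), tok[2:]
    return (tok[0], tok[1]), tok[2:]

def parse_ace(line):
    """Parse one extended-ACL entry into (action, protocol, source, destination)."""
    m = ACE.match(line.strip())
    if not m:
        raise ValueError("not an access-list entry: %r" % line)
    action, tok = m.group(2), m.group(3).split()
    # An extended entry names a protocol (ip, gre, esp, a number) before the
    # source. If the first token is already an address spec, it is missing.
    if tok[0] in ("host", "any") or "." in tok[0]:
        raise ValueError("protocol keyword missing: %r" % line)
    proto = tok[0]
    src, tok = _endpoint(tok[1:])
    dst, tok = _endpoint(tok)  # trailing options such as "log" are ignored
    return action, proto, src, dst

def is_mirror(local_line, peer_line):
    """True when the peer entry is the local one with source/destination swapped."""
    a, b = parse_ace(local_line), parse_ace(peer_line)
    return a[0] == b[0] and a[1] == b[1] and a[2] == b[3] and a[3] == b[2]

def unmirrored(local_acl, peer_acl):
    """Return local entries that have no mirror-image entry on the peer."""
    return [l for l in local_acl if not any(is_mirror(l, p) for p in peer_acl)]

# Constructed sample: per-router crypto ACLs in the style used in the thread.
R6 = ["access-list 146 permit gre host 148.8.46.6 host 148.8.46.4 log"]
R4 = ["access-list 146 permit gre host 148.8.46.4 host 148.8.46.6 log"]
R4_MISMATCH = ["access-list 146 permit ip host 148.8.46.4 host 148.8.46.6 log"]

if __name__ == "__main__":
    print("R6 vs R4:", unmirrored(R6, R4) or "mirrored")
    print("R6 vs mismatched R4:", unmirrored(R6, R4_MISMATCH))
```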