From: Tasuka Amano Hsu (tasuka@mac.com)
Date: Mon Mar 17 2003 - 05:29:48 GMT-3
Here is my GRE tunnel over IPSec configuration, and it works, but did I put too much in the access-list, or use too many commands to do it? I tried the IP-IP tunnel mode and the GRE-IP mode with the same config. If I did not put the crypto map on interface Tunnel0, I got an error saying protocol type 47 is not encapsulated with IPSec.
Could somebody share yours?
R1 and R2 are connected directly via Ethernet.
Best Regards
Tasuka
!
hostname R1
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key cisco address 172.16.100.174
!
!
crypto ipsec transform-set IPform1 ah-md5-hmac
crypto ipsec transform-set IPform2 esp-des
!
crypto map IPSEC 10 ipsec-isakmp
set peer 172.16.100.174
set transform-set IPform2 IPform1
set pfs group1
match address 101
!
interface Tunnel0
ip address 172.16.11.1 255.255.255.0
tunnel source 172.16.100.253
tunnel destination 172.16.100.174
tunnel sequence-datagrams
tunnel checksum
tunnel path-mtu-discovery
crypto map IPSEC
!
interface Ethernet0
ip address 172.16.100.253 255.255.255.0
no ip route-cache
no ip mroute-cache
crypto map IPSEC
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.100.174
no ip http server
!
access-list 101 deny ahp any any
access-list 101 deny esp any any
access-list 101 permit gre host 172.16.100.253 host 172.16.100.174
access-list 101 permit ip host 172.16.100.253 host 172.16.100.174
!
!
hostname R2
!
enable password cisco
!
ip subnet-zero
ip tcp synwait-time 5
no ip domain-lookup
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key cisco address 172.16.100.253
!
!
crypto ipsec transform-set IPform1 ah-md5-hmac
crypto ipsec transform-set IPform2 esp-des
!
crypto map IPSS 10 ipsec-isakmp
set peer 172.16.100.253
set transform-set IPform2 IPform1
set pfs group1
match address 101
!
interface Tunnel0
ip address 172.16.11.2 255.255.255.0
tunnel source 172.16.100.174
tunnel destination 172.16.100.253
tunnel sequence-datagrams
tunnel checksum
tunnel path-mtu-discovery
crypto map IPSS
!
interface Ethernet0
ip address 172.16.100.174 255.255.255.0
no ip route-cache
no ip mroute-cache
crypto map IPSS
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.100.253
no ip http server
!
access-list 101 deny ahp any any
access-list 101 deny esp any any
access-list 101 permit gre host 172.16.100.174 host 172.16.100.253
access-list 101 permit ip host 172.16.100.174 host 172.16.100.253
!
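The question above is whether the crypto access-list carries more entries than it needs. The following is an added example, not part of the post, that parses the R1 and R2 access-lists quoted above (constructed here as string literals), checks that each side's entries are the mirror image of the peer's (a common cause of IPsec SA negotiation failures), and lists entries that a later or earlier same-action entry already covers. It only understands the "host X" and "any" address forms used in the post, and the coverage logic is this example's own, not an IOS feature.

```python
import re
from dataclasses import dataclass

# Constructed sample: the R1 and R2 crypto ACLs from the post above.
R1_ACL = """access-list 101 deny ahp any any
access-list 101 deny esp any any
access-list 101 permit gre host 172.16.100.253 host 172.16.100.174
access-list 101 permit ip host 172.16.100.253 host 172.16.100.174"""
R2_ACL = """access-list 101 deny ahp any any
access-list 101 deny esp any any
access-list 101 permit gre host 172.16.100.174 host 172.16.100.253
access-list 101 permit ip host 172.16.100.174 host 172.16.100.253"""
# Only the "host X" and "any" address forms used in the post are parsed.
ACE_RE = re.compile(r"^access-list \d+ (permit|deny) (\S+) (?:host (\S+)|(any)) (?:host (\S+)|(any))$")

@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: str
    dst: str

    def mirrored(self):
        return Ace(self.action, self.proto, self.dst, self.src)

    def covers(self, other):
        """True if every packet matching `other` also matches this entry."""
        return (self.action == other.action and self.proto in ("ip", other.proto)
                and self.src in ("any", other.src) and self.dst in ("any", other.dst))

def parse_acl(text):
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(" ".join(line.split()))  # normalise whitespace
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line!r}")
        action, proto, sh, sa, dh, da = m.groups()
        aces.append(Ace(action, proto, sh or sa, dh or da))
    return aces

def mirror_mismatches(local, peer):
    """Entries on either side whose mirror image is missing on the other side."""
    return ([a for a in local if a.mirrored() not in set(peer)],
            [a for a in peer if a.mirrored() not in set(local)])

def removable_entries(aces):
    """Entries whose removal leaves every packet matched with the same action:
    an earlier covering entry already wins; a later one does only if no
    opposite-action entry sits between the two."""
    out = []
    for i, x in enumerate(aces):
        for j, y in enumerate(aces):
            if i != j and y.covers(x) and (j < i or all(b.action == x.action for b in aces[i + 1:j])):
                out.append(x)
                break
    return out
```

On the posted ACLs the two sides mirror cleanly, and the `permit gre host ... host ...` line is reported as removable because the following `permit ip host ... host ...` line already selects the same GRE traffic.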
This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:41 GMT-3