RE: Applying crypto maps -- Tunnel, Physical or both?

From: Fabrice Bobes (study@6colabs.com)
Date: Fri Jun 13 2003 - 01:50:01 GMT-3


Hi Joseph,

I played with GRE and IPSec and I agree that you need to apply the
crypto map on the physical interface as well. I assumed it was not
needed anymore on newest releases like 12.2T but well, it worked only
when I applied on both (Tunnel and Physical). Lesson of the day: never
assume anything ;-)

Thanks,

Fabrice

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Biondino, Joseph
Sent: Thursday, June 12, 2003 5:48 PM
To: Fabrice Bobes; Leo Seto; Todd Carswell; ccielab@groupstudy.com
Subject: RE: Applying crypto maps -- Tunnel, Physical or both?

Hi;

I disagree; When running IPSEC with GRE you encrypt GRE traffic running
over the Physical interface, thus you need to apply the crypto map to the
physical interface.

Kind regards,

Joseph Biondino
Network Specialist
UNISYS
Network Command Centre

115 - 117 Wicks Rd
North Ryde NSW 2113
Phone: 02 9857 3149
Group: 02 9390 1107
Fax: 02 9857 3122

 -----Original Message-----
From: Fabrice Bobes [mailto:study@6colabs.com]
Sent: Friday, 13 June 2003 8:46 AM
To: Leo Seto; Todd Carswell; ccielab@groupstudy.com
Subject: RE: Applying crypto maps -- Tunnel, Physical or both?

(Sorry if it's a duplicate but I don't think this message went through
the first time.)

Todd and Leo,

My understanding is that you should apply it to the Tunnel interface
only but it doesn't hurt to apply it also on the physical interface.
On older releases, you needed to apply the crypto map on both the Tunnel
interface and the physical interface.
I don't see the point of applying the crypto map on the loopback
interface, traffic is not flowing through it. Maybe I am missing
something here.
In other words you should have something like:

Crypto map vpn local-address lo0
Int lo0
 Ip add x.x.x.x 255.255.255.0
Int e0
 Ip add y.y.y.y 255.255.255.0
Int tu0
 Ip add z.z.z.z 255.255.255.0
 Crypto map vpn

Thanks,

Fabrice
http://www.6colabs.com

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Leo Seto
Sent: Thursday, June 12, 2003 12:32 PM
To: Todd Carswell; ccielab@groupstudy.com
Subject: RE: Applying crypto maps -- Tunnel, Physical or both?

put it on the tunnel and loopback. Then you might try a:

crypto map [MYMAP] local-address [loopbackX]

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/secur_r/sec_c2g.htm#1073947

HTH

-Leo

CCIE #11664

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Todd Carswell
Sent: Thursday, June 12, 2003 8:54 AM
To: ccielab@groupstudy.com
Subject: Applying crypto maps -- Tunnel, Physical or both?

I've got a basic VPN config w/ GRE tunnels. My tunnel source is loo0 on
both ends of the VPN. Where should I apply my crypto map? The tunnel,
the loopback, or the physical interface? All three???

Thx

Todd
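
The configuration the thread converges on, written out for one end of the VPN as an added example (not taken from any poster's router): GRE sourced from Loopback0, the crypto map bound to the loopback with local-address, and the map applied on both the tunnel and the physical interface as Fabrice reports was needed. The addresses (documentation ranges), the names TS and 101, the policy number and the key placeholder are assumptions.

```cisco
! Added example. All addresses, names and the key placeholder are constructed.
! IKE phase 1 policy with a pre-shared key for the remote loopback
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <PRESHARED_KEY> address 192.0.2.2
!
! GRE is already a tunnel, so ESP can run in transport mode
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode transport
!
! Source IKE/IPsec from the loopback, the same address the tunnel uses
crypto map vpn local-address Loopback0
crypto map vpn 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS
 match address 101
!
! Encrypt only the GRE packets between the two tunnel endpoints
access-list 101 permit gre host 192.0.2.1 host 192.0.2.2
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
! Physical interface: the GRE packets actually leave the router here
interface Ethernet0
 ip address 198.51.100.1 255.255.255.0
 crypto map vpn
!
! Tunnel interface: also carries the map, per the result reported in the thread
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.0.2.2
 crypto map vpn
```

After traffic crosses the tunnel, `show crypto ipsec sa` should show the encaps and decaps counters increasing for the GRE flow between the two loopbacks; counters stuck at zero mean the GRE packets are leaving unencrypted or not matching access-list 101.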



This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:10:57 GMT-3