RE: Applying crypto maps -- Tunnel, Physical or both?

From: ZaferP@koc.net
Date: Fri Jun 13 2003 - 09:38:43 GMT-3


I think this worked because you have given the tunnel IP addresses as source and destination in transform set. I bet you would need to add the crypto map to the S0 if you have used the source and destination as the serial interface IPs in the crypto map.

If you have done it the other way around you would have to match the gre traffic in your access-list rather than the actual IP traffic on both ends of the tunnel.

Can anyone tell which method is better under which circumstances?

Zafer

-----Original Message-----
From: Daniel Cisco Group Study [mailto:danielcgs@imc.net.au]
Sent: Friday, June 13, 2003 1:47 PM
To: Fabrice Bobes; Biondino, Joseph; Leo Seto; Todd Carswell; ccielab@groupstudy.com
Subject: RE: Applying crypto maps -- Tunnel, Physical or both?

Have a look at this config.... It works on my routers.... Crypto maps only on the tunnel interfaces.......

Daniel

E0-R14---IP CLOUD---R13-E0

R14#s
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 34.34.34.13
!
!
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
!
crypto map MYMAP local-address Tunnel0
crypto map MYMAP 10 ipsec-isakmp
 set peer 34.34.34.13
 set transform-set MYSET
 match address 103
!
!
interface Ethernet0
 ip address 192.168.6.1 255.255.255.0
!
interface Tunnel0
 ip address 34.34.34.14 255.255.255.0
 tunnel source 150.100.32.10
 tunnel destination 137.20.20.13
 crypto map MYMAP
!
interface Serial0
 ip address 150.100.32.10 255.255.224.0
!
interface Serial1
 no ip address
 shutdown
!
router rip
 version 2
 timers basic 5 15 15 20
 network 34.0.0.0
 network 192.168.6.0
 no auto-summary
!
access-list 103 permit ip 192.168.6.0 0.0.0.255 192.168.13.0 0.0.0.255

R13#s
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 34.34.34.14
!
!
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
!
crypto map MYMAP local-address Tunnel0
crypto map MYMAP 10 ipsec-isakmp
 set peer 34.34.34.14
 set transform-set MYSET
 match address 103
!
!
!
!
!
!
interface Ethernet0
 ip address 192.168.13.1 255.255.255.0
!
interface Tunnel0
 ip address 34.34.34.13 255.255.255.0
 tunnel source 137.20.20.13
 tunnel destination 150.100.32.10
 crypto map MYMAP
!
interface Serial0
 ip address 137.20.20.13 255.255.255.0
!
router rip
 version 2
 timers basic 5 15 15 20
 network 34.0.0.0
 network 192.168.13.0
 no auto-summary
!
access-list 103 permit ip 192.168.13.0 0.0.0.255 192.168.6.0 0.0.0.255
!

-----Original Message-----
From: Fabrice Bobes [mailto:study@6colabs.com]
Sent: Friday, 13 June 2003 14:50
To: 'Biondino, Joseph'; 'Leo Seto'; 'Todd Carswell'; ccielab@groupstudy.com
Subject: RE: Applying crypto maps -- Tunnel, Physical or both?

Hi Joseph,

I played with GRE and IPSec and I agree that you need to apply the crypto map on the physical interface as well. I assumed it was not needed anymore on newest releases like 12.2T but well, it worked only when I applied on both (Tunnel and Physical). Lesson of the day: never assume anything ;-)

Thanks,

Fabrice

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Biondino, Joseph
Sent: Thursday, June 12, 2003 5:48 PM
To: Fabrice Bobes; Leo Seto; Todd Carswell; ccielab@groupstudy.com
Subject: RE: Applying crypto maps -- Tunnel, Physical or both?

Hi;

I disagree; When running IPSEC with GRE you encrypt GRE traffic running over the Physical interface, thus you need to apply the crypto map to the physical interface.

Kind regards,

Joseph Biondino
Network Specialist
UNISYS
Network Command Centre

115 - 117 Wicks Rd
North Ryde NSW 2113
Phone: 02 9857 3149
Group: 02 9390 1107
Fax: 02 9857 3122

-----Original Message-----
From: Fabrice Bobes [mailto:study@6colabs.com]
Sent: Friday, 13 June 2003 8:46 AM
To: Leo Seto; Todd Carswell; ccielab@groupstudy.com
Subject: RE: Applying crypto maps -- Tunnel, Physical or both?

(Sorry if it's a duplicate but I don't think this message went through the first time.)

Todd and Leo,

My understanding is that you should apply it to the Tunnel interface only but it doesn't hurt to apply it also on the physical interface. On older releases, you needed to apply the crypto map on both the Tunnel interface and the physical interface. I don't see the point of applying the crypto map on the loopback interface, traffic is not flowing through it. Maybe I am missing something here. In other words you should have something like:

crypto map vpn local-address lo0
int lo0
 ip add x.x.x.x 255.255.255.0
int e0
 ip add y.y.y.y 255.255.255.0
int tu0
 ip add z.z.z.z 255.255.255.0
 crypto map vpn

Thanks,

Fabrice
http://www.6colabs.com

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Leo Seto
Sent: Thursday, June 12, 2003 12:32 PM
To: Todd Carswell; ccielab@groupstudy.com
Subject: RE: Applying crypto maps -- Tunnel, Physical or both?

put it on the tunnel and loopback. Then you might try a:

crypto map [MYMAP] local-address [loopbackX]

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/secur_r/sec_c2g.htm#1073947

HTH

-Leo

CCIE #11664

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Todd Carswell
Sent: Thursday, June 12, 2003 8:54 AM
To: ccielab@groupstudy.com
Subject: Applying crypto maps -- Tunnel, Physical or both?

I've got a basic VPN config w/ GRE tunnels. My tunnel source is loo0 on both ends of the VPN. Where should I apply my crypto map? The tunnel, the loopback, or the physical interface? All three???

Thx

Todd

This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:10:58 GMT-3