From: eward15@juno.com
Date: Sun Jan 30 2005 - 10:23:20 GMT-3
For starters, unless I am looking at your config wrong, I think you may have placed the crypto maps on the wrong interfaces; the crypto map should be placed on the interface facing the other peer (external interface) as opposed to the interface facing the internal network.
Eugene Ward
-------------------------------------------------------------------------------------------------------
Hello,
I'm using 4 2500 series routers all running c2500-jk8os-l.122-1d.bin. I'm using r1 and r9 as telnet clients and r2 and r6 as the devices performing NAT and providing IPsec through a GRE tunnel. My goal is to NAT traffic from r9 to r1 and telnet from r9 to r1 (telnet 91.1.1.1 /source-interface loopback 1) and have that traffic protected by IPsec (and vice versa). Everything communicates fine, NAT works fine, but IPsec does not (no output when I debug crypto ipsec and send telnet traffic from r9 to r1, and show crypto ipsec sa looks pretty bleak). I have no experience configuring IPsec and I'm probably not explaining well, but I've provided the configs of the 4 routers in hopes someone will point out what I'm sure is an obvious mistake. I'm going to wipe the configs, go through my notes, do some more reading, then try it again. Thanks for any help. --Jason
------------------------------------------------------
hostname r1
!
interface Loopback1
ip address 6.6.6.1 255.0.0.0
!
interface Ethernet0
ip address 150.50.17.1 255.255.255.0
!
router eigrp 1
network 150.50.0.0
no auto-summary
!
ip route 90.1.1.1 255.255.255.255 150.50.17.2
!
line vty 0 4
password cisco
login
---------------------------------------------
hostname r2
!
crypto isakmp policy 1
authentication pre-share
group 2
crypto isakmp key cisco address 150.50.100.6
!
crypto ipsec transform-set sec-telnet esp-des esp-sha-hmac
!
crypto map secure-telnet 10 ipsec-isakmp
set peer 150.50.100.6
set transform-set sec-telnet
set pfs group2
match address 101
!
interface Loopback91
ip address 91.1.1.1 255.255.255.255
!
interface Loopback666
description tunnel source
ip address 66.66.66.62 255.255.255.255
!
interface Tunnel1
ip address 1.1.1.1 255.0.0.0
ip nat outside
tunnel source Loopback666
tunnel destination 66.66.66.66
!
interface Ethernet0
description link to r1
ip address 150.50.17.2 255.255.255.0
ip nat inside
crypto map secure-telnet
!
interface Serial0.256 multipoint
description link to r6
ip address 150.50.100.2 255.255.255.224
frame-relay map ip 150.50.100.6 106 broadcast
!
router eigrp 1
network 150.50.0.0
no auto-summary
!
ip nat inside source static 6.6.6.1 91.1.1.1
ip route 6.6.6.1 255.255.255.255 150.50.17.1
ip route 66.66.66.66 255.255.255.255 150.50.100.6
ip route 90.1.1.1 255.255.255.255 Tunnel1
!
access-list 101 permit tcp host 91.1.1.1 host 90.1.1.1 eq telnet
----------------------------------------------------------------
hostname r6
!
crypto isakmp policy 1
authentication pre-share
group 2
crypto isakmp key cisco address 150.50.100.2
!
crypto ipsec transform-set sec-telnet esp-des esp-sha-hmac
!
crypto map secure-telnet 10 ipsec-isakmp
set peer 150.50.100.2
set transform-set sec-telnet
set pfs group2
match address 101
!
interface Loopback90
ip address 90.1.1.1 255.255.255.255
!
interface Loopback666
description tunnel source
ip address 66.66.66.66 255.255.255.255
!
interface Tunnel1
ip address 1.1.1.2 255.0.0.0
ip nat outside
tunnel source Loopback666
tunnel destination 66.66.66.62
!
interface Serial0
description link to r2
ip address 150.50.100.6 255.255.255.224
encapsulation frame-relay
frame-relay map ip 150.50.100.6 601
frame-relay lmi-type cisco
!
interface Serial1
description link to r9
ip address 150.50.6.6 255.255.255.128
ip nat inside
clockrate 64000
crypto map secure-telnet
!
router eigrp 1
network 150.50.0.0
auto-summary
!
ip nat inside source static 6.6.6.9 90.1.1.1
ip route 6.6.6.9 255.255.255.255 Serial1
ip route 66.66.66.62 255.255.255.255 150.50.100.2
ip route 91.1.1.1 255.255.255.255 Tunnel1
!
access-list 101 permit tcp host 90.1.1.1 host 91.1.1.1 eq telnet
----------------------------------------------------------------
hostname r9
!
interface Loopback1
ip address 6.6.6.9 255.0.0.0
!
interface Serial0
description link to r6
ip address 150.50.6.9 255.255.255.224
!
router eigrp 1
network 150.50.0.0
no auto-summary
!
ip route 91.1.1.1 255.255.255.255 150.50.6.6
!
line vty 0 4
password cisco
login
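A check that mechanises Eugene's point, as an added example (not code from the thread): it parses the crypto-map and interface lines of r2's config as posted (a constructed sample) and flags any interface carrying a crypto map whose `set peer` address is not on that interface's own subnet, naming the interfaces whose subnet does contain the peer. Matching the peer against the interface subnet is my own heuristic; it holds for directly connected peers such as this Frame Relay link.

```python
import ipaddress
import re

R2_CONFIG = """\
crypto map secure-telnet 10 ipsec-isakmp
set peer 150.50.100.6
!
interface Ethernet0
ip address 150.50.17.2 255.255.255.0
crypto map secure-telnet
!
interface Serial0.256 multipoint
ip address 150.50.100.2 255.255.255.224
"""  # constructed sample: r2's crypto map and interface lines from the post

def parse_ios(text):
    """Peer addresses per crypto map, and subnet plus applied map per interface."""
    peers, ifaces, section, cur = {}, {}, None, None
    for line in text.splitlines():
        line = line.strip()
        head = re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", line)
        iface = re.match(r"interface (\S+)", line)
        if line in ("", "!"):                    # '!' closes a config section
            section = cur = None
        elif head:
            section, cur = "map", head.group(1)
            peers.setdefault(cur, [])
        elif iface:
            section, cur = "iface", iface.group(1)
            ifaces[cur] = {"network": None, "crypto_map": None}
        elif section == "map" and line.startswith("set peer "):
            peers[cur].append(line.split()[2])
        elif section == "iface" and line.startswith("ip address "):
            ip, mask = line.split()[2:4]         # ipaddress accepts a dotted mask
            ifaces[cur]["network"] = ipaddress.ip_interface(f"{ip}/{mask}").network
        elif section == "iface" and line.startswith("crypto map "):
            ifaces[cur]["crypto_map"] = line.split()[2]
    return peers, ifaces

def check_crypto_map_placement(text):
    """(interface, map, peer, interfaces facing the peer) for each misplaced map."""
    peers, ifaces = parse_ios(text)
    findings = []
    for name, i in ifaces.items():
        for peer in peers.get(i["crypto_map"], []):
            p = ipaddress.ip_address(peer)
            if i["network"] is None or p not in i["network"]:
                facing = [n for n, j in ifaces.items() if j["network"] and p in j["network"]]
                findings.append((name, i["crypto_map"], peer, facing))
    return findings
```

Run against the sample it reports Ethernet0 as carrying the map while Serial0.256 is the interface on the peer's subnet; the same check on r6's config points at Serial1 versus Serial0.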