From: Ceeesko@aol.com
Date: Mon Jan 31 2005 - 04:23:51 GMT-3
Thank you Eugene for your response. There were actually a couple of things I
was not doing correctly. You were right about placing the crypto map on the
interface facing the other peer. I also had to apply the crypto map to the
tunnel interfaces for telnet traffic to work (*shrug*, didn't have to in order for
ping to work however). Something else I did wrong was not make gre the
interesting traffic. I got a bit of help from a friend. He gave me some pointers and
after almost 4 days, I've become a bit more educated. Thanks again --Jason
In a message dated 1/30/2005 7:26:13 AM Central Standard Time,
eward15@juno.com writes:
> For starters, unless I am looking at your config wrong, I think you may
> have placed the crypto maps on the wrong interfaces; the crypto map should be
> placed on the interface facing the other peer (external interface) as opposed
> to the interface facing the internal network.
>
> Eugene Ward
>
> -------------------------------------------------------------------------------------------------------
>
> Hello,
> I'm using 4 2500 series routers all running c2500-jk8os-l.122-1d.bin. I'm
> using r1 and r9 as telnet clients and r2 and r6 as the devices performing nat
> and providing ipsec through a gre tunnel. My goal is to nat traffic from r9 to
> r1 and telnet from r9 to r1 (telnet 91.1.1.1 /source-interface loopback 1)
> and have that traffic protected by ipsec (and vice versa). Everything
> communicates fine, nat works fine, but ipsec does not (no output when I debug
> crypto ipsec and send telnet traffic from r9 to r1 and show crypto ipsec sa
> looks pretty bleak). I have no experience configuring ipsec and I'm probably
> not explaining well, but I've provided the configs of the 4 routers in hopes
> someone will point out what I'm sure is an obvious mistake. I'm going to wipe
> the configs, go through my notes, do some more reading then try it again.
> Thanks for any help. --Jason
> ------------------------------------------------------
> hostname r1
> !
> interface Loopback1
> ip address 6.6.6.1 255.0.0.0
> !
> interface Ethernet0
> ip address 150.50.17.1 255.255.255.0
> !
> router eigrp 1
> network 150.50.0.0
> no auto-summary
> !
> ip route 90.1.1.1 255.255.255.255 150.50.17.2
> !
> line vty 0 4
> password cisco
> login
> ---------------------------------------------
> hostname r2
> !
> crypto isakmp policy 1
> authentication pre-share
> group 2
> crypto isakmp key cisco address 150.50.100.6
> !
> crypto ipsec transform-set sec-telnet esp-des esp-sha-hmac
> !
> crypto map secure-telnet 10 ipsec-isakmp
> set peer 150.50.100.6
> set transform-set sec-telnet
> set pfs group2
> match address 101
> !
> interface Loopback91
> ip address 91.1.1.1 255.255.255.255
> !
> interface Loopback666
> description tunnel source
> ip address 66.66.66.62 255.255.255.255
> !
> interface Tunnel1
> ip address 1.1.1.1 255.0.0.0
> ip nat outside
> tunnel source Loopback666
> tunnel destination 66.66.66.66
> !
> interface Ethernet0
> description link to r1
> ip address 150.50.17.2 255.255.255.0
> ip nat inside
> crypto map secure-telnet
> !
> interface Serial0.256 multipoint
> description link to r6
> ip address 150.50.100.2 255.255.255.224
> frame-relay map ip 150.50.100.6 106 broadcast
> !
> router eigrp 1
> network 150.50.0.0
> no auto-summary
> !
> ip nat inside source static 6.6.6.1 91.1.1.1
> ip route 6.6.6.1 255.255.255.255 150.50.17.1
> ip route 66.66.66.66 255.255.255.255 150.50.100.6
> ip route 90.1.1.1 255.255.255.255 Tunnel1
> !
> access-list 101 permit tcp host 91.1.1.1 host 90.1.1.1 eq telnet
> ----------------------------------------------------------------
> hostname r6
> !
> crypto isakmp policy 1
> authentication pre-share
> group 2
> crypto isakmp key cisco address 150.50.100.2
> !
> crypto ipsec transform-set sec-telnet esp-des esp-sha-hmac
> !
> crypto map secure-telnet 10 ipsec-isakmp
> set peer 150.50.100.2
> set transform-set sec-telnet
> set pfs group2
> match address 101
> !
> interface Loopback90
> ip address 90.1.1.1 255.255.255.255
> !
> interface Loopback666
> description tunnel source
> ip address 66.66.66.66 255.255.255.255
> !
> interface Tunnel1
> ip address 1.1.1.2 255.0.0.0
> ip nat outside
> tunnel source Loopback666
> tunnel destination 66.66.66.62
> !
> interface Serial0
> description link to r2
> ip address 150.50.100.6 255.255.255.224
> encapsulation frame-relay
> frame-relay map ip 150.50.100.6 601
> frame-relay lmi-type cisco
> !
> interface Serial1
> description link to r9
> ip address 150.50.6.6 255.255.255.128
> ip nat inside
> clockrate 64000
> crypto map secure-telnet
> !
> router eigrp 1
> network 150.50.0.0
> auto-summary
> !
> ip nat inside source static 6.6.6.9 90.1.1.1
> ip route 6.6.6.9 255.255.255.255 Serial1
> ip route 66.66.66.62 255.255.255.255 150.50.100.2
> ip route 91.1.1.1 255.255.255.255 Tunnel1
> !
> access-list 101 permit tcp host 90.1.1.1 host 91.1.1.1 eq telnet
> ----------------------------------------------------------------
> hostname r9
> !
> interface Loopback1
> ip address 6.6.6.9 255.0.0.0
> !
> interface Serial0
> description link to r6
> ip address 150.50.6.9 255.255.255.224
> !
> router eigrp 1
> network 150.50.0.0
> no auto-summary
> !
> ip route 91.1.1.1 255.255.255.255 150.50.6.6
> !
> line vty 0 4
> password cisco
> login
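Putting the three corrections from the reply together (crypto map on the interface facing the other peer rather than the inside interface, crypto map also applied to the tunnel interface, and GRE between the tunnel endpoints as the interesting traffic), this is what the relevant part of r2 would look like. This is an added illustration built from the addresses in the posted configs, not Jason's final config; it assumes r6 is configured as the mirror image (crypto map on Serial0 and Tunnel1, ACL 101 permitting gre from 66.66.66.66 to 66.66.66.62).

```cisco
hostname r2
!
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key cisco address 150.50.100.6
!
crypto ipsec transform-set sec-telnet esp-des esp-sha-hmac
!
crypto map secure-telnet 10 ipsec-isakmp
 set peer 150.50.100.6
 set transform-set sec-telnet
 set pfs group2
 match address 101
!
interface Tunnel1
 ip address 1.1.1.1 255.0.0.0
 ip nat outside
 tunnel source Loopback666
 tunnel destination 66.66.66.66
 crypto map secure-telnet
!
interface Ethernet0
 description link to r1 (inside interface: no crypto map here)
 ip address 150.50.17.2 255.255.255.0
 ip nat inside
!
interface Serial0.256 multipoint
 description link to r6 (faces the IPsec peer: crypto map goes here)
 ip address 150.50.100.2 255.255.255.224
 frame-relay map ip 150.50.100.6 106 broadcast
 crypto map secure-telnet
!
! Interesting traffic is the GRE tunnel between the two loopback
! endpoints, not the inner telnet flow: the telnet session rides
! inside GRE and is protected along with it. The old ACL matching
! tcp host 91.1.1.1 host 90.1.1.1 eq telnet never saw the packets
! on the outside interface, which is why debug crypto ipsec was silent.
access-list 101 permit gre host 66.66.66.62 host 66.66.66.66
```

With this in place, `show crypto isakmp sa` should show a QM_IDLE SA with 150.50.100.6 and `show crypto ipsec sa` should show encap/decap counters increasing when telnet traffic crosses the tunnel.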
This archive was generated by hypermail 2.1.4 : Wed Feb 02 2005 - 22:10:27 GMT-3