Could I configure GRE and ipsec tunnels to different peers

From: Helena Qiu (ccie_helena@yahoo.ca)
Date: Wed Sep 14 2005 - 01:02:51 GMT-3


Dear all,
 
I am going to configure 2 VPN tunnels to different peers under the same interface. These 2 peers belong to 2 different companies. One is a pure ipsec tunnel. The other one is a GRE tunnel, because we need to run dynamic routing protocols.
 
With my configuration, we had no problem bringing up the GRE tunnel. But for the ipsec, it failed. I couldn't access the remote peer, because it belongs to another company. When I showed crypto isa sa, the sa was right there. But when I showed crypto ipsec sa, it showed #pkts decaps: 8, #pkts decrypt: 8, #pkts verify 8, but #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0. Supposedly the configuration at the other site is correct, otherwise I wouldn't get any packets to decrypt and decaps.
 
But when I showed access-list 102, there were a lot of matches there. I tried to debug crypto ipsec, but nothing was coming up.
 
Do you have any idea about this? I appreciate your help. Thanks.
 
Here is my configuration:
crypto isakmp policy 10
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 hash md5
 authentication pre-share
crypto isakmp key key1 address 1.1.1.1
crypto isakmp key key2 address 2.2.2.2
!
!
crypto ipsec transform-set vpn1 esp-des esp-sha-hmac
crypto ipsec transform-set vpn2 esp-des esp-md5-hmac
!
crypto map GRE 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set vpn1
 match address 102
crypto map GRE 70 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set vpn2
 match address 103
!
!
!
interface Tunnel1
 ip address 10.161.7.234 255.255.255.252
 ip mtu 1360
 ip ospf cost 100
 tunnel source Serial1/0
 tunnel destination 1.1.1.1
 crypto map GRE
!
!
interface FastEthernet0/0
 ip address 10.1.0.1 255.255.255.0
 
!
interface Serial1/0
 ip address 3.3.3.1 255.255.255.252
 crypto map GRE
!
router ospf 1
 log-adjacency-changes
 network 10.161.7.232 0.0.0.3 area 3
 
access-list 102 permit gre host 3.3.3.1 host 1.1.1.1
access-list 103 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
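
An added example, not part of the original post: a Python check that reads "show crypto ipsec sa" counters per peer and flags SAs that carry traffic in only one direction, which is the symptom described above (decaps 8, encaps 0). The sample output is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample laid out like IOS "show crypto ipsec sa" output.
# The 2.2.2.2 counters mirror the values quoted in the post; the rest are made up.
SAMPLE = """\
interface: Serial1/0
    Crypto map tag: GRE, local addr. 3.3.3.1

   current_peer: 1.1.1.1
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest 120
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify 118

   current_peer: 2.2.2.2
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 8, #pkts decrypt: 8, #pkts verify 8
"""

PEER_RE = re.compile(r"current_peer:?\s+(\d+\.\d+\.\d+\.\d+)")
COUNTER_RE = re.compile(r"#pkts (\w+):?\s+(\d+)")


def parse_sa_counters(text):
    """Return {peer: {counter: total}}, summed over every SA listed for a peer."""
    peers, current = {}, None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            current = peers.setdefault(m.group(1), {})
            continue
        if current is None:
            continue  # counters before any peer line are ignored
        for name, value in COUNTER_RE.findall(line):
            current[name] = current.get(name, 0) + int(value)
    return peers


def one_way_peers(peers):
    """Classify peers whose SAs show traffic in a single direction only."""
    findings = {}
    for peer, c in peers.items():
        enc, dec = c.get("encaps", 0), c.get("decaps", 0)
        if dec > 0 and enc == 0:
            findings[peer] = "inbound-only"   # remote encrypts, local never does
        elif enc > 0 and dec == 0:
            findings[peer] = "outbound-only"  # local encrypts, nothing returns
    return findings


if __name__ == "__main__":
    for peer, state in one_way_peers(parse_sa_counters(SAMPLE)).items():
        print(f"{peer}: {state}")
```

An "inbound-only" result means the local router is decrypting the peer's packets but is not selecting any outbound traffic for encryption toward that peer.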

 




This archive was generated by hypermail 2.1.4 : Sun Oct 02 2005 - 14:40:15 GMT-3