From: Jens Petter Eikeland (jenseike@start.no)
Date: Wed Sep 14 2005 - 05:02:50 GMT-3
Hi ,
Your config looks good to me. Could you perhaps debug this and past that in
to me.
If you debug : isakmp, ipsec and the engine that would be great.
By the way... try remove the crypto map from the tunnel interface. You do
not need to have this on the tunnel interface if you have a fearly new ios
image (after 12.2T). In fact cisco say that you should not set this on the
tunnel..
It can be that since you have the crypto map also on the runnel that it trys
to send the ipsec packets over the tunnel also...
Jens Petter Eikeland
-----Opprinnelig melding-----
Fra: nobody@groupstudy.com [mailto:nobody@groupstudy.com] Pe vegne av Helena
Qiu
Sendt: 14. september 2005 06:03
Til: ccielab@groupstudy.com
Emne: could i configure GRE and ipsec turnnel to different peers under a
same interface?
Dear all,
I am going to configure 2 VPN tunnels to different peers under the same
interface. These 2 peers belongs to 2 different companies. One is pure ipsec
tunnel. Another one is GRE tunnel, because we need to run dynamic routing
protocols.
With my configuration, we had no problem to bring up the GRE tunnel. But for
the ipsec, it failed. I couldn't access the remote peer, because it belongs
to another company. When i showed crypto isa sa, the sa was right there. But
when i showed crypto ipsec sa, it showed #pkts decaps: 8, #pkts decrypt: 8,
#pkts verify 8, but #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0. It
supposedly the configuration in the other site is correct, otherwise i
wouldn't get any packets to decrypt and decaps.
But when i showed access-list 102, there were a lot of matches there. I
tried to debug crypto ipsec, but nothing was coming up.
Do you have any idea about this? Appreciate for your help. Thanks.
Here is my configuration:
crypto isakmp policy 10
authentication pre-share
group 2
!
crypto isakmp policy 20
hash md5
authentication pre-share
crypto isakmp key key1 address 1.1.1.1
crypto isakmp key key2 address 2.2.2.2
!
!
crypto ipsec transform-set vpn1 esp-des esp-sha-hmac
crypto ipsec transform-set vpn2 esp-des esp-md5-hmac
!
crypto map GRE 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set vpn1
match address 102
crypto map GRE 70 ipsec-isakmp
set peer 2.2.2.2
set transform-set vpn2
match address 103
!
!
!
interface Tunnel1
ip address 10.161.7.234 255.255.255.252
ip mtu 1360
ip ospf cost 100
tunnel source Serial1/0
tunnel destination 1.1.1.1
crypto map GRE
!
!
interface FastEthernet0/0
ip address 10.1.0.1 255.255.255.0
!
interface Serial1/0
ip address 3.3.3.1 255.255.255.252
crypto map GRE
!
router ospf 1
log-adjacency-changes
network 10.161.7.232 0.0.0.3 area 3
access-list 102 permit gre host 3.3.3.1 host 1.1.1.1
access-list 103 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
---------------------------------
Find your next car at Yahoo! Canada Autos
This archive was generated by hypermail 2.1.4 : Sun Oct 02 2005 - 14:40:15 GMT-3