From: LeFort, Claude (Design) (Claude.Lefort@aliant.ca)
Date: Wed Sep 14 2005 - 08:15:25 GMT-3
Is your LAN to LAN traffic bypassing NAT? You mentioned that
access-list 102 is showing hits, but did you mean access-list 103?
My personal experience with building tunnels to an external partner has
rarely been good. May I suggest that you request the following commands
if connecting to another Cisco router. Ask them to remove items that
they don't want you to see, if they hesitate.
show crypto isakmp policy
show crypto isakmp key
show crypto map
Claude
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Helena Qiu
Sent: Wednesday, September 14, 2005 1:03 AM
To: ccielab@groupstudy.com
Subject: could I configure GRE and ipsec tunnel to different peers
under a same interface?
Dear all,
I am going to configure 2 VPN tunnels to different peers under the same
interface. These 2 peers belong to 2 different companies. One is a pure
IPsec tunnel. The other one is a GRE tunnel, because we need to run dynamic
routing protocols.
With my configuration, we had no problem bringing up the GRE tunnel. But
the IPsec one failed. I couldn't access the remote peer, because it
belongs to another company. When I ran show crypto isa sa, the SA was
right there. But when I ran show crypto ipsec sa, it showed #pkts decaps:
8, #pkts decrypt: 8, #pkts verify 8, but #pkts encaps: 0, #pkts encrypt:
0, #pkts digest 0. Supposedly the configuration at the other site is
correct, otherwise I wouldn't get any packets to decrypt and decaps.
But when I ran show access-list 102, there were a lot of matches there. I
tried debug crypto ipsec, but nothing came up.
Do you have any idea about this? I appreciate your help. Thanks.
Here is my configuration:
crypto isakmp policy 10
authentication pre-share
group 2
!
crypto isakmp policy 20
hash md5
authentication pre-share
crypto isakmp key key1 address 1.1.1.1
crypto isakmp key key2 address 2.2.2.2
!
!
crypto ipsec transform-set vpn1 esp-des esp-sha-hmac
crypto ipsec transform-set vpn2 esp-des esp-md5-hmac
!
crypto map GRE 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set vpn1
match address 102
crypto map GRE 70 ipsec-isakmp
set peer 2.2.2.2
set transform-set vpn2
match address 103
!
!
!
interface Tunnel1
ip address 10.161.7.234 255.255.255.252
ip mtu 1360
ip ospf cost 100
tunnel source Serial1/0
tunnel destination 1.1.1.1
crypto map GRE
!
!
interface FastEthernet0/0
ip address 10.1.0.1 255.255.255.0
!
interface Serial1/0
ip address 3.3.3.1 255.255.255.252
crypto map GRE
!
router ospf 1
log-adjacency-changes
network 10.161.7.232 0.0.0.3 area 3
access-list 102 permit gre host 3.3.3.1 host 1.1.1.1
access-list 103 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
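
Added example, not part of the original thread: a small Python check that reads `show crypto ipsec sa` text and flags a peer whose SA only decapsulates, the symptom reported above for 2.2.2.2. The `current_peer` lines, the 1.1.1.1 counter values, and the function names are assumptions made for the example.

```python
import re

# Constructed sample: counter lines follow the output quoted in the thread;
# the current_peer lines and the 1.1.1.1 values are assumed for illustration.
SAMPLE = """\
current_peer: 2.2.2.2
 #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
 #pkts decaps: 8, #pkts decrypt: 8, #pkts verify 8
current_peer: 1.1.1.1
 #pkts encaps: 120, #pkts encrypt: 120, #pkts digest 120
 #pkts decaps: 118, #pkts decrypt: 118, #pkts verify 118
"""

PEER = re.compile(r"current_peer:?\s+(\d+\.\d+\.\d+\.\d+)")
COUNTER = re.compile(r"#pkts (\w+):?\s+(\d+)")  # "digest 0" has no colon

HINTS = {
    "inbound-only": "peer encrypts to us, nothing goes back: check hits on "
                    "this peer's crypto ACL and whether the traffic bypasses NAT",
    "outbound-only": "we encrypt, nothing returns: ask the peer for their "
                     "crypto map and ISAKMP policy output",
    "idle": "no traffic in either direction on this SA",
    "bidirectional": "traffic flows both ways",
}

def parse_sa_counters(text):
    """Return {peer: {counter: total}}, summing all SAs listed for a peer."""
    peers, current = {}, None
    for line in text.splitlines():
        m = PEER.search(line)
        if m:
            current = peers.setdefault(m.group(1), {})
        elif current is not None:
            for name, value in COUNTER.findall(line):
                current[name] = current.get(name, 0) + int(value)
    return peers

def diagnose(counters):
    """Classify one peer by comparing outbound encaps with inbound decaps."""
    enc, dec = counters.get("encaps", 0), counters.get("decaps", 0)
    if enc == 0 and dec == 0:
        return "idle"
    if enc == 0:
        return "inbound-only"
    return "outbound-only" if dec == 0 else "bidirectional"

def report(text):
    return {peer: diagnose(c) for peer, c in parse_sa_counters(text).items()}

if __name__ == "__main__":
    for peer, state in report(SAMPLE).items():
        print(f"{peer}: {state} ({HINTS[state]})")
```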
This archive was generated by hypermail 2.1.4 : Sun Oct 02 2005 - 14:40:15 GMT-3