RE: VPN GRE Tunnel with crypto map problem

From: Rocco R21 (roccor21@hotmail.com)
Date: Wed May 09 2007 - 16:45:49 ART


Try using the crypto map only on the physical interfaces where the
traffic will traverse (i.e. Ethernet or serial). Remove it from your loopbacks
and tunnels if your IOS is 12.2(13)T or later. The named access-list
'VPN' will define what you want to encrypt, in this case only between the
loopbacks. Your crypto policy should get a match and your ACLs
are mirrored, so you should be fine there. Also, you may want to consider
going with a smaller ip mtu on the tunnels to account for the GRE/IPSec
header info.

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_field_notice09186a0080697964.shtml

HTH,

rr

  --------------------------------------------------------------------

  From: Sydney Hawke <sydneyhawke@yahoo.com>
  Reply-To: Sydney Hawke <sydneyhawke@yahoo.com>
  To: ccielab@groupstudy.com
  Subject: VPN GRE Tunnel with crypto map problem
  Date: Wed, 9 May 2007 12:04:36 -0700 (PDT)
>Hi,
>
>I have been testing this a lot and I just cannot get it to work
>(encrypt). Is there anyone who is a better security person than I am
>that can help?
>
>I appreciate your help in this.
>
>All networks advertised in OSPF
>
>ROUTER 4
>interface Tunnel46
> ip address 46.46.46.4 255.255.255.0
> tunnel source 4.4.4.4
> tunnel destination 6.6.6.6
> crypto map CRYPTOMAP - Is it needed here or just on the source
> interface, i.e. the loopback?
>!
>interface Loopback0
> ip address 4.4.4.4 255.255.255.0
> crypto map CRYPTOMAP
>
>ip access-list extended VPN
>permit gre host 4.4.4.4 host 6.6.6.6
>
>crypto isakmp policy 1
> encr 3des
> authentication pre-share
> group 2
>
>crypto isakmp key CISCO address 6.6.6.6
>
>crypto ipsec transform-set TRANSFORM esp-3des esp-sha-hmac
>
>crypto map CRYPTOMAP 1 ipsec-isakmp
> set peer 6.6.6.6
> set transform-set TRANSFORM
> match address VPN
>++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>ROUTER 6
>interface Tunnel46
> ip address 46.46.46.6 255.255.255.0
> tunnel source 6.6.6.6
> tunnel destination 4.4.4.4
> crypto map CRYPTOMAP - Is it needed here or just on the source
> interface, i.e. the loopback?
>
>interface Loopback0
> ip address 6.6.6.6 255.255.255.0
> crypto map CRYPTOMAP
>
>ip access-list extended VPN
>permit gre host 6.6.6.6 host 4.4.4.4
>
>crypto isakmp policy 1
> encr 3des
> authentication pre-share
> group 2
>
>crypto isakmp key CISCO address 4.4.4.4
>
>crypto ipsec transform-set TRANSFORM esp-3des esp-sha-hmac
>
>crypto map CRYPTOMAP 1 ipsec-isakmp
> set peer 4.4.4.4
> set transform-set TRANSFORM
> match address VPN
>
>
>Best Regards,
>
>Sydney
>
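Two of the points in the reply above, the mirrored crypto ACLs and the GRE/IPsec header overhead behind the advice to lower the tunnel ip mtu, worked through in Python as an added example (not part of the thread). The ACL excerpts are copied from the posted configs; the ESP sizing assumes tunnel mode with 3DES-CBC and SHA-1 HMAC as in the posted transform set, and a GRE header without key or sequence options.

```python
import re

# Crypto ACL excerpts as posted for ROUTER 4 and ROUTER 6.
R4_ACL = """
ip access-list extended VPN
 permit gre host 4.4.4.4 host 6.6.6.6
"""
R6_ACL = """
ip access-list extended VPN
 permit gre host 6.6.6.6 host 4.4.4.4
"""

ACE_RE = re.compile(r"^\s*permit\s+(\S+)\s+host\s+(\S+)\s+host\s+(\S+)\s*$", re.M)

def parse_aces(acl_text):
    """Return the set of (protocol, src, dst) host-to-host entries in a crypto ACL."""
    return {(p, s, d) for p, s, d in ACE_RE.findall(acl_text)}

def acls_mirrored(local_acl, remote_acl):
    """True when every local ACE appears on the peer with source and destination swapped."""
    mirrored = {(p, d, s) for p, s, d in parse_aces(local_acl)}
    return mirrored == parse_aces(remote_acl)

# Encapsulation overheads in bytes (assumed here, not stated in the thread).
GRE_OVERHEAD = 20 + 4                 # outer IPv4 header + GRE header without key/sequence
ESP_TUNNEL_FIXED = 20 + 8 + 8 + 12    # new IPv4 header + SPI/seq + 3DES IV + truncated SHA-1 ICV
ESP_BLOCK = 8                         # 3DES-CBC block size; payload + 2 trailer bytes padded to it

def esp_tunnel_size(gre_packet_len):
    """Bytes on the wire for a GRE packet protected by ESP tunnel mode (esp-3des esp-sha-hmac)."""
    body = gre_packet_len + 2                      # pad length + next header trailer bytes
    padded = -(-body // ESP_BLOCK) * ESP_BLOCK     # round up to the cipher block size
    return ESP_TUNNEL_FIXED + padded

def wire_size(tunnel_ip_mtu):
    """Bytes sent on the physical interface for a full-size packet leaving the tunnel."""
    return esp_tunnel_size(tunnel_ip_mtu + GRE_OVERHEAD)

def fits_link(tunnel_ip_mtu, link_mtu=1500):
    """Does a full-size tunnel packet leave the link without post-encryption fragmentation?"""
    return wire_size(tunnel_ip_mtu) <= link_mtu

def largest_tunnel_mtu(link_mtu=1500):
    """Largest tunnel 'ip mtu' whose GRE+ESP packets still fit the physical link."""
    mtu = link_mtu
    while not fits_link(mtu, link_mtu):
        mtu -= 1
    return mtu
```

With the default GRE tunnel MTU of 1476 the encrypted packet is 1552 bytes and gets fragmented on a 1500-byte link, while an ip mtu of 1400 yields 1480 bytes and fits.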



This archive was generated by hypermail 2.1.4 : Fri Jun 01 2007 - 06:55:20 ART