Funny behavior of IPSEC/GRE

From: ENVULADU TSAKU (tenvuladu@gmail.com)
Date: Fri Jul 25 2008 - 11:40:42 ART


Hi Experts,

I have a scenario for IPSEC over a GRE Tunnel.

lan1---------fa0/0 (R1) fa0/1-------GRE TUNNEL---------fa0/1 (R2) fa0/0----------lan2

The GRE tunnel is up and so is the IPsec tunnel. A ping from R1 with the source IP
of fa0/0 can reach R2 fa0/0.
But the issue is that a host on LAN1 cannot ping a host in LAN2. The config is
below:

*R1*

Building configuration...

Current configuration : 2496 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname FORTIS_MEDIFE
!
boot-start-marker
boot system flash c2800nm-advsecurityk9-mz.124-11.T2.bin
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$1fqH$7jc1XIavhgjQpt8m.iH1Y/
enable password 7 060506324F41
!
no aaa new-model
!
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool one
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.250
   dns-server 204.14.40.44 204.14.40.22 209.244.0.3 66.178.2.25
!
!
ip domain name yourdomain.com
!
multilink bundle-name authenticated
!
!
!
!
!
username admin password 7 0822455D0A16
username <myuser> privilege 15 secret 5 $1$9TEG$kPAjqADsLoC2NtFYc0og4/
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 6 Cisco address 216.226.72.178
!
!
crypto ipsec transform-set FORTIS ah-md5-hmac esp-3des esp-md5-hmac
!
crypto map FORTIS local-address FastEthernet0/1
crypto map FORTIS 2 ipsec-isakmp
 set peer 216.226.72.178
 set transform-set FORTIS
 match address 102
!
!
!
!
interface Tunnel0
 ip address 172.16.20.1 255.255.255.0
 tunnel source 216.226.72.98
 tunnel destination 216.226.72.178
 crypto map FORTIS
!
interface FastEthernet0/0
 ip address 192.168.0.250 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
 duplex auto
 speed auto
 no keepalive
!
interface FastEthernet0/1
 ip address 216.226.72.98 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map FORTIS
!
ip route 0.0.0.0 0.0.0.0 216.226.72.97
ip route 192.168.0.200 255.255.255.255 FastEthernet0/0
ip route 192.168.5.0 255.255.255.0 Tunnel0
!
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface FastEthernet0/1 overload
!
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 permit gre host 216.226.72.98 host 216.226.72.178
!
!
!
!
control-plane
!
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 password 7 060506324F41
 login
 transport input telnet
line vty 5 15
 privilege level 15
 password 7 0620003358471A
 login
 transport input telnet
!
scheduler allocate 20000 1000
!
end

*R2*

sh run
Building configuration...

Current configuration : 4694 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname FORTIS_MARABA
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
no logging console
!
no aaa new-model
ip cef
!
!
!
!
ip domain name yourdomain.com
!
!
crypto pki trustpoint TP-self-signed-1537726374
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1537726374
 revocation-check none
 rsakeypair TP-self-signed-1537726374
!
!
crypto pki certificate chain TP-self-signed-1537726374
 certificate self-signed 01
  30820254 308201BD A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31353337 37323633 3734301E 170D3038 30373138 31343135
  35375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 35333737
  32363337 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100ACD1 5E6D90D7 1478644B ED467A34 9F9356E2 4975FAB5 0B069B86 B38D0C9A
  0111D5CE 9A93B644 C0B0A508 752C38E5 EBFEE7BF 798127FE 3D6BE3D7 06F69978
  18025B99 DD988073 60D2C933 2B8F88C0 746052D1 B183319C D8BB9BF8 96F25422
  7D34CF40 7EA6106F 3754EF3C 5B81BAD0 0F447AB2 12CB6F45 6E751317 B217AF57
  B8510203 010001A3 7C307A30 0F060355 1D130101 FF040530 030101FF 30270603
  551D1104 20301E82 1C464F52 5449535F 4D415241 42412E79 6F757264 6F6D6169
  6E2E636F 6D301F06 03551D23 04183016 8014E1C5 D0C019FA A6833664 5311B319
  261A43B6 66E3301D 0603551D 0E041604 14E1C5D0 C019FAA6 83366453 11B31926
  1A43B666 E3300D06 092A8648 86F70D01 01040500 03818100 1A91BC69 FFB8169C
  C3C1A59D 0BE8DB2C 23EEC080 349E47E5 E0CF3D61 D73BB92A 0CA0E9B4 4E3261FA
  4DA90A58 FF00803B 3EE43C44 167A7D6A BBC9DA8A 737C7478 086D61E0 3CC79ACE
  9E9E729A 85C5C6E5 45876661 6D14F57F 88A80D7E 7EA62582 74E2E6DB 3FA4CF13
  358BDEAE 77E6E291 162B6996 F215E1B4 C73BDB21 91810D7D
  quit
username cisco privilege 15 secret 5 $1$ID17$UnnMnTbefC4F97yxRlHxu0
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 6 Cisco address 216.226.72.98
!
!
crypto ipsec transform-set FORTIS ah-md5-hmac esp-3des esp-md5-hmac
!
crypto map FORTIS local-address FastEthernet0/1
crypto map FORTIS 2 ipsec-isakmp
 set peer 216.226.72.98
 set transform-set FORTIS
 match address 102
!
!
!
interface Tunnel0
 ip address 172.16.20.5 255.255.255.0
 tunnel source 216.226.72.178
 tunnel destination 216.226.72.98
 crypto map FORTIS
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 216.226.72.178 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map FORTIS
!
ip route 0.0.0.0 0.0.0.0 216.226.72.177
ip route 192.168.0.0 255.255.255.0 Tunnel0
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface FastEthernet0/1 overload
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 102 permit ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit gre host 216.226.72.178 host 216.226.72.98
!
!
!
!
control-plane
!
!

line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 password cisco
 login
 transport input telnet ssh
line vty 5 14
 privilege level 15
 password cisco
 login
 transport input telnet ssh
line vty 15
 access-class 23 in
 privilege level 15
 password cisco
 login
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

Does anyone have any suggestions, or did I do something wrong? First person
to reply gets a thank you.
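The configs above are long enough that eyeballing them for a mismatch is error-prone. As an added example (not code from the original post or its author), here is a small Python checker that parses the crypto-map, pre-shared-key, interface, route, NAT and crypto-ACL statements out of two IOS `show run` dumps and reports every point on which the two routers are not mirror images: crypto ACL reversed on the far side, crypto-map peer and key pointing at the peer's tunnel source, NAT ACL denying the LAN-to-LAN pair before IPsec sees it, and a route for the remote LAN via the tunnel interface. The R1 sample is trimmed from the config in the post; the R2 sample is constructed by swapping the WAN addresses, LAN prefixes and tunnel address, which is what the post shows for FORTIS_MARABA. It also flags one design point visible in both configs: the same crypto map sits on `Tunnel0` and on the physical interface while ACL 102 matches both the LAN pair and the GRE endpoints, so LAN packets are eligible for IPsec before GRE encapsulation and the resulting GRE packet matches the map again on the outside interface. That is a warning to verify on the box with `show crypto ipsec sa`, not a diagnosis of the OP's problem.

```python
"""Mirror-check two Cisco IOS site-to-site IPsec/GRE configs (added example, not the OP's code)."""
from ipaddress import IPv4Address, IPv4Network
# Constructed sample: R1's relevant statements, trimmed from the config in the post.
R1 = """\
crypto isakmp key 6 Cisco address 216.226.72.178
crypto map FORTIS 2 ipsec-isakmp
 set peer 216.226.72.178
 match address 102
interface Tunnel0
 ip address 172.16.20.1 255.255.255.0
 tunnel source 216.226.72.98
 tunnel destination 216.226.72.178
 crypto map FORTIS
interface FastEthernet0/1
 ip address 216.226.72.98 255.255.255.248
 crypto map FORTIS
ip route 192.168.5.0 255.255.255.0 Tunnel0
ip nat inside source list 101 interface FastEthernet0/1 overload
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 permit gre host 216.226.72.98 host 216.226.72.178
"""

def swap(text, pairs):  # swap each (a, b) string pair; only used to derive the constructed R2 sample
    for a, b in pairs:
        text = text.replace(a, "\0").replace(b, a).replace("\0", b)
    return text

# Constructed R2: R1 with WAN addresses, LAN prefixes and tunnel address swapped, as in the post.
R2 = swap(R1, [("216.226.72.98", "216.226.72.178"), ("192.168.0.0", "192.168.5.0"), ("172.16.20.1", "172.16.20.5")])

def _spec(t):
    # Consume one ACL address spec (any | host A | A WILDCARD); return (network, remaining tokens).
    if t[0] == "any":
        return IPv4Network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return IPv4Network(t[1]), t[2:]
    mask = IPv4Address(0xFFFFFFFF ^ int(IPv4Address(t[1])))   # wildcard -> netmask
    return IPv4Network((t[0], str(mask)), strict=False), t[2:]

def parse(text):
    """Pull the crypto map, key, interface, route, NAT and ip/gre ACL statements out of a 'show run'."""
    cfg = {"keys": {}, "maps": {}, "ifaces": {}, "acls": {}, "routes": {}, "nat_acl": None}
    block = None
    for line in filter(str.split, text.splitlines()):      # skip blank lines
        t = line.split()
        if line[0] == " ":                                 # indented: belongs to the open block
            if block is not None and t[:2] == ["ip", "address"]:
                block["ip address"] = (t[2], IPv4Network((t[2], t[3]), strict=False))
            elif block is not None and len(t) > 1:
                block[" ".join(t[:-1])] = t[-1]            # 'set peer X', 'tunnel source X', ...
            continue
        block = None
        if t[:3] == ["crypto", "isakmp", "key"]:           # crypto isakmp key [0|6|7] KEY address PEER
            cfg["keys"][t[-1]] = t[4] if t[3] in ("0", "6", "7") else t[3]
        elif t[:2] == ["crypto", "map"] and t[-1] == "ipsec-isakmp":
            block = cfg["maps"].setdefault(t[2], {})
        elif t[0] == "interface":
            block = cfg["ifaces"].setdefault(t[1], {})
        elif t[:2] == ["ip", "route"]:
            cfg["routes"][IPv4Network((t[2], t[3]))] = t[4]
        elif t[:5] == ["ip", "nat", "inside", "source", "list"]:
            cfg["nat_acl"] = t[5]
        elif t[0] == "access-list" and t[3] in ("ip", "gre"):  # the entries a crypto ACL is built from
            src, rest = _spec(t[4:])
            cfg["acls"].setdefault(t[1], []).append((t[2], t[3], src, _spec(rest)[0]))
    return cfg

def _side(cfg):
    # GRE tunnel interface (name, config), the crypto map entry applied on it, and that map's ACL.
    tun_if, tun = next((n, v) for n, v in cfg["ifaces"].items() if "tunnel source" in v)
    m = cfg["maps"].get(tun.get("crypto map"), {})
    return tun_if, tun, m, cfg["acls"].get(m.get("match address"), [])

def cross_check(sides):
    """sides = {'R1': cfg, 'R2': cfg}; returns findings, [] meaning every point checked is mirrored."""
    (an, a), (bn, b) = sides.items()
    sa, sb = _side(a), _side(b)
    out = []
    if set(sa[3]) != {(act, p, d, s) for act, p, s, d in sb[3]}:
        out.append(f"crypto ACLs of {an} and {bn} are not mirror images")
    for name, cfg, (tun_if, tun, m, acl), pn, ptun in ((an, a, sa, bn, sb[1]), (bn, b, sb, an, sa[1])):
        if m.get("set peer") != ptun["tunnel source"] or m.get("set peer") not in cfg["keys"]:
            out.append(f"{name}: crypto map peer or pre-shared key does not point at {pn}'s tunnel source")
        nat = cfg["acls"].get(cfg["nat_acl"], [])
        for act, proto, src, dst in acl:
            if (act, proto) != ("permit", "ip"):
                continue
            # First-match NAT ACL evaluation for a host pair from this crypto entry (None = implicit deny).
            hit = next((a2 for a2, p, s, d in nat if p == "ip" and src[0] in s and dst[0] in d), None)
            if hit == "permit":
                out.append(f"{name}: NAT ACL {cfg['nat_acl']} translates {src}->{dst}, so it never reaches IPsec")
            if cfg["routes"].get(dst) != tun_if:
                out.append(f"{name}: no route for {dst} via {tun_if}")
        phys = next((n for n, v in cfg["ifaces"].items() if v.get("ip address", ("",))[0] == tun["tunnel source"]), None)
        if phys and tun.get("crypto map") == cfg["ifaces"][phys].get("crypto map") and {e[1] for e in acl} > {"gre"}:
            out.append(f"{name}: crypto map {tun['crypto map']} sits on both {tun_if} and {phys} while ACL {m['match address']} "
                       f"also matches LAN-to-LAN traffic, so those packets can be encrypted before GRE encapsulation and the "
                       f"GRE packet encrypted again on {phys}; check 'show crypto ipsec sa'")
    return out
```

Run `cross_check({"R1": parse(R1), "R2": parse(R2)})` on the two samples and the only findings are the two double-crypto-map warnings, one per router: the ACLs, NAT exemption, routes and peer/key settings posted are consistent with each other. The parser only understands the `ip` and `gre` ACL entries and the statements listed in its docstring, which is all a crypto-ACL mirror check needs; anything else in a full `show run` is ignored rather than parsed.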



This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:57 ART