Re: IPSec Crypto MAP on a tunnel interface

From: swap m <ccie19804_at_gmail.com>
Date: Wed, 4 Nov 2009 16:00:04 +0400

Sadiq,

You are configuring GRE over IPSec but mixing it with IPSec over GRE.

Just configure the IPSec "set peer" as the "tunnel destination" (not the remote
tunnel IP) ... the rest is straightforward.

cheers
Swap
#19804

On Wed, Nov 4, 2009 at 3:36 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:

> Hi guys,
>
> Wonder what's going on here? Is this even a supported configuration at all? I
> am trying to configure IPSec over a GRE tunnel by applying a crypto map on a
> tunnel interface (to encrypt everything going over the tunnel). See below the
> configuration. I noticed on the Wireshark capture that my ISAKMP packets are
> being sourced from the physical interface's IP address (183.1.x.x) and not the
> tunnel interface IP address (172.26.x.x). Now this is preventing the tunnel
> from coming up because the peer is expecting an IPSec packet to come from the
> tunnel IP address (configured in the crypto map peer config line). What am I
> missing here?
>
> Thanks,
>
>
> R4#sh run int tun 100
> interface Tunnel100
> ip address 172.26.0.1 255.255.255.252
> tunnel source 183.1.46.4
> tunnel destination 183.1.46.6
> crypto map MYMAP
> end
>
> R4#sh run | sec crypto
> crypto isakmp policy 10
> encr 3des
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key CISCO address 172.26.0.2
> crypto ipsec transform-set DES_SHA esp-des esp-sha-hmac
> crypto ipsec profile IPSEC_PROFILE
> set transform-set DES_SHA
> crypto map MYMAP 10 ipsec-isakmp
> set peer 172.26.0.2
> set transform-set DES_SHA
> match address IPSEC
> crypto map MYMAP
> R4#
>
>
> R6#sh run int tun 0
> interface Tunnel0
> ip address 172.26.0.2 255.255.255.252
> tunnel source 183.1.46.6
> tunnel destination 183.1.46.4
> crypto map MYMAP
> end
> R6#
> R6#sh run | sec crypto
> crypto isakmp policy 10
> encr 3des
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key CISCO address 172.26.0.1
> crypto ipsec transform-set DES_SHA esp-des esp-sha-hmac
> crypto ipsec profile IPSEC_PROFILE
> set transform-set DES_SHA
> crypto map MYMAP 10 ipsec-isakmp
> set peer 172.26.0.1
> set transform-set DES_SHA
> match address IPSEC
> crypto map MYMAP
> R6#
>
>
> --
> CCIE #19963
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Received on Wed Nov 04 2009 - 16:00:04 ART
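Editor's note, added to this archived thread and not part of either poster's message: the configuration below is a worked version of what Swap describes for R4, with the crypto map peering to the physical tunnel-destination address rather than the remote tunnel IP. ISAKMP and ESP ride on the outer (physical) addresses, so the pre-shared key, "set peer" and the crypto ACL all have to reference 183.1.46.x; a peer entry for 172.26.0.2 can never match the proposals that arrive from 183.1.46.4. Addresses and names reuse the thread's; the extended ACL named IPSEC is an assumption, since neither poster shows it, and the second variant (tunnel protection) is a different way of achieving the same thing using the IPSEC_PROFILE that is already defined but unused in the posted configs. The DES/3DES/MD5 choices are kept only because the lab uses them; they are not suitable outside a lab.

```cisco
! Added example (not from the original posts). R4 side; R6 mirrors it with
! 183.1.46.4/183.1.46.6 and 172.26.0.1/172.26.0.2 swapped.

! --- Variant 1: GRE over IPsec with a crypto map -------------------------
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
! Key is bound to the peer's OUTER address (tunnel destination), not its tunnel IP
crypto isakmp key CISCO address 183.1.46.6
crypto ipsec transform-set DES_SHA esp-des esp-sha-hmac
! Assumed ACL (the thread never shows it): the interesting traffic is the GRE
! encapsulation itself, between the two tunnel endpoints
ip access-list extended IPSEC
 permit gre host 183.1.46.4 host 183.1.46.6
crypto map MYMAP 10 ipsec-isakmp
 set peer 183.1.46.6
 set transform-set DES_SHA
 match address IPSEC
interface Tunnel100
 ip address 172.26.0.1 255.255.255.252
 tunnel source 183.1.46.4
 tunnel destination 183.1.46.6
 crypto map MYMAP
! Older IOS releases also required the same map on the physical interface that
! owns 183.1.46.4; applying it there as well is harmless on newer code.

! --- Variant 2: same result with tunnel protection, no crypto map or ACL ----
! (uses the IPSEC_PROFILE that the posted configs define but never apply)
crypto ipsec profile IPSEC_PROFILE
 set transform-set DES_SHA
interface Tunnel100
 ip address 172.26.0.1 255.255.255.252
 tunnel source 183.1.46.4
 tunnel destination 183.1.46.6
 tunnel protection ipsec profile IPSEC_PROFILE
```

After either variant, ping across the tunnel and check `show crypto isakmp sa` (expect a QM_IDLE entry between 183.1.46.4 and 183.1.46.6) and `show crypto ipsec sa` for rising encaps/decaps counters; a Wireshark capture on the physical link should then show only ISAKMP and ESP between the outer addresses, with the GRE header no longer visible.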
