Re: IPSec Crypto MAP on a tunnel interface

From: swap m <ccie19804_at_gmail.com>
Date: Wed, 4 Nov 2009 16:04:36 +0400

typo *(not the remote tunnel IP)...

Also what Piotr suggested, crypto on physical interface will mean "IPSec
over GRE".

Both work...

On Wed, Nov 4, 2009 at 4:00 PM, swap m <ccie19804_at_gmail.com> wrote:

> Sadiq,
>
> you are configuring GRE over IPSec but mixing it with IPSec over GRE.
>
> Just configure IPSec "set peer" as the "tunnel destination" (no the remote
> tunnel IP) ....rest is straightforward.
>
> cheers
> Swap
> #19804
>
> On Wed, Nov 4, 2009 at 3:36 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>
>> Hi guys,
>>
>> Wonder what's going on here? Is this even a supported configuration at all? I
>> am trying to configure IPSec over a GRE tunnel by applying a crypto map on a
>> tunnel interface (to encrypt everything going over the tunnel). See below
>> the configuration. I noticed on the Wireshark capture that my ISAKMP packets
>> are being sourced from the physical interface's IP address (183.1.x.x) and
>> not the tunnel interface IP address (172.26.x.x). Now this is preventing the
>> tunnel from coming up because the peer is expecting an IPSec packet to come
>> from the tunnel IP address (configured in the crypto map peer config line).
>> What am I missing here?
>>
>> Thanks,
>>
>>
>> R4#sh run int tun 100
>> interface Tunnel100
>> ip address 172.26.0.1 255.255.255.252
>> tunnel source 183.1.46.4
>> tunnel destination 183.1.46.6
>> crypto map MYMAP
>> end
>>
>> R4#sh run | sec crypto
>> crypto isakmp policy 10
>> encr 3des
>> hash md5
>> authentication pre-share
>> group 2
>> crypto isakmp key CISCO address 172.26.0.2
>> crypto ipsec transform-set DES_SHA esp-des esp-sha-hmac
>> crypto ipsec profile IPSEC_PROFILE
>> set transform-set DES_SHA
>> crypto map MYMAP 10 ipsec-isakmp
>> set peer 172.26.0.2
>> set transform-set DES_SHA
>> match address IPSEC
>> crypto map MYMAP
>> R4#
>>
>>
>> R6#sh run int tun 0
>> interface Tunnel0
>> ip address 172.26.0.2 255.255.255.252
>> tunnel source 183.1.46.6
>> tunnel destination 183.1.46.4
>> crypto map MYMAP
>> end
>> R6#
>> R6#sh run | sec crypto
>> crypto isakmp policy 10
>> encr 3des
>> hash md5
>> authentication pre-share
>> group 2
>> crypto isakmp key CISCO address 172.26.0.1
>> crypto ipsec transform-set DES_SHA esp-des esp-sha-hmac
>> crypto ipsec profile IPSEC_PROFILE
>> set transform-set DES_SHA
>> crypto map MYMAP 10 ipsec-isakmp
>> set peer 172.26.0.1
>> set transform-set DES_SHA
>> match address IPSEC
>> crypto map MYMAP
>> R6#
>>
>>
>> --
>> CCIE #19963
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html

Received on Wed Nov 04 2009 - 16:04:36 ART
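
The check suggested in the reply ("set peer" should be the "tunnel destination"), as an added example that is not part of the original thread: a small Python lint over a trimmed, re-indented copy of R4's posted configuration. The function names are hypothetical, and the ISAKMP key check goes one step beyond the reply, on the assumption that the pre-shared key is selected by the IKE peer's address.

```python
import re

# Constructed sample: R4's posted configuration, trimmed and re-indented.
R4_CONFIG = """\
interface Tunnel100
 tunnel destination 183.1.46.6
 crypto map MYMAP
crypto isakmp key CISCO address 172.26.0.2
crypto map MYMAP 10 ipsec-isakmp
 set peer 172.26.0.2
"""

def parse(config):
    """Return tunnel settings, crypto-map peers and ISAKMP key addresses."""
    tunnels, peers, key_addrs = {}, {}, set()
    tunnel = cmap = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level line closes any open section
            tunnel = cmap = None
        if m := re.match(r"interface (Tunnel\d+)$", line):
            tunnel = tunnels.setdefault(m[1], {"dest": None, "maps": []})
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", line):
            cmap = peers.setdefault(m[1], [])
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            key_addrs.add(m[1])
        elif tunnel is not None and (m := re.match(r"tunnel destination (\S+)$", line)):
            tunnel["dest"] = m[1]
        elif tunnel is not None and (m := re.match(r"crypto map (\S+)$", line)):
            tunnel["maps"].append(m[1])
        elif cmap is not None and (m := re.match(r"set peer (\S+)$", line)):
            cmap.append(m[1])
    return tunnels, peers, key_addrs

def check(config):
    """Flag tunnel crypto maps whose peer or key address is not the tunnel destination."""
    tunnels, peers, key_addrs = parse(config)
    findings = []
    for name, t in tunnels.items():
        for map_name in t["maps"]:
            for peer in peers.get(map_name, []):
                if peer != t["dest"]:
                    findings.append(f"{name}: map {map_name} peer {peer} "
                                    f"is not tunnel destination {t['dest']}")
        # Assumption: the pre-shared key is looked up by the IKE peer's address.
        if t["maps"] and t["dest"] not in key_addrs:
            findings.append(f"{name}: no ISAKMP key for {t['dest']}")
    return findings

FIXED = R4_CONFIG.replace("172.26.0.2", "183.1.46.6")  # peer and key use the tunnel destination
```

`check(R4_CONFIG)` reports both the peer mismatch and the missing key entry for 183.1.46.6; `check(FIXED)` returns an empty list.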
