Re: IPSec Crypto MAP on a tunnel interface

From: swap m <ccie19804_at_gmail.com>
Date: Wed, 4 Nov 2009 22:55:15 +0400

Correction: crypto on the physical interface also means "GRE over IPSec" (not the other
way around).

IPSec over GRE doesn't work because we need to route the packets first and then
encapsulate. Also, I believe it's not a supported feature and you most likely
won't find any documentation on Cisco for the same.

Swap
#19804

On Wed, Nov 4, 2009 at 4:04 PM, swap m <ccie19804_at_gmail.com> wrote:

> typo *(not the remote tunnel IP)...
>
> Also what Piotr suggested, crypto on physical interface will mean "IPSec
> over GRE".
>
> Both work...
>
>
>
> On Wed, Nov 4, 2009 at 4:00 PM, swap m <ccie19804_at_gmail.com> wrote:
>
>> Sadiq,
>>
>> you are configuring GRE over IPSec but mixing it with IPSec over GRE.
>>
>> Just configure IPSec "set peer" as the "tunnel destination" (no the remote
>> tunnel IP) ....rest is straightforward.
>>
>> cheers
>> Swap
>> #19804
>>
>> On Wed, Nov 4, 2009 at 3:36 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>>
>>> Hi guys,
>>>
>>> Wonder what's going on here? Is this even a supported configuration at all? I
>>> am trying to configure IPSec over a GRE tunnel by applying a crypto map on a
>>> tunnel interface (to encrypt everything going over the tunnel). See below
>>> the configuration. I noticed on the Wireshark capture that my ISAKMP packets
>>> are being sourced from the physical interface's IP address (183.1.x.x) and
>>> not the tunnel interface IP address (172.26.x.x). Now this is preventing the
>>> tunnel from coming up because the peer is expecting an IPSec packet to come
>>> from the tunnel IP address (configured in the crypto map peer config line).
>>> What am I missing here?
>>>
>>> Thanks,
>>>
>>>
>>> R4#sh run int tun 100
>>> interface Tunnel100
>>> ip address 172.26.0.1 255.255.255.252
>>> tunnel source 183.1.46.4
>>> tunnel destination 183.1.46.6
>>> crypto map MYMAP
>>> end
>>>
>>> R4#sh run | sec crypto
>>> crypto isakmp policy 10
>>> encr 3des
>>> hash md5
>>> authentication pre-share
>>> group 2
>>> crypto isakmp key CISCO address 172.26.0.2
>>> crypto ipsec transform-set DES_SHA esp-des esp-sha-hmac
>>> crypto ipsec profile IPSEC_PROFILE
>>> set transform-set DES_SHA
>>> crypto map MYMAP 10 ipsec-isakmp
>>> set peer 172.26.0.2
>>> set transform-set DES_SHA
>>> match address IPSEC
>>> crypto map MYMAP
>>> R4#
>>>
>>>
>>> R6#sh run int tun 0
>>> interface Tunnel0
>>> ip address 172.26.0.2 255.255.255.252
>>> tunnel source 183.1.46.6
>>> tunnel destination 183.1.46.4
>>> crypto map MYMAP
>>> end
>>> R6#
>>> R6#sh run | sec crypto
>>> crypto isakmp policy 10
>>> encr 3des
>>> hash md5
>>> authentication pre-share
>>> group 2
>>> crypto isakmp key CISCO address 172.26.0.1
>>> crypto ipsec transform-set DES_SHA esp-des esp-sha-hmac
>>> crypto ipsec profile IPSEC_PROFILE
>>> set transform-set DES_SHA
>>> crypto map MYMAP 10 ipsec-isakmp
>>> set peer 172.26.0.1
>>> set transform-set DES_SHA
>>> match address IPSEC
>>> crypto map MYMAP
>>> R6#
>>>
>>>
>>> --
>>> CCIE #19963
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
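As an added illustration (not posted by anyone in this thread), this is what the R4 side looks like once the crypto map is keyed to the tunnel destination, i.e. the GRE-over-IPSec arrangement Swap describes. The contents of the IPSEC access list, the physical interface name and its mask are assumptions, since the thread does not show them.

```cisco
! R4 side; R6 mirrors it with the two 183.1.46.x addresses swapped.
! ISAKMP and ESP travel between the tunnel sources (183.1.46.4 <-> 183.1.46.6),
! so the pre-shared key and the peer are keyed to the remote PHYSICAL address,
! not to the remote tunnel address 172.26.0.2.
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key CISCO address 183.1.46.6
!
crypto ipsec transform-set DES_SHA esp-des esp-sha-hmac
!
! Assumed contents of the IPSEC ACL (referenced in the thread, never shown):
! protect the GRE packets exchanged between the two tunnel endpoints.
ip access-list extended IPSEC
 permit gre host 183.1.46.4 host 183.1.46.6
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 183.1.46.6
 set transform-set DES_SHA
 match address IPSEC
!
! Apply the map on the interface the GRE packets actually leave through.
! Interface name and mask are placeholders for whichever interface holds 183.1.46.4.
interface FastEthernet0/0
 ip address 183.1.46.4 255.255.255.0
 crypto map MYMAP
!
! The tunnel interface carries only the inner (cleartext) traffic; it needs no map.
! (IOS releases before 12.2(13)T also required the map on the tunnel interface.)
interface Tunnel100
 ip address 172.26.0.1 255.255.255.252
 tunnel source 183.1.46.4
 tunnel destination 183.1.46.6
 no crypto map MYMAP
```

Since the configs in the thread already define `crypto ipsec profile IPSEC_PROFILE`, the same GRE-over-IPSec result can be had without a crypto map or ACL by configuring `tunnel protection ipsec profile IPSEC_PROFILE` under the tunnel interface on both routers (the ISAKMP key still has to be addressed to the peer's physical address).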

Received on Wed Nov 04 2009 - 22:55:15 ART

This archive was generated by hypermail 2.2.0 : Tue Dec 01 2009 - 06:36:28 ART