Re: IPSEC over Tunnel Working Configs

From: kym blair (kymblair@xxxxxxxxxxx)
Date: Wed Apr 17 2002 - 02:57:24 GMT-3


John, your advice worked great! Thanks! For others, here are the working
configs of an IPSEC VPN between R8 and R3 with other routers and Frame Relay
in between:

R3:

crypto isakmp policy 10
authentication pre-share
crypto isakmp key CCIE address 172.28.2.8
crypto ipsec transform-set XFRM esp-des esp-sha-hmac
access-list 138 permit ip host 62.8.1.3 host 172.28.2.8
!
crypto map CCIEMAP 10 ipsec-isakmp
set peer 172.28.2.8
set transform-set XFRM
match address 138
!
interface Serial1
ip address 62.8.1.3 255.255.255.128
encapsulation frame-relay
frame-relay map ip 62.8.1.3 306 broadcast
frame-relay map ip 62.8.1.5 306 broadcast
frame-relay map ip 62.8.1.6 306 broadcast
no frame-relay inverse-arp
crypto map CCIEMAP
!
interface Tunnel8
ip address 148.8.8.3 255.255.255.0
tunnel source 62.8.1.3
tunnel destination 172.28.2.8
crypto map CCIEMAP

R8:

crypto isakmp policy 1
authentication pre-share
crypto isakmp key CCIE address 62.8.1.3
crypto ipsec transform-set XFRM esp-des esp-sha-hmac
access-list 168 permit ip host 172.28.2.8 host 62.8.1.3
!
crypto map CCIEMAP 10 ipsec-isakmp
set peer 62.8.1.3
set transform-set XFRM
match address 168
!
interface Tunnel8
ip address 148.8.8.8 255.255.255.0
tunnel source 172.28.2.8
tunnel destination 62.8.1.3
crypto map CCIEMAP
!
interface Serial0
ip address 172.28.2.8 255.255.255.0
crypto map CCIEMAP

Kym
------------------------------------------------------

>From: John Neiberger <neiby@ureach.com>
>Reply-To: John Neiberger <neiby@ureach.com>
>To: "kym blair" <kymblair@hotmail.com>, ccielab@groupstudy.com
>Subject: Re: IPSEC over Tunnel Not Working
>Date: Wed, 17 Apr 2002 00:55:02 -0400
>
>When trying to get IPSec to work over a GRE tunnel, I try to
>remember three rules:
>
>1. In the IPsec config, always use the real IP addresses, not
>the addresses of the tunnel.
>
>2. Apply the crypto map to both the Tunnel interface and the
>real outgoing interface.
>
>3. Your crypto access list only needs a single line that
>permits GRE, again using real IP addresses, not tunnel
>addresses.
>
>If you follow those three rules you shouldn't have a problem
>with a basic config.
>
>HTH,
>John
>
>
>
>---- On Wed, 17 Apr 2002, kym blair (kymblair@hotmail.com) wrote:
>
> > IPSEC works great with the below config when applied to a physical serial
> > link, but when I apply it to a working tunnel, it doesn't work. I've tried
> > a variety of address combinations but still can't get it. Can anyone solve
> > this? Here are the configs:
> >
> > ROUTER3:
> >
> > crypto isakmp policy 10
> > authentication pre-share
> > crypto isakmp key CCIE address 148.8.8.8
> > crypto ipsec transform-set XFRM esp-des esp-sha-hmac
> > access-list 138 permit ip host 148.8.8.3 host 148.8.8.8
> >
> > crypto map CCIEMAP 10 ipsec-isakmp
> > set peer 148.8.8.8
> > set transform-set XFRM
> > match address 138
> > !
> > interface Tunnel8
> > ip address 148.8.8.3 255.255.255.0
> > tunnel source 33.3.3.3
> > tunnel destination 172.28.2.8
> > crypto map CCIEMAP
> >
> > ROUTER8:
> >
> > crypto isakmp policy 1
> > authentication pre-share
> > crypto isakmp key CCIE address 148.8.8.3
> > crypto ipsec transform-set XFRM esp-des esp-sha-hmac
> > access-list 138 permit ip host 148.8.8.8 host 148.8.8.3
> > !
> > crypto map CCIEMAP 10 ipsec-isakmp
> > set peer 148.8.8.3
> > set transform-set XFRM
> > match address 138
> > !
> > interface Tunnel8
> > ip address 148.8.8.8 255.255.255.0
> > tunnel source 172.28.2.8
> > tunnel destination 33.3.3.3
> > crypto map CCIEMAP
> >
> >
> > TIA, Kym
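Added example, not from the thread or its authors: a small Python checker that encodes John's three rules and applies them to the ROUTER3 config quoted above as not working (the function and constant names are my own). Kym's working R3 config passes all three checks, because `permit ip` between the real addresses also covers the GRE traffic that rule 3 asks for.

```python
import re
# Constructed sample: the ROUTER3 config quoted in the thread as "not working".
BROKEN_R3 = """crypto isakmp key CCIE address 148.8.8.8
access-list 138 permit ip host 148.8.8.3 host 148.8.8.8
crypto map CCIEMAP 10 ipsec-isakmp
set peer 148.8.8.8
match address 138
interface Tunnel8
ip address 148.8.8.3 255.255.255.0
tunnel source 33.3.3.3
tunnel destination 172.28.2.8
crypto map CCIEMAP"""

def parse_ios(text):
    """Collect interfaces, crypto maps, crypto ACL entries and ISAKMP key peers."""
    ifaces, maps, acls, keys, block = {}, {}, {}, set(), None
    for s in (line.strip() for line in text.splitlines()):
        if m := re.match(r"interface (\S+)$", s):
            block = ifaces.setdefault(m[1], {})
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", s):
            block = maps.setdefault(m[1], {})
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)", s):
            keys.add(m[1])
        elif m := re.match(r"access-list (\d+) permit (\S+) host (\S+) host (\S+)", s):
            acls.setdefault(m[1], []).append((m[2], m[3], m[4]))
        elif block is not None and (m := re.match(
                r"(set peer|match address|ip address|tunnel source|tunnel destination|crypto map) (\S+)", s)):
            block[m[1]] = m[2]          # keep only the first token, e.g. the IP of "ip address A MASK"
    return ifaces, maps, acls, keys

def check_rules(text):
    """Return the violations of the three rules; an empty list means the config passes."""
    ifaces, maps, acls, keys = parse_ios(text)
    problems = []
    for name, t in ifaces.items():
        if "tunnel source" not in t:
            continue                    # only GRE tunnel interfaces are subject to the rules
        src, dst, cmap = t["tunnel source"], t["tunnel destination"], t.get("crypto map")
        peers = keys | {m["set peer"] for m in maps.values() if "set peer" in m}
        # Rule 1: ISAKMP key and crypto-map peer name the real remote address, never a tunnel one.
        if t.get("ip address") in peers or dst not in peers:
            problems.append(f"{name}: peer must be {dst}, not a tunnel-subnet address")
        # Rule 2: the same crypto map also sits on the physical interface that owns the tunnel source.
        if not any(i.get("ip address") == src and i.get("crypto map") == cmap for i in ifaces.values()):
            problems.append(f"{name}: crypto map {cmap} is not applied on the interface with {src}")
        # Rule 3: the crypto ACL matches the GRE traffic between the real endpoints (ip also covers gre).
        acl = acls.get(maps.get(cmap, {}).get("match address"), [])
        if not any(p in ("gre", "ip") and (s, d) == (src, dst) for p, s, d in acl):
            problems.append(f"{name}: crypto ACL should permit gre host {src} host {dst}")
    return problems
```

Running `check_rules(BROKEN_R3)` reports one finding per rule; the same call on the working R3 config posted above returns an empty list.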



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:58:11 GMT-3