Re: Need help with GRE over IPSec config

From: Ronny Jonathan (rjonathan@hotpop.com)
Date: Sun Sep 22 2002 - 08:45:56 GMT-3


Hi Minh,

Try to add "mode transport" for both R4 & R6 under

crypto ipsec transform-set GRE_SET esp-des esp-sha-hmac
  mode transport

and don't forget to have access-list 146 defined on R4

Regards,
Ronny
----- Original Message -----
From: "Minh Vuong" <mvuong@cisco.com>
To: "CCIE Groupstudy" <ccielab@groupstudy.com>
Cc: "Bao Dam" <dambq@yahoo.com>; "Alan Wong" <alawong@cisco.com>
Sent: Sunday, September 22, 2002 2:15 PM
Subject: Need help with GRE over IPSec config

> Guys, need some help please with a GRE over IPSec problem. I think it's
> a rather basic config, but for some reason I can't get it to work. So
> another set of eyes would be appreciated...
>
> R6 connects directly to R4 via Token Ring.
>
>
> R6 CONFIG:
> access-list 146 permit gre host 148.8.46.6 host 148.8.46.4 log
> !
> crypto isakmp policy 1
> authentication pre-share
> crypto isakmp key baby address 148.8.46.4
> !
> !
> crypto ipsec transform-set GRE_SET esp-des esp-sha-hmac
> !
> crypto map GRE_MAP local-address TokenRing5/0
> crypto map GRE_MAP 10 ipsec-isakmp
> set peer 148.8.46.4
> set transform-set GRE_SET
> match address 146
> !
> interface Tunnel46
> ip address 148.8.200.6 255.255.255.0
> tunnel source 148.8.46.6
> tunnel destination 148.8.46.4
> crypto map GRE_MAP
> !
> !
> interface TokenRing5/0
> ip address 148.8.46.6 255.255.255.192
> ipx network 46
> ring-speed 4
> crypto map GRE_MAP
> !
>
>
>
> R4 CONFIG:
> !
> crypto isakmp policy 1
> authentication pre-share
> crypto isakmp key baby address 148.8.46.6
> !
> !
> crypto ipsec transform-set GRE_SET esp-des esp-sha-hmac
> !
> crypto map GRE_MAP local-address TokenRing0/0
> crypto map GRE_MAP 10 ipsec-isakmp
> set peer 148.8.46.6
> set transform-set GRE_SET
> match address 146
> !
> !
> interface Tunnel46
> ip address 148.8.200.4 255.255.255.0
> tunnel source 148.8.46.4
> tunnel destination 148.8.46.6
> crypto map GRE_MAP
> !
> interface TokenRing0/0
> ip address 148.8.46.4 255.255.255.192
> ipx network 46
> ring-speed 4
> crypto map GRE_MAP
> source-bridge 300 1 1000
>
>
> On R4, I get the following error messages:
> 14:19:33: %SEC-6-IPACCESSLOGRP: list 146 permitted gre 148.8.46.4 -> 148.8.46.6, 60 packets
> 14:19:33: IPSEC(encapsulate): invalid conn id 0
> 14:19:33: IPSEC(encapsulate): error in encapsulation crypto_ip_encrypt
> 14:20:33: IPSEC(encapsulate): invalid conn id 0
> 14:20:33: IPSEC(encapsulate): error in encapsulation crypto_ip_encrypt
>
>
> OSPF neighborship would never establish:
> R4#sh ip ospf nei
>
> Neighbor ID     Pri   State      Dead Time   Address        Interface
> 148.8.5.5         1   FULL/DR    00:01:53    148.8.245.5    Serial0/0
> 148.8.6.6         1   INIT/ -    00:00:31    148.8.200.6    Tunnel46
>
> Thanks,
>
> Minh
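
Added example (not part of the original thread, and not Cisco tooling): a small Python check for the two points in the reply, that the transform set is in transport mode on both routers and that the crypto ACL referenced by the crypto map is actually defined, plus a mirror-image test of the ACL between peers. The sample configs are constructed from the crypto lines quoted above, with R4 lacking access-list 146 as in the posted excerpt; the R4 ACL line and the assumption that both routers use the same ACL number are mine.

```python
import re

def parse(cfg):
    """Pull crypto ACLs, transform sets and crypto map entries out of IOS config text."""
    acls, tsets, maps, cur = {}, {}, [], None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():
            cur = None  # a top-level command ends the current sub-mode
        if m := re.match(r"access-list (\d+) permit gre host (\S+) host (\S+)", line):
            acls.setdefault(m[1], set()).add((m[2], m[3]))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cur = tsets[m[1]] = {"mode": "tunnel"}  # IOS default when no mode is given
        elif re.match(r"crypto map \S+ \d+ ipsec-isakmp", line):
            cur = {}
            maps.append(cur)
        elif cur is not None and (m := re.match(r"(mode|set transform-set|match address) (\S+)", line)):
            cur[m[1]] = m[2]
    return acls, tsets, maps

def check(name, cfg, peer_cfg):
    """List where a router misses the reply's two points or the peer's ACL is not mirrored."""
    acls, tsets, maps = parse(cfg)
    peer_acls = parse(peer_cfg)[0]
    out = []
    for entry in maps:
        ts, acl = entry.get("set transform-set"), entry.get("match address")
        if tsets.get(ts, {}).get("mode") != "transport":
            out.append(f"{name}: transform-set {ts} is not in transport mode")
        if acl not in acls:
            out.append(f"{name}: access-list {acl} is referenced but not defined")
        elif {(d, s) for s, d in acls[acl]} != peer_acls.get(acl, set()):
            out.append(f"{name}: access-list {acl} has no mirror image on the peer")
    return out

# Constructed samples: only the crypto lines from the thread, peers/interfaces omitted.
TS = "crypto ipsec transform-set GRE_SET esp-des esp-sha-hmac\n"
MAP = "crypto map GRE_MAP 10 ipsec-isakmp\n set transform-set GRE_SET\n match address 146\n"
ACL6 = "access-list 146 permit gre host 148.8.46.6 host 148.8.46.4 log\n"
ACL4 = "access-list 146 permit gre host 148.8.46.4 host 148.8.46.6\n"  # assumed mirror of ACL6
R6_POSTED, R4_POSTED = ACL6 + TS + MAP, TS + MAP
R6_FIXED = ACL6 + TS + " mode transport\n" + MAP
R4_FIXED = ACL4 + TS + " mode transport\n" + MAP

if __name__ == "__main__":
    for label, a, b in (("posted", R4_POSTED, R6_POSTED), ("fixed", R4_FIXED, R6_FIXED)):
        print(label, check("R4", a, b) + check("R6", b, a))
```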


