Hi,
Take a look at the tunnel source command. What's the source IP address?
Anyway, the "appropriate" way to do that is to attach a crypto map on
physical interfaces and specify GRE protocol as "interesting traffic".
Alternatively, you can use IPSec profiles and the "tunnel protection" command
under the tunnel interface.
HTH,
--
Piotr Matusiak
CCIE #19860 (R&S, SEC)
Technical Instructor
MicronicsTraining.com

If you can't explain it simply, you don't understand it well enough - Albert Einstein

2009/11/4 Sadiq Yakasai <sadiqtanko_at_gmail.com>

> Hi guys,
>
> Wonder what's going on here? Is this even a supported configuration at all? I
> am trying to configure IPSec over a GRE tunnel by applying a crypto map on a
> tunnel interface (to encrypt everything going over the tunnel). See below
> the configuration. I noticed on the wireshark capture that my ISAKMP packets
> are being sourced from the physical interface's IP address (183.1.x.x) and
> not the tunnel interface IP address (172.26.x.x). Now this is preventing the
> tunnel from coming up because the peer is expecting an IPSec packet to come
> from the tunnel IP address (configured in the crypto map peer config line).
> What am I missing here?
>
> Thanks,
>
>
> R4#sh run int tun 100
> interface Tunnel100
>  ip address 172.26.0.1 255.255.255.252
>  tunnel source 183.1.46.4
>  tunnel destination 183.1.46.6
>  crypto map MYMAP
> end
>
> R4#sh run | sec crypto
> crypto isakmp policy 10
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
> crypto isakmp key CISCO address 172.26.0.2
> crypto ipsec transform-set DES_SHA esp-des esp-sha-hmac
> crypto ipsec profile IPSEC_PROFILE
>  set transform-set DES_SHA
> crypto map MYMAP 10 ipsec-isakmp
>  set peer 172.26.0.2
>  set transform-set DES_SHA
>  match address IPSEC
> crypto map MYMAP
> R4#
>
>
> R6#sh run int tun 0
> interface Tunnel0
>  ip address 172.26.0.2 255.255.255.252
>  tunnel source 183.1.46.6
>  tunnel destination 183.1.46.4
>  crypto map MYMAP
> end
> R6#
> R6#sh run | sec crypto
> crypto isakmp policy 10
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
> crypto isakmp key CISCO address 172.26.0.1
> crypto ipsec transform-set DES_SHA esp-des esp-sha-hmac
> crypto ipsec profile IPSEC_PROFILE
>  set transform-set DES_SHA
> crypto map MYMAP 10 ipsec-isakmp
>  set peer 172.26.0.1
>  set transform-set DES_SHA
>  match address IPSEC
> crypto map MYMAP
> R6#
>
>
> --
> CCIE #19963
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Received on Wed Nov 04 2009 - 12:56:54 ART
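
The two approaches named in the reply above, sketched for R4 as an added example that is not part of the original thread. It reuses the names and addresses from the posted configuration; the physical interface name FastEthernet0/0 is an assumption, since the thread does not show which interface owns 183.1.46.4.

```cisco
! Added example for R4; mirror it on R6 with the addresses swapped.
! ISAKMP policy 10, transform set DES_SHA and profile IPSEC_PROFILE
! stay exactly as posted in the thread.

! Common to both options: IKE runs between the addresses given by
! "tunnel source" and "tunnel destination", so the pre-shared key
! must be bound to the peer's physical address, not its tunnel address.
no crypto isakmp key CISCO address 172.26.0.2
crypto isakmp key CISCO address 183.1.46.6

! The crypto map no longer belongs on the tunnel interface.
interface Tunnel100
 no crypto map MYMAP

! --- Option A: crypto map on the physical interface ---
! "Interesting traffic" is the GRE packet between the two endpoints.
ip access-list extended IPSEC
 permit gre host 183.1.46.4 host 183.1.46.6
crypto map MYMAP 10 ipsec-isakmp
 no set peer 172.26.0.2
 set peer 183.1.46.6
 set transform-set DES_SHA
 match address IPSEC
! Assumption: FastEthernet0/0 is the interface that owns 183.1.46.4.
interface FastEthernet0/0
 crypto map MYMAP

! --- Option B: IPsec profile on the tunnel (use instead of A) ---
! No crypto map or ACL is needed; the peer is taken from
! "tunnel destination" and everything sent into the tunnel is protected.
interface Tunnel100
 tunnel protection ipsec profile IPSEC_PROFILE
```

After either change, `show crypto isakmp sa` and `show crypto ipsec sa` on R4 should list 183.1.46.4 and 183.1.46.6 as the local and remote endpoints.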
This archive was generated by hypermail 2.2.0 : Tue Dec 01 2009 - 06:36:28 ART