1841 and IPSec configuration

Unanswered Question

Hi All,


I would like to connect Site A to Site B using an IPSec/GRE tunnel. I came up with a template to use and am wondering whether my sample configuration will work.

Thanks in advance,

-J


crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
! the ISAKMP key and the crypto-map peer are both the REMOTE side's public address
crypto isakmp key <key> address <remote public ip>
!
crypto ipsec transform-set ESP_SHA esp-3des esp-sha-hmac
!
crypto map ENCRYPT 10 ipsec-isakmp
 description VPN to BIS
 set peer <remote public ip>
 set transform-set ESP_SHA
 set pfs group2
 match address GRE_TUNNEL0
!
interface Tunnel0
 description Tunnel to
 ip address <tunnel /30 ip> 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1300
 tunnel source Loopback1
 tunnel destination <remote loopback ip>
!
interface Null0
 no ip unreachables
!
interface Loopback1
 description GRE endpoint
 ip address <local loopback ip> 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
! public-facing interface
interface FastEthernet x/x
 ip address <public interface ip> <mask>
 no cdp enable
 crypto map ENCRYPT
!
ip classless
!
ip route 0.0.0.0 0.0.0.0 <Internet next-hop> 254
ip route <LAN IP> 255.255.255.0 Null0 254
! the REMOTE loopback (the tunnel destination) must be routed out of the crypto-mapped
! interface so the GRE packets hit the crypto map; the local loopback is a connected
! route and needs no static entry
ip route <remote loopback> 255.255.255.255 <Internet next-hop>
ip route <remote public ip> 255.255.255.255 <Internet next-hop>
! the remote LAN is reached through the tunnel (this route was missing from the template)
ip route <remote LAN> 255.255.255.0 Tunnel0
!
no ip http server
!
! crypto ACL: protocol gre, source = LOCAL endpoint, destination = REMOTE endpoint
ip access-list extended GRE_TUNNEL0
 permit gre host <local loopback> host <remote loopback>
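The same GRE-over-IPsec design written out for both sites, as an added worked example that is not part of the original post, so the direction of every element is visible: the ISAKMP key and crypto-map peer point at the remote public address, the crypto ACL runs local-to-remote and matches GRE only, the crypto map sits on the interface the GRE packets actually leave by, and the remote LAN is routed into Tunnel0. All addresses are constructed from the RFC 5737 documentation ranges. Assumptions not in the post: an IOS 15.x image that supports AES-256, SHA-256 and DH group 14 (the 3DES / SHA-1 / group 2 suite in the 2007 template should not be deployed today), GigabitEthernet0/0 as the Internet interface, and the public interface itself as the GRE source instead of a loopback, which removes the extra static route for the remote loopback.

```cisco
! ===== Site A: public 198.51.100.1, LAN 192.168.1.0/24 (constructed addresses) =====
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
! key is bound to the REMOTE peer's public address (placeholder key, change it)
crypto isakmp key S1teA-S1teB-ChangeMe address 203.0.113.1
!
crypto ipsec transform-set GRE_SET esp-aes 256 esp-sha256-hmac
 ! transport mode is enough here: the GRE endpoints are already the IPsec peers
 mode transport
!
! crypto ACL: protocol gre, source = LOCAL endpoint, destination = REMOTE endpoint
ip access-list extended GRE_TO_B
 permit gre host 198.51.100.1 host 203.0.113.1
!
crypto map ENCRYPT 10 ipsec-isakmp
 description GRE-over-IPsec to Site B
 set peer 203.0.113.1
 set transform-set GRE_SET
 set pfs group14
 match address GRE_TO_B
!
interface Tunnel0
 description GRE to Site B
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
!
interface GigabitEthernet0/0
 description Internet; the crypto map lives where the GRE packets exit
 ip address 198.51.100.1 255.255.255.252
 no cdp enable
 crypto map ENCRYPT
!
interface GigabitEthernet0/1
 description Site A LAN
 ip address 192.168.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 198.51.100.2
! remote LAN goes into the tunnel; the resulting GRE packets then match GRE_TO_B on Gi0/0
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
! ===== Site B: public 203.0.113.1, LAN 192.168.2.0/24 (mirror image of Site A) =====
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key S1teA-S1teB-ChangeMe address 198.51.100.1
!
crypto ipsec transform-set GRE_SET esp-aes 256 esp-sha256-hmac
 mode transport
!
ip access-list extended GRE_TO_A
 permit gre host 203.0.113.1 host 198.51.100.1
!
crypto map ENCRYPT 10 ipsec-isakmp
 description GRE-over-IPsec to Site A
 set peer 198.51.100.1
 set transform-set GRE_SET
 set pfs group14
 match address GRE_TO_A
!
interface Tunnel0
 description GRE to Site A
 ip address 10.255.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
!
interface GigabitEthernet0/0
 description Internet
 ip address 203.0.113.1 255.255.255.252
 no cdp enable
 crypto map ENCRYPT
!
interface GigabitEthernet0/1
 description Site B LAN
 ip address 192.168.2.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 203.0.113.2
ip route 192.168.1.0 255.255.255.0 Tunnel0
```

The two sides differ only in which address is local and which is remote; every mismatch between them (key, peer, ACL direction, tunnel destination) shows up as a phase 1 or phase 2 failure, so it is worth diffing the two halves before loading them.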


spremkumar Mon, 05/28/2007 - 20:00

Hi


You have created a GRE tunnel as well as an IPSEC tunnel, but through which tunnel are you going to pass the traffic out to the remote location?


Also, the routes which you have defined for the internet next hop and the LAN IP with an admin distance are not required.


Instead you need to have a static route pointing via the fa x/x interface, followed by the default IP/gateway provided by your ISP, and a backup route pointing towards your GRE tunnel.


Regards


jaffer_sathik2010 Tue, 05/29/2007 - 04:47

Hi,


It is a better idea to keep the tunnel source loopback with a public IP to ensure that it is reachable from the tunnel destination.


--Jaffer
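The reachability point above is the first thing to check, and the rest of the tunnel can be verified in the same order the traffic is built up (endpoint reachability, then IKE phase 1, then phase 2 counters, then routing). The sequence below is an added example for this thread, not something the replies posted; it uses only standard IOS privileged-EXEC commands and assumes constructed addresses: local public 198.51.100.1, remote peer 203.0.113.1, Tunnel0 10.255.0.1 locally and 10.255.0.2 remotely, remote LAN 192.168.2.0/24.

```cisco
! Run on the local router from privileged EXEC. Addresses are constructed for the example.
!
! 1. Plain IP reachability between the two endpoints, sourced from the local endpoint
!    address (the one the remote side has as tunnel destination and IKE peer). If this
!    fails, IKE can never start: look at NAT, ISP filtering or a private endpoint address.
ping 203.0.113.1 source 198.51.100.1
!
! 2. Generate interesting traffic: a ping across the tunnel /30 produces GRE packets that
!    should match the crypto ACL and trigger the IKE negotiation.
ping 10.255.0.2 source 10.255.0.1
!
! 3. Phase 1: the peer should be listed in state QM_IDLE. An entry stuck in MM_NO_STATE
!    usually means the peer is unreachable or the ISAKMP policy / pre-shared key differs.
show crypto isakmp sa
!
! 4. Phase 2: while step 2 runs, both "pkts encaps" and "pkts decaps" must rise. Encaps
!    rising with decaps at zero means the return path (remote ACL, route or NAT) is broken.
show crypto ipsec sa peer 203.0.113.1 | include pkts
!
! 5. Confirm the crypto ACL selects GRE from the local to the remote endpoint and that the
!    map is bound to the interface the GRE packets leave by.
show crypto map
!
! 6. Confirm the remote LAN is actually routed into the tunnel and the tunnel is up/up.
show ip route 192.168.2.0
show interfaces Tunnel0 | include line protocol|packets
!
! 7. Only if step 3 or 4 fails: watch the negotiation itself. This is noisy on a busy
!    router; stop it with "undebug all".
debug crypto isakmp
```

Checking in this order avoids the usual mistake of reading IKE debugs while the real problem is that the tunnel destination is simply not routable from the far side.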

Hi All,


I'm trying to get the IPSec tunnel up and running, but I'm running into some trouble.


The far end device is a Netscreen 5gt.


This is the error message I'm getting:

000035: Jun 1 17:00:31.369 PCTime: No peer struct to get peer description

000036: Jun 1 17:00:31.373 PCTime: No peer struct to get peer description


any help would be appreciated
