1841 and IPSec configuration

jasonmathew1
Level 1

Hi All,

I would like to connect Site A to Site B using an IPSec/GRE tunnel. I came up with a template to use and am wondering if my sample configuration will work.

Thanks in advance,

-J

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key <key> address <public interface ip>
!
crypto ipsec transform-set ESP_SHA esp-3des esp-sha-hmac
!
crypto map ENCRYPT 10 ipsec-isakmp
 description VPN to BIS
 set peer <public interface ip>
 set transform-set ESP_SHA
 set pfs group2
 match address GRE_TUNNEL0
!
interface Tunnel0
 description Tunnel to
 ip address <private interface ip> 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1300
 tunnel source Loopback1
 tunnel destination <remote loopback ip>
!
interface Null0
 no ip unreachables
!
interface Loopback1
 description GRE endpoint
 ip address <private interface ip> 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
! Public-facing interface
interface fa-x/x
 ip address <public interface ip>
 no cdp enable
 crypto map ENCRYPT
!
ip classless
!
ip route 0.0.0.0 0.0.0.0 (Internet Next-Hop) 254
ip route <LAN IP> 255.255.255.0 Null0 254
ip route <local loopback> 255.255.255.255 (Internet Next-Hop)
ip route <remote-public-interface> 255.255.255.255 (Internet Next-Hop)
!
no ip http server
!
ip access-list extended GRE_TUNNEL0
 permit ip host <remote loopback> host <local-loopback>

3 Replies

spremkumar
Level 9

Hi

You have created a GRE as well as an IPsec tunnel, but through which tunnel are you going to pass the traffic out to the remote location?

Also, the routes which you have defined for the internet next hop and LAN IP with some admin distance are not required.

Instead you need to have a static route pointing via fa-x/x followed by the default IP/gateway provided by your ISP, and a backup route pointing towards your GRE tunnel.

regds

Hi,

It is a better idea to keep the tunnel source loopback on a public IP to ensure that it is reachable from the tunnel destination.

--Jaffer
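The three points raised so far (the template itself, the routing remarks, and the advice to put the tunnel source loopback on a public address) can all be checked mechanically before the config is pasted into a router. The script below is an added example written for this thread; it is not code from the original poster, from Cisco, or from any tool the thread mentions. It assumes the config is in the indented form `show running-config` prints (one space before sub-commands), and the `SAMPLE_CONFIG` it audits is a constructed stand-in for the posted template, using RFC 5737 documentation addresses instead of the `<placeholders>`. The sample intentionally keeps the loopback on a private address and writes the crypto ACL remote-to-local, so the audit has something to report.

```python
import ipaddress
import re

# Constructed sample modelled on the template in the post, with RFC 5737 documentation
# addresses in place of the <placeholders>; tunnel source and crypto ACL are deliberately wrong.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP_SHA esp-3des esp-sha-hmac
crypto map ENCRYPT 10 ipsec-isakmp
 set peer 198.51.100.1
 set pfs group2
 match address GRE_TUNNEL0
interface Tunnel0
 tunnel source Loopback1
 tunnel destination 198.51.100.2
interface Loopback1
 ip address 192.168.1.1 255.255.255.255
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map ENCRYPT
ip route 0.0.0.0 0.0.0.0 203.0.113.254 254
ip route 198.51.100.1 255.255.255.255 203.0.113.254
ip access-list extended GRE_TUNNEL0
 permit ip host 198.51.100.2 host 192.168.1.1
"""

# Ciphers and DH groups that current Cisco guidance classes as legacy.
LEGACY = [(re.compile(r"\b3des\b"), "3DES"), (re.compile(r"\bencr des\b|\besp-des\b"), "DES"),
          (re.compile(r"\bmd5\b"), "MD5"), (re.compile(r"\bgroup ?[125]\b"), "DH group 1/2/5")]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_blocks(text):
    """Split an indented IOS config into (header, [sub-commands]); '!' lines are dropped."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(line)
        else:
            blocks.append((line, []))
    return blocks

def with_prefix(blocks, prefix):
    return [(h, c) for h, c in blocks if h.startswith(prefix)]

def child_arg(children, prefix):
    # third word of the first sub-command starting with prefix, e.g. X of "set peer X"
    return next((c.split()[2] for c in children if c.startswith(prefix)), None)

def interface_ip(blocks, name):
    for header, children in with_prefix(blocks, "interface "):
        if header.split()[1].lower() == name.lower():
            return child_arg(children, "ip address ")
    return None

def static_routes(blocks):
    return [ipaddress.ip_network("{}/{}".format(*h.split()[2:4])) for h, _ in with_prefix(blocks, "ip route ")]

def covered(ip, nets):
    return any(ipaddress.ip_address(ip) in n for n in nets)

def audit(text):
    """Return human-readable findings for an IOS GRE-over-IPsec template."""
    blocks, findings = parse_blocks(text), []
    for header, children in blocks:
        for line in [header] + children:
            findings += [f"legacy crypto: {label} in '{line}'" for pat, label in LEGACY if pat.search(line)]
    ifaces = with_prefix(blocks, "interface ")
    bound = {child_arg(ch, "crypto map ") for _, ch in ifaces} - {None}
    routes, crypto_acls = static_routes(blocks), set()
    for header, children in with_prefix(blocks, "crypto map "):
        name, peer = header.split()[2], child_arg(children, "set peer ")
        crypto_acls.add(child_arg(children, "match address "))
        if name not in bound:
            findings.append(f"crypto map {name} is not applied to any interface")
        if peer and not covered(peer, routes):
            findings.append(f"no route covers IKE peer {peer}")
    for header, children in ifaces:
        if not header.lower().startswith("interface tunnel"):
            continue
        src, dst = child_arg(children, "tunnel source "), child_arg(children, "tunnel destination ")
        if src and not re.match(r"\d+\.\d+\.\d+\.\d+$", src):
            src = interface_ip(blocks, src)  # 'tunnel source Loopback1' -> that loopback's address
        if not src or not dst:
            findings.append(f"{header}: tunnel source/destination incomplete")
            continue
        if covered(src, RFC1918):
            findings.append(f"{header}: tunnel source {src} is RFC 1918, not reachable by the far end")
        if not covered(dst, routes):
            findings.append(f"{header}: no route covers tunnel destination {dst}")
        # The crypto ACL selects outbound GRE, so the local endpoint must be the source.
        for acl_hdr, entries in with_prefix(blocks, "ip access-list extended "):
            acl, proto = acl_hdr.split()[3], r"permit (ip|gre|47) host "
            fwd = [e for e in entries if re.match(proto + f"{re.escape(src)} host {re.escape(dst)}$", e)]
            rev = [e for e in entries if re.match(proto + f"{re.escape(dst)} host {re.escape(src)}$", e)]
            if acl in crypto_acls and rev and not fwd:
                findings.append(f"{acl}: crypto ACL entry is reversed; local {src} must be the source, remote {dst} the destination")
    return findings
```

Run `audit(open("running-config.txt").read())` against your own export; the sample above yields a legacy-cipher warning for 3DES and PFS group 2, a warning that the Loopback1 tunnel source is RFC 1918, and a warning that GRE_TUNNEL0 lists the remote loopback first. A crypto map left off the public interface, or a peer with no covering route, is reported the same way. Placeholders such as `<public interface ip>` are not valid addresses, so substitute real values before running it on the template.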

Hi All,

I'm trying to get the IPSec tunnel up and running but am running into some trouble.

The far end device is a Netscreen 5gt.

This is the error message I'm getting:

000035: Jun 1 17:00:31.369 PCTime: No peer struct to get peer description

000036: Jun 1 17:00:31.373 PCTime: No peer struct to get peer description

Any help would be appreciated.