05-28-2007 07:45 AM - edited 02-21-2020 03:04 PM
Hi All,
Would like to connect Site A to Site B using IPSec/GRE tunnel. I came up with a template to use and wondering if my sample configuration will work.
Thanks in advance,
-J
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key <key> address <public interface ip>
!
!
crypto ipsec transform-set ESP_SHA esp-3des esp-sha-hmac
!
crypto map ENCRYPT 10 ipsec-isakmp
description VPN to BIS
set peer <public interface ip>
set transform-set ESP_SHA
set pfs group2
match address GRE_TUNNEL0
!
!
interface Tunnel0
description Tunnel to
ip address <private interface ip> 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1300
tunnel source Loopback1
tunnel destination <remote loopback ip>
!
interface Null0
no ip unreachables
!
interface Loopback1
description GRE endpoint
ip address <private interface ip> 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
!
!
interface fa-x/x ====================================>(Public-facing Interface)
ip address <public interface ip>
no cdp enable
crypto map ENCRYPT
!
!
ip classless
!
ip route 0.0.0.0 0.0.0.0 (Internet Next-Hop) 254
ip route <LAN IP> 255.255.255.0 Null0 254
ip route <local loopback> 255.255.255.255 (Internet Next-Hop)
ip route <remote-public-interface> 255.255.255.255 (Internet Next-Hop)
!
no ip http server
!
ip access-list extended GRE_TUNNEL0
permit ip host <remote loopback> host <local-loopback>
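One way to fill in this template so that LAN traffic actually rides the GRE tunnel (the point the replies below raise), using the public interface itself as the GRE endpoint. This is an added example, not the poster's configuration; the interface names, pre-shared key placeholder and all addresses (RFC 5737 public ranges, RFC 1918 LANs) are constructed.

```cisco
! Site A. Site B mirrors this with the peer, tunnel and LAN addresses swapped.
! 3DES / DH group 2 are kept only to match the template; current deployments
! would use AES and group 14 or higher.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key <pre-shared-key> address 198.51.100.2
!
crypto ipsec transform-set ESP_SHA esp-3des esp-sha-hmac
 mode transport
! Transport mode: GRE already supplies the outer IP header, so a second
! encapsulating header (tunnel mode) adds nothing but overhead.
!
! The crypto ACL must match the GRE packets themselves, i.e. the tunnel
! source/destination pair, not the private LAN subnets.
ip access-list extended GRE_TUNNEL0
 permit gre host 203.0.113.2 host 198.51.100.2
!
crypto map ENCRYPT 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set ESP_SHA
 set pfs group2
 match address GRE_TUNNEL0
!
interface FastEthernet0/0
 description Public-facing interface (tunnel source and IPsec peer address)
 ip address 203.0.113.2 255.255.255.252
 no cdp enable
 crypto map ENCRYPT
!
interface FastEthernet0/1
 description Site A LAN
 ip address 10.1.1.1 255.255.255.0
!
interface Tunnel0
 description GRE to Site B
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.2
!
! Default route reaches the peer over the Internet; the remote LAN is routed
! into Tunnel0, which is what causes the GRE packets the crypto ACL encrypts.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 10.2.2.0 255.255.255.0 Tunnel0
```

`show crypto isakmp sa` and `show crypto ipsec sa` (encaps/decaps counters incrementing) confirm the SA comes up once traffic for 10.2.2.0/24 enters Tunnel0.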
05-28-2007 08:00 PM
Hi
You have created a GRE as well as an IPsec tunnel, but through which tunnel are you going to pass the traffic out to the remote location?
Also, the routes which you have defined for the Internet next hop and LAN IP with some admin distance are not required.
Instead you need to have a static route pointing via the fa x/x interface followed by the default IP/gateway provided by your ISP, and a backup route pointing towards your GRE tunnel.
regds
05-29-2007 04:47 AM
Hi,
It is a better idea to keep the tunnel source loopback with a public IP to ensure that it is reachable from the tunnel destination.
--Jaffer
06-01-2007 02:02 PM
Hi All,
I'm trying to get the IPSec tunnel up and running but am running into some trouble.
The far end device is a Netscreen 5GT.
This is the error message I'm getting:
000035: Jun 1 17:00:31.369 PCTime: No peer struct to get peer description
000036: Jun 1 17:00:31.373 PCTime: No peer struct to get peer description
Any help would be appreciated.