GRE over IPSEC 12.2 to 12.3

Unanswered Question
Jul 2nd, 2007

While sorting out a different issue for a customer, I noticed that their crypto configurations weren't working (no output from show crypto isakmp sa). At first glance I thought the problem was down to the ACLs being wrong for GRE over IPSEC, as they were configured for the LAN ranges instead of the GRE tunnel source and destination IP addresses.


I undertook to help them out, though it isn't my field of expertise, but I've got a bit stuck.


The (unencrypted) tunnel works fine, and EIGRP forms an adjacency over it.


The branch router is running 12.3 and the core router 12.2. Because of this, I thought I'd need to apply the crypto map to both the tunnel and physical interface of the core router, but just to the physical interface of the branch router.


However, it all works fine until I apply the crypto map to the physical interface of the branch router - I lose connectivity and the only way I can get back onto the device is by reloading it. I've also tried applying the crypto map to the tunnel. This allows the tunnel to work, but the encryption still doesn't come up. If I apply it to both the tunnel and the physical interface, I lose connectivity as before.


The configurations as applied are below along with an abridged "show version" for each router. Can anyone help? Upgrading the software is only likely to be an option if it is definitely not solvable in any other way. BTW - both routers have a VPN module, but the one in the branch router appears not to be recognised by the IOS running. I didn't think this would be a problem in itself, though I know it would affect performance.





version 12.3
!
hostname BranchRouter
!
! Phase 1 (ISAKMP) policy and the pre-shared key for the core router's public address
crypto isakmp policy 25
 hash md5
 authentication pre-share
!
crypto isakmp key dummykey address 57.57.57.57
!
! Phase 2 transform set; transport mode, since the GRE tunnel already supplies the outer IP header
crypto ipsec transform-set www esp-des esp-md5-hmac
 mode transport
!
crypto map GRE local-address Ethernet0
!
crypto map GRE 50 ipsec-isakmp
 set peer 57.57.57.57
 set transform-set www
 match address 101
!
interface Tunnel0
 bandwidth 2048
 ip address 10.1.1.2 255.255.255.252
 ip mtu 1440
 tunnel source Ethernet0
 tunnel destination 57.57.57.57
!
interface Ethernet0
 description Public Interface
 ip address 43.43.43.43 255.255.255.248
 ip nat outside
 crypto map GRE
!
! Crypto ACL: the GRE packets between the two tunnel endpoints are the interesting traffic
access-list 101 permit gre host 43.43.43.43 host 57.57.57.57



IOS (tm) C1700 Software (C1700-K9O3SY7-M), Version 12.3(1a), RELEASE SOFTWARE (fc1)
ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)
System image file is "flash:c1700-k9o3sy7-mz.123-1a.bin"
cisco 1721 (MPC860P) processor (revision 0x300) with 83278K/15026K bytes of memory.
32768K bytes of processor board System flash (Read/Write)



version 12.2
!
hostname CoreRouter
!
! Phase 1 (ISAKMP) policy and the pre-shared key for the branch router's public address
crypto isakmp policy 25
 hash md5
 authentication pre-share
!
crypto isakmp key dummykey address 43.43.43.43
!
! Phase 2 transform set, transport mode, matching the branch side
crypto ipsec transform-set WWW esp-des esp-md5-hmac
 mode transport
!
crypto map GRE 80 ipsec-isakmp
 set peer 43.43.43.43
 set transform-set WWW
 match address 104
!
interface Tunnel3
 ip address 10.1.1.1 255.255.255.252
 ip mtu 1440
 tunnel source FastEthernet0/0
 tunnel destination 43.43.43.43
 crypto map GRE
!
! Crypto ACL: mirror image of the branch router's access-list 101
access-list 104 permit gre host 57.57.57.57 host 43.43.43.43
!


IOS (tm) C2600 Software (C2600-JK9S-M), Version 12.2(23), RELEASE SOFTWARE (fc2)
cisco 2621 (MPC860) processor (revision 0x00) with 59392K/6144K bytes of memory.
1 Virtual Private Network (VPN) Module(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
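The placement rule behind the question is Cisco's: before IOS 12.2(13)T the crypto map for GRE over IPsec has to sit on both the tunnel interface and the physical interface the tunnel is sourced from; from 12.2(13)T onward (which 12.3 mainline includes) it goes on the physical interface only. The script below is an added example, not code from the thread or from Cisco: it parses two IOS config fragments and cross-checks the things that most often stop ISAKMP from ever starting for a GRE-over-IPsec pair: that each crypto ACL is exactly `permit gre` between the local tunnel source address and the tunnel destination, that the far side's ACL is the mirror image, that the crypto map's `set peer` and the ISAKMP key address match the tunnel destination, and that the crypto map is applied on the interfaces the release requires. The two config strings are constructed from the ones posted above with IOS indentation restored; the `interface FastEthernet0/0` block on the core router is not in the post and is assumed here (address 57.57.57.57 from the branch's `tunnel destination`, mask assumed). Run against the posted configs, the check reports one discrepancy: the core router's 12.2 image wants the crypto map on FastEthernet0/0 as well as on Tunnel3, and the posted config has it only on the tunnel.

```python
"""Cross-check a pair of GRE-over-IPsec crypto map configs (added example,
not code from the original post or from Cisco).

Rule applied for crypto map placement: before IOS 12.2(13)T the map must be on
both the tunnel and the physical (tunnel source) interface; from 12.2(13)T on,
and on 12.3 mainline, the physical interface alone is enough.
"""
import re
from dataclasses import dataclass, field

# Constructed from the thread's posted configs, indentation restored.
BRANCH_CFG = """\
version 12.3
hostname BranchRouter
crypto isakmp key dummykey address 57.57.57.57
crypto ipsec transform-set www esp-des esp-md5-hmac
 mode transport
crypto map GRE local-address Ethernet0
crypto map GRE 50 ipsec-isakmp
 set peer 57.57.57.57
 set transform-set www
 match address 101
interface Tunnel0
 ip address 10.1.1.2 255.255.255.252
 tunnel source Ethernet0
 tunnel destination 57.57.57.57
interface Ethernet0
 ip address 43.43.43.43 255.255.255.248
 crypto map GRE
access-list 101 permit gre host 43.43.43.43 host 57.57.57.57
"""
# The FastEthernet0/0 block is NOT in the posted config; it is assumed here so
# the tunnel source has an address (57.57.57.57 per the branch's destination).
CORE_CFG = """\
version 12.2
hostname CoreRouter
crypto isakmp key dummykey address 43.43.43.43
crypto ipsec transform-set WWW esp-des esp-md5-hmac
 mode transport
crypto map GRE 80 ipsec-isakmp
 set peer 43.43.43.43
 set transform-set WWW
 match address 104
interface Tunnel3
 ip address 10.1.1.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 43.43.43.43
 crypto map GRE
interface FastEthernet0/0
 ip address 57.57.57.57 255.255.255.248
access-list 104 permit gre host 57.57.57.57 host 43.43.43.43
"""


@dataclass
class Iface:
    ip: str = ""
    tunnel_source: str = ""
    tunnel_destination: str = ""
    crypto_map: str = ""


@dataclass
class Router:
    name: str = ""
    keys: set = field(default_factory=set)      # peer addresses with an ISAKMP key
    maps: dict = field(default_factory=dict)    # (map name, seq) -> {peer, acl}
    ifaces: dict = field(default_factory=dict)  # interface name -> Iface
    acls: dict = field(default_factory=dict)    # ACL number -> [(src, dst)]


def parse(text):
    """Minimal IOS parser: a leading space marks a sub-command of the previous
    top-level line.  Only the statements the checks need are recorded."""
    r, block = Router(), ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):                      # top-level command
            block = line
            if line.startswith("hostname "):
                r.name = line.split()[1]
            elif line.startswith("crypto isakmp key "):
                r.keys.add(line.split()[-1])
            elif (m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line)):
                r.maps[(m[1], m[2])] = {"peer": "", "acl": ""}
            elif line.startswith("interface "):
                r.ifaces[line.split()[1]] = Iface()
            elif (m := re.match(r"access-list (\d+) permit gre host (\S+) host (\S+)", line)):
                r.acls.setdefault(m[1], []).append((m[2], m[3]))
            continue
        w = line.split()                                 # sub-command of `block`
        if block.startswith("crypto map ") and (e := r.maps.get(tuple(block.split()[2:4]))):
            if w[:2] == ["set", "peer"]:
                e["peer"] = w[2]
            elif w[:2] == ["match", "address"]:
                e["acl"] = w[2]
        elif block.startswith("interface "):
            i = r.ifaces[block.split()[1]]
            if w[:2] == ["ip", "address"]:
                i.ip = w[2]
            elif w[:2] == ["tunnel", "source"]:
                i.tunnel_source = w[2]
            elif w[:2] == ["tunnel", "destination"]:
                i.tunnel_destination = w[2]
            elif w[:2] == ["crypto", "map"]:
                i.crypto_map = w[2]
    return r


def needs_map_on_tunnel(release):
    """True when this IOS release still needs the crypto map on the tunnel
    interface too.  Release strings look like '12.2(23)' or '12.2(13)T'."""
    m = re.match(r"(\d+)\.(\d+)\((\d+)[a-z]*\)([A-Z]*)", release)
    major, minor, rebuild, train = int(m[1]), int(m[2]), int(m[3]), m[4]
    if train == "T":
        return (major, minor, rebuild) < (12, 2, 13)
    return (major, minor) < (12, 3)   # 12.2 mainline predates the change; 12.3 has it


def check(local, release, remote):
    """Return a list of problems for `local` (running `release`), peering with `remote`."""
    problems = []
    for tname, t in local.ifaces.items():
        if not t.tunnel_destination:
            continue                                     # not a tunnel interface
        phys = local.ifaces.get(t.tunnel_source)
        if phys is None or not phys.ip:
            problems.append(f"{local.name}: tunnel source {t.tunnel_source} of {tname} has no IP address")
            continue
        src, dst = phys.ip, t.tunnel_destination
        if not phys.crypto_map:
            problems.append(f"{local.name}: no crypto map on {t.tunnel_source} (tunnel source of {tname})")
        if needs_map_on_tunnel(release) and not t.crypto_map:
            problems.append(f"{local.name}: IOS {release} also needs the crypto map on {tname}")
        for (name, seq), e in local.maps.items():
            if name != (phys.crypto_map or t.crypto_map):
                continue
            if e["peer"] != dst:
                problems.append(f"{local.name}: crypto map {name} {seq} peer {e['peer']} != tunnel destination {dst}")
            if e["peer"] not in local.keys:
                problems.append(f"{local.name}: no ISAKMP key for peer {e['peer']}")
            if local.acls.get(e["acl"]) != [(src, dst)]:
                problems.append(f"{local.name}: ACL {e['acl']} should be exactly 'permit gre host {src} host {dst}'")
            if (dst, src) not in sum(remote.acls.values(), []):
                problems.append(f"{remote.name}: no mirror entry 'permit gre host {dst} host {src}'")
    return problems


def run():
    """Check both sides; releases taken from the posted 'show version' output."""
    branch, core = parse(BRANCH_CFG), parse(CORE_CFG)
    return check(branch, "12.3(1a)", core), check(core, "12.2(23)", branch)


if __name__ == "__main__":
    for side in run():
        print("\n".join(side) or "no problems found")
```

The parser keeps only what the checks need, so anything it does not understand (the ISAKMP policy, `local-address`, NAT) is ignored rather than misread. The release rule lives in one function so it can be adjusted if a platform's train behaves differently.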


didyap Fri, 07/06/2007 - 08:32

Try reconfiguring the crypto map and related stuff at both ends.

krishnakomiti Sat, 07/07/2007 - 03:37

Hi,


I think you're trying from a machine; from a machine it will not work, because you have given the ACL for transport mode.

My suggestion is to try an extended ping from the router itself and check whether the encrypted packets are handshaking or not, via "show crypto engine connection active".


Cheers,

Krishna.

huw.morgan Sun, 07/08/2007 - 23:02

Hi Krishna, thanks for your reply, but I don't quite understand.


I'm working entirely on the pair of routers - I'm not using an end-station to test.


What do you mean by the "ACL from transport mode"?


krishnakomiti Mon, 07/09/2007 - 03:09

Hi,


I mean you have created VPNs between two routers. Transport mode means your VPN tunnel and the interesting traffic are the same, so generate traffic from the interesting-traffic machine (the router); for that you have to use an extended ping and check whether the packets are flowing or not.

