
IPSEC-GRP routing protocol

bapatsubodh
Level 1

Hi,

We are configuring GRE-IPsec with OSPF. Without the IPsec configuration we are able to form an OSPF neighbor relationship across the two ends of the GRE tunnel. But when we apply "crypto map NAP" to the tunnel interface, the OSPF adjacency does not form.

Here is the configuration; a similar configuration is on the other end of the tunnel.

int tunnel 10

ip add 10.1.1.1

tunnel source s0/0

tunnel destination 10.2.1.2

crypto map NAP //** Crypto MAP applied **//

int s0/0

ip add 10.2.1.1 255.255.255.252

int fa0/0

ip add 10.3.1.1 255.255.255.0

router ospf 10

network 10.3.1.0 0.0.0.255 a 0 // *** Ethernet subnet published ***//

network 10.1.1.0 0.0.0.255 a 0 // *** Tunnel subnet published ***//

access-list 110 permit ip any any

access-list 110 permit icmp any any

access-list 110 permit ospf any any

crypto isakmp policy 10

encr aes

group 2

authen preshare

crypto isakmp key 0 cisco 10.2.1.2

crypto ipsec transform-set trial esp-3des esp-sha-hmac

crypto map NAP 10 ipsec-isakmp

set peer 10.2.1.2

match address 110

set transform-set trial

Please share the experience.

Any link of configuration example with GRE+IPSEC+OSPF on cisco.com?

Thanks in advance.

subodh

Accepted Solutions

Istvan_Rabai
Level 7

Hi Bapat,

I can see 2 things that should be corrected in the configuration:

1. The crypto map should be applied to the s0/0 interface, NOT to the tunnel10 interface.

2. access-list 110 should specify the interesting traffic, but in the case of GRE over IPSec the interesting traffic is the following:

access-list 110 permit gre host 10.2.1.1 host 10.2.1.2

Of course, the configuration on the other side of the tunnel must be corrected as well, and it should be symmetrical to this, that is:

access-list 110 permit gre host 10.2.1.2 host 10.2.1.1

Cheers:

Istvan
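
The two corrections in the answer above, written as a check over IOS-style configuration text. This is an added example, not code from the thread: the minimal parser, the function names `parse` and `audit`, and the sample configuration (built from the thread's addresses and map name) are assumptions for illustration.

```python
TEMPLATE = """interface Tunnel10
 tunnel source s0/0
 tunnel destination 10.2.1.2
{tun}
interface s0/0
 ip address 10.2.1.1 255.255.255.252
{ser}
{acl}
crypto map NAP 10 ipsec-isakmp
 match address 110"""  # constructed sample: only the lines the check reads
BEFORE = TEMPLATE.format(tun=" crypto map NAP", ser="", acl="\n".join(
    f"access-list 110 permit {p} any any" for p in ("ip", "icmp", "ospf")))
AFTER = TEMPLATE.format(tun="", ser=" crypto map NAP",
                        acl="access-list 110 permit gre host 10.2.1.1 host 10.2.1.2")

def parse(config):
    """Collect interfaces, ACL permit entries and crypto map definitions (minimal parser)."""
    ifaces, acls, maps, ctx = {}, {}, {}, None
    for t in filter(None, map(str.split, config.splitlines())):
        if t[0] in ("interface", "int"):
            ctx = ifaces.setdefault("".join(t[1:]).lower(), {})
        elif t[0] == "access-list" and len(t) > 3 and t[2] == "permit":
            acls.setdefault(t[1], []).append(tuple(t[3:]))
        elif t[:2] == ["crypto", "map"] and len(t) > 3:  # global map entry
            ctx = maps.setdefault(t[2], {})
        elif ctx is None or len(t) < 3:
            continue
        elif t[:2] == ["crypto", "map"]:  # map applied to the current interface
            ctx["crypto_map"] = t[2]
        elif t[:2] == ["match", "address"]:
            ctx["acl"] = t[2]
        elif t[0] == "ip" and t[1].startswith("add"):
            ctx["ip"] = t[2]
        elif t[0] == "tunnel":  # tunnel source / tunnel destination
            ctx[t[1]] = t[2].lower()
    return ifaces, acls, maps

def audit(config):
    """Findings for: map on a tunnel interface; crypto ACL entry that is not GRE endpoint-to-endpoint."""
    ifaces, acls, maps = parse(config)
    tunnels = {n: i for n, i in ifaces.items() if n.startswith("tunnel")}
    findings = [f"crypto map {i['crypto_map']} is on {n}; apply it to the tunnel source interface"
                for n, i in tunnels.items() if "crypto_map" in i]
    expected = {("gre", "host", ifaces.get(i.get("source"), {}).get("ip", i.get("source")),
                 "host", i.get("destination")) for i in tunnels.values()}
    for name, m in maps.items():
        findings += [f"crypto map {name}, ACL {m['acl']}: 'permit {' '.join(e)}' is not GRE between the tunnel endpoints"
                     for e in acls.get(m.get("acl"), []) if e not in expected]
    return findings
```

`audit(BEFORE)` reports the map on the tunnel interface plus each of the three broad ACL entries, and `audit(AFTER)` returns an empty list; running it against the far router's configuration checks that its ACL is the mirror image.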

pompeychimes
Level 4

Apply the crypto map to the physical interface s0/0

Leo Laohoo
Hall of Fame

Avoid using interface when defining source/destination as this would cost more CPU than using IP Addresses.

You don't need "network 10.1.1.0 0.0.0.255 a 0".

Try this config:

crypto isakmp policy

encr aes

authentication pre-share

group 2

crypto isakmp key address

!

crypto ipsec transform-set esp-3des esp-sha-hmac

!

crypto ipsec profile

set transform-set

!

interface Tunnel

ip address xxx.xxx.xxx.xxx 255.255.255.252

tunnel source

tunnel destination

tunnel protection ipsec profile

tunnel mode ipsec ipv4

no shutdown

exit

!

router ospf

network 10.3.1.0 0.0.0.255 area 0

exit

Hope this helps. Please rate when helpful and/or applicable.

Hi friends,

It did work!

I have applied crypto to serial interface and in access list I permitted GRE!!

It worked in first shot!

Your timely help is highly appreciated!

Thanks again

Subodh Bapat.
