07-04-2009 07:04 PM - edited 03-04-2019 05:19 AM
Hi,
We are configuring GRE-IPsec with OSPF. Without the IPsec configuration we are able to form an OSPF neighbor relationship across the two ends of the GRE tunnel. But when we apply "crypto map NAP" to the tunnel interface, OSPF does not form.
Here is the configuration; a similar configuration is on the other end of the tunnel.
int tunnel 10
 ip add 10.1.1.1
 tunnel source s0/0
 tunnel destination 10.2.1.2
 crypto map NAP //** Crypto MAP applied **//
int s0/0
 ip add 10.2.1.1 255.255.255.252
int fa0/0
 ip add 10.3.1.1 255.255.255.0
router ospf 10
 network 10.3.1.0 0.0.0.255 a 0 // *** Ethernet subnet published ***//
 network 10.1.1.0 0.0.0.255 a 0 // *** Tunnel subnet published ***//
access-list 110 permit ip any any
access-list 110 permit icmp any any
access-list 110 permit ospf any any
crypto isakmp policy 10
 encr aes
 group 2
 authen pre-share
crypto isakmp key 0 cisco address 10.2.1.2
crypto ipsec transform-set trial esp-3des esp-sha-hmac
crypto map NAP 10 ipsec-isakmp
 set peer 10.2.1.2
 match address 110
 set transform-set trial
Please share your experience.
Is there any link to a configuration example with GRE+IPSEC+OSPF on cisco.com?
Thanks in advance.
subodh
07-04-2009 08:39 PM
Apply the crypto map to the physical interface s0/0.
07-04-2009 09:38 PM
Avoid using interface when defining source/destination as this would cost more CPU than using IP Addresses.
You don't need "network 10.1.1.0 0.0.0.255 a 0".
Try this config:
crypto isakmp policy
encr aes
authentication pre-share
group 2
crypto isakmp key
!
crypto ipsec transform-set
!
crypto ipsec profile
set transform-set
!
interface Tunnel
ip address xxx.xxx.xxx.xxx 255.255.255.252
tunnel source
tunnel destination
tunnel protection ipsec profile
tunnel mode ipsec ipv4
no shutdown
exit
!
router ospf
network 10.3.1.0 0.0.0.255 area 0
exit
Hope this helps. Please rate when helpful and/or applicable.
07-04-2009 11:40 PM
Hi Bapat,
I can see 2 things that should be corrected in the configuration:
1. The crypto map should be applied to the s0/0 interface, NOT to the tunnel10 interface.
2. access-list 110 should specify the interesting traffic, but in the case of GRE over IPSec the interesting traffic is the following:
access-list 110 permit gre host 10.2.1.1 host 10.2.1.2
Of course, the configuration on the other side of the tunnel must be corrected as well, and it should be symmetrical to this, that is:
access-list 110 permit gre host 10.2.1.2 host 10.2.1.1
Cheers:
Istvan
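The two corrections in the answer above can be checked mechanically. The following Python script is an added example, not part of the thread and not Cisco tooling: it audits a constructed config fragment for a crypto map bound to the tunnel instead of the tunnel source interface, and for a crypto ACL that is anything other than GRE between the tunnel endpoints. The function names, the sample text and the assumption that interface names are written out in full are assumptions of the example.

```python
# Constructed sample modelled on the thread's first post; FIXED applies both corrections.
BROKEN = """\
interface Tunnel10
 tunnel source Serial0/0
 tunnel destination 10.2.1.2
 crypto map NAP
interface Serial0/0
 ip address 10.2.1.1 255.255.255.252
access-list 110 permit ip any any
crypto map NAP 10 ipsec-isakmp
 match address 110
"""
FIXED = (BROKEN.replace(" crypto map NAP\ninterface", "interface")
         .replace("255.252\n", "255.252\n crypto map NAP\n")
         .replace("permit ip any any", "permit gre host 10.2.1.1 host 10.2.1.2"))

def sections(cfg):
    """Map each top-level IOS command to its list of indented sub-commands."""
    out, cur = {}, []
    for line in filter(str.strip, cfg.splitlines()):
        if line[0] != " ":
            cur = out.setdefault(line.strip(), [])
        else:
            cur.append(line.strip())
    return out

def arg(subs, prefix):  # text after the first sub-command starting with prefix, else None
    return next((s[len(prefix):].strip() for s in subs if s.startswith(prefix)), None)

def audit(cfg):
    """Findings per tunnel; the crypto ACL must be exactly the GRE host-to-host entry."""
    sec, findings = sections(cfg), []
    for subs in (s for s in sec.values() if arg(s, "tunnel destination")):
        dst = arg(subs, "tunnel destination")
        if arg(subs, "crypto map"):
            findings.append("crypto map bound to tunnel interface")
        phys = sec.get("interface " + str(arg(subs, "tunnel source")), [])
        if arg(phys, "crypto map") is None:
            findings.append("no crypto map on tunnel source interface")
        cmap = arg(phys, "crypto map") or arg(subs, "crypto map")
        src = (arg(phys, "ip address") or "?").split()[0]
        acl = next((arg(s, "match address") for h, s in sec.items()
                    if h.startswith(f"crypto map {cmap} ")), None)
        want = f"access-list {acl} permit gre host {src} host {dst}"
        if [h for h in sec if h.startswith(f"access-list {acl} ")] != [want]:
            findings.append("crypto ACL is not exactly GRE between the tunnel endpoints")
    return findings

print(audit(BROKEN), audit(FIXED), sep="\n")
```

Running the same audit on the peer's config checks the mirrored ACL, because the expected entry is built from that router's own tunnel source address and tunnel destination.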
07-05-2009 04:43 AM
Hi friends,
It did work!
I have applied crypto to the serial interface, and in the access list I permitted GRE!!
It worked on the first shot!
Your timely help is highly appreciated!
Thanks again
Subodh Bapat.