IPSEC over GRE issue

Jul 15th, 2009

Hi, I am unable to establish IPsec over GRE. Can anyone help with what I am missing?

show crypto isakmp sa

192.167.250.5 58.27.234.42 MM_NO_STATE 0 0 ACTIVE (deleted)


Actually, my tunnel IPs are source 192.167.250.5 and destination 192.167.250.6, but for some reason one side is replying with its public IP, as you can see in the output above (58.27.193.42).


My tunnel configuration is below, and the crypto map is applied on it as well:

interface Tunnel2223
 ip address 192.167.250.6 255.255.255.252
 keepalive 10 3
 tunnel source 58.27.234.42
 tunnel destination 117.20.44.58
 crypto map manager


Any suggestions? Why is one side responding with the public IP of the tunnel?


Istvan_Rabai Wed, 07/15/2009 - 09:46

Hi Muhammad,


I can't see your entire IPSec configuration, but from what you provided I can see that you applied the crypto map on the tunnel interface.


The crypto map must be applied to the physical interface on both sides of the tunnel.


If it still doesn't work, please post your entire config related to GRE over IPsec.


Cheers:

Istvan

ahmad82pkn Fri, 07/17/2009 - 01:13

Why do I need to apply it on the physical interface on both sides?


I want to apply it on the GRE tunnel, which is a virtual interface as well, and then encrypt the traffic that is travelling inside my GRE.



Like ip route 10.0.0.0/8 tunnel5000


I want to encrypt 10.0.0.0/8 when it's passing through the GRE tunnel.


And I want to apply my crypto map like:

int tun 5000
 crypto map mycrypto


Isn't that possible?


ahmad82pkn Fri, 07/17/2009 - 01:20

Here is my full config:

crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
 lifetime 5000
!
crypto isakmp key xyz address 192.167.250.5
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set auth2 esp-3des
crypto map manager 10 ipsec-isakmp
 set peer 192.167.250.5
 set transform-set auth2
 match address 101
!
ip access-list extended 101
 permit ip any 10.110.26.0 0.0.0.255
!
interface Tunnel2223
 ip address 192.167.250.6 255.255.255.252
 tunnel source 58.27.234.42
 tunnel destination 117.20.44.58
 crypto map manager
end
!
ip route 10.0.0.0 255.0.0.0 Tunnel2223

Istvan_Rabai Fri, 07/17/2009 - 02:53

Hi Muhammad,


The following needs correction in your config:


crypto isakmp key xyz address 117.20.44.58

crypto map manager 10 ipsec-isakmp
 set peer 117.20.44.58
 set transform-set auth2
 match address 101


where 117.20.44.58 (I suppose) is the IP address of the PHYSICAL interface on the other IPsec tunnel endpoint.


Your interesting traffic for IPSec encryption will be the traffic going through the GRE Tunnel:


ip access-list extended 101
 permit gre host 58.27.234.42 host 117.20.44.58


You have to correct your configuration on the other IPSec tunnel endpoint, too.

The ACL should be symmetrical on the other side:


ip access-list extended 101
 permit gre host 117.20.44.58 host 58.27.234.42


You should remove the crypto map from the Tunnel interfaces.


Cheers:

Istvan
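To show Istvan's corrections end to end, here is a complete two-router GRE over IPsec configuration. This is an added example and not config from the thread: the physical interface name (GigabitEthernet0/0), the mask on the public interfaces, the MTU/MSS values and the routes on Router B are assumptions. The thread's own policy used md5, 3DES and DH group 2, which are weak by today's standards; this example assumes an IOS release that supports AES-256, SHA-256 and DH group 14 and uses those instead. Everything else (addresses, map name "manager", ACL 101, transform-set name "auth2", pre-shared key "xyz") is taken from the thread.

```cisco
! ===== Router A: public 58.27.234.42, tunnel 192.167.250.6 (the poster's side) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
! The peer is the other side's PHYSICAL address, not its tunnel address.
crypto isakmp key xyz address 117.20.44.58
!
crypto ipsec transform-set auth2 esp-aes 256 esp-sha256-hmac
 mode transport
!
! Interesting traffic is the GRE packet between the two physical addresses.
! The inner 10.0.0.0/8 traffic is already inside that GRE packet, so it is
! encrypted as a consequence; it must NOT be the crypto ACL match.
access-list 101 permit gre host 58.27.234.42 host 117.20.44.58
!
crypto map manager 10 ipsec-isakmp
 set peer 117.20.44.58
 set transform-set auth2
 match address 101
!
interface GigabitEthernet0/0
 ip address 58.27.234.42 255.255.255.252
 crypto map manager
!
interface Tunnel2223
 ip address 192.167.250.6 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source 58.27.234.42
 tunnel destination 117.20.44.58
 ! no "crypto map" here: the map lives on GigabitEthernet0/0
!
ip route 10.0.0.0 255.0.0.0 Tunnel2223
!
! ===== Router B: public 117.20.44.58, tunnel 192.167.250.5 (mirror image) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key xyz address 58.27.234.42
!
crypto ipsec transform-set auth2 esp-aes 256 esp-sha256-hmac
 mode transport
!
access-list 101 permit gre host 117.20.44.58 host 58.27.234.42
!
crypto map manager 10 ipsec-isakmp
 set peer 58.27.234.42
 set transform-set auth2
 match address 101
!
interface GigabitEthernet0/0
 ip address 117.20.44.58 255.255.255.252
 crypto map manager
!
interface Tunnel2223
 ip address 192.167.250.5 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source 117.20.44.58
 tunnel destination 58.27.234.42
!
! Assumed: networks behind Router A are reached through the tunnel (the
! thread does not show Router B's routes).
ip route 10.110.26.0 255.255.255.0 Tunnel2223
!
! Verification on either side:
!   show crypto isakmp sa      -> state QM_IDLE with the PEER's PUBLIC address
!   show crypto ipsec sa       -> pkts encaps/decaps increasing for the GRE ACL
!   show interfaces Tunnel2223 -> line protocol up (keepalives answered)
```

Notice what `show crypto isakmp sa` should now display: the peer column shows the public addresses, which is exactly what the original poster saw and mistook for a problem. ISAKMP always negotiates between the physical endpoints; it was the peer and crypto ACL on his side pointing at the tunnel addresses (192.167.250.x) that left the SA stuck in MM_NO_STATE. The transport-mode transform-set is a common choice here because the GRE header already carries the outer addresses, saving 20 bytes per packet; tunnel mode also works.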


Giuseppe Larosa Tue, 07/21/2009 - 22:26

Hello Muhammad,

First of all, at the beginning you were trying to do GRE over IPsec and not the opposite.

I also wonder if you have understood what you have done.


Istvan's suggestions are clear and correct; if you want to learn this subject, I would give them a try.


It is important to understand that in GRE over IPsec the crypto map has to be applied on the physical interface and not on the GRE tunnel interface, because the tunnel represents the traffic to be encrypted.



Hope to help

Giuseppe
