07-15-2009 09:40 AM - edited 03-04-2019 05:26 AM
Hi, I am unable to establish IPsec over GRE. Can anyone help? What am I missing?
sh crypto isakmp sa
192.167.250.5 58.27.234.42 MM_NO_STATE 0 0 ACTIVE (deleted)
Actually, my tunnel IPs are source 192.167.250.5 and destination 192.167.250.6, but for some reason one side of the connection is replying back with a public IP, as you can see in the above output: 58.27.193.42
My tunnel configuration is below, and crypto is applied on it as well:
interface Tunnel2223
ip address 192.167.250.6 255.255.255.252
keepalive 10 3
tunnel source 58.27.234.42
tunnel destination 117.20.44.58
crypto map manager
Any suggestions? Why is one side responding with the public IP of the tunnel?
07-15-2009 09:46 AM
Hi Muhammad,
I can't see your entire IPSec configuration, but from what you provided I can see that you applied the crypto map on the tunnel interface.
The crypto map must be applied to the physical interface on both sides of the tunnel.
If it still doesn't work, please post your entire config related to GRE over IPSec.
Cheers:
Istvan
07-17-2009 01:13 AM
Why do I need to apply it on the physical interface on both sides?
I want to apply it on the GRE tunnel, which is a virtual interface as well, and then encrypt traffic that is traveling inside my GRE.
Like ip route 10.0.0.0/8 tunnel5000
I want to encrypt 10.0.0.0/8 when it's passing through GRE,
and I want to apply my crypto like
int tun 5000
crypto map mycrypto
Isn't that possible?
07-17-2009 01:20 AM
Here is my full config:
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
lifetime 5000
crypto isakmp key xyz address 192.167.250.5
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set auth2 esp-3des
crypto map manager 10 ipsec-isakmp
set peer 192.167.250.5
set transform-set auth2
match address 101
ip access-list extended 101
permit ip any 10.110.26.0 0.0.0.255
interface Tunnel2223
ip address 192.167.250.6 255.255.255.252
tunnel source 58.27.234.42
tunnel destination 117.20.44.58
crypto map manager
end
ip route 10.0.0.0 255.0.0.0 tunnel 2223
07-17-2009 02:53 AM
Hi Muhammad,
The following needs correction in your config:
crypto isakmp key xyz address 117.20.44.58
crypto map manager 10 ipsec-isakmp
set peer 117.20.44.58
set transform-set auth2
match address 101
where 117.20.44.58 (I suppose) is the ip address of the PHYSICAL interface on the other IPSec tunnel endpoint.
Your interesting traffic for IPSec encryption will be the traffic going through the GRE Tunnel:
ip access-list extended 101
permit gre host 58.27.234.42 host 117.20.44.58
You have to correct your configuration on the other IPSec tunnel endpoint, too.
The ACL should be symmetrical on the other side:
ip access-list extended 101
permit gre host 117.20.44.58 host 58.27.234.42
You should remove the crypto map from the Tunnel interfaces.
Cheers:
Istvan
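Added example, not part of the thread and not any poster's code: a small Python audit that checks one router's config for three of the points in the reply above (crypto map on the Tunnel interface, peer and pre-shared key address not equal to the tunnel destination, ACL not matching GRE between the tunnel endpoints). The function names and finding codes are hypothetical; it assumes a single tunnel and crypto map, indented sub-commands, and a tunnel source given as an IP address.

```python
# Constructed input: the thread's original (uncorrected) config, re-indented
# the way IOS prints it so sub-commands can be grouped under their parent.
BEFORE = """\
crypto isakmp key xyz address 192.167.250.5
crypto map manager 10 ipsec-isakmp
 set peer 192.167.250.5
 match address 101
ip access-list extended 101
 permit ip any 10.110.26.0 0.0.0.255
interface Tunnel2223
 tunnel source 58.27.234.42
 tunnel destination 117.20.44.58
 crypto map manager
"""

def sections(cfg):
    """Group config lines as {parent line: [indented sub-commands]}."""
    out, head = {}, None
    for line in cfg.splitlines():
        if line.strip() and not line.startswith(" "):
            head = line.strip()
            out[head] = []
        elif line.strip() and head:
            out[head].append(line.strip())
    return out

def audit(cfg):
    """Return a sorted list of finding codes (hypothetical names) for one config."""
    sec, found = sections(cfg), set()
    # Sub-commands of every section whose parent line starts with `prefix`.
    subs = lambda prefix: [l for h, b in sec.items() if h.startswith(prefix) for l in b]
    peers = {l.split()[-1] for l in subs("crypto map ") if l.startswith("set peer ")}
    keys = {h.split()[-1] for h in sec if h.startswith("crypto isakmp key ")}
    acl = subs("ip access-list extended ")
    for head, body in sec.items():
        if not head.lower().startswith("interface tunnel"):
            continue
        # Map "tunnel source" -> address, "crypto map" -> map name, and so on.
        opt = {" ".join(l.split()[:2]): l.split()[-1] for l in body}
        src, dst = opt.get("tunnel source"), opt.get("tunnel destination")
        if "crypto map" in opt:
            found.add("crypto-map-on-tunnel-interface")
        if dst not in peers or dst not in keys:
            found.add("peer-or-key-not-tunnel-destination")
        if f"permit gre host {src} host {dst}" not in acl:
            found.add("acl-does-not-match-gre")
    return sorted(found)
```

Running `audit(BEFORE)` reports all three findings; the same config with the corrections from the reply applied returns an empty list.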
07-21-2009 06:33 AM
Istvan_Rabai - Thank you for your help.
I finally achieved what I wanted with the help of this link. Thanks again :)
http://www.ciscoblog.com/archives/2006/08/vpn_virtual_tun.html
07-21-2009 10:26 PM
Hello Muhammad,
First of all, at the beginning you were trying to do GRE over IPSec and not the opposite.
I also wonder if you have understood what you have done.
Istvan's suggestions are clear and correct; if you want to learn this subject, I would give them a try.
It is important to understand that in GRE over IPSec the crypto map has to be applied on the physical interface and not on the GRE tunnel interface, because it represents traffic to be encrypted.
Hope to help
Giuseppe