IPSEC over GRE issue

ahmad82pkn
Level 2

Hi, I am unable to establish IPsec over GRE. Can anyone help? What am I missing?

sh crypto isakmp sa

192.167.250.5 58.27.234.42 MM_NO_STATE 0 0 ACTIVE (deleted)

Actually, my tunnel IPs are source 192.167.250.5 and destination 192.167.250.6, but for some reason one side of the connection is replying with the public IP, as you can see in the output above: 58.27.193.42

My tunnel configuration is below, and crypto is applied on it as well:

interface Tunnel2223
 ip address 192.167.250.6 255.255.255.252
 keepalive 10 3
 tunnel source 58.27.234.42
 tunnel destination 117.20.44.58
 crypto map manager

Any suggestions? Why is one side responding with the public IP of the tunnel?


Istvan_Rabai
Level 7

Hi Muhammad,

I can't see your entire IPSec configuration, but from what you provided I can see that you applied the crypto map on the tunnel interface.

The crypto map must be applied to the physical interface on both sides of the tunnel.

If it still doesn't work, please post your entire config related to GRE over IPSec.

Cheers:

Istvan

Why do I need to apply it on the physical interface on both sides?

I want to apply it on the GRE tunnel, which is a virtual interface as well, and then encrypt the traffic that is traveling inside my GRE.

Like ip route 10.0.0.0/8 tunnel5000

I want to encrypt 10.0.0.0/8 when it's passing through GRE.

And I want to apply my crypto like:

int tun 5000
 crypto map mycrypto

Isn't that possible?

Here is my full config:

crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
 lifetime 5000
crypto isakmp key xyz address 192.167.250.5
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set auth2 esp-3des
crypto map manager 10 ipsec-isakmp
 set peer 192.167.250.5
 set transform-set auth2
 match address 101
ip access-list extended 101
 permit ip any 10.110.26.0 0.0.0.255
interface Tunnel2223
 ip address 192.167.250.6 255.255.255.252
 tunnel source 58.27.234.42
 tunnel destination 117.20.44.58
 crypto map manager
end

ip route 10.0.0.0 255.0.0.0 tunnel 2223

Hi Muhammad,

The following needs correction in your config:

crypto isakmp key xyz address 117.20.44.58
crypto map manager 10 ipsec-isakmp
 set peer 117.20.44.58
 set transform-set auth2
 match address 101

where 117.20.44.58 (I suppose) is the ip address of the PHYSICAL interface on the other IPSec tunnel endpoint.

Your interesting traffic for IPSec encryption will be the traffic going through the GRE Tunnel:

ip access-list extended 101
 permit gre host 58.27.234.42 host 117.20.44.58

You have to correct your configuration on the other IPSec tunnel endpoint, too.

The ACL should be symmetrical on the other side:

ip access-list extended 101
 permit gre host 117.20.44.58 host 58.27.234.42

You should remove the crypto map from the Tunnel interfaces.

Cheers:

Istvan
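The corrections in the reply above, expressed as a small configuration check. This is an added example, not part of the original thread and not Cisco tooling; the names `sections` and `lint_gre_over_ipsec` are hypothetical, and it assumes a single GRE tunnel whose source and destination are given as IP addresses.

```python
import re
# Constructed sample: the configuration as posted in the thread, before the corrections.
POSTED = """\
crypto isakmp key xyz address 192.167.250.5
crypto map manager 10 ipsec-isakmp
 set peer 192.167.250.5
 set transform-set auth2
 match address 101
ip access-list extended 101
 permit ip any 10.110.26.0 0.0.0.255
interface Tunnel2223
 ip address 192.167.250.6 255.255.255.252
 tunnel source 58.27.234.42
 tunnel destination 117.20.44.58
 crypto map manager
"""

def sections(config):
    """Group IOS lines as [(top-level command, [indented sub-commands])]."""
    out = []
    for line in filter(str.strip, config.splitlines()):
        if line[0].isspace() and out:
            out[-1][1].append(line.strip())
        else:
            out.append((line.strip(), []))
    return out

def lint_gre_over_ipsec(config):
    """Hypothetical helper: flag the mistakes corrected in the reply above."""
    secs, findings = sections(config), []
    head, subs = next((x for x in secs if x[0].lower().startswith("interface tunnel")), (None, []))
    if head is None:
        return ["no GRE tunnel interface found"]
    arg = lambda kw: next((s.split()[-1] for s in subs if s.startswith(kw)), None)
    src, dst = arg("tunnel source"), arg("tunnel destination")
    if any(s.startswith("crypto map") for s in subs):
        findings.append(f"{head}: crypto map is applied to the tunnel interface")
    for h, body in secs:
        key = re.match(r"crypto isakmp key \S+ address (\S+)", h)
        if key and key.group(1) != dst:
            findings.append(f"isakmp key address {key.group(1)} is not tunnel destination {dst}")
        if h.startswith("crypto map"):
            for peer in (s.split()[-1] for s in body if s.startswith("set peer")):
                if peer != dst:
                    findings.append(f"{h}: peer {peer} is not tunnel destination {dst}")
    want = f"permit gre host {src} host {dst}"
    if not any(want in body for h, body in secs if h.startswith("ip access-list")):
        findings.append(f"no crypto ACL entry '{want}'")
    return findings
```

Run on the posted configuration it reports four findings; after the changes from the reply are applied it reports none.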

Istvan_Rabai - Thank you for your help.

I finally achieved what I wanted with the help of this link. Thanks again :)

http://www.ciscoblog.com/archives/2006/08/vpn_virtual_tun.html

Hello Muhammad,

First of all, at the beginning you were trying to do GRE over IPSec and not the opposite.

I also wonder if you have understood what you have done.

Istvan's suggestions are clear and correct; if you want to learn this subject, I would give them (Istvan's suggestions) a try.

Understanding that in GRE over IPSec the crypto map has to be applied on the physical interface and not on the GRE tunnel interface, because it represents traffic to be encrypted, is important.

Hope to help

Giuseppe
