11-04-2003 06:35 PM - edited 02-21-2020 12:51 PM
Dear All,
Basically, I am trying to configure 2 IPSec tunnels, one with GRE but the other one without GRE. Can you please help check the following configuration for me? Thanks! :-)
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key aicentgrxdigi address 203.208.128.120
crypto isakmp key digi-maxis address (remote Maxis IPSec peer IP address)
!
crypto ipsec transform-set Aicent esp-des esp-md5-hmac
!
crypto map ToAicent 10 ipsec-isakmp
 set peer 203.208.128.120
 set transform-set Aicent
 match address 101
!
crypto map ToAicent 20 ipsec-isakmp
 set peer (remote Maxis IPSec peer IP address)
 set transform-set Aicent
 match address 102
!
interface Tunnel0
 ip address x.x.x.145 255.255.255.252
 tunnel source 203.92.154.1
 tunnel destination 203.208.128.120
 crypto map ToAicent
!
interface FastEthernet0/0
 description LAN||N|100|100||SDCIGW FE1/0||| Connection to 7206VXR
 ip address x.x.x.1 255.255.255.252
 duplex auto
 speed auto
 crypto map ToAicent
!
access-list 101 permit gre host 203.92.154.1 host 203.208.128.120
access-list 102 permit (local DiGi MMSC host/subnet IP address) (remote Maxis MMSC host/subnet IP address)
!
ip route 0.0.0.0 0.0.0.0 203.92.154.2
ip route (remote Maxis MMSC host/subnet IP address) (remote Maxis IPSec peer IP address)
!
11-04-2003 11:42 PM
Hi,
We are using GRE tunneling by default and have linked the same crypto map to both the physical and tunnel interface.
Let me know in case you need more info.
Regards, Martijn
11-05-2003 01:07 AM
Thank you for your prompt reply...
But, what I mean is that I already have one GRE over IPSec working. But, what should I do if I need to configure another IPSec without GRE tunnel on the same physical interface. Please help.
11-05-2003 01:20 AM
Just create another crypto map using another seq number for your IPSEC tunnel without using GRE tunneling?
11-05-2003 01:32 AM
Yep, that is exactly what I did in my configuration that I showed in the first place, please check it. It does not work... Look forward to hearing from you soon.
11-05-2003 01:52 AM
Use the troubleshooting steps advised in the "troubleshooting IPSEC" doc on cisco.com:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml
Up to which step does it work?
Regards, Martijn
11-05-2003 02:10 AM
Basically, no SA is successful when I tried what you suggested. Can I have your email address for further discussion tomorrow?
11-05-2003 02:43 AM
I am willing to contact you by e-mail in case you post your e-mail address in this forum.
Let's also post the outcome in this forum for knowledge sharing purposes.
Regards, Martijn
11-05-2003 06:38 AM
Hi,
I might be missing something, but I can't see any route that uses the tunnel interface as next-hop. So it seems like all your traffic (for both remote sites) goes out from FastEthernet, not the tunnel interface. So how is it working?
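The check raised in the last reply (does any static route use the tunnel interface as its next hop?), written out as an added Python example that is not part of the thread. The function names and the sample configuration are assumptions constructed for illustration, with documentation-range addresses; only static routes in the config text are examined, so routes learned from a routing protocol are not seen.

```python
import ipaddress
import re

# Constructed sample modelled on the posted configuration; the addresses are
# documentation-range placeholders, not values from the thread.
SAMPLE = """\
interface Tunnel0
 ip address 192.0.2.145 255.255.255.252
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.120
 crypto map ToAicent
!
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.252
 crypto map ToAicent
!
ip route 0.0.0.0 0.0.0.0 198.51.100.2
ip route 10.20.0.0 255.255.0.0 198.51.100.2
"""

def tunnel_subnets(config):
    """Map each Tunnel interface to its connected subnet (None if no address)."""
    tunnels, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            name = m.group(1)
            current = name if name.lower().startswith("tunnel") else None
            if current:
                tunnels[current] = None
            continue
        m = re.match(r"\s*ip address (\S+) (\S+)", line)
        if current and m:
            # strict=False: the interface address is a host inside the subnet
            tunnels[current] = ipaddress.ip_network(
                f"{m.group(1)}/{m.group(2)}", strict=False)
    return tunnels

def tunnels_without_routes(config):
    """Return Tunnel interfaces that no static route uses as next hop."""
    tunnels, used = tunnel_subnets(config), set()
    for line in config.splitlines():
        m = re.match(r"ip route \S+ \S+ (\S+)", line)
        if not m:
            continue
        hop = m.group(1)
        is_ip = re.fullmatch(r"\d+\.\d+\.\d+\.\d+", hop) is not None
        for name, net in tunnels.items():
            # Next hop given as the interface name, or as an address on its subnet
            if hop.lower() == name.lower() or (
                    is_ip and net is not None and ipaddress.ip_address(hop) in net):
                used.add(name)
    return sorted(set(tunnels) - used)
```

On the constructed sample, `tunnels_without_routes(SAMPLE)` reports `Tunnel0`, since both static routes point at the FastEthernet-side next hop.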