09-05-2003 12:09 AM - edited 03-09-2019 04:40 AM
Has anyone experience with IPSec over GPRS?
I am having trouble getting LAN-to-LAN IPSec running between two 805s. Initially, the connection works (ping), but after some seconds/minutes the ISAKMP SAs get deleted:
deleting SA reason "death by retransmission P1" state (R) MM_SA_SETUP (peer 193.247.250.1) input queue 0
The hub router has a fixed IP and sits in the Internet (leased line), the spoke router dials in over GPRS.
The caller will get a 10.x.x.x address in the GPRS cloud and will be NATed towards the Internet (where the spoke sits), so IOS will mutually negotiate UDP Encapsulation.
What might be the problem?
Setup hub:
----------
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key *** address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 30
crypto isakmp nat keepalive 15
!
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
!
crypto dynamic-map dynamic-tunnel 10
set transform-set esp-3des-sha
set pfs group2
!match address 120
!
crypto map to-Sites 10 ipsec-isakmp dynamic dynamic-tunnel
!
interface Loopback0
ip address 172.16.0.3 255.255.255.255
!
interface Ethernet0
ip address 3.3.3.3 255.0.0.0
no cdp enable
crypto map to-Sites
ip route 0.0.0.0 0.0.0.0 5.5.5.5
ip route 172.16.0.0 255.255.255.252 Ethernet0
ip route 192.168.0.0 255.255.255.0 Ethernet0
Setup spoke:
------------
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key *** address 3.3.3.3
crypto isakmp keepalive 30
crypto isakmp nat keepalive 15
!
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
!
crypto map ipsec-to-Central 10 ipsec-isakmp
set peer 3.3.3.3
set transform-set esp-3des-sha
set pfs group2
match address 120
!
interface Loopback0
ip address 172.16.0.1 255.255.255.255
!
interface Ethernet0
ip address 192.168.0.130 255.255.255.0
no keepalive
!
interface Serial0
physical-layer async
no ip address
encapsulation ppp
ppp authentication chap callin
dialer in-band
dialer pool-member 1
async mode dedicated
no keepalive
!
interface Dialer0
ip address negotiated
encapsulation ppp
dialer pool 1
dialer idle-timeout 3600
dialer string "*99***1#"
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname ***
ppp chap password 0 ***
crypto map ipsec-to-Central
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 120 permit ip host 172.16.0.1 host 172.16.0.2
access-list 120 permit ip host 172.16.0.1 host 172.16.0.3
dialer-list 1 protocol ip permit
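Before looking at GPRS-specific causes, the first thing to rule out is a phase 1 or phase 2 parameter mismatch between the two 805s. The script below is an added example (not part of the thread or of Cisco IOS) that reads the crypto sections of the hub and spoke configurations exactly as posted above, fills in the IOS defaults for unset ISAKMP policy values (DES, SHA, RSA signatures, DH group 1), and reports any setting the peers must agree on that differs. The parser assumes the flattened layout of the posted configs (no indentation, blocks separated by "!"); the keepalive timers are collected for display but are not treated as mismatches, since DPD and NAT keepalive intervals do not have to be identical on both sides.

```python
import re

# Constructed sample input: the crypto-related lines of the hub and spoke
# configurations as posted in the thread (interfaces and routes omitted).
HUB_CONFIG = """\
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key *** address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 30
crypto isakmp nat keepalive 15
!
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
!
crypto dynamic-map dynamic-tunnel 10
set transform-set esp-3des-sha
set pfs group2
!match address 120
!
crypto map to-Sites 10 ipsec-isakmp dynamic dynamic-tunnel
"""

SPOKE_CONFIG = """\
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key *** address 3.3.3.3
crypto isakmp keepalive 30
crypto isakmp nat keepalive 15
!
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
!
crypto map ipsec-to-Central 10 ipsec-isakmp
set peer 3.3.3.3
set transform-set esp-3des-sha
set pfs group2
match address 120
"""

# Lines that open a configuration block; a bare "!" (or a commented line) closes it.
BLOCK_STARTS = ("crypto isakmp policy", "crypto ipsec transform-set",
                "crypto dynamic-map", "crypto map")

# Settings both peers must agree on for ISAKMP and IPsec negotiation to succeed.
MUST_MATCH = ("encr", "hash", "auth", "group", "pfs", "transforms")


def extract_params(config):
    """Pull the negotiation-relevant settings out of a flattened IOS config."""
    # IOS defaults for an ISAKMP policy when a value is not set explicitly.
    params = {"encr": "des", "hash": "sha", "auth": "rsa-sig", "group": "1",
              "keepalive": None, "nat_keepalive": None, "peer": None,
              "transform_sets": {}, "transforms": None, "pfs": None}
    block = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            block = None           # separator or comment ends the current block
            continue
        m = re.match(r"crypto isakmp (nat keepalive|keepalive) (\d+)", line)
        if m:                      # global DPD / NAT-T keepalive timers
            key = "nat_keepalive" if "nat" in m.group(1) else "keepalive"
            params[key] = m.group(2)
            continue
        if line.startswith(BLOCK_STARTS):
            block = line
            m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
            if m:                  # remember the set so a crypto map can resolve it
                params["transform_sets"][m.group(1)] = tuple(m.group(2).split())
            continue
        tokens = line.split()
        if block and block.startswith("crypto isakmp policy"):
            if tokens[0] in ("encr", "encryption"):
                params["encr"] = tokens[1]
            elif tokens[0] in ("hash", "group"):
                params[tokens[0]] = tokens[1]
            elif tokens[0] == "authentication":
                params["auth"] = tokens[1]
        elif block and block.startswith(("crypto map", "crypto dynamic-map")):
            if tokens[:2] == ["set", "transform-set"]:
                params["transforms"] = params["transform_sets"].get(tokens[2])
            elif tokens[:2] == ["set", "pfs"]:
                params["pfs"] = tokens[2]
            elif tokens[:2] == ["set", "peer"]:
                params["peer"] = tokens[2]
    return params


def compare_peers(hub_config, spoke_config):
    """Return human-readable mismatches in the settings both peers must share."""
    hub, spoke = extract_params(hub_config), extract_params(spoke_config)
    return [f"{key}: hub={hub[key]} spoke={spoke[key]}"
            for key in MUST_MATCH if hub[key] != spoke[key]]


if __name__ == "__main__":
    problems = compare_peers(HUB_CONFIG, SPOKE_CONFIG)
    print("no mismatches" if not problems else "\n".join(problems))
    for side, cfg in (("hub", HUB_CONFIG), ("spoke", SPOKE_CONFIG)):
        p = extract_params(cfg)
        print(f"{side}: DPD keepalive={p['keepalive']}s, NAT keepalive={p['nat_keepalive']}s")
```

For the configurations as posted the check reports no mismatches (3DES, pre-shared key, SHA, group 1, PFS group2 and the same ESP transform set on both sides), which is consistent with the tunnel coming up at first; a parameter mismatch would normally prevent phase 1 from completing at all rather than tearing it down after a few minutes, so a clean result here points the investigation toward the path (NAT, routing, filtering) rather than the crypto settings.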
09-11-2003 11:49 AM
The problem probably does not have anything to do with GPRS. We were seeing these messages on a 'plain' network and the problem turned out to be BGP filters at our ISP. It would be a good idea to have a look at your configurations and also to check whether the route learning process is OK.
10-16-2003 06:56 AM
What kind of GPRS modem are you using, and what kind of modemcap do you use for the modem configuration?