router 1760 config with GRE and IPsec, outgoing encrypted traffic problems
I have a 1760 router connected to the internet via ADSL. The other router end connects to a PC that runs a server sending packets through the router to the internet. The PC private local IP is 172.16.0.1, the router is 172.16.30.1, and the static public IP address from the ISP is x.x.x.x.
I have set up a GRE tunnel to connect to another company, with IPsec as shown in the configuration below.
The problem I have has to do with the traffic directed through the tunnel to the internet. I want to send all packets with destination 10.20.44.* through the tunnel. When I send packets from the server running on the PC behind the router, I can see packets from 172.16.0.1 to 10.20.44.1. The problem comes after I have sent 2 such packets: I can no longer receive a correct answer from the destination (10.20.44.1) I sent them to.
So every time I can send just 2 packets out to the net correctly, through the tunnel with destination 10.x.x.1 and source 172.x.x.1. I have found that when I delete the ip route command that directs traffic into tunnel0 and REAPPLY the same ip route immediately after deleting it, I can again send just 2 more packets and receive an answer, then it stops again.
Also, if I wait long enough (about 10 minutes) after the 2 packets have been sent, I can send one more packet, then it stops again.
I also receive packets from them correctly, so I suspect it has to do with IPsec, since it is the only thing that gets in the way, and the tunnel works fine for the first 2 packets.
Re: router 1760 config with GRE and IPsec, outgoing encrypted tr
Well the problem is still unresolved.
I have found some more things though. When I shut the tunnel and turn it on, I can send 2 packets and get an answer. Then the rest are problematic.
When I CAN send and receive, the debug at the other end I try to communicate with sees the IPsec first, then the GRE, and then the inside packet from 172.16.0.1 to 10.20.44.1. When I CAN'T send anymore, the debugger on the other end sees packets with IPsec, then GRE, and after opening GRE sees AGAIN an IPsec packet with source 188.8.131.52 and destination 184.108.40.206 instead of the inside network packets from 172.16.0.1 to 10.20.44.1.
What I want is NOT to encrypt the inside packet of the GRE, but only the GRE itself. This is the problem mainly.
I have tried to put gre instead of ip in the IPsec access-list "extended cosmote", but the connection fails completely on either side. I have tried to DENY the source 172.16.0.1 and destination 10.20.44.1 and it does not work.
How can I prevent the packets from FastEthernet0/0 being encrypted? I suspect the ip route command directing the data through the tunnel tells the router to encrypt that data automatically. But why does the access-list not work?