Cisco Support Community
Community Member

1841 and IPSec configuration

Hi All,

I would like to connect Site A to Site B using an IPSec/GRE tunnel. I came up with a template to use and am wondering if my sample configuration will work.

Thanks in advance,

-J

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key <key> address <public interface ip>
!
!
crypto ipsec transform-set ESP_SHA esp-3des esp-sha-hmac
!
crypto map ENCRYPT 10 ipsec-isakmp
 description VPN to BIS
 set peer <public interface ip>
 set transform-set ESP_SHA
 set pfs group2
 match address GRE_TUNNEL0
!
!
interface Tunnel0
 description Tunnel to
 ip address <private interface ip> 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1300
 tunnel source Loopback1
 tunnel destination <remote loopback ip>
!
interface Null0
 no ip unreachables
!
interface Loopback1
 description GRE endpoint
 ip address <private interface ip> 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
!
interface fa-x/x ====> (Public-facing Interface)
 ip address <public interface ip>
 no cdp enable
 crypto map ENCRYPT
!
!
ip classless
!
ip route 0.0.0.0 0.0.0.0 (Internet Next-Hop) 254
ip route <LAN IP> 255.255.255.0 Null0 254
ip route <local loopback> 255.255.255.255 (Internet Next-Hop)
ip route <remote-public-interface> 255.255.255.255 (Internet Next-Hop)
!
no ip http server
!
ip access-list extended GRE_TUNNEL0
 permit ip host <remote loopback> host <local-loopback>
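An added example, not part of the original post and not Cisco tooling: a Python lint for the cross-references a GRE-over-IPsec template like the one above depends on (peer to pre-shared key, crypto map to interface, crypto ACL to GRE endpoints). The sample config is constructed, trimmed to the lines the checks read, with example addresses filled in; it keeps the template's remote-then-local ACL order, which the last check reports because IOS matches a crypto ACL against outbound packets, where the local tunnel source is the packet source.

```python
import re

# Constructed sample: the template's structure with example addresses filled in.
SAMPLE = """\
crypto isakmp key EXAMPLE-KEY address 198.51.100.2
crypto map ENCRYPT 10 ipsec-isakmp
 set peer 198.51.100.2
 match address GRE_TUNNEL0
interface Tunnel0
 tunnel source Loopback1
 tunnel destination 10.255.0.2
interface Loopback1
 ip address 10.255.0.1 255.255.255.255
interface FastEthernet0/0
 crypto map ENCRYPT
ip access-list extended GRE_TUNNEL0
 permit ip host 10.255.0.2 host 10.255.0.1
"""

def sections(cfg):
    """Map each top-level command to the indented sub-commands under it."""
    out, cur = {}, []
    for line in cfg.splitlines():
        if line.startswith(" "):
            cur.append(line.strip())
        elif line.strip() not in ("", "!"):
            cur = out.setdefault(line.strip(), [])
    return out

def lint(cfg):
    """Assumes one Tunnel interface whose `tunnel source` is an interface name."""
    sec, bad = sections(cfg), []
    def sub(head, key):  # arguments of `key` lines in sections starting with `head`
        return [l[len(key):] for h, b in sec.items() if h.startswith(head)
                for l in b if l.startswith(key)]
    for peer in sub("crypto map ", "set peer "):
        if not any(re.fullmatch(rf"crypto isakmp key .+ address {re.escape(peer)}( .*)?", h) for h in sec):
            bad.append(f"no ISAKMP pre-shared key for peer {peer}")
    applied = set(sub("interface ", "crypto map "))
    for name in {h.split()[2] for h in sec if h.startswith("crypto map ")} - applied:
        bad.append(f"crypto map {name} is not applied to an interface")
    src_if = sub("interface Tunnel", "tunnel source ")[0]
    dst = sub("interface Tunnel", "tunnel destination ")[0]
    src = next(l.split()[2] for l in sec.get(f"interface {src_if}", []) if l.startswith("ip address "))
    for acl in sub("crypto map ", "match address "):
        want = rf"permit (ip|gre) host {re.escape(src)} host {re.escape(dst)}"
        if not any(re.fullmatch(want, e) for e in sec.get(f"ip access-list extended {acl}", [])):
            bad.append(f"ACL {acl} does not permit GRE from {src} to {dst}")
    return bad
```

Calling `lint(SAMPLE)` returns a single finding for the ACL direction; swapping the two hosts in the permit line clears it.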

3 REPLIES

Re: 1841 and IPSec configuration

Hi

You have created a GRE as well as an IPSEC tunnel, but through which tunnel are you going to pass the traffic out to the remote location?

Also, the routes which you have defined for the Internet next hop and LAN IP with some admin distance are not required.

Instead, you need to have a static route pointing via either the fa-x/x followed by the default IP/gateway provided by your ISP, and a backup route pointing towards your GRE tunnel.

regds

Community Member

Re: 1841 and IPSec configuration

Hi,

It is a better idea to keep the tunnel source loopback having a public IP to ensure that it is reachable from the tunnel destination.

--Jaffer

Community Member

Re: 1841 and IPSec configuration

Hi All,

I'm trying to get the IPSec tunnel up and running but am running into some troubles.

The far end device is a Netscreen 5gt.

This is the error message I'm getting:

000035: Jun 1 17:00:31.369 PCTime: No peer struct to get peer description

000036: Jun 1 17:00:31.373 PCTime: No peer struct to get peer description

Any help would be appreciated.
