07-16-2012 01:47 PM - edited 02-21-2020 06:12 PM
Hi, I'm trying to configure IPsec over a GRE tunnel, but the traffic passes unencrypted, and I can't find why this is happening. Here are the configs of the two routers (1841):
OFICINA#sh run br
Building configuration...
Current configuration : 1281 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname OFICINA
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
no ip domain lookup
!
!
!
username administrador privilege 15 secret 5 $1$hHkv$/7fp8YDQ25MKqqBwSwxo31
!
!
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key CISCO address 192.168.150.1
!
!
crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile MyProfile
set transform-set MyTransSet
!
!
!
!
interface Tunnel0
ip address 10.254.25.2 255.255.255.254
tunnel source 192.168.150.2
tunnel destination 192.168.150.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile MyProfile
!
interface FastEthernet0/0
ip address 192.168.150.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.150.1
!
ip http server
no ip http secure-server
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 3
login local
line vty 4
login
!
scheduler allocate 20000 1000
end
OFICINA#
ACO(config)#^Z
ACO#sh r
*Jul 16 20:56:28.759: %SYS-5-CONFIG_I: Configured from console by console
ACO#sh run br
Building configuration...
Current configuration : 1345 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ACO
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$PK6g$UNH80nfXPgCuo2cj5uNl31
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
!
!
no ip domain lookup
!
!
!
!
username administrador privilege 15 secret 5 $1$o3WB$Wrlxl..N901pBEMnJHgaV/
!
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key CISCO address 192.168.150.2
!
!
crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile MyProfile
set transform-set MyTransSet
!
!
!
!
interface Tunnel0
ip address 10.254.25.1 255.255.255.252
tunnel source 192.168.150.1
tunnel destination 192.168.150.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile MyProfile
!
interface FastEthernet0/0
ip address 192.168.150.1 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.5.25 255.255.255.0
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.150.2
!
ip http server
no ip http secure-server
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login local
line vty 5 15
login local
!
end
ACO#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 192.168.150.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 192.168.150.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.150.1, remote crypto endpt.: 192.168.150.2
path mtu 1514, ip mtu 1514
current outbound spi: 0x5B67BC1A(1533525018)
inbound esp sas:
spi: 0x761E04B5(1981678773)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3001, flow_id: FPGA:1, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4397592/939)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
spi: 0x1A2B14A8(439030952)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4441589/935)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x652102EB(1696662251)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3002, flow_id: FPGA:2, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4397592/932)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
spi: 0x5B67BC1A(1533525018)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3004, flow_id: FPGA:4, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4441589/932)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
ACO#
ACO#sh cry
ACO#sh crypto isa
ACO#sh crypto isakmp sa
dst src state conn-id slot status
192.168.150.1 192.168.150.2 QM_IDLE 1 0 ACTIVE
192.168.150.2 192.168.150.1 QM_IDLE 2 0 ACTIVE
Thanks in advance.....
07-16-2012 01:56 PM
Route all traffic via the IP tunnel interface, not the IP tunnel destination,
and add a static route for 192.168.150.1 / .2 via f0/0.
Regards
07-16-2012 02:18 PM
The tunnel is up, but ping requests do not get a response between the two routers....
I made the changes you said, but nothing happened.
Thanks.
07-16-2012 02:22 PM
The problem was the netmask of the tunnel.
07-16-2012 02:27 PM
router OFICINA
interface Tunnel0
ip address 10.254.25.2 255.255.255.252
!
!
ip route 0.0.0.0 0.0.0.0 tunnel0
router ACO
ip route 0.0.0.0 0.0.0.0 tunnel0
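Added example, not from the thread: a small Python audit that reads the two Tunnel0 blocks and the `show crypto ipsec sa` counters and reports the two defects fixed above (tunnel subnet mismatch, default route pointing at the tunnel destination instead of into Tunnel0), plus the symptom that gives cleartext leakage away: an ACTIVE SA with zero encaps/decaps. The configs and counter lines are constructed samples modelled on the pastes in this thread.

```python
import ipaddress
import re

# Constructed samples modelled on the thread's pastes (not the real devices).
OFICINA_CFG = """interface Tunnel0
 ip address 10.254.25.2 255.255.255.254
 tunnel destination 192.168.150.1
 tunnel protection ipsec profile MyProfile
!
ip route 0.0.0.0 0.0.0.0 192.168.150.1
"""
ACO_CFG = """interface Tunnel0
 ip address 10.254.25.1 255.255.255.252
 tunnel destination 192.168.150.2
 tunnel protection ipsec profile MyProfile
!
ip route 0.0.0.0 0.0.0.0 192.168.150.2
"""
SA_IDLE = " #pkts encaps: 0, #pkts encrypt: 0\n #pkts decaps: 0, #pkts decrypt: 0\n Status: ACTIVE\n"
SA_BUSY = " #pkts encaps: 57, #pkts encrypt: 57\n #pkts decaps: 61, #pkts decrypt: 61\n Status: ACTIVE\n"

# Corrected versions as the last post describes: /30 on both ends, default route into Tunnel0.
OFICINA_FIXED = OFICINA_CFG.replace("255.255.255.254", "255.255.255.252").replace("0.0.0.0 192.168.150.1", "0.0.0.0 Tunnel0")
ACO_FIXED = ACO_CFG.replace("0.0.0.0 192.168.150.2", "0.0.0.0 Tunnel0")

def tunnel0(cfg):
    """Return (interface address with mask, tunnel destination) from the Tunnel0 block."""
    block = re.search(r"^interface Tunnel0\n(.*?)(?=^\S)", cfg, re.M | re.S).group(1)
    ip, mask = re.search(r"ip address (\S+) (\S+)", block).groups()
    dest = re.search(r"tunnel destination (\S+)", block).group(1)
    return ipaddress.ip_interface(f"{ip}/{mask}"), dest

def audit(cfg_a, cfg_b, sa_output):
    """Return findings that explain why traffic may travel outside the IPsec tunnel."""
    findings = []
    a_if, a_dest = tunnel0(cfg_a)
    b_if, b_dest = tunnel0(cfg_b)
    if a_if.network != b_if.network:  # peers disagree on the tunnel subnet (/31 vs /30 here)
        findings.append(f"tunnel subnet mismatch: {a_if} vs {b_if}")
    for cfg, dest in ((cfg_a, a_dest), (cfg_b, b_dest)):
        m = re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", cfg, re.M)
        if m and m.group(1) == dest:  # default route bypasses Tunnel0, so LAN traffic goes out in the clear
            findings.append(f"default route via tunnel destination {dest}, not Tunnel0")
    enc = int(re.search(r"#pkts encaps: (\d+)", sa_output).group(1))
    dec = int(re.search(r"#pkts decaps: (\d+)", sa_output).group(1))
    if "Status: ACTIVE" in sa_output and enc == 0 and dec == 0:
        findings.append("SA is ACTIVE but has encrypted nothing: traffic is not entering the tunnel")
    return findings
```

`audit(OFICINA_CFG, ACO_CFG, SA_IDLE)` returns four findings for the original configs, and `audit(OFICINA_FIXED, ACO_FIXED, SA_BUSY)` returns none. On the real routers, `#pkts encaps` staying at 0 while `show crypto isakmp sa` shows QM_IDLE is the quickest sign that a tunnel is up but carrying nothing.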