RE: IPSEC + Tunnels posted 09/28/2001

Disagree here - I've tried to make it work and it doesn't. I think the
example below COULD work (never tried the approach used), because you have
assigned the source address of your IPSec packets as the Tunnel 0 interface
('crypto map ipsec local-address tunnel 0'). All the examples I've seen on
CCO assign the map to both the tunnel and the real interface.

You would never do this in a real world situation as your tunnel addressing
would have to be public if on the Internet to ensure IPSec peer-to-peer
communications.  Your tunnel addressing is typically private...

With the route-caching, I've noticed this so far on routers with a dialer
interface (e.g. ADSL): I've had to turn off fast switching and then it works
OK. Also noticed with 7200s that CEF seems to cause intermittent issues.

Justin Menga CCIE #6640 
Network Solutions Architect 
Wireless & E-Infrastructure 
Compaq Computer New Zealand 
DDI: +64-9-918-9381 Mobile: +64-21-349-599 
mailto: justin.menga@xxxxxxxxxx 

-----Original Message-----
From: brian apley [mailto:ccie7599@xxxxxxxxx] 
Sent: Friday, 28 September 2001 12:16 p.m.
To: routerjocky; Fear, Russell H; ccielab@xxxxxxxxxxxxxx
Subject: Re: IPSEC + Tunnels

Just to correct: you don't need to apply it to both interfaces (in fact
doing so will certainly lock up the router if the encryption domain rule
isn't written properly).
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key xxxxxxxxxxxxx address XX.XX.XX.XX
!
crypto ipsec transform-set ipsec esp-des esp-md5-hmac
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
!
! IKE/IPsec is sourced from the Tunnel0 address, so the map goes on the tunnel only
crypto map ipsec local-address Tunnel0
crypto map ipsec 10 ipsec-isakmp
 set peer XX.XX.XX.XX
 set transform-set ipsec
 match address 101
crypto map ipsec 20 ipsec-isakmp
 set peer XX.XX.XX.XX
 set transform-set 3des
 match address 102
! (access-lists 101 and 102, the crypto ACLs, are not shown in the post)
!
! fast switching is disabled on every interface in the path (see the note below)
interface Tunnel0
 ip address 12.X.X.X
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 tunnel source Ethernet0/1
 tunnel destination X.X.X.X
 crypto map ipsec
!
interface Ethernet0/0
 ip address 198.X.X.X
 ip nat inside
 no ip route-cache
 no ip mroute-cache
!
interface Ethernet0/1
 ip address 63.X.X.X
 no ip route-cache
 no ip mroute-cache

This example just happens to be using NAT, of course that's not necessary.

One funny thing: we've noticed (and there's some evidence in the bug
navigator) that it's best to turn route-caching and fast-switching off in this
setup. We troubleshot a case where one particular tunnel wouldn't work on
this router until we turned both off.


Hope that helps

Brian Apley

CCIE #7599, CCDP

  routerjocky <elouie@xxxxxxxxx> wrote: yup... right from the TAC and
assuming you mean router-to-router vpn via a GRE tunnel... start here:

and find your particular topology

Remember that when using GRE tunnels, you apply the crypto map to both the
tunnel interface and the serial/outbound interface in order for the
encryption to occur.

Best to do these in layers, too... get the GRE tunnel up first and check
that your routing is okay before encrypting... then after applying the
crypto maps, debug crypto ipsec to see how your crypto tunnels are being


----- Original Message -----
From: "Fear, Russell H" 
Sent: Thursday, September 27, 2001 8:42 AM
Subject: IPSEC + Tunnels

> Can anyone in the group send me a working config of a vpn using GRE 
> and IPSEC with pre-shared keys or point me to an example of this. I'm 
> having great difficulty getting it going in my lab. I have no problem 
> with e/n -> r1 -> serial -> r2 -> e/n encrypting between both 
> ethernets but can't get the tunnel stuff going.
> Russell
> * 700 2201 Internal
> * +44 ( 0 ) 870 238 2201 External
> * russell.fear@xxxxxxxxxxxxxxx
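An added example, not from anyone in this thread and not Cisco tooling: a small Python checker for the three things the thread goes back and forth on. It parses the relevant bits of an IOS config (crypto map entries, the map's local-address, the crypto ACL, the tunnel and its source interface) and reports (1) whether the crypto ACL actually covers the GRE flow the tunnel emits (the "encryption domain rule" Brian mentions), (2) whether the local-address interface carries an RFC1918 address, which is Justin's objection, and (3) whether the map is also on the tunnel source interface, which routerjocky and Justin say is required and Brian says is not, so that one is reported for you to judge. The sample configs and all addresses (RFC 5737 documentation ranges) are constructed; the X'ed-out addresses from Brian's post are not known.

```python
"""GRE-over-IPsec IOS config consistency checker (added example, not Cisco tooling)."""
import ipaddress

# Constructed sample patterned on the config posted in the thread; hypothetical
# RFC 5737 documentation addresses stand in for the X'ed-out ones.
SAMPLE_CONFIG = """\
crypto map ipsec local-address Tunnel0
crypto map ipsec 10 ipsec-isakmp
 set peer 203.0.113.9
 set transform-set 3des
 match address 101
!
access-list 101 permit gre host 198.51.100.1 host 203.0.113.9
!
interface Tunnel0
 ip address 192.0.2.1 255.255.255.252
 tunnel source Ethernet0/1
 tunnel destination 203.0.113.9
 crypto map ipsec
!
interface Ethernet0/1
 ip address 198.51.100.1 255.255.255.0
"""

# Same config with realistic mistakes introduced (constructed).
BROKEN_CONFIG = (
    SAMPLE_CONFIG
    .replace("192.0.2.1 255.255.255.252", "10.0.0.1 255.255.255.252")   # RFC1918 address as IKE source
    .replace("gre host 198.51.100.1", "gre host 10.0.0.1")             # ACL names the tunnel IP, not the GRE outer source
    .replace("255.255.255.0\n", "255.255.255.0\n crypto map ipsec\n")  # map also on the physical interface
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def parse_config(text):
    """Return {'ifaces', 'maps', 'local', 'acls'} for the handful of commands that matter here."""
    cfg = {"ifaces": {}, "maps": {}, "local": {}, "acls": {}}
    ctx = None  # interface dict or crypto map entry dict that indented lines belong to
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        w = line.split()
        if line[0] != " ":  # a top-level command starts a new context
            ctx = None
            if w[0] == "interface":
                ctx = cfg["ifaces"].setdefault(w[1], {})
            elif w[:2] == ["crypto", "map"] and len(w) == 5 and w[3] == "local-address":
                cfg["local"][w[2]] = w[4]
            elif w[:2] == ["crypto", "map"] and len(w) == 5 and w[4] == "ipsec-isakmp":
                ctx = cfg["maps"].setdefault(w[2], {}).setdefault(int(w[3]), {})
            elif w[0] == "access-list" and len(w) == 8 and w[2] == "permit" and w[4] == w[6] == "host":
                cfg["acls"].setdefault(w[1], []).append((w[3], w[5], w[7]))  # (proto, src, dst)
            continue
        if ctx is None:
            continue
        key = {("ip", "address"): "ip", ("tunnel", "source"): "src", ("tunnel", "destination"): "dst",
               ("crypto", "map"): "map", ("set", "peer"): "peer", ("match", "address"): "acl"}.get(tuple(w[:2]))
        if key and len(w) > 2:
            ctx[key] = w[2]
    return cfg


def check_gre_ipsec(cfg):
    """Return a list of findings for every GRE tunnel interface; empty means consistent."""
    findings = []
    for name, tun in cfg["ifaces"].items():
        if "dst" not in tun:
            continue  # not a tunnel interface
        map_name = tun.get("map")
        if map_name is None:
            findings.append(f"{name}: no crypto map applied, GRE leaves in the clear")
            continue
        src_if = cfg["ifaces"].get(tun.get("src"), {})
        src_ip = src_if.get("ip", tun.get("src"))  # 'tunnel source' may be an interface or an address
        if src_if.get("map") != map_name:
            findings.append(f"{name}: crypto map {map_name} not applied on tunnel source {tun.get('src')} (tunnel only)")
        # The encryption domain must match the GRE packets the tunnel itself emits:
        # outer source = tunnel source address, outer destination = tunnel destination.
        covered = any(
            ace == ("gre", src_ip, tun["dst"])
            for entry in cfg["maps"].get(map_name, {}).values()
            for ace in cfg["acls"].get(entry.get("acl"), [])
        )
        if not covered:
            findings.append(f"{name}: no crypto ACL under map {map_name} permits gre {src_ip} -> {tun['dst']}")
        # IKE and ESP are sourced from the local-address interface; a private
        # address there is unreachable for a peer on the Internet.
        la_if = cfg["local"].get(map_name)
        la_ip = cfg["ifaces"].get(la_if, {}).get("ip")
        if la_ip and is_rfc1918(la_ip):
            findings.append(f"{name}: local-address {la_if} ({la_ip}) is RFC1918, an Internet peer cannot reach it")
    return findings


if __name__ == "__main__":
    for label, text in (("thread-style", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, check_gre_ipsec(parse_config(text)) or ["ok"])
```

Run it against a `show running-config` dump instead of the embedded samples to get the same three checks on a real box; the parser only understands the `host ... host ...` ACL form, so a crypto ACL written with wildcard masks will show up as "no crypto ACL ... permits gre" and needs a look by hand.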