03-11-2017 01:17 PM - edited 03-05-2019 08:10 AM
I don't understand why, during a ping from Router9 to PC1, R2 after NAT translation additionally matches the packet to the IPsec transform map. The packet should leave R2 without encryption. Where is the trap? Thanks in advance.
Here is the most important part of R2's configuration:
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
!
crypto isakmp key MYKEY address 192.168.0.2
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
!
crypto map MYMAP 20 ipsec-isakmp
set peer 192.168.0.2
set transform-set MYSET
match address 100
!
interface Tunnel0
ip address 10.10.0.2 255.255.255.252
mtu 1476
tunnel source Serial0/0/0
tunnel destination 192.168.0.2
!
interface Serial0/0/0
ip address 192.168.0.6 255.255.255.252
ip nat outside
crypto map MYMAP
!
ip nat inside source list NAT_LIST interface Serial0/0/0 overload
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
access-list 100 permit gre any any
ip access-list extended NAT_LIST
permit ip 172.16.0.0 0.0.0.255 any
ACL 100 permits only GRE packets, not ICMP. The messages show that the packet isn't encapsulated in a GRE header. Here are the messages from PT.
03-11-2017 01:38 PM
Hello,
Is this a Packet Tracer project? Post the project (ZIP it first), so we can have a look at the configs.
03-12-2017 01:30 AM
OK, it's attached to the main post.
03-11-2017 03:37 PM
Hello,
Are you trying to configure GRE over IPsec or IPsec over GRE? It is GRE over IPsec if you are configuring the crypto map under the physical interface. Your picture shows IPsec over GRE.
Try this on R2:
You need to direct traffic into the tunnel interface:
ip route (network behind R0) 10.10.0.1
access-list 100 permit gre host 192.168.0.6 host 192.168.0.2
Do the same on R0.
Masoud
03-12-2017 03:42 AM
You are right, it's GRE over IPsec.
Traffic is directed to the tunnel interface; the traces come from OSPF routing. I attached the project file from Packet Tracer so you can look at it.
I can add the line access-list 100 permit gre host 192.168.0.6 host 192.168.0.2, but I think it doesn't change anything.
03-12-2017 10:28 AM
Hello,
I ran your project in Packet Tracer but hit an error. Then I tried a different environment and it worked after a little tweak.
Try it in a different environment. The error was recursive routing even though I had static routes toward the Internet; it might be a bug.
To avoid recursive routing, add static routes on both R0 and R2:
ip route 192.168.0.6 255.255.255.252 Serial0/1/0
ip route 192.168.0.2 255.255.255.252 Serial0/1/0
Complete your NAT:
ip nat inside source list 99 interface Serial0/0/0 overload
access-list 99 permit 172.16.0.0 0.0.255.255
Add a static or dynamic default route on R9.
It should work.
Masoud
03-13-2017 03:25 AM
Hello
R2 after NAT translation additionally matches the packet to the IPsec transform map. The packet should leave R2 without encryption. Where is the trap?
My understanding is that it wouldn't. There would first be a RIB lookup for the destination host, then it would get NATted, then it would be checked against the crypto map and its ACL.
I would also suggest refraining, if possible, from using an interface as your specified next hop, so that your NAT router does not have to ARP for every outside address, which is CPU-intensive; it can also fail if the attached (next-hop) router has proxy ARP disabled.
try:
no ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 0.0.0.0 0.0.0.0 Serial0/0/0 x.x.x.x
or
ip route 0.0.0.0 0.0.0.0 x.x.x.x
Regards,
Paul
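Added example, not part of the thread or of any poster's configuration: a small Python model of R2's forwarding path as the replies above describe it (route lookup, GRE encapsulation when the route points at Tunnel0, NAT on the nat-outside interface, then the crypto-map ACL check). The ACL matcher implements Cisco wildcard-mask semantics so the posted entries (`permit gre any any`, `permit ip 172.16.0.0 0.0.0.255 any`, Masoud's host-to-host entry) can be evaluated as written. Addresses come from the posted config; the "network behind R0" (10.20.0.0/24 with PC1 at 10.20.0.10), the static route to the peer endpoint and the Internet address 8.8.8.8 are assumptions. The model shows the trap the thread circles around: if the route to PC1's network is not pointing into the tunnel, the ICMP packet takes the default route, is NATted and is not GRE, so the crypto ACL never matches and it leaves in the clear.

```python
from dataclasses import dataclass, replace as dc_replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str          # "icmp" or "gre"
    src: str
    dst: str
    encrypted: bool = False


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(ip_address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def parse_ace(text):
    """Parse an extended ACE: '<permit|deny> <proto> <src> <dst>' where each
    address is 'any', 'host A' or 'A WILDCARD'. Ports are not modelled."""
    toks = text.split()
    action, proto, i, parts = toks[0], toks[1], 2, []
    for _ in range(2):
        if toks[i] == "any":
            parts.append(("0.0.0.0", "255.255.255.255")); i += 1
        elif toks[i] == "host":
            parts.append((toks[i + 1], "0.0.0.0")); i += 2
        else:
            parts.append((toks[i], toks[i + 1])); i += 2
    return action, proto, parts[0], parts[1]


def acl_permits(acl, pkt):
    """First-match evaluation with the implicit deny at the end."""
    for action, proto, (sb, sw), (db, dw) in (parse_ace(e) for e in acl):
        if proto not in ("ip", pkt.proto):
            continue
        if wildcard_match(pkt.src, sb, sw) and wildcard_match(pkt.dst, db, dw):
            return action == "permit"
    return False


def lookup(routes, dst):
    """Longest-prefix match; returns the egress interface or None."""
    best = None
    for prefix, iface in routes.items():
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


# R2 as posted, plus assumed routes: 10.20.0.0/24 (behind R0) via Tunnel0 as the
# OSPF route would give, and a static route to the peer endpoint.
R2 = {
    "routes": {"10.20.0.0/24": "Tunnel0", "192.168.0.0/30": "Serial0/0/0", "0.0.0.0/0": "Serial0/0/0"},
    "tunnel": {"Tunnel0": ("192.168.0.6", "192.168.0.2")},   # tunnel source / destination
    "nat_inside_list": ["permit ip 172.16.0.0 0.0.0.255 any"],   # NAT_LIST
    "nat_outside": "Serial0/0/0",
    "nat_overload_addr": "192.168.0.6",
    "crypto_acl": ["permit gre any any"],                         # access-list 100
    "crypto_interface": "Serial0/0/0",
}


def forward(router, pkt):
    """Return (egress interface, packet as it leaves R2) after routing,
    tunnel encapsulation, NAT and the crypto-map check, in that order."""
    egress = lookup(router["routes"], pkt.dst)
    if egress in router["tunnel"]:
        # GRE encapsulation: the outer header carries the tunnel endpoints
        # and is routed again toward the tunnel destination.
        src, dst = router["tunnel"][egress]
        pkt = Packet("gre", src, dst)
        egress = lookup(router["routes"], dst)
    if egress == router["nat_outside"] and acl_permits(router["nat_inside_list"], pkt):
        pkt = dc_replace(pkt, src=router["nat_overload_addr"])   # PAT to the interface address
    if egress == router["crypto_interface"] and acl_permits(router["crypto_acl"], pkt):
        pkt = dc_replace(pkt, encrypted=True)
    return egress, pkt


def without_tunnel_route(router):
    """Same router but the route to the network behind R0 is missing."""
    routes = {k: v for k, v in router["routes"].items() if k != "10.20.0.0/24"}
    return {**router, "routes": routes}


def with_host_crypto_acl(router):
    """Masoud's tighter crypto ACL instead of 'permit gre any any'."""
    return {**router, "crypto_acl": ["permit gre host 192.168.0.6 host 192.168.0.2"]}


if __name__ == "__main__":
    ping = Packet("icmp", "172.16.0.10", "10.20.0.10")     # constructed: host behind R2 -> PC1
    print("via tunnel      :", forward(R2, ping))
    print("no tunnel route :", forward(without_tunnel_route(R2), ping))
    print("to Internet     :", forward(R2, Packet("icmp", "172.16.0.10", "8.8.8.8")))
```

With the tunnel route present, the ICMP packet is encapsulated first, so what reaches NAT and the crypto map is a GRE packet from 192.168.0.6 to 192.168.0.2: NAT_LIST does not match it and ACL 100 does, so it leaves encrypted. Without that route the same ping is PATed to 192.168.0.6 and sent unencrypted, which is the case to look for in the Packet Tracer trace.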