10-13-2016 02:53 PM - edited 03-08-2019 07:47 AM
Hi Friends,
In one of the projects in our company I had to add IPsec over the GRE tunnels for security.
However, doing so prevented DECnet from working over these links!
Does DECnet work over the "GRE over IPsec" tunnel?
If yes, could you please explain how to fix it?
When I do a DECnet ping I get the following log message:
Here is a copy of the configuration:
R1#
!
crypto isakmp policy 10
 encr aes 256
 hash sha512
 authentication pre-share
 group 5
!
crypto isakmp key IPSEC_PSK address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set ESP-AES-128-SHA
!
interface Tunnel2
 ip address 10.11.12.1 255.255.255.0
 decnet cost 10
 tunnel source Serial0/0/0
 tunnel destination 10.12.12.2
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel protection ipsec profile IPSEC_PROFILE
 no shutdown
!
R2#
!
crypto isakmp policy 10
 encr aes 256
 hash sha512
 authentication pre-share
 group 5
!
crypto isakmp key IPSEC_PSK address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set ESP-AES-128-SHA
!
interface Tunnel2
 ip address 10.11.12.2 255.255.255.0
 decnet cost 10
 tunnel source Serial0/0/0
 tunnel destination 10.12.12.1
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel protection ipsec profile IPSEC_PROFILE
 no shutdown
!
Thanks Friends
10-17-2016 09:50 AM
Hello,
just out of curiosity, did you get this to work, and if so, how?
10-18-2016 10:40 AM
Hi gpauwen,
Sorry for the late response.
I was busy working on another project; I will get back to it today or tomorrow to check what other options I have to try.
However, let me add this: since the tunnel is above serial interfaces, I can't set the sub-interface encryption to ISL.
Router(config)#inter serial 0/0/0.1
Router(config-subif)#encapsulation ?
% Unrecognized command
Thanks
10-18-2016 11:30 AM
Hello,
subinterfaces with ISL encapsulation can be configured on FastEthernet and GigabitEthernet only. What devices do you have? Typically, your clients should be connected to Ethernet ports...
10-19-2016 08:53 AM
gpauwen,
I have Cisco 2921 (Security and Data licenses installed) and HWIC-4T1/E1 on one end and multiple Cisco 1841 with HWIC-1DSU-T1 on the other end.