DECnet over "GRE over IPsec"!

Hi Friends,

In one of the projects in our company I had to add IPsec over the GRE tunnels for security.

However doing so prevented DECnet from working over these links!

Does DECnet work over the "GRE over IPsec" tunnel?

If yes, could you please explain how to fix it?

When I do a DECnet ping I get the following log message:

%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /10.12.12.2, src_addr= 10.12.12.1, prot= 47

Here is a copy of the configuration:

R1#

!
crypto isakmp policy 10
 encr aes 256
 hash sha512
 authentication pre-share
 group 5
!
crypto isakmp key IPSEC_PSK address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set ESP-AES-128-SHA
!
interface Tunnel2
 ip address 10.11.12.1 255.255.255.0
 decnet cost 10
 tunnel source Serial0/0/0
 tunnel destination 10.12.12.2
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel protection ipsec profile IPSEC_PROFILE
 no shutdown
!

R2#

!
crypto isakmp policy 10
 encr aes 256
 hash sha512
 authentication pre-share
 group 5
!
crypto isakmp key IPSEC_PSK address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set ESP-AES-128-SHA
!
interface Tunnel2
 ip address 10.11.12.2 255.255.255.0
 decnet cost 10
 tunnel source Serial0/0/0
 tunnel destination 10.12.12.1
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel protection ipsec profile IPSEC_PROFILE
 no shutdown
!

Thanks Friends

18 Replies

Hello,

Just out of curiosity, did you get this to work, and if so, how?

Hi gpauwen,

Sorry for the late response.

I was busy working on another project. I will get back to it today or tomorrow to check what other options I have to try.

However, let me add this: since the tunnel is above a Serial interface, I can't put the sub-interface's encryption to ISL:
Router(config)#inter serial 0/0/0.1
Router(config-subif)#encapsulation ?
% Unrecognized command

Thanks 

Hello,

Subinterfaces with ISL encapsulation can be configured on FastEthernet and GigabitEthernet only. What devices do you have? Typically, your clients should be connected to Ethernet ports...

gpauwen,

I have Cisco 2921 (Security and Data licenses installed) and HWIC-4T1/E1 on one end and multiple Cisco 1841 with HWIC-1DSU-T1 on the other end.
