can we have ipsec in transport mode without gre tunnels

sebastan_bach
Level 4

I have a query: can we have IPsec running in transport mode without having GRE tunnels? Is it possible?

sebastan

8 Replies

attrgautam
Level 5

Yes, it is possible, except that the end points will have to be routed and hence they are not transparent. I suggest using GRE to ensure that the IPs are not visible.

This link should help you understand the two modes:

http://www.certiguide.com/secplus/cg_sp_IPSecTransportandTunnelModes.htm

Hi Gautam. Here's my setup; can you please tell me whether IPsec will work in transport mode without a GRE tunnel here.

10.1.1.0/24---R1(1.1.1.1/24)----(1.1.1.2/24)R2---10.1.2.0/24

R1 and R2 are running IPsec. I have set the same ISAKMP policy and transform set between them; in the transform set I have set the mode to transport. In the crypto map of R1 I have set the peer to 1.1.1.2, and in the crypto ACL I have set source 10.1.1.0/24 to dest 10.1.2.0/24. The same way on R2, in the crypto map I have set the peer to 1.1.1.1, and in the crypto ACL I have set source 10.1.2.0 to dest 10.1.1.0. I have applied the crypto maps to the appropriate interfaces.

The IKE SA is established perfectly without any problem, but the quick mode fails. I guess the reason is that the crypto endpoints are 1.1.1.1 and 1.1.1.2 but the traffic to be encrypted is 10.1.1.0 and 10.1.2.0. Could you please help me out with the problem? Is my config right? Please reply back as soon as possible. Waiting for your reply. Thank you once again.

sebastan

Sebastan

This should work. Do you see encryption and decryption of traffic when you do a sh crypto ipsec sa? Is the routing fine? If possible, can you paste the config?

Hi Gautam. As far as my knowledge about transport mode goes, in transport mode there is no new IP header attached to the original IP packet. Say host 10.1.1.1 pings host 10.1.2.1. Now the IPsec endpoints are 1.1.1.1 and 1.1.1.2. Since the original IP header dest is 10.1.2.1, it is not destined for 1.1.1.2, the IPsec endpoint. That's the rule of transport mode: the addresses between whom you want to secure data should be the IPsec endpoints. Here we are trying to secure between 10.1.1.1 and 10.1.2.1, but the IPsec endpoints are 1.1.1.1 and 1.1.1.2. Kindly give your inputs on this. Discussing this with you is fun. Waiting for your reply.

sebastan

Hi Sebastan

Yes, what you say about transport mode is correct. The existing IP header is not rewritten; just the data packet is encapsulated. So your destination is also retained.

Also, I have attached the sample config:

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 192.168.0.6
!
!
crypto ipsec transform-set test esp-3des esp-sha-hmac
 mode transport
!
crypto map test 10 ipsec-isakmp
 set peer 192.168.0.6
 set transform-set test
 match address test
ip access-list extended test
 permit ip 6.6.6.0 0.0.0.255 5.5.5.0 0.0.0.255

Other side:

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 192.168.0.5
!
!
crypto ipsec transform-set test esp-3des esp-sha-hmac
 mode transport
!
crypto map test 10 ipsec-isakmp
 set peer 192.168.0.5
 set transform-set test
 match address 123
!
access-list 123 permit ip 5.5.5.0 0.0.0.255 6.6.6.0 0.0.0.255

HTH

Hi Gautam, thanks for your config. Tell me one thing: did this config of yours work fine? I mean, did the IPsec SA establish in your scenario? Waiting for your reply. One more thing I forgot to tell you about my scenario: the subnets were actually loopback addresses on the routers themselves. Will that make a difference? My config is exactly the same as yours except for the IP addresses. The IKE SA was established properly but the quick mode failed. Please reply back. Thanks once again.

sebastan

Looks like I spoke a bit early. Well, let me think about this. I got the same error too:

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.168.0.6

Check this link:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00801d55aa.shtml

Hi Gautam, I guess we both have arrived at the same conclusion: that in transport mode the IPsec endpoints should be the ones used in the crypto map ACL. Gautam, where are you from? It's fun talking to you, buddy. Are you from India? Do you have an MSN or Yahoo ID? We can talk online and share knowledge. Take care and see you soon.

sebastan
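As an added illustration (not code from this thread or from Cisco), here is a small Python lint that reads an IOS-style crypto config like the one posted above and flags the mismatch both posters arrived at: a transform-set in transport mode whose crypto ACL protects subnets other than the IPsec peers themselves. It assumes local_addr is the address of the interface the crypto map is applied to (192.168.0.5 for the first side, inferred from the other side's set peer), understands only "permit ip A wildcard B wildcard" ACL entries, and treats a transform-set with no mode line as tunnel mode, the IOS default.

```python
import ipaddress

def _net(addr, wildcard):
    # IOS address/wildcard pair -> IPv4Network (a 0.0.0.0 wildcard yields a /32 host)
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))))

def parse_crypto_config(config):
    """Collect transform-set modes, crypto map entries and crypto ACL permit lines."""
    modes, maps, acls = {}, {}, {}
    cur_ts = cur_map = cur_acl = None
    for raw in config.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[:3] == ["crypto", "ipsec", "transform-set"]:
            cur_ts = w[3]
            modes[cur_ts] = "tunnel"  # IOS default when no "mode" line follows
        elif w[0] == "mode" and cur_ts:
            modes[cur_ts] = w[1]
        elif w[:2] == ["crypto", "map"] and len(w) == 5:
            cur_map = (w[2], int(w[3]))
            maps[cur_map] = {}
        elif w[:2] == ["set", "peer"] and cur_map:
            maps[cur_map]["peer"] = w[2]
        elif w[:2] == ["set", "transform-set"] and cur_map:
            maps[cur_map]["ts"] = w[2]
        elif w[:2] == ["match", "address"] and cur_map:
            maps[cur_map]["acl"] = w[2]
        elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:  # numbered ACL
            acls.setdefault(w[1], []).append((_net(w[4], w[5]), _net(w[6], w[7])))
        elif w[:3] == ["ip", "access-list", "extended"]:  # named ACL header
            cur_acl = w[3]
        elif w[:2] == ["permit", "ip"] and cur_acl:  # entry inside a named ACL
            acls.setdefault(cur_acl, []).append((_net(w[2], w[3]), _net(w[4], w[5])))
    return modes, maps, acls

def check_transport_mode(config, local_addr):
    """One finding per transport-mode crypto map entry whose ACL is not exactly local_addr <-> peer."""
    modes, maps, acls = parse_crypto_config(config)
    findings = []
    for (name, seq), m in maps.items():
        if modes.get(m.get("ts")) != "transport":
            continue
        peers = {ipaddress.ip_network(local_addr), ipaddress.ip_network(m["peer"])}
        for src, dst in acls.get(m.get("acl"), []):
            if {src, dst} != peers:  # proxy identities are not the IPsec endpoints: quick mode will fail
                findings.append(f"crypto map {name} {seq}: transport mode, but ACL protects {src} -> {dst} "
                                f"instead of {local_addr} <-> {m['peer']}; use tunnel mode or GRE")
    return findings
```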