GRE over IPSEC

paul amaral
Level 4

Hi, recently I configured GRE over IPsec in transport mode. I haven't done this in a while, and all appears to be set up correctly. However, I can't seem to get packets encrypted based on the GRE access list I have set up. If I change the list to an IP ICMP list, it encrypts/decrypts packets in tunnel mode. FYI, I'm testing from within the router since there is no LAN plugged in yet.

Here is the config I'm using:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key XXX address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set my_transform_set esp-3des esp-sha-hmac
 mode transport
!
crypto map my_cryptmap_tag 10 ipsec-isakmp
 set peer 172.17.0.14
 set transform-set my_transform_set
 match address 100
!
interface Tunnel1
 ip unnumbered Serial0
 ip mtu 1400
 load-interval 30
 tunnel source 172.17.0.6
 tunnel destination 172.17.0.14
 crypto map my_cryptmap_tag
!
interface FastEthernet0
 description to Lan
 ip address 192.168.3.1 255.255.255.0
 speed 100
 full-duplex
 no keepalive
!
access-list 100 permit gre host 172.17.0.6 host 172.17.0.14

If I change the above access list to something like "permit ip icmp any any", when I ping I see it encrypting/decrypting. However, all the Cisco examples show a GRE access list, since I have the config set up and I'm using transport mode. I'm confused because it looks like it should work, but testing from the router tells me it's not working.

thanks, Paul

3 Replies

paul amaral
Level 4

OK, I just figured this out: I had to apply the crypto map statement to the actual physical interfaces and not the tunnel interfaces. All is working now in transport mode.

thanks, Paul

Richard Burts
Hall of Fame

Paul

Based on the small amount of the configuration that you posted, I would assume that the major issue you are running into is that you do not have any traffic going through the tunnel. I cannot tell, based on the limited information provided, whether that would change when you do have a LAN plugged in.

The access list as you have configured it should work fine for a transport mode tunnel.

I notice that you have configured the crypto map on the tunnel interface. It depends a bit on the platform and the version of code that you are running, but in most recent IOS versions you should put the crypto map on the outbound interface and not on the tunnel. We do not know your platform or your code version and so cannot know how much of an issue this might be, but I would suggest that you take the crypto map off of the tunnel and make sure that it is on the outbound interface.

HTH

Rick

[edit] I see that while I was typing my response, Paul posted that he had figured out that the issue was the placement of the crypto map. I am glad that Paul was able to figure out the solution to his own problem and did not need my suggestion.

HTH

Rick

Rick, thanks for the reply. Even though I had figured it out, your response is welcome and will help others. Thanks again, Rick.

paul
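The placement rule that Paul found and Rick describes above (the crypto map belongs on the physical egress interface, not on the Tunnel interface, because GRE is encapsulated on the tunnel and only then routed out the physical interface where IOS applies the crypto map) can be checked mechanically. The following is an added example, not Cisco code and not part of the original posts: a small Python audit that parses an IOS configuration and reports the findings a reviewer would raise against the config in this thread. It embeds an abridged transcription of Paul's config and the corrected variant with the map moved to Serial0. The Serial0 stanza and its mask are assumptions (Paul's post never shows Serial0; the tunnel source 172.17.0.6 is taken to be its address), the finding texts are mine, and the wildcard pre-shared key warning is a hygiene check added here, not something the thread raised.

```python
"""Added example (not Cisco's code, not from the posts): audit a Cisco IOS
GRE-over-IPsec config for the crypto-map placement bug from this thread."""
import re
from collections import defaultdict

# Abridged transcription of the config Paul posted.  The Serial0 stanza was not
# posted and is ASSUMED (tunnel source 172.17.0.6 taken to be Serial0's address).
ORIGINAL_CONFIG = """\
crypto isakmp key XXX address 0.0.0.0 0.0.0.0
crypto ipsec transform-set my_transform_set esp-3des esp-sha-hmac
 mode transport
crypto map my_cryptmap_tag 10 ipsec-isakmp
 set peer 172.17.0.14
 set transform-set my_transform_set
 match address 100
interface Serial0
 ip address 172.17.0.6 255.255.255.252
interface Tunnel1
 tunnel source 172.17.0.6
 tunnel destination 172.17.0.14
 crypto map my_cryptmap_tag
access-list 100 permit gre host 172.17.0.6 host 172.17.0.14
"""

# Paul's fix: the same crypto map, moved from Tunnel1 to the physical interface.
FIXED_CONFIG = ORIGINAL_CONFIG.replace(
    " tunnel destination 172.17.0.14\n crypto map my_cryptmap_tag\n",
    " tunnel destination 172.17.0.14\n").replace(
    " ip address 172.17.0.6 255.255.255.252\n",
    " ip address 172.17.0.6 255.255.255.252\n crypto map my_cryptmap_tag\n")


def parse(config):
    """Split an IOS config into {top-level line: [indented sub-lines]}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            stanzas[current] = []
    return stanzas


def audit(config):
    """Return findings as strings; an empty list means every check passed."""
    st, findings = parse(config), []
    ifaces = {h.split()[1]: b for h, b in st.items() if h.startswith("interface ")}
    addr_owner, maps_on = {}, {}            # ip -> interface, interface -> map tag
    for name, body in ifaces.items():
        for line in body:
            if m := re.match(r"ip address (\S+) ", line):
                addr_owner[m.group(1)] = name
            if m := re.match(r"crypto map (\S+)$", line):
                maps_on[name] = m.group(1)
    tset_mode, cmaps, acls = {}, defaultdict(list), defaultdict(list)
    for h, body in st.items():
        if m := re.match(r"crypto ipsec transform-set (\S+)", h):
            tset_mode[m.group(1)] = "transport" if "mode transport" in body else "tunnel"
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", h):
            entry = {}
            for line in body:
                for key, pat in (("peer", r"set peer (\S+)"), ("acl", r"match address (\S+)"), ("tset", r"set transform-set (\S+)")):
                    if mm := re.match(pat, line):
                        entry[key] = mm.group(1)
            cmaps[m.group(1)].append(entry)
        elif m := re.match(r"access-list (\S+) permit (\S+) host (\S+) host (\S+)", h):
            acls[m.group(1)].append(m.group(2, 3, 4))
        elif re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0", h):
            # Hygiene check added here, not the thread's bug: any host that learns the key can negotiate.
            findings.append("wildcard pre-shared key (address 0.0.0.0 0.0.0.0); bind it to the peer address")
    # The thread's bug: GRE is encapsulated on the tunnel, then routed out the physical
    # interface, and that physical interface is where IOS applies the crypto map.
    for name, tag in maps_on.items():
        if name.startswith("Tunnel"):
            findings.append(f"crypto map {tag} is applied on {name}; apply it on the physical egress interface")
    # Per tunnel: the interface owning the tunnel source must carry a map whose entry peers
    # with the GRE destination (transport mode) and selects GRE between the two endpoints.
    for name, body in ((n, b) for n, b in ifaces.items() if n.startswith("Tunnel")):
        src = next((l.split()[2] for l in body if l.startswith("tunnel source ")), None)
        dst = next((l.split()[2] for l in body if l.startswith("tunnel destination ")), None)
        owner = src if src in ifaces else addr_owner.get(src)   # source may be an interface name
        if owner is None:
            findings.append(f"{name}: tunnel source {src} belongs to no interface in this config")
        elif (tag := maps_on.get(owner)) is None:
            findings.append(f"{owner} owns tunnel source {src} but carries no crypto map; GRE from {name} leaves in the clear")
        else:
            for e in cmaps.get(tag, []):
                if tset_mode.get(e.get("tset")) == "transport" and e.get("peer") != dst:
                    findings.append(f"{tag}: transport mode needs set peer {dst}, got {e.get('peer')}")
                if ("gre", src, dst) not in acls.get(e.get("acl"), []):
                    findings.append(f"ACL {e.get('acl')} on {tag} lacks 'permit gre host {src} host {dst}'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", ORIGINAL_CONFIG), ("crypto map on Serial0", FIXED_CONFIG)):
        print(f"== {label} ==", *([f" - {f}" for f in audit(cfg)] or [" - no findings"]), sep="\n")
```

Run stand-alone, the "as posted" config produces three findings (the map on Tunnel1, Serial0 carrying no map, and the wildcard key), while the corrected config produces only the wildcard-key warning. If the ACL is changed to match ICMP instead of GRE, as Paul experimented with, the audit additionally reports that ACL 100 no longer selects the GRE traffic. On the router itself the equivalent check is the encaps/decaps counters in `show crypto ipsec sa`, which stay at zero while the map sits on the tunnel.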