Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
568
Views
0
Helpful
3
Replies

ipsec over gre

evr
Level 1
Level 1

‎07-16-2003 03:32 AM - edited ‎02-21-2020 12:40 PM

Hi all,

We have IPSEC over GRE between a C3725 and a C1721 with ADSL. We can ping from

a host to the remote router but not ping from a host to a remote host. We can also ping

from the router to a remote host. What's wrong with our configuration?

Thanks

3725 ios 12.2(13)T4

1721 ios 12.2(15)T2

!

hostname HK

!

crypto isakmp policy 10

authentication pre-share

crypto isakmp key test address 0.0.0.0 0.0.0.0

!

!

!

crypto ipsec transform-set uw esp-3des esp-md5-hmac

!

!

!

crypto map vpn 10 ipsec-isakmp

description NBW

set peer 94.10.160.64

set transform-set uw

match address 122

!

interface Loopback0

description Loopback interface

ip address xxx.xxx.xxx.1 255.255.255.0

!

interface Tunnel0

description Tunnel Headquarter-NBW via Power ADSL

bandwidth 450

ip unnumbered FastEthernet0/0

tunnel source dialer10

tunnel destination 94.10.160.64

crypto map vpn

!

!

!

interface ATM0/0

description Power ADSL Headquarter

no ip address

no ip mroute-cache

no atm ilmi-keepalive

pvc 4/23

encapsulation aal5mux ppp dialer

dialer pool-member 10

!

dsl operating-mode auto

!

interface FastEthernet0/0

description LAN Hoofdkantoor

ip address xxx.xxx.254.254 255.255.0.0

ip broadcast-address 172.20.255.255

ip access-group lan-in in

ip access-group lan-out out

ip nat inside

no ip mroute-cache

duplex auto

speed auto

no cdp enable

!

interface Dialer10

description PPPoA Power ADSL HeadQuarter

bandwidth 450

ip address negotiated

ip access-group adsl-in in

ip access-group adsl-out-10 out

ip nat outside

encapsulation ppp

dialer pool 10

dialer idle-timeout 0

dialer persistent

dialer-group 10

fair-queue

no cdp enable

ppp authentication pap callin

ppp pap sent-username xxx password yyy

crypto map vpn

!

!

router eigrp 1

variance 10

redistribute connected route-map map-distribute

passive-interface FastEthernet0/0

passive-interface Dialer10

network 172.20.0.0

maximum-paths 3

no auto-summary

!

ip nat translation timeout 300

ip nat translation finrst-timeout 30

ip nat translation syn-timeout 30

ip nat translation icmp-timeout 10

ip nat inside source static udp 192.168.1.4 459 interface Dialer10 459

ip nat inside source static tcp 192.168.1.7 4080 interface Dialer10 4080

ip nat inside source static tcp 192.168.1.7 3080 interface Dialer10 3080

ip nat inside source static tcp 192.168.1.5 443 interface Dialer10 443

ip nat inside source static tcp 192.168.1.5 80 interface Dialer10 80

ip nat inside source static tcp 192.168.1.3 113 interface Dialer10 113

ip nat inside source static tcp 192.168.1.3 25 interface Dialer10 25

ip nat inside source static tcp 192.168.1.3 22 interface Dialer10 22

ip nat inside source route-map map-dialer10 interface Dialer10 overload

ip classless

no ip forward-protocol udp netbios-ns

no ip forward-protocol udp netbios-dgm

ip route 0.0.0.0 0.0.0.0 Dialer10 100

ip route 172.22.253.0 255.255.255.0 172.20.11.4 permanent

ip route 94.10.160.64 255.255.255.255 Dialer10

ip route 195.112.162.253 255.255.255.255 FastEthernet0/0 permanent

ip http server

!

!

ip access-list extended adsl-in

remark Spoofed addresses

deny ip 10.0.0.0 0.255.255.255 any log

deny ip 172.16.0.0 0.15.255.255 any log

deny ip 192.168.0.0 0.0.255.255 any log

deny ip 224.0.0.0 15.255.255.255 any log

deny ip host 255.255.255.255 any log

remark VPN

permit udp any any eq isakmp

permit udp any any eq non500-isakmp

permit gre 94.10.160.0 0.0.0.255 94.10.160.0 0.0.0.255

permit esp any any

remark Established sessions

permit tcp any any established

remark TCP services

permit tcp any any eq 22

permit tcp any any eq smtp

permit tcp any any eq www

permit tcp any any eq ident

permit tcp any any eq 443

permit tcp any any eq 3080

permit tcp any any eq 4080

ip access-list extended adsl-out-10

permit ip host 94.10.160.114 any

deny tcp any any eq 1 log

deny ip any any log

ip access-list extended dialer10-overload

permit ip 192.168.1.0 0.0.0.255 any

permit ip host 172.20.11.2 any

ip access-list extended lan-in

permit ip any 172.16.0.0 0.15.255.255

permit ip any 192.168.0.0 0.0.255.255

permit ip any 10.0.0.0 0.255.255.255

permit ip any 224.0.0.0 15.255.255.255

permit ip any host 255.255.255.255

permit ip any 212.136.50.0 0.0.1.255

permit ip 195.112.162.252 0.0.0.3 any

permit ip host 172.20.11.11 host 213.84.187.156

deny tcp any any eq 1 log

deny ip any any log

ip access-list extended lan-out

permit ip 172.16.0.0 0.15.255.255 any

permit ip 192.168.0.0 0.0.255.255 any

permit ip 10.0.0.0 0.255.255.255 any

permit ip 212.136.50.0 0.0.1.255 any

permit ip any 195.112.162.252 0.0.0.3

permit ip host 94.10.6.12 host 172.20.11.2

permit ip host 213.84.187.156 host 172.20.11.11

deny tcp any any eq 1 log

deny ip any any log

!

map-class dialer perm

dialer idle-timeout 86400

dialer wait-for-carrier-time 20

logging trap debugging

logging facility local0

logging 172.20.11.2

access-list 122 remark IPsec NBW

access-list 122 permit gre host 94.10.160.114 host 94.10.160.64

dialer-list 10 protocol ip permit

!

route-map map-distribute permit 100

description Routes distributed via EIGRP

match interface Loopback0

!

route-map map-dialer10 permit 10

match ip address dialer10-overload

match interface Dialer10

!

!

hostname Indus2

!

!

!

ip cef

ip audit notify log

ip audit po max-events 100

!

isdn switch-type basic-net3

!

!

!

crypto isakmp policy 1

authentication pre-share

crypto isakmp key test address 0.0.0.0 0.0.0.0

!

!

crypto ipsec transform-set uw esp-3des esp-md5-hmac

!

crypto map vpn 10 ipsec-isakmp

set peer 94.10.160.114

set transform-set uw

match address 110

!

!

!

interface Tunnel0

description Tunnel NBW-Hoofdkantoor via Power ADSL

bandwidth 450

ip unnumbered FastEthernet0

tunnel source Dialer10

tunnel destination 94.10.160.114

crypto map vpn

!

!

interface ATM0

no ip address

no ip mroute-cache

no atm ilmi-keepalive

pvc 4/23

encapsulation aal5mux ppp dialer

dialer pool-member 10

!

dsl operating-mode auto

!

interface FastEthernet0

ip address 172.22.254.254 255.255.0.0

ip access-group lan-in in

ip access-group lan-out out

ip helper-address 172.20.11.2

no ip mroute-cache

speed auto

full-duplex

no cdp enable

!

interface Dialer10

description PPoA Power ADSL NBW - 94.10.160.64

bandwidth 450

ip address negotiated

ip access-group adsl-in in

ip access-group adsl-out out

encapsulation ppp

dialer pool 10

dialer idle-timeout 0

dialer persistent

dialer-group 10

no cdp enable

ppp authentication chap callin

ppp pap sent-username xxx password yyy

crypto map vpn

!

router eigrp 1

variance 10

passive-interface FastEthernet0

network 172.22.0.0

maximum-paths 3

no auto-summary

!

ip classless

no ip forward-protocol udp netbios-ns

no ip forward-protocol udp netbios-dgm

ip route 0.0.0.0 0.0.0.0 Dialer10

ip route 94.10.160.114 255.255.255.255 Dialer10

no ip http server

no ip http secure-server

!

!

!

ip access-list extended adsl-in

remark Spoofed addresses

deny ip 10.0.0.0 0.255.255.255 any log

deny ip 172.16.0.0 0.15.255.255 any log

deny ip 192.168.0.0 0.0.255.255 any log

deny ip 224.0.0.0 15.255.255.255 any log

deny ip host 255.255.255.255 any log

remark VPN

permit udp any any eq isakmp

permit udp any any eq non500-isakmp

permit gre 94.10.160.0 0.0.0.255 94.10.160.0 0.0.0.255

permit esp any any

ip access-list extended adsl-out

permit ip host 194.109.160.64 any

deny tcp any any eq 1 log

deny ip any any log

ip access-list extended lan-in

permit ip any 172.16.0.0 0.15.255.255

permit ip any 192.168.0.0 0.0.255.255

permit ip any 10.0.0.0 0.255.255.255

permit ip any 224.0.0.0 15.255.255.255

permit ip any host 255.255.255.255

deny tcp any any eq 1 log

deny ip any any log

ip access-list extended lan-out

permit ip 172.16.0.0 0.15.255.255 any

permit ip 192.168.0.0 0.0.255.255 any

permit ip 10.0.0.0 0.255.255.255 any

deny tcp any any eq 1 log

deny ip any any log

!

logging trap debugging

logging facility local0

logging 172.20.11.2

access-list 1 permit any

access-list 10 permit 172.22.0.0 0.0.255.255

access-list 110 permit gre host 94.10.160.64 host 94.10.160.114

dialer-list 1 protocol ip permit

dialer-list 10 protocol ip permit

no cdp run

!

Labels:
0 Helpful
3 Replies 3

mnaveen
Level 1
Level 1

‎07-17-2003 01:53 AM

Hi,

The first thing that strikes to my mind is to use the address of your peer in the "crypto map key ..." command. I suggest you to use each others' peer's addresses 94.10.160.64 and 94.10.160.114 in your "crypto isakmp key test address 0.0.0.0 0.0.0.0" command.

Secondly, force all default traffic into Tunnel0 (this is for testing only) rather than through the Dialer interface. To do this, just change the default ip route to "ip route 0.0.0.0 0.0.0.0 Tunnel0". With this basic configuration, you should be able to reach both the remote router and the remote hosts.

Post your reply back if you still see any issues.

Also, try to force all default

Thanks,

Naveen.

0 Helpful

evr
Level 1
Level 1
In response to mnaveen

‎07-18-2003 12:35 AM

Hi,

We have done what you write but it still doesn't work

Thanks,

evr

0 Helpful

rlcarr
Level 1
Level 1

‎07-22-2003 09:40 AM

Sounds like you don't have a fully converged routing table. Does your EIGRP show a neighbor adjacency?

You mention the router can ping a remote host. Can the router still ping the remote host if you change the source address to the local Lan and not the default of the exiting interface.

You can also remove the "crypto map vpn" command from your Tunnel interfaces. That command was only necessary on GREs due to a bug. That bug was fixed in 12.2(13)T

Happy Routing,

~ron

0 Helpful
Customers Also Viewed These Support Documents