07-16-2012 01:47 PM - edited 02-21-2020 06:12 PM
Hi, I'm trying to configure IPsec over a GRE tunnel, but the traffic passes unencrypted, and I can't find why this is happening. Here are the configs of the two routers (1841):
OFICINA#sh run br
Building configuration...
Current configuration : 1281 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname OFICINA
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
no ip domain lookup
!
!
!
username administrador privilege 15 secret 5 $1$hHkv$/7fp8YDQ25MKqqBwSwxo31
!
!
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key CISCO address 192.168.150.1
!
!
crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile MyProfile
set transform-set MyTransSet
!
!
!
!
interface Tunnel0
ip address 10.254.25.2 255.255.255.254
tunnel source 192.168.150.2
tunnel destination 192.168.150.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile MyProfile
!
interface FastEthernet0/0
ip address 192.168.150.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.150.1
!
ip http server
no ip http secure-server
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 3
login local
line vty 4
login
!
scheduler allocate 20000 1000
end
OFICINA#
ACO(config)#^Z
ACO#sh r
*Jul 16 20:56:28.759: %SYS-5-CONFIG_I: Configured from console by console
ACO#sh run br
Building configuration...
Current configuration : 1345 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ACO
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$PK6g$UNH80nfXPgCuo2cj5uNl31
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
!
!
no ip domain lookup
!
!
!
!
username administrador privilege 15 secret 5 $1$o3WB$Wrlxl..N901pBEMnJHgaV/
!
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key CISCO address 192.168.150.2
!
!
crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile MyProfile
set transform-set MyTransSet
!
!
!
!
interface Tunnel0
ip address 10.254.25.1 255.255.255.252
tunnel source 192.168.150.1
tunnel destination 192.168.150.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile MyProfile
!
interface FastEthernet0/0
ip address 192.168.150.1 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.5.25 255.255.255.0
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.150.2
!
ip http server
no ip http secure-server
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login local
line vty 5 15
login local
!
end
ACO#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 192.168.150.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 192.168.150.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.150.1, remote crypto endpt.: 192.168.150.2
path mtu 1514, ip mtu 1514
current outbound spi: 0x5B67BC1A(1533525018)
inbound esp sas:
spi: 0x761E04B5(1981678773)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3001, flow_id: FPGA:1, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4397592/939)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
spi: 0x1A2B14A8(439030952)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3003, flow_id: FPGA:3, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4441589/935)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x652102EB(1696662251)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3002, flow_id: FPGA:2, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4397592/932)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
spi: 0x5B67BC1A(1533525018)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3004, flow_id: FPGA:4, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4441589/932)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
ACO#
ACO#sh cry
ACO#sh crypto isa
ACO#sh crypto isakmp sa
dst             src             state          conn-id slot status
192.168.150.1   192.168.150.2   QM_IDLE              1    0 ACTIVE
192.168.150.2   192.168.150.1   QM_IDLE              2    0 ACTIVE
Thanks in advance.....
07-16-2012 01:56 PM
Route all traffic via the IP tunnel interface, not the IP tunnel destination,
and add a static route for 192.168.150.1 / .2 via f0/0.
Regards
07-16-2012 02:18 PM
The tunnel is up, but ping requests do not get responses between the two routers....
I made the changes you said, but nothing happened.
Thanks.
07-16-2012 02:22 PM
The problem was the netmask of the tunnel.
07-16-2012 02:27 PM
router OFICINA
interface Tunnel0
 ip address 10.254.25.2 255.255.255.252
!
!
ip route 0.0.0.0 0.0.0.0 tunnel0
router ACO
ip route 0.0.0.0 0.0.0.0 tunnel0
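As an added example (not code from this thread or from Cisco), the checker below reads two IOS running-configs and flags the two defects the replies above diagnose: the tunnel ends sitting in different subnets (a /31 on OFICINA against a /30 on ACO), and a default route whose next hop is the peer's outside address rather than the Tunnel interface, which sends LAN traffic around the VTI in the clear. It also cross-checks that the tunnel source/destination pairs mirror each other, that each ISAKMP pre-shared key is bound to the peer's tunnel source, and that the transform sets agree. The two embedded configs are constructed, trimmed copies of the ones posted above; the parser only understands the handful of IOS lines shown and uses nothing beyond the Python standard library.

```python
import ipaddress
import re

# Constructed sample configs, trimmed copies of the two running-configs posted
# in the thread: only the crypto, tunnel and routing lines the checks read.
OFICINA = """
hostname OFICINA
crypto isakmp key CISCO address 192.168.150.1
crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
interface Tunnel0
 ip address 10.254.25.2 255.255.255.254
 tunnel source 192.168.150.2
 tunnel destination 192.168.150.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MyProfile
ip route 0.0.0.0 0.0.0.0 192.168.150.1
"""
ACO = """
hostname ACO
crypto isakmp key CISCO address 192.168.150.2
crypto ipsec transform-set MyTransSet esp-3des esp-sha-hmac
interface Tunnel0
 ip address 10.254.25.1 255.255.255.252
 tunnel source 192.168.150.1
 tunnel destination 192.168.150.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MyProfile
ip route 0.0.0.0 0.0.0.0 192.168.150.2
"""
# The same configs with the fixes from the end of the thread applied:
# a /30 on both tunnel ends and the default route pointed at Tunnel0.
OFICINA_FIXED = (OFICINA.replace("255.255.255.254", "255.255.255.252")
                 .replace("0.0.0.0 192.168.150.1", "0.0.0.0 Tunnel0"))
ACO_FIXED = ACO.replace("0.0.0.0 192.168.150.2", "0.0.0.0 Tunnel0")


def parse_ios(text):
    """Pull hostname, ISAKMP peers, transform set, static routes and the
    Tunnel interface's address/source/destination out of a config dump."""
    cfg = {"hostname": "?", "isakmp_peers": set(), "transform": None,
           "routes": [], "tunnel": {}}
    section = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            section = None  # an unindented line closes any interface block
        line = raw.strip()
        if m := re.match(r"hostname (\S+)", line):
            cfg["hostname"] = m.group(1)
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            cfg["isakmp_peers"].add(m.group(1))
        elif m := re.match(r"crypto ipsec transform-set \S+ (.+)", line):
            cfg["transform"] = m.group(1).split()
        elif m := re.match(r"interface (\S+)", line):
            section = m.group(1)
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
            cfg["routes"].append(m.groups())
        elif section and section.lower().startswith("tunnel"):
            tun = cfg["tunnel"]
            tun["name"] = section
            if m := re.match(r"ip address (\S+) (\S+)", line):
                tun["iface"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            elif m := re.match(r"tunnel (source|destination) (\S+)", line):
                tun[m.group(1)] = m.group(2)
    return cfg


def check_pair(text_a, text_b):
    """Return human-readable findings for a pair of VTI tunnel endpoints."""
    a, b = parse_ios(text_a), parse_ios(text_b)
    findings = []
    for here, there in ((a, b), (b, a)):
        name, tun, peer = here["hostname"], here["tunnel"], there["tunnel"]
        # Endpoints must mirror each other: my source is the peer's destination.
        if tun.get("source") != peer.get("destination"):
            findings.append(f"{name}: tunnel source {tun.get('source')} is not "
                            f"the peer's tunnel destination {peer.get('destination')}")
        # The pre-shared key must be bound to the address the peer sends from.
        if peer.get("source") not in here["isakmp_peers"]:
            findings.append(f"{name}: no isakmp key for peer {peer.get('source')}")
        # A route wider than a host route whose next hop is the peer's outside
        # address steers that traffic around the VTI, so it leaves unencrypted.
        for prefix, mask, nexthop in here["routes"]:
            wide = ipaddress.ip_network(f"{prefix}/{mask}", strict=False).prefixlen < 32
            if nexthop == tun.get("destination") and wide:
                findings.append(f"{name}: route {prefix} {mask} via {nexthop} bypasses "
                                f"{tun['name']}; point it at {tun['name']} instead")
    # Both tunnel addresses must share one subnet or replies never come back.
    if a["tunnel"]["iface"].network != b["tunnel"]["iface"].network:
        findings.append(f"tunnel subnets differ: {a['tunnel']['iface']} vs {b['tunnel']['iface']}")
    if a["transform"] != b["transform"]:
        findings.append(f"transform sets differ: {a['transform']} vs {b['transform']}")
    return findings


if __name__ == "__main__":
    for label, pair in (("as posted", (OFICINA, ACO)), ("fixed", (OFICINA_FIXED, ACO_FIXED))):
        print(label, "->", check_pair(*pair) or "no findings")
```

Run against the configs as posted it reports three findings (both default routes pointing at the peer's outside address, and the /31-versus-/30 tunnel subnets); against the fixed pair it reports none. The `sh crypto ipsec sa` counters in the thread are the live counterpart of the route check: an ACTIVE SA with `#pkts encaps: 0` while traffic flows is exactly what a route that bypasses the VTI looks like.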