08-31-2024 06:47 AM
Hello I am trying implement gre with ipsec....before ipsec implemenation....I am able to ping from R1 loopback to R3 loopback. But, after ipsec implemenation no communication between them...any help appreciated..!!
Here is the configuration for R1 and R3
R1
ip tcp synwait-time 5
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco@123 address 3.3.3.3
!
!
crypto ipsec transform-set TS1 esp-3des esp-md5-hmac
mode transport
!
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS1
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
ip address 172.16.0.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 192.168.23.3
tunnel protection ipsec profile protect-gre
!
interface FastEthernet0/0
ip address 192.168.12.1 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet0/1
no ip address
shutdown
speed auto
duplex auto
!
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 3.3.3.3 255.255.255.255 FastEthernet0/0
ip route 192.168.23.0 255.255.255.0 FastEthernet0/0
!
access-list 101 permit ip host 1.1.1.1 host 3.3.3.3 log
!
R3
ip tcp synwait-time 5
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco@123 address 1.1.1.1
!
!
crypto ipsec transform-set TS3 esp-3des esp-md5-hmac
mode transport
!
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS3
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
ip address 172.16.0.3 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 192.168.12.1
tunnel protection ipsec profile protect-gre
!
interface FastEthernet0/0
ip address 192.168.23.3 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet0/1
no ip address
shutdown
speed auto
duplex auto
!
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 1.1.1.1 255.255.255.255 FastEthernet0/0
ip route 192.168.12.0 255.255.255.0 FastEthernet0/0
!
Solved! Go to Solution.
08-31-2024 01:10 PM
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
crypto isakmp key cisco@123 address 200.0.0.3
!
!
!
!
crypto ipsec profile prof
!
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
ip address 5.0.0.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 200.0.0.3
tunnel protection ipsec profile prof
!
interface FastEthernet0/0
ip address 100.0.0.1 255.255.255.0
duplex full
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/1
no ip address
shutdown
speed auto
duplex auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 100.0.0.2
ip route 3.3.3.3 255.255.255.255 Tunnel0
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
hostname R3
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
crypto isakmp key cisco@123 address 100.0.0.1
!
!
!
!
crypto ipsec profile prof
!
!
!
!
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
ip address 5.0.0.3 255.255.255.0
tunnel source FastEthernet1/1
tunnel destination 100.0.0.1
tunnel protection ipsec profile prof
!
interface FastEthernet0/0
no ip address
shutdown
duplex full
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
ip address 200.0.0.3 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/1
no ip address
shutdown
speed auto
duplex auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 200.0.0.2
ip route 1.1.1.1 255.255.255.255 Tunnel0
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
09-02-2024 08:03 AM
Sorry for the late response..!!
it work's perfectly..!! Thanks for the configuration..!!
previously... i used crypto isakmp key cisco@123 address 3.3.3.3, changed to crypto isakmp key cisco@123 address 192.168.23.3
same way I changed in R3 crypto isakmp key cisco@123 address 1.1.1.1 changed to crypto isakmp key cisco@123 address 192.168.12.1
Thanks
08-31-2024 06:51 AM - edited 08-31-2024 06:53 AM
Only one step wrong
Instead of using LO IP in crypto isakmp key use tunnel destination.
That it
Do change abd check
Note:- you need static route in each peer of LO the egress interface will be tunnel interface' this route based vpn not policy vpn' so traffic need to encrypt must pass through tunnel
MHM
08-31-2024 07:07 AM
Still tunnel status is Down
I have done following changes
R1
ip route 3.3.3.3 255.255.255.255 Tunnel0
crypto isakmp key cisco@123 address 172.16.0.3
R3
ip route 1.1.1.1 255.255.255.255 tunnel 0
crypto isakmp key cisco@123 address 172.16.0.1
08-31-2024 07:10 AM
Tunnel destination not tunnel IP
Use 192.168.12.1 and 192.168.23.3
MHM
08-31-2024 07:19 AM
I changed to physical int ip's
R1--> crypto isakmp key cisco@123 address 192.168.23.3
R3--> crypto isakmp key cisco@123 address 192.168.12.1
Still...status down...
08-31-2024 07:27 AM
If you remove ipsec profile form tunnel
And do show ip interface breif
Do you see tunnel up/up?
MHM
08-31-2024 07:32 AM
Yes...it is up
08-31-2024 07:33 AM
Show ip route in both peer
Thanks
MHM
08-31-2024 01:10 PM
this lab for you
check the routing
and use tunnel destination in crypto isakmp key
08-31-2024 01:10 PM
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
crypto isakmp key cisco@123 address 200.0.0.3
!
!
!
!
crypto ipsec profile prof
!
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
ip address 5.0.0.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 200.0.0.3
tunnel protection ipsec profile prof
!
interface FastEthernet0/0
ip address 100.0.0.1 255.255.255.0
duplex full
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/1
no ip address
shutdown
speed auto
duplex auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 100.0.0.2
ip route 3.3.3.3 255.255.255.255 Tunnel0
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
hostname R3
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
crypto isakmp key cisco@123 address 100.0.0.1
!
!
!
!
crypto ipsec profile prof
!
!
!
!
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
ip address 5.0.0.3 255.255.255.0
tunnel source FastEthernet1/1
tunnel destination 100.0.0.1
tunnel protection ipsec profile prof
!
interface FastEthernet0/0
no ip address
shutdown
duplex full
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
ip address 200.0.0.3 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/1
no ip address
shutdown
speed auto
duplex auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 200.0.0.2
ip route 1.1.1.1 255.255.255.255 Tunnel0
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end