It should work with the following access list for your crypto-map:
access-list 101 permit gre host 135.7.1.3 host 135.7.1.5 and vise versa
for the other router, just as you had it.
This will apply the crypto-map to traffic traversing the GRE tunnel.
Take a look at the following CCO documentation on IPX over IPSec/GRE
Tunnels:
http://www.cisco.com/warp/public/707/33.shtml
I don't have access to the working configurations, but this is what I have
used for the same situation, including Appletalk and IP instead of IPX.
Can you verify that it works with IP and not IPX traffic? If the IPX
traffic works without the crypto-map statements applied, then the GRE tunnel
is working. When you apply the crypto-map, if the IPX communication does
not work properly, then I would imagine IP traffic would not work properly
either. At this point, there is a problem with SA negotiation, and there is
most likely one of the following occuring:
1. Crypto-map not applied to both the physical and tunnel interface
2. Conflicting information in the transform-sets on each router
Can you provide us with the output of:
show crypto engine connections active
show crypto ipsec sa detail
show crypto isakmp policy
Ryan Moffett
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
vr4drvr .
Sent: Wednesday, June 07, 2000 5:12 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: gre/ipsec
not easily.
here's the deal...i can use an access list such as...
acc 132 per icmp ho 135.7.1.3 ho 135.7.1.5 log
on the host 135.7.1.3 pointing to 135.7.1.5, and of course the mirror image
on the other side. all works fine with the pings, in that the first 5
time-out while the SA is built. after that the pings are successful. but
when i use the following...
acc 132 per gre ho 135.7.1.3 ho 135.7.1.5 log
the ipx pings never bring up the line. shouldn't the above acl cover gre
encapsulated packets?
>From: "Kenny Sallee" <[EMAIL PROTECTED]>
>To: "vr4drvr ." <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
>Subject: Re: gre/ipsec
>Date: Wed, 7 Jun 2000 13:59:57 -0700
>
>Can you post your configs?
>
>Kenny
>
>----- Original Message -----
>From: "vr4drvr ." <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Wednesday, June 07, 2000 11:32 AM
>Subject: gre/ipsec
>
>
> > i'm trying a simple GRE/IPSEC scenario that i can't seem to get to work.
> > i've built a tunnel between 2 router to pass ipx traffic, and for
>security
>i
> > would like to encrypt the tunnel traffic. my crypto map points to an
>access
> > list that allows gre traffic, but the crypto isakmp sa never builds.
>any
> > ideas?
> > ________________________________________________________________________
> > Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com
> >
> > ___________________________________
> > UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
> > FAQ, list archives, and subscription info: http://www.groupstudy.com
> > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> >
>
________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com
___________________________________
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
___________________________________
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
