Are you using 'crypto map mymap' on the interface connected to R6? I did
not see it on your configuration.

Where is 102 access-list applied?

The access-list referenced by 'crypto map mymap 10 ipsec-isakmp' should be
something like this:

access-list xxx permit gre 120.20.59.0 255.255.255.0 yyy.yyy.yyy.yyy 255.255.255.0,
where yyy is the address of the remote tunnel.

This way you are telling the router to IPSEC the gre traffic sourced by the
tunnel, destined to the remote tunnel. The OSPF traffic will be inside
the tunnel, so IPSEC will encrypt OSPF as well.

===========================================================================

R2#
crypto isakmp policy 1
authentication pre-share
group 2
crypto isakmp key shared address 6.6.6.6
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap local-address Loopback0
crypto map mymap 10 ipsec-isakmp
set peer 6.6.6.6
set transform-set myset
match address 199
!
interface Tunnel1
ip address 120.20.59.2 255.255.255.0
ip access-group 102 in
tunnel source 120.20.26.2
tunnel destination 120.20.26.6
crypto map mymap
!
access-list 102 permit ospf any any log
access-list 102 permit gre any any log
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
access-list 102 permit tcp any any eq 50
access-list 102 permit tcp any any eq 51
access-list 102 permit udp any any eq isakmp
!
access-list 199 permit ip 120.20.0.0 0.0.255.255 120.20.0.0 0.0.255.255
access-list 199 permit ip 2.2.2.0 0.0.0.255 any log
!

What am I doing wrong? Please help. Thank you.

Sincerely,
CN





"Cisco Nuts" @groupstudy.com on 30/01/2003 09:00:13

Please reply to "Cisco Nuts"

Sent by: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Subject: RE: IPSec over Tunnel - not working !! [7:62124]


Hello Claudio,

No luck.....I denied the tunnel intf. itself in the access-list and still
same problem. The ospf neighbor relation goes down...

R6-C#sh access-lists 199
Extended IP access list 199
    deny ip 120.20.59.0 0.0.0.255 120.20.59.0 0.0.0.255
    permit ip 120.20.0.0 0.0.255.55 120.20.0.0 0.0.255.255
    permit ip 2.2.2.0 0.0.0.255 any log

R6-C#ri tu 1
Building configuration...

Current configuration : 164 bytes
!
interface Tunnel1
 ip address 120.20.59.6 255.255.255.0
 ip access-group 102 in
 tunnel source 120.20.26.6
 tunnel destination 120.20.26.2
 crypto map mymap
end

R6-C#
2d23h: OSPF: 2.2.2.2 address 120.20.59.2 on Tunnel1 is dead
2d23h: OSPF: 2.2.2.2 address 120.20.59.2 on Tunnel1 is dead, state DOWN
R6-C#
2d23h: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Tunnel1 from FULL to DOWN, Neighbor Down: Dead timer expired

The moment I remove the crypto map from the tunnel intf. it all starts
working again!!

Any ideas?

>From: "Claudio Spescha"
>Reply-To: "Claudio Spescha"
>To: [EMAIL PROTECTED]
>Subject: RE: IPSec over Tunnel - not working !! [7:62124]
>Date: Wed, 29 Jan 2003 20:54:40 GMT
>
>Hello
>
>You should not encrypt the tunnel network itself.
>First line of access-list 199 should be: access-list 199 deny ip 120.20.59.0 0.0.0.255 120.20.59.0 0.0.0.255
>The router can not build an OSPF adjacency on encrypted traffic.
>
>see

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=62243&t=62124
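
As an added example (not part of the original thread, and not Cisco's implementation): a small Python model of extended-ACL matching with wildcard masks, first match wins and implicit deny, run over two constructed packets. It shows what the first reply describes: a crypto ACL that matches only GRE between the tunnel endpoints never matches OSPF directly, because OSPF travels inside the GRE packet. Assumptions: the GRE outer header carries the tunnel source and destination from the posted config, and the `GRE_ONLY` entry is constructed for illustration.

```python
import ipaddress

PROTO = {"ip": None, "gre": 47, "ospf": 89, "icmp": 1, "tcp": 6, "udp": 17}

def _ip(a):
    return int(ipaddress.IPv4Address(a))

def _addr_spec(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (base, wildcard)."""
    head = tokens.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF
    if head == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(head), _ip(tokens.pop(0))

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST' (ports and 'log' ignored)."""
    tokens = line.split()[2:]
    action, proto = tokens.pop(0), PROTO[tokens.pop(0)]
    return action, proto, _addr_spec(tokens), _addr_spec(tokens)

def _hit(addr, spec):
    base, wild = spec
    care = ~wild & 0xFFFFFFFF  # a wildcard bit of 1 means "don't care"
    return (_ip(addr) & care) == (base & care)

def evaluate(acl_lines, proto, src, dst):
    """First matching entry wins; no match is the implicit deny.
    In a crypto ACL, 'permit' selects the packet for IPsec protection."""
    for line in acl_lines:
        action, p, s, d = parse_ace(line)
        if p in (None, proto) and _hit(src, s) and _hit(dst, d):
            return action
    return "deny"

# ACL 199 as posted for R2 in the thread.
ACL_199_R2 = [
    "access-list 199 permit ip 120.20.0.0 0.0.255.255 120.20.0.0 0.0.255.255",
    "access-list 199 permit ip 2.2.2.0 0.0.0.255 any log",
]
# Constructed GRE-only entry between the posted tunnel source and destination.
GRE_ONLY = ["access-list 199 permit gre host 120.20.26.2 host 120.20.26.6"]

# Constructed packets: (IP protocol number, source, destination).
GRE_OUTER = (47, "120.20.26.2", "120.20.26.6")   # Tunnel1 traffic after encapsulation
OSPF_HELLO = (89, "120.20.59.2", "224.0.0.5")    # hello on Tunnel1 before encapsulation

if __name__ == "__main__":
    for name, acl in (("ACL_199_R2", ACL_199_R2), ("GRE_ONLY", GRE_ONLY)):
        print(name, "GRE outer:", evaluate(acl, *GRE_OUTER),
              "| OSPF hello:", evaluate(acl, *OSPF_HELLO))
```

The model covers ACL matching only; it says nothing about which interface the crypto map is evaluated on.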