YES!!!!!!!!!!!!!!!! It finally worked!!!!!!!!!!!!!!
I had to permit the tunnel ip of the other side(A) to the serial ip on this side(B) for gre and vice versa on the other side. Thank you very much for your help. This gives me great confidence to surge forward regarding tackling route redistribution and routing loops in the real Lab.....(next month)!! >From: "[EMAIL PROTECTED]" >Reply-To: "[EMAIL PROTECTED]" >To: [EMAIL PROTECTED] >Subject: RE: IPSec over Tunnel - not working !! [7:62124] >Date: Fri, 31 Jan 2003 13:30:54 GMT > >Are you using 'crypto map mymap' on the interface connected to R6? I did >not see it on your configuration. > >Where is 102 access-list applied? > >The access-list referenced by 'crypto map mymap 10 ipsec-isakmp' should be >something like this: > >access-list xxx permit gre 120.20.59.0 255.255.255.0 yyy.yyy.yyy.yyy >255.255.255.0, >where yyy is the address of the remote tunnel. > >This way you are telling the router to IPSEC the gre traffic sourced by the >tunnel, destinated to the remote tunnel. The OSPF traffic will be inside >the tunnel, so IPSEC will encrypt OSPF as well. > >=========================================================================== > >R2# >crypto isakmp policy 1 >authentication pre-share >group 2 >crypto isakmp key shared address 6.6.6.6 >! >! >crypto ipsec transform-set myset esp-des esp-md5-hmac >! >crypto map mymap local-address Loopback0 >crypto map mymap 10 ipsec-isakmp >set peer 6.6.6.6 >set transform-set myset >match address 199 >! >interface Tunnel1 >ip address 120.20.59.2 255.255.255.0 >ip access-group 102 in >tunnel source 120.20.26.2 >tunnel destination 120.20.26.6 >crypto map mymap >! >access-list 102 permit ospf any any log >access-list 102 permit gre any any log >access-list 102 permit icmp any any echo >access-list 102 permit icmp any any echo-reply >access-list 102 permit tcp any any eq 50 >access-list 102 permit tcp any any eq 51 >access-list 102 permit udp any any eq isakmp! >access-list 199 permit ip 120.20.0.0 0.0.255.255 120.20.0.0 0.0.255.255 >access-list 199 permit ip 2.2.2.0 0.0.0.255 any log!What am I doing >wrong?Please help.Thank you.Sincerely,CN > > > > > >"Cisco Nuts" @groupstudy.com em 30/01/2003 09:00:13 > >Favor responder a "Cisco Nuts" > >Enviado Por: [EMAIL PROTECTED] > > >Para: [EMAIL PROTECTED] >cc: > >Assunto: RE: IPSec over Tunnel - not working !! [7:62124] > > >Hello Claudio, > >No luck.....I denied the tunnel intf. itself in the access-list and still >same problem. The ospf neighbor relation goes down... > >R6-C#sh access-lists 199 >Extended IP access list 199 > deny ip 120.20.59.0 0.0.0.255 120.20.59.0 0.0.0.255 > permit ip 120.20.0.0 0.0.255.55 120.20.0.0 0.0.255.255 > permit ip 2.2.2.0 0.0.0.255 any log > >R6-C#ri tu 1 >Building configuration... > >Current configuration : 164 bytes >! >interface Tunnel1 > ip address 120.20.59.6 255.255.255.0 > ip access-group 102 in > tunnel source 120.20.26.6 > tunnel destination 120.20.26.2 > crypto map mymap >end > >R6-C# >2d23h: OSPF: 2.2.2.2 address 120.20.59.2 on Tunnel1 is dead >2d23h: OSPF: 2.2.2.2 address 120.20.59.2 on Tunnel1 is dead, state DOWN >R6-C# >2d23h: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Tunnel1 from FULL to >DOWN, Neighbor Down: Dead timer expired > >The moment I remove the crypto map from the tunnel intf. it all starts >working again!! > >Any ideas? > > >From: "Claudio Spescha" >Reply-To: "Claudio Spescha" >To: >[EMAIL PROTECTED] >Subject: RE: IPSec over Tunnel - not working !! >[7:62124] >Date: Wed, 29 Jan 2003 20:54:40 GMT > >Hello > >You should not >encrypt the tunnel network itself. >First line of access-list 199 should >be: access-list 199 deny ip 120.20.59.0 >0.0.0.255 120.20.59.0 0.0.0.255 > >The router can not build an OSPF adjacency on encrypted traffic. > >see >misconduct and Nondisclosure violations to [EMAIL PROTECTED] > >------------------------------------------------------------------------ > >The new MSN 8: smart spam protection and 2 months FREE* > > > > misconduct and Nondisclosure violations to [EMAIL PROTECTED] ------------------------------------------------------------------------ The new MSN 8: smart spam protection and 2 months FREE* Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62260&t=62260 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
