It's exactly as I have in my email earlier.

The only thing that I changed was:

#remove access-list 102 -----not needed as ospf and other ip traffic is inside the tunnel

#change access-list 199 referenced in the cryptomap:

RTA# serial ip = 120.20.26.2 255.255.255.0 tunnel ip = 120.20.59.2 255.255.255.0

Similar setup on RTB:

On both routers set the access-list 199 to:

#access-list 199 permit gre 120.20.59.0 0.0.0.255 120.20.26.0 0.0.0.255

The key here is gre not ip and permit source (tunnel netw) to dest. (serial ip).

I do not have access to my routers right now but if you need more I will
email it to you once I get my new ip from Cox.

Sincerely,

CN

 

>From: "cebuano"
>To: "'Cisco Nuts'"
>Subject: RE: Working - Finallly !!! RE: IPSec over Tunnel [7:62260]
>Date: Fri, 31 Jan 2003 13:31:39 -0500
>
>Hey CN,
>Do you mind sending me the configs? I'd like to mock this up too.
>
>TIA.
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Cisco Nuts
>Sent: Friday, January 31, 2003 11:42 AM
>To: [EMAIL PROTECTED]
>Subject: Working - Finallly !!! RE: IPSec over Tunnel [7:62260]
>
>YES!!!!!!!!!!!!!!!!
>
>It finally worked!!!!!!!!!!!!!!
>
>I had to permit the tunnel ip of the other side(A) to the serial ip on
>this side(B) for gre and vice versa on the other side.
>
>Thank you very much for your help.
>
>This gives me great confidence to surge forward regarding tackling route
>redistribution and routing loops in the real Lab.....(next month)!!
>
>From: "[EMAIL PROTECTED]"
>Reply-To: "[EMAIL PROTECTED]"
>To: [EMAIL PROTECTED]
>Subject: RE: IPSec over Tunnel - not working !! [7:62124]
>Date: Fri, 31 Jan 2003 13:30:54 GMT
>
>Are you using 'crypto map mymap' on the interface connected to R6? I did
>not see it on your configuration.
>
>Where is 102 access-list applied?
>
>The access-list referenced by 'crypto map mymap 10 ipsec-isakmp' should be
>something like this:
>
>access-list xxx permit gre 120.20.59.0 255.255.255.0 yyy.yyy.yyy.yyy 255.255.255.0,
>where yyy is the address of the remote tunnel.
>
>This way you are telling the router to IPSEC the gre traffic sourced by the
>tunnel, destined to the remote tunnel. The OSPF traffic will be inside the
>tunnel, so IPSEC will encrypt OSPF as well.
>
>===========================================================================
>
>R2#
>crypto isakmp policy 1
>authentication pre-share
>group 2
>crypto isakmp key shared address 6.6.6.6
>!
>!
>crypto ipsec transform-set myset esp-des esp-md5-hmac
>!
>crypto map mymap local-address Loopback0
>crypto map mymap 10 ipsec-isakmp
>set peer 6.6.6.6
>set transform-set myset
>match address 199
>!
>interface Tunnel1
>ip address 120.20.59.2 255.255.255.0
>ip access-group 102 in
>tunnel source 120.20.26.2
>tunnel destination 120.20.26.6
>crypto map mymap
>!
>access-list 102 permit ospf any any log
>access-list 102 permit gre any any log
>access-list 102 permit icmp any any echo
>access-list 102 permit icmp any any echo-reply
>access-list 102 permit tcp any any eq 50
>access-list 102 permit tcp any any eq 51
>access-list 102 permit udp any any eq isakmp
>!
>access-list 199 permit ip 120.20.0.0 0.0.255.255 120.20.0.0 0.0.255.255
>access-list 199 permit ip 2.2.2.0 0.0.0.255 any log
>!
>What am I doing wrong?
>Please help.
>Thank you.
>Sincerely,
>CN
>
>"Cisco Nuts" @groupstudy.com on 30/01/2003 09:00:13
>
>Please respond to "Cisco Nuts"
>
>Sent by: [EMAIL PROTECTED]
>
>To: [EMAIL PROTECTED]
>cc:
>Subject: RE: IPSec over Tunnel - not working !! [7:62124]
>
>Hello Claudio,
>
>No luck.....I denied the tunnel intf. itself in the access-list and still
>same problem. The ospf neighbor relation goes down...
>
>R6-C#sh access-lists 199
>Extended IP access list 199
> deny ip 120.20.59.0 0.0.0.255 120.20.59.0 0.0.0.255
> permit ip 120.20.0.0 0.0.255.55 120.20.0.0 0.0.255.255
> permit ip 2.2.2.0 0.0.0.255 any log
>
>R6-C#ri tu 1
>Building configuration...
>
>Current configuration : 164 bytes
>!
>interface Tunnel1
> ip address 120.20.59.6 255.255.255.0
> ip access-group 102 in
> tunnel source 120.20.26.6
> tunnel destination 120.20.26.2
> crypto map mymap
>end
>
>R6-C#
>2d23h: OSPF: 2.2.2.2 address 120.20.59.2 on Tunnel1 is dead
>2d23h: OSPF: 2.2.2.2 address 120.20.59.2 on Tunnel1 is dead, state DOWN
>R6-C#
>2d23h: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Tunnel1 from FULL to DOWN, Neighbor Down: Dead timer expired
>
>The moment I remove the crypto map from the tunnel intf. it all starts
>working again!!
>
>Any ideas?
>
>From: "Claudio Spescha"
>Reply-To: "Claudio Spescha"
>To: [EMAIL PROTECTED]
>Subject: RE: IPSec over Tunnel - not working !! [7:62124]
>Date: Wed, 29 Jan 2003 20:54:40 GMT
>
>Hello
>
>You should not encrypt the tunnel network itself.
>First line of access-list 199 should be:
>access-list 199 deny ip 120.20.59.0 0.0.0.255 120.20.59.0 0.0.0.255
>
>The router can not build an OSPF adjacency on encrypted traffic.





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=62308&t=62260
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
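
The following is an added example, not part of the original thread or any poster's configuration: a small evaluator for the extended ACL entries quoted above, for checking which packets a given access-list 199 selects. The packet tuples are constructed from RTA's addresses in the posts, and which of them the router actually tests depends on where the crypto map is applied (an assumption the script does not resolve).

```python
import ipaddress

# IP protocol numbers for the keywords used in the thread's ACLs ("ip" = any)
PROTO = {"ip": None, "gre": 47, "ospf": 89, "icmp": 1, "tcp": 6, "udp": 17}

# ACL 199 as first posted, and as changed in the final message (from the thread)
ORIGINAL_199 = [
    "access-list 199 permit ip 120.20.0.0 0.0.255.255 120.20.0.0 0.0.255.255",
    "access-list 199 permit ip 2.2.2.0 0.0.0.255 any log",
]
FINAL_199 = ["access-list 199 permit gre 120.20.59.0 0.0.0.255 120.20.26.0 0.0.0.255"]
# Constructed packet tuples (protocol, source, destination) using RTA's addresses
GRE_OUTER = ("gre", "120.20.26.2", "120.20.26.6")      # tunnel source -> tunnel destination
GRE_TUNNEL_IP = ("gre", "120.20.59.2", "120.20.26.6")  # tunnel ip -> far-side serial ip
OSPF_HELLO = ("ospf", "120.20.59.2", "224.0.0.5")      # multicast hello on the tunnel subnet

def _addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    pair = tuple(int(ipaddress.IPv4Address(x)) for x in tokens[:2])
    return pair, tokens[2:]

def parse_entry(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [options]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("not an extended ACL entry: " + line)
    src, rest = _addr(t[4:])
    dst, _options = _addr(rest)   # trailing options such as 'log' are ignored
    return t[2], PROTO[t[3]], src, dst

def _hit(spec, ip):
    base, wild = spec
    # Wildcard bits set to 1 are "don't care"; all other bits must equal the base
    return (int(ipaddress.IPv4Address(ip)) ^ base) & ~wild & 0xFFFFFFFF == 0

def evaluate(acl_lines, packet):
    """First matching entry wins; falling off the end is the implicit deny."""
    proto, src, dst = packet
    for line in acl_lines:
        action, p, s, d = parse_entry(line)
        if p in (None, PROTO[proto]) and _hit(s, src) and _hit(d, dst):
            return action
    return "deny"
```

In a crypto ACL a permit result means the packet is selected for IPsec and a deny result means it is forwarded unprotected. The encaps/decaps counters in `show crypto ipsec sa` confirm on the router which of the two is happening.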
