[c-nsp] IPSEC - CISCO (GRE and NAT too!)
Gert Doering
gert at greenie.muc.de
Wed Nov 1 05:08:06 EST 2006
Hi,
On Tue, Oct 31, 2006 at 05:30:16PM -0500, Tuc at T-B-O-H.NET wrote:
> ERDA/192.136.64.116/IPSEC-TOOLS:
>
> erda# cd /usr/local/etc/racoon/
> erda# cat psk.txt
> 69.28.185.2 donttell
> erda# cat spdadd
> setkey -F
> setkey -FP
> setkey -c <<EOF
> spdadd 0.0.0.0/0 172.16.0.0/24 any -P out ipsec
> esp/tunnel/192.136.64.116-69.28.185.2/unique ;
> spdadd 172.16.0.0/24 0.0.0.0/0 any -P in ipsec
> esp/tunnel/69.28.185.2-192.136.64.116/unique ;
I'm fairly sure that this will not do what you want -- at least not the
way I've understood your original problem ("set up an encrypted GRE tunnel").
*This* is a typical "connection to a remote site over IPSEC (!) tunnel"
setup - it will encrypt everything between "all local addresses" and
"172.16.0.0/24", but it will not care for GRE tunnels or whatever.
If you want GRE tunnel + IPSEC, you need to encrypt *only* (!) packets
with the source and destination IP address matching the tunnel endpoints.
Maybe you could describe your goals in a bit more detail? Until now, you've
posted non-working fragments, but fragments of "different problems" every
time - understanding your aims might help us in helping you with a solution.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
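For contrast with the subnet-to-subnet policy quoted in the post, here is an added example (not from the original thread or either poster) of an ipsec-tools SPD that protects only the GRE traffic between the two tunnel endpoints, which is what Gert is describing. It assumes the endpoint addresses from the quoted config and that the 172.16.0.0/24 traffic is routed into the GRE interface rather than matched by the SPD.

```conf
# Added example, not from the original post. Lines are fed to "setkey -c"
# after "setkey -F" and "setkey -FP", as in the quoted script.
#
# Problem with the quoted policy: it encrypts *all* traffic between any
# local address and 172.16.0.0/24 in tunnel mode, so the GRE tunnel is
# never involved. For GRE over IPsec, the selector must instead be the
# two tunnel endpoints and the GRE protocol (IP protocol 47).
#
# Transport mode is enough here: the GRE header already supplies the
# encapsulation, so ESP only needs to protect the GRE packets themselves.
# "require" makes the kernel drop GRE packets that are not ESP-protected
# rather than letting them leave or arrive in cleartext.

spdadd 192.136.64.116/32 69.28.185.2/32 gre -P out ipsec
        esp/transport//require ;

spdadd 69.28.185.2/32 192.136.64.116/32 gre -P in ipsec
        esp/transport//require ;
```

The 172.16.0.0/24 packets reach the far side by being routed into the GRE interface; they are protected because the resulting GRE packets match these two rules, not because the subnet appears in the SPD.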