[c-nsp] RIP over GRE/IPSec tunnel problem
Andris Zarins
andris.zarins at microlink.lv
Thu Mar 9 09:52:39 EST 2006
Hi all,
Taking
http://www.cisco.com/en/US/customer/tech/tk583/tk372/technologies_configuration_example09186a0080093f85.shtml
as an example, I'm trying to configure dynamic RIP routing over a GRE/IPsec
tunnel. Below you can find a very basic configuration of one of the routers;
the peer's configuration is the same, except with the IP addresses swapped.
The problem is that traffic seems to miss the configured ACL (access-list 101
permit gre host 1.1.1.1 host 2.2.2.2) and no tunnel is built, although I can
see traffic matching that access-list in debug:
*Mar 9 14:42:40.771: IP: s=1.1.1.1 (Tunnel0), d=2.2.2.2 (FastEthernet0/1), len 48, sending, proto=47
*Mar 9 14:42:50.771: IP: s=1.1.1.1 (Tunnel0), d=2.2.2.2 (FastEthernet0/1), len 48, sending, proto=47
*Mar 9 14:43:00.771: IP: s=1.1.1.1 (Tunnel0), d=2.2.2.2 (FastEthernet0/1), len 48, sending, proto=47
*Mar 9 14:43:00.855: IP: s=1.1.1.1 (Tunnel0), d=2.2.2.2 (FastEthernet0/1), len 76, sending, proto=47
If I add something like "ip access-list extended 101 permit ip
192.168.123.0 0.0.0.255 any", traffic seems to match the list and the tunnel
is built.
Any ideas / suggestions?
hostname test1
!
resource policy
!
ip subnet-zero
ip cef
!
crypto isakmp policy 25
hash md5
authentication pre-share
crypto isakmp key cisco123 address 2.2.2.2
!
!
crypto ipsec transform-set test esp-3des esp-md5-hmac
mode transport
!
crypto map gre local-address Loopback0
crypto map gre 50 ipsec-isakmp
set peer 2.2.2.2
set transform-set test
match address 101
!
!
!
interface Tunnel0
ip address 10.1.1.1 255.255.255.252
ip mtu 1440
keepalive 10 3
tunnel source Loopback0
tunnel destination 2.2.2.2
crypto map gre
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
description TEST segment 1
ip address 192.168.123.100 255.255.255.0
speed auto
full-duplex
no mop enabled
!
interface FastEthernet0/1
description link to second router
ip address 192.168.5.1 255.255.255.252
duplex auto
speed auto
!
router rip
version 2
network 10.0.0.0
network 192.168.123.0
no auto-summary
!
ip classless
ip route 2.2.2.2 255.255.255.255 192.168.5.2
!
ip http server
no ip http secure-server
!
access-list 101 permit gre host 1.1.1.1 host 2.2.2.2
snmp-server community public RO
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
end
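For comparison, here is an added configuration fragment for the same router (test1) that is not part of the original post or of the Cisco page it references. It keeps the poster's addresses, names and ACL 101 and differs in two points, both of which are assumptions about the deployment: the crypto map is attached to the physical interface the GRE packets actually leave through (FastEthernet0/1, per the static route to 2.2.2.2), which is the placement Cisco's GRE-over-IPsec examples use on IOS 12.2(13)T and later (older releases needed it on both Tunnel0 and the physical interface), and the ISAKMP policy and transform set are moved from MD5/3DES to SHA/AES, which assumes the platform and release support those keywords.

```cisco
! Added example, not from the original post. Assumes IOS 12.2(13)T or later
! and a platform with AES support. Addresses, names and ACL 101 are the ones
! from the posted configuration.
!
crypto isakmp policy 25
 encr aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 2.2.2.2
!
crypto ipsec transform-set test esp-aes esp-sha-hmac
 mode transport
!
crypto map gre local-address Loopback0
crypto map gre 50 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set test
 match address 101
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
! Tunnel0 carries RIP; no crypto map here (assumption: 12.2(13)T or later).
interface Tunnel0
 ip address 10.1.1.1 255.255.255.252
 ip mtu 1440
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 2.2.2.2
!
! The GRE packets (proto 47, 1.1.1.1 -> 2.2.2.2) exit this interface, so the
! crypto map is applied here, where the outbound packet is evaluated against
! ACL 101.
interface FastEthernet0/1
 description link to second router
 ip address 192.168.5.1 255.255.255.252
 crypto map gre
!
ip route 2.2.2.2 255.255.255.255 192.168.5.2
!
access-list 101 permit gre host 1.1.1.1 host 2.2.2.2
```

After applying the change on both peers, a practitioner would check `show crypto map` (the map should list FastEthernet0/1 under "Interfaces using crypto map gre"), `show crypto isakmp sa` for an active QM_IDLE entry with 2.2.2.2, and `show crypto ipsec sa` for non-zero encaps/decaps counters on the 1.1.1.1/2.2.2.2 GRE SA. Two unrelated items in the posted config deserve attention regardless of the tunnel problem: the pre-shared key `cisco123` and the `snmp-server community public RO` line are both well-known defaults and should be replaced (and the SNMP community restricted with an access list) before the router is reachable from anything but a lab segment.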