[c-nsp] IPSEC - CISCO (GRE and NAT too!)
Tuc at T-B-O-H.NET
ml at t-b-o-h.net
Fri Nov 3 13:45:06 EST 2006
> R1:
>
> crypto isakmp policy 1
> encr 3des
> authentication pre-share
> group 5
> !
> crypto isakmp key mykey address 10.0.0.5
> !
> crypto ipsec transform-set myipsec esp-3des esp-sha-hmac
> !
> crypto map mymap 10 ipsec-isakmp
> set peer 10.0.0.5
> set transform-set myipsec
> match address 100
> !
> interface Loopback1
> ip address 1.1.1.1 255.255.255.255
> !
> interface Tunnel1
> ip unnumbered Loopback1
> tunnel source Ethernet1/0
> tunnel destination 10.0.0.5
> !
> interface FastEthernet0/0
> desc ** inside **
> ip address 192.168.10.1 255.255.255.0
> !
> interface Ethernet1/0
> desc ** outside **
> ip address 10.0.0.1 255.255.255.252
> crypto map mymap
> !
> ip route 10.0.0.5 255.255.255.255 10.0.0.2
> ip route 192.168.20.0 255.255.255.0 Tunnel1
> !
> access-list 100 permit gre host 10.0.0.1 host 10.0.0.5
>
>
> R3:
>
> crypto isakmp policy 1
> encr 3des
> authentication pre-share
> group 5
> !
> crypto isakmp key mykey address 10.0.0.1
> !
> crypto ipsec transform-set myipsec esp-3des esp-sha-hmac
> !
> crypto map mymap 10 ipsec-isakmp
> set peer 10.0.0.1
> set transform-set myipsec
> match address 100
> !
> interface Loopback1
> ip address 1.1.1.3 255.255.255.255
> !
> interface Tunnel1
> ip unnumbered Loopback1
> tunnel source Ethernet1/0
> tunnel destination 10.0.0.1
> !
> interface FastEthernet0/0
> desc ** inside **
> ip address 192.168.20.1 255.255.255.0
> !
> interface Ethernet1/0
> desc ** outside **
> ip address 10.0.0.5 255.255.255.252
> crypto map mymap
> !
> ip route 10.0.0.1 255.255.255.255 10.0.0.6
> ip route 192.168.10.0 255.255.255.0 Tunnel1
> !
> access-list 100 permit gre host 10.0.0.5 host 10.0.0.1
>
>
>
Hi Christian,
Thank you very much. Sorry its taken so long to get back.
I've re-looked this over and have 2 items to bring up.
1) On R1 and R3 you have :
ip route 10.0.0.5 255.255.255.255 10.0.0.2
and
ip route 10.0.0.1 255.255.255.255 10.0.0.6
respectively. That is the "next hop" for each of the 2 routers?
(Thus not showing in the configuration) Am I correct on this?
2) In your example you have both the GRE and the IPSEC on the
outside interface. In the example I'm looking at otherwise
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094bff.shtml
They have the IPSEC on the outside interfaces, and Tunnel from
the inside interfaces. Is there any differences between one versus the
other, or does it change how it does things? I need the IPSec as the
outer layer, and the GRE as the inner layer because I am dealing with
NAT.
Thanks, Tuc
More information about the cisco-nsp
mailing list