[c-nsp] A bit of backup on IPSEC/GRE/NAT

Tuc at T-B-O-H.NET ml at t-b-o-h.net
Sun Nov 5 21:00:44 EST 2006


Hi,

	I've decided to take another step back. Or
maybe just sideways.

	I've compiled dynamips and installed it on
my laptop (And routed a public block there) and compiled
it on my test "server" system on the net. I'm emulating a 
3640 in both places.  I used the configs Christian Zeng 
sent previously, with minor changes only because of setting 
up for the IPSec to the PC (I already have configs I know 
work at least on the IPSec side with it) and not having a 2nd 
interface. 

	So of course this works and seems to be doing
everything properly. (Of course I'm sure everyone
expected it to too)

	So, next I re-ip the one on my laptop for it
to appear to be behind a consumer wireless router.
I open up and forward ports 500 and 4500 to it. I
change the configs what I THINK is correct.  No work... 
It looks like the IPSec is happy, I see what seems 
like the session being up, but it looks like the GRE 
is having serious issues. 

	Can someone desk check me and see if I'm
doing something wrong....

R1:

crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
 lifetime 6000
crypto isakmp key donttell address 69.249.95.230
!
crypto ipsec security-association lifetime seconds 6000
!
crypto ipsec transform-set MB esp-des esp-md5-hmac 
!
crypto map FreeBSDIPSEC-MAP 1 ipsec-isakmp 
 set peer 69.249.95.230
 set transform-set MB 
 set pfs group2
 match address 100
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface Tunnel0
 ip address 192.168.4.1 255.255.255.252
 tunnel source Ethernet0/0
 tunnel destination 69.249.95.230
!
interface Ethernet0/0
 ip address 192.136.64.117 255.255.255.0
 full-duplex
 no mop enabled
 crypto map FreeBSDIPSEC-MAP
!
ip route 172.16.3.0 255.255.255.0 Tunnel0
ip route 69.249.95.230 255.255.255.255 192.136.64.1
!
access-list 100 permit gre host 192.136.64.117 host 69.249.95.230

R3:

crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
 lifetime 6000
crypto isakmp key donttell address 192.136.64.117
!
crypto ipsec security-association lifetime seconds 6000
!
crypto ipsec transform-set MB esp-des esp-md5-hmac 
!
crypto map FreeBSDIPSEC-MAP 1 ipsec-isakmp 
 set peer 192.136.64.117
 set transform-set MB 
 set pfs group2
 match address 100
!
interface Loopback0
 ip address 172.16.3.1 255.255.255.0
!
interface Tunnel0
 ip address 192.168.4.2 255.255.255.252
 tunnel source Ethernet0/0
 tunnel destination 192.136.64.117
!
interface Ethernet0/0
 ip address 129.11.8.11 255.255.255.0
 full-duplex
 crypto map FreeBSDIPSEC-MAP
!
ip route 172.16.1.0 255.255.255.0 Tunnel0
ip route 192.136.64.117 255.255.255.255 129.11.8.1
!
access-list 100 permit gre host 69.249.95.230 host 192.136.64.117
(I've also tried "host 129.11.8.11 host 192.136.64.117")

	Once I can get the "Cisco <>NAT|Cisco" running, I'll
know it's possible and how to do and then can go off and 
address the PC side myself.

		Thanks, Tuc
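The desk check below is an added example, not part of the post or of anything Tuc or the cisco-nsp list wrote. It encodes the two rules that decide whether GRE over IPsec survives a NAT: each router encrypts only what its own crypto ACL matches and checks a decrypted packet against that ACL in reverse (the mirror-image rule), and in IPsec tunnel mode the GRE IP header rides inside ESP, so the NAT in front of R3 rewrites only the ESP/UDP outer header and never the addresses the far router actually compares. The script parses condensed copies of the R1 and R3 configs above (plus the alternative R3 ACL line the post mentions), walks one GRE packet in each direction, and lists every point at which it would be sent in the clear, dropped or fail to match Tunnel0. It goes one step beyond the post by running the same endpoints in transport mode, where the GRE header is the outer header and the NAT rewrites exactly the addresses the peer checks. The static NAT mapping `129.11.8.11 <-> 69.249.95.230` is an assumption drawn from the description of the forwarded consumer router; the function names (`desk_check`, `nat_rewrite`, `check_direction`) are mine.

```python
import re
from dataclasses import dataclass, field

# Constructed, condensed copies of R1 and R3 from the post: only the lines
# this desk check reads (tunnel endpoints, crypto map, crypto ACL) are kept.
R1_CFG = """
crypto map FreeBSDIPSEC-MAP 1 ipsec-isakmp
 match address 100
interface Tunnel0
 tunnel source Ethernet0/0
 tunnel destination 69.249.95.230
interface Ethernet0/0
 ip address 192.136.64.117 255.255.255.0
access-list 100 permit gre host 192.136.64.117 host 69.249.95.230
"""
R3_CFG = """
crypto map FreeBSDIPSEC-MAP 1 ipsec-isakmp
 match address 100
interface Tunnel0
 tunnel source Ethernet0/0
 tunnel destination 192.136.64.117
interface Ethernet0/0
 ip address 129.11.8.11 255.255.255.0
access-list 100 permit gre host 69.249.95.230 host 192.136.64.117
"""
# The alternative ACL line the post says was also tried on R3.
R3_CFG_ALT = R3_CFG.replace("host 69.249.95.230 host", "host 129.11.8.11 host")

# Assumed static NAT in front of R3 (the consumer router forwarding UDP 500/4500).
NAT = ("129.11.8.11", "69.249.95.230")   # (inside, outside)


@dataclass
class Side:
    name: str
    tunnel_src: str = ""
    tunnel_dst: str = ""
    acl: set = field(default_factory=set)   # {(src, dst)} from 'permit gre host A host B'


def parse(name, cfg):
    """Pull the GRE endpoints and the crypto ACL entries out of an IOS config."""
    side, addrs, acls = Side(name), {}, {}
    cur = src_iface = acl_num = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            cur = m.group(1)
        elif m := re.match(r"ip address (\S+) \S+$", line):
            addrs[cur] = m.group(1)
        elif m := re.match(r"tunnel source (\S+)$", line):
            src_iface = m.group(1)
        elif m := re.match(r"tunnel destination (\S+)$", line):
            side.tunnel_dst = m.group(1)
        elif m := re.match(r"match address (\d+)$", line):
            acl_num = m.group(1)
        elif m := re.match(r"access-list (\d+) permit gre host (\S+) host (\S+)$", line):
            acls.setdefault(m.group(1), set()).add((m.group(2), m.group(3)))
    side.tunnel_src = addrs.get(src_iface, src_iface)   # interface name or literal address
    side.acl = acls.get(acl_num, set())
    return side


def nat_rewrite(src, dst, nat):
    """Static NAT: inside->outside on the way out, outside->inside on the way in."""
    inside, outside = nat
    return (outside if src == inside else src, inside if dst == outside else dst)


def check_direction(sender, receiver, nat, mode):
    """Follow one GRE packet from sender to receiver; return a list of problems."""
    findings = []
    src, dst = sender.tunnel_src, sender.tunnel_dst
    encrypted = (src, dst) in sender.acl
    if not encrypted:
        findings.append(f"{sender.name}: GRE {src}->{dst} matches no crypto ACL entry and leaves in the clear")
    if not encrypted or mode == "transport":
        # Here the GRE IP header is the outer header, so the NAT rewrites it.
        src, dst = nat_rewrite(src, dst, nat)
    # In tunnel mode the GRE header sits inside ESP and crosses the NAT untouched.
    if encrypted and (dst, src) not in receiver.acl:
        findings.append(f"{receiver.name}: decrypted GRE {src}->{dst} fails the reverse crypto ACL check and is dropped")
    if not encrypted and (dst, src) in receiver.acl:
        findings.append(f"{receiver.name}: cleartext GRE {src}->{dst} matches its crypto ACL and is dropped as unprotected")
    if (src, dst) != (receiver.tunnel_dst, receiver.tunnel_src):
        findings.append(f"{receiver.name}: GRE {src}->{dst} does not match Tunnel0 "
                        f"(source {receiver.tunnel_src}, destination {receiver.tunnel_dst})")
    return findings


def desk_check(cfg_a, cfg_b, nat, mode="tunnel"):
    """Run the check in both directions for a pair of configs."""
    a, b = parse("R1", cfg_a), parse("R3", cfg_b)
    return check_direction(a, b, nat, mode) + check_direction(b, a, nat, mode)


if __name__ == "__main__":
    for label, cfg in (("posted ACL", R3_CFG), ("alternative ACL", R3_CFG_ALT)):
        for mode in ("tunnel", "transport"):
            print(f"== R3 {label}, IPsec {mode} mode ==")
            for f in desk_check(R1_CFG, cfg, NAT, mode) or ["no mismatch found"]:
                print("  " + f)
```

Run as-is it reports, for the posted configs in tunnel mode, that R3's own GRE (sourced from 129.11.8.11) never matches its crypto ACL and so leaves unencrypted, and that R1's encrypted GRE arrives at R3 addressed to 69.249.95.230, which Tunnel0 on R3 does not own; with the alternative ACL in tunnel mode the reverse-ACL check fails on both sides instead. Only the alternative ACL combined with transport mode comes back clean, which is why transport mode is the usual choice for GRE endpoints behind NAT. The checker reads endpoints and ACLs only; it says nothing about the transform set, and esp-des with MD5 as used in these configs is long deprecated.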
