[c-nsp] IPSEC - CISCO (GRE and NAT too!)
Christian Zeng
christian at zengl.net
Sat Oct 28 04:29:48 EDT 2006
Hi,
I can't say anything about the FBSD side, but for your Cisco setup:
* Tuc at T-B-O-H.NET <ml at t-b-o-h.net> wrote:
>crypto isakmp key TBOHIPSECGRE address 192.136.64.116
>crypto isakmp key TBOHIPSECGRE address 192.168.4.1
The first line does not seem correct, you have to put the IP address of the
remote end in there (192.136.64.116). The second line is not needed then.
>crypto map mymap local-address Ethernet0
Delete this one too, this is redundant after moving the crypto map.
>crypto map mymap 10 ipsec-isakmp
> set peer 192.136.64.116
> set transform-set myset
> match address 101
>
>interface Tunnel0
> ip address 192.168.4.2 255.255.255.0
> tunnel source Ethernet0
> tunnel destination 192.136.64.116
> crypto map mymap
Remove this and put it at int Eth0
>access-list 101 permit gre any host 192.168.4.2
Change this to
access-list 101 permit gre host 69.28.185.2 host 192.136.64.116
An example config, known to work with 12.3(20):
R1:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 5
!
crypto isakmp key mykey address 10.0.0.5
!
crypto ipsec transform-set myipsec esp-3des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 10.0.0.5
 set transform-set myipsec
 match address 100
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
!
interface Tunnel1
 ip unnumbered Loopback1
 tunnel source Ethernet1/0
 tunnel destination 10.0.0.5
!
interface FastEthernet0/0
 desc ** inside **
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet1/0
 desc ** outside **
 ip address 10.0.0.1 255.255.255.252
 crypto map mymap
!
ip route 10.0.0.5 255.255.255.255 10.0.0.2
ip route 192.168.20.0 255.255.255.0 Tunnel1
!
access-list 100 permit gre host 10.0.0.1 host 10.0.0.5

R3:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 5
!
crypto isakmp key mykey address 10.0.0.1
!
crypto ipsec transform-set myipsec esp-3des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set myipsec
 match address 100
!
interface Loopback1
 ip address 1.1.1.3 255.255.255.255
!
interface Tunnel1
 ip unnumbered Loopback1
 tunnel source Ethernet1/0
 tunnel destination 10.0.0.1
!
interface FastEthernet0/0
 desc ** inside **
 ip address 192.168.20.1 255.255.255.0
!
interface Ethernet1/0
 desc ** outside **
 ip address 10.0.0.5 255.255.255.252
 crypto map mymap
!
ip route 10.0.0.1 255.255.255.255 10.0.0.6
ip route 192.168.10.0 255.255.255.0 Tunnel1
!
access-list 100 permit gre host 10.0.0.5 host 10.0.0.1