[c-nsp] GRE tunnel on GSR

J. Oquendo sil at infiltrated.net
Tue Apr 24 09:37:20 EDT 2007


iwan wibisana wrote:
 > Add "Tunnel mode " at your config :-)
 >
 > Salam
 > Iwan Wibisana
 > NOC Indo.net
 >
 >
 >
 > -----Original Message-----
 > From: cisco-nsp-bounces at puck.nether.net
 > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Primoz Jeroncic
 > Sent: 23 April 2007 16:21
 > To: Cisco Mailing list
 > Subject: [c-nsp] GRE tunnel on GSR
 >
 > box 1
 > interface Tunnel0
 > ip address 10.1.1.1 255.255.255.252
 > tunnel source 10.2.2.1
 > tunnel destination 10.3.3.1
 > !
 > interface FastEthernet2/0
 > ip address 10.2.2.1 255.255.255.0
 >
 > box 2
 > interface Tunnel0
 > ip address 10.1.1.2 255.255.255.252
 > tunnel source 10.3.3.1
 > tunnel destination 10.2.2.1
 > !
 > interface FastEthernet2/0
 > ip address 10.3.3.1 255.255.255.0
 >
 > Both Ethernet interfaces are of course connected and ping works fine between
 > 10.2.2.1 and 10.3.3.1. Also based on Cisco feature navigator this IOS supports
 > GRE, so I have really no idea anymore.
 >
 > I would appreciate any hint, since I'm really without any further ideas
 > about this.

Tunnels need to both be on the same network (10.2.x.x != 10.3.x.x). Anyhow,
did it on the same network and it works fine for me. So here is a test
set-up retried and verified... Check your debug output...

LAB_A#ping 10.20.30.211

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.30.211, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/12 ms
LAB_A#


My RouterA (LAB_A)

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 lifetime 43200
crypto isakmp key testkey address 10.20.30.211

crypto ipsec transform-set TRANS-ESP esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS-AH-ESP ah-sha-hmac esp-3des

crypto map testmap 10 ipsec-isakmp
 set peer 10.20.30.211
 set transform-set TRANS-AH-ESP
 set pfs group5
 match address 104

interface Ethernet0/0
 ip address 10.20.30.210 255.255.255.0
 half-duplex
 crypto map testmap

access-list 104 permit ip 10.20.30.0 0.0.0.255 10.20.30.0 0.0.0.255



My RouterB

crypto map testmap 10 ipsec-isakmp
 set peer 10.20.30.210
 set transform-set TRANS-AH-ESP
 set pfs group5
 match address 104

interface Tunnel0
 ip unnumbered Loopback30
 ip address 10.20.30.211 255.255.255.0
 tunnel source Ethernet0/0
 tunnel mode gre ip
 tunnel destination 10.20.30.210

interface Ethernet0/0
 ip address 10.20.30.211 255.255.255.0
 ip access-group 101 out
 ip pim dense-mode
 full-duplex
 crypto map testmap

access-list 101 permit ip 10.20.30.0 0.0.0.255 10.20.30.0 0.0.0.255



-- 
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
echo infiltrated.net|sed 's/^/sil@/g'

"Wise men talk because they have something to say;
fools, because they have to say something." -- Plato
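
The endpoint relationship in the tunnel configurations above, as an added example (not code from this thread): a small Python check that each side's `tunnel destination` is an address configured on the peer and that the peer's tunnel points back at the local source. The function names are hypothetical and the parser reads only the three commands listed in KEYS.

```python
import re
# Copied from the quoted question on this page (box 1 / box 2).
BOX1 = """\
interface Tunnel0
 ip address 10.1.1.1 255.255.255.252
 tunnel source 10.2.2.1
 tunnel destination 10.3.3.1
!
interface FastEthernet2/0
 ip address 10.2.2.1 255.255.255.0
"""
BOX2 = """\
interface Tunnel0
 ip address 10.1.1.2 255.255.255.252
 tunnel source 10.3.3.1
 tunnel destination 10.2.2.1
!
interface FastEthernet2/0
 ip address 10.3.3.1 255.255.255.0
"""
KEYS = r"\s+(ip address|tunnel source|tunnel destination)\s*(\S*)"

def parse(cfg):
    """Map interface name -> {command: first argument} for the commands in KEYS."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line[:1] not in (" ", ""):  # a top-level line opens or closes a block
            m = re.match(r"interface (\S+)", line)
            cur = ifaces.setdefault(m.group(1), {}) if m else None
        elif cur is not None and (m := re.match(KEYS, line)):
            cur[m.group(1)] = m.group(2)  # a bare command stores ""
    return ifaces

def check(local, peer):
    """Findings for each Tunnel interface in `local`, judged against `peer`."""
    lo, pe, out = parse(local), parse(peer), []
    peer_addrs = {i.get("ip address") for n, i in pe.items() if not n.startswith("Tunnel")}
    for name, t in ((n, i) for n, i in lo.items() if n.startswith("Tunnel")):
        src, dst = t.get("tunnel source", ""), t.get("tunnel destination", "")
        if not src or not dst:
            out.append(f"{name}: incomplete tunnel source/destination")
            continue
        src_ip = lo.get(src, {}).get("ip address", src)  # source may name an interface
        if dst not in peer_addrs:
            out.append(f"{name}: destination {dst} is not a peer interface address")
        elif not any(n.startswith("Tunnel") and p.get("tunnel destination") == src_ip
                     for n, p in pe.items()):
            out.append(f"{name}: no peer tunnel points back at {src_ip}")
    return out
```

`check(BOX1, BOX2)` returns an empty list for the box 1 / box 2 pair as posted, so the endpoint addressing in the question is already mirrored correctly.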
