[c-nsp] GRE over IPSEC wtf?!
Phil Mayers
p.mayers at imperial.ac.uk
Wed Oct 26 09:45:14 EDT 2011
On 26/10/11 14:29, Persio Pucci wrote:
> crypto ipsec transform-set CUSTOMER_CERT esp-3des esp-sha-hmac
I think you want "mode transport" here
>
> interface Loopback100
>
> description LOOPBACK GRE
>
> ip vrf forwarding CUSTOMER
>
> ip address y.y.y.y 255.255.255.255
You might need the "crypto map" here; I can't remember
> !
>
> access-list 151 permit ip any any
I think this ACL is too broad; you just want to match GRE.
We do something very similar to this. Here is an example from our 2800
tunnel aggregation router:
crypto ipsec transform-set ts1 esp-3des esp-sha-hmac
 mode transport

crypto map cm1 local-address Loopback1
crypto map cm1 1 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ts1
 match address 101

interface Loopback1
 ip address ....
 crypto map cm1

interface Tunnel1
 tunnel source Loopback1
 tunnel destination ....
 crypto map cm1

interface GigabitEthernet0/0
 description core
 ...
 crypto map cm1

access-list 101 permit gre host <Our IP> host <Peer IP>
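The two points raised in the reply (transform-set should be "mode transport", and the crypto ACL should match only GRE rather than "ip any any") are the kind of thing worth checking mechanically before a config goes on a box. The following is an added example, not code from the thread or from Cisco: a small Python audit that parses an IOS-style config, resolves each "crypto map ... ipsec-isakmp" entry to its transform-set and ACL, and flags entries whose transform-set is not transport mode or whose ACL permits more than GRE. The config text is constructed for the example (names "CUSTOMER_CERT", "ts1", "cm1", "cm2" and the RFC 5737 documentation addresses are assumptions); it relies on the IOS behaviour that a transform-set with no "mode" line defaults to tunnel mode.

```python
"""Audit a Cisco IOS GRE-over-IPsec config for the two issues raised in the thread:
a transform-set left in (default) tunnel mode, and a crypto-map ACL broader than GRE.
Added example; not code from the mailing-list post."""
import re
from typing import Dict, List, Tuple

# Constructed sample config: cm1 is the "good" map from the reply, cm2 reproduces
# the questionable settings (no 'mode transport', ACL 'permit ip any any').
SAMPLE_CONFIG = """\
crypto ipsec transform-set CUSTOMER_CERT esp-3des esp-sha-hmac
crypto ipsec transform-set ts1 esp-3des esp-sha-hmac
 mode transport
crypto map cm1 local-address Loopback1
crypto map cm1 1 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set ts1
 match address 101
crypto map cm2 1 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set CUSTOMER_CERT
 match address 151
access-list 101 permit gre host 198.51.100.1 host 192.0.2.1
access-list 151 permit ip any any
"""


def _blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split IOS config into (top-level command, [indented sub-commands]) pairs."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def transform_set_modes(config: str) -> Dict[str, str]:
    """Map transform-set name -> 'tunnel' or 'transport'. IOS defaults to tunnel."""
    modes: Dict[str, str] = {}
    for head, body in _blocks(config):
        m = re.match(r"crypto ipsec transform-set (\S+)", head)
        if not m:
            continue
        mode = "tunnel"
        for line in body:
            if line.startswith("mode "):
                mode = line.split()[1]
        modes[m.group(1)] = mode
    return modes


def crypto_map_entries(config: str) -> List[Dict[str, str]]:
    """Collect 'crypto map NAME SEQ ipsec-isakmp' entries with their transform-set and ACL."""
    entries: List[Dict[str, str]] = []
    for head, body in _blocks(config):
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", head)
        if not m:
            continue  # skips e.g. 'crypto map cm1 local-address Loopback1'
        entry = {"map": m.group(1), "seq": m.group(2), "transform_set": "", "acl": ""}
        for line in body:
            parts = line.split()
            if parts[:2] == ["set", "transform-set"]:
                entry["transform_set"] = parts[2]
            elif parts[:2] == ["match", "address"]:
                entry["acl"] = parts[2]
        entries.append(entry)
    return entries


def acl_entries(config: str) -> Dict[str, List[str]]:
    """Map ACL number -> list of its permit entries (text after the ACL number)."""
    acls: Dict[str, List[str]] = {}
    for head, _ in _blocks(config):
        m = re.match(r"access-list (\S+) (permit .*)", head)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
    return acls


def audit(config: str) -> List[str]:
    """Return one finding per crypto-map entry that is not transport-mode or not GRE-only."""
    findings: List[str] = []
    modes = transform_set_modes(config)
    acls = acl_entries(config)
    for e in crypto_map_entries(config):
        where = f"crypto map {e['map']} {e['seq']}"
        ts = e["transform_set"]
        mode = modes.get(ts, "undefined")
        if mode != "transport":
            findings.append(f"{where}: transform-set {ts} is {mode} mode; "
                            f"GRE-over-IPsec wants 'mode transport'")
        for ace in acls.get(e["acl"], []):
            if not ace.startswith("permit gre "):
                findings.append(f"{where}: ACL {e['acl']} entry '{ace}' matches more than GRE")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample, cm1 (transport mode, "permit gre host ... host ...") is clean and cm2 produces both findings. An ACL that matches "ip any any" on a crypto map applied to a core-facing interface would pull every packet on that interface into the SA selector, which is why the reply wants it narrowed to GRE between the two tunnel endpoints.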