GRE over IPSec
R2#
! Interface configuration:
conf t
inter fa1/1
no shut
ip address 1.1.1.1 255.255.255.252
exit
!
! Interface configuration:
inter fa1/0
no shut
ip add 10.10.10.1 255.255.255.0
exit
!
! Create a virtual tunnel interface and give it an IP address that is not used anywhere else in your internal network, then define the tunnel source and destination.
inter tu0
ip add 172.16.14.1 255.255.255.252
tunnel source 1.1.1.1
tunnel destination 1.1.1.2
exit
!
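! Define the policy for phase 1 (ISAKMP).
! 3DES, MD5, DH group 5 and the key "cisco" are lab values; outside a lab use AES, SHA-2, a larger DH group and a long random key.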
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 5
!
crypto isakmp key cisco address 1.1.1.2
!
crypto ipsec transform-set tunnel1 esp-aes esp-sha-hmac
!
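! Crypto ACL: match only GRE between the two tunnel endpoints.
! ACL masks are wildcards, so 255.255.255.255 would match any address; use the host keyword.
ip access-list ex GRE1
permit gre host 1.1.1.1 host 1.1.1.2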
!
! Create a crypto map
crypto map mymap 10 ipsec-isakmp
set peer 1.1.1.2
set transform-set tunnel1
match address GRE1
!
! Apply the crypto map to the exit interface
interface fa1/1
crypto map mymap
!
! Turn ON the tunnel :)
inter tun0
no shut
!
exit
=========
On R3
R3#
conf t
inter fa1/0
no shut
ip address 1.1.1.2 255.255.255.252
exit
!
inter fa1/1
no shut
ip add 20.20.20.1 255.255.255.0
exit
!
inter tu0
ip add 172.16.14.2 255.255.255.252
tunnel source 1.1.1.2
tunnel destination 1.1.1.1
exit
!
! Define the policy for phase 1 (ISAKMP); it must match the policy on R2
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 5
!
crypto isakmp key cisco address 1.1.1.1
!
crypto ipsec transform-set tunnel1 esp-aes esp-sha-hmac
!
! Crypto ACL: mirror of the R2 entry, matching only GRE between the two endpoints
ip access-list ex GRE1
permit gre host 1.1.1.2 host 1.1.1.1
!
crypto map mymap 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set tunnel1
match address GRE1
!
interface fa1/0
crypto map mymap
!
inter tun0
no shut
!
exit
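An added example, not part of the original post: a small Python check that audits configuration text like the R2 section above for legacy phase 1 algorithms, a short pre-shared key, a crypto ACL whose 255.255.255.255 wildcard matches any address, and a crypto map peer that differs from the tunnel destination. The sample text, the `audit` function, the weak-value lists and the 16-character key threshold are assumptions of this example.

```python
import re

# Constructed sample modelled on the R2 crypto configuration; the ACL line is
# written with 255.255.255.255 masks so that the wildcard check has input.
R2 = """\
interface Tunnel0
 tunnel source 1.1.1.1
 tunnel destination 1.1.1.2
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto isakmp key cisco address 1.1.1.2
ip access-list extended GRE1
 permit gre 1.1.1.1 255.255.255.255 1.1.1.2 255.255.255.255
crypto map mymap 10 ipsec-isakmp
 set peer 1.1.1.2
 match address GRE1
"""

# Assumed policy for this example: values treated as legacy in phase 1.
WEAK = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}

def audit(config):
    """Return a list of findings for one router's configuration text."""
    findings = []
    for line in map(str.strip, config.splitlines()):
        words = line.split()
        if len(words) == 2 and words[1] in WEAK.get(words[0], ()):
            findings.append(f"weak phase 1 setting: {line}")
        # An ACL wildcard of 255.255.255.255 ignores every address bit, so the
        # entry matches any host; 'host a.b.c.d' is what pins one address.
        if words[:2] == ["permit", "gre"] and "255.255.255.255" in words:
            findings.append(f"crypto ACL matches any address: {line}")
        m = re.match(r"crypto isakmp key (\S+) address", line)
        if m and len(m.group(1)) < 16:  # assumed minimum key length
            findings.append("pre-shared key shorter than 16 characters")
    dest = re.search(r"tunnel destination (\S+)", config)
    peer = re.search(r"set peer (\S+)", config)
    if dest and peer and dest.group(1) != peer.group(1):
        findings.append("tunnel destination differs from crypto map peer")
    return findings

if __name__ == "__main__":
    for finding in audit(R2):
        print(finding)
```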
=================
Debug command:
debug tunnel
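This is the debug output taken when the tunnel comes up (the capture shows 172.168.16.x tunnel addresses and an EIGRP adjacency, neither of which is part of the configuration above):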
=================================================
*Oct 11 04:28:30.027: %CRYPTO-6-IKMP_POLICY_DEFAULT: Using ISAKMP Default policies
*Oct 11 04:28:35.771: Tunnel0: GRE/IP encapsulated 1.1.1.1->1.1.1.2 (linktype=7, len=84)
*Oct 11 04:28:35.775: Tunnel0 count tx, adding 0 encap bytes
*Oct 11 04:28:36.955: Tunnel0: GRE/IP to classify 1.1.1.2->1.1.1.1 (tbl=0,"Default" len=96 ttl=254 tos=0xC0)
*Oct 11 04:28:36.959: Tunnel0: GRE/IP to classify 1.1.1.2->1.1.1.1 (tbl=0,"Default" len=96 ttl=254 tos=0xC0)
*Oct 11 04:28:36.963: Tunnel0: GRE/IP (PS) to decaps 1.1.1.2->1.1.1.1 (tbl=0,"default" len=96 ttl=253)
*Oct 11 04:28:36.967: Tunnel0: GRE decapsulated IP packet (linktype=7, len=72)
*Oct 11 04:28:36.971: Tunnel0: GRE/IP to classify 1.1.1.2->1.1.1.1 (tbl=0,"Default" len=64 ttl=254 tos=0xC0)
*Oct 11 04:28:36.971: Tunnel0: GRE/IP to classify 1.1.1.2->1.1.1.1 (tbl=0,"Default" len=64 ttl=254 tos=0xC0)
*Oct 11 04:28:36.983: %DUAL-5-NBRCHANGE: EIGRP-IPv4 110: Neighbor 172.168.16.2 (Tunnel0) is up: new adjacency
Router#sh inter tu0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 172.168.16.1/30
MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 1.1.1.1, destination 1.1.1.2
Tunnel protocol/transport GRE/IP