On 26/10/11 14:29, Persio Pucci wrote:
> crypto ipsec transform-set CUSTOMER_CERT esp-3des esp-sha-hmac

I think you want "mode transport" here

> interface Loopback100
>  description LOOPBACK GRE
>  ip vrf forwarding CUSTOMER
>  ip address y.y.y.y 255.255.255.255

You might need the "crypto map" here; I can't remember

> !
> access-list 151 permit ip any any

I think this ACL is too broad; you just want to match GRE.

We do something very similar to this. Here is an example from our 2800
tunnel aggregation router:

crypto ipsec transform-set ts1 esp-3des esp-sha-hmac
 mode transport
crypto map cm1 local-address Loopback1
crypto map cm1 1 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ts1
 match address 101
interface Loopback1
 ip address ....
 crypto map cm1
interface Tunnel1
 tunnel source Loopback1
 tunnel destination ....
 crypto map cm1
interface GigabitEthernet0/0
 description core
 ...
 crypto map cm1
access-list 101 permit gre host <Our IP> host <Peer IP>
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
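
One way to check a configuration against the two suggestions in the reply above (transport mode on the transform set, and a crypto ACL that matches only GRE between the two endpoints), as an added example that is not part of the original post. The `audit` function, the `cm2` crypto map entry and the 192.0.2.x addresses are constructed for illustration.

```python
import re

# Constructed sample: the quoted transform set and ACL 151 beside the reply's ts1 / ACL 101.
# The cm2 entry and the 192.0.2.x documentation addresses are assumptions, not from the post.
SAMPLE = """\
crypto ipsec transform-set CUSTOMER_CERT esp-3des esp-sha-hmac
crypto ipsec transform-set ts1 esp-3des esp-sha-hmac
 mode transport
crypto map cm1 1 ipsec-isakmp
 set transform-set ts1
 match address 101
crypto map cm2 1 ipsec-isakmp
 set transform-set CUSTOMER_CERT
 match address 151
access-list 101 permit gre host 192.0.2.1 host 192.0.2.2
access-list 151 permit ip any any
"""

def audit(config):
    """Return (crypto map entry, finding) pairs for a GRE-over-IPsec config."""
    transport, acls, maps = set(), {}, {}
    block = None  # (kind, name) of the top-level block being parsed
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():  # an unindented command opens a new block
            block = None
            if m := re.match(r"crypto ipsec transform-set (\S+)", line):
                block = ("ts", m.group(1))
            elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
                block = ("map", f"{m.group(1)} {m.group(2)}")
                maps[block[1]] = {}
            elif m := re.match(r"access-list (\d+) permit (\S+) (.+)", line):
                acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif block and block[0] == "ts" and line == "mode transport":
            transport.add(block[1])
        elif block and block[0] == "map":
            if m := re.match(r"(set transform-set|match address) (\S+)", line):
                maps[block[1]][m.group(1)] = m.group(2)
    findings = []
    for name, entry in maps.items():
        ts, acl = entry.get("set transform-set"), entry.get("match address")
        if ts not in transport:
            findings.append((name, f"transform-set {ts} has no 'mode transport'"))
        for proto, rest in acls.get(acl, []):
            if proto != "gre" or "any" in rest.split():
                findings.append((name, f"ACL {acl} is broader than host-to-host GRE"))
    return findings
```

The parser relies on IOS-style indentation of sub-commands, so it expects the output of `show running-config` rather than a flattened paste.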