"Michael V. Smirnoff" wrote:
>
> On Wed, 26 Jun 2002, Modest M. Sokolov wrote:
> I'd like to have a look at the part about crypto and everything related to it.
>
Cisco26XX---PIX----INTERNET----AS3500
Here is the config from the AS5300:
!
! AS3500 configuration
!
crypto isakmp policy 1
authentication pre-share
lifetime 600
!
crypto isakmp policy 2
hash md5
authentication pre-share
lifetime 600
!
crypto isakmp policy 3
hash md5
lifetime 600
!
crypto isakmp policy 5
encr 3des
authentication pre-share
lifetime 600
!
crypto isakmp policy 10
authentication pre-share
lifetime 600
!
crypto ipsec transform-set dessha esp-des esp-sha-hmac
crypto ipsec transform-set desmd5 esp-des esp-md5-hmac
crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac
crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac
!
crypto isakmp key 12345 address 192.168.1.1
!
crypto map vpn-enterprise local-address Serial2:0
!
crypto map vpn-enterprise 1 ipsec-isakmp
set peer 192.168.1.1
set transform-set 3dessha dessha
match address IPSecGRETunnel
!
crypto isakmp keepalive 3600
!
no ip access-list extended IPSecGRETunnel
ip access-list extended IPSecGRETunnel
permit gre host 192.168.2.1 host 192.168.1.1
deny ip any any
!
interface Tunnel1
description Tunnel #1 to Office2
ip address 10.254.1.5 255.255.255.252
ip broadcast-address 10.254.1.7
ip accounting output-packets
no ip route-cache
no ip mroute-cache
tunnel source Serial2:0
tunnel destination 192.168.1.1
crypto map vpn-enterprise
!
interface Serial2:0
description Connection to ISP
ip address 192.168.2.1 255.255.255.252
ip access-group WorldFilter_Serial2_0 in
ip access-group OutboundFilter out
crypto map vpn-enterprise
!
no ip access-list extended OutboundFilter
ip access-list extended OutboundFilter
permit ip any any reflect EvaluateTraffic
!
no ip access-list extended WorldFilter_Serial2_0
ip access-list extended WorldFilter_Serial2_0
remark Filter For Inbound Traffic on ISP Interface
permit gre any host 192.168.2.1
permit esp any host 192.168.2.1
permit ahp any host 192.168.2.1
permit udp any host 192.168.2.1 eq isakmp
permit ip host 192.168.1.1 host 192.168.2.1
...
evaluate EvaluateTraffic
deny ip any any
!
--
Modest M. Sokolov MMS101-RIPE
mailto:modest@nwgsm.ru +7 812 9673532
=============================================================================
"inet-admins" Internet access mailing list. Maintained by East Connection ISP.
Mail "unsubscribe inet-admins" to Majordomo@info.east.ru if you want to quit.
Archive is accessible on http://info.east.ru/rus/inetadm.html
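Added example, not part of the mail above or of any Cisco tool: a small Python checker that reads a constructed excerpt of the ISAKMP/IPsec section of the posted config, fills in the classic IOS defaults for attributes a policy leaves out (DES, SHA, rsa-sig, group 1) and reports what a reviewer of this config would flag: policies that fall back to single DES, MD5 hashing, the policy with no authentication method set, single-DES transform sets and the short numeric pre-shared key. The threshold of 12 characters for the key is an assumption.

```python
import re
# Constructed excerpt of the ISAKMP/IPsec section of the config in the mail above (no indentation, as in the mail).
SAMPLE_CONFIG = """\
crypto isakmp policy 1
authentication pre-share
lifetime 600
!
crypto isakmp policy 3
hash md5
lifetime 600
!
crypto ipsec transform-set dessha esp-des esp-sha-hmac
crypto isakmp key 12345 address 192.168.1.1
"""
# What classic IOS assumes for an ISAKMP policy attribute that is not configured.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
def parse_isakmp_policies(text):
    # Returns {priority: {attribute: value}}; attributes not configured are filled from the defaults.
    policies, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = int(m.group(1))
            policies[current] = dict(ISAKMP_DEFAULTS)
        elif line in ("!", "") or line.startswith("crypto "):
            current = None  # '!' or another global command ends the policy block
        elif current is not None:
            key, _, value = line.partition(" ")
            key = "encr" if key.startswith("encr") else key  # IOS accepts encr / encryption
            if key in ISAKMP_DEFAULTS:
                policies[current][key] = value
    return policies
def audit(text):
    # Findings a reviewer would raise against this config, returned as plain strings.
    findings = []
    for prio, p in sorted(parse_isakmp_policies(text).items()):
        if p["encr"] == "des":
            findings.append(f"isakmp policy {prio}: single DES (the default when encr is omitted)")
        if p["hash"] == "md5":
            findings.append(f"isakmp policy {prio}: MD5 hash")
        if p["authentication"] == "rsa-sig":
            findings.append(f"isakmp policy {prio}: no 'authentication pre-share', defaults to rsa-sig")
    for name, algs in re.findall(r"crypto ipsec transform-set (\S+) (.+)", text):
        if "esp-des" in algs.split():
            findings.append(f"transform-set {name}: single DES")
    for key in re.findall(r"crypto isakmp key (\S+) address", text):
        if len(key) < 12 or key.isdigit():  # assumed minimum length for a pre-shared key
            findings.append("isakmp pre-shared key is short or numeric-only")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to get the list of findings; feeding it the full config from the mail reports the same classes of issue for policies 2, 3 and 10 and the desmd5/dessha transform sets.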