Hello,
there's a newer and more radical solution to your problem, Jimmy;
just add the following command under interface Tunnel:
tunnel mode ipsec ipv4
You MAY use keepalives now on tunnel.
You MAY use any mode (tunnel or transport) on ipsec profile.
(Was tested on 12.4(15)T* and 12.4(24)T)
==================================================
Date: Tue, 16 Mar 2010 23:05:33 +0100
From: Jimmy Larsson <[email protected]>
Subject: Re: [OSL | CCIE_Security] problem protecting gre-tunnel with
ipsec profile
To: Pieter-Jan Nefkens <[email protected]>
Cc: [email protected]
That was it! After removing the keepalives the tunnel started to
rock-and-roll. Thanks a lot Pieter-Jan!
--------------
This document explains what GRE keepalives are and how they work. The
GRE tunnel keepalives are not supported in conjunction with the
*tunnel protection ipsec profile* command. This document discusses this
issue.
*Note:* *GRE keepalives are not supported together with IPSec tunnel
protection under any circumstances*.
-------------------
2010/3/16 Pieter-Jan Nefkens <[email protected]>
> Hi Jimmy,
>
> Remove the keepalive from the tunnel interface. That usually gives the
> problems.
>
> Check out:
>
> http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a008048cffc.shtml
>
> Although it's a document from 2005, my experience is that keepalives on
> the tunnel interface just don't go with ipsec profiles (which I use
> a lot).
>
> HTH
>
> Kind regards
> Pieter-Jan Nefkens
>
> On 16 Mar 2010, at 22:04, Jimmy Larsson wrote:
>
> Hi there
>
> In my home lab I've set up a GRE tunnel between two routers. It works
> fine until I apply the protection to the tunnel interface. Then the
> tunnel goes down without me finding out why.
>
> Any idea? The configs look like this:
>
> R1:
> crypto isakmp policy 10
> encr aes
> authentication pre-share
> group 2
> crypto isakmp key cisco address 10.10.30.3
> !
> !
> crypto ipsec transform-set TSET esp-aes esp-sha-hmac
> mode transport
> !
> crypto ipsec profile IPSECPROF
> set transform-set TSET
> set pfs group2
> !
> interface Tunnel0
> ip address 10.99.99.1 255.255.255.0
> keepalive 2 3
> tunnel source FastEthernet0.11
> tunnel destination 10.10.30.3
> !
>
> R3:
> crypto isakmp policy 10
> encr aes
> authentication pre-share
> group 2
> crypto isakmp key cisco address 10.10.11.1
> !
> !
> crypto ipsec transform-set TSET esp-aes esp-sha-hmac
> mode transport
> !
> crypto ipsec profile IPSECPROF
> set transform-set TSET
> set pfs group2
> !
> interface Tunnel0
> ip address 10.99.99.3 255.255.255.0
> keepalive 2 3
> tunnel source FastEthernet0.30
> tunnel destination 10.10.11.1
> !
>
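
A small audit for the conflict this thread describes, as an added example that is not part of the original messages: it flags tunnel interfaces that carry both `keepalive` and `tunnel protection ipsec profile`, unless `tunnel mode ipsec ipv4` is set (the exception reported in the reply at the top). The function names and the sample config (R1's Tunnel0 plus a `tunnel protection` line that the posted config does not show) are assumptions.

```python
import re

IFACE = re.compile(r"^interface\s+(Tunnel\S+)", re.IGNORECASE)

def tunnel_blocks(config):
    """Yield (name, [sub-commands]) for every 'interface Tunnel*' block.
    A block ends at a '!' line or at the next 'interface' line."""
    name, cmds = None, []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!" or line.lower().startswith("interface "):
            if name:
                yield name, cmds
            m = IFACE.match(line)
            name, cmds = (m.group(1) if m else None), []
        elif name:
            cmds.append(line.lower())
    if name:
        yield name, cmds

def audit(config):
    """Return tunnel interfaces that combine GRE keepalives with IPsec
    tunnel protection while still in the default GRE tunnel mode."""
    flagged = []
    for name, cmds in tunnel_blocks(config):
        # 'no keepalive' starts with 'no', so it does not match here
        keepalive = any(c.startswith("keepalive") for c in cmds)
        protected = any(c.startswith("tunnel protection ipsec profile") for c in cmds)
        vti = "tunnel mode ipsec ipv4" in cmds
        if keepalive and protected and not vti:
            flagged.append(name)
    return flagged

# Constructed sample: R1's Tunnel0 from the thread, plus the protection
# line that the posted config leaves out (assumption).
BROKEN = """\
interface Tunnel0
ip address 10.99.99.1 255.255.255.0
keepalive 2 3
tunnel source FastEthernet0.11
tunnel destination 10.10.30.3
tunnel protection ipsec profile IPSECPROF
!
"""
# Fix 1 from the thread: drop the keepalive.
NO_KEEPALIVE = BROKEN.replace("keepalive 2 3\n", "")
# Fix 2 from the top reply: keep the keepalive, switch the tunnel mode.
VTI = BROKEN.replace("keepalive 2 3\n", "keepalive 2 3\ntunnel mode ipsec ipv4\n")

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("no keepalive", NO_KEEPALIVE), ("vti", VTI)):
        print(label, audit(cfg))
```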