Does this apply for the CCIE lab also? Which versions of 12.4T are in lab routers?
Does this support dynamic routing protocols / multicast? Are there any other drawbacks?

Br Jimmy

2010/3/17 Peter Debye <[email protected]>

> Hello,
>
> there's a newer and more radical solution to your problem, Jimmy;
> just add the following command under interface Tunnel:
> tunnel mode ipsec ipv4
>
> You MAY use keepalives now on tunnel.
> You MAY use any mode (tunnel or transport) on ipsec profile.
> (Was tested on 12.4(15)T* and 12.4(24)T)
>
> ==================================================
>
>
> Date: Tue, 16 Mar 2010 23:05:33 +0100
> From: Jimmy Larsson <[email protected]>
> Subject: Re: [OSL | CCIE_Security] problem protecting gre-tunnel with
> ipsec profile
> To: Pieter-Jan Nefkens <[email protected]>
> Cc: [email protected]
> Message-ID:
> <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> That was it! After removing the keep-alives the tunnel started to
> rock-and-roll. Thanks a lot Pieter-Jan!
>
> --------------
>
> This document explains what GRE keepalives are and how they work. The
> GRE tunnel keepalives are not supported in conjunction with the
> *tunnel protection ipsec profile* command. This document discusses this
> issue.
>
> *Note:* *GRE keepalives are not supported together with IPSec tunnel
> protection under any circumstances*.
>
> -------------------
> 2010/3/16 Pieter-Jan Nefkens <[email protected]>
>
> > Hi Jimmy,
> >
> > Remove the keepalive from the tunnel interface. That usually gives the
> > problems..
> >
> > Check out:
> >
> > http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a008048cffc.shtml
> >
> > Although it's a document from 2005, my experience is that keep alive on
> > the tunnel interface just doesn't go with ipsec profiles (which I use
> > a lot)
> >
> > HTH
> >
> > Kind regards
> > Pieter-Jan Nefkens
> >
> > On 16 mrt 2010, at 22:04, Jimmy Larsson wrote:
> >
> > Hi there
> >
> > In my home lab I've set up a GRE-tunnel between two routers. It works
> > fine until I apply the protection of the tunnel-interface. Then the
> > tunnel goes down without me finding out why.
> >
> > Any idea? The configs look like this:
> >
> > R1:
> > crypto isakmp policy 10
> >  encr aes
> >  authentication pre-share
> >  group 2
> > crypto isakmp key cisco address 10.10.30.3
> > !
> > !
> > crypto ipsec transform-set TSET esp-aes esp-sha-hmac
> >  mode transport
> > !
> > crypto ipsec profile IPSECPROF
> >  set transform-set TSET
> >  set pfs group2
> > !
> > interface Tunnel0
> >  ip address 10.99.99.1 255.255.255.0
> >  keepalive 2 3
> >  tunnel source FastEthernet0.11
> >  tunnel destination 10.10.30.3
> > !
> >
> > R3:
> > crypto isakmp policy 10
> >  encr aes
> >  authentication pre-share
> >  group 2
> > crypto isakmp key cisco address 10.10.11.1
> > !
> > !
> > crypto ipsec transform-set TSET esp-aes esp-sha-hmac
> >  mode transport
> > !
> > crypto ipsec profile IPSECPROF
> >  set transform-set TSET
> >  set pfs group2
> > !
> > interface Tunnel0
> >  ip address 10.99.99.3 255.255.255.0
> >  keepalive 2 3
> >  tunnel source FastEthernet0.30
> >  tunnel destination 10.10.11.1
> > !
> >
>

--
-------
Jimmy Larsson
Ryavagen 173
s-26030 Vallakra
Sweden
http://blogg.kvistofta.nu
-------
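
A configuration check built from the advice in this thread, as an added example that is not part of the original messages: it flags Tunnel interfaces that combine `keepalive` with `tunnel protection ipsec profile` while still in GRE mode, and treats `tunnel mode ipsec ipv4` as the exception described in Peter Debye's reply. The sample config, function names and the assumption that the input is `show running-config` style text (sub-commands indented) are constructed for illustration.

```python
import re

# Constructed sample: Tunnel0 mirrors R1 with the protection line applied,
# Tunnel1 adds the mode suggested in the reply, Tunnel2 has no keepalive.
SAMPLE = """\
interface Tunnel0
 keepalive 2 3
 tunnel destination 10.10.30.3
 tunnel protection ipsec profile IPSECPROF
!
interface Tunnel1
 keepalive 2 3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSECPROF
!
interface Tunnel2
 tunnel protection ipsec profile IPSECPROF
"""

def interface_blocks(config):
    """Yield (name, [sub-commands]) for each 'interface' stanza."""
    name, body = None, []
    for raw in config.splitlines():
        m = re.match(r"interface\s+(\S+)", raw)  # header starts at column 0
        if m:
            if name:
                yield name, body
            name, body = m.group(1), []
        elif name and raw.startswith(" "):       # indented: part of the stanza
            body.append(raw.strip())
        elif name:                               # '!' or a global command ends it
            yield name, body
            name, body = None, []
    if name:
        yield name, body

def gre_keepalive_conflicts(config):
    """Return tunnel interfaces with keepalive + IPsec protection in GRE mode."""
    flagged = []
    for name, body in interface_blocks(config):
        if not name.lower().startswith("tunnel"):
            continue
        keepalive = any(re.match(r"keepalive\b", c) for c in body)
        protected = any(c.startswith("tunnel protection ipsec profile") for c in body)
        vti = any(c == "tunnel mode ipsec ipv4" for c in body)
        if keepalive and protected and not vti:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    print(gre_keepalive_conflicts(SAMPLE))
```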
