Jimmy,

Please refer to:
http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629.html

Other information can be found in the documentation.

Regards,
--
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com

On Wed, Mar 17, 2010 at 11:19 AM, Jimmy Larsson <[email protected]> wrote:

> Does this apply for the CCIE lab also? Which versions of 12.4T are in
> lab routers?
>
> Does this support dynamic routing protocols / multicast? Are there any
> other drawbacks?
>
> Br Jimmy
>
>
> 2010/3/17 Peter Debye <[email protected]>
>
>> Hello,
>>
>> there's a newer and more radical solution to your problem, Jimmy;
>> just add the following command under interface Tunnel:
>>  tunnel mode ipsec ipv4
>>
>> You MAY use keepalives now on tunnel.
>> You MAY use any mode (tunnel or transport) on ipsec profile.
>> (Was tested on 12.4(15)T* and 12.4(24)T)
>>
>> ==================================================
>>
>> Date: Tue, 16 Mar 2010 23:05:33 +0100
>> From: Jimmy Larsson <[email protected]>
>> Subject: Re: [OSL | CCIE_Security] problem protecting gre-tunnel with
>>         ipsec profile
>> To: Pieter-Jan Nefkens <[email protected]>
>> Cc: [email protected]
>> Message-ID:
>>         <[email protected]>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> That was it! After removing the keep-alives the tunnel started to
>> rock-and-roll. Thanks a lot Pieter-Jan!
>>
>> --------------
>>
>> This document explains what GRE keepalives are and how they work. The
>> GRE tunnel keepalives are not supported in conjunction with the
>> *tunnel protection ipsec profile* command. This document discusses this
>> issue.
>>
>> *Note:* *GRE keepalives are not supported together with IPSec tunnel
>> protection under any circumstances*.
>>
>> -------------------
>> 2010/3/16 Pieter-Jan Nefkens <[email protected]>
>>
>> > Hi Jimmy,
>> >
>> > Remove the keepalive from the tunnel interface. That usually gives the
>> > problems..
>> >
>> > Check out:
>> >
>> > http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a008048cffc.shtml
>> >
>> > Although it's a document from 2005, my experience is that keepalives on
>> > the tunnel interface just don't go with ipsec profiles (which I use
>> > a lot)
>> >
>> > HTH
>> >
>> > Kind regards
>> > Pieter-Jan Nefkens
>> >
>> > On 16 Mar 2010, at 22:04, Jimmy Larsson wrote:
>> >
>> > Hi there
>> >
>> > In my home lab I've set up a GRE tunnel between two routers. It works
>> > fine until I apply the protection of the tunnel interface. Then the
>> > tunnel goes down without me finding out why.
>> >
>> > Any idea? The configs look like this:
>> >
>> > R1:
>> > crypto isakmp policy 10
>> >  encr aes
>> >  authentication pre-share
>> >  group 2
>> > crypto isakmp key cisco address 10.10.30.3
>> > !
>> > !
>> > crypto ipsec transform-set TSET esp-aes esp-sha-hmac
>> >  mode transport
>> > !
>> > crypto ipsec profile IPSECPROF
>> >  set transform-set TSET
>> >  set pfs group2
>> > !
>> > interface Tunnel0
>> >  ip address 10.99.99.1 255.255.255.0
>> >  keepalive 2 3
>> >  tunnel source FastEthernet0.11
>> >  tunnel destination 10.10.30.3
>> > !
>> >
>> > R3:
>> > crypto isakmp policy 10
>> >  encr aes
>> >  authentication pre-share
>> >  group 2
>> > crypto isakmp key cisco address 10.10.11.1
>> > !
>> > !
>> > crypto ipsec transform-set TSET esp-aes esp-sha-hmac
>> >  mode transport
>> > !
>> > crypto ipsec profile IPSECPROF
>> >  set transform-set TSET
>> >  set pfs group2
>> > !
>> > interface Tunnel0
>> >  ip address 10.99.99.3 255.255.255.0
>> >  keepalive 2 3
>> >  tunnel source FastEthernet0.30
>> >  tunnel destination 10.10.11.1
>> > !
>> >
>
> --
> -------
> Jimmy Larsson
> Ryavagen 173
> s-26030 Vallakra
> Sweden
> http://blogg.kvistofta.nu
> -------
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
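
The conflict this thread turns on, as an added example that is not part of the original messages: a small Python check that flags tunnel interfaces combining `keepalive` with `tunnel protection ipsec profile` while still in GRE mode. The sample config is constructed from R1's posted Tunnel0 with the protection line applied; Tunnel1, `parse_interfaces` and `find_keepalive_conflicts` are hypothetical names, and treating a tunnel with no `tunnel mode` line as GRE is an assumption about the IOS default.

```python
import re

# Constructed sample: R1's Tunnel0 keepalive from the thread with tunnel protection
# applied, plus a hypothetical Tunnel1 using the mode suggested in the reply.
SAMPLE_CONFIG = """\
interface Tunnel0
 keepalive 2 3
 tunnel destination 10.10.30.3
 tunnel protection ipsec profile IPSECPROF
!
interface Tunnel1
 keepalive 2 3
 tunnel destination 10.10.30.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSECPROF
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the interface block
    return interfaces

def find_keepalive_conflicts(config):
    """Names of GRE tunnels that combine keepalives with IPsec tunnel protection."""
    conflicts = []
    for name, cmds in parse_interfaces(config).items():
        if not name.lower().startswith("tunnel"):
            continue
        keepalive = any(re.match(r"keepalive(\s|$)", c) for c in cmds)
        protected = any(c.startswith("tunnel protection ipsec profile") for c in cmds)
        modes = [c for c in cmds if c.startswith("tunnel mode ")]
        # Assumption: with no "tunnel mode" line the tunnel is GRE over IP (IOS default).
        is_gre = not modes or modes[-1].startswith("tunnel mode gre")
        if keepalive and protected and is_gre:
            conflicts.append(name)
    return conflicts

if __name__ == "__main__":
    for name in find_keepalive_conflicts(SAMPLE_CONFIG):
        print(f"{name}: GRE keepalive together with tunnel protection")
```

Only the combination named in the quoted Cisco note is flagged; Tunnel1 is left alone because it is not in GRE mode, which follows the reply in the thread rather than an independent check.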
