Phil, 3745 on my side, using 12.4(25c).
Here is the rundown on the configs (again, my side but I assume the other side is fine and there's not much on the tunnel cfg to be wrong). IPs removed to protect the innocent.

ip vrf CUSTOMER
 rd 1:25
 route-target export 1:25
 route-target import 1:25
!
crypto keyring CUSTOMER_CERT vrf CUSTOMER
 pre-shared-key address x.x.x.x key *****
!
crypto ipsec transform-set CUSTOMER_CERT esp-3des esp-sha-hmac
!
crypto map CUSTOMER_CERT 50 ipsec-isakmp
 description CUSTOMER_CERT
 set peer x.x.x.x
 set transform-set CUSTOMER_CERT
 match address 151
!
interface Loopback100
 description LOOPBACK GRE
 ip vrf forwarding CUSTOMER
 ip address y.y.y.y 255.255.255.255
!
interface Tunnel100
 ip vrf forwarding CUSTOMER
 ip address z.z.z.z 255.255.255.252
 ip pim sparse-mode
 ip virtual-reassembly
 load-interval 30
 keepalive 10 3
 tunnel source Loopback100
 tunnel destination d.d.d.d
 crypto map CUSTOMER_CERT
!
interface FastEthernet0/0.100
 description VPN CUSTOMER_CERT
 encapsulation dot1Q 100
 ip vrf forwarding CUSTOMER
 ip address s.s.s.s 255.255.255.252
 ip pim sparse-dense-mode
 crypto map CUSTOMER_CERT
!
ip route vrf CUSTOMER d.d.d.d 255.255.255.255 x.x.x.x
!
access-list 151 permit ip any any
!

On Wed, Oct 26, 2011 at 11:21 AM, Phil Mayers <[email protected]> wrote:

> On 26/10/11 14:15, Persio Pucci wrote:
>
>> Hi all,
>>
>> I am trying to get a GRE tunnel to work over IPSEC but as expected I am
>> running into problems, just not the expected ones.
>>
>> Phase 1 is fine and established, Phase 2 is fine, SAs are in place. We can
>> mutually ping our loopbacks, and we see encaps/decaps increasing as we
>> ping the loopbacks. This all means that the IPSEC part is done and working.
>>
>> Now the s****y part: GRE tunnel will not work. Tunnel has simple
>> source/destination config, with proper IP addressing, but no good.
>>
>> Outgoing interface is on a VRF, so are Loopback and Tunnel (all on the
>> same VRF). Removed keepalive from tunnel due to VRF. Still no good.
>>
>
> This is a horribly tedious mess of nonsense on IOS platforms, and poorly
> documented to boot. One of my colleagues has spent countless hours with
> it...
>
> What hardware / IOS versions?
>
> Can you give the full IPSec & GRE config?
> _______________________________________________
> cisco-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
