VPN#sh crypto engine connections active
  ID Interface   IP-Address  State  Algorithm           Encrypt  Decrypt
1478 Fa0/0.100   mypeer      set    HMAC_MD5+3DES_56_C        0        0
2011 Fa0/0.100   mypeer      set    3DES+SHA                  0      224
2012 Fa0/0.100   mypeer      set    3DES+SHA                115        0
VPN_#

VPN#sh cry isa sa
dst      src      state    conn-id slot status
mypeer   hispeer  QM_IDLE     1478    0 ACTIVE
VPN#

On Wed, Oct 26, 2011 at 11:29 AM, Persio Pucci <[email protected]> wrote:

> Phill,
>
> 3745 on my side, using 12.4(25c).
>
> Here is the rundown on the configs (again, my side but I assume the other
> side is fine and there's not much on the tunnel cfg to be wrong). IPs
> removed to protect the innocent.
>
> ip vrf CUSTOMER
>  rd 1:25
>  route-target export 1:25
>  route-target import 1:25
> !
> crypto keyring CUSTOMER_CERT vrf CUSTOMER
>  pre-shared-key address x.x.x.x key *****
> !
> crypto ipsec transform-set CUSTOMER_CERT esp-3des esp-sha-hmac
> !
> crypto map CUSTOMER_CERT 50 ipsec-isakmp
>  description CUSTOMER_CERT
>  set peer x.x.x.x
>  set transform-set CUSTOMER_CERT
>  match address 151
> !
> interface Loopback100
>  description LOOPBACK GRE
>  ip vrf forwarding CUSTOMER
>  ip address y.y.y.y 255.255.255.255
> !
> interface Tunnel100
>  ip vrf forwarding CUSTOMER
>  ip address z.z.z.z 255.255.255.252
>  ip pim sparse-mode
>  ip virtual-reassembly
>  load-interval 30
>  keepalive 10 3
>  tunnel source Loopback100
>  tunnel destination d.d.d.d
>  crypto map CUSTOMER_CERT
> !
> interface FastEthernet0/0.100
>  description VPN CUSTOMER_CERT
>  encapsulation dot1Q 100
>  ip vrf forwarding CUSTOMER
>  ip address s.s.s.s 255.255.255.252
>  ip pim sparse-dense-mode
>  crypto map CUSTOMER_CERT
> !
> ip route vrf CUSTOMER d.d.d.d 255.255.255.255 x.x.x.x
> !
> access-list 151 permit ip any any
> !
>
> On Wed, Oct 26, 2011 at 11:21 AM, Phil Mayers <[email protected]> wrote:
>
>> On 26/10/11 14:15, Persio Pucci wrote:
>>
>>> Hi all,
>>>
>>> I am trying to get a GRE tunnel to work over IPSEC but as expected I am
>>> running into problems, just not the expected ones.
>>>
>>> Phase 1 is fine and established, Phase 2 is fine, SAs are in place. We can
>>> mutually ping our loopbacks, and we see encaps/decaps increasing as we ping
>>> the loopbacks. This all means that the IPSEC part is done and working.
>>>
>>> Now the s****y part: GRE tunnel will not work. Tunnel has simple
>>> source/destination config, with proper IP addressing, but no good.
>>>
>>> Outgoing interface is on a VRF, so are Loopback and Tunnel (all on the same
>>> VRF). Removed keepalive from tunnel due to VRF. Still no good.
>>>
>>
>> This is a horribly tedious mess of nonsense on IOS platforms, and poorly
>> documented to boot. One of my colleagues has spent countless hours with
>> it...
>>
>> What hardware / IOS versions?
>>
>> Can you give the full IPSec & GRE config?
>> _______________________________________________
>> cisco-nsp mailing list [email protected]
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
