I'll try some of those later; for now I think they are doing something on the other side, as phase 1 is not establishing anymore.
I have read somewhere that GRE tunnels need exclusivity on their loopbacks (can't share it with other tunnels), does that really apply?

On Wed, Oct 26, 2011 at 11:45 AM, Phil Mayers <[email protected]> wrote:

> On 26/10/11 14:29, Persio Pucci wrote:
>
>> crypto ipsec transform-set CUSTOMER_CERT esp-3des esp-sha-hmac
>
> I think you want "mode transport" here
>
>> interface Loopback100
>>  description LOOPBACK GRE
>>  ip vrf forwarding CUSTOMER
>>  ip address y.y.y.y 255.255.255.255
>
> You might need the "crypto map" here; I can't remember
>
>> !
>> access-list 151 permit ip any any
>
> I think this ACL is too broad; you just want to match GRE.
>
> We do something very similar to this. Here is an example from our 2800
> tunnel aggregation router:
>
> crypto ipsec transform-set ts1 esp-3des esp-sha-hmac
>  mode transport
>
> crypto map cm1 local-address Loopback1
> crypto map cm1 1 ipsec-isakmp
>  set peer x.x.x.x
>  set transform-set ts1
>  match address 101
>
> interface Loopback1
>  ip address ....
>  crypto map cm1
>
> interface Tunnel1
>  tunnel source Loopback1
>  tunnel destination ....
>  crypto map cm1
>
> interface GigabitEthernet0/0
>  description core
>  ...
>  crypto map cm1
>
> access-list 101 permit gre host <Our IP> host <Peer IP>
> _______________________________________________
> cisco-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
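
Added example, not part of the thread and not either poster's code: a small Python check that applies the two suggestions in the quoted reply (transport mode on the transform set, a crypto ACL that matches only GRE between two hosts) to an IOS config. Both sample configs, the crypto map name CM_EXAMPLE and the 192.0.2.1 / 198.51.100.1 addresses are constructed for illustration.

```python
import re

# Constructed: fragments quoted from the original post, joined by a
# hypothetical crypto map (CM_EXAMPLE) and a documentation peer address.
POSTED = """\
crypto ipsec transform-set CUSTOMER_CERT esp-3des esp-sha-hmac
crypto map CM_EXAMPLE 1 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set CUSTOMER_CERT
 match address 151
access-list 151 permit ip any any
"""
# Constructed: same shape as the example given in the reply.
SUGGESTED = """\
crypto ipsec transform-set ts1 esp-3des esp-sha-hmac
 mode transport
crypto map cm1 1 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set ts1
 match address 101
access-list 101 permit gre host 198.51.100.1 host 192.0.2.1
"""

def audit(config):
    """Return findings for transform sets and ACLs referenced by crypto maps."""
    transport, acls = {}, {}        # set name -> bool, ACL number -> rules
    used_ts, used_acl, current_ts = set(), set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto ipsec transform-set (\S+)", line):
            current_ts = m.group(1)
            transport[current_ts] = False
        elif current_ts and line == "mode transport":
            transport[current_ts] = True
        elif line.startswith("set transform-set "):
            used_ts.update(line.split()[2:])
        elif m := re.match(r"match address (\d+)", line):
            used_acl.add(m.group(1))
        elif m := re.match(r"access-list (\d+) permit (.+)", line):
            acls.setdefault(m.group(1), []).append(m.group(2))
        if not raw.startswith(" ") and not line.startswith("crypto ipsec transform-set"):
            current_ts = None       # left the transform-set sub-mode
    findings = [f"transform-set {ts}: no 'mode transport'"
                for ts in sorted(used_ts) if not transport.get(ts)]
    for num in sorted(used_acl):
        findings += [f"access-list {num}: 'permit {rule}' is not GRE host-to-host"
                     for rule in acls.get(num, [])
                     if not re.match(r"gre host \S+ host \S+$", rule)]
    return findings
```

`audit(POSTED)` reports both points raised in the reply; `audit(SUGGESTED)` returns an empty list.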
