Ding ding ding, we got a winner! "tunnel vrf" did the job.
Thank you for all your input!

On Wednesday, October 26, 2011, Peter Rathlev <[email protected]> wrote:
> On Wed, 2011-10-26 at 11:29 -0200, Persio Pucci wrote:
>> Here is the rundown on the configs (again, my side but I assume the other
>> side is fine and there's not much on the tunnel cfg to be wrong). IPs
>> removed to protect the innocent.
> ...
>> interface Loopback100
>>  description LOOPBACK GRE
>>  ip vrf forwarding CUSTOMER
>>  ip address y.y.y.y 255.255.255.255
>> !
>> interface Tunnel100
>>  ip vrf forwarding CUSTOMER
>>  ip address z.z.z.z 255.255.255.252
>>  ip pim sparse-mode
>>  ip virtual-reassembly
>>  load-interval 30
>>  keepalive 10 3
>>  tunnel source Loopback100
>>  tunnel destination d.d.d.d
>
> I would think that you need "tunnel vrf CUSTOMER" here since Lo100 is
> actually in that VRF. I'm not at all sure that this is the problem, but
> it's worth a try. We use it on NPE-G1 12.4(25e).
>
>> crypto map CUSTOMER_CERT
>> !
>
> The crypto map on the tunnel interface? Should it not just appear on the
> physical interface? I decided to use "tunnel protection" instead of
> crypto maps, example here:
>
> http://www.gossamer-threads.com/lists/cisco/nsp/127635#127635
>
> --
> Peter

_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
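Added example, not part of the thread and not Cisco's code: a short Python check for the condition discussed above, a tunnel whose source interface sits in a VRF while the tunnel has no matching "tunnel vrf". The sample config is constructed from the quoted one with placeholder addresses, and the function names are illustrative assumptions.

```python
import re

# Constructed sample modelled on the config quoted in the thread; addresses are placeholders.
SAMPLE = """\
interface Loopback100
 ip vrf forwarding CUSTOMER
!
interface Tunnel100
 ip vrf forwarding CUSTOMER
 tunnel source Loopback100
 tunnel destination 203.0.113.9
!
interface Tunnel200
 ip vrf forwarding CUSTOMER
 tunnel source Loopback100
 tunnel destination 203.0.113.10
 tunnel vrf CUSTOMER
!
"""

def parse_interfaces(config):
    """Map lower-cased interface name -> its indented sub-commands as one string."""
    blocks = {}
    for m in re.finditer(r"^interface (\S+)\n((?: .*\n?)*)", config, re.M):
        blocks[m.group(1).lower()] = m.group(2)
    return blocks

def setting(block, pattern):
    """First capture group of the first sub-command matching pattern, else None."""
    m = re.search(r"^ +" + pattern + r"\s*$", block, re.M)
    return m.group(1) if m else None

def audit_tunnel_vrf(config):
    """Return (tunnel, source VRF, tunnel vrf) wherever the two VRFs differ."""
    blocks, findings = parse_interfaces(config), []
    for name, block in blocks.items():
        source = setting(block, r"tunnel source (\S+)")
        if not name.startswith("tunnel") or source is None:
            continue
        if source.lower() not in blocks:
            continue  # source is an IP address or an unknown interface: not resolved
        src_vrf = setting(blocks[source.lower()], r"(?:ip )?vrf forwarding (\S+)")
        transport_vrf = setting(block, r"tunnel vrf (\S+)")
        if src_vrf != transport_vrf:
            findings.append((name, src_vrf, transport_vrf))
    return findings

if __name__ == "__main__":
    for finding in audit_tunnel_vrf(SAMPLE):
        print("tunnel %s: source VRF %s, tunnel vrf %s" % finding)
```

Tunnels whose source is given as an IP address rather than an interface name are skipped by this check.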
