03-23-2007 10:20 AM - edited 03-03-2019 04:16 PM
Hello all! I have a strange problem while trying to put IPSEC in GRE.
[IPSEC-PIX]---[GW]---[cisco 851]: IPSEC runs between the PIX and the 851, GRE between the GW and the 851. Now I am trying to put all IPSEC in GRE. I created the tunnel and set the following settings on the 851:
ip route 0.0.0.0 0.0.0.0 tun0
inter fast4
 crypto map IPSEC
I can ping the remote end of the GRE tunnel and the remote end of the IPSEC tunnel, BUT no IPSEC session is created (the access-list is right). What to do?
03-23-2007 04:18 PM
Did you check your IKE parameters and IPSEC transform set to see if they match? If you are still having issues, can you post the configuration of both devices?
HTH
Sundar
03-24-2007 12:47 AM
I'll check it. I don't understand, can using a tunnel be a problem when I use IPSEC? I want to encapsulate the entire IPSEC packet in GRE; is it possible?
03-24-2007 05:37 AM
Post your configurations.
It is possible to encapsulate the ESP packet into a GRE tunnel.
Mostly people use it to send multicast routing protocol packets, as IPSEC doesn't support multicast.
Have a look at this link:
http://www.cisco.com/univercd/cc/td/doc/product/vpn/solution/aswan15/sig/sig_05.htm
HTH, rate if it does
Narayan
03-25-2007 05:45 AM
Can you post your config and the "show ver" output?
For a while, turn off the don't defragment bit with a route-map or using the crypto command 'crypto ipsec df-bit clear'.
03-26-2007 10:43 PM
Thanks, you guys!
My config:
[851]
inter tunn0
 ip address 10.10.10.1 255.255.255.252
 tunnel src fast4
 tunnel dest 100.100.100.1
 tunnel mode ipip
inter fast4
 ip address dhcp client-id fast4
 ip mtu 1492
 ip route-cache flow
 crypto map MAP
On the PIX, the peer address for IPSEC is the address of fast4, not the tunnel.
Important: GRE is between the 851 and the ISP router, not between the 851 and the PIX.
03-24-2007 05:04 PM
Without seeing your configs it is hard to troubleshoot. Perhaps the config snippets of GRE over IPSEC that I have provided below will help. This config was used on an ISR router connecting to another ISR router. It will work for a router to PIX or VPN3K as well. If using a PIX or VPN3K you will need a router behind it to anchor the GRE tunnel. Also, with the GRE & IPSEC overhead, you may need to adjust the MTU on the Tunnel interface. I found that adjusting the MTU to 1400 and the MSS to 1360 works the best.
Enjoy!
interface Loopback0
 description *** Loopback 0 ***
 ip address X.X.X.X 255.255.255.255
!
interface Loopback2
 description *** Anchor for GRE Tunnels ***
 ip address X.X.X.X 255.255.255.255
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key
!
crypto ipsec transform-set secure esp-3des esp-md5-hmac
!
crypto map IOSVPN 105 ipsec-isakmp
 description *** Crypto Map to ?????? ***
 set peer
 set transform-set secure
 match address 105
!
interface Tunnel105
 description *** GRE Tunnel to ????? ***
 bandwidth 1024
 ip address X.X.X.X 255.255.255.252
 ip mtu 1400
 ip route-cache flow
 ip tcp adjust-mss 1360
 keepalive 3 3
 tunnel source
 tunnel destination
!
interface FastEthernet0/0
 description *** Public Interface ***
 ip address X.X.X.X 255.255.255.X
 crypto map IOSVPN
!
router eigrp 100
 passive-interface FastEthernet0/0
 network X.X.0.0
 no auto-summary
 eigrp stub connected summary
!
ip route X.X.X.X 255.255.255.255 ISP Next Hop name ?-GRE (Route to far-end Lo2)
ip route
!
access-list 105 remark ---
access-list 105 permit gre host
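
Added example, not part of the original post or any Cisco code: the overhead arithmetic behind the MTU 1400 / MSS 1360 advice above, for a packet that is GRE-encapsulated and then protected with the posted transform set (esp-3des esp-md5-hmac). Assumptions: ESP tunnel mode, IPv4 headers without options, a basic 4-byte GRE header, and no NAT-T.

```python
# Added example: size of an IPv4 packet after GRE and then ESP tunnel mode.
# Assumptions (not from the thread): no IP options, 4-byte GRE header,
# no NAT-T/UDP encapsulation, ESP with 3DES-CBC and HMAC-MD5-96.

IP_HDR = 20        # IPv4 header without options
TCP_HDR = 20       # TCP header without options
GRE_HDR = 4        # GRE header with no key, sequence or checksum fields
ESP_HDR = 8        # SPI (4 bytes) + sequence number (4 bytes)
ESP_IV = 8         # 3DES-CBC initialisation vector
ESP_BLOCK = 8      # 3DES block size; plaintext is padded to a multiple of it
ESP_TRAILER = 2    # pad-length byte + next-header byte
ESP_ICV = 12       # HMAC-MD5 truncated to 96 bits


def gre_size(inner_len):
    """Delivery IP header + GRE header + passenger packet."""
    return IP_HDR + GRE_HDR + inner_len


def esp_tunnel_size(plain_len):
    """Bytes on the wire after ESP tunnel mode wraps plain_len bytes."""
    unpadded = plain_len + ESP_TRAILER
    padded = -(-unpadded // ESP_BLOCK) * ESP_BLOCK   # round up to block size
    return IP_HDR + ESP_HDR + ESP_IV + padded + ESP_ICV


def wire_size(inner_len):
    """Passenger packet -> GRE -> ESP, matching 'permit gre' in the crypto ACL."""
    return esp_tunnel_size(gre_size(inner_len))


def max_tunnel_mtu(link_mtu):
    """Largest passenger packet that crosses link_mtu without fragmentation."""
    mtu = link_mtu
    while wire_size(mtu) > link_mtu:
        mtu -= 1
    return mtu


def mss_for(tunnel_mtu):
    """TCP MSS that keeps a full segment inside tunnel_mtu."""
    return tunnel_mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    for link in (1500, 1492):   # Ethernet, and 'ip mtu 1492' from the 851 config
        best = max_tunnel_mtu(link)
        print(f"link MTU {link}: max tunnel MTU {best}, MSS {mss_for(best)}, "
              f"1400-byte packet -> {wire_size(1400)} bytes on the wire")
```

Under these assumptions a 1400-byte packet leaves the public interface at 1480 bytes, so the 1400/1360 values fit both a 1500-byte and a 1492-byte link with room to spare.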