Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
518
Views
0
Helpful
1
Replies

crypto ipsec gre tunels droped

badeageorge
Level 1
Level 1

‎02-01-2008 06:10 AM - edited ‎02-21-2020 03:31 PM

Hi,

From time to time lots of tunnels drop down due to:

Feb 1 15:10:05 EET: CRYPTO_ENGINE: crypto_pak_coalesce: could not get buffer for new pak. requested size 24

Feb 1 15:10:05 EET: CRYPTO_ENGINE: crypto_pak_coalesce: could not get buffer for new pak. requested size 90

Can somebody help me ?

#sho crypto eli

Hardware Encryption : ACTIVE

Number of hardware crypto engines = 1

CryptoEngine VAM2+:1 details: state = Active

Capability : IPPCP, DES, 3DES, AES, RSA, IPv6

IKE-Session : 423 active, 5120 max, 0 failed

DH : 227 active, 5120 max, 0 failed

IPSec-Session : 746 active, 10230 max, 0 failed

Router:

Cisco 7206VXR (NPE-G1) processor (revision B) with 491520K/32768K bytes of memory.

Labels:
0 Helpful
1 Reply 1

sadbulali
Level 4
Level 4

‎02-07-2008 09:28 AM

To configure Generic Routing Encapsulation (GRE) over an IPSec tunnel between two routers, perform these steps:

Create a tunnel interface (the IP address of tunnel interface on both routers must be in the same subnet), and configure a tunnel source and tunnel destination under tunnel interface configuration, as shown:

interface Tunnel0

ip address 192.168.16.1 255.255.255.0

tunnel source

tunnel destination

Configure isakmp policies, as shown:

crypto isakmp policy 1

authentication pre-share

Configure pre share keys, as shown:

crypto isakmp key cisco123 address (Remote outside interface IP with 32 bit subnet mask)

Configure transform set, as shown:

crypto ipsec transform-set strong esp-3des esp-md5-hmac

Creat crypto ACI that permits GRE traffic from the outside interface of the local router to the outside interface of the remote router, as shown:

access-list 120 permit gre host (local outside interface ip) host (Remote outside interface IP)

Configure crypto map and bind transform set and crypto Access Control List (ACL) to crypto map. Define peer IP address under crypto map, as shown:

crypto map vpn 10 ipsec-isakmp

set peer

set transform-set strong

match address 120

Bind crypto map to the physical (outside) interface if you are running Cisco IOS? Software Release 12.2.15 or later. If not, then the crypto map must be applied to the tunnel interface as well as the physical interace, as shown:

interface Ethernet0/0

ip address

half-duplex

crypto map vpn

Configure Network Address Traslation (NAT) bypass if needed, as shown:

access-list 175 deny ip (local private network) (subnet mask) (remote private network) (subnet mask)

access-list 175 permit ip (local private network) (subnet mask) any

route-map nonat permit 10

match ip address 175

exit

ip nat inside source route-map nonat interface (outside interface name) overload

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents