ipsec over gre

Unanswered Question
Jul 7th, 2008
User Badges:

I am having an issue trying to setup a site to site tunnel using ipsec over gre. i think i have everything setup, but i still can't access the private ip space on the other side of tunnel 1. can someone take a look at it. i have been beating my brains out for a while. attached is my config.

the issue is with tunnel 1. everything is fine with tunnel0, tunnel 1 is giving me the problems. i just can't access anything on the 10.118.x.x network on the other side of t1

my config is attached

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
saugato2000 Mon, 07/07/2008 - 23:10
User Badges:

Hi Drummond,

Can you pls reattch the config. This time just copy the sh run from cli directly to fresh notepad. pls do use tftp, it not opening up properly.

I would also request you to attach a sh ip route for the 10.118.x.x segment and also a sh cry isa sa output.


drummond.r Tue, 07/08/2008 - 09:52
User Badges:

shy cry is sa:

dst src state conn-id slot status

x.y.203.4 a.b.180.83 MM_KEY_EXCH 2082 0 ACTIVE

x.y.203.4 a.b.180.83 MM_NO_STATE 2081 0 ACTIVE (deleted)

sh ip route

Routing entry for

Known via "static", distance 1, metric 0

Redistributing via ospf 11

Routing Descriptor Blocks:


Route metric is 0, traffic share count is 1


Is the IPSec is up at all?

You are refering to ipsec profile tunnel1 but there is only tunnel1-loh configured.

Let's check whether the tunnel itself is up and after the ipsec. If both are are you can further investigate the acls, routing etc.

Hope it helps, rate if does


saugato2000 Tue, 07/08/2008 - 01:38
User Badges:


Thanks Kerek. That helped.

I bilieve kerek is right you need to check if IPSEC is up at all. I do not see any match statements " vpn-dynamic " in the configurations part below.

crypto dynamic-map vpn-dynamic 10

set transform-set tr-transport-aes-sha tr-transport-3des-sha

In this config I find you are using NHSRP, if you are using NHSRP you can use " tunnel mode gre multipoint " command on the existing Tunnel 0 interface.

This will help you establish point to multipoint IPSEC over GRE.

drummond.r Tue, 07/08/2008 - 09:48
User Badges:

tunnel0 isn't the one i am worried about... i can get traffic in and out of that one just fine. it's tunnel1

drummond.r Tue, 07/08/2008 - 05:15
User Badges:

oops, i was trying to sanitize my config to remove public IPs, passwords, and etc....i will fix and repost.


This Discussion