cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
869
Views
0
Helpful
8
Replies

ipsec over gre

drummond.r
Level 1
Level 1

I am having an issue trying to setup a site to site tunnel using ipsec over gre. i think i have everything setup, but i still can't access the private ip space on the other side of tunnel 1. can someone take a look at it. i have been beating my brains out for a while. attached is my config.

the issue is with tunnel 1. everything is fine with tunnel0, tunnel 1 is giving me the problems. i just can't access anything on the 10.118.x.x network on the other side of t1

my config is attached

8 Replies 8

saugato2000
Level 1
Level 1

Hi Drummond,

Can you pls reattch the config. This time just copy the sh run from cli directly to fresh notepad. pls do use tftp, it not opening up properly.

I would also request you to attach a sh ip route for the 10.118.x.x segment and also a sh cry isa sa output.

thanks.

Hi,

Try to open with wordpad instead of notepad.

Krisztian

here is the config again......i might have messed it up when i was trying to sanitize it....

shy cry is sa:

dst src state conn-id slot status

x.y.203.4 a.b.180.83 MM_KEY_EXCH 2082 0 ACTIVE

x.y.203.4 a.b.180.83 MM_NO_STATE 2081 0 ACTIVE (deleted)

sh ip route 10.118.114.0

Routing entry for 10.118.144.0/20

Known via "static", distance 1, metric 0

Redistributing via ospf 11

Routing Descriptor Blocks:

* 172.16.100.1

Route metric is 0, traffic share count is 1

kerek
Level 4
Level 4

Hi,

Is the IPSec is up at all?

You are refering to ipsec profile tunnel1 but there is only tunnel1-loh configured.

Let's check whether the tunnel itself is up and after the ipsec. If both are are you can further investigate the acls, routing etc.

Hope it helps, rate if does

Krisztian

Hi,

Thanks Kerek. That helped.

I bilieve kerek is right you need to check if IPSEC is up at all. I do not see any match statements " vpn-dynamic " in the configurations part below.

crypto dynamic-map vpn-dynamic 10

set transform-set tr-transport-aes-sha tr-transport-3des-sha

In this config I find you are using NHSRP, if you are using NHSRP you can use " tunnel mode gre multipoint " command on the existing Tunnel 0 interface.

This will help you establish point to multipoint IPSEC over GRE.

tunnel0 isn't the one i am worried about... i can get traffic in and out of that one just fine. it's tunnel1

oops, i was trying to sanitize my config to remove public IPs, passwords, and etc....i will fix and repost.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: