Unable to create VPN tunnel in OSPF environment.

Unanswered Question
Oct 9th, 2008


I've been struggling for the last week to create a successful VPN tunnel between each router in a tree-type router network. I've tried MD5 with 3DES but I failed. Someone on this forum suggested that I use a GRE tunnel with IPsec. Now I'm still unable to create a successful GRE tunnel between two routers in an OSPF routing environment.

I'm sending my configuration. Kindly check it; if it is wrong, give me the right configuration of a VPN tunnel in an OSPF routing environment between two routers.

Marwan ALshawi Thu, 10/09/2008 - 03:48

add this on the routers

crypto isakmp policy 10

encryption des

now u have a problem with ur OSPF

u need to advertise the internal network and the tunnel networks as well only

u don't need to include the external IP address

remove it and add the tunnel network

also for the GRE ACL I would suggest u make the source from the internal network to the remote site internal network

good luck

if helpful Rate

siddindia Fri, 10/10/2008 - 05:10


I have tried to follow your suggestions. Actually, I'm very new to VPN tunnels. I'm sending my current tried configuration.

Now I'm able to create an IPsec tunnel with GRE, but data is not encrypted or decrypted, and also an error message comes in 56 sec.

%cypto-6-isakmp_mode_failure:processing of informational mode failed with peer at xx.xx.xx.xx .

Dear Sir, kindly help me to correct my configuration. Please update my configuration.

singhsaju Fri, 10/10/2008 - 05:52

Hi Siddhartha,

Add the following static routes on the FHQ and Gandhinagar routers and post the results:

hostname FHQ

ip route Serial0/0/1

hostname Gandhinagar

ip route Serial0/0/0



Pls rate helpful posts

siddindia Fri, 10/10/2008 - 22:56

I'm still unable to sort out the problem.

The same error is coming and data is not encrypted or decrypted.

My humble request is to test these scenarios and then suggest to me.

I'm waiting for your reply.

singhsaju Tue, 10/14/2008 - 10:08

Hi Siddhartha,

If you have added the two routes as I mentioned above, can you remove the following commands from the two routers and then check:


no crypto map mymap local-address FastEthernet0/1


no crypto map mymap local-address GigabitEthernet0/0

siddindia Fri, 10/17/2008 - 00:58


Kindly send me a sample configuration of a GRE tunnel with IPsec between two routers. That will be very helpful to me...

Waiting for your response....



Marwan ALshawi Sat, 10/11/2008 - 02:35

try to do the following

on BOTH routers

crypto isakmp identity address

crypto isakmp policy 10

hash md5

authentication pre-share

encryption des

group 2

change the ACLs as following:

access-list 100 permit gre

on the other router:

access-list 100 permit gre

good luck

gcsnetexpert Sat, 10/11/2008 - 06:12

As per my knowledge there is some problem with access-list 100: you should use interesting traffic source and destination addresses in access-list 100 rather than the peer address, because this is a VPN access-list, not the normal access-list applied on any interface.

ariesc_33 Thu, 10/16/2008 - 02:20

Doesn't IPsec have an issue with multicast? OSPF uses multicast to discover a neighbor.

siddindia Fri, 10/17/2008 - 00:53


Kindly send me a tested configuration sample of a GRE tunnel with IPsec between two routers. That will be very helpful to me.

