IPSEC + GRE using loopbacks?

thatgeekinit
Level 1

The remote site, Side A, receives a single BGP route to 5.5.5.5/32 via the provider.

Side B receives a variety of OSPF routes including a default route and a specific route to 4.4.4.4/32 from the core of the campus network.

Two 7206VXR routers running 12.4T.

The GRE tunnel works fine before IPSEC is applied so it does not appear to be a routing issue. It could still be a firewall issue at Site B.

From the counters it appears the IPsec SA only works in one direction, with traffic going from A to B but not from B to A, and therefore the GRE tunnel stays down.

Should the crypto map apply to the physical interface, the tunnel, both? I see conflicting docs and examples. Also keep in mind that neither side has a route to the other's physical addresses. Only the loopbacks.

Router A1

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key PASSWORD address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set VPN1 esp-aes 256 esp-sha-hmac
 mode transport
!
crypto map VPN local-address Loopback0
crypto map VPN 1041 ipsec-isakmp
 set peer 5.5.5.5
 set transform-set VPN1
 match address 101
!
access-list 101 permit gre host 4.4.4.4 host 5.5.5.5
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface Tunnel0
 ip address 192.168.10.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 5.5.5.5
!
interface GigabitEthernet0/1
 description LAN
!
interface GigabitEthernet0/2
 description WAN
 ip address 10.10.10.14 255.255.255.252
 crypto map VPN

Router B1

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key PASSWORD address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set VPN1 esp-aes 256 esp-sha-hmac
 mode transport
!
! local-address must name the crypto map (VPN), not the transform-set (VPN1); the line as posted read VPN1
crypto map VPN local-address Loopback0
crypto map VPN 1040 ipsec-isakmp
 set peer 4.4.4.4
 set transform-set VPN1
 match address 101
!
access-list 101 permit gre host 5.5.5.5 host 4.4.4.4
!
interface Loopback0
 ip address 5.5.5.5 255.255.255.255
!
interface Tunnel0
 ip address 192.168.10.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 4.4.4.4
!
interface GigabitEthernet0/1
 description LAN
!
interface GigabitEthernet0/2
 description WAN
 ip address 192.168.100.1 255.255.255.252
 crypto map VPN

2 Replies

Richard Burts
Hall of Fame

Jason

Whether the crypto map goes on the physical, the tunnel, or both depends on the version of code that you are running. In older versions of code it went on both. In newer versions of code it goes on only the physical. I see that you are running 12.4T and so the crypto map should be only on the physical interfaces.

The partial configs that you posted look ok and I do not see any particular problem with what is posted. One possible issue is how you get traffic to go over the tunnel. Could you post the parts of the configs that direct traffic over the tunnels? This might help us to find the source of your problem.

HTH

Rick

Turned out to be a routing issue. Pair 1 was receiving the routes to the WAN out the wrong interface. DOH
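As an added example (my code, not part of the thread, not Cisco's, and not the poster's configuration): a small Python checker that parses a pair of IOS-style configs in the subset used above and reports the mismatches that leave an ISAKMP/IPsec SA working in one direction. The two sample configs are constructed to resemble Router A1 and B1; the B1 sample deliberately carries a `local-address` that names the transform-set instead of the crypto map, a crypto map applied on Tunnel0, and no route to the peer loopback, so it exercises Rick's point about crypto map placement on 12.4T and the routing cause the poster finally found. The handled command syntax is an assumed subset of IOS, not a full parser.

```python
import ipaddress
import re

# Constructed sample configs shaped like the thread's Router A1 and B1; B1 carries three defects.
ROUTER_A1 = """\
crypto map VPN local-address Loopback0
crypto map VPN 1041 ipsec-isakmp
 set peer 5.5.5.5
 match address 101
access-list 101 permit gre host 4.4.4.4 host 5.5.5.5
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
interface Tunnel0
 ip address 192.168.10.1 255.255.255.252
 tunnel destination 5.5.5.5
interface GigabitEthernet0/2
 ip address 10.10.10.14 255.255.255.252
 crypto map VPN
ip route 5.5.5.5 255.255.255.255 10.10.10.13
"""
ROUTER_B1 = """\
crypto map VPN1 local-address Loopback0
crypto map VPN 1040 ipsec-isakmp
 set peer 4.4.4.4
 match address 101
access-list 101 permit gre host 5.5.5.5 host 4.4.4.4
interface Loopback0
 ip address 5.5.5.5 255.255.255.255
interface Tunnel0
 ip address 192.168.10.2 255.255.255.252
 tunnel destination 4.4.4.4
 crypto map VPN
interface GigabitEthernet0/2
 ip address 192.168.100.1 255.255.255.252
 crypto map VPN
ip route 10.0.0.0 255.0.0.0 192.168.100.2
"""

def parse_config(text):
    # Collect local-address bindings, crypto maps, crypto ACLs, interfaces and static routes.
    cfg = {"local_address": {}, "maps": {}, "acls": {}, "interfaces": {}, "routes": []}
    stanza = None  # ("map", name) or ("intf", name) while inside an indented block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):  # top-level command: a new stanza may begin here
            stanza = None
            if m := re.match(r"crypto map (\S+) local-address (\S+)$", line):
                cfg["local_address"][m[1]] = m[2]
            elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", line):
                stanza = ("map", m[1])
                cfg["maps"].setdefault(m[1], {"peer": None, "acl": None})
            elif m := re.match(r"access-list (\d+) permit (\S+) host (\S+) host (\S+)$", line):
                cfg["acls"].setdefault(m[1], []).append((m[2], m[3], m[4]))
            elif m := re.match(r"interface (\S+)$", line):
                stanza = ("intf", m[1])
                cfg["interfaces"][m[1]] = {"ip": None, "crypto_map": None}
            elif m := re.match(r"ip route (\S+) (\S+) \S+$", line):
                cfg["routes"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif stanza and stanza[0] == "map":
            if line.startswith("set peer "):
                cfg["maps"][stanza[1]]["peer"] = line.split()[2]
            elif line.startswith("match address "):
                cfg["maps"][stanza[1]]["acl"] = line.split()[2]
        elif stanza and stanza[0] == "intf":
            if line.startswith("ip address "):
                cfg["interfaces"][stanza[1]]["ip"] = line.split()[2]
            elif line.startswith("crypto map "):
                cfg["interfaces"][stanza[1]]["crypto_map"] = line.split()[2]
    return cfg

def isakmp_source(cfg, map_name):
    # Address the map sources ISAKMP from: the local-address interface's IP, if that binding exists.
    intf = cfg["local_address"].get(map_name)
    return cfg["interfaces"].get(intf, {}).get("ip") if intf else None

def check_pair(name_a, a, name_b, b):
    # Run every check from each side's point of view; an empty list means the pair is consistent.
    out = []
    for me, x, them, y in ((name_a, a, name_b, b), (name_b, b, name_a, a)):
        for map_name in x["local_address"]:
            if map_name not in x["maps"]:
                out.append(f"{me}: local-address names crypto map {map_name!r}, which is not defined")
        for intf, d in x["interfaces"].items():
            if d["crypto_map"] and intf.lower().startswith("tunnel"):
                out.append(f"{me}: crypto map {d['crypto_map']} on {intf}; on 12.4T it belongs on the physical interface only")
        far = {isakmp_source(y, m) for m in y["maps"]} - {None}
        mirror = {(p, d, s) for m in y["maps"].values() for p, s, d in y["acls"].get(m["acl"], [])}
        for map_name, e in x["maps"].items():
            if e["peer"] not in far:
                out.append(f"{me}: crypto map {map_name} peers with {e['peer']}, but {them} sources ISAKMP from {sorted(far) or 'no bound loopback'}")
            if set(x["acls"].get(e["acl"], [])) != mirror:
                out.append(f"{me}: crypto ACL {e['acl']} is not the mirror image of {them}'s crypto ACL")
            if e["peer"] and not any(ipaddress.ip_address(e["peer"]) in n for n in x["routes"]):
                out.append(f"{me}: no route to peer {e['peer']}; nothing is encrypted, let alone delivered")
    return out

if __name__ == "__main__":
    for finding in check_pair("A1", parse_config(ROUTER_A1), "B1", parse_config(ROUTER_B1)):
        print(finding)
```

Run as a script it prints four findings for the sample pair: the undefined map name behind B1's `local-address`, the crypto map on Tunnel0, A1 peering with an address B1 never sources ISAKMP from (the direct consequence of that `local-address` typo), and the missing route on B1. The mirror-image ACL check passes, which matches Rick's reading that the posted crypto configs themselves look fine.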
