02-22-2009 01:08 PM - edited 02-21-2020 04:09 PM
The remote site, Side A receives a single BGP route to 5.5.5.5/32 via the provider.
Side B receives a variety of OSPF routes including a default route and a specific route to 4.4.4.4/32 from the core of the campus network.
Two 7206VXR routers running 12.4T.
The GRE tunnel works fine before IPsec is applied, so it does not appear to be a routing issue. It could still be a firewall issue at Site B.
From the counters it appears the IPsec SA only works in one direction, with traffic going from A to B but not from B to A, and therefore the GRE tunnel stays down.
Should the crypto map apply to the physical interface, the tunnel, both? I see conflicting docs and examples. Also keep in mind that neither side has a route to the other's physical addresses. Only the loopbacks.
Router A1
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key PASSWORD address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set VPN1 esp-aes 256 esp-sha-hmac
 mode transport
!
crypto map VPN local-address Loopback0
crypto map VPN 1041 ipsec-isakmp
 set peer 5.5.5.5
 set transform-set VPN1
 match address 101
!
! Interesting traffic: only the GRE packets between the two loopbacks
access-list 101 permit gre host 4.4.4.4 host 5.5.5.5
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface Tunnel0
 ip address 192.168.10.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 5.5.5.5
!
interface GigabitEthernet0/1
 description LAN
!
interface GigabitEthernet0/2
 description WAN
 ip address 10.10.10.14 255.255.255.252
 crypto map VPN
Router B1
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key PASSWORD address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set VPN1 esp-aes 256 esp-sha-hmac
 mode transport
!
! The map name on the local-address line must match the map entries below
! (posted as "VPN1"; the entries and the interface both use "VPN")
crypto map VPN local-address Loopback0
crypto map VPN 1040 ipsec-isakmp
 set peer 4.4.4.4
 set transform-set VPN1
 match address 101
!
! Interesting traffic: only the GRE packets between the two loopbacks
access-list 101 permit gre host 5.5.5.5 host 4.4.4.4
!
interface Loopback0
 ip address 5.5.5.5 255.255.255.255
!
interface Tunnel0
 ip address 192.168.10.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 4.4.4.4
!
interface GigabitEthernet0/1
 description LAN
!
interface GigabitEthernet0/2
 description WAN
 ip address 192.168.100.1 255.255.255.252
 crypto map VPN
02-27-2009 02:56 PM
Jason
Whether the crypto map goes on the physical, the tunnel, or both depends on the version of code that you are running. In older versions of code it went on both. In newer versions of code it goes on only the physical. I see that you are running 12.4T and so the crypto map should be only on the physical interfaces.
The partial configs that you posted look ok and I do not see any particular problem with what is posted. One possible issue is how you get traffic to go over the tunnel. Could you post the parts of the configs that direct traffic over the tunnels? This might help us to find the source of your problem.
HTH
Rick
03-03-2009 01:16 PM
Turned out to be a routing issue. Pair 1 was receiving the routes to the WAN out the wrong interface. DOH
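The points raised in this thread (on 12.4T the crypto map goes on the physical interface only, the map named on the local-address line must match the map entries, the crypto ACL must match GRE between the two loopbacks, and the route to the peer loopback must not point back into the tunnel) turned into a small config checker below. This is an added example, not part of the original thread and not Cisco code. The two configs it parses are constructed from the posted fragments; the static routes are assumptions added so the routing check has something to test, and B1's route into Tunnel0 is deliberately wrong to show the recursive-routing trap that keeps a GRE tunnel flapping.

```python
import ipaddress

# Constructed inputs (assumptions, not the poster's full running-config): the posted
# fragments in real IOS syntax, each with one static route added so the recursive-
# routing check has something to look at. B1 keeps the VPN1/VPN name mismatch as
# posted and deliberately routes the peer loopback into Tunnel0 to show that trap.
A1_CONFIG = """
crypto map VPN local-address Loopback0
crypto map VPN 1041 ipsec-isakmp
 set peer 5.5.5.5
 match address 101
access-list 101 permit gre host 4.4.4.4 host 5.5.5.5
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
interface Tunnel0
 tunnel source Loopback0
 tunnel destination 5.5.5.5
interface GigabitEthernet0/2
 crypto map VPN
ip route 5.5.5.5 255.255.255.255 10.10.10.13
"""
B1_CONFIG = """
crypto map VPN1 local-address Loopback0
crypto map VPN 1040 ipsec-isakmp
 set peer 4.4.4.4
 match address 101
access-list 101 permit gre host 5.5.5.5 host 4.4.4.4
interface Loopback0
 ip address 5.5.5.5 255.255.255.255
interface Tunnel0
 tunnel source Loopback0
 tunnel destination 4.4.4.4
interface GigabitEthernet0/2
 crypto map VPN
ip route 4.4.4.4 255.255.255.255 Tunnel0
"""

# Indented sub-commands we care about, keyed by their first two words.
SUBKEYS = {("set", "peer"): "peer", ("match", "address"): "acl", ("ip", "address"): "ip",
           ("tunnel", "source"): "src", ("tunnel", "destination"): "dst", ("crypto", "map"): "map"}


def parse_ios(text):
    """Pull crypto maps, ACLs, interfaces and static routes out of an IOS config."""
    cfg = {"maps": {}, "local_addr": {}, "acls": {}, "ifaces": {}, "routes": []}
    block = None  # dict that the current indented sub-commands belong to
    for line in text.splitlines():
        w = line.split()
        if not w or w[0] == "!":
            continue
        if line.startswith(" "):
            if block is not None and tuple(w[:2]) in SUBKEYS:
                block[SUBKEYS[tuple(w[:2])]] = w[2]
            continue
        block = None
        if w[:2] == ["crypto", "map"] and "local-address" in w:
            cfg["local_addr"][w[2]] = w[4]
        elif w[:2] == ["crypto", "map"] and w[4:5] == ["ipsec-isakmp"]:
            block = cfg["maps"].setdefault(w[2], {}).setdefault(int(w[3]), {})
        elif w[0] == "access-list":
            cfg["acls"].setdefault(w[1], []).append(tuple(w[2:]))
        elif w[0] == "interface":
            block = cfg["ifaces"].setdefault(w[1], {})
        elif w[:2] == ["ip", "route"]:
            cfg["routes"].append((w[2], w[3], w[4]))
    return cfg


def audit(text):
    """Return findings for a GRE-over-IPsec crypto-map config (12.4T rule: map on physical only)."""
    cfg = parse_ios(text)
    out = []
    # 1. 'crypto map X local-address' must name the same map the entries use.
    for name in cfg["local_addr"]:
        if name not in cfg["maps"]:
            out.append(f"local-address set on crypto map {name}, but entries are named {sorted(cfg['maps'])}")
    # 2. The map goes on a physical interface, never on the tunnel.
    for ifname, iface in cfg["ifaces"].items():
        if "map" in iface and ifname.startswith("Tunnel"):
            out.append(f"crypto map {iface['map']} on {ifname}: on 12.4T it belongs on the physical interface only")
    # 3. Peer == tunnel destination, and the ACL matches GRE between the two loopbacks.
    tunnels = {n: i for n, i in cfg["ifaces"].items() if "dst" in i}
    for mapname, entries in cfg["maps"].items():
        for seq, e in entries.items():
            tun = next((t for t in tunnels.values() if t["dst"] == e.get("peer")), None)
            if tun is None:
                out.append(f"{mapname} {seq}: peer {e.get('peer')} is not any tunnel's destination")
                continue
            local = cfg["ifaces"].get(tun.get("src"), {}).get("ip")
            if ("permit", "gre", "host", local, "host", e["peer"]) not in cfg["acls"].get(e.get("acl"), []):
                out.append(f"{mapname} {seq}: ACL {e.get('acl')} lacks 'permit gre host {local} host {e['peer']}'")
    # 4. The route to the peer loopback must not point into the tunnel it carries.
    for prefix, mask, via in cfg["routes"]:
        net = ipaddress.ip_network(f"{prefix}/{mask}")
        for t in tunnels.values():
            if via.startswith("Tunnel") and ipaddress.ip_address(t["dst"]) in net:
                out.append(f"route to {t['dst']} points into {via}: recursive routing, the tunnel will flap")
    return out


if __name__ == "__main__":
    for label, cfg_text in (("A1", A1_CONFIG), ("B1", B1_CONFIG)):
        print(label, audit(cfg_text) or ["ok"])
```

Run stand-alone it reports A1 as clean and two findings for B1: the VPN1/VPN name mismatch and the route to 4.4.4.4 pointing into Tunnel0. The last check is the one that matches the thread's resolution: the peer loopback must be reachable through the WAN (here via BGP or OSPF, in the sample via a static next hop), because a route to it that resolves through the tunnel makes the tunnel depend on itself.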