IPSEC-GRE routing protocol

Answered Question
Jul 4th, 2009

Hi,

We are configuring GRE-IPsec with OSPF. Without the IPSEC configuration we are able to form an OSPF neighbor relationship across the two ends of the GRE tunnel. But when we apply "crypto map NAP" to the tunnel interface, the OSPF neighbor relationship does not form.

Here is the configuration; a similar configuration is on the other end of the tunnel.




int tunnel 10
 ! mask inferred from the "network 10.1.1.0 0.0.0.255" statement below
 ip add 10.1.1.1 255.255.255.0
 tunnel source s0/0
 tunnel destination 10.2.1.2
 ! Crypto MAP applied
 crypto map NAP
!
int s0/0
 ip add 10.2.1.1 255.255.255.252
!
int fa0/0
 ip add 10.3.1.1 255.255.255.0
!
router ospf 10
 ! Ethernet subnet published
 network 10.3.1.0 0.0.0.255 area 0
 ! Tunnel subnet published
 network 10.1.1.0 0.0.0.255 area 0
!
access-list 110 permit ip any any
access-list 110 permit icmp any any
access-list 110 permit ospf any any
!
crypto isakmp policy 10
 encr aes
 group 2
 authentication pre-share
!
crypto isakmp key 0 cisco address 10.2.1.2
!
crypto ipsec transform-set trial esp-3des esp-sha-hmac
!
crypto map NAP 10 ipsec-isakmp
 set peer 10.2.1.2
 match address 110
 set transform-set trial


Please share your experience.

Is there any link to a configuration example with GRE+IPSEC+OSPF on cisco.com?

Thanks in advance.

subodh

pompeychimes Sat, 07/04/2009 - 20:39

Apply the crypto map to the physical interface s0/0.

Leo Laohoo Sat, 07/04/2009 - 21:38

Avoid using the interface when defining the tunnel source/destination, as this costs more CPU than using IP addresses.


You don't need "network 10.1.1.0 0.0.0.255 a 0".


Try this config:

crypto isakmp policy
 encr aes
 authentication pre-share
 group 2
crypto isakmp key address
!
crypto ipsec transform-set esp-3des esp-sha-hmac
!
crypto ipsec profile
 set transform-set
!
interface Tunnel
 ip address xxx.xxx.xxx.xxx 255.255.255.252
 tunnel source
 tunnel destination
 tunnel protection ipsec profile
 tunnel mode ipsec ipv4
 no shutdown
 exit
!
router ospf
 network 10.3.1.0 0.0.0.255 area 0
 exit

Hope this helps. Please rate when helpful and/or applicable.

Correct Answer
Istvan_Rabai Sat, 07/04/2009 - 23:40

Hi Bapat,


I can see 2 things that should be corrected in the configuration:


1. The crypto map should be applied to the s0/0 interface, NOT to the tunnel10 interface.


2. access-list 110 should specify the interesting traffic, but in the case of GRE over IPSec the interesting traffic is the following:

access-list 110 permit gre host 10.2.1.1 host 10.2.1.2


Of course, the configuration on the other side of the tunnel must be corrected as well, and it should be symmetrical to this, that is:

access-list 110 permit gre host 10.2.1.2 host 10.2.1.1


Cheers,

Istvan
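A small checker for the two corrections above, added here as an example and not code from this thread or from Cisco. It parses a constructed IOS-style snippet modelled on the question (the interface names, map name NAP and 10.x addresses are taken from the post; the snippet itself is made up) and flags a crypto map applied to the tunnel interface and a crypto ACL that does not match GRE between the two tunnel endpoints:

```python
import re

# Constructed sample modelled on the poster's config (not a real device): the crypto map is
# on the tunnel and the crypto ACL is a catch-all, the two defects Istvan's answer corrects.
BROKEN_CFG = """\
interface Tunnel10
 tunnel source Serial0/0
 tunnel destination 10.2.1.2
 crypto map NAP
interface Serial0/0
 ip address 10.2.1.1 255.255.255.252
access-list 110 permit ip any any
crypto map NAP 10 ipsec-isakmp
 match address 110
"""
# Same config with both fixes applied: map moved to Serial0/0, ACL matching GRE only.
FIXED_CFG = BROKEN_CFG.replace(" crypto map NAP\ninterface Serial0/0\n", "interface Serial0/0\n crypto map NAP\n") \
                      .replace("permit ip any any", "permit gre host 10.2.1.1 host 10.2.1.2")

def block(cfg, header):
    """Indented sub-lines of the block whose header starts with `header` (e.g. 'interface Serial0/0')."""
    m = re.search(rf"^{re.escape(header)}\b.*\n((?: .*\n)*)", cfg, re.M)
    return [l.strip() for l in m[1].splitlines()] if m else []

def field(lines, prefix):
    """Token right after `prefix` in the first matching line, e.g. 'NAP' from 'crypto map NAP'."""
    return next(((l.split() + [None])[len(prefix.split())] for l in lines if l.startswith(prefix)), None)

def lint_gre_ipsec(cfg):
    """Findings for the two GRE-over-IPsec crypto-map mistakes the thread discusses."""
    findings = []
    for tun in re.findall(r"^interface (Tunnel\S*)", cfg, re.M):
        lines = block(cfg, f"interface {tun}")
        src_if, dst = field(lines, "tunnel source"), field(lines, "tunnel destination")
        phys = block(cfg, f"interface {src_if}")
        cmap = field(lines, "crypto map")
        if cmap:  # fix 1: the map belongs on the physical (tunnel source) interface, not the tunnel
            findings.append(f"{tun}: crypto map {cmap} applied to the tunnel; apply it to {src_if}")
        acl_id = field(block(cfg, f"crypto map {cmap or field(phys, 'crypto map')}"), "match address")
        entries = re.findall(rf"^access-list {acl_id} (.+)$", cfg, re.M)
        wanted = f"permit gre host {field(phys, 'ip address')} host {dst}"  # fix 2: interesting traffic
        if "permit ip any any" in entries:
            findings.append(f"ACL {acl_id}: 'permit ip any any' is too broad for GRE over IPsec")
        if acl_id and wanted not in entries:
            findings.append(f"ACL {acl_id}: missing '{wanted}'")
    return findings
```

Running lint_gre_ipsec on BROKEN_CFG reports three findings, and on FIXED_CFG none; the same checks apply to the far end with the host addresses swapped.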

bapatsubodh Sun, 07/05/2009 - 04:43

Hi friends,

It did work!

I applied the crypto map to the serial interface and permitted GRE in the access list.

It worked on the first try!

Your timely help is highly appreciated!

Thanks again

Subodh Bapat.

Leo Laohoo Sun, 07/05/2009 - 21:57