VTI between central site 7606 and remote offices, EIGRP issue?

Unanswered Question
Aug 4th, 2010

Have this weird issue with VTI tunnels on a 7606 running 12.2(33)SRE1 and several remote offices:

1. When IPSec communication is established between two remote offices (this is with two VTI tunnels to the 7606), one remote office fails to connect to the other office unless we send all of the EIGRP routes belonging to the remote offices. When only the 0.0.0.0/0 route is sent from the 7606 to the remote offices, the remote offices can't communicate with each other.

2. When one remote office is VTI and the other office is a plain GRE tunnel, they can't communicate at all unless we add the tunnel checksum command at either side, but we would like to avoid it due to resource consumption.

Any help is greatly appreciated since we don't want to send the whole EIGRP table to each and every remote office.

Central Site 7606:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key [email protected] address 10.10.1.253
crypto isakmp keepalive 60 10
!
crypto ipsec security-association lifetime kilobytes 1000000
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
!
crypto ipsec profile IPSEC
 set transform-set ESP-AES256-SHA
 set pfs group5
!
interface Tunnel1
 description to remote office 1
 bandwidth 10000
 ip address 10.10.1.78 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 KEY
 ip flow ingress
 ip flow egress
 load-interval 60
 delay 100
 tunnel source 10.10.1.78
 tunnel mode ipsec ipv4
 tunnel destination 10.10.1.253
 tunnel protection ipsec profile IPSEC
 max-reserved-bandwidth 100
!

jbrenesj2 Mon, 08/09/2010 - 15:44

Help please!

Any ideas why two remote offices can't communicate with each other through a 7606 when one office is a VTI tunnel to the 7606 and the other office is plain GRE?

They won't talk unless "tunnel checksum" is enabled on the GRE connection, but since it's CPU intensive we can't use it.

Thanks, Jorge
