Have this weird issue with VTI tunnels on a 7606 running 12.2(33)SRE1 and several remote offices:
1. When IPSec communication is established between two remote offices (this is with two VTI tunnels to the 7606), one remote office fails to connect to the other office unless we send the whole EIGRP routes belonging to the remote offices. When only the 0.0.0.0/0 route is sent from the 7606 to the remote offices, the remote offices can't communicate with each other.
2. When one remote office is VTI and the other office is a plain GRE tunnel, they can't communicate at all unless we add the tunnel checksum command at either side, but we would like to avoid it due to resource consumption.
Any help is greatly appreciated since we don't want to send the whole EIGRP table to each and every remote office.
Central Site 7606:
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key 5KJfjp$6Q1@4f4xi address 10.10.1.253
crypto isakmp keepalive 60 10
!
crypto ipsec security-association lifetime kilobytes 1000000
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
!
crypto ipsec profile IPSEC
 set transform-set ESP-AES256-SHA
 set pfs group5
!
interface Tunnel1
 description to remote office 1
 bandwidth 10000
 ip address 10.10.1.78 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 KEY
 ip flow ingress
 ip flow egress
 load-interval 60
 delay 100
 tunnel source 10.10.1.78
 tunnel mode ipsec ipv4
 tunnel destination 10.10.1.253
 tunnel protection ipsec profile IPSEC
 max-reserved-bandwidth 100
!