GRE over IPSec - choosing a source interface

Answered Question
May 14th, 2003
User Badges:

I have a 3660 with two T1's from different providers, running BGP. Our ASN space is on f0/0, with the two T1 serial interfaces having a serial address on their respective provider's networks.

I am attempting to set up an IPSec tunnel, and have done so from either of the serial interfaces (the way I normally do it in smaller offices with a single T1). I then reconfigure the crypto map to be on f0/0, and make other relevant changes on both sides to source this traffic from f0/0. The IPSec negotiates, makes its way thorugh, and on the 3660, I even see an EIGRP peer come up with the remote. This peer eventually drops, and examining the sa's shows that the remote sends, and the 3660 receives, but no packets ever leave the 3660 (on the sa).

Any suggestions on where to start looking for this one, or is there a better/recomended/sample config of a similar setup I could look at?

Thanks in advance,


Correct Answer by b.mason about 14 years 2 months ago

To bind the crypto map to an interface use the command:

crypto map 'map-name' local-address 'interface'


crypto map crypt-map1 local-address Loopback2

- Brett

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
jfrahim Wed, 05/14/2003 - 10:21
User Badges:
  • Cisco Employee,

Hi Daryl,

Does your tunnel interface flap a lot? if it does, can you check the logs on the router and see if recurrsive routing is causing that?

Also, what happens if you do not use an routing protocol and configure static routes? Do you still see packet drops?


lucifuge Wed, 05/14/2003 - 10:29
User Badges:

It's not a recursive route problem....I've seen those before.

I have "solved" it by modifying the remote side as follows:

-add isakmp keys for both serial interfaces (delete the f0/0 isakmp key)

-add a "set peer" for each serial address on the remote (in my crypto map)

-remove the crypto map from f0/0 on the 3660, add it to both serial interfaces.

The rest ramins the same. My GRE tunnel interface on the remote still opints to the f0/0 address on the 3660, and my "match address" list on both routers still goes to/from the f0/0 ip address on the 3660.

I believe this configuration will work if I lose a T1 on the 3660, but I'll need to simulate the failure after hours.

b.mason Thu, 05/15/2003 - 20:59
User Badges:

Why not bind the VPN peers to a loopback interface. Then if there is a route to the router the VPN will always stay up?

lucifuge Fri, 05/16/2003 - 04:55
User Badges:

If I could "bind" the VPN peers to anything I'd be fine. That is my entire problem/question.

If you could explain how it is possible to bind to lo0, then the same should apply to f0/0, and my problem is solved in a much more elegant way than what I am going now.

Correct Answer
b.mason Sun, 05/25/2003 - 16:01
User Badges:

To bind the crypto map to an interface use the command:

crypto map 'map-name' local-address 'interface'


crypto map crypt-map1 local-address Loopback2

- Brett


This Discussion