GRE over IPSec - choosing a source interface

lucifuge
Level 1

I have a 3660 with two T1's from different providers, running BGP. Our ASN space is on f0/0, with the two T1 serial interfaces having a serial address on their respective provider's networks.

I am attempting to set up an IPSec tunnel, and have done so from either of the serial interfaces (the way I normally do it in smaller offices with a single T1). I then reconfigure the crypto map to be on f0/0, and make other relevant changes on both sides to source this traffic from f0/0. The IPSec negotiates, makes its way through, and on the 3660, I even see an EIGRP peer come up with the remote. This peer eventually drops, and examining the SAs shows that the remote sends, and the 3660 receives, but no packets ever leave the 3660 (on the SA).

Any suggestions on where to start looking for this one, or is there a better/recommended/sample config of a similar setup I could look at?

Thanks in advance,

Daryl

1 Accepted Solution

Accepted Solutions

To bind the crypto map to an interface use the command:

crypto map 'map-name' local-address 'interface'

EG:

crypto map crypt-map1 local-address Loopback2

- Brett

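As an added worked example (not configuration from this thread, from Cisco, or from any of the posters), here is how the accepted answer's `crypto map ... local-address` command fits into the setup described in the question: a hub with two T1s, a GRE tunnel, and a remote that peers with one stable address. All addresses, interface names, the AS number, map and ACL names, and the pre-shared key are constructed placeholders.

```cisco
! ===== Hub (the dual-T1 router in the thread) -- constructed example =====
! The loopback is the one address the remote peers with and the GRE
! tunnel is sourced from; it stays up no matter which T1 is in service.
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER_KEY address 198.51.100.2
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! The crypto ACL matches only the GRE packets between the two endpoints;
! the traffic inside the tunnel is protected by virtue of riding in GRE.
ip access-list extended GRE-TO-REMOTE
 permit gre host 192.0.2.1 host 198.51.100.2
!
! local-address binds the IPsec/ISAKMP source to Loopback0, so the same
! map applied on both serials negotiates from one identity (the point of
! the accepted answer).
crypto map VPN local-address Loopback0
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS
 match address GRE-TO-REMOTE
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 198.51.100.2
!
! The map must be on every interface the encrypted packets can exit on.
interface Serial0/0
 description T1 to provider A (placeholder addressing)
 ip address 203.0.113.2 255.255.255.252
 crypto map VPN
!
interface Serial0/1
 description T1 to provider B (placeholder addressing)
 ip address 203.0.113.6 255.255.255.252
 crypto map VPN
!
! Loopback0 has to be reachable from the remote over either T1, so it is
! advertised with the rest of the AS's space (placeholder AS and prefix).
router bgp 65000
 network 192.0.2.0 mask 255.255.255.0
!
! ===== Remote (single T1) -- constructed example =====
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! One key and one peer: the hub's loopback, not either serial address.
crypto isakmp key PLACEHOLDER_KEY address 192.0.2.1
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
ip access-list extended GRE-TO-HUB
 permit gre host 198.51.100.2 host 192.0.2.1
!
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS
 match address GRE-TO-HUB
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 192.0.2.1
!
interface Serial0/0
 ip address 198.51.100.2 255.255.255.252
 crypto map VPN
!
! Guard against the recursive-routing flap mentioned earlier in the
! thread: the route to 192.0.2.1 must never be learned through Tunnel0.
! Keep the hub's loopback out of whatever IGP runs across the tunnel, or
! pin it with a static route toward the serial next hop (placeholder):
ip route 192.0.2.1 255.255.255.255 198.51.100.1
```

To confirm the binding took effect, `show crypto isakmp sa` on the remote should list 192.0.2.1 as the peer regardless of which T1 the hub is currently using, and `show crypto ipsec sa` on the hub should show both encaps and decaps counters increasing, which is the symptom the question was missing. Applying the map to only one serial, or leaving `local-address` off, reproduces the one-way behaviour described in the original post when the return path picks the other T1.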

6 Replies

jfrahim
Level 5

Hi Daryl,

Does your tunnel interface flap a lot? If it does, can you check the logs on the router and see if recursive routing is causing that?

Also, what happens if you do not use a routing protocol and configure static routes? Do you still see packet drops?

Jazib

It's not a recursive route problem....I've seen those before.

I have "solved" it by modifying the remote side as follows:

-add isakmp keys for both serial interfaces (delete the f0/0 isakmp key)

-add a "set peer" for each serial address on the remote (in my crypto map)

-remove the crypto map from f0/0 on the 3660, add it to both serial interfaces.

The rest remains the same. My GRE tunnel interface on the remote still points to the f0/0 address on the 3660, and my "match address" list on both routers still goes to/from the f0/0 IP address on the 3660.

I believe this configuration will work if I lose a T1 on the 3660, but I'll need to simulate the failure after hours.

Why not bind the VPN peers to a loopback interface? Then, if there is a route to the router, the VPN will always stay up.

If I could "bind" the VPN peers to anything I'd be fine. That is my entire problem/question.

If you could explain how it is possible to bind to lo0, then the same should apply to f0/0, and my problem is solved in a much more elegant way than what I am doing now.

cflory
Level 1

Daryl,

I have a similar setup, and I found this link useful:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml#steps

Hope this helps!

-Chris
