Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

IPSEC + GRE using loopbacks?

The remote site, Side A receives a single BGP route to 5.5.5.5/32 via the provider.

Side B receives a variety of OSPF routes including a default route and a specific route to 4.4.4.4/32 from the core of the campus network.

2 7206vxr routers running 12.4T

The GRE tunnel works fine before IPSEC is applied so it does not appear to be a routing issue. It could still be a firewall issue at Site B.

From the counters it appears the IPSEC sa only works in one direction with traffic going from A to B but not from B to A and therefore the GRE tunnel stays down.

Should the crypto map apply to the physical interface, the tunnel, both? I see conflicting docs and examples. Also keep in mind that neither side has a route to the other's physical addresses. Only the loopbacks.

Router A1

crypto isakmp policy 1

encr aes 256

authentication pre-share

group 2

crypto isakmp key PASSWORD address 0.0.0.0 0.0.0.0

crypto isakmp keepalive 10

!

!

crypto ipsec transform-set VPN1 esp-aes 256 esp-sha-hmac

mode transport

!

crypto map VPN local-address Loopback0

crypto map VPN 1041 ipsec-isakmp

set peer 5.5.5.5

set transform-set VPN1

match address 101

ip access list 101 permit gre host 4.4.4.4 host 5.5.5.5

loopback0

4.4.4.4/32

tunnel0

192.168.10.1/30

source loopback0

destination 5.5.5.5

gig0/1

LAN

gig 0/2

WAN

10.10.10.14/30

crypto map VPN

Router B1

crypto isakmp policy 1

encr aes 256

authentication pre-share

group 2

crypto isakmp key PASSWORD address 0.0.0.0 0.0.0.0

crypto isakmp keepalive 10

!

!

crypto ipsec transform-set VPN1 esp-aes 256 esp-sha-hmac

mode transport

!

crypto map VPN1 local-address Loopback0

crypto map VPN 1040 ipsec-isakmp

set peer 4.4.4.4

set transform-set VPN1

match address 101

ip access list 101 permit gre host 5.5.5.5 host 4.4.4.4

loopback

5.5.5.5/32

tunnel0

192.168.10.2/30

source loopback0

destination 4.4.4.4

g0/1

LAN

g0/2

WAN

192.168.100.1/30

crypto map VPN

2 REPLIES
Hall of Fame Super Silver

Re: IPSEC + GRE using loopbacks?

Jason

Whether the crypto map goes on the physical, the tunnel, or both depends on the version of code that you are running. In older versions of code it went on both. In newer versions of code it goes on only the physical. I see that you are running 12.4T and so the crypto map should be only on the physical interfaces.

The partial configs that you posted look ok and I do not see any particular problem with what is posted. One possible issue is how you get traffic to go over the tunnel. Could you post the parts of the configs that direct traffic over the tunnels? This might help us to find the source of your problem.

HTH

Rick

New Member

Re: IPSEC + GRE using loopbacks?

Turned out to be a routing issue. Pair 1 was receiving the routes to wan out the wrong interface. DOH

146
Views
0
Helpful
2
Replies