Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

NO Traffic when the VPN and GRE tunnel up

Please help me to fix this issue, vpn tunnel is up, but no encrypt traffic on the PE site and the GRE tunnel can not ping.

PE config:

G-PE11#sh run

Building configuration...

Current configuration : 6660 bytes

!

! Last configuration change at 16:29:23 Beijing Sun Oct 20 2013 by gssnetnoc

version 15.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname PE11

!

!

redundancy

!

!

!

crypto isakmp policy 10

encr 3des

authentication pre-share

group 5

crypto isakmp key G-20131015-PE address 0.0.0.0       

crypto isakmp keepalive 10

crypto isakmp aggressive-mode disable

!

!

crypto ipsec transform-set G-PE-trans esp-3des esp-sha-hmac

mode tunnel

!

!

!

crypto dynamic-map G-PE-dmap 10

set transform-set G-PE-trans

!

!

crypto map dynamic-map local-address Loopback200

crypto map dynamic-map 10 ipsec-isakmp dynamic G-PE-dmap

!

!

!

!

interface Loopback200

ip address 22.126.229.125 255.255.255.255

crypto map dynamic-map

!

interface Tunnel201

ip address 10.0.96.5 255.255.255.252

ip mtu 1400

load-interval 30

tunnel source Loopback200

tunnel destination 10.0.99.101

tunnel key 10201

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!        

interface GigabitEthernet0/0

ip address 10.244.16.6 255.255.255.252

duplex auto

speed auto

!

interface GigabitEthernet0/1

no ip address

duplex auto

speed auto

!

interface GigabitEthernet0/2

no ip address

shutdown

duplex auto

speed auto

!

ip route 0.0.0.0 0.0.0.0 10.244.16.5

!

CPE config:

ADSL#sh run

Building configuration..

Current configuration : 2972 bytes

!

! Last configuration change at 16:39:59 BJ Sun Oct 20 2013

!

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname ADSL

!

!

crypto isakmp policy 10

encr 3des

authentication pre-share

group 5

crypto isakmp key G-20131015-PE address 22.126.229.125

crypto isakmp keepalive 10

crypto isakmp aggressive-mode disable

!

!

crypto ipsec transform-set G-CPE-trans esp-3des esp-sha-hmac

mode transport

!

crypto map G1310201-Static-Map local-address Dialer0

crypto map G1310201-Static-Map 20 ipsec-isakmp

set peer 22.126.229.125

set transform-set G-CPE-trans

match address G-1310201-ACL

!

!

!

!

!

!

interface Loopback201

ip address 10.0.99.101 255.255.255.255

!

interface Tunnel1310201

ip address 10.0.96.6 255.255.255.252

ip mtu 1400

load-interval 30

tunnel source Loopback201

tunnel destination 22.126.229.125

tunnel key 10201

!

interface FastEthernet0/0

no ip address

ip virtual-reassembly in

duplex auto

speed auto

pppoe enable group global

pppoe-client dial-pool-number 1

!

interface FastEthernet0/1

ip address 192.168.0.100 255.255.255.0

duplex auto

speed auto

!

interface Dialer0

ip address negotiated

ip mtu 1492

ip virtual-reassembly in

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication pap callin

ppp pap sent-username 154432 password 0 576

crypto map G1310201-Static-Map

!

ip route 0.0.0.0 0.0.0.0 10.0.96.5

ip route 22.126.229.125 255.255.255.255 Dialer0

!

ip access-list extended G-1310201-ACL

permit gre host 10.0.99.101 host 22.126.229.125

!

!

From CPE's info:

ADSL#show crypto ipsec sa

interface: Dialer0

    Crypto map tag:G1310201-Static-Map, local addr 221.221.155.96

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (10.0.99.101/255.255.255.255/47/0)

   remote ident (addr/mask/prot/port): (22.126.229.125/255.255.255.255/47/0)

   current_peer 22.126.229.125 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 407, #pkts encrypt: 407, #pkts digest: 407

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 1, #recv errors 0

     local crypto endpt.: 221.221.155.96, remote crypto endpt.: 22.126.229.125

     path mtu 1492, ip mtu 1492, ip mtu idb Dialer0

     current outbound spi: 0x43D7FFCE(1138229198)

     PFS (Y/N): N, DH group: none

G-PE11#show cry ip sa

interface: Loopback200

    Crypto map tag: dynamic-map, local addr 22.126.229.125

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (22.126.229.125/255.255.255.255/47/0)

   remote ident (addr/mask/prot/port): (10.0.99.101/255.255.255.255/47/0)

   current_peer 221.221.155.96 port 500

     PERMIT, flags={}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 524, #pkts decrypt: 524, #pkts verify: 524

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 22.126.229.125, remote crypto endpt.: 222.128.169.253

     plaintext mtu 1462, path mtu 1514, ip mtu 1514, ip mtu idb Loopback200

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none

GRE Tunnel Ping:

From PE to CE:

G-PE11#ping 10.0.96.6

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.0.96.6, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

174
Views
0
Helpful
0
Replies
CreatePlease to create content