
New Member

Site to Site Over GRE

Hi, I am setting up site-to-site over a GRE tunnel with the attached topology.

For R1:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 1.1.1.2
access-list 110 permit gre host 1.1.1.1 host 1.1.1.2
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
!
crypto map vpn 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set strong
 match address 110
router eigrp 1
 network 2.0.0.0
 network 192.168.1.0
 auto-summary
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 1.1.1.2
 crypto map vpn
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255

For R2:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 1.1.1.1
access-list 110 permit gre host 1.1.1.2 host 1.1.1.1
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
!
crypto map vpn 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set strong
 match address 110
interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.0
interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 1.1.1.1
 crypto map vpn
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255

I am getting the following error on both R1 and R2:

R1#
*Mar  1 01:33:47.875: IPSEC(key_engine): major = 1
*Mar  1 01:33:47.875: IPSEC(key_engine): expired_timer
R1#

Please help with this issue as I want to deploy it in production.

thankssssssssss

7 REPLIES
New Member

Site to Site Over GRE

From the config attached, I cannot find the EIGRP configuration on R2! Did you forget to add it to the post?

Please remove the crypto map from the tunnel interface and put it on the physical interface instead; applying the crypto map to the tunnel interface isn't recommended! Please try it and see how things go!

Ahmad

New Member

Site to Site Over GRE

Sorry, I forgot to add EIGRP on R2:

router eigrp 1
 network 3.0.0.0
 network 192.168.1.0
 auto-summary

Connectivity is there between both routers.

I have removed the crypto map from the tunnel and applied it to the physical interface. Phase 1 and phase 2 are established, but the same log message still appears:

*Mar  1 03:51:07.891: IPSEC(key_engine): major = 1
*Mar  1 03:51:07.891: IPSEC(key_engine): expired_timer

My understanding is that I am encrypting the tunnel, not the physical interface. I did not read anything about a recommendation to put it on the physical interface; can you please highlight where you read it? I have read on some sites to enable it on both the tunnel and the physical interface; there is no straight answer that I have read.

Another question I have: if I advertise the physical network, then show ip route will show that the loopback address of the second router is reached via the physical interface. Can I make it go through the tunnel?

thanksssssssss

Site to Site Over GRE

Hi ,

As far as I know, you should put the crypto map on the physical interface. The traffic that is matched by the crypto map ACL (GRE traffic) is seen on the physical interface, not on the GRE interface itself.

Dan

New Member

Site to Site Over GRE

thanks Dan

Site to Site Over GRE

My pleasure

Dan

Cisco Employee

Site to Site Over GRE

That is correct Dan, Alkabeer only needs the crypto map applied to the physical interface! In old codes we used to apply the crypto map to both the physical interface and the tunnel interface, but this changed a long time ago.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094bff.shtml

IOS Configuration Note:

With Cisco IOS 12.2(13)T and later codes (higher numbered T-train codes, 12.3 and later codes) the configured IPSEC "crypto map" only needs to be applied to the physical interface and is no longer required to be applied on the GRE tunnel interface. Having the "crypto map" on the physical and tunnel interface when using the 12.2(13)T and later codes still works. However, it is highly recommended to apply it just on the physical interface.

Regards,
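As an added illustration of Dan's and Gustavo's point (not code from this thread, from Cisco, or from the poster): a small Python check that parses an IOS-style config and flags a crypto map applied on a Tunnel interface but missing from the physical interface named as that tunnel's source. The embedded config is a constructed, trimmed copy of R1's posted config; the parser assumes IOS indentation conventions.

```python
# Constructed sample: the relevant part of R1's config as posted in the thread,
# still carrying the crypto map on Tunnel0 instead of on FastEthernet0/0.
R1_CONFIG = """\
access-list 110 permit gre host 1.1.1.1 host 1.1.1.2
crypto map vpn 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set strong
 match address 110
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 1.1.1.2
 crypto map vpn
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its list of indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # any other top-level command ends the stanza
    return interfaces

def check_crypto_map_placement(config):
    """Report GRE tunnels whose crypto map is applied on the tunnel but not on
    the interface named as the tunnel source. Assumes 'tunnel source' names an
    interface (not an IP address), as in the thread's configs."""
    findings = []
    interfaces = parse_interfaces(config)
    for name, cmds in interfaces.items():
        if not name.startswith("Tunnel"):
            continue
        src = next((c.split(None, 2)[2] for c in cmds if c.startswith("tunnel source ")), None)
        on_tunnel = {c.split()[2] for c in cmds if c.startswith("crypto map ")}
        on_source = {c.split()[2] for c in interfaces.get(src, []) if c.startswith("crypto map ")}
        for m in sorted(on_tunnel - on_source):
            findings.append(f"{name}: crypto map {m} applied on tunnel but not on source {src}")
    return findings
```

Running the check against the posted config yields one finding for Tunnel0; moving the crypto map to FastEthernet0/0 clears it.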

New Member

Site to Site Over GRE

Thanks Gustavo,

I have configured it on the tunnel interface, but I will change it to work with the physical interface as per the recommendation.

thankssssssssss
