I have made a setup of point-to-multipoint VPN connections on routers. There are GRE tunnels on the routers. Please find in the attachment the configuration of two routers, where LHR is the hub and RYK is one of the several spokes. The problem I am facing is that once I apply the crypto map on the tunnel interfaces, encryption begins (I verified this through the show crypto ipsec sa interface tunnel command), but after a few days people in my organization complain that they are unable to fetch data from the branch (RYK). As soon as I remove the crypto map commands from both ends, the problem resolves. But let me add that I don't see any problem when I ping from the LAN of both routers (i.e. end-to-end ping). Even DameWare sessions cause no problem. Please, if anyone can help me resolve this issue.
Also I want to know whether extra load on the links causes problems with encryption, or whether I have to check the hardware for the said problem, such as router RAM? Thanks.
RYK-City.Centre Router- create a loopback interface (lo0) addressed with a /32 address (I.E. 10.10.10.1/32)
hub router - create a loopback interface (lo0) addressed with a /32 address (I.E. 10.10.10.2/32)
add the above network to your OSPF config on both routers (I.E. network 10.10.10.0 0.0.0.255 area X)
change your tunnel ip address to lo0
change your tunnel0 source to lo0
remove the "tunnel mode ipip" command from the tunnel0 interface
remove the "crypto map" command from the tunnel0 interface
change tunnel0 destination to hub router lo0 address
change default route to point to lo0 address of hub router
add a static route for the lo0 address of hub router via 10.1.16.81
create a new tunnel1 interface
set address to lo0
source it to lo0
set dest to lo0 address of RYK router
the above creates a GRE tunnel, but it won't pass traffic until we encap with IPSEC to get it across the DSL link:
crypto isakmp policy 100
crypto isakmp key 6 xxxxxxxx address 10.1.16.132
crypto ipsec transform-set MYSET esp-des
crypto map RYKHMAP 110 ipsec-isakmp
set peer 10.1.16.132
set transform-set MYSET
match address 120
access-list 120 permit gre host host
apply the crypto map to your outbound interface
apply the same commands to your hub router, adding an ISAKMP key and a new crypto map for each remote device, and of course changing the ISAKMP key, peer, and access-list addresses as appropriate.
you should create separate tunnel interfaces on your hub router for each remote site... you should also have a mgt subnet configured on all loopback interfaces anyway, so this is a good way to get that project started...
I had this type of setup running between 60+ 2811's at one point.
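The following is an added worked example of the design described in the answer above (loopback-sourced GRE tunnels, crypto map on the physical outbound interface rather than on the tunnel), written for this page; it is not the poster's configuration, not the attachment, and not Cisco documentation. The only values taken from the thread are the loopback addresses 10.10.10.1/32 and 10.10.10.2/32, the spoke's DSL next hop 10.1.16.81 and the hub peer address 10.1.16.132; the spoke WAN address 10.1.16.82, the hub next hop 10.1.16.129, the interface names, the branch LAN 192.168.100.0/24 and the pre-shared key are assumptions. It departs from the answer's esp-des in favour of AES-256/SHA-256 with DH group 14, since DES and SHA-1/MD5 should no longer be used on a new tunnel (IOS 15.x syntax assumed), and it adds the ip mtu / ip tcp adjust-mss lines that are standard on GRE-over-IPsec tunnels so that the GRE plus ESP overhead does not force fragmentation of large packets.

```cisco
! ===== Spoke RYK (example, assumed addresses except 10.1.16.81 / 10.1.16.132 / 10.10.10.x) =====
interface Loopback0
 description Tunnel endpoint and management address
 ip address 10.10.10.1 255.255.255.255
!
interface Dialer0
 description DSL uplink (assumed interface name and address)
 ip address 10.1.16.82 255.255.255.240
 crypto map RYKHMAP          ! crypto map lives on the physical interface, not on Tunnel0
!
interface Tunnel0
 description GRE to hub; no crypto map and no "tunnel mode ipip" here
 ip unnumbered Loopback0
 ip mtu 1400                 ! leave room for GRE (24 bytes) + ESP overhead
 ip tcp adjust-mss 1360      ! clamp TCP so bulk transfers do not rely on fragmentation
 tunnel source Loopback0
 tunnel destination 10.10.10.2
!
router ospf 1
 network 10.10.10.0 0.0.0.255 area 0
 network 192.168.100.0 0.0.0.255 area 0    ! branch LAN (assumed)
!
! The hub loopback must be reached across the DSL link, NOT through the tunnel itself,
! otherwise the tunnel destination recurses through the tunnel and it flaps.
ip route 10.10.10.2 255.255.255.255 10.1.16.81
ip route 10.1.16.132 255.255.255.255 10.1.16.81     ! IKE/ESP peer reachability
ip route 0.0.0.0 0.0.0.0 Tunnel0                    ! everything else rides the protected tunnel
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key 0 PLACEHOLDER_PSK address 10.1.16.132   ! placeholder key; "6" in a show run is the stored encrypted form
crypto isakmp keepalive 10 periodic                       ! DPD so a dead SA is torn down and renegotiated
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha256-hmac
!
crypto map RYKHMAP 110 ipsec-isakmp
 set peer 10.1.16.132
 set transform-set MYSET
 match address 120
!
access-list 120 permit gre host 10.10.10.1 host 10.10.10.2   ! only the GRE between the loopbacks is encrypted
!
! ===== Hub LHR (example) =====
interface Loopback0
 ip address 10.10.10.2 255.255.255.255
!
interface GigabitEthernet0/0
 description WAN toward the spokes (assumed interface name)
 ip address 10.1.16.132 255.255.255.240
 crypto map HUBMAP
!
interface Tunnel1
 description GRE to spoke RYK; one tunnel interface per spoke
 ip unnumbered Loopback0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Loopback0
 tunnel destination 10.10.10.1
!
router ospf 1
 network 10.10.10.0 0.0.0.255 area 0
!
ip route 10.10.10.1 255.255.255.255 10.1.16.129     ! spoke loopback via the WAN, never via Tunnel1
ip route 0.0.0.0 0.0.0.0 10.1.16.129                ! hub next hop (assumed)
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key 0 PLACEHOLDER_PSK address 10.1.16.82
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set MYSET esp-aes 256 esp-sha256-hmac
!
crypto map HUBMAP 110 ipsec-isakmp        ! one sequence number, key and ACL per spoke
 set peer 10.1.16.82
 set transform-set MYSET
 match address 120
access-list 120 permit gre host 10.10.10.2 host 10.10.10.1
```

Two checks worth running after applying this: show ip route 10.10.10.2 on the spoke must show the static route via 10.1.16.81 and not the tunnel interface (if it ever flips to the tunnel, the tunnel will recurse and drop), and show crypto ipsec sa should show the encaps/decaps counters for the single GRE proxy identity 10.10.10.1/32 <-> 10.10.10.2/32 climbing in both directions. Because only GRE between the two loopbacks matches the crypto ACL, all branch traffic, whatever its source and destination, is carried inside that one SA pair, which keeps the IPsec policy small regardless of how many LAN subnets are added behind either router.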