05-10-2006 05:10 AM
Hi,
I have made a setup of point-to-multipoint VPN connections on routers. There are GRE tunnels on the routers. Please find in the attachment the configuration of two routers, where LHR is the hub and RYK is one of the several spokes. The problem I am facing is that once I apply the crypto map on the tunnel interfaces, encryption begins (I verified through the show crypto ipsec sa interface tunnel command), but after a few days people in my organization complain that they are unable to fetch data from the branch (RYK). As soon as I remove the crypto map commands from both ends, the problem resolves. But let me add that I don't see any problem while I ping from the LAN of both routers (meaning end-to-end ping). Even DameWare sessions cause no problem. Please, if anyone can help to resolve this issue.
Also I want to know whether extra load on the links causes problems for encryption, or do I have to check the hardware for the said problem, like router RAM? Thanks.
05-11-2006 04:45 AM
Hello,
try and configure:
ip tcp adjust-mss 1436
on your tunnel interfaces, or, if that doesn't make a difference:
ip mtu 1524
or
ip mtu 1500
on your tunnel interfaces.
Regards,
GNT
05-20-2006 01:44 PM
try this:
RYK-City.Centre Router - create a loopback interface (lo0) addressed with a /32 address (i.e. 10.10.10.1/32)
hub router - create a loopback interface (lo0) addressed with a /32 address (i.e. 10.10.10.2/32)
add the above network to your OSPF config on both routers (i.e. network 10.10.10.0 0.0.0.255 area X)
RYK router:
change your tunnel ip address to lo0
change your tunnel0 source to lo0
remove the "tunnel mode ipip" command from the tunnel0 interface
remove the "crypto map" command from the tunnel0 interface
change tunnel0 destination to hub router lo0 address
change default route to point to lo0 address of hub router
add a static route for the lo0 address of hub router via 10.1.16.81
hub router
create a new tunnel1 interface
set address to lo0
source it to lo0
set dest to lo0 address of RYK router
above creates a GRE tunnel, but it won't pass traffic until we encap with IPSEC to get it across the DSL link:
RYK router:
crypto isakmp policy 100
authentication pre-share
crypto isakmp key 6 xxxxxxxx address 10.1.16.132
crypto ipsec transform-set MYSET esp-des
crypto map RYKHMAP 110 ipsec-isakmp
set peer 10.1.16.132
set transform-set MYSET
match address 120
access-list 120 permit gre host
apply the crypto map to your outbound interface
apply the same commands to your hub router, adding an ISAKMP key and a new crypto map for each remote device, and of course changing the ISAKMP key, peer, and access-list addresses as appropriate.
you should create separate tunnel interfaces on your hub router for each remote site... you should also have a mgt subnet configured on all loopback interfaces anyway, so this is a good way to get that project started...
I had this type of setup running between 60+ 2811's at one point.
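As an added example (not code from either poster), the following works out the packet sizes behind the ip tcp adjust-mss and ip mtu suggestions in the second reply, using the esp-des transform from the third reply. It assumes a 1500-byte WAN link, a plain 4-byte GRE header, and ESP tunnel mode with an 8-byte IV, 8-byte cipher block and no integrity check value (esp-des alone carries none); it shows that an MSS sized for GRE only still fragments once ESP is added.

```python
# Added example (not part of the thread): how TCP MSS relates to GRE and
# ESP overhead on a 1500-byte link. ESP parameters below (8-byte IV and
# block, no ICV) are assumptions matching the esp-des transform in the post.

IPV4_HDR = 20
TCP_HDR = 20
GRE_HDR = 4          # plain GRE header (no key, no sequence number)
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)


def gre_only_mss(link_mtu=1500):
    """MSS that fits a GRE-encapsulated TCP segment into one link-MTU packet."""
    return link_mtu - IPV4_HDR - GRE_HDR - IPV4_HDR - TCP_HDR


def esp_tunnel_size(inner_len, iv_len=8, block=8, icv_len=0):
    """Outer length of an ESP tunnel-mode packet carrying inner_len bytes."""
    padding = (-(inner_len + ESP_TRAILER)) % block   # pad to the cipher block
    return IPV4_HDR + ESP_HDR + iv_len + inner_len + padding + ESP_TRAILER + icv_len


def gre_ipsec_size(tcp_payload, **esp):
    """Wire size of one TCP segment after GRE encapsulation and ESP tunnel mode."""
    gre_packet = IPV4_HDR + GRE_HDR + IPV4_HDR + TCP_HDR + tcp_payload
    return esp_tunnel_size(gre_packet, **esp)


def gre_ipsec_mss(link_mtu=1500, **esp):
    """Largest TCP payload whose GRE+ESP packet still fits the link MTU."""
    payload = gre_only_mss(link_mtu)
    while gre_ipsec_size(payload, **esp) > link_mtu:
        payload -= 1
    return payload


def fragments(tcp_payload, link_mtu=1500, **esp):
    """True if the encrypted packet must be fragmented on the WAN link."""
    return gre_ipsec_size(tcp_payload, **esp) > link_mtu


if __name__ == "__main__":
    print("GRE-only MSS:", gre_only_mss())                   # 1436
    print("GRE+ESP-DES MSS:", gre_ipsec_mss())               # 1398
    print("1436-byte segment on the wire:", gre_ipsec_size(1436))  # 1540
    print("1436-byte segments fragment:", fragments(1436))   # True
```

Full-size segments that fragment after encryption are a classic cause of "ping works but bulk transfers stall", so comparing these two MSS values against what the WAN actually carries is a quick check before suspecting router hardware.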