I am building IPsec tunnels between two remote sites. I am creating just one of those tunnels to pass all traffic between two sync servers (two separate subnets, 10.10.10.21/24 and 10.10.11.21/24). Am I doing this correctly if I have a static route to the outbound interface, and another static route for just the server IP address to that tunnel? Here is an example:
interface tunnel 1
ip address 10.10.254.5 255.255.255.252
tunnel source 10.10.10.254
tunnel destination 10.10.11.254
ip route 10.10.10.254 255.255.255.255 Fastethernet0 name tunnel1-to-tunnel2
ip route 10.10.10.21 255.255.255.255 tunnel1 name tunnel1-to-tunnel2
Your post talks about building an IPSec tunnel. But the configuration shows more of a GRE tunnel than an IPSec tunnel. It is sometimes done to run IPSec with GRE but it is not always necessary. You have not indicated what, if anything, requires the GRE. And that makes it more difficult for us to answer your question.
The configuration of the GRE tunnel as shown seems ok - assuming that 10.10.10.254 is a local connected address on some interface of the router. But in that case you certainly do not need the static route
ip route 10.10.10.254 255.255.255.255 Fastethernet0 name tunnel1-to-tunnel2 (why would you need a static route for a locally connected address?).
Also the second static route (for 10.10.10.21) indicates that you go through the tunnel to get to it. But if the tunnel source is 10.10.10.254 (and that must be a locally connected interface) it is hard to see how some other address in that subnet is reached through the tunnel.
You show an access list but you do not show how the access list is to be used. If the access list is to be used by the crypto map to identify traffic for IPSec to protect then it should use the addresses of the tunnel end points. (permit gre host 10.10.10.254 host 10.10.11.254).
The one thing that the GRE tunnel needs to work is a route to the tunnel destination (10.10.11.254). It is not clear from what you posted whether the router has a route such as this.
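The three routing points raised in the reply above can be checked mechanically. The following is an added example, not part of the original thread: a small Python lint run over the configuration exactly as posted. The function name `lint` and the `lan_prefixlen` parameter are hypothetical, and the /24 LAN mask is an assumption taken from the question, since the LAN interface itself is not shown.

```python
import ipaddress
import re

# The configuration from the question, copied as posted.
POSTED = """\
interface tunnel 1
ip address 10.10.254.5 255.255.255.252
tunnel source 10.10.10.254
tunnel destination 10.10.11.254
ip route 10.10.10.254 255.255.255.255 Fastethernet0 name tunnel1-to-tunnel2
ip route 10.10.10.21 255.255.255.255 tunnel1 name tunnel1-to-tunnel2
"""

def lint(config, lan_prefixlen=24):
    """Return findings for one GRE tunnel. lan_prefixlen is an assumption
    (the /24 from the question); the LAN interface is not in the config."""
    src = ipaddress.ip_address(re.search(r"tunnel source (\S+)", config).group(1))
    dst = ipaddress.ip_address(re.search(r"tunnel destination (\S+)", config).group(1))
    local_lan = ipaddress.ip_network(f"{src}/{lan_prefixlen}", strict=False)
    findings, dst_reachable = [], False
    for net, mask, nexthop in re.findall(r"^ip route (\S+) (\S+) (\S+)", config, re.M):
        prefix = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        via_tunnel = nexthop.lower().startswith("tunnel")
        if prefix.prefixlen == 32 and prefix.network_address == src:
            # A host route for an address the router already owns.
            findings.append(f"{prefix}: static route for the local tunnel source is unnecessary")
        elif via_tunnel and prefix.subnet_of(local_lan):
            # The tunnel source sits in this subnet, so the host is local.
            findings.append(f"{prefix}: routed into the tunnel but lies in local subnet {local_lan}")
        if dst in prefix:
            if via_tunnel:
                # GRE packets would be sent back into the tunnel they came from.
                findings.append(f"{prefix}: tunnel destination is routed through the tunnel itself")
            else:
                dst_reachable = True
    if not dst_reachable:
        findings.append(f"no static route outside the tunnel covers tunnel destination {dst}")
    return findings

if __name__ == "__main__":
    for finding in lint(POSTED):
        print(finding)
```

The last check only looks at static routes in the pasted text; a default route or a dynamically learned route to 10.10.11.254 would also satisfy the tunnel.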