Cisco Support Community

New Member

ipsec over gre

I am having an issue trying to set up a site-to-site tunnel using IPsec over GRE. I think I have everything set up, but I still can't access the private IP space on the other side of tunnel 1. Can someone take a look at it? I have been beating my brains out for a while. Attached is my config.

The issue is with tunnel 1. Everything is fine with tunnel0; tunnel 1 is giving me the problems. I just can't access anything on the 10.118.x.x network on the other side of t1.

My config is attached.

8 REPLIES
New Member

Re: ipsec over gre

Hi Drummond,

Can you pls reattach the config? This time just copy the sh run from the CLI directly to a fresh Notepad. Pls do use tftp, it is not opening up properly.

I would also request you to attach a sh ip route for the 10.118.x.x segment and also a sh cry isa sa output.

thanks.

Silver

Re: ipsec over gre

Hi,

Try to open with wordpad instead of notepad.

Krisztian

New Member

Re: ipsec over gre

Here is the config again... I might have messed it up when I was trying to sanitize it.

New Member

Re: ipsec over gre

sh cry isa sa:

dst             src             state          conn-id slot status
x.y.203.4       a.b.180.83      MM_KEY_EXCH       2082    0 ACTIVE
x.y.203.4       a.b.180.83      MM_NO_STATE       2081    0 ACTIVE (deleted)

sh ip route 10.118.114.0

Routing entry for 10.118.144.0/20
  Known via "static", distance 1, metric 0
  Redistributing via ospf 11
  Routing Descriptor Blocks:
  * 172.16.100.1
      Route metric is 0, traffic share count is 1

Silver

Re: ipsec over gre

Hi,

Is the IPsec up at all?

You are referring to ipsec profile tunnel1 but there is only tunnel1-loh configured.

Let's check whether the tunnel itself is up, and after that the IPsec. If both are, you can further investigate the ACLs, routing etc.

Hope it helps, rate if it does.

Krisztian
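The profile-name mismatch pointed out in the reply above can be checked mechanically before looking at ACLs or routing. This is an added example, not part of the thread or the poster's configuration: the sample config is constructed, with only the names tunnel1, tunnel1-loh and tr-transport-aes-sha taken from the posts, and the function name is hypothetical.

```python
import re

# Constructed sample in "show running-config" layout; NOT the poster's config.
# tunnel1, tunnel1-loh and tr-transport-aes-sha appear in the thread,
# tunnel0-example is made up for contrast.
SAMPLE_CONFIG = """\
crypto ipsec profile tunnel0-example
 set transform-set tr-transport-aes-sha
!
crypto ipsec profile tunnel1-loh
 set transform-set tr-transport-aes-sha
!
interface Tunnel0
 tunnel protection ipsec profile tunnel0-example
!
interface Tunnel1
 tunnel protection ipsec profile tunnel1
!
"""

PROFILE_DEF = re.compile(r"^crypto ipsec profile (\S+)")
INTERFACE = re.compile(r"^interface (\S+)")
PROFILE_REF = re.compile(r"^\s+tunnel protection ipsec profile (\S+)")


def audit_ipsec_profiles(config):
    """Cross-check 'tunnel protection' references against defined profiles."""
    defined, refs, current_if = set(), [], None
    for line in config.splitlines():
        if m := PROFILE_DEF.match(line):
            defined.add(m.group(1))
            current_if = None
        elif m := INTERFACE.match(line):
            current_if = m.group(1)
        elif line and not line[0].isspace():
            current_if = None  # any other top-level line ends the interface block
        elif current_if and (m := PROFILE_REF.match(line)):
            refs.append((current_if, m.group(1)))
    referenced = {name for _, name in refs}
    return {
        # interfaces pointing at a profile that is never defined
        "unresolved": [(i, p) for i, p in refs if p not in defined],
        # defined profiles nothing points at: likely the intended name
        "unused": sorted(defined - referenced),
    }


if __name__ == "__main__":
    print(audit_ipsec_profiles(SAMPLE_CONFIG))
```

An unresolved reference paired with an unused profile of a similar name, as here, usually means the interface line or the profile name was mistyped or altered while sanitizing.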

New Member

Re: ipsec over gre

Hi,

Thanks Kerek. That helped.

I believe Kerek is right; you need to check if IPSEC is up at all. I do not see any match statements "vpn-dynamic" in the configuration part below.

crypto dynamic-map vpn-dynamic 10
 set transform-set tr-transport-aes-sha tr-transport-3des-sha

In this config I find you are using NHSRP. If you are using NHSRP, you can use the "tunnel mode gre multipoint" command on the existing Tunnel 0 interface.

This will help you establish point to multipoint IPSEC over GRE.

New Member

Re: ipsec over gre

Tunnel0 isn't the one I am worried about... I can get traffic in and out of that one just fine. It's tunnel1.

New Member

Re: ipsec over gre

Oops, I was trying to sanitize my config to remove public IPs, passwords, etc. I will fix and repost.
