[c-nsp] GRE over IPSEC wtf?!
Persio Pucci
persio at gmail.com
Wed Oct 26 09:29:24 EDT 2011
Phil,
3745 on my side, using 12.4(25c).
Here is the rundown on the configs (again, my side but I assume the other
side is fine and there's not much on the tunnel cfg to be wrong). IPs
removed to protect the innocent.
ip vrf CUSTOMER
rd 1:25
route-target export 1:25
route-target import 1:25
!
crypto keyring CUSTOMER_CERT vrf CUSTOMER
pre-shared-key address x.x.x.x key *****
!
crypto ipsec transform-set CUSTOMER_CERT esp-3des esp-sha-hmac
!
crypto map CUSTOMER_CERT 50 ipsec-isakmp
description CUSTOMER_CERT
set peer x.x.x.x
set transform-set CUSTOMER_CERT
match address 151
!
interface Loopback100
description LOOPBACK GRE
ip vrf forwarding CUSTOMER
ip address y.y.y.y 255.255.255.255
!
interface Tunnel100
ip vrf forwarding CUSTOMER
ip address z.z.z.z 255.255.255.252
ip pim sparse-mode
ip virtual-reassembly
load-interval 30
keepalive 10 3
tunnel source Loopback100
tunnel destination d.d.d.d
crypto map CUSTOMER_CERT
!
interface FastEthernet0/0.100
description VPN CUSTOMER_CERT
encapsulation dot1Q 100
ip vrf forwarding CUSTOMER
ip address s.s.s.s 255.255.255.252
ip pim sparse-dense-mode
crypto map CUSTOMER_CERT
!
ip route vrf CUSTOMER d.d.d.d 255.255.255.255 x.x.x.x
!
access-list 151 permit ip any any
!
On Wed, Oct 26, 2011 at 11:21 AM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> On 26/10/11 14:15, Persio Pucci wrote:
>
>> Hi all,
>>
>> I am trying to get a GRE tunnel to work over IPSEC but as expected I am
>> running into problems, just not the expected ones.
>>
>> Phase 1 is fine and established, Phase 2 is fine, SAs are in place. We can
>> mutually ping our loopbacks, and we see encaps/decaps increasing as we
>> ping
>> the loopbacks. This all means that the IPSEC part is done and working.
>>
>> Now the s****y part: GRE tunnel will not work. Tunnel has simple
>> source/destination config, with proper IP addressing, but no good.
>>
>> Outgoing interface is on a VRF, so are Loopback and Tunnel (all on the
>> same
>> VRF). Removed keepalive from tunnel due to VRF. Still no good.
>>
>
> This is a horribly tedious mess of nonsense on IOS platforms, and poorly
> documented to boot. One of my colleagues has spent countless hours with
> it...
>
> What hardware / IOS versions?
>
> Can you give the full IPSec & GRE config?
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
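Added example, not part of the thread: a small Python model of how a crypto map's proxy ACL selects traffic, run against ACL 151 from the config above. Addresses are RFC 5737 documentation ranges standing in for the x/y/z/d placeholders, the packets are constructed, and the GRE-only ACL is a common alternative to `permit ip any any` shown for contrast, not a fix the thread arrives at. The point it makes: with `permit ip any any`, a loopback-to-loopback ping and the GRE packets Tunnel100 emits both fall into the same SA, so rising encaps/decaps counters while pinging the loopbacks do not by themselves show that GRE is getting through. A separate caveat, outside what the model covers: Tunnel100 has `ip vrf forwarding CUSTOMER` but no `tunnel vrf CUSTOMER`, and without the latter IOS resolves the tunnel destination in the global routing table rather than in the VRF that holds the static route for d.d.d.d.

```python
"""Added example (not from the thread): a small model of how a crypto-map ACL
selects traffic, applied to ACL 151 from the posted config. Addresses are
RFC 5737 documentation ranges standing in for the x/y/z/d placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IP protocol numbers for the keywords the parser understands ("ip" = any protocol)
PROTO_NUMBERS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int


@dataclass(frozen=True)
class AclEntry:
    action: str
    proto: Optional[int]          # None = "ip", matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse 'any', 'host A' or 'A WILDCARD'; return (network, index of next token)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # Cisco wildcard: 1 bits are "don't care". Invert it into a netmask explicitly
    # (only contiguous wildcards are supported; ipaddress rejects the rest).
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network((tokens[i], str(netmask)), strict=False), i + 2


def parse_acl(text: str):
    """Parse numbered extended ACL lines ('access-list N permit PROTO SRC DST')."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[0] == "access-list":
            tokens = tokens[2:]              # drop 'access-list 151'
        action, proto = tokens[0], PROTO_NUMBERS[tokens[1]]
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        entries.append(AclEntry(action, proto, src, dst))
    return entries


def crypto_acl_selects(entries, pkt: Packet) -> bool:
    """First matching entry wins, implicit deny at the end. True means the packet is
    protected by the crypto map; False means it leaves the interface in clear."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for e in entries:
        if (e.proto is None or e.proto == pkt.proto) and s in e.src and d in e.dst:
            return e.action == "permit"
    return False


def gre_encapsulate(inner: Packet, tunnel_src: str, tunnel_dst: str) -> Packet:
    """What Tunnel100 does before the crypto map sees the packet: wrap it in an
    outer IP header from tunnel source to tunnel destination, protocol 47 (GRE)."""
    return Packet(tunnel_src, tunnel_dst, 47)


# Constructed stand-ins for the placeholders in the posted config
LOOPBACK100 = "192.0.2.1"            # y.y.y.y, tunnel source
REMOTE_TUNNEL_DST = "198.51.100.1"   # d.d.d.d
ACL_151_AS_POSTED = "access-list 151 permit ip any any"
ACL_151_GRE_ONLY = f"access-list 151 permit gre host {LOOPBACK100} host {REMOTE_TUNNEL_DST}"


def classify(acl_text: str) -> dict:
    """Run three representative packets leaving FastEthernet0/0.100 through a crypto ACL."""
    acl = parse_acl(acl_text)
    loopback_ping = Packet(LOOPBACK100, REMOTE_TUNNEL_DST, 1)
    gre_from_tunnel = gre_encapsulate(Packet("10.1.1.10", "10.2.2.10", 6),
                                      LOOPBACK100, REMOTE_TUNNEL_DST)
    stray_clear = Packet("10.1.1.10", "203.0.113.9", 17)   # VRF traffic not routed via the tunnel
    return {
        "loopback_ping": crypto_acl_selects(acl, loopback_ping),
        "gre_from_tunnel": crypto_acl_selects(acl, gre_from_tunnel),
        "stray_clear": crypto_acl_selects(acl, stray_clear),
    }


if __name__ == "__main__":
    for name, text in (("as posted", ACL_151_AS_POSTED), ("gre only", ACL_151_GRE_ONLY)):
        print(name, classify(text))
```

classify() returns True where the crypto map would protect the packet and False where it would leave the subinterface in clear; with the ACL as posted all three packets are selected, with the GRE-only ACL only the tunnel's own packets are.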