[c-nsp] GRE over IPSEC wtf?!

Persio Pucci persio at gmail.com
Wed Oct 26 09:33:33 EDT 2011


> VPN#sh crypto engine connections active
>   ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
> 1478 Fa0/0.100            mypeer          set    HMAC_MD5+3DES_56_C        0        0
> 2011 Fa0/0.100            mypeer          set    3DES+SHA                  0      224
> 2012 Fa0/0.100            mypeer          set    3DES+SHA                115        0
> VPN_#
>
> VPN#sh cry isa sa
> dst             src             state          conn-id slot status
> mypeer          hispeer         QM_IDLE           1478    0 ACTIVE
> VPN#



On Wed, Oct 26, 2011 at 11:29 AM, Persio Pucci <persio at gmail.com> wrote:

> Phill,
>
> 3745 on my side, using 12.4(25c).
>
> Here is the rundown on the configs (again, my side but I assume the other
> side is fine and there's not much on the tunnel cfg to be wrong). IPs
> removed to protect the innocent.
>
> ip vrf CUSTOMER
>  rd 1:25
>  route-target export 1:25
>  route-target import 1:25
> !
> crypto keyring CUSTOMER_CERT vrf CUSTOMER
>   pre-shared-key address x.x.x.x key *****
> !
> crypto ipsec transform-set CUSTOMER_CERT esp-3des esp-sha-hmac
> !
> crypto map CUSTOMER_CERT 50 ipsec-isakmp
>  description CUSTOMER_CERT
>  set peer x.x.x.x
>  set transform-set CUSTOMER_CERT
>  match address 151
> !
> interface Loopback100
>  description LOOPBACK GRE
>  ip vrf forwarding CUSTOMER
>  ip address y.y.y.y 255.255.255.255
> !
> interface Tunnel100
>  ip vrf forwarding CUSTOMER
>  ip address z.z.z.z 255.255.255.252
>  ip pim sparse-mode
>  ip virtual-reassembly
>  load-interval 30
>  keepalive 10 3
>  tunnel source Loopback100
>  tunnel destination d.d.d.d
>  crypto map CUSTOMER_CERT
> !
> interface FastEthernet0/0.100
>  description VPN CUSTOMER_CERT
>  encapsulation dot1Q 100
>  ip vrf forwarding CUSTOMER
>  ip address s.s.s.s 255.255.255.252
>  ip pim sparse-dense-mode
>  crypto map CUSTOMER_CERT
> !
> ip route vrf CUSTOMER d.d.d.d 255.255.255.255 x.x.x.x
> !
> access-list 151 permit ip any any
> !
>
> On Wed, Oct 26, 2011 at 11:21 AM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>
>> On 26/10/11 14:15, Persio Pucci wrote:
>>
>>> Hi all,
>>>
>>> I am trying to get a GRE tunnel to work over IPSEC but as expected I am
>>> running into problems, just not the expected ones.
>>>
>>> Phase 1 is fine and established, Phase 2 is fine, SAs are in place. We can
>>> mutually ping our loopbacks, and we see encaps/decaps increasing as we ping
>>> the loopbacks. This all means that the IPSEC part is done and working.
>>>
>>> Now the s****y part: GRE tunnel will not work. Tunnel has simple
>>> source/destination config, with proper IP addressing, but no good.
>>>
>>> Outgoing interface is on a VRF, so are Loopback and Tunnel (all on the same
>>> VRF). Removed keepalive from tunnel due to VRF. Still no good.
>>>
>>
>> This is a horribly tedious mess of nonsense on IOS platforms, and poorly
>> documented to boot. One of my colleagues has spent countless hours with
>> it...
>>
>> What hardware / IOS versions?
>>
>> Can you give the full IPSec & GRE config?
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
>


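Added example, not code from the thread or from Cisco. A crypto map protects exactly the traffic its crypto ACL permits, on every interface the map is applied to, so the shape of that ACL decides what gets pulled into the IPsec SA. The posted config selects with `access-list 151 permit ip any any`; Cisco's GRE-over-IPsec examples instead match only GRE between the tunnel endpoints (`permit gre host <tunnel source> host <tunnel destination>`). The block below is a small matcher for IOS extended ACL lines that evaluates both ACLs against constructed packets: the GRE tunnel packet, ordinary VRF user traffic, and GRE to an unrelated host. The addresses (10.0.0.1 standing in for y.y.y.y, 198.51.100.2 for d.d.d.d) are assumptions; nothing here claims to be the fix for the poster's tunnel.

```python
"""Minimal IOS extended-ACL matcher (added example, not from the thread).

Handles 'access-list N permit|deny PROTO SRC DST' with SRC/DST as 'any',
'host A' or 'A WILDCARD'. Port qualifiers and named ACLs are out of scope.
"""
import ipaddress

# Protocol keywords IOS accepts in extended ACLs (subset); None means any IP protocol.
PROTO_NUM = {"ip": None, "gre": 47, "esp": 50, "udp": 17, "tcp": 6, "icmp": 1}


def _parse_addr(tokens):
    """Consume one IOS address spec and return (IPv4Network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # 'A WILDCARD': an IOS wildcard mask is the bitwise inverse of a netmask.
    addr, wildcard = tokens[0], tokens[1]
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]


def parse_acl(config_text):
    """Return {acl_number: [(action, proto_or_None, src_net, dst_net), ...]}."""
    acls = {}
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        number, action, proto = t[1], t[2], t[3]
        src, rest = _parse_addr(t[4:])
        dst, _ = _parse_addr(rest)
        acls.setdefault(number, []).append((action, PROTO_NUM[proto], src, dst))
    return acls


def acl_selects(entries, proto, src, dst):
    """First-match evaluation with the implicit deny at the end.

    True means a crypto map using this ACL would try to protect the packet.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, src_net, dst_net in entries:
        if (p is None or p == proto) and s in src_net and d in dst_net:
            return action == "permit"
    return False


# Constructed config: the posted ACL 151 beside a GRE-only alternative (152).
# 10.0.0.1 stands in for the Loopback100 tunnel source (y.y.y.y) and
# 198.51.100.2 for the tunnel destination (d.d.d.d); both are assumptions.
SAMPLE_CONFIG = """
access-list 151 permit ip any any
access-list 152 permit gre host 10.0.0.1 host 198.51.100.2
"""

# Constructed packets, all leaving an interface that carries the crypto map:
# (IP protocol number, source, destination).
SAMPLE_PACKETS = {
    "gre_tunnel": (47, "10.0.0.1", "198.51.100.2"),  # Tunnel100 encapsulation
    "vrf_user": (6, "10.1.1.10", "10.2.2.20"),        # ordinary VRF traffic
    "gre_other": (47, "10.0.0.1", "192.0.2.9"),       # GRE to an unrelated host
}


def selection_report(config_text=SAMPLE_CONFIG, packets=SAMPLE_PACKETS):
    """For each ACL, which of the packets would the crypto map select."""
    acls = parse_acl(config_text)
    return {
        number: {name: acl_selects(entries, *pkt) for name, pkt in packets.items()}
        for number, entries in acls.items()
    }


if __name__ == "__main__":
    for number, result in selection_report().items():
        print(f"access-list {number}: {result}")
```

Running it shows ACL 151 selecting all three packets, while ACL 152 selects only the GRE packet between the two tunnel endpoints; that is the difference between "encrypt whatever leaves this interface" and "encrypt the tunnel".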