[c-nsp] GRE over IPSEC wtf?!

Persio Pucci persio at gmail.com
Wed Oct 26 09:58:43 EDT 2011


I'll try some of those later; for now I think they are doing something on
the other side, as phase 1 is not establishing anymore.

I have read somewhere that GRE tunnels need exclusivity on their loopbacks
(can't share it with other tunnels), does that really apply?

On Wed, Oct 26, 2011 at 11:45 AM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:

> On 26/10/11 14:29, Persio Pucci wrote:
>
>> crypto ipsec transform-set CUSTOMER_CERT esp-3des esp-sha-hmac
>
> I think you want "mode transport" here
>
>> interface Loopback100
>>  description LOOPBACK GRE
>>  ip vrf forwarding CUSTOMER
>>  ip address y.y.y.y 255.255.255.255
>
> You might need the "crypto map" here; I can't remember
>
>> !
>> access-list 151 permit ip any any
>
> I think this ACL is too broad; you just want to match GRE.
>
>
> We do something very similar to this. Here is an example from our 2800
> tunnel aggregation router:
>
> crypto ipsec transform-set ts1 esp-3des esp-sha-hmac
>  mode transport
>
> crypto map cm1 local-address Loopback1
> crypto map cm1 1 ipsec-isakmp
>  set peer x.x.x.x
>  set transform-set ts1
>  match address 101
>
> interface Loopback1
>  ip address ....
>  crypto map cm1
>
> interface Tunnel1
>  tunnel source Loopback1
>  tunnel destination ....
>  crypto map cm1
>
> interface GigabitEthernet0/0
>  description core
>  ...
>  crypto map cm1
>
> access-list 101 permit gre host <Our IP> host <Peer IP>
>
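A small config checker for the three points raised in the reply above (transport mode on the transform-set, a crypto ACL narrowed to GRE between the two endpoints, and the crypto map applied on the tunnel's source interface), as an added example that is not from the thread; the function names, sample configs and addresses are constructed.

```python
import re

def parse_blocks(config):
    blocks = []  # (top-level IOS command, [indented child lines])
    for line in config.splitlines():
        if line.strip() and line.strip() != "!":
            if line.startswith(" ") and blocks:
                blocks[-1][1].append(line.strip())
            else:
                blocks.append((line.strip(), []))
    return blocks

def lint_gre_ipsec(config):
    """Check the three points raised in the reply; an empty list means clean."""
    blocks, findings, acls = parse_blocks(config), [], set()
    for head, body in blocks:
        # 1. GRE already adds an outer IP header, so IPsec should run in transport mode
        if head.startswith("crypto ipsec transform-set") and "mode transport" not in body:
            findings.append(f"{head}: missing 'mode transport'")
        if re.match(r"crypto map \S+ \d+ ipsec-isakmp", head):
            acls.update(ln.split()[2] for ln in body if ln.startswith("match address "))
    # 2. the crypto ACL should select only GRE between the two endpoints, not 'ip any any'
    for head, _ in blocks:
        m = re.match(r"access-list (\d+) permit (\S+) (.*)", head)
        if m and m.group(1) in acls and not (m.group(2) == "gre" and re.fullmatch(r"host \S+ host \S+", m.group(3))):
            findings.append(f"{head}: crypto ACL should match only GRE between the endpoints")
    # 3. the crypto map has to sit on the interface the tunnel is sourced from
    ifaces = {h.split()[1]: b for h, b in blocks if h.startswith("interface ")}
    for head, body in blocks:
        if head.startswith("interface Tunnel"):
            src = next((ln.split()[2] for ln in body if ln.startswith("tunnel source ")), "")
            if src[:1].isalpha() and not any(ln.startswith("crypto map ") for ln in ifaces.get(src, [])):
                findings.append(f"{head}: no crypto map on tunnel source {src}")
    return findings

# Constructed samples (not the thread's configs): the first carries the three issues, the second the working layout.
BROKEN_CFG = """crypto ipsec transform-set CUSTOMER_CERT esp-3des esp-sha-hmac
crypto map cm1 1 ipsec-isakmp
 match address 151
interface Tunnel100
 tunnel source Loopback100
access-list 151 permit ip any any"""
FIXED_CFG = """crypto ipsec transform-set ts1 esp-3des esp-sha-hmac
 mode transport
crypto map cm1 1 ipsec-isakmp
 match address 101
interface Loopback1
 crypto map cm1
interface Tunnel1
 tunnel source Loopback1
 crypto map cm1
access-list 101 permit gre host 198.51.100.1 host 192.0.2.1"""
```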