[c-nsp] GRE over IPSEC wtf?!
Peter Rathlev
peter at rathlev.dk
Wed Oct 26 10:49:27 EDT 2011
On Wed, 2011-10-26 at 11:29 -0200, Persio Pucci wrote:
> Here is the rundown on the configs (again, my side but I assume the other
> side is fine and there's not much on the tunnel cfg to be wrong). IPs
> removed to protect the innocent.
...
> interface Loopback100
> description LOOPBACK GRE
> ip vrf forwarding CUSTOMER
> ip address y.y.y.y 255.255.255.255
> !
> interface Tunnel100
> ip vrf forwarding CUSTOMER
> ip address z.z.z.z 255.255.255.252
> ip pim sparse-mode
> ip virtual-reassembly
> load-interval 30
> keepalive 10 3
> tunnel source Loopback100
> tunnel destination d.d.d.d

I would think that you need "tunnel vrf CUSTOMER" here since Lo100 is
actually in that VRF. I'm not at all sure that this is the problem, but
it's worth a try. We use it on NPE-G1 12.4(25e).

> crypto map CUSTOMER_CERT
> !

The crypto map on the tunnel interface? Should it not just appear on the
physical interface? I decided to use "tunnel protection" instead of
crypto maps, example here:
http://www.gossamer-threads.com/lists/cisco/nsp/127635#127635

--
Peter
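
The two points raised in the reply above (a tunnel whose source interface is in a VRF without a matching "tunnel vrf", and a crypto map applied to the tunnel interface) can be checked mechanically over a saved config. This is an added example, not part of the original thread; the function names and the sample config (documentation-range addresses) are constructed, and it assumes "!"-separated interface stanzas using the "ip vrf forwarding" syntax.

```python
import re

# Constructed sample modelled on the quoted config; addresses are placeholders.
SAMPLE = """\
interface Loopback100
 ip vrf forwarding CUSTOMER
 ip address 192.0.2.1 255.255.255.255
!
interface Tunnel100
 ip vrf forwarding CUSTOMER
 ip address 198.51.100.1 255.255.255.252
 tunnel source Loopback100
 tunnel destination 203.0.113.9
 crypto map CUSTOMER_CERT
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line == "!":
            current = None              # "!" closes the stanza
        elif line and current is not None:
            current.append(line)
    return interfaces

def value(cmds, prefix):
    """First argument following `prefix` in a stanza, or None if absent."""
    for c in cmds:
        if c.startswith(prefix + " "):
            return c[len(prefix):].split()[0]
    return None

def lint(config):
    """Return (interface, finding) tuples for the two points in the reply."""
    ifs, findings = parse_interfaces(config), []
    for name, cmds in ifs.items():
        src = value(cmds, "tunnel source")
        if src is None:
            continue                    # not a tunnel interface
        # Only compare VRFs when the source is a named interface we parsed.
        if src in ifs and value(ifs[src], "ip vrf forwarding") != value(cmds, "tunnel vrf"):
            findings.append((name, "tunnel-vrf-mismatch"))
        if value(cmds, "crypto map"):
            findings.append((name, "crypto-map-on-tunnel"))
    return findings
```

A finding here is a prompt to review the stanza, not proof of a fault: the reply itself offers both points as things to try.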