[c-nsp] GRE over IPSEC wtf?!
Chuck Church
chuckchurch at gmail.com
Wed Oct 26 12:02:15 EDT 2011
Are all of the vrf-specific commands in the crypto map and isakmp policies?
I last worked on this about 8 months ago, and it was flaky and/or looked
like it should be working until we specified the VRF in the places it's
needed.
Chuck
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Persio Pucci
Sent: Wednesday, October 26, 2011 9:59 AM
To: Phil Mayers
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] GRE over IPSEC wtf?!
I'll try some of those later, for now I think they are doing something on
the other side as phase 1 is not establishing anymore.
I have read somewhere that GRE tunnels need exclusivity on their loopbacks
(can't share it with other tunnels), does that really apply?
On Wed, Oct 26, 2011 at 11:45 AM, Phil Mayers
<p.mayers at imperial.ac.uk>wrote:
> On 26/10/11 14:29, Persio Pucci wrote:
>
> crypto ipsec transform-set CUSTOMER_CERT esp-3des esp-sha-hmac
>>
>
> I think you want "mode transport" here
>
>
>
>> interface Loopback100
>>
>> description LOOPBACK GRE
>>
>> ip vrf forwarding CUSTOMER
>>
>> ip address y.y.y.y 255.255.255.255
>>
>
> You might need the "crypto map" here; I can't remember
>
>
> !
>>
>> access-list 151 permit ip any any
>>
>
> I think this ACL is too broad; you just want to match GRE.
>
>
> We do something very similar to this. Here is an example from our 2800
> tunnel aggregation router:
>
> crypto ipsec transform-set ts1 esp-3des esp-sha-hmac
> mode transport
>
> crypto map cm1 local-address Loopback1
> crypto map cm1 1 ipsec-isakmp
> set peer x.x.x.x
> set transform-set ts1
> match address 101
>
> interface Loopback1
> ip address ....
> crypto map cm1
>
> interface Tunnel1
> tunnel source Loopback1
> tunnel destination ....
> crypto map cm1
>
> interface GigabitEthernet0/0
> description core
> ...
> crypto map cm1
>
> access-list 101 permit gre host <Our IP> host <Peer IP>
>
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list