[c-nsp] GRE over IPSEC wtf?!

Chuck Church chuckchurch at gmail.com
Wed Oct 26 12:02:15 EDT 2011


Are all of the vrf-specific commands in the crypto map and isakmp policies?
I last worked on this about 8 months ago, and it was flaky and/or looked
like it should be working until we specified the VRF in the places it's
needed.

Chuck


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Persio Pucci
Sent: Wednesday, October 26, 2011 9:59 AM
To: Phil Mayers
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] GRE over IPSEC wtf?!

I'll try some of those later, for now I think they are doing something on
the other side as phase 1 is not establishing anymore.

I have read somewhere that GRE tunnels need exclusivity on their loopbacks
(can't share it with other tunnels), does that really apply?

On Wed, Oct 26, 2011 at 11:45 AM, Phil Mayers
<p.mayers at imperial.ac.uk> wrote:

> On 26/10/11 14:29, Persio Pucci wrote:
>
>> crypto ipsec transform-set CUSTOMER_CERT esp-3des esp-sha-hmac
>
> I think you want "mode transport" here
>
>> interface Loopback100
>>  description LOOPBACK GRE
>>  ip vrf forwarding CUSTOMER
>>  ip address y.y.y.y 255.255.255.255
>
> You might need the "crypto map" here; I can't remember
>
>> !
>> access-list 151 permit ip any any
>
> I think this ACL is too broad; you just want to match GRE.
>
>
> We do something very similar to this. Here is an example from our 2800
> tunnel aggregation router:
>
> crypto ipsec transform-set ts1 esp-3des esp-sha-hmac
>  mode transport
>
> crypto map cm1 local-address Loopback1
> crypto map cm1 1 ipsec-isakmp
>  set peer x.x.x.x
>  set transform-set ts1
>  match address 101
>
> interface Loopback1
>  ip address ....
>  crypto map cm1
>
> interface Tunnel1
>  tunnel source Loopback1
>  tunnel destination ....
>  crypto map cm1
>
> interface GigabitEthernet0/0
>  description core
>  ...
>  crypto map cm1
>
> access-list 101 permit gre host <Our IP> host <Peer IP>
>
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
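A small config checker for the three points Phil raises above (transport mode on the transform set, a crypto map on both the tunnel and its source interface, a crypto ACL that matches only GRE), added here as an example and not taken from the thread or from any Cisco tool; the sample config, the indent-based block parsing and the message wording are my own assumptions, and the ACL check relies on crypto map entries appearing before the numbered ACLs, as they do in a running-config.

```python
import re

# Constructed sample modelled on the snippets quoted in the thread; addresses
# are documentation ranges, not the poster's, and it shows all three problems.
SAMPLE_CONFIG = """\
crypto ipsec transform-set CUSTOMER_CERT esp-3des esp-sha-hmac
crypto map cm1 1 ipsec-isakmp
 set transform-set CUSTOMER_CERT
 match address 151
interface Loopback100
 ip vrf forwarding CUSTOMER
 ip address 192.0.2.1 255.255.255.255
interface Tunnel100
 tunnel source Loopback100
 tunnel destination 198.51.100.1
access-list 151 permit ip any any
"""

def parse_blocks(config):
    """Group IOS config into (command, [sub-commands]) using the one-space indent."""
    blocks = []
    for line in config.splitlines():
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            blocks.append((line.strip(), []))
    return blocks

def check_gre_over_ipsec(config):
    """Return findings for the three points raised in the thread ([] when clean).
    Assumes running-config order: crypto map entries precede the numbered ACLs."""
    findings, ifaces, map_acls = [], {}, set()
    for cmd, body in parse_blocks(config):
        if cmd.startswith("crypto ipsec transform-set ") and "mode transport" not in body:
            findings.append(f"{cmd}: missing 'mode transport'")
        elif re.match(r"crypto map \S+ \d+ ipsec-isakmp$", cmd):
            map_acls.update(s.split()[-1] for s in body if s.startswith("match address "))
        elif cmd.startswith("interface "):
            ifaces[cmd.split()[1]] = body
        elif (m := re.match(r"access-list (\d+) permit (\S+)", cmd)) and m.group(1) in map_acls and m.group(2) != "gre":
            findings.append(f"{cmd}: too broad, match only GRE between the two endpoints")
    for name, body in ifaces.items():
        if name.startswith("Tunnel"):
            src = next((s.split()[-1] for s in body if s.startswith("tunnel source ")), None)
            for iface in (name, src):
                if iface in ifaces and not any(s.startswith("crypto map ") for s in ifaces[iface]):
                    findings.append(f"interface {iface}: missing 'crypto map'")
    return findings
```

Run `check_gre_over_ipsec(SAMPLE_CONFIG)` to see the four findings for the sample; feed it your own `show running-config` text to check a real box.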