[c-nsp] GRE over IPSEC wtf?!
Persio Pucci
persio at gmail.com
Wed Oct 26 12:47:04 EDT 2011
Ding ding ding, we got a winner!
"tunnel vrf" did the job.
Thank you for all your input!
On Wednesday, October 26, 2011, Peter Rathlev <peter at rathlev.dk> wrote:
> On Wed, 2011-10-26 at 11:29 -0200, Persio Pucci wrote:
>> Here is the rundown on the configs (again, my side but I assume the other
>> side is fine and there's not much on the tunnel cfg to be wrong). IPs
>> removed to protect the innocent.
> ...
>> interface Loopback100
>> description LOOPBACK GRE
>> ip vrf forwarding CUSTOMER
>> ip address y.y.y.y 255.255.255.255
>> !
>> interface Tunnel100
>> ip vrf forwarding CUSTOMER
>> ip address z.z.z.z 255.255.255.252
>> ip pim sparse-mode
>> ip virtual-reassembly
>> load-interval 30
>> keepalive 10 3
>> tunnel source Loopback100
>> tunnel destination d.d.d.d
>
> I would think that you need "tunnel vrf CUSTOMER" here since Lo100 is
> actually in that VRF. I'm not at all sure that this is the problem, but
> it's worth a try. We use it on NPE-G1 12.4(25e).
>
>> crypto map CUSTOMER_CERT
>> !
>
> The crypto map on the tunnel interface? Should it not just appear on the
> physical interface? I decided to use "tunnel protection" instead of
> crypto maps, example here:
>
> http://www.gossamer-threads.com/lists/cisco/nsp/127635#127635
>
> --
> Peter
>
>
>
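Added example, not part of the thread: a small Python check for the condition that turned out to be the fix here, a tunnel whose source interface sits in a VRF while the tunnel itself has no matching "tunnel vrf". The function names and the sample config (documentation addresses) are constructed for illustration, and the check assumes "tunnel source" names the interface exactly as its "interface" line does.

```python
import re

# Constructed sample modelled on the quoted config; addresses are placeholders.
SAMPLE = """\
interface Loopback100
 ip vrf forwarding CUSTOMER
 ip address 192.0.2.1 255.255.255.255
!
interface Tunnel100
 ip vrf forwarding CUSTOMER
 ip address 198.51.100.1 255.255.255.252
 tunnel source Loopback100
 tunnel destination 203.0.113.9
!
"""

def parse_interfaces(config):
    """Map interface name -> list of its sub-commands ('!' ends a block)."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line == "!" or not line:
            current = None
        elif current is not None:
            current.append(line)
    return interfaces

def first_match(cmds, pattern):
    """Return group 1 of the first command matching pattern, else None."""
    for cmd in cmds:
        m = re.match(pattern, cmd)
        if m:
            return m.group(1)
    return None

def check_tunnel_vrf(config):
    """List (tunnel, source, source_vrf, tunnel_vrf) where the two VRFs differ."""
    interfaces, findings = parse_interfaces(config), []
    for name, cmds in interfaces.items():
        src = first_match(cmds, r"tunnel source (\S+)")
        if src not in interfaces:   # no tunnel source, or given as an IP
            continue
        src_vrf = first_match(interfaces[src], r"(?:ip )?vrf forwarding (\S+)")
        transport_vrf = first_match(cmds, r"tunnel vrf (\S+)")  # None = global
        if src_vrf != transport_vrf:
            findings.append((name, src, src_vrf, transport_vrf))
    return findings
```
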