[c-nsp] unable to route traffic over ipsec/gre tunnels - HELP!

Nick Hilliard nick at foobar.org
Mon Jan 14 16:53:06 EST 2013


On 14/01/2013 18:38, false wrote:
> I'm pretty sure I remember doing it this way several years ago. What changes need to be made to allow these multiple crypto maps and using just one crypto map tag on fa0/1 (isp interface)?

This looks wrong:

>>>> access-list 141 permit gre any any

When the crypto map is evaluated, it may be getting confused with vpnmap 10
which evaluates access-list 141, which contains a catch-all for all gre
traffic.  You should specify only the traffic to be encrypted in this
access list (and in 131), not the encapsulating traffic.

Nick
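
An added illustration, not part of the original message: a small Python model of first-match crypto map evaluation, showing how a catch-all `permit gre any any` behind vpnmap 10 captures GRE traffic intended for a later entry. The addresses, the second entry (sequence 20 using access-list 131), the contents of 131 and the way the lists are narrowed are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")

def host(addr):
    """ACL 'host x.x.x.x' selector as a /32 network."""
    return ip_network(addr + "/32")

def acl_permits(acl, pkt):
    """True if any permit line matches the packet (proto, src, dst)."""
    proto, src, dst = pkt
    return any(p in ("ip", proto)
               and ip_address(src) in s and ip_address(dst) in d
               for p, s, d in acl)

def select_entry(crypto_map, acls, pkt):
    """Walk entries in sequence order; the first whose ACL permits wins."""
    for seq in sorted(crypto_map):
        acl_id, peer = crypto_map[seq]
        if acl_permits(acls[acl_id], pkt):
            return seq, peer
    return None  # no entry matched: the packet is not encrypted

# Constructed addresses from the RFC 5737 documentation ranges.
LOCAL, PEER_A, PEER_B = "192.0.2.1", "198.51.100.1", "203.0.113.1"

# vpnmap 10 -> ACL 141 is from the thread; sequence 20 -> ACL 131 is assumed.
CRYPTO_MAP = {10: (141, PEER_A), 20: (131, PEER_B)}

ACLS_AS_POSTED = {
    141: [("gre", ANY, ANY)],                   # access-list 141 permit gre any any
    131: [("gre", host(LOCAL), host(PEER_B))],  # assumed contents
}
ACLS_SCOPED = {                                 # assumed narrowing, one pair each
    141: [("gre", host(LOCAL), host(PEER_A))],
    131: [("gre", host(LOCAL), host(PEER_B))],
}

GRE_TO_A = ("gre", LOCAL, PEER_A)
GRE_TO_B = ("gre", LOCAL, PEER_B)

if __name__ == "__main__":
    for name, acls in (("as posted", ACLS_AS_POSTED), ("scoped", ACLS_SCOPED)):
        for pkt in (GRE_TO_A, GRE_TO_B):
            print(name, pkt, "->", select_entry(CRYPTO_MAP, acls, pkt))
```

With the catch-all in place, GRE packets for the second peer are claimed by sequence 10 and handed to the wrong peer; once each list names only its own traffic, every packet reaches its own entry.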


