One multipoint GRE tunnel interface on two physical interfaces?
Hi all
I use a dual-hub, single-cloud DMVPN network.
Our spokes (C831 ISRs) connect either to an ISP with dynamic DHCP or to an ISP with dynamic PPPoE. I want to build a temporary kit that works anywhere. Here is the configuration of my tunnel for the PPPoE ISP:
interface Tunnel0
 bandwidth 1000
 ip address 172.23.2.254 255.255.252.0
 no ip redirects
 ip mtu 1436
 ip nhrp authentication xxxxxx
 ip nhrp map 172.16.0.1 230.2.2.1
 ip nhrp map multicast 230.2.2.1
 ip nhrp map 172.16.0.2 230.2.2.2
 ip nhrp map multicast 230.2.2.1
 ip nhrp network-id 900001
 ip nhrp holdtime 300
 ip nhrp nhs 172.16.0.1
 ip nhrp nhs 172.16.0.2
 delay 1000
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key xxxxxx
 tunnel protection ipsec profile MyIPSecProf
For the DHCP ISP, I only change the tunnel source to Ethernet1.
Is it possible to configure 2 different tunnel interfaces bound to 2 physical interfaces (i.e. one on Ethernet1 and one on Dialer1)? The challenge is that I cannot change the hub configuration at all, so I can't put the tunnel IP addresses in 2 different subnets: there is only 1 tunnel interface on the hub.
Does anyone have an idea?
Thank you very much
Yes, I see it now. IP unnumbered will provide the interface to the MTR, and the tunnel interface you have is point-to-multipoint. I'm afraid there is no good solution for your needs.
Kind regards
Lei Tian
Tags: Cisco Security
Similar Questions
-
DMVPN GRE tunnel does not connect: encapsulation failed
Hello
I'm trying to set up a GRE tunnel over a Verizon HWIC-3G-CDMA as per Verizon's document. Does anyone have backup over EVDO working?
Diagram: PDF attached
Verizon's document: attached
The relevant commands are below
HUB END
interface Tunnel0
 ip address 192.168.255.89 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 tunnel source 152.176.219.158
 tunnel mode gre multipoint
interface Serial1/0
 description Verizon MPLS VPN T3
 ip address 152.176.219.158 255.255.255.252
 ip flow ingress
 encapsulation ppp
 dsu bandwidth 44210
SPOKE END
interface Tunnel0
 description GRE tunnel to Hub
 ip address 192.168.255.29 255.255.255.0
 no ip redirects
 ip nhrp map 192.168.255.89 152.176.219.158
 ip nhrp map multicast 152.176.219.158
 ip nhrp network-id 100
 ip nhrp nhs 152.176.219.158
 ip nhrp registration no-unique
 tunnel source Cellular0/1/0
 tunnel mode gre multipoint
interface Cellular0/1/0
 description * VzW EVDO Interface *
 ip address negotiated
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 0
 dialer string evdo
 dialer-group 1
 async mode interactive
 ppp chap password 7 120F1F00
ip route 152.176.219.158 255.255.255.255 Cellular0/1/0
In the spoke's configuration, the command "ip nhrp nhs 152.176.219.158" is wrong; you need to use the hub's tunnel IP: "ip nhrp nhs 192.168.255.89".
Just in case, here is an example configuration.
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a008014bcd7.shtml
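The mistake diagnosed above (an NHS that points at the hub's NBMA address instead of its tunnel address) is easy to catch mechanically. The following Python lint is an added example, not code from the thread or from Cisco: it parses a spoke tunnel stanza, checks that every `ip nhrp nhs` address lies inside the tunnel subnet and has a static `ip nhrp map` plus a multicast map, and, when the NHS is really an NBMA address that is already mapped, names the tunnel IP to use instead. The sample input is the spoke config posted above (constructed here as a string); the regexes and messages are my own.

```python
import ipaddress
import re

# Constructed input: the spoke tunnel from the thread, with the NHS line the
# answer above calls out (it points at the hub's NBMA address, not its tunnel IP).
SPOKE_TUNNEL = """\
interface Tunnel0
 description GRE tunnel to Hub
 ip address 192.168.255.29 255.255.255.0
 no ip redirects
 ip nhrp map 192.168.255.89 152.176.219.158
 ip nhrp map multicast 152.176.219.158
 ip nhrp network-id 100
 ip nhrp nhs 152.176.219.158
 ip nhrp registration no-unique
 tunnel source Cellular0/1/0
 tunnel mode gre multipoint
"""

# The same snippet with the NHS corrected as the answer suggests.
SPOKE_TUNNEL_FIXED = SPOKE_TUNNEL.replace(
    "ip nhrp nhs 152.176.219.158", "ip nhrp nhs 192.168.255.89")


def parse_tunnel(cfg):
    """Pull the tunnel subnet, static NHRP maps (tunnel IP -> NBMA IP),
    multicast maps and the NHS list out of one tunnel interface stanza."""
    info = {"subnet": None, "maps": {}, "multicast": [], "nhs": []}
    for raw in cfg.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"ip address (\S+) (\S+)", line)
        if m:
            info["subnet"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
            continue
        m = re.fullmatch(r"ip nhrp map multicast (\S+)", line)   # must precede the generic map
        if m:
            info["multicast"].append(m[1])
            continue
        m = re.fullmatch(r"ip nhrp map (\S+) (\S+)", line)
        if m:
            info["maps"][m[1]] = m[2]
            continue
        m = re.fullmatch(r"ip nhrp nhs (\S+)", line)
        if m:
            info["nhs"].append(m[1])
    return info


def lint_nhs(cfg):
    """Return a list of findings; an empty list means every NHS looks consistent."""
    info = parse_tunnel(cfg)
    if info["subnet"] is None:
        return ["tunnel interface has no ip address"]
    findings = []
    for nhs in info["nhs"]:
        if ipaddress.ip_address(nhs) not in info["subnet"]:
            msg = f"nhs {nhs} is not in tunnel subnet {info['subnet']}"
            # If the address is an NBMA address we already map, say which tunnel IP to use.
            owners = [tun for tun, nbma in info["maps"].items() if nbma == nhs]
            if owners:
                msg += (f"; it is the NBMA address of tunnel IP {owners[0]}, "
                        f"use 'ip nhrp nhs {owners[0]}'")
            findings.append(msg)
        elif nhs not in info["maps"]:
            findings.append(f"nhs {nhs} has no static 'ip nhrp map' to an NBMA address")
        elif info["maps"][nhs] not in info["multicast"]:
            findings.append(f"no 'ip nhrp map multicast' for NHS {nhs} "
                            "(routing-protocol hellos will not reach it)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("as posted", SPOKE_TUNNEL), ("corrected", SPOKE_TUNNEL_FIXED)):
        print(name, lint_nhs(cfg) or ["OK"])
```

Run against the posted stanza the lint reports the NHS as an NBMA address and suggests `ip nhrp nhs 192.168.255.89`; against the corrected stanza it is silent. The same three checks apply unchanged to the dual-hub spoke in the first thread on this page.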
-
How is a GRE tunnel applied to a physical interface?
Within the tunnel configuration we use the tunnel source and tunnel destination commands, but how does the physical interface know to use the tunnel? Do the tunnel source parameters override the physical interface? If we don't configure a tunnel with the right source, would that interface then send all information encapsulated in GRE?
If we also configure IPsec on the interface and specify a crypto map to encrypt only the matching traffic, would that matching traffic not use the GRE tunnel, or would the information, regardless of whether it was IPsec encrypted, also be encapsulated in GRE?
Also, I read here: https://supportforums.cisco.com/docs/DOC-3067
"Bind the crypto map to the physical (outside) interface if you are using Cisco IOS software version 12.2.15 or later. If not, then the crypto map should be applied to the tunnel interface as well as the physical interface."
Why was it necessary to apply the crypto map to both the physical and tunnel interfaces, and why is it not necessary with later versions of IOS?
Thanks for any help! -Mark
Hi Mark,
When you set the tunnel source in the tunnel interface, the router adds the IP address of the specified interface (loopback or physical) to the GRE packet generated by the tunnel interface.
This is useful when you need to deliver a GRE tunnel across the Internet but the tunnel interface has a private IP: you use the external interface (with a public IP address) as the tunnel source.
When the remote endpoint receives the GRE packet, it looks up the tunnel interface that has that address as its tunnel destination, decapsulates the packet, and then takes the GRE payload and forwards it to that specific tunnel interface.
Since 12.4 you simply apply the crypto map to the interface defined as the 'tunnel source', usually the one connected to the Internet, where all VPN tunnels terminate. The reason for this is that the VPN termination endpoint is the physical interface and not the tunnel interface.
The reason why you needed to add the crypto map to both is not clear to me, since I did not support older versions of code.
Don't forget that when configuring a GRE/IPsec tunnel, in the crypto ACL you set the tunnel source and destination IPs.
Hope this helps.
Portu.
Please rate all useful posts
Post edited by: Javier Portuguez
-
Please see the picture above: two sites connected using Fa 0/1 on R1 and R2, and a GRE tunnel is formed.
Case 1:
We have a point-to-point connection between two routers and the IP addresses assigned to Fa 0/1 on R1 and R2 belong to the same subnet. We then configure a GRE tunnel on top of this as indicated in the topology:
- Using an IGP such as EIGRP or OSPF we can peer routers R1 and R2 over both the tunnel and the point-to-point connection.
- This will create redundant paths between the two routers.
- This will form a double peering relationship between the two routers (e.g. for EIGRP or OSPF).
- Or we can use the tunnel just for exchanging traffic between the two routers.
My Question:
- What is the standard in this topology in the real world: using both connections for IGP peering, or just the tunnel?
- What is the standard in this topology in an exam: using both connections for IGP peering, or just the tunnel?
Case 2:
If Fa 0/1 on both routers have public IPs and in fact do not belong to the same subnet, then I think we have to create a tunnel between the two routers and then use the tunnel on both routers for IGP peering.
My Question:
- I just want to know whether this is a valid case, and also whether we get this case in an exam?
Feel free to comment on both cases; I just created these two cases to clear my mind.
Basically the tunnel is a virtual point-to-point link between two routers. When you have two routers physically connected point-to-point, the tunnel link has no use, but if you have two routers separated by many network hops then a GRE or IPsec tunnel is useful, and in this case the tunnel gives you the convenience of a logical point-to-point network.
In the tunnel you can run any routing protocol (OSPF, EIGRP, BGP or similar) or static routes, as on a point-to-point interface between two routers.
Answers to your questions, in my opinion, are as below
Case 1
- What is the standard in this topology in the real world: using both connections for IGP peering, or just the tunnel? - No use for the tunnel in this case in the real world, so you would run any routing protocol between the physical point-to-point interfaces.
- What is the standard in this topology in an exam: using both connections for IGP peering, or just the tunnel? - Same as the point above; exams are mostly based on real-world scenarios (not sure which exam you're talking about).
Case 2
- I just want to know whether this is a valid case, and also whether we get this case in an exam? - Yes, this is valid in the real world, and it also appears in exams, especially DMVPN and IPsec tunnels in the CCIE exam.
Please always rate useful posts!
Kind regards
Pawan (CCIE # 52104)
-
Multicast traffic over a GRE tunnel
Hi guys,
I have a point-to-point BGP connection via an ISP on a 100 Mbps link between the branch and the central office.
I set up a GRE tunnel running OSPF between two Cisco 2801 routers with the Advanced Security IOS so I can carry multicast streaming traffic between the two sites, but I am only able to get 6 Mbps through the tunnel between the sites. I have configured PIM sparse-mode multicast to transport the video traffic over the tunnel.
Is there a limit on the GRE tunnel? Could it be MTU, or perhaps other issues? Can anyone help me solve this, guys?
Hello
There is a lot of discussion about bandwidth limitations on tunnel interfaces, but most of it seems to be linked to software limitations on the device.
The issue could be related to MTU. Have you enabled PMTUD on the tunnel interface? If not, turn it on, as it is recommended on tunnel interfaces.
HTH.
Rate useful posts.
Kind regards
Terence
-
GRE tunnels will not come up over IPsec/GRE VPN
Hi all
We have 400+ remote sites that connect to our central location (and a backup site) using Cisco routers with IPsec/GRE VPN tunnels. We use a basic template for creating the tunnels, so there is very little chance of a misconfiguration on any one router. Remote sites use Cisco 831s, central sites use Cisco 2821s. There is one site where the GRE tunnels just refuse to come up.
The routers are able to ping each other's public IP addresses, so it is not a routing problem, but the GRE endpoints cannot ping. There is no NAT involved; both routers access the Internet directly. The assorted show commands seem to indicate that the SAs are properly built, but from the logs it seems that the last part just doesn't finish, and the GRE tunnels do not come up.
In the attached log file, it seems that both the IPsec and ISAKMP SAs are created @ 00:25:14, then QM_PHASE2 finishes @ 00:25:15.
00:25:15: ISAKMP:(0:10:HW:2):deleting node 1891573546 error FALSE reason "QM done (await)"
00:25:15: ISAKMP:(0:10:HW:2):Node 1891573546, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
00:25:15: ISAKMP:(0:10:HW:2):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
00:25:15: ISAKMP (0:268435467): received packet from 208.XX.YY.11 dport 500 sport 500 Global (I) QM_IDLE
00:25:15: IPSEC(key_engine): got a queue event with 1 kei messages
00:25:15: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
00:25:15: IPSEC(key_engine_enable_outbound): enable SA with spi 1572231461/50
00:25:15: ISAKMP:(0:11:HW:2):deleting node -1931380074 error FALSE reason "QM done (await)"
00:25:15: ISAKMP:(0:11:HW:2):Node -1931380074, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
00:25:15: ISAKMP:(0:11:HW:2):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
00:25:15: IPSEC(key_engine): got a queue event with 1 kei messages
00:25:15: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
00:25:15: IPSEC(key_engine_enable_outbound): enable SA with spi 310818168/50
I don't have the remote router's log file; this one is very long, so I attached it. Before I captured the log file, I enabled debug ipsec & isakmp and immediately cleared the SAs.
Assorted useful details and the relevant show command output:
Cisco IOS Software, C831 Software (C831-K9O3SY6-M), Version 12.4(25), RELEASE SOFTWARE (fc1)
There are 2 IPsec/GRE tunnel connections:
Tunnel101: KC (208.YY.ZZ.11) - remote (74.WW.XX.35)
Tunnel201: Dallas (208.XX.YY.11) - remote (74.WW.XX.35)

Site-382-831#sho ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet1              unassigned      YES unset  down                  down
FastEthernet2              unassigned      YES unset  up                    up
FastEthernet3              unassigned      YES unset  up                    up
FastEthernet4              unassigned      YES unset  up                    up
Ethernet0                  10.3.82.10      YES NVRAM  up                    up
Ethernet1                  74.WW.XX.35     YES NVRAM  up                    up
Ethernet2                  172.16.1.10     YES NVRAM  up                    up
Tunnel101                  1.3.82.46       YES NVRAM  up                    down    <====
Tunnel201                  1.3.82.62       YES NVRAM  up                    down    <====
NVI0                       unassigned      NO  unset  up                    up
Site-382-831#
Site-382-831#sho run int tunnel101
Building configuration...

Current configuration : 277 bytes
!
interface Tunnel101
 description % connected to 2nd KC BGP 2821 - PRI-B
 ip address 1.3.82.46 255.255.255.252
 ip mtu 1500
 ip virtual-reassembly
 ip tcp adjust-mss 1360
 keepalive 3 3
 tunnel source Ethernet1
 tunnel destination 208.YY.ZZ.11
end
Site-382-831#
Site-382-831#show crypto isakmp sa
dst             src             state          conn-id slot status
208.XX.YY.11    74.WW.XX.35     QM_IDLE             11    0 ACTIVE
208.YY.ZZ.11    74.WW.XX.35     QM_IDLE             10    0 ACTIVE
Site-382-831#
Site-382-831#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.
11    74.WW.XX.35     208.XX.YY.11           ACTIVE 3des sha  psk  1  23:56:09
       Connection-id:Engine-id =  11:2(hardware)
10    74.WW.XX.35     208.YY.ZZ.11           ACTIVE 3des sha  psk  1  23:56:09
       Connection-id:Engine-id =  10:2(hardware)
Site-382-831#
Site-382-831#show crypto ipsec sa

interface: Ethernet1
    Crypto map tag: IPVPN_MAP, local addr 74.WW.XX.35

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (74.WW.XX.35/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (208.YY.ZZ.11/255.255.255.255/47/0)
   current_peer 208.YY.ZZ.11 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2333, #pkts encrypt: 2333, #pkts digest: 2333
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 21, #recv errors 0

     local crypto endpt.: 74.WW.XX.35, remote crypto endpt.: 208.YY.ZZ.11
     path mtu 1500, ip mtu 1500, ip mtu idb Ethernet1
     current outbound spi: 0x45047D1D(1157922077)

     inbound esp sas:
      spi: 0x15B97AEA(364477162)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: C83X_MBRD:4, crypto map: IPVPN_MAP
        sa timing: remaining key lifetime (k/sec): (4486831/1056)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x45047D1D(1157922077)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: C83X_MBRD:3, crypto map: IPVPN_MAP
        sa timing: remaining key lifetime (k/sec): (4486744/1056)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (74.WW.XX.35/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (208.XX.YY.11/255.255.255.255/47/0)
   current_peer 208.XX.YY.11 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2333, #pkts encrypt: 2333, #pkts digest: 2333
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 21, #recv errors 0

     local crypto endpt.: 74.WW.XX.35, remote crypto endpt.: 208.XX.YY.11
     path mtu 1500, ip mtu 1500, ip mtu idb Ethernet1
     current outbound spi: 0xE82A86BC(3895101116)

     inbound esp sas:
      spi: 0x539697CA(1402378186)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2008, flow_id: C83X_MBRD:8, crypto map: IPVPN_MAP
        sa timing: remaining key lifetime (k/sec): (4432595/1039)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE82A86BC(3895101116)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: C83X_MBRD:1, crypto map: IPVPN_MAP
        sa timing: remaining key lifetime (k/sec): (4432508/1039)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
Site-382-831#
Site-382-831#show crypto ipsec sa | inc pkts|life
    #pkts encaps: 2397, #pkts encrypt: 2397, #pkts digest: 2397
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
        sa timing: remaining key lifetime (k/sec): (4486831/862)
        sa timing: remaining key lifetime (k/sec): (4486738/862)
    #pkts encaps: 2397, #pkts encrypt: 2397, #pkts digest: 2397
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
        sa timing: remaining key lifetime (k/sec): (4432595/846)
        sa timing: remaining key lifetime (k/sec): (4432501/846)
Site-382-831#
Site-382-831#show crypto isakmp policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Site-382-831#
Site-382-831#show crypto map
Crypto Map "IPVPN_MAP" 101 ipsec-isakmp
        Description: to 2nd KC BGP 2821 - PRI-B
        Peer = 208.YY.ZZ.11
        Extended IP access list PRI-B
            access-list PRI-B permit gre host 74.WW.XX.35 host 208.YY.ZZ.11
        Current peer: 208.YY.ZZ.11
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                IPVPN,
        }
Crypto Map "IPVPN_MAP" 201 ipsec-isakmp
        Description: to 2nd Dallas BGP 2821 - SEC-B
        Peer = 208.XX.YY.11
        Extended IP access list SEC-B
            access-list SEC-B permit gre host 74.WW.XX.35 host 208.XX.YY.11
        Current peer: 208.XX.YY.11
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                IPVPN,
        }
        Interfaces using crypto map IPVPN_MAP:
                Ethernet1
Site-382-831#
The tunnel configuration between KC & the remote site is:
Remote c831 -> KC
crypto isakmp policy 10
 encr 3des
 authentication pre-share
!
crypto isakmp key PRI-B-382 address 208.YY.ZZ.11
!
crypto ipsec transform-set IPVPN esp-3des esp-sha-hmac
 mode transport
!
crypto map IPVPN_MAP 101 ipsec-isakmp
 description to 2nd KC BGP 2821 - PRI-B
 set peer 208.YY.ZZ.11
 set transform-set IPVPN
 match address PRI-B
!
interface Tunnel101
 description % connected to 2nd KC BGP 2821 - PRI-B
 ip address 1.3.82.46 255.255.255.252
 ip mtu 1500
 keepalive 3 3
 ip virtual-reassembly
 ip tcp adjust-mss 1360
 tunnel source Ethernet1
 tunnel destination 208.YY.ZZ.11
!
interface Ethernet0
 description private network
 ip address 10.3.82.10 255.255.255.0
 ip mtu 1500
 no shutdown
!
interface Ethernet1
 ip address 74.WW.XX.35 255.255.255.248
 ip mtu 1500
 duplex auto
 ip virtual-reassembly
 crypto map IPVPN_MAP
 no shutdown
!
ip access-list extended PRI-B
 permit gre host 74.WW.XX.35 host 208.YY.ZZ.11
!
KC-2821:
crypto isakmp key PRI-B-382 address 74.WW.XX.35
!
ip access-list extended PRI-B-382
 permit gre host 208.YY.ZZ.11 host 74.WW.XX.35
!
crypto map IPVPN_MAP 382 ipsec-isakmp
 description % connected to 2nd KC BGP 2821
 set peer 74.WW.XX.35
 set transform-set IPVPN
 match address PRI-B-382
!
interface Tunnel382
 description %
 ip address 1.3.82.45 255.255.255.252
 keepalive 3 3
 ip virtual-reassembly
 ip tcp adjust-mss 1360
 ip mtu 1400
 delay 40000
 tunnel source 208.YY.ZZ.11
 tunnel destination 74.WW.XX.35
!
end
Any help would be much appreciated!
Mark
Hello
In the logs on Site-382-831 I only see encrypts but no decrypts. Could you check the corresponding entry on the peer and see if it has any problem sending the return traffic?
Site-382-831#show crypto ipsec sa | inc pkts|life
    #pkts encaps: 2397, #pkts encrypt: 2397, #pkts digest: 2397
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
        sa timing: remaining key lifetime (k/sec): (4486831/862)
        sa timing: remaining key lifetime (k/sec): (4486738/862)
    #pkts encaps: 2397, #pkts encrypt: 2397, #pkts digest: 2397
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
        sa timing: remaining key lifetime (k/sec): (4432595/846)
        sa timing: remaining key lifetime (k/sec): (4432501/846)
Site-382-831#
Kind regards
Averroès.
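The diagnosis in the answer above (encaps counting up, decaps stuck at zero) can be pulled out of `show crypto ipsec sa` automatically, which matters when you have 400+ spokes to check. The following Python is an added example, not part of the thread or of any Cisco tool: it parses one peer block per `current_peer` line, keeps the encaps/decaps and error counters, classifies each peer as one-way, idle or ok, and compares two snapshots so you can tell a stale SA from a live one that only sends. The sample text is constructed from the counters the poster pasted; the regexes and thresholds are my own.

```python
import re

# Constructed sample: the two peer blocks from the poster's first snapshot,
# trimmed to the counter lines this parser cares about.
SAMPLE = """\
Site-382-831#show crypto ipsec sa

interface: Ethernet1
    Crypto map tag: IPVPN_MAP, local addr 74.WW.XX.35

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (74.WW.XX.35/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (208.YY.ZZ.11/255.255.255.255/47/0)
   current_peer 208.YY.ZZ.11 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2333, #pkts encrypt: 2333, #pkts digest: 2333
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 21, #recv errors 0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (74.WW.XX.35/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (208.XX.YY.11/255.255.255.255/47/0)
   current_peer 208.XX.YY.11 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2333, #pkts encrypt: 2333, #pkts digest: 2333
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 21, #recv errors 0
"""
# The poster's second snapshot had the same shape with encaps at 2397.
SAMPLE_LATER = SAMPLE.replace("2333", "2397")

PEER_RE = re.compile(r"^\s*current_peer (\S+) port (\d+)")
# '#pkts encaps: N' carries a colon, '#send errors N' does not; accept both.
COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors):? (\d+)")


def parse_ipsec_sa(text):
    """Return one dict per peer block with the counters that matter for this symptom."""
    blocks, cur = [], None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            cur = {"peer": m.group(1), "encaps": 0, "decaps": 0,
                   "send_errors": 0, "recv_errors": 0}
            blocks.append(cur)
            continue
        if cur is None:
            continue
        for name, value in COUNTER_RE.findall(line):
            cur[name.replace("pkts ", "").replace(" ", "_")] = int(value)
    return blocks


def diagnose(blocks, min_encaps=100):
    """Classify each peer: 'one-way' (we encrypt, nothing ever comes back),
    'idle' (no traffic either way) or 'ok'."""
    verdict = {}
    for b in blocks:
        if b["encaps"] >= min_encaps and b["decaps"] == 0:
            verdict[b["peer"]] = "one-way"
        elif b["encaps"] == 0 and b["decaps"] == 0:
            verdict[b["peer"]] = "idle"
        else:
            verdict[b["peer"]] = "ok"
    return verdict


def counter_growth(before_text, after_text):
    """Per-peer (encaps delta, decaps delta) between two snapshots: growing encaps
    with a flat zero decaps confirms the SA is live but the return path is broken."""
    before = {b["peer"]: b for b in parse_ipsec_sa(before_text)}
    after = {b["peer"]: b for b in parse_ipsec_sa(after_text)}
    return {p: (after[p]["encaps"] - before[p]["encaps"],
                after[p]["decaps"] - before[p]["decaps"])
            for p in before if p in after}


if __name__ == "__main__":
    for b in parse_ipsec_sa(SAMPLE):
        print(b)
    print(diagnose(parse_ipsec_sa(SAMPLE)))
    print(counter_growth(SAMPLE, SAMPLE_LATER))
```

On the poster's output both peers come back `one-way` with `#send errors 21`, and the second snapshot shows encaps up by 64 while decaps stays at 0, which is exactly why the answer sends the poster to the peer side: the local router has nothing left to show.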
-
Significant performance drop on a GRE tunnel after enabling crypto protection
Hi all
I have two ISR G1s (1811 and 1812) with a GRE tunnel between them.
Without any crypto protection I get about 3.6 MB/s on regular Windows SMB transfers. After enabling crypto protection on the tunnel I now get only 2.7 MB/s on the same transfers.
Any idea as to why this is?
My findings:
According to this http://www.cisco.com/web/partners/downloads/765/tools/quickreference/vpn... the AES crypto throughput of the 1800s is 40 MB/s.
The increased overhead of crypto protection shouldn't be the problem: I tried testing transfers over the tunnel without protection and with 'ip tcp adjust-mss 800' on the tunnel. There was only a small performance drop, not as much as with crypto.
I tried several crypto transform sets; they all give the same performance as long as they are done in hardware.
Is ISAKMP always done in software? I can't get it to show that it is done in hardware, regardless of the ISAKMP policy.
The IP MTU on both tunnel interfaces is 1434 with crypto protection.
My config:
crypto isakmp policy 10
 encr aes 256
 hash sha512
 authentication pre-share
 group 20
crypto isakmp key * address *
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile VPN
 set transform-set ESP-AES256-SHA
!
interface Tunnel10
 ip address 10.251.251.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 load-interval 30
 tunnel source FastEthernet0
 tunnel destination *
 tunnel path-mtu-discovery
 tunnel protection ipsec profile VPN
!
Output:
ISR1811#sh crypto ipsec sa

interface: Tunnel10
    Crypto map tag: Tunnel10-head-0, local addr *

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (*/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (*/255.255.255.255/47/0)
   current_peer * port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 683060, #pkts encrypt: 683060, #pkts digest: 683060
    #pkts decaps: 1227247, #pkts decrypt: 1227247, #pkts verify: 1227247
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: *, remote crypto endpt.: ***
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 0x8D9A911E(2375717150)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xD6F42959(3606325593)
        transform: esp-aes 256 esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 45, flow_id: Onboard VPN:45, sibling_flags 80000006, crypto map: Tunnel10-head-0
        sa timing: remaining key lifetime (k/sec): (4563208/1061)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8D9A911E(2375717150)
        transform: esp-aes 256 esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 46, flow_id: Onboard VPN:46, sibling_flags 80000006, crypto map: Tunnel10-head-0
        sa timing: remaining key lifetime (k/sec): (4563239/1061)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

ISR1811#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

2015  *               *                      ACTIVE aes  sha5   psk  20 12:42:50
       Engine-id:Conn-id =  SW:15

2016  *               *                      ACTIVE aes  sha5   psk  20 12:42:58
       Engine-id:Conn-id =  SW:16

IPv6 Crypto ISAKMP SA

CPU usage during the transfer with crypto:
ISR1811#sh proc cpu history

ISR1811   09:19:54 Tuesday Sep 2 2014 CET
544444555555555544444444445555544444555556666644444555555555
355555000001111133333888884444444444333333333377777666662222
100
 90
 80
 70
 60 ***** *****
 50 **************** ********** ************************
 40 ************************************************************
 30 ************************************************************
 20 ************************************************************
 10 ************************************************************
   0....5....1....1....2....2....3....3....4....4....5....5....6
             0    5    0    5    0    5    0    5    0    5    0
               CPU% per second (last 60 seconds)

ISR1812#sh proc cpu history

ISR1812   09:19:24 Tuesday Sep 2 2014 CET
666666666666666666666666666666666666666666655555444445555544
777888883333344444555555555566666777770000055555777776666666
100
 90
 80
 70 ******** ********************
 60 ************************************************ *****
 50 ************************************************************
 40 ************************************************************
 30 ************************************************************
 20 ************************************************************
 10 ************************************************************
   0....5....1....1....2....2....3....3....4....4....5....5....6
             0    5    0    5    0    5    0    5    0    5    0
               CPU% per second (last 60 seconds)
I think this performance is what you should get with the legacy ISR G1 18xx. But the performance degradation may really be a little too high.
For ISAKMP, there is no problem with that. The amount of protected data is too small to have any influence.
As a first test, I would remove the GRE encapsulation by setting "tunnel mode ipsec ipv4" on the tunnel interface and compare whether the results improve.
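Two threads on this page turn on tunnel MTU: the multicast question was told to enable PMTUD, and the poster above reports an automatic tunnel MTU of 1434 with AES/SHA in transport mode. The following Python is an added example, not code from either thread or from Cisco: it adds up the GRE and ESP overhead for a given physical MTU, cipher, integrity algorithm, tunnel/transport mode and GRE key, and derives the largest inner packet and the matching `ip tcp adjust-mss` value. Header sizes are the protocol constants; treating padding as worst case (up to one cipher block) is my assumption, stated in the code. With the poster's parameters (1500-byte link, AES, SHA-1 HMAC, transport mode, no tunnel key) the function returns exactly 1434; the `check_tunnel_settings` helper and its messages are my own.

```python
# Protocol constants in bytes. IPv4 without options; GRE per RFC 2784/2890; ESP per RFC 4303.
IP_HDR = 20
GRE_BASE = 4        # flags/version + protocol type
GRE_KEY = 4         # present when 'tunnel key' is configured (DMVPN normally uses one)
GRE_SEQ = 4         # present only with 'tunnel sequence-datagrams'
ESP_HDR = 8         # SPI + sequence number
ESP_TRAILER = 2     # pad length + next header, inside the encrypted part
IV_SIZE = {"3des": 8, "aes": 16}
BLOCK_SIZE = {"3des": 8, "aes": 16}
ICV_SIZE = {"sha": 12, "sha256": 16, "sha512": 32}   # esp-sha-hmac, esp-sha256-hmac, esp-sha512-hmac


def max_inner_packet(phys_mtu, cipher, integ, mode="transport", key=False, seq=False):
    """Largest inner IP packet that still fits phys_mtu after GRE + ESP encapsulation.

    Assumption (worst case): the cipher pads the encrypted part up to a whole block,
    so the result is safe for any payload size. The outer IP header carries ESP; in
    tunnel mode the GRE delivery header is encrypted too and a second outer IP
    header is added in front.
    """
    outside_crypto = IP_HDR + ESP_HDR + IV_SIZE[cipher] + ICV_SIZE[integ]
    # Bytes left for the encrypted part, rounded down to a whole cipher block.
    encrypted = (phys_mtu - outside_crypto) // BLOCK_SIZE[cipher] * BLOCK_SIZE[cipher]
    gre_hdr = GRE_BASE + (GRE_KEY if key else 0) + (GRE_SEQ if seq else 0)
    inside = gre_hdr + ESP_TRAILER + (IP_HDR if mode == "tunnel" else 0)
    return encrypted - inside


def mss_for_ip_mtu(ip_mtu):
    """TCP MSS that keeps an inner TCP segment within the tunnel's ip mtu (IP + TCP = 40 bytes)."""
    return ip_mtu - IP_HDR - 20


def check_tunnel_settings(ip_mtu, adjust_mss, phys_mtu, cipher, integ, **encap):
    """Flag an 'ip mtu' the physical link cannot carry unfragmented, or an MSS too big for the ip mtu."""
    problems = []
    limit = max_inner_packet(phys_mtu, cipher, integ, **encap)
    if ip_mtu > limit:
        problems.append(f"ip mtu {ip_mtu} exceeds {limit}: encrypted GRE packets will be fragmented")
    if adjust_mss > mss_for_ip_mtu(ip_mtu):
        problems.append(f"adjust-mss {adjust_mss} > {mss_for_ip_mtu(ip_mtu)}: TCP segments exceed ip mtu")
    return problems


if __name__ == "__main__":
    # AES-256 / SHA-1, transport mode, no tunnel key: the setup in the question above.
    print(max_inner_packet(1500, "aes", "sha"))                             # 1434
    # DMVPN spoke with 'tunnel key', 3DES / SHA-1, transport mode then tunnel mode.
    print(max_inner_packet(1500, "3des", "sha", key=True))                  # 1438
    print(max_inner_packet(1500, "3des", "sha", mode="tunnel", key=True))   # 1418
    # A tunnel left at ip mtu 1500 over a 1500-byte link, 3DES/SHA-1 in tunnel mode.
    print(check_tunnel_settings(1500, 1360, 1500, "3des", "sha", mode="tunnel"))
```

The last call reproduces the situation of the earlier 831/2821 thread, whose spoke keeps `ip mtu 1500` on Tunnel101 while its SAs show `{Tunnel, }` mode: every full-size packet must be fragmented after encryption, which is a throughput and CPU cost even when the tunnel itself is healthy. The round numbers used on this page (`ip mtu 1400` with `ip tcp adjust-mss 1360`) sit under every limit the function computes, which is why they are the usual conservative choice.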
-
GRE tunnel goes down?
So here's my setup:
Internal router (2821) > internal DMZ ASA cluster > DMZ router (2821) > external DMZ Checkpoint cluster > branch office router (877)
The internal ASA cluster has PAT configured for all the internal production VLANs.
The DMZ router has an inside interface configured on the internal DMZ and an outside interface configured on the external DMZ. The DMZ router also has two loopback interfaces configured.
The external Checkpoint is configured with NAT for the inbound and outbound traffic.
The branch is a DSL router with a static IP address.
The first requirement is to configure a GRE IPsec tunnel between the DMZ router and the branch office router.
The second requirement is to configure a GRE IPsec tunnel between the internal router and the DMZ router.
The third requirement is to allow routing between the internal router and the branch through the DMZ router, because this is ultimately the live backup connection between head office and the branch.
I configured a GRE IPsec tunnel between the DMZ router and the branch office router successfully.
I can also set up a GRE tunnel (without IPsec) between the internal router and the DMZ router.
However, whenever the GRE tunnel between the internal and DMZ routers establishes and an EIGRP neighbour forms, the EIGRP neighbourship between the DMZ router and the branch drops! See the following DMZ router log:
Tunnel1 = to branch
Tunnel100 = internal
002885: .Mar  3 22:32:57.013: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
002886: .Mar  3 22:33:06.029: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.17.205.61 (Tunnel1) is up: new adjacency
002889: .Mar  3 22:33:58.434: %LINK-3-UPDOWN: Interface Tunnel100, changed state to up
002890: .Mar  3 22:33:58.438: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel100, changed state to up
002891: .Mar  3 22:34:15.370: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.5.66 (Tunnel100) is up: new adjacency
002892: .Mar  3 22:34:30.551: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 172.17.205.61 (Tunnel1) is down: holding time expired
002893: .Mar  3 22:34:47.015: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
The IPsec tunnel to the branch stays up throughout.
Can anyone help!?
The problem was that whenever the GRE tunnel between the internal and DMZ routers established and an EIGRP neighbour formed, the branch was learning the next hop to the tunnel destination from a different device.
This is how the branch was learning the route to the tunnel destination:
interface Tunnel1
 description Tandragee Sub Station router VPN Tunnel
 bandwidth 64
 ip address 172.17.205.62 255.255.255.252
 no ip route-cache cef
 delay 20000
 keepalive 10 3
 tunnel source Loopback1
 tunnel destination 172.17.255.23
be-idz-vpn-01#sh ip route 172.17.255.23
Routing entry for 172.17.255.23/32
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 172.17.252.129
      Route metric is 0, traffic share count is 1
be-idz-vpn-01#sh ip route 172.17.252.129
Routing entry for 172.17.252.128/25
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via GigabitEthernet0/1
      Route metric is 0, traffic share count is 1
be-idz-vpn-01#
This is how the next hop was learned once the GRE tunnel between the internal and DMZ routers came up:
be-idz-vpn-01#sh ip route 172.17.252.129
Routing entry for 172.17.252.128/27
  Known via "eigrp 1", distance 170, metric 40258816, type external
  Redistributing via eigrp 1
  Last update from 192.168.5.66 on Tunnel100, 00:07:25 ago
  Routing Descriptor Blocks:
  * 192.168.5.66, from 192.168.5.66, 00:07:25 ago, via Tunnel100
      Route metric is 40258816, traffic share count is 1
      Total delay is 10110 microseconds, minimum bandwidth is 64 Kbit
      Reliability 255/255, minimum MTU 1476 bytes
      Loading 1/255, Hops 2
We can see how the next hop to the tunnel destination 172.17.255.23 changed from known via "connected" through GigabitEthernet0/1 to known via "eigrp 1" through Tunnel100.
This causes Tunnel1 to drop.
The reason for this behaviour was that the route to reach the next hop was learned with a longer match through the tunnel interface, so it won the race into the routing table.
The solution we applied:
Created a distribute-list on the branch office router to remove this specific route from the Tunnel100 updates.
router eigrp 1
 distribute-list 1
 network 10.10.10.0 0.0.0.3
 network 172.17.203.56 0.0.0.3
 network 172.17.203.60 0.0.0.3
 network 172.17.205.60 0.0.0.3
 network 172.19.98.18 0.0.0.0
 network 192.168.5.64 0.0.0.3
 passive-interface Loopback1
be-idz-vpn-01#sh access-list 1
Standard IP access list 1
    10 deny   172.17.252.128, wildcard bits 0.0.0.127 (1 match)
    20 permit any (1230 matches)
be-idz-vpn-01#
Once this was applied, we could have the GRE tunnel established between the internal and DMZ routers together with the GRE tunnel between the branch and the DMZ router.
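The race the author describes (a /27 learned through Tunnel100 beating the connected /25 and dragging Tunnel1's destination into another tunnel) can be reproduced with a few lines of longest-prefix-match logic, which is also a useful pre-change check: before you bring up a new tunnel, resolve every existing tunnel destination against the routing table you expect afterwards. The following Python is an added example, not the author's method or IOS code. The routes and addresses are the ones from the thread; the lookup, the recursive resolution and the model of what the standard-ACL distribute-list drops are my own.

```python
import ipaddress

# Routing table entries: (prefix, next_hop, outgoing interface, source).
# A static route with only a next-hop IP has interface None and must be resolved recursively.
BEFORE = [
    ("172.17.255.23/32", "172.17.252.129", None, "static"),
    ("172.17.252.128/25", None, "GigabitEthernet0/1", "connected"),
]
# What EIGRP injected once Tunnel100 came up: a longer prefix covering the next hop.
EIGRP_ROUTE = ("172.17.252.128/27", "192.168.5.66", "Tunnel100", "eigrp 1")
AFTER = BEFORE + [EIGRP_ROUTE]

TUNNEL1_DEST = "172.17.255.23"


def lookup(rib, dest):
    """Longest-prefix match; returns the (network, next_hop, iface, source) row or None."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, nh, iface, src in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface, src)
    return best


def resolve_interface(rib, dest, max_depth=8):
    """Follow next-hop-only routes until an outgoing interface is found (None if unresolvable)."""
    for _ in range(max_depth):
        hit = lookup(rib, dest)
        if hit is None:
            return None
        _, nh, iface, _ = hit
        if iface is not None:
            return iface
        dest = nh
    return None   # recursion too deep, treat as unresolvable


def tunnel_dest_via_tunnel(rib, tunnel_dest):
    """Return the tunnel interface name if the tunnel destination is reached through any
    tunnel (itself, which is classic recursive routing, or another one as in this thread),
    else None."""
    iface = resolve_interface(rib, tunnel_dest)
    return iface if iface and iface.startswith("Tunnel") else None


def apply_distribute_list(rib, denied_prefix, protocol="eigrp 1"):
    """Model of 'distribute-list <std-acl>' under router eigrp: a standard ACL is matched
    against the network address of each route learned by that protocol; routes whose
    network address falls in the denied range are dropped, everything else is kept."""
    denied = ipaddress.ip_network(denied_prefix)
    return [r for r in rib
            if not (r[3] == protocol and ipaddress.ip_network(r[0]).network_address in denied)]


if __name__ == "__main__":
    print("before:", resolve_interface(BEFORE, TUNNEL1_DEST))            # GigabitEthernet0/1
    print("after: ", resolve_interface(AFTER, TUNNEL1_DEST))             # Tunnel100
    print("flag:  ", tunnel_dest_via_tunnel(AFTER, TUNNEL1_DEST))
    fixed = apply_distribute_list(AFTER, "172.17.252.128/25")             # ACL 1 line 10
    print("fixed: ", resolve_interface(fixed, TUNNEL1_DEST))             # GigabitEthernet0/1
```

The ACL in the thread denies `172.17.252.128` with wildcard `0.0.0.127`, i.e. the /25; the function applies that to the EIGRP-learned /27 only, so the connected /25 stays and the destination resolves back to GigabitEthernet0/1. Running `tunnel_dest_via_tunnel` over every tunnel's destination after each routing change is the general form of the check.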
-
Traffic fails on a plain IPSec tunnel between two 892s
I have a weird case and am looking for some suggestions/thoughts on where to dig, because I have exhausted the options.
Note: I replaced the real network IDs with the ones mentioned below.
Topology: a classic IPSec VPN tunnel between two Cisco 892s, with pre-shared key and no GRE. One 892 (Branch_892) has access to the Internet using PPPoE and has three networks / VLANs behind it. One VLAN is NATted to the PPPoE internet access. Access to the other two VLANs, VL92 (100.100.200.0/24) and VL93 (100.100.100.0/24), is via the VPN tunnel.
The second 892 (892_DC) has just one interface, the WAN on Gigabit, enabled/connected, and a static route to the default GW. It doesn't have any internal network defined. So the router is strictly used to send traffic for VL92/VL93 to the home 892 via the IPSec tunnel.
Here's the problem: access to VL93 (100.100.100.0/24) works, however for VL92 (100.100.100.0/24) it does not work.
From devices in VL92 I can ping the IP address of 892_DC through the VPN tunnel. From the 892_DC router I can ping devices in VL92. However, from VL92 I can't ping any device beyond the 892_DC, and at the same time the packets arriving on 892_DC for VL92 are not sent through the VPN tunnel.
I took a packet trace on 892_DC using a capture point/buffer to capture the VL92 packets and saw the traffic arriving at the 892_DC. I ran the same capture on Branch_892, and there was not a single packet.
So... what's the problem? More interesting, I modified the VL92 entry in the access list and still no packets are sent through the tunnel.
Any idea? The configs of the two routers are below.
-------
892_DC#show run
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key * address 1.2.3.4
crypto isakmp keepalive 10 periodic
!
crypto isakmp peer address 1.2.3.4
 description of-COIL-892
!
!
crypto ipsec transform-set IT-IPSec-Transform-Set esp-aes 256 esp-sha256-hmac
crypto ipsec df-bit clear
!
crypto map IT-IPSec-Crypto-map 10 ipsec-isakmp
 set peer 1.2.3.4
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 86400
 set transform-set IT-IPSec-Transform-Set
 match address 101
 reverse-route
 qos pre-classify
!
interface GigabitEthernet0
 ip address 10.20.30.40 255.255.255.240
 ip mtu 1400
 ip tcp adjust-mss 1360
 duplex auto
 speed auto
 crypto map IT-IPSec-Crypto-map
!
ip route 0.0.0.0 0.0.0.0 10.20.30.41
!
access-list 101 permit ip any 100.100.100.0 0.0.0.255 log
access-list 101 permit ip any 100.100.200.0 0.0.0.255 log
-------------------------------------------------------------------------------------
Branch_892#sh run
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key * address 10.20.30.40
crypto isakmp keepalive 10 periodic
!
crypto isakmp peer address 10.20.30.40
!
!
crypto ipsec transform-set IT-IPSec-Transform-Set esp-aes 256 esp-sha256-hmac
crypto ipsec df-bit clear
!
crypto map IT-IPSec-Crypto-map 10 ipsec-isakmp
 set peer 10.20.30.40
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 86400
 set transform-set IT-IPSec-Transform-Set
 match address 101
 reverse-route
 qos pre-classify
!
interface FastEthernet6
 description VL92
 switchport access vlan 92
!
interface FastEthernet7
 description VL93
 switchport access vlan 93
!
interface GigabitEthernet0
 description # to WAN #
 no ip address
 duplex auto
 speed auto
 pppoe-client dial-pool-number 1
!
interface Vlan1
 description # local #
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan92
 description fa6-nexus e100/0/40
 ip address 100.100.200.1 255.255.255.0
!
interface Vlan93
 description fa7-nexus e100/0/38
 ip address 100.100.100.1 255.255.255.0
!
interface Dialer0
 no ip address
 no cdp enable
!
interface Dialer1
 ip address 1.2.3.4 255.255.255.248
 ip mtu 1454
 ip nat outside
 ip virtual-reassembly in max-reassemblies 256
 encapsulation ppp
 ip tcp adjust-mss 1414
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname ~~~
 ppp chap password =.
 no cdp enable
 crypto map IT-IPSec-Crypto-map
!
dialer-list 1 protocol ip permit
!
access-list 101 permit ip 100.100.100.0 0.0.0.255 any
access-list 101 permit ip 100.100.200.0 0.0.0.255 any
!
ip route 0.0.0.0 0.0.0.0 Dialer1
Yes, that sounds correct - so another possible problem is routing: is the routing 100% correct on both sides? Can you post the config of both sides for review?
-
Backup of a GRE Tunnel using a secondary IP address
Is it possible to configure a backup GRE Tunnel using a secondary IP address on the WAN interface? The router is a Cisco 871. Any help would be greatly appreciated.
Thank you.
Nicholas
I'm not sure it would work to use a secondary address on the WAN interface for a GRE tunnel. Maybe if you tell us more about what you're trying to do we might be able to help find alternatives that would work.
Two tunnels from the same interface (even if you could use a secondary address) to the same remote router would not provide a backup, if they work at all. Two tunnels from the same router interface (both using the primary address) work fairly well if they go to different remote routers, and that is a common way to provide backup for GRE tunnels.
HTH
Rick
-
VPN3000 as an end of GRE tunnel
Dear all,
Is it possible for a VPN3000 to terminate a GRE tunnel on its own interface (private or public)? As far as I can see in the GUI, it looks like there is no option to configure an end of a GRE tunnel. You can configure a GRE filter, but that is for GRE traffic passing through, am I right?
Best regards
Engel
Engel,
You cannot terminate a GRE lan-to-lan tunnel on a concentrator (as you can in IOS). The PPTP protocol uses GRE as its transport protocol, which the VPN3K concentrator does support (hence the filters and debugs for GRE).
Hope that answers your question
Jean Marc
-
Questions about Internet browsing over a GRE tunnel with IPSec
I am facing Internet browsing problems with the customer's internet traffic. mail.yahoo.com does not open on the client, while yahoo.com works very well. Likewise, streaming and Apple apps do not work on the iPhone, but traffic destined for the data center works very well. If I remove the IPSec protection from the GRE tunnel then everything works fine.
Please guide what to do, I have attached a diagram of scenario
Hello
It is difficult to say, but an MTU issue could be the reason for the problem.
Do you have the ip tcp adjust-mss command on both tunnel interfaces?
If not, please try adding:
interface Tunnel X
 ip tcp adjust-mss 1300
If it helps, you can try to increase the MSS value from 1300 to 1360 (which is the value recommended by Cisco).
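As an added example that is not part of the original reply, the Python below computes the on-wire size of a full-MSS TCP segment once it is GRE-encapsulated and then ESP-encrypted in tunnel mode, and derives the largest MSS that still fits the physical MTU. The 1500-byte physical MTU and the cipher/ICV lengths for the transform-sets seen in these threads are assumptions stated in the comments.

```python
import math

# Fixed header sizes (IPv4, TCP, GRE base header, optional GRE key,
# ESP SPI+sequence, ESP pad-length+next-header trailer).
IP_HDR = 20
TCP_HDR = 20
GRE_HDR = 4
GRE_KEY = 4
ESP_HDR = 8
ESP_TRAILER = 2

# (cipher block size, IV length, ICV length), assumed for the transform-sets
# posted in these threads: esp-aes 256 esp-sha256-hmac and esp-3des esp-sha-hmac.
AES_SHA256 = (16, 16, 16)
TRIPLE_DES_SHA1 = (8, 8, 12)


def wire_size(mss, transform, gre_key=False):
    """Bytes on the physical link for one full-MSS TCP segment, GRE over ESP tunnel mode."""
    block, iv_len, icv_len = transform
    inner = IP_HDR + TCP_HDR + mss                       # original IP packet
    gre = IP_HDR + GRE_HDR + (GRE_KEY if gre_key else 0) + inner   # GRE-encapsulated
    padded = math.ceil((gre + ESP_TRAILER) / block) * block        # ESP pads to the cipher block
    return IP_HDR + ESP_HDR + iv_len + padded + icv_len  # outer IP + ESP header + IV + ICV


def max_mss(phys_mtu, transform, gre_key=False):
    """Largest MSS whose encrypted GRE packet does not exceed phys_mtu (no fragmentation)."""
    block, iv_len, icv_len = transform
    fixed = IP_HDR + ESP_HDR + iv_len + icv_len
    padded_max = (phys_mtu - fixed) // block * block    # largest whole-block payload that fits
    return (padded_max - ESP_TRAILER - IP_HDR - GRE_HDR
            - (GRE_KEY if gre_key else 0) - IP_HDR - TCP_HDR)


def fits(mss, phys_mtu, transform, gre_key=False):
    """True when a segment of this MSS leaves the router without needing fragmentation."""
    return wire_size(mss, transform, gre_key) <= phys_mtu


if __name__ == "__main__":
    # 1500-byte physical MTU is an assumption; 1414 is the PPPoE-side MSS from another thread.
    for mss in (1300, 1360, 1414):
        state = "fits" if fits(mss, 1500, AES_SHA256) else "fragments"
        print(f"MSS {mss}: {wire_size(mss, AES_SHA256)} bytes on the wire, {state}")
    print("max MSS for AES/SHA-256 at MTU 1500:", max_mss(1500, AES_SHA256))
```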
-
I have a Cisco 2811 router configured with a GRE tunnel, and I want to add another tunnel to another remote site. This is the first tunnel's configuration:
interface Tunnel1
 ip address 10.1.1.1 255.255.255.252
 ip access-group 10 out
 ip nat inside
 ip virtual-reassembly
 keepalive 10 3
 tunnel source Vlan1
 tunnel destination xxx.xxx.xxx.xxx
 crypto map IPSEC_VPN
I have some doubts about which subnet to configure for the second tunnel.
In the existing tunnel, the IP address is 10.1.1.1 and the mask is 255.255.255.252, so the subnet is 10.1.1.0. I guess I have to configure another, different subnet (i.e. 10.1.2.0) for the second tunnel, but which IP address and mask, 10.1.2.1 255.255.255.0?
When a PC on the router's local network tries to connect to the remote router using the tunnel, which IP address does it use?
Thanks and greetings
You're wrong: your PCs need a default gateway route to the router. A default route is a route that defines that all unknown IP traffic must be forwarded to the next hop defined in the default route.
-
Hello
I have a test setup of 2 routers with a GRE tunnel which works very well in the test configuration. My question is, if I move this config to a live setup, how would I exempt the traffic over the GRE tunnel from being NATted? Everything else, the traffic destined for the internet, should be NATted to the external interface. Would I need a route-map for this?
Thank you
R1
--
interface Tunnel0
 ip address 192.168.200.2 255.255.255.0
 ip ospf network broadcast
 keepalive 10 3
 tunnel source FastEthernet0
 tunnel destination 1.1.1.1
 crypto map mymap
interface FastEthernet0
 description Outside Interface
 ip address 1.1.1.2 255.255.255.0
 speed auto
 crypto map mymap
R2
--
interface Tunnel1
 ip address 192.168.200.1 255.255.255.0
 ip ospf network broadcast
 keepalive 10 3
 tunnel source FastEthernet0
 tunnel destination 1.1.1.2
 crypto map mymap
interface FastEthernet0
 description Outside Interface
 ip address 1.1.1.1 255.255.255.0
 speed auto
 crypto map mymap
Yes you are right.
-
Configuring a site-to-site VPN connection via GRE Tunnels
I am trying to set up a site-to-site VPN over the internet using GRE tunnels. I am able to reach one WAN interface from the other, but I am not able to get ISAKMP and IPSec to work. Below is the configuration and a simplified flowchart. In the scenario below, I am also running BGP between these routers. The BGP neighborships are formed through the tunnels, but I want the traffic between the tunnels to be encrypted. IPsec and ISAKMP are not coming up, and the BGP routes and other traffic are not encrypted.
This is why I would like to know what the reason for this could be.
Router config VPN 1
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 500
crypto isakmp key test_key1 address 192.168.30.1
crypto isakmp key test_key1 address 192.168.30.2
crypto isakmp keepalive 60 20
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set high esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto map CRYP_MAP_IPSEC 10 ipsec-isakmp
 set peer 192.168.20.1
 set security-association lifetime seconds 4000
 set transform-set high
 set pfs group2
 match address 110
crypto map CRYP_MAP_IPSEC 20 ipsec-isakmp
 set peer 192.168.20.2
 set security-association lifetime seconds 4000
 set transform-set high
 set pfs group2
 match address 111
!
interface Loopback0
 description IPsec_Tunnel0
 ip address 192.168.30.1 255.255.255.255
!
interface Loopback1
 description IPsec_Tunnel1
 ip address 192.168.30.2 255.255.255.255
!
interface Loopback2
 description BGP_Peer1
 ip address 192.168.40.1 255.255.255.255
!
interface Loopback3
 description BGP_Peer2
 ip address 192.168.40.2 255.255.255.255
!
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source Loopback0
 tunnel destination 192.168.20.1
 crypto map CRYP_MAP_IPSEC
!
interface Tunnel1
 ip unnumbered Loopback1
 tunnel source Loopback1
 tunnel destination 192.168.20.2
 crypto map CRYP_MAP_IPSEC
!
interface gi0
 description #### CONNECTED TO Internet ####
 ip address 10.1.1.1 255.255.255.252
 ip access-group 100 in
 duplex auto
 speed auto
!
router bgp 64851
 bgp log-neighbor-changes
 neighbor BGP_PEER_1 peer-group
 neighbor BGP_PEER_1 remote-as 64859
 neighbor BGP_PEER_1 ebgp-multihop 255
 neighbor BGP_PEER_1 update-source Loopback2
 neighbor BGP_PEER_1 version 4
 neighbor BGP_PEER_1 next-hop-self
 neighbor BGP_PEER_2 peer-group
 neighbor BGP_PEER_2 remote-as 64859
 neighbor BGP_PEER_2 ebgp-multihop 255
 neighbor BGP_PEER_2 update-source Loopback3
 neighbor BGP_PEER_2 version 4
 neighbor BGP_PEER_2 next-hop-self
 neighbor 192.168.10.1 peer-group BGP_PEER_1
 neighbor 192.168.10.2 peer-group BGP_PEER_2
!
ip route 192.168.10.1 255.255.255.255 Tunnel0
ip route 192.168.10.2 255.255.255.255 Tunnel1
ip route 192.168.20.1 255.255.255.255 GigabitEthernet0
ip route 192.168.20.2 255.255.255.255 GigabitEthernet0
!
access-list 100 permit ip any any
access-list 110 permit gre host 192.168.30.1 host 192.168.20.1
access-list 110 permit gre host 192.168.20.1 host 192.168.30.1
access-list 111 permit gre host 192.168.30.2 host 192.168.20.2
access-list 111 permit gre host 192.168.20.2 host 192.168.30.2
======================================================================
Router config VPN 2
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 500
crypto isakmp key test_key1 address 192.168.30.1
crypto isakmp key test_key1 address 192.168.30.2
crypto isakmp keepalive 60 20
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set high esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto map CRYP_MAP_IPSEC 10 ipsec-isakmp
 set peer 192.168.30.1
 set security-association lifetime seconds 4000
 set transform-set high
 set pfs group2
 match address 110
crypto map CRYP_MAP_IPSEC 20 ipsec-isakmp
 set peer 192.168.30.2
 set security-association lifetime seconds 4000
 set transform-set high
 set pfs group2
 match address 111
!
interface Loopback0
 description IPsec_Tunnel0
 ip address 192.168.20.1 255.255.255.255
!
interface Loopback1
 description IPsec_Tunnel1
 ip address 192.168.20.2 255.255.255.255
!
interface Loopback2
 description BGP_Peer1
 ip address 192.168.10.1 255.255.255.255
!
interface Loopback3
 description BGP_Peer2
 ip address 192.168.10.2 255.255.255.255
!
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source Loopback0
 tunnel destination 192.168.30.1
 crypto map CRYP_MAP_IPSEC
!
interface Tunnel1
 ip unnumbered Loopback1
 tunnel source Loopback1
 tunnel destination 192.168.30.2
 crypto map CRYP_MAP_IPSEC
!
interface gi0
 description #### CONNECTED TO Internet ####
 ip address 10.1.1.2 255.255.255.252
 ip access-group 100 in
 duplex auto
 speed auto
!
router bgp 64859
 bgp log-neighbor-changes
 neighbor BGP_PEER_1 peer-group
 neighbor BGP_PEER_1 remote-as 64851
 neighbor BGP_PEER_1 ebgp-multihop 255
 neighbor BGP_PEER_1 update-source Loopback2
 neighbor BGP_PEER_1 version 4
 neighbor BGP_PEER_1 next-hop-self
 neighbor BGP_PEER_2 peer-group
 neighbor BGP_PEER_2 remote-as 64851
 neighbor BGP_PEER_2 ebgp-multihop 255
 neighbor BGP_PEER_2 update-source Loopback3
 neighbor BGP_PEER_2 version 4
 neighbor BGP_PEER_2 next-hop-self
 neighbor 192.168.40.1 peer-group BGP_PEER_1
 neighbor 192.168.40.2 peer-group BGP_PEER_2
!
ip route 192.168.40.1 255.255.255.255 Tunnel0
ip route 192.168.40.2 255.255.255.255 Tunnel1
ip route 192.168.30.1 255.255.255.255 gi0
ip route 192.168.30.2 255.255.255.255 gi0
!
access-list 100 permit ip any any
access-list 110 permit gre host 192.168.20.1 host 192.168.30.1
access-list 110 permit gre host 192.168.30.1 host 192.168.20.1
access-list 111 permit gre host 192.168.20.2 host 192.168.30.2
access-list 111 permit gre host 192.168.30.2 host 192.168.20.2
======================================================================
Your tunnel encryption configuration is incorrect... you need to do something like the following at both ends.
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 5
crypto isakmp key cisco address
crypto ipsec transform-set RIGHT esp-aes 256 esp-sha-hmac
crypto ipsec profile MYPROFILE
 set transform-set RIGHT
interface Tunnel10
 ip unnumbered GigabitEthernet0/0
 tunnel source GigabitEthernet0/0
 tunnel destination
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MYPROFILE
--
Please do not forget to select a correct answer and rate useful posts