An interface of multipoint GRE tunnel on two physical interfaces?

Hi all

I use DMVPN double single cloud VPN network of hubs.

Our shelves (C831 SRI) are connected to the dynamic DHCP ISP and dynamic PPPoE ISP.  I want to install a temporary kit that fits anywhere.  Here is the configuration of my my ISP PPPoE tunnel:

interface Tunnel0
bandwidth 1000
IP 172.23.2.254 255.255.252.0
no ip redirection
IP mtu 1436
property intellectual PNDH authentication xxxxxx
map of PNDH 172.16.0.1 IP 230.2.2.1

map of PNDH IP multicast 230.2.2.1
map of PNDH 172.16.0.2 IP 230.2.2.2
map of PNDH IP multicast 230.2.2.1
PNDH id network IP-900001
property intellectual PNDH holdtime 300
property intellectual PNDH nhs 172.16.0.1
property intellectual PNDH nhs 172.16.0.2
delay of 1000
source of Dialer1 tunnel
multipoint gre tunnel mode
tunnel key xxxxxx
Tunnel MyIPSecProf ipsec protection profile

For my ISP DHCP, I only change the Ethernet1 tunnel source.

Is it possible to configure tunnel interfaces different related 2 on 2 physical interfaces (like: 1 Ethernet1 and 1 in Dialer1).  The challenge is that I can not change the configuration of hubs at all.  So I can't put the ip address of the tunnel in 2 different subnet.  There is only 1 tunnel on the hub interface

Someone has an idea?

Thank you very much

Yes, I see it now. Unnumbered IP will provide the interface to the MTR and tunnel interface you have is point-to-multipoint. I'm afraid that there is no good solution to your needs.

Kind regards

Lei Tian

Tags: Cisco Security

Similar Questions

  • DMVPN GRE tunnel does not connect a failed encapsulate

    Hello

    I'm trying to set up the tunnel WILL map HWIC Verizon - 3 G-CDMA per Verizons document. Does anyone have a backup on EVDO working?

    PDF schema - attached

    Verizons - plug

    The relevant commands are below

    HUB END

    interface Tunnel0
    IP 192.168.255.89 255.255.255.0
    no ip redirection
    dynamic multicast of IP PNDH map
    PNDH id network IP-100
    tunnel source 152.176.219.158
    multipoint gre tunnel mode

    interface Serial1/0
    Verizon MPLS VPN T3 description
    IP 152.176.219.158 255.255.255.252
    penetration of the IP stream
    encapsulation ppp
    DSU bandwidth 44210

    SPOKE ABOUT END

    interface Tunnel0
    description on the Hub GRE tunnel
    IP 192.168.255.29 255.255.255.0
    no ip redirection
    property intellectual PNDH card 192.168.255.89 152.176.219.158
    map of PNDH IP multicast 152.176.219.158
    PNDH id network IP-100
    property intellectual PNDH nhs 152.176.219.158
    registration of the PNDH non-unique IP
    source of tunnel Cellular0/1/0
    multipoint gre tunnel mode

    the Cellular0/1/0 interface
    Description * VzW EVDO Interface *.
    the negotiated IP address
    encapsulation ppp
    Broadband Dialer
    Dialer idle-timeout 0
    EVDO Dialer string
    Dialer-Group 1
    interactive asynchronous mode
    PPP chap password 7 120F1F00

    IP route 152.176.219.158 255.255.255.255 Cellular0/1/0

    in the radius of the command... IP PNDH nhs 152.176.219.158 is bad, you need to use the IP tunnel... .IP PNDH nhs 192.168.255.89.

    Just in case, here is an example configuration.

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a008014bcd7.shtml

  • How a GRE tunnel is applied to a physical interface?

    Within the tunnel configuration, we use the controls, the source and destination for the tunnel, but the physical interface does he know how to use the tunnel? The source code of the tunnel parameters replace the physical interface? If we don't configure a tunnel with the right source this interface would then send all information encapsulated in the GRE?

    If we also configure IPSec on the interface, and specify a card encryption to encrypt only the corresponding traffic this corresponding traffic would not use the GREtunnel or information without worrying if it was encrypted IPSec is also be encapsulated in the GRE?

    Also, I read here: https://supportforums.cisco.com/docs/DOC-3067

    'Bind the card crypto to Physics (outside) interface if you are using the version of Cisco IOS 12.2.15 software or later. If not, then the card encryption should be applied to the tunnel as well as the physical interface interface. »

    Why was it necessary to apply the crypto map to both physical and tunnel interfaces, and why is it not necessary with versions of IOS?

    Thanks for any help!  -Mark

    Hi Mark,

    When you set the source of the tunnel in the tunnel interface, the router adds the IP address of the specific interface (loopback or physical) to the GRE packet generated by the tunnel interface.

    This is useful when you need to deliver a tunnel through the Internet WILL, but the tunnel interface has an IP of priivate, if you use the interface external (with a public IP address) as the source of the tunnel.

    When remote endpoint WILL receive the packet, search interface tunnel there as destination of the tunnel and decaps the packets, and then he gets the GRE packet and forwards it to the specific tunnel interface.

    Since 12.4 you simply apply the crypto map to the interface defined as the' tunnel', usually the one connected to the Internet, where all VPN tunnels are landed. The reason for this is the endpoint VPN termination being the physical and not the tunnel interface interface.

    The reason why you need to add the encryption card for both is not clear for me, since I did not support older versions of code.

    Do not forget that when configuring a GRE/IPsec tunnel in ACL Cryptography you set the source and tunnel destination IPs.

    Hoping to help.

    Portu.

    Please note all useful posts

    Post edited by: Javier Portuguez

  • IGP and GRE Tunnel

    Please see the photo above two connected sites using FA 0/1 R1 and R2 and a GRE Tunnel is formed.

    Case 1:

    We have a point-to-point connection between two routers and the IP address assigned to FA 0/1 on R1 and R2 belong to the same subnet. We then configure a GRE Tunnel on these as indicated in the topology:

    • Using such as eigrp and ospf IGP we can peer routers R1 and R2 using the tunnel and the point-to-point connections.
    • This will make the redundant paths between two routers
    • This will form the double equal relationship between the two routers (for example for EIGRP or OSPF).
    • Or we can tunnel just for the exchange of traffic between two routers.

    My Question:

    1. What is the standard in this topology using the two connection for iGP peering or just tunnel in the real world?
    2. What is the standard in this topology using the two connection for iGP peering or tunnel just in a review?

    Case 2:

    If Fa 0/1 on both routers is all public IPs and in fact do not belong to the same subnet. So I think that we have to create a Tunnel between the two routers and then use the tunnel both routers for iGP peer.

    My Question:

    • I just want to know there is a valid case and also do we get this case in a review?

    What comments can you do on both cases freely, I just create these two cases to clear my mind.

    Basically the tunnel's link to Point Virtual Point between two routers. When you have two router physically connected by Point to point the link for this tunnel has no utility, but if you have two routers separate my many network jumps then GRE and IPsec tunnel is useful, and in this case tunnel gives you the ease of the logical Point to Point network.

    In the tunnel you can run any routing protocol ospf, eigrp, BGP route smiler or Sttic as interface point-to-point between two routers.

    Answer to your question on my opinion are as below

    case 1

    1. What is the standard in this topology using the two connection for iGP peering or just tunnel in the real world? -No use of the tunnel in this case in the real world so he will use any routing protocol between physical point-to-point interface.
    2. What is the standard in this topology using the two connection for iGP peering or tunnel just in a review? -Same as above point Exam are mostly due to the scenario of the real world (not sure what you're talking about what exam).

    Case 2

    • I just want to know there is a valid case and also do we get this case in a review? -Yes, this is valid in the real world, but also optical examination specially DMVPN and Ipsec tunnel in the CCIE exam.

    Please always evaluate the useful post!

    Kind regards

    Pawan (CCIE # 52104)

  • Multicast over GRE tunnel traffic

    Hi guys,.

    I have a connection via ISP connection point to point BGP on a connection of 100 Mbps between the branch and the central office.

    I set up in two cisco routers with ios security advance 2801 a tunnel WILL running the ospf Protocol so I can share the multicast traffic for streaming between the two sites, but I am only able to get 6 Mbps out of the tunnel between the sites. I have configured multicast PIM sparc-mode to transport video traffic above the tunnel.

    Is there a limit on the GRE tunnel, could it be MTU, or perhaps other issues anyone can help me solve this question guys?

    Hello

    There is a lot of discussion about the limitations of bandwidth on the tunnel interface. But most of the discussions flow seems to be linked to the limitation of the software on the device.

    Issues could be related to MTU. Have you enabled PMTUD on the tunnel interface? If this is not the case, turn it on, as it recommended on the tunnel interface.

    HTH.

    Evaluate the useful ticket.

    Kind regards

    Terence

  • GRE tunnels will not come on VPN IPsec/GRE

    Hi all

    We have 400 + remote sites that connect to our central location (and a backup site) using Cisco routers with vpn IPSec/GRE tunnels.  We use a basic model for the creation of tunnels, so there is very little chance of a bad configuration on each router.  Remote sites use Cisco 831 s, central sites use Cisco 2821 s.  There is a site where the tunnels WILL refuse just to come.

    Routers are able to ping their public IP addresses, so it is not a routing problem, but gre endpoints cannot ping.  There is no NATing involved, two routers directly accessing the Internet.  The assorded display orders seem to indicate that the SAs are properly built, but newspapers, it seems that last part just don't is finished, and the GRE tunnels come not only upward.

    The attached log file, it seems that both its IPSEC & ISAKMP are created @ 00:25:14, then QM_PHASE2 end @ 00:25:15.

    00:25:15: ISAKMP: (0:10:HW:2): node error 1891573546 FALSE reason for deletion "(wait) QM.
    00:25:15: ISAKMP: (0:10:HW:2): entrance, node 1891573546 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    00:25:15: ISAKMP: (0:10:HW:2): former State = new State IKE_QM_R_QM2 = IKE_QM_PHASE2_COMPLETE
    00:25:15: ISAKMP (0:268435467): received 208.XX packet. Dport 500 sport Global 500 (I) QM_IDLE yy.11
       
    00:25:15: IPSEC (key_engine): had an event of the queue with 1 kei messages
    00:25:15: IPSEC (key_engine_enable_outbound): rec would prevent ISAKMP
    00:25:15: IPSEC (key_engine_enable_outbound): select SA with spinnaker 1572231461/50
    00:25:15: ISAKMP: (0:11:HW:2): error in node-1931380074 FALSE reason for deletion "(wait) QM.
    00:25:15: ISAKMP: (0:11:HW:2): entrance, node-1931380074 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    00:25:15: ISAKMP: (0:11:HW:2): former State = new State IKE_QM_R_QM2 = IKE_QM_PHASE2_COMPLETE
    00:25:15: IPSEC (key_engine): had an event of the queue with 1 kei messages
    00:25:15: IPSEC (key_engine_enable_outbound): rec would prevent ISAKMP
    00:25:15: IPSEC (key_engine_enable_outbound): select SA with spinnaker 310818168/50

    I don't have the remote router log file, and is very long, so I joined her.  Before that I captured the log file, I enabled debugging ipsec & isakmp and immediately authorized the SAs.

    Assorted useful details and matching orders of show results:

    Cisco IOS Software, C831 (C831-K9O3SY6-M), Version 12.4 (25), RELEASE SOFTWARE (fc1)

    There are 2 connections of IPSEC/GRE tunnel:

    Tunnel101: KC (208.YY. ZZ.11) - remote control (74.WW. XX.35)
    Tunnel201: Dallas (208.XX. YY.11) - remote control (74.WW. XX.35)

    Site-382-831 #sho ip int br
    Interface IP-Address OK? Method State Protocol
    FastEthernet1 unassigned YES unset down down
    FastEthernet2 unassigned YES unset upward, upward
    FastEthernet3 unassigned YES unset upward, upward
    FastEthernet4 unassigned YES unset upward, upward
    Ethernet0 10.3.82.10 YES NVRAM up up
    Ethernet1 74.WW. XX.35 YES NVRAM up up
    Ethernet2 172.16.1.10 YES NVRAM up up
    Tunnel101 1.3.82.46 YES NVRAM up toward the bottom<>
    Tunnel201 1.3.82.62 YES NVRAM up toward the bottom<====  ="">
    NVI0 unassigned don't unset upward upwards

    Site-382-831 #.
    Site-382-831 #sho run int tunnel101
    Building configuration...

    Current configuration: 277 bytes
    !
    interface Tunnel101
    Description % connected to the 2nd KC BGP 2821 - PRI - B
    IP 1.3.82.46 255.255.255.252
    IP mtu 1500
    IP virtual-reassembly
    IP tcp adjust-mss 1360
    KeepAlive 3 3
    source of tunnel Ethernet1
    destination of the 208.YY tunnel. ZZ.11
    end

    Site-382-831 #.

    Site-382-831 #show isakmp crypto his
    status of DST CBC State conn-id slot
    208.XX. YY.11 74.WW. XX.35 QM_IDLE ASSETS 0 11
    208.YY. ZZ.11 74.WW. XX.35 QM_IDLE 10 0 ACTIVE
    Site-382-831 #.

    Site-382-831 #.
    Site-382-831 #show detail of the crypto isakmp
    Code: C - IKE configuration mode, D - Dead Peer Detection
    NAT-traversal - KeepAlive, N - K
    X - IKE extended authentication
    PSK - GIPR pre-shared key - RSA signature
    renc - RSA encryption

    C - id Local Remote I have VRF status BA hash Auth DH lifetime limit.
    11 74.WW. XX.35 208.XX. YY.11 ACTIVE 3des sha psk 1 23:56:09
    Connection-id: motor-id = 11:2 (hardware)
    74.WW 10. XX.35 208.YY. ZZ.11 ACTIVE 3des sha psk 1 23:56:09
    Connection-id: motor-id = 10:2 (hardware)
    Site-382-831 #.

    Site-382-831 #.
    Site-382-831 #show crypto ipsec his

    Interface: Ethernet1
    Tag crypto map: IPVPN_MAP, local addr 74.WW. XX.35

    protégé of the vrf: (none)
    ident (addr, mask, prot, port) local: (74.WW. XX.35/255.255.255.255/47/0)
    Remote ident (addr, mask, prot, port): (208.YY. ZZ.11/255.255.255.255/47/0)
    current_peer 208.YY. ZZ.11 port 500
    LICENCE, flags is {origin_is_acl},
    #pkts program: 2333, #pkts encrypt: 2333, #pkts digest: 2333
    #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, #pkts compr. has failed: 0
    #pkts not unpacked: 0, #pkts decompress failed: 0
    #send 21, #recv errors 0

    local crypto endpt. : 74.WW. XX.35, remote Start crypto. : 208.YY. ZZ.11
    Path mtu 1500, mtu 1500 ip, ip mtu IDB Ethernet1
    current outbound SPI: 0x45047D1D (1157922077)

    SAS of the esp on arrival:
    SPI: 0x15B97AEA (364477162)
    transform: esp-3des esp-sha-hmac.
    running parameters = {Tunnel}
    Conn ID: 2004, flow_id: C83X_MBRD:4, crypto card: IPVPN_MAP
    calendar of his: service life remaining (k/s) key: (4486831/1056)
    Size IV: 8 bytes
    support for replay detection: Y
    Status: ACTIVE

    the arrival ah sas:

    SAS of the CFP on arrival:

    outgoing esp sas:
    SPI: 0x45047D1D (1157922077)
    transform: esp-3des esp-sha-hmac.
    running parameters = {Tunnel}
    Conn ID: 2003, flow_id: C83X_MBRD:3, crypto card: IPVPN_MAP
    calendar of his: service life remaining (k/s) key: (4486744/1056)
    Size IV: 8 bytes
    support for replay detection: Y
    Status: ACTIVE

    outgoing ah sas:

    outgoing CFP sas:

    protégé of the vrf: (none)
    ident (addr, mask, prot, port) local: (74.WW. XX.35/255.255.255.255/47/0)
    Remote ident (addr, mask, prot, port): (208.XX. YY.11/255.255.255.255/47/0)
    current_peer 208.XX. YY.11 port 500
    LICENCE, flags is {origin_is_acl},
    #pkts program: 2333, #pkts encrypt: 2333, #pkts digest: 2333
    #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, #pkts compr. has failed: 0
    #pkts not unpacked: 0, #pkts decompress failed: 0
    #send 21, #recv errors 0

    local crypto endpt. : 74.WW. XX.35, remote Start crypto. : 208.XX. YY.11
    Path mtu 1500, mtu 1500 ip, ip mtu IDB Ethernet1
    current outbound SPI: 0xE82A86BC (3895101116)

    SAS of the esp on arrival:
    SPI: 0x539697CA (1402378186)
    transform: esp-3des esp-sha-hmac.
    running parameters = {Tunnel}
    Conn ID: 2008, flow_id: C83X_MBRD:8, crypto card: IPVPN_MAP
    calendar of his: service life remaining (k/s) key: (4432595/1039)
    Size IV: 8 bytes
    support for replay detection: Y
    Status: ACTIVE

    the arrival ah sas:

    SAS of the CFP on arrival:

    outgoing esp sas:
    SPI: 0xE82A86BC (3895101116)
    transform: esp-3des esp-sha-hmac.
    running parameters = {Tunnel}
    Conn ID: 2001, flow_id: C83X_MBRD:1, crypto card: IPVPN_MAP
    calendar of his: service life remaining (k/s) key: (4432508/1039)
    Size IV: 8 bytes
    support for replay detection: Y
    Status: ACTIVE

    outgoing ah sas:

    outgoing CFP sas:
    Site-382-831 #.

    Site-382-831 #.
    Site-382-831 #show crypto ipsec his | Pkts Inc. | life
    #pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
    #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, #pkts compr. has failed: 0
    #pkts not unpacked: 0, #pkts decompress failed: 0
    calendar of his: service life remaining (k/s) key: (4486831/862)
    calendar of his: service life remaining (k/s) key: (4486738/862)
    #pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
    #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, #pkts compr. has failed: 0
    #pkts not unpacked: 0, #pkts decompress failed: 0
    calendar of his: service life remaining (k/s) key: (4432595/846)
    calendar of his: service life remaining (k/s) key: (4432501/846)
    Site-382-831 #.

    Site-382-831 #.
    Site-382-831 #show crypto isakmp policy

    World IKE policy
    Priority protection Suite 10
    encryption algorithm: three key triple a
    hash algorithm: Secure Hash Standard
    authentication method: pre-shared Key
    Diffie-Hellman group: #1 (768 bits)
    lifetime: 86400 seconds, no volume limit
    Default protection suite
    encryption algorithm: - Data Encryption STANDARD (56-bit keys).
    hash algorithm: Secure Hash Standard
    authentication method: Rivest-Shamir-Adleman Signature
    Diffie-Hellman group: #1 (768 bits)
    lifetime: 86400 seconds, no volume limit
    Site-382-831 #.

    Site-382-831 #show crypto card
    "IPVPN_MAP" 101-isakmp ipsec crypto map
    Description: at the 2nd KC BGP 2821 - PRI - B
    Peer = 208.YY. ZZ.11
    Extend the PRI - B IP access list
    access list PRI - B allowed will host 74.WW. XX.35 the host 208.YY. ZZ.11
    Current counterpart: 208.YY. ZZ.11
    Life safety association: 4608000 Kbytes / 3600 seconds
    PFS (Y/N): N
    Transform sets = {}
    IPVPN,
    }

    "IPVPN_MAP" 201-isakmp ipsec crypto map
    Description: 2nd Dallas BGP 2821 - s-B
    Peer = 208.XX. YY.11
    Expand the list of IP SEC-B access
    s - B allowed will host 74.WW access list. XX.35 the host 208.XX. YY.11
    Current counterpart: 208.XX. YY.11
    Life safety association: 4608000 Kbytes / 3600 seconds
    PFS (Y/N): N
    Transform sets = {}
    IPVPN,
    }
    Interfaces using crypto card IPVPN_MAP:
    Ethernet1
    Site-382-831 #.

    Tunnel between KC & the remote site configuration is:

    Distance c831 - KC

    crypto ISAKMP policy 10
    BA 3des
    preshared authentication
    !
    PRI-B-382 address 208.YY isakmp encryption key. ZZ.11
    !
    Crypto ipsec transform-set esp-3des esp-sha-hmac IPVPN
    transport mode
    !
    IPVPN_MAP 101 ipsec-isakmp crypto map
    Description of 2nd KC BGP 2821 - PRI - B
    set of peer 208.YY. ZZ.11
    game of transformation-IPVPN
    match address PRI - B
    !
    interface Tunnel101
    Description % connected to the 2nd KC BGP 2821 - PRI - B
    IP 1.3.82.46 255.255.255.252
    IP mtu 1500
    KeepAlive 3 3
    IP virtual-reassembly
    IP tcp adjust-mss 1360
    source of tunnel Ethernet1
    destination of the 208.YY tunnel. ZZ.11
    !
    interface Ethernet0
    private network Description
    IP 10.3.82.10 255.255.255.0
    IP mtu 1500
    no downtime
    !
    interface Ethernet1
    IP 74.WW. XX.35 255.255.255.248
    IP mtu 1500
    automatic duplex
    IP virtual-reassembly
    card crypto IPVPN_MAP
    no downtime
    !
    PRI - B extended IP access list
    allow accord 74.WW the host. XX.35 the host 208.YY. ZZ.11
    !

    KC-2821 *.

    PRI-B-382 address 74.WW isakmp encryption key. XX.35
    !
    PRI-B-382 extended IP access list
    allow accord 208.YY the host. ZZ.11 the host 74.WW. XX.35
    !
    IPVPN_MAP 382 ipsec-isakmp crypto map
    Description % connected to the 2nd KC BGP 2821
    set of peer 74.WW. XX.35
    game of transformation-IPVPN
    match address PRI-B-382
    !
    interface Tunnel382
    Description %.
    IP 1.3.82.45 255.255.255.252
    KeepAlive 3 3
    IP virtual-reassembly
    IP tcp adjust-mss 1360
    IP 1400 MTU
    delay of 40000
    tunnel of 208.YY origin. ZZ.11
    destination of the 74.WW tunnel. XX.35
    !
    end

    Any help would be much appreciated!

    Mark

    Hello

    logs on Site-382-831, only see the crypt but none decrypts, could you check a corresponding entry on the peer and see if has any questions send return traffic?

    Site-382-831 #show crypto ipsec his | Pkts Inc. | life
    #pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
    #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, #pkts compr. has failed: 0
    #pkts not unpacked: 0, #pkts decompress failed: 0
    calendar of his: service life remaining (k/s) key: (4486831/862)
    calendar of his: service life remaining (k/s) key: (4486738/862)
    #pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
    #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, #pkts compr. has failed: 0
    #pkts not unpacked: 0, #pkts decompress failed: 0
    calendar of his: service life remaining (k/s) key: (4432595/846)
    calendar of his: service life remaining (k/s) key: (4432501/846)
    Site-382-831 #.

    Kind regards

    Averroès.

  • Significant decline in performance on the GRE tunnel after using cryptographic protection

    Hi all

    I have two G1 RSR (1811 and 1812) who have a GRE tunnel between them.

    Without any encryption protection I received about 3.6 MB/s in regular transfers of Windows SMB. After using cryptographic protection of the tunnel I'm now only 2.7 MB/s transfers of same.

    No idea as to why this is?

    My conclusions:
    According to this http://www.cisco.com/web/partners/downloads/765/tools/quickreference/vpn... the AES crypto fixed return of the 1800s is 40 MB/s.
    The increase in overhead of cryptographic protection shouldn't be the problem I tried to test the transfers on the tunnel without protection and 'ip tcp adjust-mss 800' of the tunnel. There was only a small performance drop here, not as much as with the crypto.
    I tried several sets of cryptographic transformation, they all give the same performance as long as they are made in the material.
    ISAKMP is always done in the software? I can't get it to show its is done at the hardware level, regardless of isakmp policy.

    IP MTU on both interfaces of tunnel are 1434 with cryptographic protection.

    My config:

    crypto ISAKMP policy 10
    BA aes 256
    sha512 hash
    preshared authentication
    Group 20
    isakmp encryption key * address *.
    !
    Crypto ipsec transform-set ESP-AES256-SHA esp - aes 256 esp-sha-hmac
    transport mode
    !
    Profile of crypto ipsec VPN
    game of transformation-ESP-AES256-SHA
    !
    Tunnel10
    IP 10.251.251.1 255.255.255.0
    no ip redirection
    no ip proxy-arp
    load-interval 30
    source of tunnel FastEthernet0
    tunnel destination *.
    tunnel path-mtu-discovery
    Tunnel VPN ipsec protection profile
    !

    Output:

    ISR1811 #sh crypto ipsec his
    Interface: Tunnel10
    Tag crypto map: addr Tunnel10-head-0, local *.

    protégé of the vrf: (none)
    ident (addr, mask, prot, port) local: (* / 255.255.255.255/47/0)
    Remote ident (addr, mask, prot, port): (* / 255.255.255.255/47/0)
    current_peer * port 500
    LICENCE, flags is {origin_is_acl},
    #pkts program: 683060, #pkts encrypt: 683060, #pkts digest: 683060
    #pkts decaps: 1227247, #pkts decrypt: 1227247, #pkts check: 1227247
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, #pkts compr. has failed: 0
    #pkts not unpacked: 0, #pkts decompress failed: 0
    Errors #send 0, #recv 0 errors

    endpt local crypto. : *, remote Start crypto. : ***
    Path mtu 1500, mtu 1500 ip, ip mtu IDB FastEthernet0
    current outbound SPI: 0x8D9A911E (2375717150)
    PFS (Y/N): N, Diffie-Hellman group: no

    SAS of the esp on arrival:
    SPI: 0xD6F42959 (3606325593)
    transform: aes-256-esp esp-sha-hmac.
    running parameters = {Transport}
    Conn ID: 45, flow_id: VPN on board: 45, sibling_flags 80000006, crypto card: head-Tunnel10-0
    calendar of his: service life remaining (k/s) key: (4563208/1061)
    Size IV: 16 bytes
    support for replay detection: Y
    Status: ACTIVE

    the arrival ah sas:
    SAS of the CFP on arrival:

    outgoing esp sas:
    SPI: 0x8D9A911E (2375717150)
    transform: aes-256-esp esp-sha-hmac.
    running parameters = {Transport}
    Conn ID: 46, flow_id: VPN on board: 46, sibling_flags 80000006, crypto card: head-Tunnel10-0
    calendar of his: service life remaining (k/s) key: (4563239/1061)
    Size IV: 16 bytes
    support for replay detection: Y
    Status: ACTIVE

    outgoing ah sas:
    outgoing CFP sas:

    ISR1811 #show in detail his crypto isakmp
    Code: C - IKE configuration mode, D - Dead Peer Detection
    NAT-traversal - KeepAlive, N - K
    T - cTCP encapsulation, X - IKE Extended Authentication
    PSK - GIPR pre-shared key - RSA signature
    renc - RSA encryption
    IPv4 Crypto ISAKMP Security Association

    C - id Local Remote I have VRF status BA hash Auth DH lifetime limit.
    2015 * * ACTIVE aes sha5 psk 20 12:42:50
    Engine-id: Conn-id = SW: 15
    2016 * * ACTIVE aes sha5 psk 20 12:42:58
    Engine-id: Conn-id = SW: 16
    IPv6 Crypto ISAKMP Security Association

    Use of CPU for the transfer with crypto:

    ISR1811 #sh proc cpu its

    ISR1811 09:19:54 Tuesday Sep 2 2014 THIS

    544444555555555544444444445555544444555556666644444555555555
    355555000001111133333888884444444444333333333377777666662222
    100
    90
    80
    70
    60                                          *****     *****
    50 ****************     **********     ************************
    40 ************************************************************
    30 ************************************************************
    20 ************************************************************
    10 ************************************************************
    0... 5... 1... 1... 2... 2... 3... 3... 4... 4... 5... 5... 6
    0 5 0 5 0 5 0 5 0 5 0
    Processor: % per second (last 60 seconds)

    ISR1812 #sh proc cpu history

    ISR1812, Tuesday 09:19:24 Sep 2 2014 THIS

    666666666666666666666666666666666666666666655555444445555544
    777888883333344444555555555566666777770000055555777776666666
    100
    90
    80
    70 ********          ********************
    60 ************************************************     *****
    50 ************************************************************
    40 ************************************************************
    30 ************************************************************
    20 ************************************************************
    10 ************************************************************
    0... 5... 1... 1... 2... 2... 3... 3... 4... 4... 5... 5... 6
    0 5 0 5 0 5 0 5 0 5 0
    Processor: % per second (last 60 seconds)

    I think that this performance is what you should get with the legacy 18xx SRI G1. But the performance degradation is perhaps really a little too high.

    For ISAKMP, there is no problem with that. The amount of protected data is too small to have one any influence.

    As a first test, I would remove the GRE encapsulation by setting "mode ipsec ipv4 tunnel" on the tunnel interface and compare if the results improve.

  • The GRE Tunnel descends?

    So here's my setup:

    Internal router (2821) > Cluster internal DMZ ASA > router DMZ (2821) > external DMZ Checkpoint Cluster > Branch Office router (877)

    Internal Cluster ASA a configured PAT production internal then all the VLANS.

    The router in the DMZ has an interior interface configured on the internal DMZ and an external interface configured on the external DMZ. The DMZ router has two interfaces configured loopback.

    The external control point is configured with NAT for the incoming and outgoing traffic.

    The branch is a DSL router with a static IP address.

    The first requirement is to configure a GRE IPSec tunnel between the DMZ router and the branch office router.

    The second condition is to configure a GRE IPSec tunnel between the internal router and the router in the DMZ.

    The third requirement is to allow routing between the internal router and the branch through the router in the DMZ, because it is ultimately the connection between the head office and branch of live backup.

    I configured a Contract by the IPSec Tunnel between the router in the DMZ and routers of Management Office successfully.

    I can also set up a GRE Tunnel (without IPSec) between the internal router and the router in the DMZ.

    However, whenever the GRE Tunnel establishes between internal and DMZ routers and a neighbouring forms EIGRP, EIGRP neighborhood between the router in the DMZ and the branch drops! See following the DMZ router log file:

    1 = to branch tunnel

    Tunnel of 100 = internal

    002885:. 3 Mar 22:32:57.013: % LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed State to
    002886:. 3 Mar 22:33:06.029: % DUAL-5-NBRCHANGE: IPv4 EIGRP 1: neighbor 172.17.205.61 (Tunnel1) is on the rise: new adjacency
    002889:. 3 Mar 22:33:58.434: % LINK-3-UPDOWN: Interface Tunnel100, changed State to
    002890.: 3 Mar 22:33:58.438: % LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel100, changed State to
    002891:. 3 Mar 22:34:15.370: % DUAL-5-NBRCHANGE: IPv4 EIGRP 1: neighbor 192.168.5.66 (Tunnel100) is on the rise: new adjacency
    002892:. 22:34:30.551 3 Mar: % DUAL-5-NBRCHANGE: 1 IPv4 EIGRP: neighbour 172.17.205.61 (Tunnel1) is falling: expiry of hold time
    002893:. 3 Mar 22:34:47.015: % LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, state change downstairs

    The IPSec tunnel, for the branch remains in place throughout.

    Can anyone help!?

    The problem was that whenever the GRE Tunnel established between internal and DMZ routers and a forms of EIGRP neighbor branch was learning the next hop to the destination of tunnel from a different device.

    This is how the branch was to learn the route to the tunnel destination:

    Tunnel1 interface

    Tandragee Sub Station router VPN Tunnel description

    bandwidth 64

    IP 172.17.205.62 255.255.255.252

    no ip-cache cef route

    delay of 20000

    KeepAlive 10 3

    source of tunnel Loopback1

    tunnel destination 172.17.255.23

    be-idz-vpn-01 #sh ip route 172.17.255.23

    Routing for 172.17.255.23/32 entry

    Through the 'static', the metric distance 1 0 known

    Routing descriptor blocks:

    * 172.17.252.129

    Path metric is 0, number of shares of traffic 1

    be-idz-vpn-01 #sh ip route 172.17.252.129

    Routing for 172.17.252.128/25 entry

    Known via 'connected', distance 0, metric 0 (connected, via the interface)

    Routing descriptor blocks:

    * directly connected by GigabitEthernet0/1

    Path metric is 0, number of shares of traffic 1

    be-idz-vpn-01 #.

    This is how the next hop as learned GRE Tunnel between internal and DMZ routers

    be-idz-vpn-01 #sh ip route 172.17.252.129

    Routing for 172.17.252.128/27 entry

    By the intermediary of "eigrp 1", the known distance 170, metric 40258816, type external

    Redistribution via eigrp 1

    Last updated on Tunnel100 192.168.5.66, ago 00:07:25

    Routing descriptor blocks:

    * 192.168.5.66, 192.168.5.66, there is, through Tunnel100 00:07:25

    Path metric is 40258816, 1/number of shares of traffic is

    Time total is 10110 microseconds, minimum bandwidth 64 Kbps

    Reliability 255/255, MTU minimum 1476 bytes

    Loading 1/255, 2 hops

    We can see how the next hop to the destination of tunnel 172.17.255.23 changed from known via 'connected' via GigabitEthernet0/1 known via "eigrp 1" through Tunnel100.

    This case causes the Tunnel 1 drops.

    The reason for this behavior was because the road to reach the next hop was acquired with a longest match through tunnel interface so that he won the race to the routing table.

    The solution we applied:

    Created a list of distribution on the branch office router in order to remove this specific route Tunnel 100 updates.

    Router eigrp 1

    distribute-list 1

    Network 10.10.10.0 0.0.0.3

    network 172.17.203.56 0.0.0.3

    network 172.17.203.60 0.0.0.3

    network 172.17.205.60 0.0.0.3

    network 172.19.98.18 0.0.0.0

    network 192.168.5.64 0.0.0.3

    passive-interface Loopback1

    be-idz-vpn-01 #sh access-list 1

    IP access list standard 1

    10 deny 172.17.252.128, wildcard bits 0.0.0.127 (1 match)

    20 permit (1230 matches)

    be-idz-vpn-01 #.

    Once this has been applied, we could have the GRE Tunnel established between internal and DMZ routers with the tunneld ACCORD between the branch and the router in the DMZ.

  • Traffic is failed on plain IPSec tunnel between two 892 s

    Have a weird case and you are looking for some suggestions/thougs where to dig because I have exhausted the options.

    Note: I replaced the Networkid real to a mentined below.

    Topology: a classic IPSec VPN tunnel between two 892 s of Cisco, with pre-shared key and no GRE. A 892 (branch_892) has access to the Internet using PPPoE and has three network / VLAN behind it. A VLAN is coordinated to the PPPoE internet access. Access to the other two VLAN - VL92 (100.100.200.0/24) and VL93 (100.100.100.0/24) is performed via the VPN tunnel.

    Second 892 (892_DC) has just one interface - WAN on Gigabit enabled/connected and a static route to the default GW. It doesn't have any defined interal network. If the router is strictly used to send traffic to VL92/VL93 to the domestic 892 via IPSec tunnel.

    Here's the problem: access to VL93 (100.100.100.0/24) works, however for VL92 (100.100.100.0/24) - does not work.

    Devices in VL92 I ping IP address of 892_DC through the VPN tunnel. The 892_DC router I can ping devices in VL92. However, I can't VL92 ping any device beyond the 892_DC and at the same time the packets arriving on 892_DC for VL92 are not sent through the VPN tunnel.

    I took the package trace on 892_DC using capture point/buffer to nathalie caron to VL92 packages and saw that the traffic coming to the 892_DC. I run the nathalie caron even on Branch_892, and there was not a single package.

    So... What's the problem? More interesting, I modified the way left on VL92 access list and still - no packets are sent through the tunnel.

    Any idea? Two routers config are below

    -------

    892_DC #show ru

    !

    crypto ISAKMP policy 10

    BA aes 256

    hash sha256

    preshared authentication

    Group 2

    isakmp encryption key * address 1.2.3.4

    ISAKMP crypto keepalive 10 periodicals

    !

    address of 1.2.3.4 crypto isakmp peers

    Description of-COIL-892

    !

    !

    Crypto ipsec transform-set IT-IPSec-Transform-Set esp - aes 256 sha256-esp-hmac

    Crypto ipsec df - bit clear

    !

    map IT ipsec - IPSec crypto - Crypto - map 10-isakmp

    defined peer 1.2.3.4

    disable the kilobytes of life together - the security association

    86400 seconds, life of security association set

    the transform-set IT-IPSec-Transform-Set value

    match a lists 101

    market arriere-route

    QoS before filing

    !

    interface GigabitEthernet0

    IP 10,20,30,40 255.255.255.240

    IP 1400 MTU

    IP tcp adjust-mss 1360

    automatic duplex

    automatic speed

    card crypto IT-IPSec-Crypto-map

    !

    IP route 0.0.0.0 0.0.0.0 10.20.30.41

    !

    access list 101 ip allow any 100.100.100.0 0.0.0.255 connect

    access list 101 ip allow any 100.100.200.0 0.0.0.255 connect

    -------------------------------------------------------------------------------------

    Branch_892 #sh run

    !

    crypto ISAKMP policy 10

    BA aes 256

    hash sha256

    preshared authentication

    Group 2

    isakmp encryption key * address 10,20,30,40

    ISAKMP crypto keepalive 10 periodicals

    !

    address peer isakmp crypto 10,20,30,40

    !

    !

    Crypto ipsec transform-set IT-IPSec-Transform-Set esp - aes 256 sha256-esp-hmac

    Crypto ipsec df - bit clear

    !

    map IT ipsec - IPSec crypto - Crypto - map 10-isakmp

    defined peer 10,20,30,40

    disable the kilobytes of life together - the security association

    86400 seconds, life of security association set

    the transform-set IT-IPSec-Transform-Set value

    match address 101

    market arriere-route

    QoS before filing

    !

    FastEthernet6 interface

    Description VL92

    switchport access vlan 92

    !

    interface FastEthernet7

    Description VL93

    switchport access vlan 93

    !

    interface GigabitEthernet0

    Description # to WAN #.

    no ip address

    automatic duplex

    automatic speed

    PPPoE-client dial-pool-number 1

    !

    interface Vlan1

    Description # local to #.

    IP 192.168.1.254 255.255.255.0

    IP nat inside

    IP virtual-reassembly in

    !

    interface Vlan92

    Description fa6-nexus e100/0/40

    IP 100.100.200.1 255.255.255.0

    !

    interface Vlan93

    Description fa7-nexus e100/0/38

    IP 100.100.100.1 255.255.255.0

    !

    interface Dialer0

    no ip address

    No cdp enable

    !

    interface Dialer1

    IP 1.2.3.4 255.255.255.248

    IP mtu 1454

    NAT outside IP

    IP virtual-reassembly in max-pumping 256

    encapsulation ppp

    IP tcp adjust-mss 1414

    Dialer pool 1

    Dialer-Group 1

    Authentication callin PPP chap Protocol

    PPP chap hostname ~ ~ ~

    PPP chap password =.

    No cdp enable

    card crypto IT-IPSec-Crypto-map

    !

    Dialer-list 1 ip protocol allow

    !

    access-list 101 permit ip 100.100.100.0 0.0.0.255 any

    access-list 101 permit ip 100.100.200.0 0.0.0.255 any

    !

    IP route 0.0.0.0 0.0.0.0 Dialer1

    Yes correct sounds - so another possible problem is the routing is routing 100% correct on both sides? Can you put the two sides config for review?

  • Backup of the GRE Tunnel using the address IP of Seconadary

    Is it possible to configure a GRE Tunnel to backup using an IP of Seconadary address on the WAN interface.  The router is a

    Cisco 871.  Any help would be greatly appreciated.

    Thank you.

    Nicholas

    I'm not sure it would work for use a secondary address on the WAN interface for a GRE tunnel. Maybe if you tell us more about what you're trying to do we could be able to help find alternatives that would work.

    Two tunnels from the same interface (even though you could use a secondary address) to another router would not provide a backup, if they work at all. Work of two tunnels of the same interface of router (and two using the main address) fairly well if they go to different remote routers, and it is a common way to provide backup for the GRE tunnels.

    HTH

    Rick

  • VPN3000 as an end of GRE tunnel

    Dear all,

    Is it possible for a VPN3000 to close a GRE tunnel by its own interface (private or public)? As long as I see in the GUI, looks like there no option for config one end of GRE tunnel. You can configure a GRE filter, but it comes through a GRE traffic, I'm right?

    Best regards

    Engel

    Engel,

    You can not cancel a Grateful for lan-to-lan tunnel based on a hub (as in IOS). Protocol PPTP uses GRE as the transport protocol, which supports a concentrator of VPN3K (and therefore filters and debugs for GRE)

    Hope that answers your question

    Jean Marc

  • Questions about the Internet browsing GRE tunnel ISPec

    I am faced with Internet navigation problems when distened to the customer's internet traffic. mail.Yahoo.com does not open on the client, while yahoo.com works very well. Same streaming and apps from apple works does not on iphone, but distened for data center traffic works very well. If I remove the protection of IPSec of GRE tunnel then everything works fine.

    Please guide what to do, I have attached a diagram of scenario

    Hello

    It is difficult to suggest, but MTU issue could be the reason for the problem.

    Do you have the command of setting-mss tcp ip on both interfaces of tunnel?

    If not, please try to add:

    Tunnel X interface

    IP tcp adjust-mss 1300

    If it helps, you can try to increase the value of 1300 to 1360 MMS (which is recommended by Cisco)

  • GRE tunnels

    I have a router Cisco 2811 configured with a GRE tunnel, and I want to add another tunnel to another remote site. It's the first tunnel configuration:

    Tunnel1 interface

    IP 10.1.1.1 255.255.255.252

    IP access-group 10 out

    IP nat inside

    IP virtual-reassembly

    KeepAlive 10 3

    source of tunnel Vlan1

    tunnel destination xxx.xxx.xxx.xxx

    card crypto IPSEC_VPN

    I have some doubts on that subnet to configure for the second tunnel.

    In the existing tunnel, the IP address is: 10.1.1.1 and mask: 255.255.255.252 subnet so is 10.1.1.0. I guess, I have to configure another different subnet (i.e. 10.1.2.0) for the second tunnel, but what IP address and the mask, 10.1.2.1 255.255.255.0?

    When a PC from the router's local network tries to connect to the remote router using the tunnel, what IP address it use?

    Thanks and greetings

    You're wrong, your PC's need is a route of default gateway for the router, a default route is a route that defines, all unknown IP traffic must be forwarded to the next hop that is defined in the default route.

  • NAT &amp; GRE Tunnel

    Hello

    I have a test installation routers 2 with a GRE tunnel which works very well in the test configuration. My question is if I transfer this config for direct mounting how I would exempt traffic over the tunnel WILL be natted? Everything else is the traffic destined for the internet should be tapped to the external interface. Would need a road map for this?

    Thank you

    R1

    --

    interface Tunnel0

    IP 192.168.200.2 255.255.255.0

    dissemination of IP ospf network

    KeepAlive 10 3

    source of tunnel FastEthernet0

    tunnel destination 1.1.1.1

    crypto mymap map

    interface FastEthernet0

    Outside of the Interface Description

    1.1.1.2 IP 255.255.255.0

    automatic speed

    crypto mymap map

    R2

    --

    Tunnel1 interface

    192.168.200.1 IP address 255.255.255.0

    dissemination of IP ospf network

    KeepAlive 10 3

    source of tunnel FastEthernet0

    tunnel destination 1.1.1.2

    crypto mymap map

    interface FastEthernet0

    Outside of the Interface Description

    IP 1.1.1.1 255.255.255.0

    automatic speed

    crypto mymap map

    Yes you are right.

  • Configuration of Site VPN connection to another via GRE Tunnels

    I am trying to connect VPN site to site on the internet using GRE tunnels. I am able to reach from a WAN interface to another. But I am not able to get the ISAKMP and IPSec to work. Below the configuration and a simplified below flowchart. In the scenario below, I am also running BGP between these routers. The BGP neighbor-ships are trained through the tunnels. But I want traffic between tunnels to encrypt. IPsec and ISAKMP not running BGP routes and other traffic is not encrypted.

    This is why I would like to know what could the reason for this.

    Router config VPN 1

     crypto isakmp policy 1 encr 3des authentication pre-share group 2 lifetime 500 crypto isakmp key test_key1 address 192.168.30.1 crypto isakmp key test_key1 address 192.168.30.2 crypto isakmp keepalive 60 20 crypto isakmp aggressive-mode disable ! ! crypto ipsec transform-set high esp-3des esp-sha-hmac mode tunnel ! ! ! crypto map CRYP_MAP_IPSEC 10 ipsec-isakmp set peer 192.168.20.1 set security-association lifetime seconds 4000 set transform-set high set pfs group2 match address 110 crypto map CRYP_MAP_IPSEC 20 ipsec-isakmp set peer 192.168.20.2 set security-association lifetime seconds 4000 set transform-set high set pfs group2 match address 111 ! interface Loopback0 description IPsec_Tunnel0 ip address 192.168.30.1 255.255.255.255 ! interface Loopback1 description IPsec_Tunnel1 ip address 192.168.30.2 255.255.255.255 ! interface Loopback2 description BGP_Peer1 ip address 192.168.40.1 255.255.255.255 ! interface Loopback3 description BGP_Peer2 ip address 192.168.40.2 255.255.255.255 ! interface Tunnel0 ip unnumbered Loopback0 tunnel source Loopback0 tunnel destination 192.168.20.1 crypto map CRYP_MAP_IPSEC ! interface Tunnel1 ip unnumbered Loopback1 tunnel source Loopback1 tunnel destination 192.168.20.2 crypto map CRYP_MAP_IPSEC ! interface gi0 description #### CONNECTED TO Internet #### ip address 10.1.1.1 255.255.255.252 ip access-group 100 in duplex auto speed auto ! router bgp 64851 bgp log-neighbor-changes neighbor BGP_PEER_1 peer-group neighbor BGP_PEER_1 remote-as 64859 neighbor BGP_PEER_1 ebgp-multihop 255 neighbor BGP_PEER_1 update-source Loopback2 neighbor BGP_PEER_1 version 4 neighbor BGP_PEER_1 next-hop-self neighbor BGP_PEER_2 peer-group neighbor BGP_PEER_2 remote-as 64859 neighbor BGP_PEER_2 ebgp-multihop 255 neighbor BGP_PEER_2 update-source Loopback3 neighbor BGP_PEER_2 version 4 neighbor BGP_PEER_2 next-hop-self neighbor 192.168.10.1 peer-group BGP_PEER_1 neighbor 192.168.10.2 peer-group BGP_PEER_2 ! ip route 192.168.10.1 255.255.255.255 Tunnel0 ip route 192.168.10.2 255.255.255.255 Tunnel1 ip route 192.168.20.1 255.255.255.255 GigabitEthernet0 ip route 192.168.20.2 255.255.255.255 GigabitEthernet0 ! access-list 100 permit ip any any access-list 110 permit gre host 192.168.30.1 host 192.168.20.1 access-list 110 permit gre host 192.168.20.1 host 192.168.30.1 access-list 111 permit gre host 192.168.30.2 host 192.168.20.2 access-list 111 permit gre host 192.168.20.2 host 192.168.30.2 ======================================================================

    Router config VPN 2

     crypto isakmp policy 1 encr 3des authentication pre-share group 2 lifetime 500 crypto isakmp key test_key1 address 192.168.30.1 crypto isakmp key test_key1 address 192.168.30.2 crypto isakmp keepalive 60 20 crypto isakmp aggressive-mode disable ! ! crypto ipsec transform-set high esp-3des esp-sha-hmac mode tunnel ! ! ! crypto map CRYP_MAP_IPSEC 10 ipsec-isakmp set peer 192.168.30.1 set security-association lifetime seconds 4000 set transform-set high set pfs group2 match address 110 crypto map CRYP_MAP_IPSEC 20 ipsec-isakmp set peer 192.168.30.2 set security-association lifetime seconds 4000 set transform-set high set pfs group2 match address 111 ! interface Loopback0 description IPsec_Tunnel0 ip address 192.168.20.1 255.255.255.255 ! interface Loopback1 description IPsec_Tunnel1 ip address 192.168.20.2 255.255.255.255 ! interface Loopback2 description BGP_Peer1 ip address 192.168.10.1 255.255.255.255 ! interface Loopback3 description BGP_Peer2 ip address 192.168.10.2 255.255.255.255 ! interface Tunnel0 ip unnumbered Loopback0 tunnel source Loopback0 tunnel destination 192.168.30.1 crypto map CRYP_MAP_IPSEC ! interface Tunnel1 ip unnumbered Loopback1 tunnel source Loopback1 tunnel destination 192.168.30.2 crypto map CRYP_MAP_IPSEC ! interface gi0 description #### CONNECTED TO Internet #### ip address 10.1.1.2 255.255.255.252 ip access-group 100 in duplex auto speed auto ! router bgp 64859 bgp log-neighbor-changes neighbor BGP_PEER_1 peer-group neighbor BGP_PEER_1 remote-as 64851 neighbor BGP_PEER_1 ebgp-multihop 255 neighbor BGP_PEER_1 update-source Loopback2 neighbor BGP_PEER_1 version 4 neighbor BGP_PEER_1 next-hop-self neighbor BGP_PEER_2 peer-group neighbor BGP_PEER_2 remote-as 64851 neighbor BGP_PEER_2 ebgp-multihop 255 neighbor BGP_PEER_2 update-source Loopback3 neighbor BGP_PEER_2 version 4 neighbor BGP_PEER_2 next-hop-self neighbor 192.168.40.1 peer-group BGP_PEER_1 neighbor 192.168.40.2 peer-group BGP_PEER_2 ! ip route 192.168.40.1 255.255.255.255 Tunnel0 ip route 192.168.40.2 255.255.255.255 Tunnel1 ip route 192.168.30.1 255.255.255.255 gi0 ip route 192.168.30.2 255.255.255.255 gi0 ! access-list 100 permit ip any any access-list 110 permit gre host 192.168.20.1 host 192.168.30.1 access-list 110 permit gre host 192.168.30.1 host 192.168.20.1 access-list 111 permit gre host 192.168.20.2 host 192.168.30.2 access-list 111 permit gre host 192.168.30.2 host 192.168.20.2 ======================================================================

    Encryption of your Tunnel configuration is incorrect... you need to do something about the following at both ends.

    crypto ISAKMP policy 10
    aes encryption
    sha hash
    preshared authentication
    Group 5
     
    cisco crypto isakmp key address
     
    Crypto ipsec transform-set esp - aes 256 esp-sha-hmac RIGHT
     
    Profile of crypto ipsec MYPROFILE
    transformation-RIGHT game
     
    interface tunnel 10
    Unnumbered IP gig0/0
    tunnel source gig0/0
    tunnel destination
    ipv4 ipsec tunnel mode
    Profile of tunnel MYPROFILE ipsec protection
     

    --

    Please do not forget to select a correct answer and rate useful posts

Maybe you are looking for

  • Firefox does not display a pinterest

    Firefox started to go wrong, but the kybosh is Pinterest. It will not show this site at all, no pictures won't load, I tried to clear the cache on firefox and deleting everything from history, but all that did is make worse it! Now I get a very basic

  • 15 - g207ax: lack of drivers for HP 15 - g207AX.

  • True compass indicator

    Me looking for ways to show an indicator of the compass where the dial moves, not the needle.  As in to display a real compass behavior in a vehicle where the counter is floating?

  • WAG320N very bad 5 GHz wireless signal.

    Hi all Because I live in an apartment building, I decided to buy a proper router on 5 GHz. I see each of them and at least 12 wireless networks 2.4 GHz (mainly BT HomeHubs or other boxes UK ISP wireless). I am studying the CCNA and our teachers recom

  • Crash blue screen when I use the internet? Urgent need help, thesis at the end!

    my laptop was pretty rubbish for a while, but now whenever I connect to the internet I get about 30 seconds before the thing of crash dump blue screen appears. The error report details are -System -Supplier [Name]  Service Control Manager[Guid]  {555