GRE over IPSec tunnel cannot pass traffic through it

Similar Questions

• Setting KeepAlive on GRE over IPSEC tunnel

  Hello world

  Need to know if there are benefits of the KeepAlive on GRE over IPSEC implementation that goes over the Wan. ?

  We currently have no KeepAlive on GRE tunnel.

  If we config KeepAlive on both ends of the ACCORD it will cause any overload or the CPU load?

  Thank you

  MAhesh

  If you use a routing on the GRE tunnel protocol you should use KeepAlive WILL not, but I would probably recommend use KeepAlive WILL anyway for the following reasons:

  1. the overload caused by the GRE KeepAlive is quite small, it should not affect the ability to pass traffic

  2. If you ever want to use tracking interface for roads or the static routes that you can interface WILL detect it descend as quickly as possible

  I know that your IPSec device is separate, so I'd probably also enable KeepAlive on the IPSec tunnel as well.

• Impossible to pass traffic through the VPN tunnel

  I have an ASA 5505 9.1 running.   I have the VPN tunnel connection, but I am not able to pass traffic. through the tunnel. Ping through the internet works fine.

  Here is my config

  LN-BLF-ASA5505 > en
  Password: *.
  ASA5505-BLF-LN # sho run
  : Saved
  :
  : Serial number: JMX1216Z0SM
  : Material: ASA5505, 256 MB RAM, 500 MHz Geode Processor
  :
  ASA 5,0000 Version 21
  !
  LN-BLF-ASA5505 hostname
  domain lopeznegrete.com
  activate the password
  volatile xlate deny tcp any4 any4
  volatile xlate deny tcp any4 any6
  volatile xlate deny tcp any6 any4
  volatile xlate deny tcp any6 any6
  volatile xlate deny udp any4 any4 eq field
  volatile xlate deny udp any4 any6 eq field
  volatile xlate deny udp any6 any4 eq field
  volatile xlate deny udp any6 any6 eq field
  passwd
  names of
  !
  interface Ethernet0/0
  switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  !
  interface Ethernet0/3
  !
  interface Ethernet0/4
  !
  interface Ethernet0/5
  !
  interface Ethernet0/6
  !
  interface Ethernet0/7
  !
  interface Vlan1
  nameif inside
  security-level 100
  IP 192.168.116.254 255.255.255.0
  OSPF cost 10
  !
  interface Vlan2
  nameif outside
  security-level 0
  IP 50.201.218.69 255.255.255.224
  OSPF cost 10
  !
  boot system Disk0: / asa915-21 - k8.bin
  passive FTP mode
  DNS server-group DefaultDNS
  domain lopeznegrete.com
  network obj_any object
  subnet 0.0.0.0 0.0.0.0
  the LNC_Local_TX_Nets object-group network
  Description of internal networks Negrete Lopez (Texas)
  object-network 192.168.1.0 255.255.255.0
  object-network 192.168.2.0 255.255.255.0
  object-network 192.168.3.0 255.255.255.0
  object-network 192.168.4.0 255.255.255.0
  object-network 192.168.5.0 255.255.255.0
  object-network 192.168.51.0 255.255.255.0
  object-network 192.168.55.0 255.255.255.0
  object-network 192.168.52.0 255.255.255.0
  object-network 192.168.20.0 255.255.255.0
  object-network 192.168.56.0 255.255.255.0
  object-network 192.168.59.0 255.255.255.0
  object-network 10.111.14.0 255.255.255.0
  object-network 10.111.19.0 255.255.255.0
  the LNC_Blueleaf_Nets object-group network
  object-network 192.168.116.0 255.255.255.0
  access outside the permitted scope icmp any4 any4 list
  extended outdoor access allowed icmp a whole list
  outside_1_cryptomap list extended access permitted ip object-group LNC_Blueleaf_Nets-group of objects LNC_Local_TX_Nets
  inside_nat0_outbound list extended access permitted ip object-group LNC_Blueleaf_Nets-group of objects LNC_Local_TX_Nets
  LNC_BLF_HOU_VPN list extended access permitted ip object-group LNC_Blueleaf_Nets-group of objects LNC_Local_TX_Nets
  pager lines 24
  Enable logging
  asdm of logging of information
  Within 1500 MTU
  Outside 1500 MTU
  no failover
  ICMP unreachable rate-limit 1 burst-size 1
  ASDM image disk0: / asdm - 741.bin
  don't allow no asdm history
  ARP timeout 14400
  no permit-nonconnected arp
  !
  network obj_any object
  NAT dynamic interface (indoor, outdoor)
  outside access-group in external interface
  !
  router ospf 1
  255.255.255.255 network 192.168.116.254 area 0
  Journal-adj-changes
  default-information originate always
  !
  Route outside 0.0.0.0 0.0.0.0 50.201.218.94 1
  Timeout xlate 03:00
  Pat-xlate timeout 0:00:30
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy
  identity of the user by default-domain LOCAL
  the ssh LOCAL console AAA authentication
  AAA authentication enable LOCAL console
  Enable http server
  http 192.168.2.0 255.255.255.0 inside
  No snmp server location
  No snmp Server contact
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
  Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
  Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
  Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
  Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
  Crypto ipsec pmtu aging infinite - the security association
  card crypto outside_map 1 match address outside_1_cryptomap
  peer set card crypto outside_map 1 50.201.218.93
  card crypto outside_map 1 set transform-set ESP-3DES-SHA ikev1
  outside_map interface card crypto outside
  Crypto ca trustpoint _SmartCallHome_ServerCA
  no use of validation
  Configure CRL
  trustpool crypto ca policy
  Crypto ca certificate chain _SmartCallHome_ServerCA
  certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
  308204 4 a0030201 d 308205ec 0202106e cc7aa5a7 032009b 8 cebcf4e9 52d 49130
  010105 05003081 09060355 04061302 55533117 ca310b30 0d 864886f7 0d06092a
  30150603 55040 has 13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
  13165665 72695369 676e2054 72757374 204e6574 776f726b 313 has 3038 06035504
  0b 133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
  20617574 7a 656420 75736520 6f6e6c79 31453043 06035504 03133c 56 686f7269
  65726953 69676e20 436c 6173 73203320 5075626c 69632050 72696 72792043 61 d
  65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
  30303230 38303030 3030305a 170d 3230 30323037 32333539 35395a 30 81b5310b
  30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
  496e632e 311f301d 06035504 0b 131656 65726953 69676e20 54727573 74204e65
  74776f72 6b313b30 5465726d 20757365 20617420 73206f66 39060355 040b 1332
  68747470 7777772e 733a2f2f 76657269 7369676e 2e636f6d 2f727061 20286329
  302d 0603 55040313 26566572 69536967 61737320 33205365 6e20436c 3130312f
  63757265 20536572 76657220 20473330 82012230 0d06092a 864886f7 4341202d
  010101 05000382 010f0030 82010 0d has 02 b187841f 82010100 c20c45f5 bcab2597
  a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
  9c688b2e 957b899b 13cae234 34c1f35b f3497b62 d188786c 83488174 0253f9bc
  7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
  15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
  1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8 63cd
  18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
  4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
  81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 01 has 38201 02030100 df308201
  082b 0601 05050701 01042830 26302406 082 b 0601 db303406 05050730 01861868
  7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1 d 130101
  ff040830 02010030 70060355 b 200469 30673065 060, 6086 480186f8 1 d 060101ff
  45010717 03305630 2806082b 06010505 07020116 1 c 687474 70733a2f 2f777777
  2e766572 69736967 6e2e636f 6d2f6370 73302 has 06 082 b 0601 05050702 02301e1a
  1 c 687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
  03551d1f 042d302b 3029 has 027 a0258623 68747470 3a2f2f63 726c2e76 65726973
  69676e2e 636f6d2f 2d67352e 70636133 63726c 30 0e060355 1d0f0101 ff040403
  02010630 6d06082b 06010505 07010c 59305730 55160969 5da05b30 04 61305fa1
  6 d 616765 2f676966 3021301f 2b0e0302 30070605 1a04148f e5d31a86 ac8d8e6b
  c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
  69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
  1 b 311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301D 0603
  445 1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355 c 1604140d 551d0e04
  1 230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300 d 0609 d
  2a 864886 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80 f70d0101
  4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
  b2227055 d9203340 3307c 265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
  99 c 71928 8705 404167d 1 273aeddc 866d 24f78526 a2bed877 7d494aca 6decd018
  481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
  b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
  5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
  6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
  6c2527b9 deb78458 c61f381e a4c4cb66
  quit smoking
  crypto isakmp identity address
  Crypto isakmp nat-traversal 1500
  Crypto ikev1 allow outside
  IKEv1 crypto policy 10
  preshared authentication
  aes-256 encryption
  sha hash
  Group 5
  life 86400
  IKEv1 crypto policy 65535
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  Telnet timeout 5
  SSH stricthostkeycheck
  SSH 0.0.0.0 0.0.0.0 inside
  SSH 0.0.0.0 0.0.0.0 outdoors
  SSH timeout 5
  SSH version 2
  SSH group dh-Group1-sha1 key exchange
  Console timeout 0
  management-access inside

  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  attributes of Group Policy DfltGrpPolicy
  Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client
  username
  username
  tunnel-group 50.201.218.93 type ipsec-l2l
  IPSec-attributes tunnel-group 50.201.218.93
  IKEv1 pre-shared-key *.
  NOCHECK Peer-id-validate
  !
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  maximum message length automatic of customer
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the netbios
  inspect the rsh
  inspect the rtsp
  inspect the skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect the tftp
  inspect the sip
  inspect xdmcp
  Review the ip options
  !
  global service-policy global_policy
  context of prompt hostname
  call-home service
  anonymous reporting remote call
  call-home
  contact-email-addr [email protected] / * /
  Profile of CiscoTAC-1
  http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
  email address of destination [email protected] / * /
  destination-mode http transport
  Subscribe to alert-group diagnosis
  Subscribe to alert-group environment
  Subscribe to alert-group monthly periodic inventory
  monthly periodicals to subscribe to alert-group configuration
  daily periodic subscribe to alert-group telemetry
  Cryptochecksum:e519f212867755f697101394f40d9ed7
  : end
  LN-BLF-ASA5505 #.

  Assuming that you have an active IPSEC security association (i.e. "show crypto ipsec his" shows the tunnel is up), please perform a packet trace to see why it's a failure:

   packet-tracer input inside tcp 192.168.116.1 1025 192.168.1.1 80 detail

  (simulating a hypothetical customer of blue LNC tries to navigate to a hypothetical LNC TX Local site server)

• The GRE over IPSec vpn

  VAC

  http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a008009438e.shtml#diag

  It's lab that I did today, and offcouse, I am able to understand this laboratory bus are confusion

  1. Why do we use a card encryption on both interfaces (phiycal tunnel interface or interface)

  
  

  2. when I remove the interface tunnel encryption card I have this message

  ( R2691 #* 01:12:54.243 Mar 1: ISAKMP: (1002): purge node 2144544879 )

  Please tell me what is the meaning of this message

  3. but I do not see vpn works great. It comes to cryto his and crypto isakmp his

  R2691 #sh crypto ipsec his

  Interface: Serial0/0

  Crypto map tag: vpn, local addr 30.1.1.21

  protégé of the vrf: (none)

  local ident (addr, mask, prot, port): (30.1.1.21/255.255.255.255/47/0)

  Remote ident (addr, mask, prot, port): (10.1.1.1/255.255.255.255/47/0)

  10.1.1.1 current_peer port 500

  LICENCE, flags is {origin_is_acl},

  #pkts program: 65, #pkts encrypt: 65, #pkts digest: 65

  #pkts decaps: 66, #pkts decrypt: 66, #pkts check: 66

  compressed #pkts: 0, unzipped #pkts: 0

  #pkts uncompressed: 0, #pkts compr. has failed: 0

  #pkts not unpacked: 0, #pkts decompress failed: 0

  Errors in #send 2, #recv 0 errors

  local crypto endpt. : 30.1.1.21, remote Start crypto. : 10.1.1.1

  Path mtu 1500, mtu 1500 ip, ip mtu IDB Serial0/0

  current outbound SPI: 0xDBF65B0E (3690355470)

  SAS of the esp on arrival:

  SPI: 0x44FF512B (1157583147)

  transform: esp-3des esp-md5-hmac.

  running parameters = {Tunnel}

  Conn ID: 5, flow_id: SW:5, crypto card: vpn

  calendar of his: service life remaining (k/s) key: (4598427/3368)

  Size IV: 8 bytes

  support for replay detection: Y

  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:

  SPI: 0xDBF65B0E (3690355470)

  transform: esp-3des esp-md5-hmac.

  running parameters = {Tunnel}

  Conn ID: 6, flow_id: SW:6, crypto card: vpn

  calendar of his: service life remaining (k/s) key: (4598427/3368)

  Size IV: 8 bytes

  support for replay detection: Y

  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  R2691 #sh crypto isakmp his

  IPv4 Crypto ISAKMP Security Association

  status of DST CBC State conn-id slot

  30.1.1.21 10.1.1.1 QM_IDLE 1002 ASSETS 0

  ISAKMP Crypto IPv6 security association.

  How can 2: I know it using GRE over IPsec.

  I also join my topology on which I made lab

  Also beyond what I remember, in the old codes he was required to have a card encryption on tunnel and physical interface, but now is not.

  Since we use GRE over IPSEC, so for the verification of the tunnel I'll do the following steps:

  (1.) to check if the tunnel interface is in place. "show ip int br".

  2.) check if the statistics of tunnel are increasing and packages are browsing through it. 'show interface '.

  3.) check if crypto ACL includes only interesting traffic listed as GRE counterparts.

  (4.) If Yes, check the IPSEC Security Association statistics. "See the crypto ipsec his."

  If all of them are correct statistical evidence with respective counters increase traffic is passing by GRE and then by wrapping in IPSEC.

  I hope this helps.

  Kind regards

  Anuj

• GRE over IPSEC

  Hi all

  I am setting up IPSEC tunnel GRE... I am able to get neighbors OSPF looked through the GRE tunnel, but when traffic is sent through the gre tunnel it does not encrypt and transmit through plaintext despite she buy from loopback interfaces

  Here is my config

  Config of R1
  crypto ISAKMP policy 10
  BA aes
  preshared authentication
  Group 5
  test key crypto isakmp 192.168.1.2 address

  Crypto ipsec transform-set test aes - esp esp-sha-hmac

  test card crypto-address Ethernet0/0
  test 10 map ipsec-isakmp crypto
  defined peer 192.168.1.2
  Set transform-set test
  match address WILL

  GRE extended IP access list
  allow gre 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255

  interface Ethernet0/0
  No switchport
  IP 192.168.1.1 255.255.255.0
  crypto map test

  interface Loopback0
  IP 10.0.10.1 255.255.255.0
  IP ospf 1 zone 0

  Tunnel1 interface
  10.0.100.2 IP address 255.255.255.0
  IP ospf 1 zone 0
  source of tunnel Ethernet0/0
  tunnel destination 192.168.1.1
  end

  -----------------------------------------------------------
  R2 config

  crypto ISAKMP policy 10
  BA aes
  preshared authentication
  Group 5
  test key crypto isakmp 192.168.1.1 address
  !
  !
  Crypto ipsec transform-set test aes - esp esp-sha-hmac
  !
  !
  !
  test card crypto-address Ethernet0/0
  test 10 map ipsec-isakmp crypto
  defined peer 192.168.1.1
  Set transform-set test
  match address GR
  !

  GR extended IP access list
  allow gre 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255

  interface Ethernet0/0
  No switchport
  IP 192.168.1.2 255.255.255.0
  crypto map test

  interface Loopback0
  IP 10.0.20.1 255.255.255.0
  IP ospf 1 zone 0

  Tunnel1 interface
  10.0.100.1 IP address 255.255.255.0
  IP ospf 1 zone 0
  source of tunnel Ethernet0/0
  tunnel destination 192.168.1.2
  end

  -------------------------------------------

  Hello

  With p2p GRE over IPsec solution, all traffic between sites is encapsulated in a GRE p2p package before the process of encryption.

  More info on this link:

  http://www.Cisco.com/c/en/us/TD/docs/solutions/Enterprise/WAN_and_MAN/P2...

  Kind regards

  Aditya

  Please evaluate the useful messages and mark the correct answers.

• GRE over IPsec, ASA and NAT - t.

  I want to establish WILL IPsec tunnel between four branches and headquarters. In executive offices, I have router 1841 with the advanced security software. At Headquarters, I have a 7.2 ASA5510 as frontend with a IP address public and 1841 router behind him in the private address space. Given that the ASA does not support GRE tunnels, ASA may be endpoint for GRE over IPsec? If this isn't the case, ASA may pass through this tunnel to the router 1841 behind her, 1841 would be endpoint logic tunnel? What should I watch out for? The ASA and each 1841 support NAT - T, or just ASA?

  The ASA does not support GRE.

  The router would be the GRE tunnel endpoint.  The ASA would be endpoint for IPSEC VPN.  NAT - T should not be a matter of concern if the ASA and the remote routers directly connected to the internet.

  HTH.

• To confirm the network is GRE over IPSEC

  Hello world

  We have Cisco 4500 device GRE tunnel and next hop is that ASA makes the IPSEC VPN over WAN.

  If this type of network is called free WILL on the right of IPSEC?

  Also when I do on 4500 sh int tu0

  reliability 255/255, txload 79/255, rxload 121/255

  5 minute input rate 2228000 bps, 790 packets/s

  5 minute output rate 780000 bps, 351 packets/s

  Need to understand which shows that data transmitted by tunnel LIKING which is not encrypted right?

  To verify ipsec ASA which is encrypted data that we do sh right its isakmp crypto?

  When we apply crypto map on the physical interface ASA here?

  Thank you

  Mahesh

  If your GRE tunnel protection applied to this topic, so I think that the transmitted data is encrypted. GRE over ipsec simply means the application of the protection of tunnel to tunnel will otherwise it's just a simple GRE tunnel.

  Side that Show crypto isakmp his, you can also check if the traffic from one site to another is using GRE or not by issuing crypto ipsec to show its, it will tell you the number of Protocol and it should say 47. And if you use the protection tunnel command to set the ipsec tunnel, you will not need to define cryptographic cards more.

• DMVPN & GRE over IPsec on the same physical interface

  Dear all,

  I am setting up two routers WAN, each router wan has a physical interface connecting to the branches and regional office by using the same provider.

  We will use the GRE over IPsec to connect to Office regional and DMVPN + EIGRP to branches.

  I would like to know if it is possible to configure tunnels for GRE over IPsec and DMVPN + EIGRP using the same source physical interface.

  Good answer, it's an urgent request and your response is much appreciated.

  Kind regards

  Hi Savio,

  It should work. We can configure dmvpn and gre-over-ipsec on ASA using the same physical interface.

  Kind regards

  NGO

• GRE in IPSEC tunnel

  Hello

  I have a question where I nee to close a tunnel IPSEC and GRE on my hub, is this possible?

  The GRE tunnel will be in the IPSEC tunnel.

  No. I don't think that you can terminate a GRE tunnel on a concentartor. What you can do is to put an end to a GRE tunnel on a router behind the hub. The tunnel can go through the hub. You can specify the traffic between the source/destination as interetsting and things should work fine.

• GRE over IPSec - choose a source interface

  I have a 3660 with two T1 from different suppliers running BGP. Our ASN space is on f0/0, with the two serial interfaces T1 with an address of series on the networks of their respective providers.

  I am trying to configure an IPSec tunnel and made on the part of the interfaces series (as I normally do in smaller offices with a single T1). I have then reconfigure the card encryption to be on f0/0 and any other relevant changes on both sides at the source of this traffic of f0/0. IPSec negotiates and makes its way thorugh on the 3660, I see even a peer EIGRP come with the remote. This peer eventually falls, and the review of the wristwatch that sends him away and the 3660 receives, but no package never leave the 3660 (on the its).

  Any suggestions on where start looking for it, or is there a best/recommended/example configuration of a similar setup, I could look at?

  Thanks in advance,

  Daryl

  To bind the cryptographic card for an interface use the command:

  card crypto 'name card' - address "interface."

  FOR EXAMPLE:

  Crypto map crypt-map1-address Loopback2

  -Brett

• Problem of authenticating users on L2TP over IPSec tunnel

  I have a client with an old PIX-515e firewall with firmware 7.2 (4), and due to certain circumstances, I'm trying to configure L2TP over IPSec. I'm stuck at a "Error 691: the remote connection has been deinied because the user name and password combination, you have provided is not recognized, or the selected authentication protocol is not permitted on the remote access server." I have local installation of authentication for this connection, and I tried to use ms-chap-v2, chap and pap, and give the same results. I have confirmed the username and the password, but I can't after that.

  The PIX, I don't see "AAA user authenticaton rejected: reason = invalid password: local database: user = tetstuser". I can still see the password unencrypted on the screen, so I can copy and paste the username and password in the appropriate fields, and I still have this error.

  Does anyone have an idea where the problem lies perhaps? Thank you.

  Can you please change the user as described in the doc, I shared and as indicated by the Rohan peers and share the results of the tests?

  Kind regards

  Dinesh Moudgil

  PS Please rate helpful messages.

• Problem passing traffic through the VPN tunnel

  With well over 150 VPN lan-to-lan tunnels configured, I can usually get tunnels upward. However, this one is stumping me, unless the ISP is to give false information. Using a router Cisco 871 on-site a Cisco 3005 concentrator in my data center, I have set up my tunnel. The tunnel will go up but won't traffic. I am sure that the configurations on both devices are correct because I use a lot of "cut-and - paste." So, the only question seems to be the modem/router provided by your ISP. Usually, when this happens, the problem is with NAT enabled on their equipment. According to them, that it is not enabled on their NAT router. Where can else I check? Any ideas?

  Check access lists and a static route

  Try these links: >

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_guide_chapter09186a00803ee1e4.html#wp999593

  http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_tech_note09186a00800949c5.shtml

• Isse NAT with Gre over Ipsec

  Hi guys!

  I have a little problem with my setup.

  I would like to join the Y in X host through a VPN tunnel.

  My setup works fine, until I have add this static nat entry:

  -ip nat inside source static 10.20.20.1 198.41.10.1

  In this case, the tunnel endpoints cannot reach each other (172.16.13.1 <->172.16.13.2).

  The Ext_Router made the Nat translation and the tunnel is located between Ext_Router and R7.

  What is the problem?

  The configuration files are attached.

  

  Hello

  First, I would like to say that my relationship with GRE + IPsec have been pretty slim.

  But what seems to me looking at the configurations and NAT, is that you must following configurations with respect to NAT on R5/Ext_Router

  • Configuration of PAT translation for LAN 2 networking using the IP address of Serial 0/0 as a PAT address
  • A static NAT for a single host LAN that uses ALSO address IP Serial0/0 for the translation.

  If the NAT router operation is something like the Cisco PIX or ASA. The static NAT completely replaces PAT (overload) configuration and therefore no user belonging to networks source ACL 1 wont be able to use the NAT and therefore traffic will not work for them but should probably work for the host of the 10.20.20.1 Static NAT?

  Could be the problem? Pourrait 198.41.10.x another IP, be used for the static NAT?

  -Jouni

• 1841 can route between tunnel GRE and IPSEC tunnel?

  Hello everyone!

  See the image below.

  Main office (10.0.1.0/24 LAN) and branch (10.0.2.0/24 LAN) are connected through the GRE tunnel.

  The third office (10.0.3.0/24) is attached to the second branch via IPSEC.

  Is there the way to establish the connection between the third and the main office through cisco 1841?

  Is it possible to perform routing, perhaps with NAT?

  In fact we need connection with a single server in the main office.

  Thank you

  Hello

  It is possible to build this configuration.

  the IPSEC connection between 10.0.3.x and 10.0.2.x should also encapsulate the traffic to main office.

  Steps to follow:

  Central office, to shift traffic to 10.0.3.x above the GRE tunnel.

  The second part, add the 10.0.3.x - 10.0.1.x selection of traffic to the ACL IPSEC with the third

  The third part, add the 10.0.3.x - 10.0.1.x selection of traffic to the ACL IPSEC with the second pane.

  Please rate if this helped.

  Kind regards

  Daniel

• Problem with GRE over IPsec with IOS Version 15.1 (2) T4

  Hello

  We have several sites that use of GRE Tunnels with card crypto for encryption.  To upgrade to the latest version of a UC-520 (15.1 (2) T4 or any version of this train) I get the following error: -.

  SIN-UC520(config-if) #crypto map aberdeen

  % NOTE: crypto card is configured on the tunnel interface.

  Currently, only one card encryption GDOI is supported on the tunnel interface.

  The original Tunnel config is below:-

  interface Tunnel0

  Description Tunnel to Aberdeen AC

  bandwidth of 512

  IP unnumbered Vlan1

  IP mtu 1420

  QoS before filing

  tunnel source a.b.c.d

  destination e.f.g.h tunnel

  Crypto map aberdeen

  Decommissioning of the IOS version solves the problem.   What gives?  Have Cisco dropped support for this configuration?

  I use this setup so I can choose exactly which traffic is encrypted (I do not encrypt voice for example).

  Thank you
  Peter.

  Hi Peter,.

  It looks like from the 15.1 this configuration is no longer supported. Here's what the release notes:

  Error message appears when you try to apply the tunnel interface to a card encryption.

  Old behavior: Error Message is not displayed when you try to apply tunnel interface card encryption using the command card crypto (interface IPSec).

  New behavior: an error message appears when you try to apply the tunnel interface to a crypto map using the

  crypto map command (interface IPSec).

  http://www.Cisco.com/en/us/docs/iOS/15_1/release/notes/151TNEWF.html

  The order reference has the following information about the error message:

  

  A card encryption cannot be applied to a tunnel interface. If you try to apply the tunnel interface to a card encryption, an error message is displayed as follows: crypto card is configured on the tunnel interface. Currently, only card crypto Group domain of interpretation (GDOI) is supported on the tunnel interface.

  http://www.Cisco.com/en/us/docs/iOS/Security/command/reference/sec_c4.html#wp1078283

  So it seems that on the new version, you can only use one (new to me) maps crypto GDOI on your tunnel interfaces.

  Here's a doc that explains the GDOI implementation, I wish that I could help with the Setup, but as I said, I had not heard of him until today.

  http://www.Cisco.com/en/us/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6811/prod_white_paper0900aecd804c363f.html

  I hope this clarifies your questions.

  Raga