How a GRE tunnel is applied to a physical interface?

Similar Questions

• DMVPN & GRE over IPsec on the same physical interface

  Dear all,

  I am setting up two routers WAN, each router wan has a physical interface connecting to the branches and regional office by using the same provider.

  We will use the GRE over IPsec to connect to Office regional and DMVPN + EIGRP to branches.

  I would like to know if it is possible to configure tunnels for GRE over IPsec and DMVPN + EIGRP using the same source physical interface.

  Good answer, it's an urgent request and your response is much appreciated.

  Kind regards

  Hi Savio,

  It should work. We can configure dmvpn and gre-over-ipsec on ASA using the same physical interface.

  Kind regards

  NGO

• Move on to a different physical interface same ASA L2L tunnel

  Some may describe the process to move a tunnel L2L existing since one physical interface to another?

  Thank you!

  Sent by Cisco Support technique iPhone App

  Add the map encryption to the new interface

  card crypto IPSEC interface new_outside

  You will also need to add isakmp to the new interface

  ISAKMP crypto enable new_outside

  If you have a new public IP address, then you will need to create a new VPN Group also.

• The GRE Tunnel descends?

  So here's my setup:

  Internal router (2821) > Cluster internal DMZ ASA > router DMZ (2821) > external DMZ Checkpoint Cluster > Branch Office router (877)

  Internal Cluster ASA a configured PAT production internal then all the VLANS.

  The router in the DMZ has an interior interface configured on the internal DMZ and an external interface configured on the external DMZ. The DMZ router has two interfaces configured loopback.

  The external control point is configured with NAT for the incoming and outgoing traffic.

  The branch is a DSL router with a static IP address.

  The first requirement is to configure a GRE IPSec tunnel between the DMZ router and the branch office router.

  The second condition is to configure a GRE IPSec tunnel between the internal router and the router in the DMZ.

  The third requirement is to allow routing between the internal router and the branch through the router in the DMZ, because it is ultimately the connection between the head office and branch of live backup.

  I configured a Contract by the IPSec Tunnel between the router in the DMZ and routers of Management Office successfully.

  I can also set up a GRE Tunnel (without IPSec) between the internal router and the router in the DMZ.

  However, whenever the GRE Tunnel establishes between internal and DMZ routers and a neighbouring forms EIGRP, EIGRP neighborhood between the router in the DMZ and the branch drops! See following the DMZ router log file:

  1 = to branch tunnel

  Tunnel of 100 = internal

  002885:. 3 Mar 22:32:57.013: % LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed State to
  002886:. 3 Mar 22:33:06.029: % DUAL-5-NBRCHANGE: IPv4 EIGRP 1: neighbor 172.17.205.61 (Tunnel1) is on the rise: new adjacency
  002889:. 3 Mar 22:33:58.434: % LINK-3-UPDOWN: Interface Tunnel100, changed State to
  002890.: 3 Mar 22:33:58.438: % LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel100, changed State to
  002891:. 3 Mar 22:34:15.370: % DUAL-5-NBRCHANGE: IPv4 EIGRP 1: neighbor 192.168.5.66 (Tunnel100) is on the rise: new adjacency
  002892:. 22:34:30.551 3 Mar: % DUAL-5-NBRCHANGE: 1 IPv4 EIGRP: neighbour 172.17.205.61 (Tunnel1) is falling: expiry of hold time
  002893:. 3 Mar 22:34:47.015: % LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, state change downstairs

  The IPSec tunnel, for the branch remains in place throughout.

  Can anyone help!?

  The problem was that whenever the GRE Tunnel established between internal and DMZ routers and a forms of EIGRP neighbor branch was learning the next hop to the destination of tunnel from a different device.

  This is how the branch was to learn the route to the tunnel destination:

  Tunnel1 interface

  Tandragee Sub Station router VPN Tunnel description

  bandwidth 64

  IP 172.17.205.62 255.255.255.252

  no ip-cache cef route

  delay of 20000

  KeepAlive 10 3

  source of tunnel Loopback1

  tunnel destination 172.17.255.23

  be-idz-vpn-01 #sh ip route 172.17.255.23

  Routing for 172.17.255.23/32 entry

  Through the 'static', the metric distance 1 0 known

  Routing descriptor blocks:

  * 172.17.252.129

  Path metric is 0, number of shares of traffic 1

  be-idz-vpn-01 #sh ip route 172.17.252.129

  Routing for 172.17.252.128/25 entry

  Known via 'connected', distance 0, metric 0 (connected, via the interface)

  Routing descriptor blocks:

  * directly connected by GigabitEthernet0/1

  Path metric is 0, number of shares of traffic 1

  be-idz-vpn-01 #.

  This is how the next hop as learned GRE Tunnel between internal and DMZ routers

  be-idz-vpn-01 #sh ip route 172.17.252.129

  Routing for 172.17.252.128/27 entry

  By the intermediary of "eigrp 1", the known distance 170, metric 40258816, type external

  Redistribution via eigrp 1

  Last updated on Tunnel100 192.168.5.66, ago 00:07:25

  Routing descriptor blocks:

  * 192.168.5.66, 192.168.5.66, there is, through Tunnel100 00:07:25

  Path metric is 40258816, 1/number of shares of traffic is

  Time total is 10110 microseconds, minimum bandwidth 64 Kbps

  Reliability 255/255, MTU minimum 1476 bytes

  Loading 1/255, 2 hops

  We can see how the next hop to the destination of tunnel 172.17.255.23 changed from known via 'connected' via GigabitEthernet0/1 known via "eigrp 1" through Tunnel100.

  This case causes the Tunnel 1 drops.

  The reason for this behavior was because the road to reach the next hop was acquired with a longest match through tunnel interface so that he won the race to the routing table.

  The solution we applied:

  Created a list of distribution on the branch office router in order to remove this specific route Tunnel 100 updates.

  Router eigrp 1

  distribute-list 1

  Network 10.10.10.0 0.0.0.3

  network 172.17.203.56 0.0.0.3

  network 172.17.203.60 0.0.0.3

  network 172.17.205.60 0.0.0.3

  network 172.19.98.18 0.0.0.0

  network 192.168.5.64 0.0.0.3

  passive-interface Loopback1

  be-idz-vpn-01 #sh access-list 1

  IP access list standard 1

  10 deny 172.17.252.128, wildcard bits 0.0.0.127 (1 match)

  20 permit (1230 matches)

  be-idz-vpn-01 #.

  Once this has been applied, we could have the GRE Tunnel established between internal and DMZ routers with the tunneld ACCORD between the branch and the router in the DMZ.

• NAT & GRE Tunnel

  Hello

  I have a test installation routers 2 with a GRE tunnel which works very well in the test configuration. My question is if I transfer this config for direct mounting how I would exempt traffic over the tunnel WILL be natted? Everything else is the traffic destined for the internet should be tapped to the external interface. Would need a road map for this?

  Thank you

  R1

  --

  interface Tunnel0

  IP 192.168.200.2 255.255.255.0

  dissemination of IP ospf network

  KeepAlive 10 3

  source of tunnel FastEthernet0

  tunnel destination 1.1.1.1

  crypto mymap map

  interface FastEthernet0

  Outside of the Interface Description

  1.1.1.2 IP 255.255.255.0

  automatic speed

  crypto mymap map

  R2

  --

  Tunnel1 interface

  192.168.200.1 IP address 255.255.255.0

  dissemination of IP ospf network

  KeepAlive 10 3

  source of tunnel FastEthernet0

  tunnel destination 1.1.1.2

  crypto mymap map

  interface FastEthernet0

  Outside of the Interface Description

  IP 1.1.1.1 255.255.255.0

  automatic speed

  crypto mymap map

  Yes you are right.

• GRE tunnel

  Hi - I'm trying to understand how the network described in the configuration http://pastebin.com/fM40vxcG is structured. I'm fighting for work on how I am connected to 10.144.254.1 before building a gre tunnel by using the node as a tunnel destination. Thank you very much

  concerning

  Vladimir

  Hello Vladimir,.

  I checked your link.

  I was you I wouldn't stick my Pwd VPN on a public forum, which is not really sure (unless you used a collar). If this isn't the case, you can edit your post and point to another link with pw stripped and can change the public ip addresses as well.

  Regarding your configuration, you have an encryption card configured with an ACL that match the tunnel.

  So in the end, your GRE tunnel using the private IP address is encapsulated in an IPSEC Tunnel using public IPS (see set crypto map peer): then you have a tunnel tunnel.

  I can't tell you the object of this since I do not know your topology.

  Hope this helps,

  Bastien.

• GRE tunnels and no gre

  I am doing a test vpn on a router to an ASA 18xx.

  the existing router already has 3 site-to-site vpn/s. They use GRE tunnels. I would like to add another site to site VPN but not not using gre Tunnels.

  I don't have what an output interface, which has the card crypto applied gre. If I add it to the existing encryption card, he will try to go through the gre tunnel

  Is there a way I can get this to work?

  This part of the config seems to be OK.

  You need to know why the tunnel peer X.X.X.44 is not to build.

  Check the ACL 180 and also make sure that you are not blocking that traffic to AL-FA0-IN

  I see you do NAT on fa0 - propably you have to exclude that VPN NAT traffic.

  ---

  Michal

• How to set the parameter "Apply to all folders" never works?

  Should we wait for an SP1 update or something?  It worked fine under XP!  He is broken in Vista and I was hoping that Microsoft fixed in 7 but it still does not work?

  I just want all my files in the LIST format display everytime I open a new window to the Solution Explorer, but no matter how many times I click "Apply to all folders", it does not work.

  TAGS: change, default, view, windows Explorer

  He asked how to apply a setting to all folders. You said how to define a view in a folder TYPE (which, btw, does not seem to work either). If you do not answer the question, why say anything at all? : P

  Microsoft is always disappointing me. I just bought a laptop with Windows 7 and I can't do a lot of things I did in XP (the configuration mentioned above, for example). I don't understand why they would remove operating characteristics, good. But they do... :(

  See http://en.wikipedia.org/wiki/List_of_features_removed_in_Windows_7 for a reference.

• IGP and GRE Tunnel

  GRE.png

  

  Please see the photo above two connected sites using FA 0/1 R1 and R2 and a GRE Tunnel is formed.

  Case 1:

  We have a point-to-point connection between two routers and the IP address assigned to FA 0/1 on R1 and R2 belong to the same subnet. We then configure a GRE Tunnel on these as indicated in the topology:

  • Using such as eigrp and ospf IGP we can peer routers R1 and R2 using the tunnel and the point-to-point connections.
  • This will make the redundant paths between two routers
  • This will form the double equal relationship between the two routers (for example for EIGRP or OSPF).
  • Or we can tunnel just for the exchange of traffic between two routers.

  My Question:

  1. What is the standard in this topology using the two connection for iGP peering or just tunnel in the real world?
  2. What is the standard in this topology using the two connection for iGP peering or tunnel just in a review?

  Case 2:

  If Fa 0/1 on both routers is all public IPs and in fact do not belong to the same subnet. So I think that we have to create a Tunnel between the two routers and then use the tunnel both routers for iGP peer.

  My Question:

  • I just want to know there is a valid case and also do we get this case in a review?

  What comments can you do on both cases freely, I just create these two cases to clear my mind.

  Basically the tunnel's link to Point Virtual Point between two routers. When you have two router physically connected by Point to point the link for this tunnel has no utility, but if you have two routers separate my many network jumps then GRE and IPsec tunnel is useful, and in this case tunnel gives you the ease of the logical Point to Point network.

  In the tunnel you can run any routing protocol ospf, eigrp, BGP route smiler or Sttic as interface point-to-point between two routers.

  Answer to your question on my opinion are as below

  case 1

  1. What is the standard in this topology using the two connection for iGP peering or just tunnel in the real world? -No use of the tunnel in this case in the real world so he will use any routing protocol between physical point-to-point interface.
  2. What is the standard in this topology using the two connection for iGP peering or tunnel just in a review? -Same as above point Exam are mostly due to the scenario of the real world (not sure what you're talking about what exam).

  Case 2

  • I just want to know there is a valid case and also do we get this case in a review? -Yes, this is valid in the real world, but also optical examination specially DMVPN and Ipsec tunnel in the CCIE exam.

  Please always evaluate the useful post!

  Kind regards

  Pawan (CCIE # 52104)

• Multicast over GRE tunnel traffic

  Hi guys,.

  I have a connection via ISP connection point to point BGP on a connection of 100 Mbps between the branch and the central office.

  I set up in two cisco routers with ios security advance 2801 a tunnel WILL running the ospf Protocol so I can share the multicast traffic for streaming between the two sites, but I am only able to get 6 Mbps out of the tunnel between the sites. I have configured multicast PIM sparc-mode to transport video traffic above the tunnel.

  Is there a limit on the GRE tunnel, could it be MTU, or perhaps other issues anyone can help me solve this question guys?

  Hello

  There is a lot of discussion about the limitations of bandwidth on the tunnel interface. But most of the discussions flow seems to be linked to the limitation of the software on the device.

  Issues could be related to MTU. Have you enabled PMTUD on the tunnel interface? If this is not the case, turn it on, as it recommended on the tunnel interface.

  HTH.

  Evaluate the useful ticket.

  Kind regards

  Terence

• VPN3000 as an end of GRE tunnel

  Dear all,

  Is it possible for a VPN3000 to close a GRE tunnel by its own interface (private or public)? As long as I see in the GUI, looks like there no option for config one end of GRE tunnel. You can configure a GRE filter, but it comes through a GRE traffic, I'm right?

  Best regards

  Engel

  Engel,

  You can not cancel a Grateful for lan-to-lan tunnel based on a hub (as in IOS). Protocol PPTP uses GRE as the transport protocol, which supports a concentrator of VPN3K (and therefore filters and debugs for GRE)

  Hope that answers your question

  Jean Marc

• Questions about the Internet browsing GRE tunnel ISPec

  I am faced with Internet navigation problems when distened to the customer's internet traffic. mail.Yahoo.com does not open on the client, while yahoo.com works very well. Same streaming and apps from apple works does not on iphone, but distened for data center traffic works very well. If I remove the protection of IPSec of GRE tunnel then everything works fine.

  Please guide what to do, I have attached a diagram of scenario

  Hello

  It is difficult to suggest, but MTU issue could be the reason for the problem.

  Do you have the command of setting-mss tcp ip on both interfaces of tunnel?

  If not, please try to add:

  Tunnel X interface

  IP tcp adjust-mss 1300

  If it helps, you can try to increase the value of 1300 to 1360 MMS (which is recommended by Cisco)

• GRE tunnels

  I have a router Cisco 2811 configured with a GRE tunnel, and I want to add another tunnel to another remote site. It's the first tunnel configuration:

  Tunnel1 interface

  IP 10.1.1.1 255.255.255.252

  IP access-group 10 out

  IP nat inside

  IP virtual-reassembly

  KeepAlive 10 3

  source of tunnel Vlan1

  tunnel destination xxx.xxx.xxx.xxx

  card crypto IPSEC_VPN

  I have some doubts on that subnet to configure for the second tunnel.

  In the existing tunnel, the IP address is: 10.1.1.1 and mask: 255.255.255.252 subnet so is 10.1.1.0. I guess, I have to configure another different subnet (i.e. 10.1.2.0) for the second tunnel, but what IP address and the mask, 10.1.2.1 255.255.255.0?

  When a PC from the router's local network tries to connect to the remote router using the tunnel, what IP address it use?

  Thanks and greetings

  You're wrong, your PC's need is a route of default gateway for the router, a default route is a route that defines, all unknown IP traffic must be forwarded to the next hop that is defined in the default route.

• GRE tunnels will not come on VPN IPsec/GRE

  Hi all

  We have 400 + remote sites that connect to our central location (and a backup site) using Cisco routers with vpn IPSec/GRE tunnels.  We use a basic model for the creation of tunnels, so there is very little chance of a bad configuration on each router.  Remote sites use Cisco 831 s, central sites use Cisco 2821 s.  There is a site where the tunnels WILL refuse just to come.

  Routers are able to ping their public IP addresses, so it is not a routing problem, but gre endpoints cannot ping.  There is no NATing involved, two routers directly accessing the Internet.  The assorded display orders seem to indicate that the SAs are properly built, but newspapers, it seems that last part just don't is finished, and the GRE tunnels come not only upward.

  The attached log file, it seems that both its IPSEC & ISAKMP are created @ 00:25:14, then QM_PHASE2 end @ 00:25:15.

  00:25:15: ISAKMP: (0:10:HW:2): node error 1891573546 FALSE reason for deletion "(wait) QM.
  00:25:15: ISAKMP: (0:10:HW:2): entrance, node 1891573546 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
  00:25:15: ISAKMP: (0:10:HW:2): former State = new State IKE_QM_R_QM2 = IKE_QM_PHASE2_COMPLETE
  00:25:15: ISAKMP (0:268435467): received 208.XX packet. Dport 500 sport Global 500 (I) QM_IDLE yy.11
     
  00:25:15: IPSEC (key_engine): had an event of the queue with 1 kei messages
  00:25:15: IPSEC (key_engine_enable_outbound): rec would prevent ISAKMP
  00:25:15: IPSEC (key_engine_enable_outbound): select SA with spinnaker 1572231461/50
  00:25:15: ISAKMP: (0:11:HW:2): error in node-1931380074 FALSE reason for deletion "(wait) QM.
  00:25:15: ISAKMP: (0:11:HW:2): entrance, node-1931380074 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
  00:25:15: ISAKMP: (0:11:HW:2): former State = new State IKE_QM_R_QM2 = IKE_QM_PHASE2_COMPLETE
  00:25:15: IPSEC (key_engine): had an event of the queue with 1 kei messages
  00:25:15: IPSEC (key_engine_enable_outbound): rec would prevent ISAKMP
  00:25:15: IPSEC (key_engine_enable_outbound): select SA with spinnaker 310818168/50

  I don't have the remote router log file, and is very long, so I joined her.  Before that I captured the log file, I enabled debugging ipsec & isakmp and immediately authorized the SAs.

  Assorted useful details and matching orders of show results:

  Cisco IOS Software, C831 (C831-K9O3SY6-M), Version 12.4 (25), RELEASE SOFTWARE (fc1)

  There are 2 connections of IPSEC/GRE tunnel:

  Tunnel101: KC (208.YY. ZZ.11) - remote control (74.WW. XX.35)
  Tunnel201: Dallas (208.XX. YY.11) - remote control (74.WW. XX.35)

  Site-382-831 #sho ip int br
  Interface IP-Address OK? Method State Protocol
  FastEthernet1 unassigned YES unset down down
  FastEthernet2 unassigned YES unset upward, upward
  FastEthernet3 unassigned YES unset upward, upward
  FastEthernet4 unassigned YES unset upward, upward
  Ethernet0 10.3.82.10 YES NVRAM up up
  Ethernet1 74.WW. XX.35 YES NVRAM up up
  Ethernet2 172.16.1.10 YES NVRAM up up
  Tunnel101 1.3.82.46 YES NVRAM up toward the bottom<>
  Tunnel201 1.3.82.62 YES NVRAM up toward the bottom<====  ="">
  NVI0 unassigned don't unset upward upwards

  Site-382-831 #.
  Site-382-831 #sho run int tunnel101
  Building configuration...

  Current configuration: 277 bytes
  !
  interface Tunnel101
  Description % connected to the 2nd KC BGP 2821 - PRI - B
  IP 1.3.82.46 255.255.255.252
  IP mtu 1500
  IP virtual-reassembly
  IP tcp adjust-mss 1360
  KeepAlive 3 3
  source of tunnel Ethernet1
  destination of the 208.YY tunnel. ZZ.11
  end

  Site-382-831 #.

  Site-382-831 #show isakmp crypto his
  status of DST CBC State conn-id slot
  208.XX. YY.11 74.WW. XX.35 QM_IDLE ASSETS 0 11
  208.YY. ZZ.11 74.WW. XX.35 QM_IDLE 10 0 ACTIVE
  Site-382-831 #.

  Site-382-831 #.
  Site-382-831 #show detail of the crypto isakmp
  Code: C - IKE configuration mode, D - Dead Peer Detection
  NAT-traversal - KeepAlive, N - K
  X - IKE extended authentication
  PSK - GIPR pre-shared key - RSA signature
  renc - RSA encryption

  C - id Local Remote I have VRF status BA hash Auth DH lifetime limit.
  11 74.WW. XX.35 208.XX. YY.11 ACTIVE 3des sha psk 1 23:56:09
  Connection-id: motor-id = 11:2 (hardware)
  74.WW 10. XX.35 208.YY. ZZ.11 ACTIVE 3des sha psk 1 23:56:09
  Connection-id: motor-id = 10:2 (hardware)
  Site-382-831 #.

  Site-382-831 #.
  Site-382-831 #show crypto ipsec his

  Interface: Ethernet1
  Tag crypto map: IPVPN_MAP, local addr 74.WW. XX.35

  protégé of the vrf: (none)
  ident (addr, mask, prot, port) local: (74.WW. XX.35/255.255.255.255/47/0)
  Remote ident (addr, mask, prot, port): (208.YY. ZZ.11/255.255.255.255/47/0)
  current_peer 208.YY. ZZ.11 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: 2333, #pkts encrypt: 2333, #pkts digest: 2333
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  #send 21, #recv errors 0

  local crypto endpt. : 74.WW. XX.35, remote Start crypto. : 208.YY. ZZ.11
  Path mtu 1500, mtu 1500 ip, ip mtu IDB Ethernet1
  current outbound SPI: 0x45047D1D (1157922077)

  SAS of the esp on arrival:
  SPI: 0x15B97AEA (364477162)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2004, flow_id: C83X_MBRD:4, crypto card: IPVPN_MAP
  calendar of his: service life remaining (k/s) key: (4486831/1056)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0x45047D1D (1157922077)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2003, flow_id: C83X_MBRD:3, crypto card: IPVPN_MAP
  calendar of his: service life remaining (k/s) key: (4486744/1056)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  protégé of the vrf: (none)
  ident (addr, mask, prot, port) local: (74.WW. XX.35/255.255.255.255/47/0)
  Remote ident (addr, mask, prot, port): (208.XX. YY.11/255.255.255.255/47/0)
  current_peer 208.XX. YY.11 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: 2333, #pkts encrypt: 2333, #pkts digest: 2333
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  #send 21, #recv errors 0

  local crypto endpt. : 74.WW. XX.35, remote Start crypto. : 208.XX. YY.11
  Path mtu 1500, mtu 1500 ip, ip mtu IDB Ethernet1
  current outbound SPI: 0xE82A86BC (3895101116)

  SAS of the esp on arrival:
  SPI: 0x539697CA (1402378186)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2008, flow_id: C83X_MBRD:8, crypto card: IPVPN_MAP
  calendar of his: service life remaining (k/s) key: (4432595/1039)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0xE82A86BC (3895101116)
  transform: esp-3des esp-sha-hmac.
  running parameters = {Tunnel}
  Conn ID: 2001, flow_id: C83X_MBRD:1, crypto card: IPVPN_MAP
  calendar of his: service life remaining (k/s) key: (4432508/1039)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:
  Site-382-831 #.

  Site-382-831 #.
  Site-382-831 #show crypto ipsec his | Pkts Inc. | life
  #pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  calendar of his: service life remaining (k/s) key: (4486831/862)
  calendar of his: service life remaining (k/s) key: (4486738/862)
  #pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  calendar of his: service life remaining (k/s) key: (4432595/846)
  calendar of his: service life remaining (k/s) key: (4432501/846)
  Site-382-831 #.

  Site-382-831 #.
  Site-382-831 #show crypto isakmp policy

  World IKE policy
  Priority protection Suite 10
  encryption algorithm: three key triple a
  hash algorithm: Secure Hash Standard
  authentication method: pre-shared Key
  Diffie-Hellman group: #1 (768 bits)
  lifetime: 86400 seconds, no volume limit
  Default protection suite
  encryption algorithm: - Data Encryption STANDARD (56-bit keys).
  hash algorithm: Secure Hash Standard
  authentication method: Rivest-Shamir-Adleman Signature
  Diffie-Hellman group: #1 (768 bits)
  lifetime: 86400 seconds, no volume limit
  Site-382-831 #.

  Site-382-831 #show crypto card
  "IPVPN_MAP" 101-isakmp ipsec crypto map
  Description: at the 2nd KC BGP 2821 - PRI - B
  Peer = 208.YY. ZZ.11
  Extend the PRI - B IP access list
  access list PRI - B allowed will host 74.WW. XX.35 the host 208.YY. ZZ.11
  Current counterpart: 208.YY. ZZ.11
  Life safety association: 4608000 Kbytes / 3600 seconds
  PFS (Y/N): N
  Transform sets = {}
  IPVPN,
  }

  "IPVPN_MAP" 201-isakmp ipsec crypto map
  Description: 2nd Dallas BGP 2821 - s-B
  Peer = 208.XX. YY.11
  Expand the list of IP SEC-B access
  s - B allowed will host 74.WW access list. XX.35 the host 208.XX. YY.11
  Current counterpart: 208.XX. YY.11
  Life safety association: 4608000 Kbytes / 3600 seconds
  PFS (Y/N): N
  Transform sets = {}
  IPVPN,
  }
  Interfaces using crypto card IPVPN_MAP:
  Ethernet1
  Site-382-831 #.

  Tunnel between KC & the remote site configuration is:

  Distance c831 - KC

  crypto ISAKMP policy 10
  BA 3des
  preshared authentication
  !
  PRI-B-382 address 208.YY isakmp encryption key. ZZ.11
  !
  Crypto ipsec transform-set esp-3des esp-sha-hmac IPVPN
  transport mode
  !
  IPVPN_MAP 101 ipsec-isakmp crypto map
  Description of 2nd KC BGP 2821 - PRI - B
  set of peer 208.YY. ZZ.11
  game of transformation-IPVPN
  match address PRI - B
  !
  interface Tunnel101
  Description % connected to the 2nd KC BGP 2821 - PRI - B
  IP 1.3.82.46 255.255.255.252
  IP mtu 1500
  KeepAlive 3 3
  IP virtual-reassembly
  IP tcp adjust-mss 1360
  source of tunnel Ethernet1
  destination of the 208.YY tunnel. ZZ.11
  !
  interface Ethernet0
  private network Description
  IP 10.3.82.10 255.255.255.0
  IP mtu 1500
  no downtime
  !
  interface Ethernet1
  IP 74.WW. XX.35 255.255.255.248
  IP mtu 1500
  automatic duplex
  IP virtual-reassembly
  card crypto IPVPN_MAP
  no downtime
  !
  PRI - B extended IP access list
  allow accord 74.WW the host. XX.35 the host 208.YY. ZZ.11
  !

  KC-2821 *.

  PRI-B-382 address 74.WW isakmp encryption key. XX.35
  !
  PRI-B-382 extended IP access list
  allow accord 208.YY the host. ZZ.11 the host 74.WW. XX.35
  !
  IPVPN_MAP 382 ipsec-isakmp crypto map
  Description % connected to the 2nd KC BGP 2821
  set of peer 74.WW. XX.35
  game of transformation-IPVPN
  match address PRI-B-382
  !
  interface Tunnel382
  Description %.
  IP 1.3.82.45 255.255.255.252
  KeepAlive 3 3
  IP virtual-reassembly
  IP tcp adjust-mss 1360
  IP 1400 MTU
  delay of 40000
  tunnel of 208.YY origin. ZZ.11
  destination of the 74.WW tunnel. XX.35
  !
  end

  Any help would be much appreciated!

  Mark

  Hello

  logs on Site-382-831, only see the crypt but none decrypts, could you check a corresponding entry on the peer and see if has any questions send return traffic?

  Site-382-831 #show crypto ipsec his | Pkts Inc. | life
  #pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  calendar of his: service life remaining (k/s) key: (4486831/862)
  calendar of his: service life remaining (k/s) key: (4486738/862)
  #pkts program: 2397, #pkts encrypt: 2397, #pkts digest: 2397
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  calendar of his: service life remaining (k/s) key: (4432595/846)
  calendar of his: service life remaining (k/s) key: (4432501/846)
  Site-382-831 #.

  Kind regards

  Averroès.

• Significant decline in performance on the GRE tunnel after using cryptographic protection

  Hi all

  I have two G1 RSR (1811 and 1812) who have a GRE tunnel between them.

  Without any encryption protection I received about 3.6 MB/s in regular transfers of Windows SMB. After using cryptographic protection of the tunnel I'm now only 2.7 MB/s transfers of same.

  No idea as to why this is?

  My conclusions:
  According to this http://www.cisco.com/web/partners/downloads/765/tools/quickreference/vpn... the AES crypto fixed return of the 1800s is 40 MB/s.
  The increase in overhead of cryptographic protection shouldn't be the problem I tried to test the transfers on the tunnel without protection and 'ip tcp adjust-mss 800' of the tunnel. There was only a small performance drop here, not as much as with the crypto.
  I tried several sets of cryptographic transformation, they all give the same performance as long as they are made in the material.
  ISAKMP is always done in the software? I can't get it to show its is done at the hardware level, regardless of isakmp policy.

  IP MTU on both interfaces of tunnel are 1434 with cryptographic protection.

  My config:

  crypto ISAKMP policy 10
  BA aes 256
  sha512 hash
  preshared authentication
  Group 20
  isakmp encryption key * address *.
  !
  Crypto ipsec transform-set ESP-AES256-SHA esp - aes 256 esp-sha-hmac
  transport mode
  !
  Profile of crypto ipsec VPN
  game of transformation-ESP-AES256-SHA
  !
  Tunnel10
  IP 10.251.251.1 255.255.255.0
  no ip redirection
  no ip proxy-arp
  load-interval 30
  source of tunnel FastEthernet0
  tunnel destination *.
  tunnel path-mtu-discovery
  Tunnel VPN ipsec protection profile
  !

  Output:

  ISR1811 #sh crypto ipsec his
  Interface: Tunnel10
  Tag crypto map: addr Tunnel10-head-0, local *.

  protégé of the vrf: (none)
  ident (addr, mask, prot, port) local: (* / 255.255.255.255/47/0)
  Remote ident (addr, mask, prot, port): (* / 255.255.255.255/47/0)
  current_peer * port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: 683060, #pkts encrypt: 683060, #pkts digest: 683060
  #pkts decaps: 1227247, #pkts decrypt: 1227247, #pkts check: 1227247
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  endpt local crypto. : *, remote Start crypto. : ***
  Path mtu 1500, mtu 1500 ip, ip mtu IDB FastEthernet0
  current outbound SPI: 0x8D9A911E (2375717150)
  PFS (Y/N): N, Diffie-Hellman group: no

  SAS of the esp on arrival:
  SPI: 0xD6F42959 (3606325593)
  transform: aes-256-esp esp-sha-hmac.
  running parameters = {Transport}
  Conn ID: 45, flow_id: VPN on board: 45, sibling_flags 80000006, crypto card: head-Tunnel10-0
  calendar of his: service life remaining (k/s) key: (4563208/1061)
  Size IV: 16 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:
  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0x8D9A911E (2375717150)
  transform: aes-256-esp esp-sha-hmac.
  running parameters = {Transport}
  Conn ID: 46, flow_id: VPN on board: 46, sibling_flags 80000006, crypto card: head-Tunnel10-0
  calendar of his: service life remaining (k/s) key: (4563239/1061)
  Size IV: 16 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:
  outgoing CFP sas:

  ISR1811 #show in detail his crypto isakmp
  Code: C - IKE configuration mode, D - Dead Peer Detection
  NAT-traversal - KeepAlive, N - K
  T - cTCP encapsulation, X - IKE Extended Authentication
  PSK - GIPR pre-shared key - RSA signature
  renc - RSA encryption
  IPv4 Crypto ISAKMP Security Association

  C - id Local Remote I have VRF status BA hash Auth DH lifetime limit.
  2015 * * ACTIVE aes sha5 psk 20 12:42:50
  Engine-id: Conn-id = SW: 15
  2016 * * ACTIVE aes sha5 psk 20 12:42:58
  Engine-id: Conn-id = SW: 16
  IPv6 Crypto ISAKMP Security Association

  Use of CPU for the transfer with crypto:

  ISR1811 #sh proc cpu its

  ISR1811 09:19:54 Tuesday Sep 2 2014 THIS

  544444555555555544444444445555544444555556666644444555555555
  355555000001111133333888884444444444333333333377777666662222
  100
  90
  80
  70
  60                                          *****     *****
  50 ****************     **********     ************************
  40 ************************************************************
  30 ************************************************************
  20 ************************************************************
  10 ************************************************************
  0... 5... 1... 1... 2... 2... 3... 3... 4... 4... 5... 5... 6
  0 5 0 5 0 5 0 5 0 5 0
  Processor: % per second (last 60 seconds)

  ISR1812 #sh proc cpu history

  ISR1812, Tuesday 09:19:24 Sep 2 2014 THIS

  666666666666666666666666666666666666666666655555444445555544
  777888883333344444555555555566666777770000055555777776666666
  100
  90
  80
  70 ********          ********************
  60 ************************************************     *****
  50 ************************************************************
  40 ************************************************************
  30 ************************************************************
  20 ************************************************************
  10 ************************************************************
  0... 5... 1... 1... 2... 2... 3... 3... 4... 4... 5... 5... 6
  0 5 0 5 0 5 0 5 0 5 0
  Processor: % per second (last 60 seconds)

  I think that this performance is what you should get with the legacy 18xx SRI G1. But the performance degradation is perhaps really a little too high.

  For ISAKMP, there is no problem with that. The amount of protected data is too small to have one any influence.

  As a first test, I would remove the GRE encapsulation by setting "mode ipsec ipv4 tunnel" on the tunnel interface and compare if the results improve.