Setting KeepAlive on GRE over IPSEC tunnel

Hello world

Need to know if there are benefits of the KeepAlive on GRE over IPSEC implementation that goes over the Wan. ?

We currently have no KeepAlive on GRE tunnel.

If we config KeepAlive on both ends of the ACCORD it will cause any overload or the CPU load?

Thank you

MAhesh

If you use a routing on the GRE tunnel protocol you should use KeepAlive WILL not, but I would probably recommend use KeepAlive WILL anyway for the following reasons:

1. the overload caused by the GRE KeepAlive is quite small, it should not affect the ability to pass traffic

2. If you ever want to use tracking interface for roads or the static routes that you can interface WILL detect it descend as quickly as possible

I know that your IPSec device is separate, so I'd probably also enable KeepAlive on the IPSec tunnel as well.

Tags: Cisco Security

Similar Questions

  • GRE over IPSec tunnel cannot pass traffic through it

    I am trying to configure a GRE over IPSec tunnel between sites, we use the router cisco 7613 SUP720 (IOS: s72033-advipservicesk9_wan - mz.122 - 18.SXF15a.bin) and 3845 router (IOS:c3845 - advsecurityk9 - mz.124 - 25c.bin), we are facing problems when we use the tunnel because traffic is not passing through it. the configuration was working when we were using two routers cisco 3845 (IOS:c3845 - advsecurityk9 - mz.124 - 25c.bin), but for some reason, it doesn't work anymore when I paste the configuration on the new 7613 router.

    Head office

    crypto ISAKMP policy 10
    BA aes
    preshared authentication
    Group 5
    ISAKMP crypto key T3ST001 address 0.0.0.0 0.0.0.0
    !
    !
    Crypto ipsec transform-set IPSec_PLC aes - esp esp-sha-hmac
    transport mode
    !
    map PLC - CUM 10 ipsec-isakmp crypto
    defined by peer 167.134.216.89
    game of transformation-IPSec_PLC
    match address 100
    !
    !
    !
    Tunnel1 interface
    bandwidth 1984
    IP 167.134.216.94 255.255.255.252
    Mtu 1476 IP
    load-interval 30
    source of tunnel Serial0/1/0:0
    tunnel destination 167.134.216.89

    interface Serial0/1/0:0
    IP 167.134.216.90 255.255.255.252
    card crypto PLC - CUM

    access-list 100 permit gre 167.134.216.90 host 167.134.216.8

    Router eigrp 100
    network 167.134.216.92 0.0.0.3

    Directorate-General of the

    crypto ISAKMP policy 10
    BA aes
    preshared authentication
    Group 5
    ISAKMP crypto key T3ST001 address 0.0.0.0 0.0.0.0
    !
    !
    Crypto ipsec transform-set IPSec_PLC aes - esp esp-sha-hmac
    transport mode
    !
    map PLC - CUM 10 ipsec-isakmp crypto
    defined by peer 167.134.216.90
    game of transformation-IPSec_PLC
    match address 100

    Tunnel1 interface
    bandwidth 1984
    IP 167.134.216.93 255.255.255.252
    Mtu 1476 IP
    load-interval 30
    source of tunnel Serial1/0/0:1
    tunnel destination 167.134.216.90

    interface Serial1/0/0:1
    bandwidth 1984
    IP 167.134.216.89 255.255.255.252
    IP access-group 101 in
    load-interval 30
    no fair queue
    card crypto PLC - CUM

    access-list 100 permit gre 167.134.216.89 host 167.134.216.90

    ER-7600 #sh crypto isakmp his
    conn-id State DST CBC slot
    167.134.216.89 167.134.216.90 QM_IDLE 3 0

    ER-3845 #sh crypto isakmp his
    status of DST CBC State conn-id slot
    167.134.216.89 167.134.216.90 QM_IDLE 3 0 ACTIVE

    ER-3845 #sh active cryptographic engine connections

    Algorithm of address State IP Interface ID encrypt decrypt
    3 Serial0/1/0: 167.134.216.90 0 HMAC_SHA + AES_CBC 0 0 value
    3001 Serial0/1/0: 167.134.216.90 0 set AES + SHA 0 0
    3002 Serial0/1/0: 167.134.216.90 0 set AES + SHA 61 0

    ER-7600 #sh active cryptographic engine connections

    Algorithm of address State IP Interface ID encrypt decrypt
    3 Serial1/0/0:1 167.134.216.89 set HMAC_SHA + AES_CBC 0 0
    2000 Serial1/0/0:1 167.134.216.89 set HMAC_SHA + 0 66 AES_CBC
    2001 Serial1/0/0:1 167.134.216.89 set HMAC_SHA + AES_CBC 0 0

    I had this error on the er-3845: % CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd package not an IPSEC packet and this one on the IPSEC (epa_des_crypt) UH-7600: decrypted packet has no control of his identity

    Please help, it's so frustrating...

    Thanks in advance

    Oscar

    Here is a document from cisco, mentioning clearly for a card encryption on the two physical as tunnel interface well.

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a008009438e.shtml

    It may be useful

    Manish

  • GRE over IPSEC

    Hi all

    I am setting up IPSEC tunnel GRE... I am able to get neighbors OSPF looked through the GRE tunnel, but when traffic is sent through the gre tunnel it does not encrypt and transmit through plaintext despite she buy from loopback interfaces

    Here is my config

    Config of R1
    crypto ISAKMP policy 10
    BA aes
    preshared authentication
    Group 5
    test key crypto isakmp 192.168.1.2 address

    Crypto ipsec transform-set test aes - esp esp-sha-hmac

    test card crypto-address Ethernet0/0
    test 10 map ipsec-isakmp crypto
    defined peer 192.168.1.2
    Set transform-set test
    match address WILL

    GRE extended IP access list
    allow gre 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255

    interface Ethernet0/0
    No switchport
    IP 192.168.1.1 255.255.255.0
    crypto map test

    interface Loopback0
    IP 10.0.10.1 255.255.255.0
    IP ospf 1 zone 0

    Tunnel1 interface
    10.0.100.2 IP address 255.255.255.0
    IP ospf 1 zone 0
    source of tunnel Ethernet0/0
    tunnel destination 192.168.1.1
    end

    -----------------------------------------------------------
    R2 config

    crypto ISAKMP policy 10
    BA aes
    preshared authentication
    Group 5
    test key crypto isakmp 192.168.1.1 address
    !
    !
    Crypto ipsec transform-set test aes - esp esp-sha-hmac
    !
    !
    !
    test card crypto-address Ethernet0/0
    test 10 map ipsec-isakmp crypto
    defined peer 192.168.1.1
    Set transform-set test
    match address GR
    !

    GR extended IP access list
    allow gre 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255

    interface Ethernet0/0
    No switchport
    IP 192.168.1.2 255.255.255.0
    crypto map test

    interface Loopback0
    IP 10.0.20.1 255.255.255.0
    IP ospf 1 zone 0

    Tunnel1 interface
    10.0.100.1 IP address 255.255.255.0
    IP ospf 1 zone 0
    source of tunnel Ethernet0/0
    tunnel destination 192.168.1.2
    end

    -------------------------------------------

    Hello

    With p2p GRE over IPsec solution, all traffic between sites is encapsulated in a GRE p2p package before the process of encryption.

    More info on this link:

    http://www.Cisco.com/c/en/us/TD/docs/solutions/Enterprise/WAN_and_MAN/P2...

    Kind regards

    Aditya

    Please evaluate the useful messages and mark the correct answers.

  • DMVPN & GRE over IPsec on the same physical interface

    Dear all,

    I am setting up two routers WAN, each router wan has a physical interface connecting to the branches and regional office by using the same provider.

    We will use the GRE over IPsec to connect to Office regional and DMVPN + EIGRP to branches.

    I would like to know if it is possible to configure tunnels for GRE over IPsec and DMVPN + EIGRP using the same source physical interface.

    Good answer, it's an urgent request and your response is much appreciated.

    Kind regards

    Hi Savio,

    It should work. We can configure dmvpn and gre-over-ipsec on ASA using the same physical interface.

    Kind regards

    NGO

  • To confirm the network is GRE over IPSEC

    Hello world

    We have Cisco 4500 device GRE tunnel and next hop is that ASA makes the IPSEC VPN over WAN.

    If this type of network is called free WILL on the right of IPSEC?

    Also when I do on 4500 sh int tu0

    reliability 255/255, txload 79/255, rxload 121/255

    5 minute input rate 2228000 bps, 790 packets/s

    5 minute output rate 780000 bps, 351 packets/s

    Need to understand which shows that data transmitted by tunnel LIKING which is not encrypted right?

    To verify ipsec ASA which is encrypted data that we do sh right its isakmp crypto?

    When we apply crypto map on the physical interface ASA here?

    Thank you

    Mahesh

    If your GRE tunnel protection applied to this topic, so I think that the transmitted data is encrypted. GRE over ipsec simply means the application of the protection of tunnel to tunnel will otherwise it's just a simple GRE tunnel.

    Side that Show crypto isakmp his, you can also check if the traffic from one site to another is using GRE or not by issuing crypto ipsec to show its, it will tell you the number of Protocol and it should say 47. And if you use the protection tunnel command to set the ipsec tunnel, you will not need to define cryptographic cards more.

  • The GRE over IPSec vpn

    VAC

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a008009438e.shtml#diag

    It's lab that I did today, and offcouse, I am able to understand this laboratory bus are confusion

    1. Why do we use a card encryption on both interfaces (phiycal tunnel interface or interface)


    2. when I remove the interface tunnel encryption card I have this message

    ( R2691 #* 01:12:54.243 Mar 1: ISAKMP: (1002): purge node 2144544879 )

    Please tell me what is the meaning of this message

    3. but I do not see vpn works great. It comes to cryto his and crypto isakmp his

    R2691 #sh crypto ipsec his

    Interface: Serial0/0

    Crypto map tag: vpn, local addr 30.1.1.21

    protégé of the vrf: (none)

    local ident (addr, mask, prot, port): (30.1.1.21/255.255.255.255/47/0)

    Remote ident (addr, mask, prot, port): (10.1.1.1/255.255.255.255/47/0)

    10.1.1.1 current_peer port 500

    LICENCE, flags is {origin_is_acl},

    #pkts program: 65, #pkts encrypt: 65, #pkts digest: 65

    #pkts decaps: 66, #pkts decrypt: 66, #pkts check: 66

    compressed #pkts: 0, unzipped #pkts: 0

    #pkts uncompressed: 0, #pkts compr. has failed: 0

    #pkts not unpacked: 0, #pkts decompress failed: 0

    Errors in #send 2, #recv 0 errors

    local crypto endpt. : 30.1.1.21, remote Start crypto. : 10.1.1.1

    Path mtu 1500, mtu 1500 ip, ip mtu IDB Serial0/0

    current outbound SPI: 0xDBF65B0E (3690355470)

    SAS of the esp on arrival:

    SPI: 0x44FF512B (1157583147)

    transform: esp-3des esp-md5-hmac.

    running parameters = {Tunnel}

    Conn ID: 5, flow_id: SW:5, crypto card: vpn

    calendar of his: service life remaining (k/s) key: (4598427/3368)

    Size IV: 8 bytes

    support for replay detection: Y

    Status: ACTIVE

    the arrival ah sas:

    SAS of the CFP on arrival:

    outgoing esp sas:

    SPI: 0xDBF65B0E (3690355470)

    transform: esp-3des esp-md5-hmac.

    running parameters = {Tunnel}

    Conn ID: 6, flow_id: SW:6, crypto card: vpn

    calendar of his: service life remaining (k/s) key: (4598427/3368)

    Size IV: 8 bytes

    support for replay detection: Y

    Status: ACTIVE

    outgoing ah sas:

    outgoing CFP sas:

    R2691 #sh crypto isakmp his

    IPv4 Crypto ISAKMP Security Association

    status of DST CBC State conn-id slot

    30.1.1.21 10.1.1.1 QM_IDLE 1002 ASSETS 0

    ISAKMP Crypto IPv6 security association.

    How can 2: I know it using GRE over IPsec.

    I also join my topology on which I made lab

    Also beyond what I remember, in the old codes he was required to have a card encryption on tunnel and physical interface, but now is not.

    Since we use GRE over IPSEC, so for the verification of the tunnel I'll do the following steps:

    (1.) to check if the tunnel interface is in place. "show ip int br".

    2.) check if the statistics of tunnel are increasing and packages are browsing through it. 'show interface '.

    3.) check if crypto ACL includes only interesting traffic listed as GRE counterparts.

    (4.) If Yes, check the IPSEC Security Association statistics. "See the crypto ipsec his."

    If all of them are correct statistical evidence with respective counters increase traffic is passing by GRE and then by wrapping in IPSEC.

    I hope this helps.

    Kind regards

    Anuj

  • GRE over IPsec, ASA and NAT - t.

    I want to establish WILL IPsec tunnel between four branches and headquarters. In executive offices, I have router 1841 with the advanced security software. At Headquarters, I have a 7.2 ASA5510 as frontend with a IP address public and 1841 router behind him in the private address space. Given that the ASA does not support GRE tunnels, ASA may be endpoint for GRE over IPsec? If this isn't the case, ASA may pass through this tunnel to the router 1841 behind her, 1841 would be endpoint logic tunnel? What should I watch out for? The ASA and each 1841 support NAT - T, or just ASA?

    The ASA does not support GRE.

    The router would be the GRE tunnel endpoint.  The ASA would be endpoint for IPSEC VPN.  NAT - T should not be a matter of concern if the ASA and the remote routers directly connected to the internet.

    HTH.

  • GRE in IPSEC tunnel

    Hello

    I have a question where I nee to close a tunnel IPSEC and GRE on my hub, is this possible?

    The GRE tunnel will be in the IPSEC tunnel.

    No. I don't think that you can terminate a GRE tunnel on a concentartor. What you can do is to put an end to a GRE tunnel on a router behind the hub. The tunnel can go through the hub. You can specify the traffic between the source/destination as interetsting and things should work fine.

  • Problem of authenticating users on L2TP over IPSec tunnel

    I have a client with an old PIX-515e firewall with firmware 7.2 (4), and due to certain circumstances, I'm trying to configure L2TP over IPSec. I'm stuck at a "Error 691: the remote connection has been deinied because the user name and password combination, you have provided is not recognized, or the selected authentication protocol is not permitted on the remote access server." I have local installation of authentication for this connection, and I tried to use ms-chap-v2, chap and pap, and give the same results. I have confirmed the username and the password, but I can't after that.

    The PIX, I don't see "AAA user authenticaton rejected: reason = invalid password: local database: user = tetstuser". I can still see the password unencrypted on the screen, so I can copy and paste the username and password in the appropriate fields, and I still have this error.

    Does anyone have an idea where the problem lies perhaps? Thank you.

    Can you please change the user as described in the doc, I shared and as indicated by the Rohan peers and share the results of the tests?

    Kind regards

    Dinesh Moudgil

    PS Please rate helpful messages.

  • GRE over IPSec - choose a source interface

    I have a 3660 with two T1 from different suppliers running BGP. Our ASN space is on f0/0, with the two serial interfaces T1 with an address of series on the networks of their respective providers.

    I am trying to configure an IPSec tunnel and made on the part of the interfaces series (as I normally do in smaller offices with a single T1). I have then reconfigure the card encryption to be on f0/0 and any other relevant changes on both sides at the source of this traffic of f0/0. IPSec negotiates and makes its way thorugh on the 3660, I see even a peer EIGRP come with the remote. This peer eventually falls, and the review of the wristwatch that sends him away and the 3660 receives, but no package never leave the 3660 (on the its).

    Any suggestions on where start looking for it, or is there a best/recommended/example configuration of a similar setup, I could look at?

    Thanks in advance,

    Daryl

    To bind the cryptographic card for an interface use the command:

    card crypto 'name card' - address "interface."

    FOR EXAMPLE:

    Crypto map crypt-map1-address Loopback2

    -Brett

  • Performance - GRE over IPSec or without free WILL

    Looking at the configuration of a VPN L2L tunnel between two sites for voice only traffic.  Ask yourself if the configuration of GRE to the IPSec VPN tunnel would add a charge to the performace of the vs configuration voice traffic just an IPSec VPN tunnel?

    You wanted to set up a WILL for future where we might want to add several tunnels and enable EIGRP routing.

    Please any advice would help.

    Karim,

    First GRE (oIPsec) is not the only option. You also VTI, which does not add the GRE overhead and can run on top routing protocols.

    In terms of raw processing, yes GRE encapsulation is indeed a new step on the way, but most platform today are able to handle this in CEF (or similar) or in the material (usually with some limitations) as on 6500 etc..

    Purely for the voice there should be no impact on the performance (also depends on how you measure performance) since fresh added generals will not change much for audio real, no added encapsultation will add a lot of delay.

    However, there are other things to consider (like how to install QoS is not to present the jitter).

    M.

  • 1841 can route between tunnel GRE and IPSEC tunnel?

    Hello everyone!

    See the image below.

    Main office (10.0.1.0/24 LAN) and branch (10.0.2.0/24 LAN) are connected through the GRE tunnel.

    The third office (10.0.3.0/24) is attached to the second branch via IPSEC.

    Is there the way to establish the connection between the third and the main office through cisco 1841?

    Is it possible to perform routing, perhaps with NAT?

    In fact we need connection with a single server in the main office.

    Thank you

    Hello

    It is possible to build this configuration.

    the IPSEC connection between 10.0.3.x and 10.0.2.x should also encapsulate the traffic to main office.

    Steps to follow:

    Central office, to shift traffic to 10.0.3.x above the GRE tunnel.

    The second part, add the 10.0.3.x - 10.0.1.x selection of traffic to the ACL IPSEC with the third

    The third part, add the 10.0.3.x - 10.0.1.x selection of traffic to the ACL IPSEC with the second pane.

    Please rate if this helped.

    Kind regards

    Daniel

  • Isse NAT with Gre over Ipsec

    Hi guys!

    I have a little problem with my setup.

    I would like to join the Y in X host through a VPN tunnel.

    My setup works fine, until I have add this static nat entry:

    -ip nat inside source static 10.20.20.1 198.41.10.1

    In this case, the tunnel endpoints cannot reach each other (172.16.13.1 <->172.16.13.2).

    The Ext_Router made the Nat translation and the tunnel is located between Ext_Router and R7.

    What is the problem?

    The configuration files are attached.

    Hello

    First, I would like to say that my relationship with GRE + IPsec have been pretty slim.

    But what seems to me looking at the configurations and NAT, is that you must following configurations with respect to NAT on R5/Ext_Router

    • Configuration of PAT translation for LAN 2 networking using the IP address of Serial 0/0 as a PAT address
    • A static NAT for a single host LAN that uses ALSO address IP Serial0/0 for the translation.

    If the NAT router operation is something like the Cisco PIX or ASA. The static NAT completely replaces PAT (overload) configuration and therefore no user belonging to networks source ACL 1 wont be able to use the NAT and therefore traffic will not work for them but should probably work for the host of the 10.20.20.1 Static NAT?

    Could be the problem? Pourrait 198.41.10.x another IP, be used for the static NAT?

    -Jouni

  • Problem with GRE over IPsec with IOS Version 15.1 (2) T4

    Hello

    We have several sites that use of GRE Tunnels with card crypto for encryption.  To upgrade to the latest version of a UC-520 (15.1 (2) T4 or any version of this train) I get the following error: -.

    SIN-UC520(config-if) #crypto map aberdeen

    % NOTE: crypto card is configured on the tunnel interface.

    Currently, only one card encryption GDOI is supported on the tunnel interface.

    The original Tunnel config is below:-

    interface Tunnel0

    Description Tunnel to Aberdeen AC

    bandwidth of 512

    IP unnumbered Vlan1

    IP mtu 1420

    QoS before filing

    tunnel source a.b.c.d

    destination e.f.g.h tunnel

    Crypto map aberdeen

    Decommissioning of the IOS version solves the problem.   What gives?  Have Cisco dropped support for this configuration?

    I use this setup so I can choose exactly which traffic is encrypted (I do not encrypt voice for example).

    Thank you
    Peter.

    Hi Peter,.

    It looks like from the 15.1 this configuration is no longer supported. Here's what the release notes:

    Error message appears when you try to apply the tunnel interface to a card encryption.

    Old behavior: Error Message is not displayed when you try to apply tunnel interface card encryption using the command card crypto (interface IPSec).

    New behavior: an error message appears when you try to apply the tunnel interface to a crypto map using the

    crypto map command (interface IPSec).

    http://www.Cisco.com/en/us/docs/iOS/15_1/release/notes/151TNEWF.html

    The order reference has the following information about the error message:

    A card encryption cannot be applied to a tunnel interface. If you try to apply the tunnel interface to a card encryption, an error message is displayed as follows: crypto card is configured on the tunnel interface. Currently, only card crypto Group domain of interpretation (GDOI) is supported on the tunnel interface.

    http://www.Cisco.com/en/us/docs/iOS/Security/command/reference/sec_c4.html#wp1078283

    So it seems that on the new version, you can only use one (new to me) maps crypto GDOI on your tunnel interfaces.

    Here's a doc that explains the GDOI implementation, I wish that I could help with the Setup, but as I said, I had not heard of him until today.

    http://www.Cisco.com/en/us/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6811/prod_white_paper0900aecd804c363f.html

    I hope this clarifies your questions.

    Raga

  • The GRE and IPSec

    We currently have several sites with ISAKMP/IPSec tunnels between routers 2800 and we need some of them migrate to the GRE with IPSec tunnels. Are there problems with endpoint tunnels GRE and IPsec on the same router and interface?

    I didn't know all the problems - apart from the router doing the encryption/decryption & GRE encapsulation/decapsulation, just be respect for traffic through the put.

    I have noted problems with traffic GRE and MTU problems. Cisco recommends a MTU of 1440 at Discretion, I would say that set 1400.

    HTH

Maybe you are looking for

  • Qosmio G10 - how to upgrade the DMI information?

    Help, please!I have trouble with Qosmio G10. Toshiba support don't really.help me. I changed my motherboard with nVidia 6600 go and 915 PM and new BIOS. Now there are several problems: I tried to run the update tool CD, but it stops and «please use t

  • My Quick time player is not play mpeg files

    Since the week MY last, Quick time player and preview apps do not work properly... I don't know how do to resolve these issues please help me to retrieve these applications at the earliest.

  • Recently burned CD not recognized by several cd players

    Since I got my Dell computer (several years), I have burned many cd successfully.  The only problem I've had in the past was Windows Media to get the names of the titles of the albums/songs.  I tried to fix it but failed and he gave up. Everything I

  • Reception of images on incoming emails

    Have a new computer with Windows 7 and decided to use Live Mail.  Have a problem with email incoming as images/photos do not show, only text and often a link included in the message is also absent.  Have checked "download images" in Security Options,

  • HttpConnection upload image to server

    Hi all I'm new on the server to access the content and I try to send a file of image on my server using the HttpConnection class. I have searched this forum for the same thing, but could not understand my mistake. My requirement is to display an imag