GRE Tunnel goes down?

So here's my setup:

Internal router (2821) > Internal DMZ ASA cluster > DMZ router (2821) > External DMZ Checkpoint cluster > Branch office router (877)

The internal ASA cluster has PAT configured for the internal production network and all the VLANs.

The DMZ router has an inside interface configured on the internal DMZ and an outside interface configured on the external DMZ. The DMZ router also has two loopback interfaces configured.

The external Checkpoint is configured with NAT for incoming and outgoing traffic.

The branch is a DSL router with a static IP address.

The first requirement is to configure a GRE IPSec tunnel between the DMZ router and the branch office router.

The second requirement is to configure a GRE over IPSec tunnel between the internal router and the DMZ router.

The third requirement is to allow routing between the internal router and the branch through the DMZ router, because this is ultimately the live backup connection between the head office and the branch.

I have successfully configured a GRE over IPSec tunnel between the DMZ router and the branch office router.

I can also establish a GRE tunnel (without IPSec) between the internal router and the DMZ router.

However, whenever the GRE tunnel between the internal and DMZ routers comes up and an EIGRP neighbour forms, the EIGRP neighbourship between the DMZ router and the branch drops! See the following DMZ router log:

Tunnel1 = to branch
Tunnel100 = internal

002885: Mar  3 22:32:57.013: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
002886: Mar  3 22:33:06.029: %DUAL-5-NBRCHANGE: IPv4 EIGRP 1: Neighbor 172.17.205.61 (Tunnel1) is up: new adjacency
002889: Mar  3 22:33:58.434: %LINK-3-UPDOWN: Interface Tunnel100, changed state to up
002890: Mar  3 22:33:58.438: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel100, changed state to up
002891: Mar  3 22:34:15.370: %DUAL-5-NBRCHANGE: IPv4 EIGRP 1: Neighbor 192.168.5.66 (Tunnel100) is up: new adjacency
002892: Mar  3 22:34:30.551: %DUAL-5-NBRCHANGE: IPv4 EIGRP 1: Neighbor 172.17.205.61 (Tunnel1) is down: holding time expired
002893: Mar  3 22:34:47.015: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down

The IPSec tunnel to the branch stays up throughout.

Can anyone help!?

The problem was that whenever the GRE tunnel between the internal and DMZ routers came up and an EIGRP neighbour formed, the branch was learning the next hop to the tunnel destination from a different device.

This is how the branch was learning the route to the tunnel destination:

interface Tunnel1
 description VPN Tunnel to Tandragee Sub Station router
 bandwidth 64
 ip address 172.17.205.62 255.255.255.252
 no ip route-cache cef
 delay 20000
 keepalive 10 3
 tunnel source Loopback1
 tunnel destination 172.17.255.23

be-idz-vpn-01#sh ip route 172.17.255.23
Routing entry for 172.17.255.23/32
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 172.17.252.129
      Route metric is 0, traffic share count is 1

be-idz-vpn-01#sh ip route 172.17.252.129
Routing entry for 172.17.252.128/25
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via GigabitEthernet0/1
      Route metric is 0, traffic share count is 1
be-idz-vpn-01#

This is how the next hop was learned once the GRE tunnel between the internal and DMZ routers came up:

be-idz-vpn-01#sh ip route 172.17.252.129
Routing entry for 172.17.252.128/27
  Known via "eigrp 1", distance 170, metric 40258816, type external
  Redistributing via eigrp 1
  Last update from 192.168.5.66 on Tunnel100, 00:07:25 ago
  Routing Descriptor Blocks:
  * 192.168.5.66, from 192.168.5.66, 00:07:25 ago, via Tunnel100
      Route metric is 40258816, traffic share count is 1
      Total delay is 10110 microseconds, minimum bandwidth is 64 Kbit
      Reliability 255/255, minimum MTU 1476 bytes
      Loading 1/255, Hops 2

We can see how the next hop to the tunnel destination 172.17.255.23 changed from known via "connected" through GigabitEthernet0/1 to known via "eigrp 1" through Tunnel100.

This is what causes Tunnel1 to drop.

The reason for this behaviour was that the route to the next hop was learned as a longer prefix match through the tunnel interface, so it won the race into the routing table.

The solution we applied: we created a distribute-list on the branch office router to remove this specific route from the Tunnel100 updates.

router eigrp 1
 distribute-list 1
 network 10.10.10.0 0.0.0.3
 network 172.17.203.56 0.0.0.3
 network 172.17.203.60 0.0.0.3
 network 172.17.205.60 0.0.0.3
 network 172.19.98.18 0.0.0.0
 network 192.168.5.64 0.0.0.3
 passive-interface Loopback1

be-idz-vpn-01#sh access-list 1
Standard IP access list 1
    10 deny   172.17.252.128, wildcard bits 0.0.0.127 (1 match)
    20 permit any (1230 matches)
be-idz-vpn-01#

Once this was applied, we could have the GRE tunnel established between the internal and DMZ routers together with the GRE tunnel between the branch and the DMZ router.
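To make the routing-table race concrete, here is a small model of it in Python. This is an added example, not code from the thread: it rebuilds the routes shown for be-idz-vpn-01 (constructed from the show output above), performs a recursive longest-prefix lookup of the Tunnel1 destination, flags the case where that destination ends up egressing through another GRE tunnel, and applies access-list 1 as an inbound distribute-list the way IOS evaluates a standard ACL (wildcard tested against the route's network address).

```python
"""Model of the routing-table race described above (added example, not from the thread)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    source: str                      # "connected", "static" or "eigrp 1"
    next_hop: Optional[IPv4Address]  # None for connected routes
    interface: Optional[str]         # set for connected routes only


def route(prefix: str, source: str, next_hop: str = None, interface: str = None) -> Route:
    return Route(IPv4Network(prefix), source,
                 IPv4Address(next_hop) if next_hop else None, interface)


def longest_match(rib: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match: the most specific covering prefix wins."""
    covering = [r for r in rib if dst in r.prefix]
    return max(covering, key=lambda r: r.prefix.prefixlen, default=None)


def resolve(rib: List[Route], dst: str, max_depth: int = 8) -> Tuple[Optional[str], List[Route]]:
    """Recursive lookup: follow next hops until a route carries an interface.
    Returns (egress interface or None, the routes walked in order)."""
    path, cur = [], IPv4Address(dst)
    for _ in range(max_depth):
        r = longest_match(rib, cur)
        if r is None:
            return None, path
        path.append(r)
        if r.interface is not None:
            return r.interface, path
        cur = r.next_hop
    return None, path  # still unresolved after max_depth hops


def tunnel_dst_via_tunnel(rib: List[Route], tunnel_dst: str) -> bool:
    """True when a tunnel endpoint would egress through a GRE tunnel interface
    instead of a physical one, which is the condition that dropped Tunnel1."""
    egress, _ = resolve(rib, tunnel_dst)
    return egress is not None and egress.startswith("Tunnel")


def standard_acl_permits(acl, network: IPv4Network) -> bool:
    """IOS standard ACL used as a distribute-list. Entries are
    (action, address, wildcard); first match decides, implicit deny at the end."""
    for action, addr, wildcard in acl:
        care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))  # wildcard 1-bits are don't-care
        if int(network.network_address) & care == int(IPv4Address(addr)) & care:
            return action == "permit"
    return False


def distribute_list_in(rib: List[Route], acl, protocol: str = "eigrp 1") -> List[Route]:
    """Drop routes learned from `protocol` that the ACL does not permit."""
    return [r for r in rib if r.source != protocol or standard_acl_permits(acl, r.prefix)]


# Routes constructed from the show output in the thread.
TUNNEL1_DST = "172.17.255.23"
BASE_RIB = [
    route("172.17.255.23/32", "static", next_hop="172.17.252.129"),   # Tunnel1 destination
    route("172.17.252.128/25", "connected", interface="GigabitEthernet0/1"),
    route("192.168.5.64/30", "connected", interface="Tunnel100"),
    route("172.17.205.60/30", "connected", interface="Tunnel1"),
]
# External EIGRP route that arrives over Tunnel100 once the internal GRE tunnel comes up.
EIGRP_ROUTE = route("172.17.252.128/27", "eigrp 1", next_hop="192.168.5.66")
# access-list 1 from the thread: deny 172.17.252.128 0.0.0.127, permit any.
ACL_1 = [("deny", "172.17.252.128", "0.0.0.127"), ("permit", "0.0.0.0", "255.255.255.255")]


def egress_before() -> Optional[str]:
    return resolve(BASE_RIB, TUNNEL1_DST)[0]                   # GigabitEthernet0/1


def egress_after() -> Optional[str]:
    return resolve(BASE_RIB + [EIGRP_ROUTE], TUNNEL1_DST)[0]   # Tunnel100


def egress_fixed() -> Optional[str]:
    filtered = distribute_list_in(BASE_RIB + [EIGRP_ROUTE], ACL_1)
    return resolve(filtered, TUNNEL1_DST)[0]                   # GigabitEthernet0/1


if __name__ == "__main__":
    for label, fn in (("before", egress_before), ("after", egress_after), ("fixed", egress_fixed)):
        print(f"{label:6s} {TUNNEL1_DST} egresses via {fn()}")
```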

Tags: Cisco Security

Similar Questions

  • Backup GRE tunnel using the secondary IP address

    Is it possible to configure a backup GRE tunnel using a secondary IP address on the WAN interface? The router is a Cisco 871. Any help would be greatly appreciated.

    Thank you.

    Nicholas

    I'm not sure it would work to use a secondary address on the WAN interface for a GRE tunnel. Maybe if you tell us more about what you're trying to do we could help find alternatives that would work.

    Two tunnels from the same interface (even if you could use a secondary address) to the same remote router would not provide a backup, if they work at all. Two tunnels from the same router interface (both using the primary address) work fairly well if they go to different remote routers, and that is a common way to provide backup for GRE tunnels.

    HTH

    Rick

  • Significant performance drop on GRE tunnel after enabling crypto protection

    Hi all

    I have two G1 ISRs (1811 and 1812) with a GRE tunnel between them.

    Without any crypto protection I got about 3.6 MB/s on regular Windows SMB transfers. After enabling crypto protection on the tunnel I now only get 2.7 MB/s on the same transfers.

    Any idea why this is?

    My conclusions:
    According to this http://www.cisco.com/web/partners/downloads/765/tools/quickreference/vpn... the AES crypto throughput of the 1800s is 40 MB/s.
    The extra overhead of crypto protection shouldn't be the problem; I tried the transfers over the tunnel without protection and with 'ip tcp adjust-mss 800' on the tunnel. There was only a small performance drop there, not as much as with the crypto.
    I tried several crypto transform sets; they all give the same performance as long as they are done in hardware.
    Is ISAKMP always done in software? I can't get it to show that it is done in hardware, regardless of the isakmp policy.

    IP MTU on both tunnel interfaces is 1434 with crypto protection.

    My config:

    crypto isakmp policy 10
     encr aes 256
     hash sha512
     authentication pre-share
     group 20
    crypto isakmp key * address *
    !
    crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
     mode transport
    !
    crypto ipsec profile VPN
     set transform-set ESP-AES256-SHA
    !
    interface Tunnel10
     ip address 10.251.251.1 255.255.255.0
     no ip redirects
     no ip proxy-arp
     load-interval 30
     tunnel source FastEthernet0
     tunnel destination *
     tunnel path-mtu-discovery
     tunnel protection ipsec profile VPN
    !

    Output:

    ISR1811#sh crypto ipsec sa
    interface: Tunnel10
        Crypto map tag: Tunnel10-head-0, local addr *

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (*/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (*/255.255.255.255/47/0)
       current_peer * port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 683060, #pkts encrypt: 683060, #pkts digest: 683060
        #pkts decaps: 1227247, #pkts decrypt: 1227247, #pkts verify: 1227247
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: *, remote crypto endpt.: ***
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
         current outbound spi: 0x8D9A911E(2375717150)
         PFS (Y/N): N, DH group: none

         inbound esp sas:
          spi: 0xD6F42959(3606325593)
            transform: esp-256-aes esp-sha-hmac ,
            in use settings ={Transport, }
            conn id: 45, flow_id: Onboard VPN:45, sibling_flags 80000006, crypto map: Tunnel10-head-0
            sa timing: remaining key lifetime (k/sec): (4563208/1061)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:
         inbound pcp sas:

         outbound esp sas:
          spi: 0x8D9A911E(2375717150)
            transform: esp-256-aes esp-sha-hmac ,
            in use settings ={Transport, }
            conn id: 46, flow_id: Onboard VPN:46, sibling_flags 80000006, crypto map: Tunnel10-head-0
            sa timing: remaining key lifetime (k/sec): (4563239/1061)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:
         outbound pcp sas:

    ISR1811#show crypto isakmp sa detail
    Codes: C - IKE configuration mode, D - Dead Peer Detection
           K - Keepalives, N - NAT-traversal
           T - cTCP encapsulation, X - IKE Extended Authentication
           psk - Preshared key, rsig - RSA signature
           renc - RSA encryption
    IPv4 Crypto ISAKMP SA

    C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.
    2015  *               *                      ACTIVE aes  sha5   psk  20 12:42:50
           Engine-id:Conn-id =  SW:15
    2016  *               *                      ACTIVE aes  sha5   psk  20 12:42:58
           Engine-id:Conn-id =  SW:16
    IPv6 Crypto ISAKMP SA

    Use of CPU for the transfer with crypto:

    ISR1811#sh proc cpu history

    ISR1811   09:19:54 AM Tuesday Sep 2 2014 CET

    544444555555555544444444445555544444555556666644444555555555
    355555000001111133333888884444444444333333333377777666662222
    100
    90
    80
    70
    60                                          *****     *****
    50 ****************     **********     ************************
    40 ************************************************************
    30 ************************************************************
    20 ************************************************************
    10 ************************************************************
    0... 5... 1... 1... 2... 2... 3... 3... 4... 4... 5... 5... 6
    0 5 0 5 0 5 0 5 0 5 0
    CPU% per second (last 60 seconds)

    ISR1812#sh proc cpu history

    ISR1812   09:19:24 AM Tuesday Sep 2 2014 CET

    666666666666666666666666666666666666666666655555444445555544
    777888883333344444555555555566666777770000055555777776666666
    100
    90
    80
    70 ********          ********************
    60 ************************************************     *****
    50 ************************************************************
    40 ************************************************************
    30 ************************************************************
    20 ************************************************************
    10 ************************************************************
    0... 5... 1... 1... 2... 2... 3... 3... 4... 4... 5... 5... 6
    0 5 0 5 0 5 0 5 0 5 0
    CPU% per second (last 60 seconds)

    I think this performance is about what you should get with the legacy 18xx ISR G1. But the performance degradation is perhaps really a little too high.

    As for ISAKMP, there is no problem with that. The amount of protected data is too small to have any influence.

    As a first test, I would remove the GRE encapsulation by setting "tunnel mode ipsec ipv4" on the tunnel interface and compare whether the results improve.

  • Using a GRE tunnel between devices on the same LAN

    Hello world

    When would we need to use a GRE tunnel on the same side, meaning between 2 devices on the same LAN?

    What is the advantage of using a GRE tunnel on a LAN?

    Thank you

    MAhesh

    In general, a GRE tunnel is not used on the same side/network.

    It serves to connect 2 networks and to pass traffic through.

    The advantage of GRE is that it can participate in routing protocols; it then becomes a single hop through the tunnel instead of several hops across different devices. As a result, GRE is also used to tunnel traffic that is not natively supported by the intermediate devices, where the unsupported traffic type could not otherwise pass through.

  • Multicast over GRE tunnel traffic

    Hi guys,

    I have a point-to-point BGP connection via an ISP, on a 100 Mbps link between the branch and the central office.

    I set up a GRE tunnel running OSPF between two Cisco 2801 routers with IOS advanced security so I can share multicast streaming traffic between the two sites, but I am only able to get 6 Mbps through the tunnel between the sites. I have configured multicast PIM sparse-mode to transport the video traffic over the tunnel.

    Is there a limit on the GRE tunnel? Could it be MTU, or perhaps other issues? Can anyone help me solve this question, guys?

    Hello

    There is a lot of discussion about bandwidth limitations on the tunnel interface. But most of the discussions seem to be linked to software limitations on the device.

    Issues could be related to MTU. Have you enabled PMTUD on the tunnel interface? If not, turn it on, as it is recommended on the tunnel interface.

    HTH.

    Please rate helpful posts.

    Kind regards

    Terence

  • GRE tunnels will not come up on IPsec/GRE VPN

    Hi all

    We have 400+ remote sites that connect to our central location (and a backup site) using Cisco routers with IPSec/GRE VPN tunnels.  We use a basic template for the creation of tunnels, so there is very little chance of a bad configuration on each router.  Remote sites use Cisco 831s, central sites use Cisco 2821s.  There is one site where the GRE tunnels just refuse to come up.

    The routers are able to ping each other's public IP addresses, so it is not a routing problem, but the GRE endpoints cannot ping.  There is no NATing involved; both routers access the Internet directly.  The assorted show commands seem to indicate that the SAs are properly built, but from the logs it seems that the last part just doesn't finish, and the GRE tunnels just don't come up.

    From the attached log file, it seems that both the IPSEC & ISAKMP SAs are created @ 00:25:14, then QM_PHASE2 completes @ 00:25:15.

    00:25:15: ISAKMP:(0:10:HW:2):deleting node 1891573546 error FALSE reason "QM done (await)"
    00:25:15: ISAKMP:(0:10:HW:2):Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    00:25:15: ISAKMP:(0:10:HW:2):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
    00:25:15: ISAKMP (0:268435467): received packet from 208.XX.YY.11 dport 500 sport 500 Global (I) QM_IDLE

    00:25:15: IPSEC(key_engine): got a queue event with 1 kei messages
    00:25:15: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
    00:25:15: IPSEC(key_engine_enable_outbound): enable SA with spi 1572231461/50
    00:25:15: ISAKMP:(0:11:HW:2):deleting node -1931380074 error FALSE reason "QM done (await)"
    00:25:15: ISAKMP:(0:11:HW:2):Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    00:25:15: ISAKMP:(0:11:HW:2):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
    00:25:15: IPSEC(key_engine): got a queue event with 1 kei messages
    00:25:15: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
    00:25:15: IPSEC(key_engine_enable_outbound): enable SA with spi 310818168/50

    I don't have the remote router's log file, and it is very long, so I attached it.  Before I captured the log file, I enabled ipsec & isakmp debugging and immediately cleared the SAs.

    Assorted useful details and matching show command output:

    Cisco IOS Software, C831 Software (C831-K9O3SY6-M), Version 12.4(25), RELEASE SOFTWARE (fc1)

    There are 2 IPSEC/GRE tunnel connections:

    Tunnel101: KC (208.YY.ZZ.11) - remote (74.WW.XX.35)
    Tunnel201: Dallas (208.XX.YY.11) - remote (74.WW.XX.35)

    Site-382-831#sho ip int br
    Interface        IP-Address      OK? Method Status                Protocol
    FastEthernet1    unassigned      YES unset  down                  down
    FastEthernet2    unassigned      YES unset  up                    up
    FastEthernet3    unassigned      YES unset  up                    up
    FastEthernet4    unassigned      YES unset  up                    up
    Ethernet0        10.3.82.10      YES NVRAM  up                    up
    Ethernet1        74.WW.XX.35     YES NVRAM  up                    up
    Ethernet2        172.16.1.10     YES NVRAM  up                    up
    Tunnel101        1.3.82.46       YES NVRAM  up                    down    <====
    Tunnel201        1.3.82.62       YES NVRAM  up                    down    <====
    NVI0             unassigned      NO  unset  up                    up

    Site-382-831#
    Site-382-831#sho run int tunnel101
    Building configuration...

    Current configuration : 277 bytes
    !
    interface Tunnel101
     description connected to 2nd KC BGP 2821 - PRI-B
     ip address 1.3.82.46 255.255.255.252
     ip mtu 1500
     ip virtual-reassembly
     ip tcp adjust-mss 1360
     keepalive 3 3
     tunnel source Ethernet1
     tunnel destination 208.YY.ZZ.11
    end

    Site-382-831#

    Site-382-831#show crypto isakmp sa
    dst             src             state          conn-id slot status
    208.XX.YY.11    74.WW.XX.35     QM_IDLE             11    0 ACTIVE
    208.YY.ZZ.11    74.WW.XX.35     QM_IDLE             10    0 ACTIVE
    Site-382-831#

    Site-382-831#show crypto isakmp sa detail
    Codes: C - IKE configuration mode, D - Dead Peer Detection
           K - Keepalives, N - NAT-traversal
           X - IKE Extended Authentication
           psk - Preshared key, rsig - RSA signature
           renc - RSA encryption

    C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.
    11    74.WW.XX.35     208.XX.YY.11           ACTIVE 3des sha  psk  1  23:56:09
           Connection-id:Engine-id =  11:2(hardware)
    10    74.WW.XX.35     208.YY.ZZ.11           ACTIVE 3des sha  psk  1  23:56:09
           Connection-id:Engine-id =  10:2(hardware)
    Site-382-831#

    Site-382-831#show crypto ipsec sa

    interface: Ethernet1
        Crypto map tag: IPVPN_MAP, local addr 74.WW.XX.35

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (74.WW.XX.35/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (208.YY.ZZ.11/255.255.255.255/47/0)
       current_peer 208.YY.ZZ.11 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 2333, #pkts encrypt: 2333, #pkts digest: 2333
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 21, #recv errors 0

         local crypto endpt.: 74.WW.XX.35, remote crypto endpt.: 208.YY.ZZ.11
         path mtu 1500, ip mtu 1500, ip mtu idb Ethernet1
         current outbound spi: 0x45047D1D(1157922077)

         inbound esp sas:
          spi: 0x15B97AEA(364477162)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2004, flow_id: C83X_MBRD:4, crypto map: IPVPN_MAP
            sa timing: remaining key lifetime (k/sec): (4486831/1056)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0x45047D1D(1157922077)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2003, flow_id: C83X_MBRD:3, crypto map: IPVPN_MAP
            sa timing: remaining key lifetime (k/sec): (4486744/1056)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (74.WW.XX.35/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (208.XX.YY.11/255.255.255.255/47/0)
       current_peer 208.XX.YY.11 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 2333, #pkts encrypt: 2333, #pkts digest: 2333
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 21, #recv errors 0

         local crypto endpt.: 74.WW.XX.35, remote crypto endpt.: 208.XX.YY.11
         path mtu 1500, ip mtu 1500, ip mtu idb Ethernet1
         current outbound spi: 0xE82A86BC(3895101116)

         inbound esp sas:
          spi: 0x539697CA(1402378186)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2008, flow_id: C83X_MBRD:8, crypto map: IPVPN_MAP
            sa timing: remaining key lifetime (k/sec): (4432595/1039)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0xE82A86BC(3895101116)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2001, flow_id: C83X_MBRD:1, crypto map: IPVPN_MAP
            sa timing: remaining key lifetime (k/sec): (4432508/1039)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE

         outbound ah sas:

         outbound pcp sas:
    Site-382-831#

    Site-382-831#show crypto ipsec sa | inc pkts|life
        #pkts encaps: 2397, #pkts encrypt: 2397, #pkts digest: 2397
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
            sa timing: remaining key lifetime (k/sec): (4486831/862)
            sa timing: remaining key lifetime (k/sec): (4486738/862)
        #pkts encaps: 2397, #pkts encrypt: 2397, #pkts digest: 2397
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
            sa timing: remaining key lifetime (k/sec): (4432595/846)
            sa timing: remaining key lifetime (k/sec): (4432501/846)
    Site-382-831#

    Site-382-831#show crypto isakmp policy

    Global IKE policy
    Protection suite of priority 10
            encryption algorithm:   Three key triple DES
            hash algorithm:         Secure Hash Standard
            authentication method:  Pre-Shared Key
            Diffie-Hellman group:   #1 (768 bit)
            lifetime:               86400 seconds, no volume limit
    Default protection suite
            encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
            hash algorithm:         Secure Hash Standard
            authentication method:  Rivest-Shamir-Adleman Signature
            Diffie-Hellman group:   #1 (768 bit)
            lifetime:               86400 seconds, no volume limit
    Site-382-831#

    Site-382-831#show crypto map
    Crypto Map "IPVPN_MAP" 101 ipsec-isakmp
            Description: to 2nd KC BGP 2821 - PRI-B
            Peer = 208.YY.ZZ.11
            Extended IP access list PRI-B
                access-list PRI-B permit gre host 74.WW.XX.35 host 208.YY.ZZ.11
            Current peer: 208.YY.ZZ.11
            Security association lifetime: 4608000 kilobytes/3600 seconds
            PFS (Y/N): N
            Transform sets={
                    IPVPN,
            }

    Crypto Map "IPVPN_MAP" 201 ipsec-isakmp
            Description: to 2nd Dallas BGP 2821 - SEC-B
            Peer = 208.XX.YY.11
            Extended IP access list SEC-B
                access-list SEC-B permit gre host 74.WW.XX.35 host 208.XX.YY.11
            Current peer: 208.XX.YY.11
            Security association lifetime: 4608000 kilobytes/3600 seconds
            PFS (Y/N): N
            Transform sets={
                    IPVPN,
            }
            Interfaces using crypto map IPVPN_MAP:
                    Ethernet1
    Site-382-831#

    The tunnel configuration between KC & the remote site is:

    Remote c831 - KC

    crypto isakmp policy 10
     encr 3des
     authentication pre-share
    !
    crypto isakmp key PRI-B-382 address 208.YY.ZZ.11
    !
    crypto ipsec transform-set IPVPN esp-3des esp-sha-hmac
     mode transport
    !
    crypto map IPVPN_MAP 101 ipsec-isakmp
     description to 2nd KC BGP 2821 - PRI-B
     set peer 208.YY.ZZ.11
     set transform-set IPVPN
     match address PRI-B
    !
    interface Tunnel101
     description connected to 2nd KC BGP 2821 - PRI-B
     ip address 1.3.82.46 255.255.255.252
     ip mtu 1500
     keepalive 3 3
     ip virtual-reassembly
     ip tcp adjust-mss 1360
     tunnel source Ethernet1
     tunnel destination 208.YY.ZZ.11
    !
    interface Ethernet0
     description private network
     ip address 10.3.82.10 255.255.255.0
     ip mtu 1500
     no shutdown
    !
    interface Ethernet1
     ip address 74.WW.XX.35 255.255.255.248
     ip mtu 1500
     duplex auto
     ip virtual-reassembly
     crypto map IPVPN_MAP
     no shutdown
    !
    ip access-list extended PRI-B
     permit gre host 74.WW.XX.35 host 208.YY.ZZ.11
    !

    KC-2821:

    crypto isakmp key PRI-B-382 address 74.WW.XX.35
    !
    ip access-list extended PRI-B-382
     permit gre host 208.YY.ZZ.11 host 74.WW.XX.35
    !
    crypto map IPVPN_MAP 382 ipsec-isakmp
     description connected to 2nd KC BGP 2821
     set peer 74.WW.XX.35
     set transform-set IPVPN
     match address PRI-B-382
    !
    interface Tunnel382
     description %.
     ip address 1.3.82.45 255.255.255.252
     keepalive 3 3
     ip virtual-reassembly
     ip tcp adjust-mss 1360
     ip mtu 1400
     delay 40000
     tunnel source 208.YY.ZZ.11
     tunnel destination 74.WW.XX.35
    !
    end

    Any help would be much appreciated!

    Mark

    Hello

    In the logs on Site-382-831 I only see encrypts but no decrypts; could you check the corresponding entry on the peer and see if it has any issues sending return traffic?

    Site-382-831#show crypto ipsec sa | inc pkts|life
        #pkts encaps: 2397, #pkts encrypt: 2397, #pkts digest: 2397
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
            sa timing: remaining key lifetime (k/sec): (4486831/862)
            sa timing: remaining key lifetime (k/sec): (4486738/862)
        #pkts encaps: 2397, #pkts encrypt: 2397, #pkts digest: 2397
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
            sa timing: remaining key lifetime (k/sec): (4432595/846)
            sa timing: remaining key lifetime (k/sec): (4432501/846)
    Site-382-831#

    Kind regards

    Averroès.

  • GRE + IPSEC but don't encrypt certain traffic?

    Hello

    I'm banging my head a little here. I want to encrypt all traffic between 2 sites except voice.

    On the Cisco site, it would appear that the "crypto map" command should appear both on the physical interface (in this case the Dialer) and on the Tunnel interface. Why is it necessary on the Tunnel interface?

    I have configured the following:

    !
    class-map match-all telnet
     match protocol telnet
    class-map match-all citrix
     match protocol citrix
    class-map match-all Telnet
     match protocol telnet
    class-map match-all voice-signaling
     match access-group 151
    class-map match-all voice-traffic
     match access-group 150
    !
    !
    policy-map VOICE-POLICY
     class voice-traffic
      priority 96
     class voice-signaling
      bandwidth 8
     class citrix
      bandwidth 24
     class telnet
     class class-default
      fair-queue
    !
    !
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp policy 2
     authentication pre-share
     group 2
    crypto isakmp key 123456 address xxx.xxx.xxx.xxx
    !
    !
    crypto ipsec transform-set peter-set esp-des esp-sha-hmac
    crypto ipsec transform-set DYNA-3DES esp-3des esp-md5-hmac
    !
    crypto dynamic-map dynamap 10
     set transform-set DYNA-3DES
    !
    !
    crypto map xxxx local-address Dialer1
    crypto map XXXXX ipsec-isakmp
     set peer xxx.xxx.xxx.xxx
     set transform-set peter-set
     match address vpn
     qos pre-classify
    crypto map PeterHomemap 40 ipsec-isakmp dynamic dynamap
    !
    !
    !
    interface Tunnel1
     description Tunnel to the office
     bandwidth 256
     ip address 10.10.20.2 255.255.255.0
     qos pre-classify
     keepalive 10 3
     tunnel source Dialer1
     tunnel destination xxx.xxx.xxx.xxx
    !
    interface Dialer1
     bandwidth 256
     ip address negotiated
     ip access-group in
     ip mtu 1458
     ip nat outside
     ip inspect myfw out
     encapsulation ppp
     load-interval 30
     dialer pool 1
     dialer-group 1
     crypto map PeterHomemap
     service-policy output VOICE-POLICY
     hold-queue 224 in
    !
    ip access-list extended vpn
     deny udp 192.168.9.0 0.0.0.255 192.168.0.0 0.0.255.255 range 16384 32767
     deny tcp 192.168.9.0 0.0.0.255 eq 1720 any
     deny tcp 192.168.9.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 1720
     permit gre host 10.10.20.2 host 10.10.20.1
     permit gre host hote.yyy host xxx.xxx.xxx.xxx
    !
    access-list 150 remark Match all voice traffic
    access-list 150 permit udp any any range 16384 37276
    access-list 151 remark Match all voice traffic
    access-list 151 permit tcp any eq 1720 any
    access-list 151 permit tcp any any eq 1720

    Can anyone suggest a better way to accomplish encrypting only the non-voice traffic, and also, if an expert out there can explain the crypto map on the Tunnel interface thing, that would be great!

    Thank you

    Peter.

    Let me explain the whole thing in its entirety.

    You have a public IP address at either site and you form a GRE tunnel to route your private IPs over the GRE tunnel. This traffic includes voice and data. Then create your IPSec policy to match only the traffic to be encrypted (you know, explicitly deny the telephone traffic) and apply the crypto map on the tunnel. That should set up the IPSec VPN for you. This is the best way to do it as far as I am concerned (I did it in one case as well).

    Instead of carrying all the traffic through one IPSec VPN and data over GRE, in my opinion you can send voice traffic over plain GRE and encrypt the data traffic with IPSec over GRE.

    Hope that clarifies.

  • GRE tunnels and non-GRE

    I am doing a test vpn on a router to an ASA 18xx.

    The existing router already has 3 site-to-site VPNs. They use GRE tunnels. I would like to add another site-to-site VPN but without using GRE tunnels.

    I only have one output interface, which has the GRE crypto map applied. If I add it to the existing crypto map, it will try to go through the GRE tunnel.

    Is there a way I can get this to work?

    This part of the config seems to be OK.

    You need to find out why the tunnel to peer X.X.X.44 is not building.

    Check ACL 180 and also make sure that you are not blocking that traffic in AL-FA0-IN.

    I see you do NAT on fa0 - probably you have to exclude that VPN traffic from NAT.

    ---

    Michal

  • ip route command with a GRE tunnel

    Hello world

    I have set up a GRE lab between routers R1 and R3.

    R1 is connected to R2 using OSPF and R2 is connected to R3 using OSPF.

    I have configured a GRE tunnel interface on R1 and R3.

    R1 has an internal subnet, say 100.x.x.x, to share with R3.

    R3 has an internal LAN subnet, say 101.x.x.x, to share with R1.

    Interesting traffic through the GRE tunnel is from the 100.x.x.x and 101.x.x.x subnets.

    Tunnel config of R1

    R1# sh run int tunnel 0
    Building configuration...

    Current configuration: 168 bytes
    !
    interface Tunnel0
     ip address 13.13.13.1 255.255.255.0
     keepalive 3
     cdp enable
     tunnel source Loopback0
     tunnel destination 20.0.0.1
     tunnel path-mtu-discovery

    Tunnel config of R3

    R3# sh run int tunnel 0
    Building configuration...

    Current configuration: 158 bytes
    !
    interface Tunnel0
     ip address 13.13.13.3 255.255.255.0
     keepalive 3 1
     tunnel source Loopback0
     tunnel destination 10.0.0.1
     tunnel path-mtu-discovery

    So my question is: instead of using routing protocols to advertise the LAN subnets of R1 and R3, can static routes be used?

    For example,

    if I use static routes, say on R1:

    ip route 101.101.101.101 255.255.255.255 ?

    What should be the next hop IP here?

    The tunnel interface of router R3, or the physical interface of R3 which connects to R2?

    Then the same way I can use static routes on R3, right?

    Thank you

    Mahesh

    Hello Manu,

    You can use the IP address as long as the tunnel IP addresses on both sides are in the same subnet. So in your case, you can use

    !
    ip route 101.101.101.101 255.255.255.255 13.13.13.3
    !

    Or you can use the tunnel interface

    !
    ip route 101.101.101.101 255.255.255.255 Tunnel0
    !

    Although I have seen problems in some cases when the interface name is used instead of the tunnel IP.

    Please rate this post if helpful.

    Thank you

    André
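    As an added example (not from this thread), the two static routes from the answer above written out on both ends, using the tunnel addressing from Mahesh's config and constructed LAN prefixes 100.100.100.0/24 (behind R1) and 101.101.101.0/24 (behind R3). What it adds is the recursive-routing check: only the LAN prefixes may point into the tunnel, never the tunnel destination itself.

```cisco
! R1 (tunnel 13.13.13.1/24, tunnel destination 20.0.0.1 is learned from R2 via OSPF)
! Remote LAN via the far-end tunnel IP, as in the answer.
ip route 101.101.101.0 255.255.255.0 13.13.13.3

! R3 (tunnel 13.13.13.3/24, tunnel destination 10.0.0.1 learned from R2 via OSPF)
ip route 100.100.100.0 255.255.255.0 13.13.13.1

! Do NOT add anything like the following on R1. If 20.0.0.1 (the tunnel
! destination) became reachable through Tunnel0, GRE would try to
! encapsulate its own packets; IOS logs "%TUN-5-RECURDOWN" and the tunnel
! flaps until the bad route is gone.
!   ip route 20.0.0.0 255.0.0.0 Tunnel0      <-- recursive routing, never do this

! Checks on R1 after configuring:
!   show ip route 101.101.101.1            -> next hop 13.13.13.3 via Tunnel0
!   show ip route 20.0.0.1                 -> must NOT resolve via Tunnel0
!   show interfaces tunnel 0 | include line protocol   -> "line protocol is up"
!   ping 101.101.101.1 source 100.100.100.1 (LAN-to-LAN reachability over the tunnel)
```

    With OSPF only between R1-R2-R3 and static routes for the LANs, the OSPF routes must stay more specific (or at least separate) from the tunnel destinations; if either loopback ever gets advertised across the tunnel instead of across R2, the recursive-routing condition above is the result.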

  • Questions about Internet browsing over a GRE/IPSec tunnel

    I am facing Internet browsing problems when the customer's Internet traffic is sent through the tunnel. mail.yahoo.com does not open on the client, while yahoo.com works very well. Likewise, streaming and Apple apps do not work on iPhone, but traffic destined for the data center works very well. If I remove the IPSec protection from the GRE tunnel then everything works fine.

    Please advise what to do; I have attached a diagram of the scenario.

    Hello

    It is difficult to say, but an MTU issue could be the reason for the problem.

    Do you have the ip tcp adjust-mss command on both tunnel interfaces?

    If not, please try to add:

    interface Tunnel X
     ip tcp adjust-mss 1300

    If it helps, you can try to increase the MSS value from 1300 to 1360 (which is recommended by Cisco).
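    As an added example (not part of the thread), the tunnel settings that usually fix the symptom described above, on both ends of the tunnel. The Tunnel0 name and the 1400/1360 values are assumptions taken from the common Cisco guidance for GRE over IPsec; the symptom (small pages load, large responses stall) is the classic sign that ICMP "fragmentation needed" is being dropped somewhere and path MTU discovery cannot work.

```cisco
! Before (weak): default tunnel MTU, no MSS clamping. Full-size 1500-byte
! packets from the LAN plus GRE and ESP headers exceed the outside MTU;
! if the ICMP "fragmentation needed" replies are filtered, large TCP
! responses (TLS pages, streaming) never arrive while small ones do.
interface Tunnel0
 ip address 192.168.200.2 255.255.255.0
 tunnel source FastEthernet0
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile GRE-PROT

! After (hardened): leave room for GRE + IPsec overhead and clamp the TCP MSS
! so hosts never build segments that need fragmentation in the first place.
! Apply the same two lines on the far-end tunnel interface too.
interface Tunnel0
 ip mtu 1400             ! ~100 bytes headroom for outer IP + GRE + ESP/auth
 ip tcp adjust-mss 1360  ! 1400 - 20 (IP) - 20 (TCP); the value Cisco recommends
 tunnel path-mtu-discovery

! Verification:
!   show interfaces tunnel 0 | include MTU           -> "MTU 1400"
!   show run interface tunnel 0 | include adjust-mss
!   ping <remote tunnel ip> size 1400 df-bit         -> must succeed
!   ping <remote tunnel ip> size 1500 df-bit         -> expected to fail (DF set)
```

    MSS clamping only helps TCP; UDP-based streaming still relies on the reduced ip mtu and on the tunnel fragmenting (or the application keeping datagrams small), which is why the mtu line matters as much as the adjust-mss line.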

  • IGP and GRE Tunnel

    Please see the diagram above: two sites connected using Fa 0/1 on R1 and R2, and a GRE tunnel is formed.

    Case 1:

    We have a point-to-point connection between two routers and the IP addresses assigned to Fa 0/1 on R1 and R2 belong to the same subnet. We then configure a GRE tunnel on these as indicated in the topology:

    • Using an IGP such as EIGRP or OSPF we can peer routers R1 and R2 using both the tunnel and the point-to-point connection.
    • This will make redundant paths between the two routers.
    • This will form a double neighbor relationship between the two routers (for example for EIGRP or OSPF).
    • Or we can use just the tunnel for the exchange of traffic between the two routers.

    My Question:

    1. What is the standard in this topology: using the two connections for IGP peering, or just the tunnel, in the real world?
    2. What is the standard in this topology: using the two connections for IGP peering, or just the tunnel, in an exam?

    Case 2:

    If Fa 0/1 on both routers have public IPs and in fact do not belong to the same subnet, then I think we have to create a tunnel between the two routers and then use the tunnel for IGP peering between both routers.

    My Question:

    • I just want to know whether this is a valid case and also whether we get this case in an exam?

    Please comment freely on both cases; I just created these two cases to clear my mind.

    Basically the tunnel is a virtual point-to-point link between two routers. When you have two routers physically connected by a point-to-point link, the tunnel has no utility, but if you have two routers separated by many network hops then a GRE and IPsec tunnel is useful, and in this case the tunnel gives you the ease of a logical point-to-point network.

    In the tunnel you can run any routing protocol (OSPF, EIGRP, BGP or similar) or static routes, as on a point-to-point interface between two routers.

    Answers to your questions, in my opinion, are as below.

    Case 1

    1. What is the standard in this topology: using the two connections for IGP peering, or just the tunnel, in the real world? - No use of the tunnel in this case in the real world, so you would use any routing protocol between the physical point-to-point interfaces.
    2. What is the standard in this topology: using the two connections for IGP peering, or just the tunnel, in an exam? - Same as the above point; exams are mostly based on real-world scenarios (not sure which exam you are talking about).

    Case 2

    • I just want to know whether this is a valid case and also whether we get this case in an exam? - Yes, this is valid in the real world, and also in exams, especially DMVPN and IPsec tunnels in the CCIE exam.

    Please always rate useful posts!

    Kind regards

    Pawan (CCIE # 52104)

  • VPN3000 as an end of a GRE tunnel

    Dear all,

    Is it possible for a VPN3000 to terminate a GRE tunnel on its own interface (private or public)? As far as I can see in the GUI, there seems to be no option to configure one end of a GRE tunnel. You can configure a GRE filter, but that is for GRE traffic passing through, am I right?

    Best regards

    Engel

    Engel,

    You cannot terminate a GRE LAN-to-LAN tunnel on a concentrator (as in IOS). The PPTP protocol uses GRE as the transport protocol, which the VPN3K concentrator supports (hence the filters and debugs for GRE).

    Hope that answers your question

    Jean Marc

  • GRE tunnels

    I have a Cisco 2811 router configured with a GRE tunnel, and I want to add another tunnel to another remote site. This is the first tunnel's configuration:

    interface Tunnel1
     ip address 10.1.1.1 255.255.255.252
     ip access-group 10 out
     ip nat inside
     ip virtual-reassembly
     keepalive 10 3
     tunnel source Vlan1
     tunnel destination xxx.xxx.xxx.xxx
     crypto map IPSEC_VPN

    I have some doubts about which subnet to configure for the second tunnel.

    In the existing tunnel, the IP address is 10.1.1.1 and the mask is 255.255.255.252, so the subnet is 10.1.1.0. I guess I have to configure another, different subnet (i.e. 10.1.2.0) for the second tunnel, but what IP address and mask, 10.1.2.1 255.255.255.0?

    When a PC from the router's local network tries to connect to the remote router using the tunnel, what IP address does it use?

    Thanks and greetings

    You're wrong; your PCs need a default gateway route pointing at the router. A default route is a route that defines that all unknown IP traffic must be forwarded to the next hop defined in the default route.

  • Can I weight IPSec tunnels between ASAs?

    Hello

    Remote site: NYC Internet link, 150 Mb/s

    Local site: Baltimore Internet link, 400 Mb/s

    Backup site: Washington Internet link, 200 Mb/s

    My main site and my backup site are connected via a gigabit Ethernet circuit between the respective site core switches.  Each site has its own Internet connection and my OSPF allows switching their traffic to the backup site if the main site is down.  We are opening an office in New York with a single ASA connected to a 150 Mbps FIOS Internet circuit.  We want to set up an IPSec tunnel to the main site and a backup one from the remote site, but want the remote site to prefer the Baltimore tunnel unless it is down.

    Interesting traffic would be the same for the two tunnels.

    I know that an ASA cannot be a GRE endpoint.  How can I force the New York traffic through the Baltimore tunnel as long as it works?  Can an IPSec tunnel be weighted?

    Thank you

    It is not weighting as such, but you can configure up to 10 backup LAN-to-LAN IPsec VPN peers.

    For each tunnel, the security appliance tries to negotiate with the first peer in the list. If this peer does not respond, the security appliance works its way down the list until a peer responds or there are no more peers in the list.

    Reference.
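    As an added example (not from the thread), the backup-peer configuration the answer above describes, written for the New York ASA in ASA 8.4+ syntax. Peer addresses (Baltimore 198.51.100.1, Washington 203.0.113.1), the NYC LAN 10.30.0.0/24, the HQ range 10.0.0.0/16 and the object and map names are all constructed; the pre-shared key is a placeholder. The part the answer leaves implicit is dead-peer detection: without keepalives the ASA does not notice that Baltimore is gone and never moves to the second peer.

```cisco
! Interesting traffic: identical for both peers, which is what allows one crypto
! map entry with an ordered peer list instead of two separate entries.
access-list L2L-HQ extended permit ip 10.30.0.0 255.255.255.0 10.0.0.0 255.255.0.0

! IKEv1 policy and transform set (assumed values; pick what both HQ ASAs support)
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac

! One map entry, two peers in preference order: Baltimore first, Washington only
! if Baltimore does not answer.
crypto map outside_map 10 match address L2L-HQ
crypto map outside_map 10 set peer 198.51.100.1 203.0.113.1
crypto map outside_map 10 set ikev1 transform-set TS-AES256-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside

! One tunnel-group per peer. The "isakmp keepalive" line is the failover trigger:
! DPD is what makes the ASA declare Baltimore dead and retry with Washington.
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-STRONG-PSK
 isakmp keepalive threshold 10 retry 2
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-STRONG-PSK
 isakmp keepalive threshold 10 retry 2

! NAT exemption so VPN traffic keeps its private addresses (8.3+ twice NAT)
object network NYC-LAN
 subnet 10.30.0.0 255.255.255.0
object network HQ-NETS
 subnet 10.0.0.0 255.255.0.0
nat (inside,outside) source static NYC-LAN NYC-LAN destination static HQ-NETS HQ-NETS no-proxy-arp route-lookup

! Checks:  show crypto ikev1 sa          -> which peer the SA is currently with
!          show crypto ipsec sa peer 198.51.100.1
```

    Both HQ ASAs need the mirror image (the NYC peer, the reversed crypto ACL and their own NAT exemption), and the gigabit link plus OSPF between Baltimore and Washington has to carry 10.30.0.0/24 so return traffic reaches whichever ASA currently holds the tunnel. Note also that the ASA does not preempt: once the tunnel has moved to Washington it stays there until that tunnel drops, so a return to Baltimore is not automatic.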

  • NAT & GRE Tunnel

    Hello

    I have a test setup of 2 routers with a GRE tunnel which works very well in the test configuration. My question is, if I transfer this config to production, how would I exempt traffic over the GRE tunnel from being NATted? Everything else, i.e. traffic destined for the Internet, should be NATted to the external interface. Would I need a route map for this?

    Thank you

    R1
    --
    interface Tunnel0
     ip address 192.168.200.2 255.255.255.0
     ip ospf network broadcast
     keepalive 10 3
     tunnel source FastEthernet0
     tunnel destination 1.1.1.1
     crypto map mymap

    interface FastEthernet0
     description Outside Interface
     ip address 1.1.1.2 255.255.255.0
     speed auto
     crypto map mymap

    R2
    --
    interface Tunnel1
     ip address 192.168.200.1 255.255.255.0
     ip ospf network broadcast
     keepalive 10 3
     tunnel source FastEthernet0
     tunnel destination 1.1.1.2
     crypto map mymap

    interface FastEthernet0
     description Outside Interface
     ip address 1.1.1.1 255.255.255.0
     speed auto
     crypto map mymap

    Yes you are right.
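    As an added example (not part of the thread), the route-map NAT exemption the question asks about, applied to R1 from the config above. The LAN interface FastEthernet1 with 10.1.0.0/24, the remote LAN 10.2.0.0/24 behind R2 and the ACL/route-map names are constructed for the example. The same result can be had with a plain "ip nat inside source list" whose ACL carries the deny line; the route-map form is shown because it is what was asked.

```cisco
! R1: everything from the LAN is PATed to FastEthernet0 EXCEPT site-to-site
! traffic, which must keep its private addresses so R2's routes and the
! crypto ACL still match it.
ip access-list extended NAT-TRAFFIC
 deny   ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255   ! LAN-to-LAN over the tunnel: never translate
 permit ip 10.1.0.0 0.0.0.255 any                  ! everything else: Internet-bound, PAT it
!
route-map NAT-POLICY permit 10
 match ip address NAT-TRAFFIC
!
ip nat inside source route-map NAT-POLICY interface FastEthernet0 overload
!
interface FastEthernet1
 description Inside LAN
 ip address 10.1.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0
 description Outside Interface
 ip address 1.1.1.2 255.255.255.0
 ip nat outside
 crypto map mymap
!
! Tunnel0 keeps its config from the thread and gets neither "ip nat inside"
! nor "ip nat outside". The GRE packets it produces are router-originated
! (source 1.1.1.2), so inside-source NAT never touches them; the deny line
! above protects the inner LAN-to-LAN packets if the tunnel is ever marked
! nat inside, as in the 2811 config earlier on this page.
!
! Checks after a ping from 10.1.0.10 to 10.2.0.10 and a web request to the Internet:
!   show ip nat translations            -> entries for Internet flows only, none to 10.2.0.0/24
!   show access-lists NAT-TRAFFIC       -> the deny line's match counter is increasing
!   debug ip nat (briefly, in a lab)    -> no translation logged for 10.2.0.0/24 destinations
```

    The order inside the ACL is the whole point: NAT evaluates it top down, so the deny for the remote LAN has to precede the broad permit, and it should be updated every time a new tunnel destination is added, otherwise the new site's traffic silently gets PATed and the crypto ACL on the far side stops matching it.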
