IPSEC Routing Issue

I apologize if this is posted in the wrong location. I'm standing up an IPSEC tunnel between two sites. Eventually all sites will use the head end as a backup connection. The tunnel establishes but I'm not seeing an OSPF adjacency nor can I ping the IP of the tunnel on either side. I see that the head end is receiving packets but isn't responding. The route for the far end IP appears to be correct on the head end. I don't see anything else wrong, no errors. Any ideas?

RJI (VIP Advisor)

Re: IPSEC Routing Issue

Hi,

On the far-end router you should modify the configuration as follows:

interface tunnel 1
 no tunnel destination
 tunnel mode gre multipoint

You may also want to add "ip ospf hello-interval 30" on each router's tunnel interface.

HTH

Beginner

Re: IPSEC Routing Issue

I made the changes... same result as before.

RJI (VIP Advisor)

Re: IPSEC Routing Issue

Upload "show dmvpn" and "show ip ospf neig" from both routers.
Beginner

Re: IPSEC Routing Issue

Interesting: as you can see, on the head end there isn't any DMVPN information. But the far end shows peer information.

Headend:

headvpn.PNG

Farend:

farvpn.PNG

RJI (VIP Advisor)

Re: IPSEC Routing Issue

Can you post your updated configuration, please?
Beginner

Re: IPSEC Routing Issue

I have a duplicate thread. Made a rookie mistake posting in two different places. Here is the link to the other thread. Updated configs are attached.

https://community.cisco.com/t5/routing/routing-over-gre-ipsec-tunnel/m-p/3785459#M308139

Beginner

Re: IPSEC Routing Issue

Adding the headend config

RJI (VIP Advisor)

Re: IPSEC Routing Issue

Shutdown tunnel interface, remove tunnel destination and add "tunnel mode gre multipoint", no shut tunnel interface

You've also got different tunnel keys; remove the key, you shouldn't need it in your scenario.
Beginner

Re: IPSEC Routing Issue

tunnel mode gre multipoint was already configured, but I did remove the key on both ends and now I have an OSPF adjacency. Thank you very much.

Farend tunnel config:
interface Tunnel1
bandwidth 20000
ip address 10.192.0.254 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication VCbh1q93
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 600
ip nhrp redirect
ip policy route-map VPN-Internal
ip ospf network broadcast
ip ospf hello-interval 30
ip ospf priority 2
ip ospf mtu-ignore
delay 1000
tunnel source GigabitEthernet0/0/1
tunnel mode gre multipoint
tunnel protection ipsec profile vpnprof


Head end tunnel config:
interface Tunnel1
bandwidth 20000
ip address 10.192.0.17 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication VCbh1q93
ip nhrp map 10.192.0.254 111.111.111.237
ip nhrp map multicast 111.111.111.237
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp nhs 10.192.0.254
ip ospf network broadcast
ip ospf hello-interval 30
ip ospf priority 2
delay 1000
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
tunnel protection ipsec profile vpnprof
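
The fix in this thread was a tunnel key that differed between the two ends. The following Python script is an added example, not part of the thread and not Cisco tooling: it compares one tunnel interface across two saved configs and reports settings that disagree. The function names, the `MUST_MATCH` list, and the sample configs (with made-up key values and NHRP string) are assumptions for illustration.

```python
import re

# Tunnel-interface settings that should agree on both ends for GRE, NHRP and
# OSPF to work. A setting absent on both sides counts as agreeing.
MUST_MATCH = ("tunnel key", "ip nhrp authentication", "ip ospf network",
              "ip ospf hello-interval", "ip mtu")

def tunnel_settings(config, interface="Tunnel1"):
    """Return {setting: value} for MUST_MATCH lines under one interface."""
    want = interface.replace(" ", "").lower()
    settings, inside = {}, False
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"interface\s+(.+)", line, re.I)
        if header:  # new interface section: is it the one we want?
            inside = header.group(1).replace(" ", "").lower() == want
        elif inside:
            for key in MUST_MATCH:
                if line.startswith(key + " "):
                    settings[key] = line[len(key):].strip()
    return settings

def mismatches(config_a, config_b, interface="Tunnel1"):
    """Return {setting: (value_a, value_b)} for every setting that differs."""
    a = tunnel_settings(config_a, interface)
    b = tunnel_settings(config_b, interface)
    return {k: (a.get(k), b.get(k)) for k in MUST_MATCH if a.get(k) != b.get(k)}

# Constructed sample input: trimmed tunnel configs with made-up key values and
# NHRP string. The physical interface shows that only Tunnel1 is compared.
FAR_END = """\
interface Tunnel1
 ip mtu 1400
 ip nhrp authentication EXAMPLE1
 ip ospf network broadcast
 ip ospf hello-interval 30
 tunnel mode gre multipoint
 tunnel key 100
interface GigabitEthernet0/0/1
 ip mtu 1500
"""
HEAD_END = FAR_END.replace("tunnel key 100", "tunnel key 200")

if __name__ == "__main__":
    for name, (far, head) in mismatches(FAR_END, HEAD_END).items():
        print(f"MISMATCH {name}: far end {far!r}, head end {head!r}")
```

A key configured on only one side is reported as well, with `None` for the side that lacks it.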