12-11-2012 06:40 AM - edited 03-04-2019 06:22 PM
Hello,
I created a VPN tunnel between our router (2800) and the Amazon Cloud. The tunnel is fine, but when I try to enter the routing for the network in the cloud, the entry does not show up in the routing table although it shows up when I run sh run | i ip route. I heard this could happen when there is a directly connected route that overlaps the route being added, but I don't believe that is the case here. Here is the routing table:
Gateway of last resort is 108.48.76.1 to network 0.0.0.0
50.0.0.0/28 is subnetted, 1 subnets
C 50.76.16.192 is directly connected, GigabitEthernet0/0.100
169.254.0.0/30 is subnetted, 2 subnets
C 169.254.255.0 is directly connected, Tunnel1
C 169.254.255.4 is directly connected, Tunnel2
157.130.0.0/30 is subnetted, 1 subnets
C 157.130.45.232 is directly connected, MFR0.500
65.0.0.0/24 is subnetted, 1 subnets
C 65.196.96.0 is directly connected, GigabitEthernet0/0.10
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.10.2.0/24 is directly connected, GigabitEthernet0/1
S 10.10.5.0/24 [1/0] via 10.10.2.2
C 10.0.0.0/24 is directly connected, Loopback0
S 10.200.0.0/14 [1/0] via 10.10.2.2
108.0.0.0/24 is subnetted, 1 subnets
C 108.48.76.0 is directly connected, GigabitEthernet0/0.1000
S* 0.0.0.0/0 [1/0] via 108.48.76.1
The network I am trying to add is 10.208.0.0/16 on interface Tunnel1.
12-11-2012 07:24 AM
Is the tunnel up/up?
The tunnel interface (and associated routes) will act just like any other: if the interface is down, then the route will not appear in the routing table.
-Mitch
12-11-2012 07:31 AM
Yes, the tunnel is up/up; sh cry isa sa shows state QM_IDLE and status active. There have been no packets in or out.
12-11-2012 07:37 AM
Would you mind posting the rest of your config? If not all, I'd like to see the crypto map/VTI and all associated ACLs, NAT statements and IKE/IPSec info.
12-11-2012 07:57 AM
Here is the crypto map:
Crypto Map "Tunnel1-head-0" 65536 ipsec-isakmp
Profile name: ipsec-vpn-b5b756dc-0
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): Y
DH group: group2
Transform sets={
ipsec-prop-vpn-b5b756dc-0,
}
Crypto Map "Tunnel1-head-0" 65537 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 72.21.209.224
Extended IP access list
access-list permit ip any any
Current peer: 72.21.209.224
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): Y
DH group: group2
Transform sets={
ipsec-prop-vpn-b5b756dc-0,
}
Always create SAs
Interfaces using crypto map Tunnel1-head-0:
Tunnel1
Crypto Map "Tunnel2-head-0" 65536 ipsec-isakmp
Profile name: ipsec-vpn-b5b756dc-1
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): Y
DH group: group2
Transform sets={
ipsec-prop-vpn-b5b756dc-1,
}
Crypto Map "Tunnel2-head-0" 65537 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 72.21.209.192
Extended IP access list
access-list permit ip any any
Current peer: 72.21.209.192
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): Y
DH group: group2
Transform sets={
ipsec-prop-vpn-b5b756dc-1,
}
Always create SAs
Interfaces using crypto map Tunnel2-head-0:
Tunnel2
No ACLs or NAT statements associated with this. What IKE/IPSec info?
12-12-2012 06:01 AM
Never mind, it was the track that was screwing things up.