07-07-2008 10:33 AM - edited 03-03-2019 10:37 PM
I am having an issue trying to set up a site-to-site tunnel using IPsec over GRE. I think I have everything set up, but I still can't access the private IP space on the other side of tunnel 1. Can someone take a look at it? I have been beating my brains out for a while. Attached is my config.
The issue is with tunnel 1. Everything is fine with tunnel0; tunnel 1 is giving me the problems. I just can't access anything on the 10.118.x.x network on the other side of t1.
My config is attached.
07-07-2008 11:10 PM
Hi Drummond,
Can you pls reattach the config? This time just copy the sh run from the CLI directly to a fresh Notepad. Pls do use tftp; it is not opening up properly.
I would also request you to attach a sh ip route for the 10.118.x.x segment and also a sh cry isa sa output.
Thanks.
07-07-2008 11:31 PM
Hi,
Try to open it with WordPad instead of Notepad.
Krisztian
07-08-2008 09:06 AM
07-08-2008 09:52 AM
sh cry isa sa:
dst          src          state         conn-id  slot  status
x.y.203.4    a.b.180.83   MM_KEY_EXCH   2082     0     ACTIVE
x.y.203.4    a.b.180.83   MM_NO_STATE   2081     0     ACTIVE (deleted)
sh ip route 10.118.114.0
Routing entry for 10.118.144.0/20
Known via "static", distance 1, metric 0
Redistributing via ospf 11
Routing Descriptor Blocks:
* 172.16.100.1
Route metric is 0, traffic share count is 1
07-07-2008 11:24 PM
Hi,
Is the IPSec up at all?
You are referring to ipsec profile tunnel1 but there is only tunnel1-loh configured.
Let's check whether the tunnel itself is up, and after that the IPSec. If both are, you can further investigate the ACLs, routing, etc.
Hope it helps, rate if it does.
Krisztian
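The mismatch pointed out in this reply can be checked mechanically. The following is an added example, not part of the thread and not Cisco code: a small Python lint that lists interfaces whose "tunnel protection ipsec profile" line names a profile with no matching "crypto ipsec profile" definition. The sample configuration is constructed; only the names tunnel1 and tunnel1-loh come from the thread.

```python
import re

# Constructed sample (not the poster's config); only the profile names
# tunnel1 and tunnel1-loh come from the thread.
SAMPLE_CONFIG = """\
crypto ipsec transform-set tr-transport-aes-sha esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile tunnel0
 set transform-set tr-transport-aes-sha
!
crypto ipsec profile tunnel1-loh
 set transform-set tr-transport-aes-sha
!
interface Tunnel0
 tunnel protection ipsec profile tunnel0
!
interface Tunnel1
 tunnel protection ipsec profile tunnel1
!
"""

DEFINE_RE = re.compile(r"^crypto ipsec profile (\S+)")
IFACE_RE = re.compile(r"^interface (\S+)")
USE_RE = re.compile(r"^\s+tunnel protection ipsec profile (\S+)")


def find_profile_mismatches(config_text):
    """Return (dangling, unused): (interface, profile) pairs that reference an
    undefined profile, and defined profiles that no interface applies."""
    defined, used, iface = set(), [], None
    for line in config_text.splitlines():
        if m := DEFINE_RE.match(line):
            defined.add(m.group(1))
            iface = None
        elif m := IFACE_RE.match(line):
            iface = m.group(1)
        elif (m := USE_RE.match(line)) and iface:
            used.append((iface, m.group(1)))
        elif line and not line[0].isspace():
            iface = None  # any other top-level line (incl. "!") ends the block
    dangling = [(i, p) for i, p in used if p not in defined]
    unused = sorted(defined - {p for _, p in used})
    return dangling, unused


if __name__ == "__main__":
    print(find_profile_mismatches(SAMPLE_CONFIG))
```

A dangling reference paired with an unused profile of a similar name, as in this sample, usually points to a renamed or mistyped profile rather than a missing one.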
07-08-2008 01:38 AM
Hi,
Thanks, Kerek. That helped.
I believe Kerek is right; you need to check if IPSEC is up at all. I do not see any match statements for "vpn-dynamic" in the configuration part below.
crypto dynamic-map vpn-dynamic 10
set transform-set tr-transport-aes-sha tr-transport-3des-sha
In this config I find you are using NHSRP. If you are using NHSRP, you can use the "tunnel mode gre multipoint" command on the existing Tunnel 0 interface.
This will help you establish point-to-multipoint IPSEC over GRE.
07-08-2008 09:48 AM
Tunnel0 isn't the one I am worried about... I can get traffic in and out of that one just fine. It's tunnel1.
07-08-2008 05:15 AM
Oops, I was trying to sanitize my config to remove public IPs, passwords, etc. I will fix and repost.