12-14-2021 03:09 AM - last edited on 12-14-2021 05:41 AM by Translator
Hello troubleshooters!
I am facing a problem while performing IPsec over GRE. On both routers, HQ & BR, the tunnels are up but the protocol is down. The configuration is all right from my side.
NOTE: The topology is attached below.
CONFIGURATION
ISP
ISP(config)#do sh run
Building configuration...
Current configuration : 1040 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname ISP
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 3.3.3.1 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet0/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
ip address 6.6.6.1 255.255.255.0
speed auto
duplex auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 3.3.3.2
ip route 0.0.0.0 0.0.0.0 6.6.6.2
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
HQ
HQ(config)#do sh run
Building configuration...
Current configuration : 1503 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname HQ
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key admin address 6.6.6.2
!
!
crypto ipsec transform-set adminset esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile SECURE
set transform-set adminset
!
!
!
!
!
!
!
interface Tunnel1
ip address 172.12.12.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 172.12.12.2
tunnel protection ipsec profile SECURE
!
interface FastEthernet0/0
ip address 3.3.3.2 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet0/1
ip address 192.168.10.1 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
!
router eigrp 1
network 172.12.12.0 0.0.0.255
network 192.168.10.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 6.6.6.0 255.255.255.0 3.3.3.1
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
BR
BR(config)#do sh run
Building configuration...
Current configuration : 1503 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname BR
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key admin address 3.3.3.2
!
!
crypto ipsec transform-set adminset esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile SECURE
set transform-set adminset
!
!
!
!
!
!
!
interface Tunnel1
ip address 172.12.12.2 255.255.255.0
tunnel source FastEthernet1/1
tunnel destination 172.12.12.1
tunnel protection ipsec profile SECURE
!
interface FastEthernet0/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet0/1
ip address 192.168.20.1 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
ip address 6.6.6.2 255.255.255.0
speed auto
duplex auto
!
!
router eigrp 1
network 172.12.12.0 0.0.0.255
network 192.168.20.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 3.3.3.0 255.255.255.0 6.6.6.1
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
Accepted Solutions
12-14-2021 03:37 AM
Hello
Your tunnel destination should not be the tunnel interface IP of the opposite router; it should point to the ISP-routable address of its peer.
Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.
Kind Regards
Paul

12-14-2021 03:52 AM - last edited on 12-14-2021 05:42 AM by Translator
Hello,
make the changes marked in bold:
HQ
interface Tunnel1
ip address 172.12.12.1 255.255.255.0
tunnel source FastEthernet0/0
--> tunnel destination 6.6.6.2
tunnel protection ipsec profile SECURE
BR
interface Tunnel1
ip address 172.12.12.2 255.255.255.0
tunnel source FastEthernet1/1
--> tunnel destination 3.3.3.2
tunnel protection ipsec profile SECURE
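
As an added illustration of the fix given in the replies (not code from the thread's participants), this Python check parses an IOS configuration and flags a tunnel whose destination lies inside the tunnel's own subnet or has no matching ISAKMP pre-shared key peer. The sample text is constructed from the HQ lines posted above; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: HQ's ISAKMP key line and Tunnel1 stanza as posted in the question.
HQ_BEFORE = """\
crypto isakmp key admin address 6.6.6.2
!
interface Tunnel1
ip address 172.12.12.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 172.12.12.2
tunnel protection ipsec profile SECURE
!
"""
# The same stanza with the change from the replies applied.
HQ_AFTER = HQ_BEFORE.replace("destination 172.12.12.2", "destination 6.6.6.2")


def tunnel_stanzas(config):
    """Map each Tunnel interface name to its sub-commands (indentation is optional)."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            name = line.split()[1]
            current = stanzas.setdefault(name, []) if name.startswith("Tunnel") else None
        elif line == "!":
            current = None
        elif current is not None:
            current.append(line)
    return stanzas


def check_tunnels(config):
    """Return findings for tunnels whose destination cannot be a valid underlay peer."""
    psk_peers = set(re.findall(r"^\s*crypto isakmp key \S+ address (\S+)", config, re.M))
    findings = []
    for name, lines in tunnel_stanzas(config).items():
        body = "\n".join(lines)
        addr = re.search(r"^ip address (\S+) (\S+)", body, re.M)
        dest = re.search(r"^tunnel destination (\d+\.\d+\.\d+\.\d+)$", body, re.M)
        if not (addr and dest):
            continue  # unnumbered tunnel or hostname destination: out of scope here
        overlay = ipaddress.ip_interface(f"{addr.group(1)}/{addr.group(2)}").network
        dst = ipaddress.ip_address(dest.group(1))
        if dst in overlay:
            findings.append(f"{name}: destination {dst} is inside the tunnel subnet {overlay}")
        if "tunnel protection ipsec" in body and str(dst) not in psk_peers:
            findings.append(f"{name}: no ISAKMP pre-shared key configured for peer {dst}")
    return findings
```

Running `check_tunnels` on the posted HQ stanza reports both conditions; with the destination changed to 6.6.6.2 it reports none.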
