
tunnel is up but protocol is down, using IPSEC OVER GRE

prabinchand

Hello troubleshooters!

I am facing a problem while performing IPSEC OVER GRE. On both routers, HQ & BR, the tunnels are up but the protocol is down. The configuration is all right from my side.

NOTE: topology is attached below.

CONFIGURATION

ISP

ISP(config)#do sh run
Building configuration...

Current configuration : 1040 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname ISP
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 3.3.3.1 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet0/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
ip address 6.6.6.1 255.255.255.0
speed auto
duplex auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 3.3.3.2
ip route 0.0.0.0 0.0.0.0 6.6.6.2
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

HQ

HQ(config)#do sh run
Building configuration...

Current configuration : 1503 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname HQ
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key admin address 6.6.6.2
!
!
crypto ipsec transform-set adminset esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile SECURE
set transform-set adminset
!
!
!
!
!
!
!
interface Tunnel1
ip address 172.12.12.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 172.12.12.2
tunnel protection ipsec profile SECURE
!
interface FastEthernet0/0
ip address 3.3.3.2 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet0/1
ip address 192.168.10.1 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
!
router eigrp 1
network 172.12.12.0 0.0.0.255
network 192.168.10.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 6.6.6.0 255.255.255.0 3.3.3.1
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

BR

BR(config)#do sh run
Building configuration...

Current configuration : 1503 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname BR
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key admin address 3.3.3.2
!
!
crypto ipsec transform-set adminset esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile SECURE
set transform-set adminset
!
!
!
!
!
!
!
interface Tunnel1
ip address 172.12.12.2 255.255.255.0
tunnel source FastEthernet1/1
tunnel destination 172.12.12.1
tunnel protection ipsec profile SECURE
!
interface FastEthernet0/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet0/1
ip address 192.168.20.1 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
ip address 6.6.6.2 255.255.255.0
speed auto
duplex auto
!
!
router eigrp 1
network 172.12.12.0 0.0.0.255
network 192.168.20.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 3.3.3.0 255.255.255.0 6.6.6.1
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

Accepted Solutions

Hello
Your tunnel destination should not be the tunnel interface IP of the opposite router; it should point to the ISP-routable address of its peer.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul


Hello,

Make the changes marked in bold:

HQ

interface Tunnel1
ip address 172.12.12.1 255.255.255.0
tunnel source FastEthernet0/0
--> tunnel destination 6.6.6.2
tunnel protection ipsec profile SECURE


BR

interface Tunnel1
ip address 172.12.12.2 255.255.255.0
tunnel source FastEthernet1/1
--> tunnel destination 3.3.3.2
tunnel protection ipsec profile SECURE
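
The mistake identified in the answers above can be caught by linting a configuration before it is deployed. The following is an added example, not part of the original thread: the function name `lint_tunnels` and the trimmed sample config are constructed here, and it assumes tunnel destinations are IPv4 literals.

```python
import ipaddress
import re

# Constructed sample: the HQ crypto and tunnel lines as posted in the question.
HQ_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key admin address 6.6.6.2
interface Tunnel1
 ip address 172.12.12.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 172.12.12.2
 tunnel protection ipsec profile SECURE
interface FastEthernet0/0
 ip address 3.3.3.2 255.255.255.0
"""

def lint_tunnels(config):
    """Return findings for tunnels whose destination cannot be an underlay peer."""
    findings = []
    # Peers that have a pre-shared key defined for IKE.
    key_peers = set(re.findall(r"^crypto isakmp key \S+ address (\S+)", config, re.M))
    # Split into interface stanzas; each chunk starts at the interface name.
    for stanza in re.split(r"^interface ", config, flags=re.M)[1:]:
        stanza = stanza.split("\n!", 1)[0]  # stop at the IOS stanza separator
        name = stanza.split()[0]
        if not name.lower().startswith("tunnel"):
            continue
        addr = re.search(r"^\s*ip address (\S+) (\S+)", stanza, re.M)
        dest = re.search(r"^\s*tunnel destination ([\d.]+)", stanza, re.M)
        if not (addr and dest):
            continue
        overlay = ipaddress.ip_interface(f"{addr.group(1)}/{addr.group(2)}").network
        peer = dest.group(1)
        # The destination must be reachable without the tunnel itself.
        if ipaddress.ip_address(peer) in overlay:
            findings.append(f"{name}: destination {peer} is inside the tunnel's own subnet {overlay}")
        # With tunnel protection, IKE negotiates with the tunnel destination.
        if "tunnel protection ipsec" in stanza and peer not in key_peers:
            findings.append(f"{name}: no 'crypto isakmp key ... address {peer}' for this destination")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_tunnels(HQ_CONFIG)) or "no findings")
```

Run against the posted HQ lines it reports both problems; with `tunnel destination 6.6.6.2` it reports none.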
