
Unable to get IPSEC-over-GRE Tunnel Working

Jonathan Holt
Level 1

Hi Guys

Looking for a little assistance here. I am setting up an IPSEC-over-GRE tunnel between a couple of CSRs and as soon as I enable IPSEC the tunnel protocol drops and won't come back up.

Here is the relevant configuration:

Crypto Config on Both Routers
======================

crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key ****** address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile ipsec-over-gre
 set transform-set esp-aes-sha

Interface Configuration on Router 1
=========================

interface GigabitEthernet2
 vrf forwarding Prod
 ip address 10.0.0.1 255.255.255.0
 ip nat outside
 negotiation auto

Tunnel Interface Configuration on Router 1
==============================

interface Tunnel0
 vrf forwarding Prod
 ip address 192.168.254.1 255.255.255.0
 tunnel source GigabitEthernet2
 tunnel mode ipsec ipv4
 tunnel destination 10.0.0.2
 tunnel path-mtu-discovery
 tunnel vrf Prod
 tunnel protection ipsec profile ipsec-over-gre

Interface Configuration on Router 2
=========================

interface GigabitEthernet2
 vrf forwarding Prod
 ip address 10.0.0.2 255.255.255.0
 ip nat outside
 negotiation auto

Tunnel Interface Configuration on Router 2
==============================

interface Tunnel0
 vrf forwarding Prod
 ip address 192.168.254.2 255.255.255.0
 tunnel source GigabitEthernet2
 tunnel mode ipsec ipv4
 tunnel destination 10.0.0.1
 tunnel path-mtu-discovery
 tunnel vrf Prod
 tunnel protection ipsec profile ipsec-over-gre

Troubleshooting so far
================

- The two physical interfaces can ping each other successfully

- The tunnel interface works before the tunnel mode ipsec ipv4 command is added, and then it drops. Shortly after that I add the tunnel protection ipsec profile ipsec-over-gre command.

- Show interface reveals:

CSR-03#show int tun0
Tunnel0 is up, line protocol is down
  Hardware is Tunnel
  Internet address is 192.168.254.2/24
  MTU 17892 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 10.0.0.1 (GigabitEthernet2), destination 10.0.0.2
   Tunnel Subblocks:
      src-track:
         Tunnel0 source tracking subblock associated with GigabitEthernet2
          Set of tunnels with source GigabitEthernet2, 1 member (includes iterators), on interface <OK>
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Path MTU Discovery, ager 10 mins, min MTU 92
  Tunnel transport MTU 1500 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "ipsec-over-gre")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 00:00:04
  Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

Any assistance at all is greatly appreciated. I think this should work fine as configured and I can't get my head around why it isn't.

Cheers

Jon
