
GRE tunnel goes down whenever I add ipsec profile

dgawaya1
Level 1

Hi experts,
I'm trying to configure an IPsec/GRE tunnel, but it goes down when I enable the tunnel profile. I have used the above document as a step-by-step guide.

//// 
interface Tunnel10
description Vivienne Court GRE/IPsec tunnel
ip address 10.2.2.1 255.255.255.252
ip mtu 1336
ip tcp adjust-mss 1296
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination 10.75.1.1
tunnel protection ipsec profile ipsec_prof 

SYD1PAXVR002#sh int tunnel10
Tunnel10 is up, line protocol is down
Hardware is Tunnel
Description: Vivienne Court GRE/IPsec tunnel
Internet address is 10.2.2.1/30

//// 
interface Tunnel10
description Vivienne Court GRE/IPsec tunnel
ip address 10.2.2.2 255.255.255.252
ip mtu 1336
ip tcp adjust-mss 1296
tunnel source GigabitEthernet0/0/0
tunnel destination 10.75.1.2
tunnel protection ipsec profile ipsec_prof





23 Replies

call admin limit 1000 

MHM

I added the command "call admi limit 1000". It's still down. I also removed all ipsec related configs then added them afresh.


show crypto ikev2 stats <- share this 

Also, what do you mean by this?

"I also removed all ipsec related configs"

MHM

OK, got it.
Can I see the IKEv2 config?
MHM

Here is the whole config
///


crypto ikev2 keyring ikev2_key
peer mypeer
address 0.0.0.0 0.0.0.0
pre-shared-key cisco123

crypto ikev2 profile ikev2_prof
match identity remote address 10.75.1.1
authentication remote pre-share
authentication local pre-share
keyring local ikev2

crypto ipsec transform-set tfs esp-aes esp-sha-hmac
esn
mode tunnel

crypto ipsec profile ipsec_prof
set transform-set tfs
set ikev2-profile ikev2_prof


interface Tunnel10
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec_prof
///

Sorry for my late reply.
Can you share
debug crypto ikev2 error <<- both sides if you can

Also, is the tunnel configured without tunnel source and tunnel destination, or is it a typo?

MHM

@MHM Cisco World it actually has the source and destination, on both sides. Here is one side of the config:
!
interface Tunnel10
description Vivienne Court GRE/IPsec tunnel
ip address 10.2.2.1 255.255.255.252
ip mtu 1336
ip tcp adjust-mss 1296
tunnel source GigabitEthernet0/0/0
tunnel destination 10.75.1.1
tunnel protection ipsec profile ipsec_prof
end

NB: The logs from both sides are attached here.






esp-gcm 256 <<- one side uses esp-gcm 256 and the other uses esp-aes; this mismatch drops the tunnel

MHM 
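
Added example (not part of the thread or any participant's post): a Python check for the mismatch identified in the reply above. It parses the `crypto ipsec transform-set` blocks from both peers' configs and returns the proposals they have in common. Side A reuses the transform-set posted in the thread; side B and the function names are assumptions made for illustration.

```python
import re

# Constructed samples. SIDE_A reuses the transform-set posted in the thread;
# SIDE_B is an assumed peer config using the "esp-gcm 256" named in the reply.
SIDE_A = """\
crypto ipsec transform-set tfs esp-aes esp-sha-hmac
 esn
 mode tunnel
crypto ipsec profile ipsec_prof
 set transform-set tfs
"""
SIDE_B = """\
crypto ipsec transform-set tfs esp-gcm 256
 mode tunnel
crypto ipsec profile ipsec_prof
 set transform-set tfs
"""

HEADER = re.compile(r"^crypto ipsec transform-set (\S+)\s+(.+)$")


def parse_transform_sets(config):
    """Return {name: (transforms, mode)} for each transform-set in IOS text."""
    sets, name = {}, None
    for line in config.splitlines():
        m = HEADER.match(line.rstrip())
        if m:
            name = m.group(1)
            # Tunnel mode is the IOS default when no "mode" line follows.
            sets[name] = (" ".join(m.group(2).split()), "tunnel")
        elif name and line.startswith(" "):
            words = line.split()
            if words[:1] == ["mode"]:
                sets[name] = (sets[name][0], " ".join(words[1:]))
        else:
            name = None  # any other top-level line closes the block
    return sets


def common_proposals(config_a, config_b):
    """Proposals (transforms, mode) offered by both peers; empty means no SA."""
    a = set(parse_transform_sets(config_a).values())
    b = set(parse_transform_sets(config_b).values())
    return a & b


if __name__ == "__main__":
    print("A:", parse_transform_sets(SIDE_A), "B:", parse_transform_sets(SIDE_B))
    print("common:", common_proposals(SIDE_A, SIDE_B) or "none, IPsec SA cannot form")
```

Proposals are compared by content rather than by transform-set name, since the name is only locally significant on each router.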

dgawaya1
Level 1

@MHM Cisco World that is correct. Thanks for your help again