GRE Tunnel over IPSEC not working

Kenneth Goh
Level 1

Hi all,

Can someone help verify what is wrong with the config below for a point-to-point VPN:

hostname B5_NP_RTR
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip domain name lab.local
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key 6 uccmskey address 192.168.207.97
crypto isakmp keepalive 90
!
!
crypto ipsec transform-set to_PC esp-aes 256
crypto ipsec df-bit clear
!
crypto map NP_PC local-address FastEthernet0/0
crypto map NP_PC 10 ipsec-isakmp
 set peer 192.168.207.97
 set transform-set to_PC
 match address 101
!
interface Tunnel3
 ip address 172.16.0.17 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 tunnel source 192.168.207.98
 tunnel destination 192.168.207.97
!
interface FastEthernet0/0
 description Link to PC
 ip address 192.168.207.98 255.255.255.252
 duplex auto
 speed auto
 crypto map NP_PC
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 172.16.0.18
!
!
no ip http server
no ip http secure-server
!
access-list 101 permit ip any any
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

hostname L5_PC_RTR
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
no ip domain lookup
ip domain name lab.local
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key 6 uccmskey address 192.168.207.98
crypto isakmp keepalive 90
!
!
crypto ipsec transform-set to_NPPK esp-aes 256
crypto ipsec df-bit clear
!
crypto map PC_NP local-address FastEthernet0/0
crypto map PC_NP 10 ipsec-isakmp
 set peer 192.168.207.98
 set transform-set to_NP
 match address 101
!
interface Tunnel3
 ip address 172.16.0.18 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 tunnel source 192.168.207.97
 tunnel destination 192.168.207.98
!
interface FastEthernet0/0
 description Link to NP
 ip address 192.168.207.97 255.255.255.252
 duplex auto
 speed auto
 crypto map PC_NP
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
!
no ip http server
no ip http secure-server
!
access-list 101 permit ip any any
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end
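The two configs above are mirror images except for a handful of fields that have to agree on both routers before the crypto map and the GRE tunnel can come up: the set peer address, the address the ISAKMP key is bound to, the tunnel source/destination, the transform-set name each crypto map entry references, and the crypto ACL. The script below is an added example, not part of the original post. It embeds a copy of each posted config trimmed to the lines it reads (IOS indentation restored), parses the crypto-map, ISAKMP key, tunnel and access-list lines, and cross-checks one side against the other. The parse/audit function names and the finding codes are this script's own; it assumes the `crypto isakmp key <type> <string> address` form of the pre-shared key line and one ipsec-isakmp crypto map entry per router.

```python
"""Cross-check two Cisco IOS crypto-map + GRE configs for the peer mismatches
that keep a GRE-over-IPsec tunnel from coming up. Added example, not code from
the original post: NP_CFG and PC_CFG are the posted configs trimmed to the
lines the checker reads, and the finding codes are this script's own."""
import re

NP_CFG = """\
hostname B5_NP_RTR
crypto isakmp key 6 uccmskey address 192.168.207.97
crypto ipsec transform-set to_PC esp-aes 256
crypto map NP_PC 10 ipsec-isakmp
 set peer 192.168.207.97
 set transform-set to_PC
 match address 101
interface Tunnel3
 tunnel source 192.168.207.98
 tunnel destination 192.168.207.97
interface FastEthernet0/0
 ip address 192.168.207.98 255.255.255.252
 crypto map NP_PC
access-list 101 permit ip any any
"""

PC_CFG = """\
hostname L5_PC_RTR
crypto isakmp key 6 uccmskey address 192.168.207.98
crypto ipsec transform-set to_NPPK esp-aes 256
crypto map PC_NP 10 ipsec-isakmp
 set peer 192.168.207.98
 set transform-set to_NP
 match address 101
interface Tunnel3
 tunnel source 192.168.207.97
 tunnel destination 192.168.207.98
interface FastEthernet0/0
 ip address 192.168.207.97 255.255.255.252
 crypto map PC_NP
access-list 101 permit ip any any
"""

def parse(cfg):
    """Pull the crypto-map, ISAKMP key, tunnel and ACL fields out of one config."""
    info = {"transform_sets": {}, "acls": {}, "if_ip": {}}
    section = ""
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):                      # top-level command: opens a new section
            section = line
            if m := re.match(r"hostname (\S+)", line):
                info["hostname"] = m[1]
            elif m := re.match(r"crypto isakmp key \S+ \S+ address (\S+)", line):
                info["key_peer"] = m[1]                  # assumes 'key <type> <string> address'
            elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
                info["transform_sets"][m[1]] = m[2]
            elif m := re.match(r"access-list (\d+) (.+)", line):
                info["acls"].setdefault(m[1], []).append(m[2])
        elif section.startswith("crypto map") and section.endswith("ipsec-isakmp"):
            for key, pat in (("peer", r"set peer (\S+)"), ("ts_ref", r"set transform-set (\S+)"),
                             ("acl_ref", r"match address (\S+)")):
                if m := re.match(pat, line):
                    info[key] = m[1]
        elif section.startswith("interface"):
            ifname = section.split()[1]
            if m := re.match(r"ip address (\S+)", line):
                info["if_ip"][ifname] = m[1]
            elif m := re.match(r"tunnel (source|destination) (\S+)", line):
                info["tun_src" if m[1] == "source" else "tun_dst"] = m[2]
            elif line.startswith("crypto map "):
                info["crypto_if"] = ifname               # interface the crypto map is bound to
    return info

def audit(cfg_a, cfg_b):
    """Check each side against the other; returns [(hostname, code, detail), ...]."""
    a, b = parse(cfg_a), parse(cfg_b)
    out = []
    for me, peer in ((a, b), (b, a)):
        host, want = me["hostname"], me.get("peer")
        local = me["if_ip"].get(me.get("crypto_if"))
        remote = peer["if_ip"].get(peer.get("crypto_if"))
        if me.get("ts_ref") not in me["transform_sets"]:
            out.append((host, "UNDEFINED_TRANSFORM_SET",
                        f"set transform-set {me.get('ts_ref')}, defined: {sorted(me['transform_sets'])}"))
        if want != remote:
            out.append((host, "PEER_MISMATCH", f"set peer {want}, peer's crypto interface is {remote}"))
        if me.get("key_peer") != want:
            out.append((host, "KEY_ADDRESS_MISMATCH", f"isakmp key bound to {me.get('key_peer')}, peer is {want}"))
        if (me.get("tun_src"), me.get("tun_dst")) != (local, want):
            out.append((host, "TUNNEL_ENDPOINT_MISMATCH",
                        f"tunnel {me.get('tun_src')}->{me.get('tun_dst')}, crypto {local}->{want}"))
        if "permit ip any any" in me["acls"].get(me.get("acl_ref"), []):
            out.append((host, "CRYPTO_ACL_ANY_ANY", f"narrow to 'permit gre host {local} host {want}'"))
    return out

if __name__ == "__main__":
    for host, code, detail in audit(NP_CFG, PC_CFG):
        print(f"{host}: {code}: {detail}")
```

Run against the posted configs, it reports the `permit ip any any` crypto ACL on both routers and, on L5_PC_RTR, a crypto map entry that references transform-set `to_NP` while the only set defined on that router is `to_NPPK`; the peer addresses, key bindings and tunnel endpoints on the two sides are consistent with each other.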

2 Replies

ty.masse
Level 1

Looking at what you're trying to do, I think using a VTI would be a more streamlined configuration. It's also a little bit easier to configure. We use VTI to connect to remote locations and pass routing protocols through it. That's highly recommended by Cisco also.

While I agree that this situation could be done with VTI and that VTI does have some advantages, that does not address the main question in the original post which is why the tunnel is not working.

I will start by observing that Cisco warns that crypto maps using access lists with permit ip any any can cause problems. So the original poster would be well advised to change that part of the configuration. In this situation all the access list needs to do is permit gre host 192.168.207.97 host 192.168.207.98

But I believe that this is not the major problem. The major problem is that for the tunnel to work there must be interesting traffic to send through the tunnel. The router has only a single physical interface that has an IP address and that has a /30 mask. So where will traffic come from that will go through the tunnel and cause the tunnel to work?

HTH

Rick
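To make the "interesting traffic" point above concrete, the script below is an added example, not from the thread. It models, for B5_NP_RTR, the order in which IOS handles an outbound packet: route it, GRE-encapsulate it if the route points into Tunnel3, and only then test the (outer) packet against the crypto ACL bound to FastEthernet0/0. The routing table is lifted from the posted config (the connected /30 plus the default route into the tunnel); the ACL grammar is a subset (permit/deny, protocol, any/host/contiguous wildcard, no ports), IOS's bypass of its own IKE traffic is not modelled, and the function names and sample packets are this script's own. It compares the posted `permit ip any any` with the GRE-only entry recommended above, written from the local router's side (its own tunnel source first, since an outbound crypto ACL is matched with the local address as source; the peer gets the mirrored line).

```python
"""Model how B5_NP_RTR treats an outbound packet: route it, GRE-encapsulate it
if the route points into Tunnel3, then test the outer packet against the
crypto ACL on FastEthernet0/0. Added example, not from the thread; the ACL
subset, routing table and sample packets are this script's own."""
import ipaddress

LOCAL, PEER = "192.168.207.98", "192.168.207.97"   # tunnel source / destination on B5_NP_RTR
ROUTES = [(ipaddress.ip_network("192.168.207.96/30"), "FastEthernet0/0"),  # connected
          (ipaddress.ip_network("0.0.0.0/0"), "Tunnel3")]                  # ip route 0.0.0.0 0.0.0.0 172.16.0.18

def _net(tokens):
    """Consume one ACL address term: 'any', 'host A' or 'A WILDCARD' (contiguous wildcard only)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wild = int(ipaddress.ip_address(tokens[1]))
    prefix = 32 - bin(wild).count("1")
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]

def parse_acl(lines):
    """Parse 'permit|deny <proto> <src> <dst>' entries into (permit, proto, src_net, dst_net)."""
    acl = []
    for line in lines:
        tok = line.split()
        src, rest = _net(tok[2:])
        dst, _ = _net(rest)
        acl.append((tok[0] == "permit", tok[1], src, dst))
    return acl

def classify(acl, proto, src, dst):
    """First-match evaluation; an 'ip' entry matches every protocol, implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for permit, p, snet, dnet in acl:
        if p in ("ip", proto) and s in snet and d in dnet:
            return permit
    return False

def route(dst):
    """Longest-prefix match; returns the egress interface or None."""
    d = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, iface) for net, iface in ROUTES if d in net]
    return max(hits)[1] if hits else None

def forward(acl, proto, src, dst):
    """Return (outer_proto, outer_src, outer_dst, protected) for one packet, or None if unroutable."""
    iface = route(dst)
    if iface is None:
        return None
    if iface == "Tunnel3":
        # GRE encapsulation rewrites the header the crypto map will see: the outer
        # packet is tunnel source -> tunnel destination, IP protocol 47, out Fa0/0.
        proto, src, dst = "gre", LOCAL, PEER
    return proto, src, dst, classify(acl, proto, src, dst)

ANY_ANY = parse_acl(["permit ip any any"])                       # as posted
GRE_ONLY = parse_acl([f"permit gre host {LOCAL} host {PEER}"])   # recommended: local source first

if __name__ == "__main__":
    samples = [("icmp", LOCAL, PEER),            # ping across the /30 link, outside the tunnel
               ("icmp", LOCAL, "10.1.1.1"),      # router-originated traffic to a remote network
               ("udp", LOCAL, PEER)]             # e.g. the router's own IKE (bypass not modelled)
    for name, acl in (("permit ip any any", ANY_ANY), ("permit gre host/host", GRE_ONLY)):
        for pkt in samples:
            print(f"{name:22} {pkt} -> {forward(acl, *pkt)}")
```

With `permit ip any any` even a ping between the two /30 addresses is pulled into IPsec, while with the GRE-only entry only packets that were first routed into Tunnel3 bring the SA up. With Fa0/1 shut down and the /30 the only connected network, the only such packets are ones the router itself sends to an address outside the /30, which is the shortage of interesting traffic described in the reply above.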