IPSEC over gre tunnel with keeplive

Carmine De Rienzo · ‎07-07-2011

Hi,

I want to know if i config a tunnel gre with ipsec and I configure the keeplive Does it works?

Examples

Side A

crypto isakmp key 6 xxxxxxx address side b

!

crypto ipsec transform-set xxxyyy esp-3des esp-md5-hmac

!

crypto map xxyy 230 ipsec-isakmp

set peer ip side b

set transform-set xxxyyy

match address xxxx

interface Tunnel1

description VPN

ip address 5.5.5.9 255.255.255.252

keepalive 10 5

tunnel source FastEthernet0/0

tunnel destination ip address side b

tunnel path-mtu-discovery

crypto map xxyy

ip access-list extended xxxx

permit ip 192.168.xxx.xxx 0.0.0.31 192.168.yyy.0 0.0.0.255

permit gre host ip side a host ip side b

deny ip any any

Side B

crypto isakmp key 6 xxxxxxx address side a

!

crypto ipsec transform-set xxxyyy esp-3des esp-md5-hmac

!

crypto map xxyy 230 ipsec-isakmp

set peer ip side a

set transform-set xxxyyy

match address xxxx

interface Tunnel1

description VPN

ip address 5.5.5.9 255.255.255.252

keepalive 10 5

tunnel source FastEthernet0/0

tunnel destination ip address side a

tunnel path-mtu-discovery

crypto map TOFCO

ip access-list extended xxxx

permit ip 192.168.yyy.000 0.0.0.31 192.xxx.yyy.0 0.0.0.255

permit gre host ip side b host ip side a

deny ip any any

Thanks a lot

Carmine

wzhang · ‎07-07-2011

Hi,

Your question says "IPSec over GRE", but it looks like you are really trying to do GRE over IPSec (ie., encapsulate GRE traffic inside of an IPSec tunnel). If that's the case, then your crypto map needs to be applied on the physical egress interface instead of the tunnel interface itself. The rest of your configuration looks fine.

Hope this helps,

Thanks,

Wen