Cisco Community
English
Register
We're here for you! LEARN about free offerings and business continuity best practices during the COVID-19 pandemic
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
649
Views
0
Helpful
9
Replies
roharris33
roharris33 Beginner
Beginner
‎01-21-2019 09:33 AM
‎01-21-2019 09:33 AM

IPSEC Routing Issue

I apologize if this is posted in the wrong location. I'm standing up an IPSEC tunnel between two sites. Eventually all sites will use the head end as a backup connection. The tunnel establishes but I'm not seeing an OSPF adjacency nor can I ping the IP of the tunnel on either side. I see that the head end is receiving packets but isn't responding. The route for the far end IP appears to be correct on the head end. I don't see anything else wrong, no errors. Any ideas?

Everyone's tags (3)
0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
RJI
RJI Advisor
Advisor
‎01-23-2019 04:08 AM
‎01-23-2019 04:08 AM

Re: IPSEC Routing Issue

Shutdown tunnel interface, remove tunnel destination and add "tunnel mode gre multipoint", no shut tunnel interface

You've also got different tunnel keys, remove the key you shouldn't need it in your scenario.

View solution in original post

0 Helpful
Reply
9 REPLIES 9
Highlighted
RJI
RJI Advisor
Advisor
‎01-22-2019 01:35 PM
‎01-22-2019 01:35 PM

Re: IPSEC Routing Issue

Hi,

On the farend router you should modify the configuration as follows:-

 

interface tunnel 1

no tunnel destination

tunnel mode gre multipoint

 

You may also want to add "ip ospf hello-interval 30" on each router's tunnel interface.

 

HTH

0 Helpful
Reply
Highlighted
roharris33
roharris33 Beginner
Beginner
‎01-22-2019 01:49 PM
‎01-22-2019 01:49 PM

Re: IPSEC Routing Issue

I made the changes.....same result as before.

0 Helpful
Reply
Highlighted
RJI
RJI Advisor
Advisor
‎01-22-2019 01:52 PM
‎01-22-2019 01:52 PM

Re: IPSEC Routing Issue

Upload "show dmvpn" and "show ip ospf neig" from both routers.
0 Helpful
Reply
Highlighted
roharris33
roharris33 Beginner
Beginner
‎01-22-2019 04:15 PM
‎01-22-2019 04:15 PM

Re: IPSEC Routing Issue

Interesting as you can see on the head end there isn't any dmvpn information. But the far end shows peer information.

 

Headend:

headvpn.PNG

 

Farend:

farvpn.PNG

0 Helpful
Reply
Highlighted
RJI
RJI Advisor
Advisor
‎01-23-2019 03:36 AM
‎01-23-2019 03:36 AM

Re: IPSEC Routing Issue

Can you post your updated configuration please
0 Helpful
Reply
Highlighted
roharris33
roharris33 Beginner
Beginner
‎01-23-2019 04:05 AM
‎01-23-2019 04:05 AM

Re: IPSEC Routing Issue

I have a duplicate thread. Made a rookie mistake posting in two different places. Here is the link to the other thread. Updated configs are attached.

 

https://community.cisco.com/t5/routing/routing-over-gre-ipsec-tunnel/m-p/3785459#M308139

0 Helpful
Reply
Highlighted
roharris33
roharris33 Beginner
Beginner
‎01-23-2019 04:08 AM
‎01-23-2019 04:08 AM

Re: IPSEC Routing Issue

Adding the headend config

0 Helpful
Reply
Highlighted
RJI
RJI Advisor
Advisor
‎01-23-2019 04:08 AM
‎01-23-2019 04:08 AM

Re: IPSEC Routing Issue

Shutdown tunnel interface, remove tunnel destination and add "tunnel mode gre multipoint", no shut tunnel interface

You've also got different tunnel keys, remove the key you shouldn't need it in your scenario.

View solution in original post

0 Helpful
Reply
Highlighted
roharris33
roharris33 Beginner
Beginner
‎01-23-2019 04:19 AM
‎01-23-2019 04:19 AM

Re: IPSEC Routing Issue

tunnel mode gre multipoint was already configured but I did remove the key on both ends and now I have an OSPF adjancy. Thank you very much.

Farend tunnel config:
interface Tunnel1
bandwidth 20000
ip address 10.192.0.254 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication VCbh1q93
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 600
ip nhrp redirect
ip policy route-map VPN-Internal
ip ospf network broadcast
ip ospf hello-interval 30
ip ospf priority 2
ip ospf mtu-ignore
delay 1000
tunnel source GigabitEthernet0/0/1
tunnel mode gre multipoint
tunnel protection ipsec profile vpnprof


Head end tunnel config:
interface Tunnel1
bandwidth 20000
ip address 10.192.0.17 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication VCbh1q93
ip nhrp map 10.192.0.254 111.111.111..237
ip nhrp map multicast 111.111.111.237
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp nhs 10.192.0.254
ip ospf network broadcast
ip ospf hello-interval 30
ip ospf priority 2
delay 1000
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
tunnel protection ipsec profile vpnprof

0 Helpful
Reply
Latest Contents
DMZ to Hyper-V Host to VM (double nic routing) issue
Created by machine23 on 03-31-2020 12:42 PM
0
0
0
0
Hello All , My end goal is to get access to a webserver from outside which is hosted on the VM on hyper-vbut the VM in my hyper-v can't ping my DMZ-ASA nor can my DMZ-ASA ping my VM but the hyper-v host can ping the ASA and back.DMZ-ASA has inside in... view more
Web Security - what capabilities does it provide and how can...
Created by ben.greenbaum on 03-30-2020 01:41 PM
0
0
0
0
Threat Response integrates with Cisco's Web Security Appliance (WSA) to provide visibility into web-bourne threats. By adding a Web Security or SMA Web module to Threat Response, investigators will be able to search for domains, URLs, and file hashes th... view more
VPN Load-Balancing
Created by Francesco Molino on 03-28-2020 04:45 PM
0
5
0
5
Hi everyone,   I was helping some friends and they were trying to solve a scalable VPN issues, specially these days with the pandemic situation. I recommended to implement ASA VPN Load-Balancing. This will allow to keep 1 FQDN for all RA-VPN users an... view more
Alcatel 8068S VPN configuration with FTD 6.4
Created by fthiel92 on 03-28-2020 03:48 PM
1
5
1
5
Purpose of this article is to share our experience during that Covid-19 period where we were able to successfully setup a VPN configuration for remote worker using Alcatel 8068S phones with FTD 2110 running 6.4.0.8.I would like to thank all of my colleagu... view more
Downloadable URL-Redirect ACL with ISE
Created by howon on 03-27-2020 02:33 PM
2
5
2
5
For additional advanced ISE related Tips, please visit Advanced ISE tips to make your deployment easier document   Downloadable URL-Redirect ACL with ISE If you have ever configured central web authentication with ISE you understand that it requires... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad
Spotlight Awards- February 2020

Follow our Social Media Channels