Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
834
Views
0
Helpful
9
Replies
Highlighted
roharris33
Beginner
Beginner
‎01-21-2019 09:33 AM
‎01-21-2019 09:33 AM

IPSEC Routing Issue

I apologize if this is posted in the wrong location. I'm standing up an IPSEC tunnel between two sites. Eventually all sites will use the head end as a backup connection. The tunnel establishes but I'm not seeing an OSPF adjacency nor can I ping the IP of the tunnel on either side. I see that the head end is receiving packets but isn't responding. The route for the far end IP appears to be correct on the head end. I don't see anything else wrong, no errors. Any ideas?

Labels:
Preview file
3 KB
Preview file
4 KB
0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Rob Ingram
VIP Mentor VIP Mentor
VIP Mentor
In response to roharris33
‎01-23-2019 04:08 AM
‎01-23-2019 04:08 AM

Shutdown tunnel interface, remove tunnel destination and add "tunnel mode gre multipoint", no shut tunnel interface

You've also got different tunnel keys, remove the key you shouldn't need it in your scenario.

View solution in original post

0 Helpful
Reply
9 REPLIES 9
Highlighted
Rob Ingram
VIP Mentor VIP Mentor
VIP Mentor
‎01-22-2019 01:35 PM
‎01-22-2019 01:35 PM

Hi,

On the farend router you should modify the configuration as follows:-

 

interface tunnel 1

no tunnel destination

tunnel mode gre multipoint

 

You may also want to add "ip ospf hello-interval 30" on each router's tunnel interface.

 

HTH

0 Helpful
Reply
Highlighted
roharris33
Beginner
Beginner
In response to Rob Ingram
‎01-22-2019 01:49 PM
‎01-22-2019 01:49 PM

I made the changes.....same result as before.

0 Helpful
Reply
Highlighted
Rob Ingram
VIP Mentor VIP Mentor
VIP Mentor
In response to roharris33
‎01-22-2019 01:52 PM
‎01-22-2019 01:52 PM

Upload "show dmvpn" and "show ip ospf neig" from both routers.
0 Helpful
Reply
Highlighted
roharris33
Beginner
Beginner
In response to Rob Ingram
‎01-22-2019 04:15 PM
‎01-22-2019 04:15 PM

Interesting as you can see on the head end there isn't any dmvpn information. But the far end shows peer information.

 

Headend:

headvpn.PNG

 

Farend:

farvpn.PNG

0 Helpful
Reply
Highlighted
Rob Ingram
VIP Mentor VIP Mentor
VIP Mentor
In response to roharris33
‎01-23-2019 03:36 AM
‎01-23-2019 03:36 AM

Can you post your updated configuration please
0 Helpful
Reply
Highlighted
roharris33
Beginner
Beginner
In response to Rob Ingram
‎01-23-2019 04:05 AM
‎01-23-2019 04:05 AM

I have a duplicate thread. Made a rookie mistake posting in two different places. Here is the link to the other thread. Updated configs are attached.

 

https://community.cisco.com/t5/routing/routing-over-gre-ipsec-tunnel/m-p/3785459#M308139

Preview file
3 KB
0 Helpful
Reply
Highlighted
roharris33
Beginner
Beginner
In response to roharris33
‎01-23-2019 04:08 AM
‎01-23-2019 04:08 AM

Adding the headend config

Preview file
4 KB
0 Helpful
Reply
Highlighted
Rob Ingram
VIP Mentor VIP Mentor
VIP Mentor
In response to roharris33
‎01-23-2019 04:08 AM
‎01-23-2019 04:08 AM

Shutdown tunnel interface, remove tunnel destination and add "tunnel mode gre multipoint", no shut tunnel interface

You've also got different tunnel keys, remove the key you shouldn't need it in your scenario.

View solution in original post

0 Helpful
Reply
Highlighted
roharris33
Beginner
Beginner
In response to Rob Ingram
‎01-23-2019 04:19 AM
‎01-23-2019 04:19 AM

tunnel mode gre multipoint was already configured but I did remove the key on both ends and now I have an OSPF adjancy. Thank you very much.

Farend tunnel config:
interface Tunnel1
bandwidth 20000
ip address 10.192.0.254 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication VCbh1q93
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 600
ip nhrp redirect
ip policy route-map VPN-Internal
ip ospf network broadcast
ip ospf hello-interval 30
ip ospf priority 2
ip ospf mtu-ignore
delay 1000
tunnel source GigabitEthernet0/0/1
tunnel mode gre multipoint
tunnel protection ipsec profile vpnprof


Head end tunnel config:
interface Tunnel1
bandwidth 20000
ip address 10.192.0.17 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication VCbh1q93
ip nhrp map 10.192.0.254 111.111.111..237
ip nhrp map multicast 111.111.111.237
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp nhs 10.192.0.254
ip ospf network broadcast
ip ospf hello-interval 30
ip ospf priority 2
delay 1000
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
tunnel protection ipsec profile vpnprof

0 Helpful
Reply
Latest Contents
SecureX Frequently Asked Questions
Created by adisanka on 03-01-2021 08:33 AM
0
10
0
10
GeneralWhich Cisco Secure products include access to SecureX?What are the SecureX data retention/privacy policies?What is SSE?How can I unlink my smart account from SSE and link it to a new account?Do I have to use the same SSE region as the SecureX regio... view more
Bridge the security gap with Cisco Remote Secure Worker
Created by Kelli Glass on 02-26-2021 04:37 PM
0
0
0
0
More people are working remotely, and this increases the risk of security breaches and the difficulty in defending remote workers where they work and securing the devices they use. Learn about Cisco Remote Secure Worker solutions that verify workers, secu... view more
ISE Performance & Scale
Created by howon on 02-24-2021 08:26 PM
11
219
11
219
  GeneralWhich Cisco Secure products include access to SecureX?What are the SecureX data retention/privacy policies?What is SSE?How can I unlink my smart account from SSE and link it to a new account?Do I have to use the same SSE region as the Secur... view more
Detecting and Responding to the SolarWinds Infrastructure At...
Created by aligarci on 02-23-2021 08:19 AM
0
5
0
5
On December 8, FireEye reported that it had been compromised in a sophisticated supply chain attack: more specifically through the SolarWinds Orion IT monitoring and management software. The attackers leveraged business software updates in order to distr... view more
Arista CloudVision WiFi Dictionary and NAD Profile for ISE I...
Created by hslai on 02-21-2021 01:59 PM
0
10
0
10
Attached are the dictionary and NAD profile as described in Arista CloudVision WiFi Integration with Cisco ISE .
Content for Community-Ad