
No traffic when the VPN and GRE tunnel are up

caishan-liu
Level 1
Please help me fix this issue: the VPN tunnel is up, but there is no encrypted traffic on the PE site and the GRE tunnel cannot be pinged.

PE config:

G-PE11#sh run

Building configuration...

Current configuration : 6660 bytes

!

! Last configuration change at 16:29:23 Beijing Sun Oct 20 2013 by gssnetnoc

version 15.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname PE11

!

!

redundancy

!

!

!

crypto isakmp policy 10

encr 3des

authentication pre-share

group 5

crypto isakmp key G-20131015-PE address 0.0.0.0       

crypto isakmp keepalive 10

crypto isakmp aggressive-mode disable

!

!

crypto ipsec transform-set G-PE-trans esp-3des esp-sha-hmac

mode tunnel

!

!

!

crypto dynamic-map G-PE-dmap 10

set transform-set G-PE-trans

!

!

crypto map dynamic-map local-address Loopback200

crypto map dynamic-map 10 ipsec-isakmp dynamic G-PE-dmap

!

!

!

!

interface Loopback200

ip address 22.126.229.125 255.255.255.255

crypto map dynamic-map

!

interface Tunnel201

ip address 10.0.96.5 255.255.255.252

ip mtu 1400

load-interval 30

tunnel source Loopback200

tunnel destination 10.0.99.101

tunnel key 10201

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!        

interface GigabitEthernet0/0

ip address 10.244.16.6 255.255.255.252

duplex auto

speed auto

!

interface GigabitEthernet0/1

no ip address

duplex auto

speed auto

!

interface GigabitEthernet0/2

no ip address

shutdown

duplex auto

speed auto

!

ip route 0.0.0.0 0.0.0.0 10.244.16.5

!

CPE config:

ADSL#sh run

Building configuration..

Current configuration : 2972 bytes

!

! Last configuration change at 16:39:59 BJ Sun Oct 20 2013

!

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname ADSL

!

!

crypto isakmp policy 10

encr 3des

authentication pre-share

group 5

crypto isakmp key G-20131015-PE address 22.126.229.125

crypto isakmp keepalive 10

crypto isakmp aggressive-mode disable

!

!

crypto ipsec transform-set G-CPE-trans esp-3des esp-sha-hmac

mode transport

!

crypto map G1310201-Static-Map local-address Dialer0

crypto map G1310201-Static-Map 20 ipsec-isakmp

set peer 22.126.229.125

set transform-set G-CPE-trans

match address G-1310201-ACL

!

!

!

!

!

!

interface Loopback201

ip address 10.0.99.101 255.255.255.255

!

interface Tunnel1310201

ip address 10.0.96.6 255.255.255.252

ip mtu 1400

load-interval 30

tunnel source Loopback201

tunnel destination 22.126.229.125

tunnel key 10201

!

interface FastEthernet0/0

no ip address

ip virtual-reassembly in

duplex auto

speed auto

pppoe enable group global

pppoe-client dial-pool-number 1

!

interface FastEthernet0/1

ip address 192.168.0.100 255.255.255.0

duplex auto

speed auto

!

interface Dialer0

ip address negotiated

ip mtu 1492

ip virtual-reassembly in

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication pap callin

ppp pap sent-username 154432 password 0 576

crypto map G1310201-Static-Map

!

ip route 0.0.0.0 0.0.0.0 10.0.96.5

ip route 22.126.229.125 255.255.255.255 Dialer0

!

ip access-list extended G-1310201-ACL

permit gre host 10.0.99.101 host 22.126.229.125

!

!

From CPE's info:

ADSL#show crypto ipsec sa

interface: Dialer0

    Crypto map tag:G1310201-Static-Map, local addr 221.221.155.96

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (10.0.99.101/255.255.255.255/47/0)

   remote ident (addr/mask/prot/port): (22.126.229.125/255.255.255.255/47/0)

   current_peer 22.126.229.125 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 407, #pkts encrypt: 407, #pkts digest: 407

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 1, #recv errors 0

     local crypto endpt.: 221.221.155.96, remote crypto endpt.: 22.126.229.125

     path mtu 1492, ip mtu 1492, ip mtu idb Dialer0

     current outbound spi: 0x43D7FFCE(1138229198)

     PFS (Y/N): N, DH group: none

G-PE11#show cry ip sa

interface: Loopback200

    Crypto map tag: dynamic-map, local addr 22.126.229.125

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (22.126.229.125/255.255.255.255/47/0)

   remote ident (addr/mask/prot/port): (10.0.99.101/255.255.255.255/47/0)

   current_peer 221.221.155.96 port 500

     PERMIT, flags={}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 524, #pkts decrypt: 524, #pkts verify: 524

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 22.126.229.125, remote crypto endpt.: 222.128.169.253

     plaintext mtu 1462, path mtu 1514, ip mtu 1514, ip mtu idb Loopback200

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none

GRE Tunnel Ping:

From PE to CE:

G-PE11#ping 10.0.96.6

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.0.96.6, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)
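
An added example, not part of the original post: a small Python parser that reads the per-direction packet counters and the outbound SPI from `show crypto ipsec sa` output and flags one-way IPsec traffic. The two sample inputs are excerpts of the outputs quoted in the post; the function names are this example's own.

```python
import re

# Excerpts of the two `show crypto ipsec sa` outputs quoted in the post above.
CPE_SA = """\
interface: Dialer0
    #pkts encaps: 407, #pkts encrypt: 407, #pkts digest: 407
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 1, #recv errors 0
     current outbound spi: 0x43D7FFCE(1138229198)
"""
PE_SA = """\
interface: Loopback200
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 524, #pkts decrypt: 524, #pkts verify: 524
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)
"""

def parse_sa(text):
    """Pull the per-direction counters and outbound SPI out of one SA block."""
    def grab(pattern, base=10):
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"field not found: {pattern}")
        return int(m.group(1), base)
    return {
        "interface": re.search(r"interface:\s*(\S+)", text).group(1),
        "encaps": grab(r"#pkts encaps:\s*(\d+)"),
        "decaps": grab(r"#pkts decaps:\s*(\d+)"),
        "send_errors": grab(r"#send errors\s+(\d+)"),
        "outbound_spi": grab(r"current outbound spi:\s*0x([0-9A-Fa-f]+)", 16),
    }

def triage(text):
    """Return (interface, findings) describing one-way IPsec traffic on this side."""
    sa = parse_sa(text)
    findings = []
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        findings.append("tx-only: encrypting, nothing decrypted from peer")
    if sa["decaps"] > 0 and sa["encaps"] == 0:
        findings.append("rx-only: decrypting, nothing encrypted toward peer")
    if sa["outbound_spi"] == 0:
        findings.append("no outbound SA installed (SPI 0x0)")
    if sa["send_errors"]:
        findings.append(f"{sa['send_errors']} send error(s)")
    return sa["interface"], findings

if __name__ == "__main__":
    for name, out in (("CPE", CPE_SA), ("PE", PE_SA)):
        print(name, *triage(out))
```

Run against both ends, it shows the asymmetry in the post: the CPE only transmits protected packets and the PE only receives them.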
