10-20-2013 07:03 AM
Please help me fix this issue: the VPN tunnel is up, but there is no encrypted traffic on the PE site and the GRE tunnel cannot be pinged.
PE config:
G-PE11#sh run
Building configuration...
Current configuration : 6660 bytes
!
! Last configuration change at 16:29:23 Beijing Sun Oct 20 2013 by gssnetnoc
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PE11
!
!
redundancy
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 5
crypto isakmp key G-20131015-PE address 0.0.0.0
crypto isakmp keepalive 10
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set G-PE-trans esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto dynamic-map G-PE-dmap 10
set transform-set G-PE-trans
!
!
crypto map dynamic-map local-address Loopback200
crypto map dynamic-map 10 ipsec-isakmp dynamic G-PE-dmap
!
!
!
!
interface Loopback200
ip address 22.126.229.125 255.255.255.255
crypto map dynamic-map
!
interface Tunnel201
ip address 10.0.96.5 255.255.255.252
ip mtu 1400
load-interval 30
tunnel source Loopback200
tunnel destination 10.0.99.101
tunnel key 10201
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 10.244.16.6 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 10.244.16.5
!
CPE config:
ADSL#sh run
Building configuration..
Current configuration : 2972 bytes
!
! Last configuration change at 16:39:59 BJ Sun Oct 20 2013
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ADSL
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 5
crypto isakmp key G-20131015-PE address 22.126.229.125
crypto isakmp keepalive 10
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set G-CPE-trans esp-3des esp-sha-hmac
mode transport
!
crypto map G1310201-Static-Map local-address Dialer0
crypto map G1310201-Static-Map 20 ipsec-isakmp
set peer 22.126.229.125
set transform-set G-CPE-trans
match address G-1310201-ACL
!
!
!
!
!
!
interface Loopback201
ip address 10.0.99.101 255.255.255.255
!
interface Tunnel1310201
ip address 10.0.96.6 255.255.255.252
ip mtu 1400
load-interval 30
tunnel source Loopback201
tunnel destination 22.126.229.125
tunnel key 10201
!
interface FastEthernet0/0
no ip address
ip virtual-reassembly in
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
ip address 192.168.0.100 255.255.255.0
duplex auto
speed auto
!
interface Dialer0
ip address negotiated
ip mtu 1492
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username 154432 password 0 576
crypto map G1310201-Static-Map
!
ip route 0.0.0.0 0.0.0.0 10.0.96.5
ip route 22.126.229.125 255.255.255.255 Dialer0
!
ip access-list extended G-1310201-ACL
permit gre host 10.0.99.101 host 22.126.229.125
!
!
From CPE's info:
ADSL#show crypto ipsec sa
interface: Dialer0
Crypto map tag:G1310201-Static-Map, local addr 221.221.155.96
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.99.101/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (22.126.229.125/255.255.255.255/47/0)
current_peer 22.126.229.125 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 407, #pkts encrypt: 407, #pkts digest: 407
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 221.221.155.96, remote crypto endpt.: 22.126.229.125
path mtu 1492, ip mtu 1492, ip mtu idb Dialer0
current outbound spi: 0x43D7FFCE(1138229198)
PFS (Y/N): N, DH group: none
G-PE11#show cry ip sa
interface: Loopback200
Crypto map tag: dynamic-map, local addr 22.126.229.125
protected vrf: (none)
local ident (addr/mask/prot/port): (22.126.229.125/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.0.99.101/255.255.255.255/47/0)
current_peer 221.221.155.96 port 500
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 524, #pkts decrypt: 524, #pkts verify: 524
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 22.126.229.125, remote crypto endpt.: 222.128.169.253
plaintext mtu 1462, path mtu 1514, ip mtu 1514, ip mtu idb Loopback200
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
GRE Tunnel Ping:
From PE to CE:
G-PE11#ping 10.0.96.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.96.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
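The asymmetry between the two `show crypto ipsec sa` outputs above can be checked mechanically. The following is an added example, not part of the original post: it parses excerpts of the quoted output and lists the symptoms worth following up, without asserting a root cause. The function names are hypothetical and the parser assumes the output layout shown in the post.

```python
import re

# Excerpts of the two `show crypto ipsec sa` outputs quoted in the post above.
CPE_SA = """\
interface: Dialer0
current_peer 22.126.229.125 port 500
#pkts encaps: 407, #pkts encrypt: 407, #pkts digest: 407
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
local crypto endpt.: 221.221.155.96, remote crypto endpt.: 22.126.229.125
current outbound spi: 0x43D7FFCE(1138229198)
"""
PE_SA = """\
interface: Loopback200
current_peer 221.221.155.96 port 500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 524, #pkts decrypt: 524, #pkts verify: 524
local crypto endpt.: 22.126.229.125, remote crypto endpt.: 222.128.169.253
current outbound spi: 0x0(0)
"""

def parse_sa(text):
    """Extract counters, peer, remote endpoint and outbound SPI from one SA block."""
    sa = {k: int(v) for k, v in re.findall(r"#pkts (encaps|decaps): (\d+)", text)}
    sa["peer"] = re.search(r"current_peer (\S+)", text).group(1)
    sa["remote_endpt"] = re.search(r"remote crypto endpt\.: (\S+)", text).group(1)
    sa["out_spi"] = int(re.search(r"outbound spi: (0x[0-9A-Fa-f]+)", text).group(1), 16)
    return sa

def findings(name, sa):
    """Return the symptoms to flag for one side of the tunnel."""
    out = []
    if sa["encaps"] == 0 and sa["decaps"] > 0:
        out.append(f"{name}: receives ESP but sends none (encaps=0)")
    if sa["decaps"] == 0 and sa["encaps"] > 0:
        out.append(f"{name}: sends ESP but receives none (decaps=0)")
    if sa["out_spi"] == 0:
        out.append(f"{name}: outbound SPI is 0x0 (no outbound SA installed)")
    if sa["peer"] != sa["remote_endpt"]:
        out.append(f"{name}: current_peer {sa['peer']} differs from "
                   f"remote crypto endpt {sa['remote_endpt']}")
    return out

def diagnose():
    """Run the checks over both sides and return all findings in order."""
    return findings("CPE", parse_sa(CPE_SA)) + findings("PE", parse_sa(PE_SA))

if __name__ == "__main__":
    print("\n".join(diagnose()))
```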