04-16-2012 11:11 PM
Hi, I am setting up a site-to-site VPN over a GRE tunnel with the attached topology.
For R1:
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 1.1.1.2
!
access-list 110 permit gre host 1.1.1.1 host 1.1.1.2
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
!
crypto map vpn 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set strong
 match address 110
!
router eigrp 1
 network 2.0.0.0
 network 192.168.1.0
 auto-summary
!
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
!
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 1.1.1.2
 crypto map vpn
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
For R2:
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 1.1.1.1
!
access-list 110 permit gre host 1.1.1.2 host 1.1.1.1
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
!
crypto map vpn 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set strong
 match address 110
!
interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.0
!
interface Tunnel0
 ip address 192.168.1.2 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 1.1.1.1
 crypto map vpn
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
I am getting the following error on both R1 and R2:
R1#
*Mar 1 01:33:47.875: IPSEC(key_engine): major = 1
*Mar 1 01:33:47.875: IPSEC(key_engine): expired_timer
R1#
Please help with this issue, as I want to deploy it in production.
Thanks.
04-16-2012 11:47 PM
From the config attached, I cannot find the EIGRP configuration on R2! Did you forget to add it to the post?
Please remove the crypto map from the tunnel interface and put it on the physical interface instead; applying the crypto map to the tunnel interface isn't recommended! Please try it and see how things go.
Ahmad
04-17-2012 01:32 AM
Sorry, I forgot to add EIGRP on R2:
router eigrp 1
 network 3.0.0.0
 network 192.168.1.0
 auto-summary
Connectivity is there between both routers.
I have removed the crypto map from the tunnel and applied it to the physical interface. Phase 1 and phase 2 are established, but the same log message still appears:
*Mar 1 03:51:07.891: IPSEC(key_engine): major = 1
*Mar 1 03:51:07.891: IPSEC(key_engine): expired_timer
My understanding is that I am encrypting the tunnel, not the physical interface. I did not read anything about a recommendation to put it on the physical interface; can you please highlight where you read it? I have read on some sites to enable it on both the tunnel and the physical interface; there is no straight answer that I have read.
Another question I have: if I advertise the physical network, then show ip route will show that the loopback address of the second router is reached via the physical interface. Can I make it go through the tunnel?
Thanks.
04-17-2012 02:00 AM
Hi ,
As far as I know, you should put the crypto map on the physical interface. The traffic that is matched by the crypto map ACL (GRE traffic) is seen on the physical interface, not on the GRE interface itself.
Dan
04-18-2012 04:51 AM
Thanks, Dan.
04-18-2012 05:12 AM
My pleasure.
Dan
04-18-2012 05:47 AM
That is correct, Dan. Alkabeer only needs the crypto map applied to the physical interface! In old code we used to apply the crypto map to both the physical interface and the tunnel interface, but this changed a long time ago.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094bff.shtml
IOS Configuration Note:
With Cisco IOS 12.2(13)T and later codes (higher numbered T-train codes, 12.3 and later codes) the configured IPSEC "crypto map" only needs to be applied to the physical interface and is no longer required to be applied on the GRE tunnel interface. Having the "crypto map" on the physical and tunnel interface when using the 12.2(13)T and later codes still works. However, it is highly recommended to apply it just on the physical interface.
Regards,
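The placement rule Dan and Gustavo describe above, turned into a check you can run against a saved config before it goes to production. This is an added example, not code from the thread or from Cisco: the config strings inside it are constructed from the R1 config posted above (R1_AS_POSTED as it was, R1_FIXED with the map moved to FastEthernet0/0), and parse_ios, check_crypto_map_placement and the sample names are this example's own. It assumes the flat config style seen in the thread, with "tunnel source" naming an interface.

```python
"""Lint an IOS GRE-over-IPsec config for crypto map placement.

Added example, not code from the thread or from Cisco. It parses the flat
config style posted above and reports a crypto map that sits on the Tunnel
interface instead of the physical interface named by "tunnel source", plus a
peer or ACL that does not match the GRE endpoints. R1_AS_POSTED and R1_FIXED
are constructed samples; parse_ios and the check are this example's own.
"""
import re

# Top-level commands we do not parse; they end the interface / crypto map
# block we were in so that their sub-commands are ignored.
OTHER_TOP_LEVEL = ("crypto isakmp", "crypto ipsec", "router ", "hostname ")

R1_AS_POSTED = """\
crypto isakmp policy 10
 encr 3des
access-list 110 permit gre host 1.1.1.1 host 1.1.1.2
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
crypto map vpn 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set strong
 match address 110
router eigrp 1
 network 192.168.1.0
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel destination 1.1.1.2
 crypto map vpn
"""

# Same router with "crypto map vpn" moved from Tunnel0 to FastEthernet0/0.
R1_FIXED = R1_AS_POSTED.replace(
    " ip address 1.1.1.1 255.255.255.0\n",
    " ip address 1.1.1.1 255.255.255.0\n crypto map vpn\n",
).replace(" tunnel destination 1.1.1.2\n crypto map vpn\n",
          " tunnel destination 1.1.1.2\n")


def parse_ios(config: str) -> dict:
    """Extract interfaces, crypto maps and host-to-host ACL entries."""
    interfaces: dict[str, dict[str, str]] = {}
    cmaps: dict[str, dict[str, str]] = {}
    acls: dict[str, list[tuple[str, str, str]]] = {}
    block = None  # ("interface", name), ("cmap", name) or None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"interface (\S+)$", line):
            block = ("interface", m.group(1))
            interfaces.setdefault(m.group(1), {})
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", line):
            block = ("cmap", m.group(1))
            cmaps.setdefault(m.group(1), {})
        elif m := re.match(r"access-list (\d+) permit (\S+) host (\S+) host (\S+)$", line):
            block = None
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(4)))
        elif line.startswith(OTHER_TOP_LEVEL):
            block = None
        elif block and block[0] == "interface":
            for key, pat in (("ip", r"ip address (\S+) \S+$"), ("source", r"tunnel source (\S+)$"),
                             ("dest", r"tunnel destination (\S+)$"), ("crypto_map", r"crypto map (\S+)$")):
                if m := re.match(pat, line):
                    interfaces[block[1]][key] = m.group(1)
        elif block and block[0] == "cmap":
            for key, pat in (("peer", r"set peer (\S+)$"), ("acl", r"match address (\S+)$")):
                if m := re.match(pat, line):
                    cmaps[block[1]][key] = m.group(1)
    return {"interfaces": interfaces, "crypto_maps": cmaps, "acls": acls}


def check_crypto_map_placement(config: str) -> list[str]:
    """One finding per problem; an empty list means the map is placed right."""
    cfg = parse_ios(config)
    findings: list[str] = []
    for name, tun in cfg["interfaces"].items():
        if not name.lower().startswith("tunnel"):
            continue
        src = tun.get("source", "")  # assumed to name an interface, as in the thread
        phys = cfg["interfaces"].get(src, {})
        dst = tun.get("dest")
        if "crypto_map" in tun:  # works on old code, but not the recommended placement
            findings.append(f"{name}: crypto map {tun['crypto_map']} applied on the tunnel; "
                            f"apply it on {src} instead")
        cmap_name = phys.get("crypto_map")
        if not cmap_name:
            findings.append(f"{src}: no crypto map on the tunnel source interface")
            continue
        cmap = cfg["crypto_maps"].get(cmap_name, {})
        if cmap.get("peer") != dst:
            findings.append(f"crypto map {cmap_name}: peer {cmap.get('peer')} != tunnel destination {dst}")
        if ("gre", phys.get("ip"), dst) not in cfg["acls"].get(cmap.get("acl", ""), []):
            findings.append(f"crypto map {cmap_name}: ACL {cmap.get('acl')} lacks "
                            f"'permit gre host {phys.get('ip')} host {dst}'")
    return findings


if __name__ == "__main__":
    for label, text in (("R1 as posted", R1_AS_POSTED), ("R1 fixed", R1_FIXED)):
        print(f"{label}: {check_crypto_map_placement(text) or ['OK']}")
```

On the router itself, show crypto map lists the interfaces each map is bound to, and the encaps/decaps counters in show crypto ipsec sa tell you whether the GRE traffic is actually hitting the SA. Two caveats the thread leaves implicit: mode transport is the right choice for GRE over IPsec because the GRE outer header already carries the peer addresses, and the ISAKMP policy and transform set in the thread (3DES, MD5 HMAC, DH group 2) are legacy; a production deployment today would use AES with SHA-2 and a stronger DH group.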
04-19-2012 12:19 AM
Thanks, Gustavo.
I have configured it on the tunnel interface, but I will change it to work with the physical interface as per the recommendation.
Thanks.