Stuck! IPsec & GRE tunnels

ryankulp89
Level 1

I am trying to set up an IPsec/GRE tunnel between two locations. I am configuring some test routers in a lab environment but have not been able to ping between the two local networks.

My tunnel interfaces are set up to use the loopback addresses for the source and destination.

The loopback IPs are added in the access list which is configured in the crypto map.

Default routes have been configured for corresponding LAN traffic to route through tunnels. 

-----------------------     HQ    -------------------------------------------------------

Using 2137 out of 33554432 bytes
!
! Last configuration change at 20:26:47 UTC Fri Apr 7 2017
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname HQ
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
no aaa new-model
!
!
!
!
!
!
!
!
!


no ip domain lookup

!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
!
!
license udi pid ISR4321/K9 sn FDO20301S06
license boot level securityk9
!
!
redundancy
mode none
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 5
encr aes 256
authentication pre-share
group 2
crypto isakmp key TestLabKey address 172.16.113.34
crypto isakmp fragmentation
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set Test-Lab-ipsec-set esp-aes 256 esp-sha-hmac
mode tunnel
!
!
!
crypto map Test-Lab-ipsec-map 1 ipsec-isakmp
set peer 172.16.113.34
set transform-set Test-Lab-ipsec-set
set pfs group5
match address 100
!
!
!
!
!
!
!
interface Loopback0
description Source for GRE and IPsec tunnels
ip address 172.20.0.1 255.255.255.255
!
interface Tunnel0
description IPSEC GRE TUNNEL TO REMOTE
ip address 172.16.38.1 255.255.255.252
tunnel source Loopback0
tunnel destination 172.21.0.1
!
interface GigabitEthernet0/0/0
description Link to Internet
ip address 172.16.213.130 255.255.255.0
negotiation auto
crypto map Test-Lab-ipsec-map
!
interface GigabitEthernet0/0/1
description Local Connection
ip address 10.3.0.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 172.16.213.254
ip route 10.38.1.0 255.255.255.248 Tunnel0
!
!
access-list 100 permit ip host 172.20.0.1 host 172.21.0.1
access-list 100 permit ip host 172.20.0.1 172.16.113.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
end

----------------------- Remote -------------------------------------------------------

Using 2219 out of 33554432 bytes
!
! Last configuration change at 20:28:12 UTC Fri Apr 7 2017
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname REMOTE
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
no aaa new-model
!
!
!
!
!
!
!
!
!


no ip domain lookup

ip dhcp excluded-address 10.38.1.1
!
ip dhcp pool WANpool
network 10.38.1.0 255.255.255.248
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
!
!
license udi pid ISR4321/K9 sn FDO20301S3F
license boot level securityk9
!
!
redundancy
mode none
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 5
encr aes 256
authentication pre-share
group 2
crypto isakmp key TestLabKey address 172.16.213.130
crypto isakmp fragmentation
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set Test-Lab-ipsec-set esp-aes esp-sha-hmac
mode tunnel
!
!
!
crypto map Test-Lab-ipsec-map 1 ipsec-isakmp
set peer 172.16.213.130
set transform-set Test-Lab-ipsec-set
set pfs group5
match address 100
!
!
!
!
!
!
!
interface Loopback0
description Source for GRE and IPsec tunnels
ip address 172.21.0.1 255.255.255.255
!
interface Tunnel0
description IPSEC GRE TUNNEL TO HQ
ip address 172.16.38.2 255.255.255.252
tunnel source Loopback0
tunnel destination 172.20.0.1
!
interface GigabitEthernet0/0/0
description Link to Internet
ip address 172.16.113.34 255.255.255.0
negotiation auto
crypto map Test-Lab-ipsec-map
!
interface GigabitEthernet0/0/1
description Local Connection with DHCP
ip address 10.38.1.1 255.255.255.248
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 172.16.113.254
ip route 10.3.0.0 255.255.255.0 Tunnel0
!
!
access-list 100 permit ip host 172.21.0.1 host 172.20.0.1
access-list 100 permit ip host 172.21.0.1 172.16.213.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
end

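A consistency check a reviewer could run over the two configurations in this post, added here as an example and not part of the original post: it compares the IKE/IPsec parameters both peers must agree on and checks that every crypto ACL entry has a mirror image on the peer. The function names are illustrative, and only the crypto-relevant lines of the posted configs are embedded.

```python
import re
# Crypto-relevant lines copied from the two configurations posted above.
HQ = """\
encr aes 256
authentication pre-share
group 2
crypto ipsec transform-set Test-Lab-ipsec-set esp-aes 256 esp-sha-hmac
set pfs group5
access-list 100 permit ip host 172.20.0.1 host 172.21.0.1
access-list 100 permit ip host 172.20.0.1 172.16.113.0 0.0.0.255
"""
REMOTE = """\
encr aes 256
authentication pre-share
group 2
crypto ipsec transform-set Test-Lab-ipsec-set esp-aes esp-sha-hmac
set pfs group5
access-list 100 permit ip host 172.21.0.1 host 172.20.0.1
access-list 100 permit ip host 172.21.0.1 172.16.213.0 0.0.0.255
"""
ADDR = r"(host \S+|any|\S+ \S+)"  # "host A", "any", or "network wildcard"

def crypto_params(cfg):
    """Return the IKE/IPsec settings both peers must agree on."""
    params = {}
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            params["transform-set " + m.group(1)] = m.group(2)
        elif m := re.match(r"(encr|authentication|group|set pfs) (.+)", line):
            params[m.group(1)] = m.group(2)
    return params

def acl_entries(cfg, num="100"):
    """Return (source, destination) pairs of the ACL's 'permit ip' entries."""
    pat = rf"access-list {num} permit ip {ADDR} {ADDR}$"
    return {m.groups() for l in cfg.splitlines() if (m := re.match(pat, l.strip()))}

def compare(a, b):
    """List parameter mismatches and crypto ACL entries the peer does not mirror."""
    pa, pb = crypto_params(a), crypto_params(b)
    issues = [f"{k}: {pa.get(k)!r} vs {pb.get(k)!r}"
              for k in sorted(pa.keys() | pb.keys()) if pa.get(k) != pb.get(k)]
    for mine, peer in ((acl_entries(a), acl_entries(b)), (acl_entries(b), acl_entries(a))):
        issues += [f"ACL entry not mirrored on peer: {s} -> {d}"
                   for s, d in sorted(mine) if (d, s) not in peer]
    return issues

if __name__ == "__main__":
    print("\n".join(compare(HQ, REMOTE)))
```

On the posted configs it reports the transform-set difference (`esp-aes 256` on HQ, `esp-aes` on REMOTE) and the second ACL 100 entry on each router, which has no mirror on the peer.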