I have a configuration in place, and while the links come up, I can't get the GRE over IPSec running. Can someone please tell me what I'm missing? I tried to generate interesting traffic to the other side of the tunnel and also using the vrf option in ping, but nothing...
Here is my config on R2. R1 has a duplicate config, but the IPs are changed from .2 to .1.
ip vrf vrf1
 rd 1:1
!
ip vrf vrf2
 rd 2:2
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key ******* address 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 15 periodic
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set T101-AES256 esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec df-bit clear
!
crypto ipsec profile T101-AES256
 set security-association lifetime seconds 86400
 set transform-set T101-AES256
!
crypto map T101 local-address GigabitEthernet0/2
crypto map T101 101 ipsec-isakmp
 set peer 172.16.101.1
 set transform-set T101-AES256
 match address 101
!
interface Loopback101
 ip vrf forwarding vrf1
 ip address 10.101.255.2 255.255.255.0
!
interface Tunnel101
 bandwidth 100000
 ip address 10.255.101.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip flow ingress
 ip flow egress
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source 172.16.101.2
 tunnel destination 172.16.101.1
 tunnel vrf vrf1
!
interface GigabitEthernet0/2
 description MetroE
 ip address 172.16.101.2 255.255.255.0
 duplex auto
 speed auto
 crypto map T101
router eigrp 100
 network ***** omitted
 passive-interface GigabitEthernet0/2
 passive-interface Tunnel101
access-list 101 permit gre host 172.16.101.2 host 172.16.101.1
I got the base config from here:
https://networkology.net/2013/07/14/gre-over-ipsec-configured-and-explained-ccie-notes/
Tom
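A cross-reference check for a config like the one posted above, added here as an example and not part of the original post. It flags a pre-shared key bound to address 0.0.0.0, an IPsec profile that no tunnel references, a `tunnel vrf` that differs from the VRF of the interface owning the tunnel source address, and a tunnel made passive under a routing process. The function names, finding labels and the constructed `SAMPLE` excerpt are assumptions for illustration.

```python
import re

# Constructed excerpt of the posted R2 config, flat (unindented) as pasted.
SAMPLE = """\
crypto isakmp key ******* address 0.0.0.0
crypto ipsec profile T101-AES256
!
interface Tunnel101
tunnel source 172.16.101.2
tunnel vrf vrf1
!
interface GigabitEthernet0/2
ip address 172.16.101.2 255.255.255.0
crypto map T101
router eigrp 100
passive-interface Tunnel101
"""
HEADERS = ("interface ", "router ", "crypto ipsec profile ")

def sections(text):
    """Map each section header to its sub-commands; a section ends at '!' or the next header."""
    out, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith(HEADERS):
            cur = out.setdefault(line, [])
        elif line == "!":
            cur = None
        elif cur is not None:
            cur.append(line)
    return out

def arg(cmds, prefix):  # argument of the first sub-command starting with prefix, else None
    return next((c[len(prefix):] for c in cmds if c.startswith(prefix)), None)

def audit(text):
    sec = sections(text)  # a key bound to 0.0.0.0 is accepted for any peer address
    found = ["wildcard-psk"] if re.search(r"^crypto isakmp key \S+ address 0\.0\.0\.0", text, re.M) else []
    owner = {arg(c, "ip address ").split()[0]: arg(c, "ip vrf forwarding ")  # None = global table
             for h, c in sec.items() if h.startswith("interface ") and arg(c, "ip address ")}
    used = {arg(c, "tunnel protection ipsec profile ") for c in sec.values()}
    for hdr, cmds in sec.items():
        src = arg(cmds, "tunnel source ")
        if src in owner and owner[src] != arg(cmds, "tunnel vrf "):
            found.append(f"vrf-mismatch:{hdr.split()[1]}")  # transport VRF differs from source VRF
        if hdr.startswith("crypto ipsec profile ") and hdr.split()[3] not in used:
            found.append(f"unused-profile:{hdr.split()[3]}")  # defined, never applied to a tunnel
        if hdr.startswith("router "):
            found += [f"passive:{c.split()[1]}" for c in cmds if c.startswith("passive-interface Tunnel")]
    return found
```

`audit(SAMPLE)` returns the four findings in the order the sections appear; a tunnel source given as an interface name rather than an address is not resolved by this sketch.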