DMVPN & GRE over IPsec on the same physical interface
Dear All,
I'm configuring two WAN routers; each WAN router has one physical interface connecting to the branches and the regional office using the same provider.
We'll be using GRE over IPsec to connect to the regional office and DMVPN + EIGRP to the branches.
I would like to know if it's possible to configure tunnels for GRE over IPsec and DMVPN + EIGRP using the same source physical interface.
Kindly reply, it's an urgent request and your response is highly appreciated.
Regards,
Hi Savio,
It should work. We can configure DMVPN and GRE over IPsec on ASA using the same physical interface.
Regards,
Naresh
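As an added example (constructed for this page, not the thread's configuration or Cisco's documentation), here is how the two tunnels can share one WAN interface on an IOS router: a point-to-point GRE over IPsec tunnel to the regional office and an mGRE DMVPN hub tunnel to the branches, both sourced from GigabitEthernet0/0 and protected by one IPsec profile marked shared. All addresses, names, numbers and the pre-shared key are placeholders.

```ios
! Constructed example; addresses, names and the key are placeholders.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Wildcard PSK is shown because branch addresses may be dynamic; certificates or
! per-peer keys are the stronger choice where the peer addresses are known.
crypto isakmp key REPLACE-WITH-STRONG-PSK address 0.0.0.0 0.0.0.0
!
! AES-256/SHA-256 rather than the 3DES/MD5 transform seen elsewhere in this thread.
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile IPSEC-PROF
 set transform-set TS-AES256
!
! Point-to-point GRE over IPsec to the regional office.
interface Tunnel1
 description GRE over IPsec to regional office
 ip address 172.16.1.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! tunnel source must be given as the interface name, not its IP, when the profile is shared
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.10
 ! each tunnel on this source gets its own key so GRE can tell them apart
 tunnel key 1
 ! shared: both tunnels on GigabitEthernet0/0 use one IPsec SADB
 tunnel protection ipsec profile IPSEC-PROF shared
!
! mGRE DMVPN hub tunnel to the branches, EIGRP AS 100.
interface Tunnel100
 description DMVPN hub to branches
 ip address 172.16.100.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication REPLACE-ME
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 no ip split-horizon eigrp 100
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile IPSEC-PROF shared
!
router eigrp 100
 network 172.16.100.0 0.0.0.255
 network 172.16.1.0 0.0.0.3
```

The same pattern (distinct tunnel keys, one shared IPsec profile, tunnel source by interface name) applies on the spoke side; the regional office end must use the matching tunnel key 1.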
Similar Messages
DMVPN GRE over IPSEC Packet loss
I have a hub and spoke DMVPN GRE over IPSec topology. We have many sites, over 10, and have a problem on one particular site, just one. First off I want to say that I have replaced the Router and I get the same exact errors. By monitoring the Terminal, I regularly get these messages
%VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Output Authentication error:srcadr=10.X.X.X,dstadr=10.X.X.X,size=616,handle=0x581A
%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=1
The tunnel is up, passes data, and always stays up. This router is a spoke router. The routing protocol being used is EIGRP. When I do a "show crypto isakmp sa", it shows the state as "QM_IDLE", which means it is up.
When I use the "Show Crypto Engine accelerator stat" this is what I get (Attached File)
You can see that there are ppq rx errors, authentication errors, invalid packets, and packets dropped. I know this is not due to mis-configuration because the config is exactly the same as at other sites I have which never have any problems. Here are the tunnel interface and the tunnel source interface on the spoke router:
interface Tunnel111
 description **DPN VPN**
 bandwidth 1000
 ip address 172.31.111.107 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1300
 ip pim sparse-dense-mode
 ip nhrp authentication XXXX
 ip nhrp map multicast dynamic
 ip nhrp map multicast X.X.X.X
 ip nhrp map X.X.X.X X.X.X.X
 ip nhrp network-id 100002
 ip nhrp holdtime 360
 ip nhrp nhs 172.31.111.254
 ip route-cache flow
 ip tcp adjust-mss 1260
 ip summary-address eigrp 100 10.X.X.X 255.255.0.0 5
 qos pre-classify
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key XXXX
 tunnel protection ipsec profile X.X.X.X
!
interface GigabitEthernet0/0
 description **TO DPNVPN**
 ip address 10.X.X.X 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip pim sparse-dense-mode
 ip virtual-reassembly
 duplex full
 speed 100
 no snmp trap link-status
 no mop enabled
Is there anything that you can think of that may be causing this? Do you think this can be a layer one or two issue? Thanks
Brenden
Have you tried turning off the hardware encryption (no crypto engine accelerator) just to see if it's better? But be careful, because your CPU% will run much higher; but you only have 10 spoke sites, so it won't be at 100%.
It's better to start troubleshooting at layer 1, then layer 2, when it's possible. Have you asked the site's ISP about packet loss on their side?
Two contexts sharing the same physical interface
Hi,
I have been looking for a configuration guide on how to set up one physical trunked interface to be shared between two contexts. I am sure I am just using the wrong search words but have as of yet been unable to find anything on this. Anyone able to provide a link please?
Thanks
Hi,
I have not linked (or have the need to) 3 Security Contexts before but I would imagine you could modify the above configuration a bit to achieve that also
interface GigabitEthernet0/0
 description TRUNK
!
interface GigabitEthernet0/0.100
 description SC1 - OUTSIDE
 vlan 100
!
interface GigabitEthernet0/0.200
 description SC2 - OUTSIDE
 vlan 200
!
interface GigabitEthernet0/0.10
 description SC1 - INSIDE
 vlan 10
!
interface GigabitEthernet0/0.20
 description SC2 - INSIDE
 vlan 20
!
interface GigabitEthernet0/0.12
 description SC1 - TRANSIT
 vlan 12
!
interface GigabitEthernet0/0.21
 description SC2 - TRANSIT
 vlan 21
!
context TRANSIT
 description SC1 to SC2 TRANSIT SC
 allocate-interface GigabitEthernet0/0.12
 allocate-interface GigabitEthernet0/0.21
 config-url disk0:/TRANSIT.cfg
!
context SC1
 description SC1
 allocate-interface GigabitEthernet0/0.100
 allocate-interface GigabitEthernet0/0.10
 allocate-interface GigabitEthernet0/0.12
 config-url disk0:/SC1.cfg
!
context SC2
 description SC2
 allocate-interface GigabitEthernet0/0.200
 allocate-interface GigabitEthernet0/0.20
 allocate-interface GigabitEthernet0/0.21
 config-url disk0:/SC2.cfg
I am not sure if this would be the way, but that is how I imagine it at the moment.
The setup should look something like this
A totally different matter: would there be a better way to achieve the same as above?
- Jouni
Hi,
I regularly use bridge domains to connect sub interfaces on different vlans using this sort of configuration:
interface GigabitEthernet0/0/0/5.21 l2transport
 description CUSTOMER A WAN
 encapsulation dot1q 21
 rewrite ingress tag pop 1 symmetric
!
interface GigabitEthernet0/0/0/10.3122 l2transport
 description CUSTOMER A CORE
 encapsulation dot1q 3122
 rewrite ingress tag pop 1 symmetric
!
l2vpn
 bridge group WANLINKS
  bridge-domain CUSTOMERA
   interface GigabitEthernet0/0/0/5.21
   interface GigabitEthernet0/0/0/10.3122
When I try to use the same method to bridge two sub interfaces on the same physical interface so as to create a L2 VPN no data flows:
interface GigabitEthernet0/0/0/5.21 l2transport
 description CUSTOMER A WAN
 encapsulation dot1q 21
 rewrite ingress tag pop 1 symmetric
!
interface GigabitEthernet0/0/0/5.22 l2transport
 description CUSTOMER A WAN2
 encapsulation dot1q 22
 rewrite ingress tag pop 1 symmetric
!
l2vpn
 bridge group WANLINKS
  bridge-domain CUSTOMERA
   interface GigabitEthernet0/0/0/5.21
   interface GigabitEthernet0/0/0/5.22
If I add a BVI interface to the bridge domain then the CE devices at the remote end of the WAN interface can both ping the BVI IP but they remain unable to ping each other.
Is this because tag rewrites are not happening since packets don't leave the physical interface?
How can I work around this and establish a L2 connection between the two subinterfaces?
Thank you
A VLAN is usually the equivalent of an L3 subnet, so linking 2 VLANs together in the same bridge domain likely needs to come with some sort of routing (e.g. a BVI interface).
If these 2 VLANs are still in the same subnet, then there is still ARP going on from one host to the other that traverses the BD.
You will need to verify the state of the AC and the forwarding in the BD, see if something gets dropped somewhere, and follow the generic packet troubleshooting guides (see support forums for that also).
That might give a hint as to what the precise issue in your forwarding is.
regards
xander
I have configured a network with OSPF and a site-to-site VPN without a GRE tunnel, and it works very well. I want to know: when do I have to use a GRE tunnel over IPsec?
Jose,
It sounds like you currently have an IPsec Virtual Tunnel Interface (VTI) configured. By this, I mean that you have a Tunnel interface running in "tunnel mode ipsec ipv4" rather than having a crypto map applied to a physical interface. In the days before VTIs, it was necessary to configure GRE over IPsec in order to pass certain types of traffic across an encrypted channel. When using pure IPsec with crypto maps, you cannot pass multicast traffic without implementing GRE over IPsec. Today, IPsec VTIs and GRE over IPsec accomplish what is effectively the same thing, with a few exceptions. For example, by using GRE over IPsec you can configure multiple tunnels between two peers by means of tunnel keys, pass many more types of traffic than IP unicast and multicast (such as NHRP as utilized by DMVPN), and you can also configure multipoint GRE tunnels, whereas VTIs are point-to-point.
Here's a document which discusses VTIs in more depth: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-ipsec-virt-tunnl.html#GUID-A568DA9D-56CF-47C4-A866-B605804179E1
HTH,
Frank
ACC
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml#diag
This is a lab I did today, and of course I am able to understand this lab, but my confusions are:
1. Why do we use the crypto map on both interfaces (physical interface or tunnel interface)?
2. When I remove the crypto map from the tunnel interface I receive this message:
( R2691#*Mar 1 01:12:54.243: ISAKMP:(1002):purging node 2144544879 )
Please tell me what the meaning of this message is.
3. But I can see the VPN is working fine. This is the crypto SA and crypto ISAKMP SA:
R2691#sh crypto ipsec sa

interface: Serial0/0
    Crypto map tag: vpn, local addr 30.1.1.21

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (30.1.1.21/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/47/0)
   current_peer 10.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 65, #pkts encrypt: 65, #pkts digest: 65
    #pkts decaps: 66, #pkts decrypt: 66, #pkts verify: 66
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: 30.1.1.21, remote crypto endpt.: 10.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
     current outbound spi: 0xDBF65B0E(3690355470)

     inbound esp sas:
      spi: 0x44FF512B(1157583147)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 5, flow_id: SW:5, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4598427/3368)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xDBF65B0E(3690355470)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 6, flow_id: SW:6, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4598427/3368)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R2691#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
30.1.1.21       10.1.1.1        QM_IDLE           1002    0 ACTIVE

IPv6 Crypto ISAKMP SA
4. How do I know it is using GRE over IPsec?
I am also attaching my topology on which I did the lab.
Mr. Anuj, here is my config:
R7200#sh ip int b
Interface IP-Address OK? Method Status Protocol
Serial1/0 10.1.1.1 YES NVRAM up up
Loopback1 50.1.1.1 YES NVRAM up up
Loopback2 50.1.2.1 YES NVRAM up up
Tunnel0 40.1.1.2 YES NVRAM up up
Tunnel1 40.1.2.2 YES NVRAM up up
Tunnel2 40.1.3.2 YES NVRAM up up
=========================================================
R7200#sh int tunnel 0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 40.1.1.2/24
MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 10.1.1.1 (Serial1/0), destination 30.1.1.1
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255
Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 00:00:04, output 00:00:04, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 2
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
2229 packets input, 213651 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
2292 packets output, 220520 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
===============================================================
My crypto ACL is:
access-list 101 permit gre host 10.1.1.1 host 30.1.1.1
High cpu consumption with GRE over IPSEC
Hi all,
After applying a gre over ipsec tunnel on one of our branch office, we get high cpu consumption (average 90%).
Tunnel is applied between Cisco 2851 (C2800NM-ADVIPSERVICESK9-M), Version 12.4(24)T2, (fc2) and
Cisco CISCO2921/K9 Version 15.0(1)M3.
Config of the tunnel is as follows:
- authentication pre-share
- encryption aes 256
- hash: sha
- transform set: esp-aes esp-sha-hmac mode transport
Routing process is EIGRP.
Could anyone please help me on solving this issue?
Cool, good start.
Check "show ip traffic" on both sides; it would be interesting to see what's going on.
BTW, the CPU usage of the top processes doesn't add up to 90%, so there's a possibility it's traffic rate/pattern + features (IP input and pool manager would suggest that).
I am unable to connect my iPad to the internet via WiFi. When asked for a password and then attempting to join, I get the message "unable to join the network"; however, if I use my laptop in the same physical location and using similar procedures, I am able to connect.
What router are you using? make/model/version
What security type are you using? If it is WEP then symbolic (non hex) keys may be converted to hex in different ways by different operating systems. Is your laptop a Windows PC?
If you are using WEP then drop it and move to WPA2. WEP has been deprecated by the WiFi Alliance since 2004 as insecure (it can be hacked in seconds).
I've seen lots of discussion about how to remove duplicate copies of the same song, but my issue is different.
iTunes has duplicate entries in its database, but if I do show in finder, then both entries point to the same physical location.
If I delete one entry, then the other entry becomes unusable.
Any idea how I could clean this up? It's annoying because if I select an album to play, then each song gets played twice.
@zoo_bink I too have exactly the same issue; however, it's not affecting all my files.
One solution, which I'm contemplating, is to backup the iTunes Media folder, delete files, uninstall/reinstall iTunes then re-import the files. The issue may have arisen during initial import. (I'm not sure at this stage if Apple allow iTunes to be uninstalled.)
iTunes music collection is showing 58.95GB versus 57.11GB in Finder so it's not a massive deal but annoying nonetheless as deleting entries isn't an option.
Any suggestions welcome.
MacBook Pro, OS X 10.9.1, iTunes 11.1.3 (8)
I have an iPhone 3GS, and realized I do most of my SMS/MMS messaging at home, when connected to my WiFi. Then I began to think, if I'm using the messaging app over WiFi, can the SAME app (which, personally I like much better than the third party apps) be installed on the iPad 2 (which I'm still waiting from back order)?
Incorrect.
SMS/MMS is exchanged over the same network as calls.
"Dumb" phones or phones not in the smart category that don't have internet access in any shape, form, or fashion can exchange SMS/MMS.
Since SMS/MMS (a poor man's email with cell phones since it is very limited) is a cash cow for carriers and very profitable, why wouldn't cell phone carriers be interested in including SMS/MMS as an additional option (and of course at an additional expense) with a data plan only for the iPad? They certainly are interested in it but they can't since SMS/MMS is exchanged over the same network as calls.
Get me the IPAD SMS app
Take your whining someplace else. The self-entitlement displayed here by some is laughable.
It is possible to charge an iPad3 over USB and transmit data over USB at the same time?
Hello,
it is possible to charge an iPad3 over USB and transmit data over USB at the same time?
If yes, how?
Thanks
Best regards
OK!?
That is right that the USB data pins are not connected to the +5V pin.
But I found a description for a self-built power supply for the iPad.
http://timothyb.net/DIY_iPad_2_USB_Charger.html
and
https://www.mikrocontroller.net/topic/262610?goto=2726627#2726627
The description says: data pin D- needs a voltage level of 2V and D+ 2.857V.
When the data pins have these special voltage levels and VCC has +5V, only then is the iPad charging.
The voltage "D+/D- coding" is the key for the iPad to charge.
OK, now back to my problem.
The regular USB data pin voltage level is 0.3 - 3.0 volts. When the iPad is charging, the data pins have this special voltage level. Now I try to transmit data over the USB data pins with the. Normally the USB port transmits the data with a voltage level of max. 3V.
And here is my problem. The higher voltage level at the data pins causes the iPad to stop the charging.
Is that correct?
Can one installation of SSIS be shared by multiple instances on the same physical box?
Hello everyone,
I hope I'm posting this question on the correct forum.
We are short on money this year and we decided to purchase one physical system to represent Development and QA.
I am designing an architecture around my systems where I would have a two SQL Server Instances (2014, Enterprise Ed), one for each environment:
DVSV-ODS01\DEV
DVSV-ODS01\QA
The only possible problem is SSIS, which I cannot have multiple installations of SSIS on the same box.
Is it possible to have the SSIS service serving the two SQL Server instances installed on the same physical box?
Thanks for your help.
Not on the same physical box, but you can go with running, say, the QA environment on a Virtual Machine.
E.g. the very free VirtualBox should do it. And then you can install two SSIS instances.
You can even access them simultaneously this way.
Arthur
Oracle XE on multiple virtual machines on the same physical machine?
hi,
Does Oracle's licensing for 11g Express Edition prohibit running XE databases on multiple virtual machines on the same physical machine? If not, does the machine have to be "hard partitioned" per Oracle specifications (link below) to make it legal?
http://www.oracle.com/us/corporate/pricing/partitioning-070609.pdf
I found a similar question regarding 10g Express Edition in the forum (link below), but it doesn't seem like the question was ever definitively answered.
Oracle XE on multiple virtual machines on the same physical machine?
thanks
I thought, until I just checked, that this was a clear-cut no, in that it specifies 'a single server'. Now I'm not sure, as 'server' is an ambiguous term. I at least know that as soon as you start giving developers access to their own XE instance for dev/testing, there are many VM environments where you can't really know what physical machine your VM is running on, to actually be able to tell if you had multiple XE instances running on a single 'physical' server. I'm not sure the question has been answered by Oracle though.
Two environments to the same physical location
May I open two environments (one readonly and one with write access) to the same physical location on the disk?
I think to use the one with readonly access as consumer of data but the second as manager and provider of data.
Both environments will be established by different processes (applications) or VMs.
Is there any special order (sequence) to open them, or is there not any?
Thanks.
Hi,
First, please see this documentation about read-only processes:
http://www.oracle.com/technology/documentation/berkeley-db/je/GettingStartedGuide/multiprocess.html
Read-only processes are very limited because changes made by the writer process are not automatically seen by the reader process, as described in the 3rd bullet of the documentation. To get around this limitation, replication can be used. Replica processes do see changes made by the writer process. For information on replication see:
http://www.oracle.com/technology/documentation/berkeley-db/je/ReplicationGuide/index.html
--mark
Vrf lite and PBR on the same sub interface
Hi,
I have a point-to-point connection on a subinterface between PE and CE and use eBGP as the routing protocol. The CE routers are Cisco 7609s, and on the subinterface I apply "ip vrf forwarding WAP". Inside this VPN / VRF that I defined before I want to do PBR, so as to route the traffic based on the source IP address. I cannot use "vrf select" because it is not supported on this platform. So I would like to know if I can do PBR on this subinterface and how I can do it: just by configuring "ip policy route-map WAP" under the same subinterface where I configure ip vrf forwarding?
Thanks
Ira
Use the route map as a normal thing.
To match all the IP addresses, there should not be any match statement in the route map.
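An added example (constructed for this page, not Ira's configuration) of source-based PBR on a VRF-lite subinterface in IOS: the interface number, VRF RD, prefixes and next hop are placeholders, and the policy next hop has to be reachable inside VRF WAP, since PBR on a VRF interface resolves it in that VRF's table.

```ios
! Constructed example; interface, RD, prefixes and next hop are placeholders.
ip vrf WAP
 rd 65000:10
!
! Only traffic from 10.10.1.0/24 is policy-routed; everything else falls
! through to the normal VRF WAP routing table.
ip access-list extended PBR-SRC-10-10-1
 permit ip 10.10.1.0 0.0.0.255 any
!
route-map WAP permit 10
 match ip address PBR-SRC-10-10-1
 set ip next-hop 192.0.2.2
! As the reply above notes, an entry with no match statement would match
! every packet; keeping the ACL limits the policy to the intended sources.
!
interface GigabitEthernet1/1.100
 description PE-CE link in VRF WAP
 encapsulation dot1Q 100
 ! ip vrf forwarding must come before ip address (it clears the address)
 ip vrf forwarding WAP
 ip address 192.0.2.1 255.255.255.0
 ! PBR applied on the same subinterface that carries the VRF
 ip policy route-map WAP
```

Verify with "show route-map WAP" (policy match counters) and "show ip route vrf WAP 192.0.2.2" to confirm the next hop resolves inside the VRF.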