GRE over EasyVPN

I have a PIX 501 connecting to a VPN Concentrator via EasyVPN. That connection works fine, now I want to add a router running GRE.
I cannot get my GRE tunnels to come up. I have added the fixup pptp command and a static translation, translating the Easy VPN obtained address to the router's inside address; however, nothing seems to be working. Any suggestions? Can anyone confirm that you can run GRE over Easy VPN?

I think if you are doing NEM mode then you should be able to do GRE over IPsec.
But when EasyVPN is in "client mode", all networks from the remote site get PAT'ed before they are sent through IPsec. Therefore it may not work.
The GRE tunnel destination should be reachable for the GRE tunnel to work; therefore, in client mode the PAT can hide the tunnel source address of the remote site.
Check what mode of EasyVPN it is.
HTH
Saju
Pls rate helpful posts
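To make Saju's point concrete, here is an added example (a constructed Python model, not PIX or EasyVPN code) of why a port-based overload translation cannot carry plain GRE while a static one-to-one address translation can: TCP and UDP flows have a source port for PAT to rewrite and to key the return path on, whereas GRE (IP protocol 47) has no port field at all. The addresses are constructed from the RFC 5737 documentation ranges.

```python
"""Toy PAT simulator: why plain GRE does not survive PAT (added example).

Constructed model, not PIX/EasyVPN code. TCP and UDP flows carry a source
port that PAT can rewrite, so many inside hosts share one outside address.
Plain GRE (IP protocol 47, RFC 2784) carries no port, so the translator has
nothing to rewrite and nothing to key the return path on; it needs a static
one-to-one address translation instead.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PROTO_TCP, PROTO_UDP, PROTO_GRE = 6, 17, 47


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None for GRE: there is no L4 port field
    dport: Optional[int] = None


class PatTranslator:
    """Overload (PAT) on one outside address plus optional static 1:1 entries."""

    def __init__(self, outside_addr: str, static: Optional[Dict[str, str]] = None):
        self.outside_addr = outside_addr
        self.static = dict(static or {})  # inside addr -> outside addr
        # (proto, peer, peer_port, translated_port) -> (inside addr, inside port)
        self.table: Dict[Tuple, Tuple[str, int]] = {}
        self.next_port = 1024

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an inside->outside packet; None means the device drops it."""
        if pkt.src in self.static:
            # Static translation touches only the address, so any IP protocol passes.
            return Packet(pkt.proto, self.static[pkt.src], pkt.dst, pkt.sport, pkt.dport)
        if pkt.sport is None:
            # PAT must allocate and rewrite a port; GRE has none, so no entry can be built.
            return None
        xlate_port = self.next_port
        self.next_port += 1
        self.table[(pkt.proto, pkt.dst, pkt.dport, xlate_port)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.outside_addr, pkt.dst, xlate_port, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an outside->inside packet: dynamic table first, then static entries."""
        entry = self.table.get((pkt.proto, pkt.src, pkt.sport, pkt.dport))
        if entry is not None:
            inside, inside_port = entry
            return Packet(pkt.proto, pkt.src, inside, pkt.sport, inside_port)
        for inside, outside in self.static.items():
            if outside == pkt.dst:
                return Packet(pkt.proto, pkt.src, inside, pkt.sport, pkt.dport)
        return None


def demo() -> Dict[str, Optional[Packet]]:
    """Constructed scenario: one TCP flow and one GRE tunnel behind the same device."""
    peer = "198.51.100.1"
    pat_only = PatTranslator("203.0.113.10")
    with_static = PatTranslator("203.0.113.10", static={"192.168.1.7": "203.0.113.11"})
    tcp = Packet(PROTO_TCP, "192.168.1.5", peer, 40000, 443)
    gre = Packet(PROTO_GRE, "192.168.1.7", peer)
    out_tcp = pat_only.outbound(tcp)
    return {
        "tcp_pat": out_tcp,
        "tcp_reply": pat_only.inbound(Packet(PROTO_TCP, peer, "203.0.113.10", 443, out_tcp.sport)),
        "gre_pat": pat_only.outbound(gre),        # None: dropped, nothing to PAT on
        "gre_static": with_static.outbound(gre),  # passes, only the address changes
        "gre_reply": with_static.inbound(Packet(PROTO_GRE, peer, "203.0.113.11")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In client (PAT) mode the GRE packet is the one that comes back as None; with a static address translation for the router's inside address the same packet passes in both directions, which is why the mode of the EasyVPN connection matters here.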

Similar Messages

  • When do I have to use a GRE over IPsec tunnel? I have heard that when I'm using a routing protocol and VPN site to site I need a GRE tunnel

    I have configured a network with OSPF and a VPN site to site without a GRE tunnel and it works very well. I want to know, when do I have to use a GRE tunnel over IPsec?

    Jose,
    It sounds like you currently have an IPsec Virtual Tunnel Interface (VTI) configured. By this, I mean that you have a Tunnel interface running in "tunnel mode ipsec ipv4" rather than having a crypto map applied to a physical interface. In the days before VTIs, it was necessary to configure GRE over IPsec in order to pass certain types of traffic across an encrypted channel. When using pure IPsec with crypto maps, you cannot pass multicast traffic without implementing GRE over IPsec. Today, IPsec VTIs and GRE over IPsec accomplish what is effectively the same thing, with a few exceptions. For example, by using GRE over IPsec, you can configure multiple tunnels between two peers by means of tunnel keys, pass many more types of traffic than just IP unicast and multicast (such as NHRP as utilized by DMVPN), and you can also configure multipoint GRE tunnels, whereas VTIs are point to point.
    Here's a document which discusses VTIs in more depth: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-ipsec-virt-tunnl.html#GUID-A568DA9D-56CF-47C4-A866-B605804179E1
    HTH,
    Frank

  • DMVPN GRE over IPSEC Packet loss

    I have a hub and spoke DMVPN GRE over IPSec topology. We have many sites, over 10, and have a problem on one particular site, just one. First off I want to say that I have replaced the Router and I get the same exact errors. By monitoring the Terminal, I regularly get these messages
    %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Output Authentication error:srcadr=10.X.X.X,dstadr=10.X.X.X,size=616,handle=0x581A
    %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=1
    The tunnel is up, passes data, and always stays up. This router is a spoke router. The routing protocol being used is EIGRP. When I do a
    show crypto isakmp sa, it shows the state as "QM_IDLE", which means it is up.
    When I use "show crypto engine accelerator stat" this is what I get (attached file).
    You can see that there are ppq rx errors, authentication errors, invalid packets, and packets dropped. I know this is not due to misconfiguration because the config is exactly the same as at other sites which never have any problems. Here is the tunnel interface and the tunnel source interface on the spoke router:
    interface Tunnel111
    description **DPN VPN**
    bandwidth 1000
    ip address 172.31.111.107 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip mtu 1300
    ip pim sparse-dense-mode
    ip nhrp authentication XXXX
    ip nhrp map multicast dynamic
    ip nhrp map multicast X.X.X.X
    ip nhrp map X.X.X.X X.X.X.X
    ip nhrp network-id 100002
    ip nhrp holdtime 360
    ip nhrp nhs 172.31.111.254
    ip route-cache flow
    ip tcp adjust-mss 1260
    ip summary-address eigrp 100 10.X.X.X 255.255.0.0 5
    qos pre-classify
    tunnel source GigabitEthernet0/0
    tunnel mode gre multipoint
    tunnel key XXXX
    tunnel protection ipsec profile X.X.X.X
    interface GigabitEthernet0/0
    description **TO DPNVPN**
    ip address 10.X.X.X 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nbar protocol-discovery
    ip pim sparse-dense-mode
    ip virtual-reassembly
    duplex full
    speed 100
    no snmp trap link-status
    no mop enabled
    Is there anything that you can think of that may be causing this? Do you think this could be a layer one or two issue? Thanks
    Brenden

    Have you tried turning off the hardware encryption (no crypto engine accelerator) just to see if it's better? But be careful, because your CPU% will run much higher; you only have 10 spoke sites, though, so it won't be at 100%.
    It's better to start troubleshooting at layer 1, then layer 2, when possible. Have you asked the site's ISP about packet loss on their side?

  • GRE OVER IPSec vpn

    ACC
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml#diag
    This is a lab I did today, and of course I am able to understand this lab, but the confusions are:
    1. Why do we use a crypto map on both interfaces (physical interface and tunnel interface)?
    2. When I remove the crypto map from the tunnel interface I receive this message
    ( R2691#*Mar  1 01:12:54.243: ISAKMP:(1002):purging node 2144544879 )
       Please tell me what the meaning of this message is.
    3. But I can see the VPN is working fine. This is the crypto ipsec sa and crypto isakmp sa:
    R2691#sh crypto ipsec sa
    interface: Serial0/0
        Crypto map tag: vpn, local addr 30.1.1.21
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (30.1.1.21/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/47/0)
       current_peer 10.1.1.1 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 65, #pkts encrypt: 65, #pkts digest: 65
        #pkts decaps: 66, #pkts decrypt: 66, #pkts verify: 66
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 2, #recv errors 0
         local crypto endpt.: 30.1.1.21, remote crypto endpt.: 10.1.1.1
         path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
         current outbound spi: 0xDBF65B0E(3690355470)
         inbound esp sas:
          spi: 0x44FF512B(1157583147)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel, }
            conn id: 5, flow_id: SW:5, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4598427/3368)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0xDBF65B0E(3690355470)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel, }
            conn id: 6, flow_id: SW:6, crypto map: vpn
            sa timing: remaining key lifetime (k/sec): (4598427/3368)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         outbound ah sas:
         outbound pcp sas:
    R2691#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    30.1.1.21       10.1.1.1        QM_IDLE           1002    0 ACTIVE
    IPv6 Crypto ISAKMP SA.
    4. How do I know it is using GRE over IPsec?
    I am also attaching my topology on which I did the lab.

    Mr. Anuj, here is my config
    R7200#sh ip int b
    Interface                  IP-Address      OK? Method Status                Protocol
    Serial1/0                  10.1.1.1        YES NVRAM  up                    up
    Loopback1                  50.1.1.1        YES NVRAM  up                    up
    Loopback2                  50.1.2.1        YES NVRAM  up                    up
    Tunnel0                    40.1.1.2        YES NVRAM  up                    up
    Tunnel1                    40.1.2.2        YES NVRAM  up                    up
    Tunnel2                    40.1.3.2        YES NVRAM  up                    up
    =========================================================
    R7200#sh int tunnel 0
    Tunnel0 is up, line protocol is up
      Hardware is Tunnel
      Internet address is 40.1.1.2/24
      MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation TUNNEL, loopback not set
      Keepalive not set
      Tunnel source 10.1.1.1 (Serial1/0), destination 30.1.1.1
      Tunnel protocol/transport GRE/IP
        Key disabled, sequencing disabled
        Checksumming of packets disabled
      Tunnel TTL 255
      Fast tunneling enabled
      Tunnel transport MTU 1476 bytes
      Tunnel transmit bandwidth 8000 (kbps)
      Tunnel receive bandwidth 8000 (kbps)
      Last input 00:00:04, output 00:00:04, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 2
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         2229 packets input, 213651 bytes, 0 no buffer
         Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         2292 packets output, 220520 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out
    ===============================================================
    my crypto ACL is
    access-list 101 permit gre host 10.1.1.1 host 30.1.1.1
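Question 4 above (how to tell the tunnel is GRE over IPsec) comes down to the outputs already posted: "Tunnel protocol/transport GRE/IP", "Key disabled, sequencing disabled, Checksumming of packets disabled", "Tunnel transport MTU 1476 bytes", and a crypto ACL that permits protocol gre between the two tunnel endpoints. The following is an added example, not code from the post, that encodes and decodes the GRE header those lines describe (RFC 2784/2890 layout, with the optional checksum, key and sequence fields) and shows where the 1476 comes from. The crypto ACL model is a deliberate simplification; the endpoint addresses 10.1.1.1 and 30.1.1.1 are the ones from the lab.

```python
"""GRE header encoder/decoder (added example, RFC 2784/2890 layout; not from the post).

Shows what 'Tunnel protocol/transport GRE/IP', 'Key disabled, sequencing
disabled, Checksumming of packets disabled' and 'Tunnel transport MTU 1476'
mean on the wire, and how a crypto ACL such as
'access-list 101 permit gre host 10.1.1.1 host 30.1.1.1' selects the outer
(GRE-encapsulated) packet for IPsec.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

IPPROTO_GRE = 47
ETHERTYPE_IPV4 = 0x0800
FLAG_C, FLAG_K, FLAG_S = 0x8000, 0x2000, 0x1000  # checksum / key / sequence present


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit words (odd length padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class GreHeader:
    protocol: int = ETHERTYPE_IPV4  # payload type; 0x0800 when GRE/IP carries IPv4
    key: Optional[int] = None       # 'tunnel key' on IOS; None == 'Key disabled'
    seq: Optional[int] = None       # None == 'sequencing disabled'
    checksum: bool = False          # False == 'Checksumming of packets disabled'

    def overhead(self) -> int:
        """Bytes the GRE header adds in front of the payload: 4 base + 4 per option."""
        options = int(self.checksum) + int(self.key is not None) + int(self.seq is not None)
        return 4 + 4 * options

    def encode(self, payload: bytes) -> bytes:
        flags = ((FLAG_C if self.checksum else 0)
                 | (FLAG_K if self.key is not None else 0)
                 | (FLAG_S if self.seq is not None else 0))
        hdr = struct.pack("!HH", flags, self.protocol)
        if self.checksum:
            hdr += struct.pack("!HH", 0, 0)  # checksum placeholder + reserved1
        if self.key is not None:
            hdr += struct.pack("!I", self.key)
        if self.seq is not None:
            hdr += struct.pack("!I", self.seq)
        if self.checksum:
            csum = ones_complement_checksum(hdr + payload)
            hdr = hdr[:4] + struct.pack("!H", csum) + hdr[6:]
        return hdr + payload


def decode(pkt: bytes) -> Tuple[GreHeader, bytes]:
    """Parse a GRE packet into (header, payload); raises ValueError on a bad checksum."""
    flags, proto = struct.unpack("!HH", pkt[:4])
    hdr = GreHeader(protocol=proto, checksum=bool(flags & FLAG_C))
    offset = 4
    if flags & FLAG_C:
        if ones_complement_checksum(pkt) != 0:  # sum over header+payload must fold to zero
            raise ValueError("bad GRE checksum")
        offset += 4
    if flags & FLAG_K:
        hdr.key = struct.unpack("!I", pkt[offset:offset + 4])[0]
        offset += 4
    if flags & FLAG_S:
        hdr.seq = struct.unpack("!I", pkt[offset:offset + 4])[0]
        offset += 4
    return hdr, pkt[offset:]


def tunnel_transport_mtu(link_mtu: int, hdr: GreHeader, outer_ip_header: int = 20) -> int:
    """Largest payload that fits the outer link: 1500 - 20 (outer IP) - 4 (bare GRE) = 1476."""
    return link_mtu - outer_ip_header - hdr.overhead()


def crypto_acl_selects(proto: int, src: str, dst: str) -> bool:
    """Model of 'access-list 101 permit gre host 10.1.1.1 host 30.1.1.1': only the
    GRE outer packet between the two tunnel endpoints is handed to IPsec."""
    return proto == IPPROTO_GRE and (src, dst) == ("10.1.1.1", "30.1.1.1")


if __name__ == "__main__":
    print("transport MTU, bare GRE:", tunnel_transport_mtu(1500, GreHeader()))
    print("transport MTU, with tunnel key:", tunnel_transport_mtu(1500, GreHeader(key=1)))
```

The ACL is the clearest answer to question 4: traffic leaves the router as IP protocol 47 from 10.1.1.1 to 30.1.1.1, and that outer packet is what the crypto map encrypts, which is also why the "local ident" and "remote ident" in the sh crypto ipsec sa output show /255.255.255.255/47/0.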

  • DMVPN & GRE over IPsec on the same physical interface

    Dear All,
    I'm configuring two WAN routers; each WAN router has one physical interface connecting to branches and the regional office using the same provider.
    We'll be using GRE over IPsec to connect to regional office and DMVPN + EIGRP to branches.
    I would like to know if it's possible to configure tunnels for GRE over IPsec and DMVPN + EIGRP using the same source physical interface.
    Kindly reply, it's an urgent request and your response is highly appreciated.
    Regards,

    Hi Savio,
    It should work. We can configure DMVPN and GRE-over-IPsec on ASA using the same physical interface.
    Regards,
    Naresh

  • High cpu consumption with GRE over IPSEC

    Hi all,
         After applying a GRE over IPsec tunnel at one of our branch offices, we get high CPU consumption (average 90%).
    Tunnel is applied between Cisco 2851 (C2800NM-ADVIPSERVICESK9-M), Version 12.4(24)T2, (fc2) and
    Cisco CISCO2921/K9 Version 15.0(1)M3.
    Config of the tunnel is as follows:
    - authentication pre-share
    - encryption aes 256
    - hash : sha
    - transform set : esp-aes esp-sha-hmac mode transport
    The routing process is EIGRP.
    Could anyone please help me on solving this issue?

    Cool, good start.
    Check "show ip traffic" on both sides, it would be interesting to see what's going on.
    BTW the CPU usage of top process doesn't add up to 90%, there's a possibility it's traffic rate/pattern + features (IP input and pool manager would suggest that).

  • When do I have to use a GRE over IPsec tunnel? I have heard that when I'm using a routing protocol and VPN site to site I need a

    I have configured a network with OSPF and a VPN site to site without a GRE tunnel and it works very well. I want to know, when do I have to use a GRE tunnel over IPsec?

    Hi josedilone19
    GRE is used when you need to pass broadcast or multicast traffic. That's the main function of GRE.
    Generic Routing Encapsulation (GRE) is a protocol that encapsulates packets in order to route other protocols over IP networks.
    However, there are some other important aspects to consider:
    In contrast to IP-to-IP tunneling, GRE tunneling can transport multicast and IPv6 traffic between networks
    GRE tunnels encase multiple protocols over a single-protocol backbone.
    GRE tunnels provide workarounds for networks with limited hops.
    GRE tunnels connect discontinuous sub-networks.
    GRE tunnels allow VPNs across wide area networks (WANs).
    -Hope this helps -

  • GRE over MPLS

    Hello people,
    I'm facing a problem trying to establish a GRE tunnel over MPLS. The topology goes as follows:
    (server) ----CE1(6500)-----PE1(6500)----vrf cloud-----CE2(6500)--FW
    - server needs to establish a GRE tunnel with FW.
    - server receives a default route from CE1 via OSPF.
    - CE1 has a default static route pointing to the next hop, which is an interface VLAN (in a VRF) on PE1.
    - PE1 receives a default route generated by CE2 (via MP-BGP).
    In this situation the GRE tunnel wouldn't come up. The only way I got the GRE to work was by replacing the default static route on CE1 with a more specific static route.
    In both cases (default AND specific static routes) end-to-end connectivity (ping) was there.
    Has anybody seen anything alike?
    thanks,
    Bruno

    You could be looking at some recursive routing through the GRE interface: the second it comes up it will try to put the GRE packets through the GRE tunnel, thus creating a loop. Are you using a dynamic routing protocol to get network info over the GRE tunnel, or a static route? If so, how is it set up?
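The recursive-routing hypothesis in the reply can be checked with a route lookup: take the tunnel's own destination address, do a longest-prefix match, and see whether the winning route resolves out through the tunnel itself. Below is an added example (a constructed toy RIB in Python, not IOS code) that reproduces the symptom described in the question: with only a default static route in the underlay, a more specific prefix learned over the tunnel wins the lookup for the tunnel destination, so the tunnel's own packets would be routed into the tunnel; a /32 static route out the physical interface cannot be beaten and the loop disappears. The addresses and the OSPF-over-tunnel route are constructed; the interface names are placeholders.

```python
"""Recursive-routing check for a GRE tunnel (added example; constructed toy RIB,
not IOS code).

A GRE tunnel is recursively routed when the best route to its own tunnel
destination points back out through the tunnel; IOS then takes the tunnel
down (%TUN-5-RECURDOWN), the underlay route is used again, the tunnel comes
back up, and the cycle repeats. The scenario follows the reply's hypothesis
for the CE1 router in the question.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str      # e.g. "0.0.0.0/0"
    interface: str   # egress interface the route resolves to
    distance: int    # administrative distance: static 1, OSPF 110
    source: str


class Rib:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, route: Route) -> None:
        self.routes.append(route)

    def lookup(self, addr: str) -> Optional[Route]:
        """Longest-prefix match; administrative distance breaks ties."""
        ip = ipaddress.ip_address(addr)
        matches = [r for r in self.routes if ip in ipaddress.ip_network(r.prefix)]
        if not matches:
            return None
        return min(matches,
                   key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.distance))


def tunnel_is_recursive(rib: Rib, tunnel_if: str, tunnel_dst: str) -> bool:
    """True when the tunnel destination is itself reached through the tunnel."""
    best = rib.lookup(tunnel_dst)
    return best is not None and best.interface == tunnel_if


def scenario(specific_static: bool) -> bool:
    """CE1-style RIB. Addresses are constructed from the RFC 5737 range."""
    tunnel_dst = "203.0.113.5"  # far-end (FW) tunnel endpoint, constructed
    rib = Rib()
    rib.add(Route("0.0.0.0/0", "Vlan10", 1, "static"))  # default toward PE1
    if specific_static:
        # The fix from the question: a host route for the tunnel destination out the underlay.
        rib.add(Route(tunnel_dst + "/32", "Vlan10", 1, "static"))
    # Once the tunnel is up, a prefix covering the far end is learned over it
    # (a /24 via OSPF in this constructed case).
    rib.add(Route("203.0.113.0/24", "Tunnel0", 110, "ospf"))
    return tunnel_is_recursive(rib, "Tunnel0", tunnel_dst)


if __name__ == "__main__":
    print("default static only -> recursive:", scenario(False))
    print("with /32 static      -> recursive:", scenario(True))
```

Administrative distance never comes into play here: the default route is a /0, so any longer prefix learned over the tunnel beats it regardless of distance, which is exactly why the more specific static route was the thing that fixed it.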

  • GRE over IP

    Is there any free STREAMS-based module available which implements GRE tunneling over IP?

    Marcus,
    You can bridge non-routable protocols like DECnet. My understanding is bridging isn't officially supported on GRE tunnels. What I mean by this is that the router may accept the bridge commands on the tunnel interface and may or may not forward bridged traffic across the tunnel, but Cisco is obligated to provide a fix if it doesn't work.
    HTH,
    Sundar

  • GRE over DSL with OSPF in an MPLS network

    Hi guys,
    We run 2 GRE tunnels in our network. The A end is a PE router while the B end is 2 different CPE DSL sites.
    Both tunnels at the A end (PE) use as a source a gig sub-interface which is in the same VRF:
    interface Tunnel40 (for branch office 1)
    ip vrf forwarding example
    ip address x.x.x.250 255.255.255.252
    ip mtu 1476
    ip tcp adjust-mss 1420
    ip ospf dead-interval 60
    ip ospf mtu-ignore
    keepalive 10 6
    tunnel source Gig x/x.z
    tunnel destination x.x.x.x.
    tunnel vrf example
    interface Tunnel60 (for branch office 2)
    the frame is as above
    router ospf 1 vrf example
    log-adjacency-changes
    capability vrf-lite
    passive-interface default
    no passive-interface Tunnel40
    no passive-interface Tunnel60
    network x.x.x.250 0.0.0.0 area x.x.x.x
    .network ......
    CPE example
    interface Tunnel1
    ip address x.x.x.249 255.255.255.252
    ip flow ingress
    ip flow egress
    ip ospf dead-interval 60
    ip ospf mtu-ignore
    keepalive 10 6
    tunnel source Dialer1
    tunnel destination z.z.z.1 (this is the subinterface Gig x/x.z on the PE router)
    router ospf 1
    router-id x.x.x.x
    log-adjacency-changes
    passive-interface default
    no passive-interface Tunnel1
    no passive-interface Vlan1
    network x.x.x.x 0.0.0.0 area x.x.x.x
    network x.x.x.249 0.0.0.0 area x.x.x.x
    The config for CPE 2 is the same (just the frame of the commands, not the OSPF areas, IPs etc.).
    The problem is that when the tunnel fails for CPE 1 then it fails for CPE 2 at exactly the same time.
    Any advice?
    Thanks

    Hi my friend,
    I didn't know about that command and the purpose you use it for, but I was searching a bit. Do you use that command for
    normal GRE tunnels? This is not a point-to-multipoint topology; every tunnel is point-to-point and I run OSPF for the point-to-point link in a different area than the other tunnel. Do you believe that it could still be related to the tunnel key?
    Many thanks for your advice. Please reply at your earliest convenience.
    I know it looks like hub and spoke or point-to-multipoint, but does it actually behave like that?
    Thanks,
    Spyros

  • GRE over MPLS not working...

    Hi
    I have a GRE tunnel configured between a CE and a PE.
    I guess the problem is on the PE side; this is my config:
    interface Loopback99
    ip vrf forwarding dar
    ip address 99.99.99.99 255.255.255.255
    interface Tunnel199
    ip vrf forwarding dar
    ip address 11.11.11.1 255.255.255.252
    ip policy route-map dfbit
    tunnel source Loopback99
    tunnel destination 88.88.88.88
    tunnel path-mtu-discovery
    Everything is reachable between PE and CE, but on the tunnel interface I wasn't able to find the "tunnel vrf dar" command...
    I have a Cisco 7206VXR (164 RAM and 128 flash) and on the Software Feature Navigator I wasn't able to find an IOS that supports it.
    Can anybody tell me why?
    Thanks
    Ric

    Riccardo,
    This feature is available starting with 12.3(2)T.
    Regards

  • GRE over ip nat enable

    Hi, guys
    recently I switched from ip nat inside to ip nat enable, but when I use ip nat enable my Microsoft VPN doesn't work.
    interface GigabitEthernet0/1
    ip nat enable
    interface GigabitEthernet0/0
    ip nat enable
    ip nat pool pool-vrf-blue 204.x.x.100 204.x.x.100 netmask 255.255.255.0 add-route
    ip nat source list NAT-VRF-BLUE pool pool-vrf-blue vrf blue overload
    ip nat source static tcp 10.0.0.2 1723 204.x.x.100 1723 vrf blue extendable
    Best regards

    Ok - This is what I currently have:
    interface FastEthernet0/0.22
    description NAT INT for VRF TEST to ERT02-BNE
    encapsulation dot1Q 22
    ip address 203.149.77.38 255.255.255.252
    ip nat outside <-- Also tried "ip nat inside"
    no snmp trap link-status
    ip route 203.149.77.44 255.255.255.252 Null0
    ip route vrf TEST10 0.0.0.0 0.0.0.0 FastEthernet0/0.22 203.149.77.37 global
    ip nat pool NAT 203.149.77.45 203.149.77.46 netmask 255.255.255.252
    ip nat source list 1 pool NAT vrf TEST10 overload
    access-list 1 permit 10.0.0.0 log
    access-list 1 permit 192.168.1.0 0.0.0.255 log
    Attempting to get (trace/ping) to any address not within VRF TEST10 (from a device in VRF TEST10) results in a timeout at the 203.149.77.38 router.
    Tracing with a source IP of 203.149.77.38 to an Internet address is successful.
    #sh ip route vrf TEST10
    Routing Table: TEST10
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
    N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
    E1 - OSPF external type 1, E2 - OSPF external type 2
    i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
    ia - IS-IS inter area, * - candidate default, U - per-user static route
    o - ODR, P - periodic downloaded static route
    Gateway of last resort is 203.149.77.37 to network 0.0.0.0
    10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
    C 10.0.0.2/32 is directly connected, Virtual-Access7
    B 10.0.3.0/24 [200/0] via 203.149.76.248, 3w0d
    C 10.0.0.0/24 is directly connected, Loopback10
    B 10.0.6.0/24 [200/0] via 203.149.76.250, 1w5d
    B 10.0.7.0/24 [200/0] via 203.149.76.247, 1w4d
    B 10.0.5.0/24 [200/0] via 203.149.76.249, 3w6d
    U 192.168.1.0/24 [1/0] via 10.0.0.2
    S* 0.0.0.0/0 [1/0] via 203.149.77.37, FastEthernet0/0.22

  • IPsec over GRE tunnel's line protocol is down but able to ping the tunnel destination

    >>Both routers are located in different countries and are connected via ISP
    >>An IPsec over GRE tunnel is configured on both routers
    >>The tunnel's line protocol is down at both ends, but I am able to reach the tunnel destination from the tunnel source
    >>Packets are not being received on Router_1, but I can see packets getting encrypted on Router_2
    >>The ISP is not finding any issue on their end
    >>Please guide me on how I can fix this issue and what needs to be checked
    ========================
    Router_1#sh run int Tunnel20
    Building configuration...
    Current configuration : 272 bytes
    interface Tunnel20
     bandwidth 2048
     ip address 3.85.129.141 255.255.255.252
     ip mtu 1412
     ip flow ingress
     delay 1
     cdp enable
     tunnel source GigabitEthernet0/0/3
     tunnel destination 109.224.62.26
    end
    ===================
    Router_1#sh int Tunnel20
    Tunnel20 is up, line protocol is up>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Keepalive is not set
      Hardware is Tunnel
      Description: *To CRPrgEIQbaghd01 - 2Mb GRE over Shared ISP Gateway*
      Internet address is 3.85.129.141/30
      MTU 17916 bytes, BW 2048 Kbit/sec, DLY 10 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation TUNNEL, loopback not set
      Keepalive not set
      Tunnel source 195.27.20.14 (GigabitEthernet0/0/3), destination 109.224.62.26
       Tunnel Subblocks:
          src-track:
             Tunnel20 source tracking subblock associated with GigabitEthernet0/0/3
              Set of tunnels with source GigabitEthernet0/0/3, 32 members (includes iterators), on interface <OK>
      Tunnel protocol/transport GRE/IP
        Key disabled, sequencing disabled
        Checksumming of packets disabled
      Tunnel TTL 255, Fast tunneling enabled
      Tunnel transport MTU 1476 bytes
      Tunnel transmit bandwidth 8000 (kbps)
      Tunnel receive bandwidth 8000 (kbps)
      Last input 1w6d, output 14w4d, output hang never
      Last clearing of "show interface" counters 2y5w
      Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         1565172427 packets input, 363833090294 bytes, 0 no buffer
         Received 0 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         1778491917 packets output, 1555959948508 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out
    =============================
    Router_1#ping 109.224.62.26 re 100 sou 195.27.20.14
    Type escape sequence to abort.
    Sending 100, 100-byte ICMP Echos to 109.224.62.26, timeout is 2 seconds:
    Packet sent with a source address of 195.27.20.14
    Success rate is 92 percent (92/100), round-trip min/avg/max = 139/142/162 ms
    Router_1#
    ============================================
    Router_1#sh cry ip sa pe 109.224.62.26 | in caps
        #pkts encaps: 831987306, #pkts encrypt: 831987306, #pkts digest: 831987306
        #pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611
    Router_1#sh clock
    15:09:45.421 UTC Thu Dec 25 2014
    Router_1#
    ===================
    Router_1#sh cry ip sa pe 109.224.62.26 | in caps
        #pkts encaps: 831987339, #pkts encrypt: 831987339, #pkts digest: 831987339
        #pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611>>>>>>>>>>>>>>>>>>>>Traffic is not receiving from Router 2 
    Router_1#sh clock
    15:11:36.476 UTC Thu Dec 25 2014
    Router_1#
    ===================
    Router_2#sh run int Tu1
    Building configuration...
    Current configuration : 269 bytes
    interface Tunnel1
     bandwidth 2000
     ip address 3.85.129.142 255.255.255.252
     ip mtu 1412
     ip flow ingress
     load-interval 30
     keepalive 10 3
     cdp enable
     tunnel source GigabitEthernet0/0
     tunnel destination 195.27.20.14
    end
    Router_2#
    =======================
    Router_2#sh run | sec cry
    crypto isakmp policy 10
     authentication pre-share
    crypto isakmp key Router_2 address 195.27.20.14
    crypto isakmp key Router_2 address 194.9.241.8
    crypto ipsec transform-set ge3vpn esp-3des esp-sha-hmac
     mode transport
    crypto map <Deleted> 10 ipsec-isakmp
     set peer 195.27.20.14
     set transform-set ge3vpn
     match address Router_2
    crypto map <Deleted> 20 ipsec-isakmp
     set peer 194.9.241.8
     set transform-set ge3vpn
     match address Router_1
     crypto map <Deleted>
    Router_2#
    ====================================
    Router_2#sh cry ip sa pe 195.27.20.14 | in caps
        #pkts encaps: 737092521, #pkts encrypt: 737092521, #pkts digest: 737092521
        #pkts decaps: 828154572, #pkts decrypt: 828154572, #pkts verify: 828154572>>>>>>>>>>>>Traffic is getting encrypting from router 2 
    Router_2#sh clock
    .15:10:33.296 UTC Thu Dec 25 2014
    Router_2#
    ========================
    Router_2#sh int Tu1
    Tunnel1 is up, line protocol is down>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Down
      Hardware is Tunnel
      Internet address is 3.85.129.142/30
      MTU 17916 bytes, BW 2000 Kbit/sec, DLY 50000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation TUNNEL, loopback not set
      Keepalive set (10 sec), retries 3
      Tunnel source 109.224.62.26 (GigabitEthernet0/0), destination 195.27.20.14
       Tunnel Subblocks:
          src-track:
             Tunnel1 source tracking subblock associated with GigabitEthernet0/0
              Set of tunnels with source GigabitEthernet0/0, 2 members (includes iterators), on interface <OK>
      Tunnel protocol/transport GRE/IP
        Key disabled, sequencing disabled
        Checksumming of packets disabled
      Tunnel TTL 255, Fast tunneling enabled
      Tunnel transport MTU 1476 bytes
      Tunnel transmit bandwidth 8000 (kbps)
      Tunnel receive bandwidth 8000 (kbps)
      Last input 1w6d, output 00:00:02, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 14843
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      30 second input rate 0 bits/sec, 0 packets/sec
      30 second output rate 0 bits/sec, 0 packets/sec
         1881547260 packets input, 956465296 bytes, 0 no buffer
         Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         1705198723 packets output, 2654132592 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out
    =============================
    Router_2#ping 195.27.20.14 re 100 sou 109.224.62.26
    Type escape sequence to abort.
    Sending 100, 100-byte ICMP Echos to 195.27.20.14, timeout is 2 seconds:
    Packet sent with a source address of 109.224.62.26
    Success rate is 94 percent (94/100), round-trip min/avg/max = 136/143/164 ms
    Router_2#
    =========================

    Hello.
    First of all, try to reset IPsec (clear crypto isakmp sa ..., clear crypto session ...).
    Configure an inbound ACL on the router to match the ESP protocol and check if the packets arrive.
    Please provide the full output of "show crypto ipsec sa" from both sides.
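The two "| in caps" snapshots Router_1 posted already say most of what the reply is asking the inbound ESP ACL to confirm: between 15:09:45 and 15:11:36, #pkts encaps moved while #pkts decaps did not. The following added example (a small parser written for this page, not a Cisco tool) turns that manual comparison into a check that can be run on any two timestamped snapshots of the same SA. The snapshot text is copied from the post with the arrow annotations removed; the verdict strings are the example's own.

```python
"""Compare two 'show crypto ipsec sa ... | include caps' snapshots (added example;
parser written for this page, not a Cisco tool).

Encaps climbing while decaps stays flat is the signature of one-way traffic:
this side is sending into the SA, but nothing from the peer is reaching and
matching the inbound SA. That narrows the problem to the path from the peer
(or to the peer's outbound SA), which is what the inbound ESP ACL suggested
in the reply would confirm or rule out.
"""
import re
from datetime import datetime
from typing import Dict, Optional, Tuple

COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|digest|verify): (\d+)")
# 'show clock' line such as '15:09:45.421 UTC Thu Dec 25 2014'; a leading '.' means
# the router clock is not authoritative, so it is tolerated here.
CLOCK_RE = re.compile(r"^\.?(\d{2}:\d{2}:\d{2})\.\d+ \S+ (\w{3} \w{3} +\d{1,2} \d{4})", re.M)

# Copied from the post (Router_1), arrow annotations removed.
SNAPSHOT_A = """\
Router_1#sh cry ip sa pe 109.224.62.26 | in caps
    #pkts encaps: 831987306, #pkts encrypt: 831987306, #pkts digest: 831987306
    #pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611
Router_1#sh clock
15:09:45.421 UTC Thu Dec 25 2014
"""
SNAPSHOT_B = """\
Router_1#sh cry ip sa pe 109.224.62.26 | in caps
    #pkts encaps: 831987339, #pkts encrypt: 831987339, #pkts digest: 831987339
    #pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611
Router_1#sh clock
15:11:36.476 UTC Thu Dec 25 2014
"""


def parse_snapshot(text: str) -> Tuple[Dict[str, int], Optional[datetime]]:
    """Extract the SA packet counters and the 'show clock' timestamp, if present."""
    counters = {name: int(value) for name, value in COUNTER_RE.findall(text)}
    m = CLOCK_RE.search(text)
    stamp = None
    if m:
        stamp = datetime.strptime(f"{m.group(2)} {m.group(1)}", "%a %b %d %Y %H:%M:%S")
    return counters, stamp


def diagnose(before: str, after: str) -> dict:
    """Counter deltas between two snapshots plus a plain-language verdict."""
    a, ta = parse_snapshot(before)
    b, tb = parse_snapshot(after)
    delta = {name: b[name] - a[name] for name in a if name in b}
    seconds = (tb - ta).total_seconds() if ta and tb else None
    sent, received = delta.get("encaps", 0), delta.get("decaps", 0)
    if sent > 0 and received == 0:
        verdict = "one-way: encapsulating toward the peer, nothing decapsulated from it"
    elif sent == 0 and received == 0:
        verdict = "idle: no traffic in either direction"
    elif sent == 0:
        verdict = "one-way: receiving from the peer, nothing sent"
    else:
        verdict = "bidirectional"
    return {"delta": delta, "seconds": seconds, "verdict": verdict}


if __name__ == "__main__":
    report = diagnose(SNAPSHOT_A, SNAPSHOT_B)
    print(f"{report['seconds']:.0f}s apart, deltas {report['delta']}")
    print(report["verdict"])
```

Run the same comparison on Router_2's snapshots for the symmetric view: its encaps counter moving while Router_1's decaps does not is the pair of facts that points at the transit path or the inbound SA rather than at either router's crypto configuration alone.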

  • QOS over multiple GREs with different BW's from core perspective

    We use GRE over IPsec to connect multiple sites to our core. Many of the sites have different BW based on remote site carrier limitations. The BW of some is symmetrical, some are DSL.
    I have started deploying VoIP at some of these sites, and have begun playing with QoS. I only want to ensure voice traffic and control are passed accordingly; all other traffic can fall into the default queue during times of high link usage.
    For the remote sites, I have settled on the below config:
    class-map match-any AutoQoS-VoIP-RTP-Trust
    match ip dscp ef
    class-map match-any AutoQoS-VoIP-Control-Trust
    match ip dscp cs3
    match ip dscp af31
    policy-map AutoQoS-Policy-Trust
    class AutoQoS-VoIP-RTP-Trust
    priority percent 70
    class AutoQoS-VoIP-Control-Trust
    bandwidth percent 5
    class class-default
    fair-queue
    interface Tunnel17
    bandwidth 5000
    ip address 192.168.1.66 255.255.255.252
    ip mtu 1500
    ip tcp adjust-mss 1436
    qos pre-classify
    keepalive 10 3
    tunnel source x.x.x.x
    tunnel destination x.x.x.x
    interface GigabitEthernet0/0
    bandwidth 5000
    ip address x.x.x.x 255.255.255.240
    service-policy output AutoQoS-Policy-Trust
    (only the part of the config related to QOS is included to protect the innocent!)
    My question is, how do I apply a similar config at the core end, where I have multiple GRE interfaces with different corresponding bandwidths? I tried to apply the service-policy to the tunnel interface, but it does not accept the command because of the queuing type.
    Thanks in advance.

    Another update: I have applied the following config to my core IPsec router, on which 2 of the 19 GRE tunnels have a VoIP solution at the far end. I am not seeing matches to the associated access lists; should I only see matches when the load hits the shaper figure in the policy map?
    class-map match-all hmh-class
    match access-group name hmh-qos
    class-map match-all hampwellness-class
    match access-group name hampwellness-qos
    class-map match-any AutoQoS-VoIP-RTP-Trust
    match ip dscp ef
    class-map match-any AutoQoS-VoIP-Control-Trust
    match ip dscp cs3
    match ip dscp af31
    policy-map AutoQoS-Policy-Trust
    class AutoQoS-VoIP-RTP-Trust
    priority percent 70
    class AutoQoS-VoIP-Control-Trust
    bandwidth percent 5
    class class-default
    fair-queue
    policy-map qos-shaper
    class hmh-class
    shape average 4000000
    service-policy AutoQoS-Policy-Trust
    class hampwellness-class
    shape average 4000000
    service-policy AutoQoS-Policy-Trust
    interface GigabitEthernet0/1
    service-policy output qos-shaper
    ip access-list extended hampwellness-qos
    permit gre host 192.168.1.69 host 192.168.1.70
    ip access-list extended hmh-qos
    permit gre host 192.168.1.65 host 192.168.1.66
    interface Tunnel10
    description GRE to Hampshire Wellness Center
    bandwidth 5000
    ip address 192.168.1.69 255.255.255.252
    ip mtu 1500
    ip tcp adjust-mss 1436
    load-interval 30
    qos pre-classify
    keepalive 10 3
    tunnel source x.x.x.x
    tunnel destination x.x.x.x
    interface Tunnel17
    description GRE to Hampshire Memorial
    bandwidth 5000
    ip address 192.168.1.65 255.255.255.252
    ip mtu 1500
    ip tcp adjust-mss 1436
    load-interval 30
    qos pre-classify
    keepalive 10 3
    tunnel source x.x.x.x
    tunnel destination x.x.x.x

  • MPLS over GRE Support (Platform)

    Hello,
    I am looking to run MPLS over GRE (over the Public Internet) probably with IPSec for obvious reasons. CFN seems to suggest only the Cat6k with SUP-VS-2T or the Catalyst 6800 is capable of MPLS over GRE functionality... 
    I currently have 2 x Cisco 7200 VXR platforms (7204 & 7206) with the NPE-G2 processing engine and was wondering if adding the VSA encryption module (C7200-VSA=) would be enough to get reliable MPLS over GRE tunnel functionality.
    The tunnel with Encryption would ideally support up to 500Mbps. 
    My other alternative is to upgrade/replace the VXRs with ASRs (1002 or similar) but again CFN is unclear if the ASR100x platform is capable of delivering MPLS over GRE + IPSec.
    Thanks,

    MPLS over GRE is not supported in Hardware for sup720. This is a PFC3 hardware limitation. Your options would be to use SPA-400 or Enhanced FlexWan.
