GRE tunnel through asa no pptp, l2tp, ipsec

Hello!
can't understand how to configure GRE tunnel through ASA
i have one router with public ip, connected to internet
ASA 8.4 with public ip connected to internet
router with private ip behind ASA.
have only one public ip on ASA with /30 mask
have no crypto
have network behind ASA and PAT for internet users.
can't nat GRE? cause only TCP/UDP nated(?)
with packet-tracer i see flow already created but tunnel doesn't work

A "clean" way would be to use a protocol that can be PATted. That could be GRE over IPSec. With that you have the additional benefit that your communication is protected through the internet.
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Similar Messages

Cannot establish site-site vpn tunnel through ASA 9.1(2)

Hi,
We use ASA 9.1(2) to filter traffic in/out of our organisation. A dept within the organisation also have a firewall. They want to establish a site-site VPN tunnel with a remote firewall. We have allowed full access between the public address of the dept firewall and the remote firewall and full access between the remote firewall address and the dept firewall address . We do not use NAT.
The site-site VPN tunnel fails to establish.
The dept sysadmin has requested that we enable IPSec Passthrough. From my reading this will not make any difference as we allow full access between the firewalls in both directions. Is that correct?
Has anyone encountered issues with ASA 9.1(2) interfering with site-site tunnels?
Regards

>The dept sysadmin has requested that we enable IPSec Passthrough. From my reading this will not make any difference as we allow full access between the firewalls in both directions. Is that correct?
Yes, in that case, no IPsec-pass-through is needed. All you need is (in both directions):
UDP/500
UDP/4500 (also if you don't use NAT, the remote gateway could be located behind a NAT gateway)
IP/50
for testing ICMP/Echo
If you allowed full IP-access between these two endpoints, it is more than enough.
When they start testing, do you see a connection on your ASA. There should be at least UDP/500 traffic.
Can the two gateways ping each other?

WCCP Redirection on a GRE Tunnel

For some of our smaller branch offices we run GRE tunnels through a secured IPSec VPN connection over the Internet. Will WCCP redirect work if configured on the GRE Tunnel interface?

Hi,
Yes, it will work.
Regards,
Erik
Sent from Cisco Technical Support iPad App

GRE Through ASA - No IPSec

I have an ASA connected to the Internet running PAT. A CME (3745) is sitting behind the ASA. I wish to create a GRE tunnel between the 3745 and a 2600 on the Internet.
Is it possible to pass GRE traffic through an ASA/PAT?
Thanks!
Tom

Yes,
You can permit gre traffic through the router if not already permitted and set up the tunnels on the routers. Does the remote rouer support VPN, or is it sitting behind a device that does? You should configure a l2l tunnel between the devices to encrypt the gre traffic as you don't want the TCP traffic between the sites to be captured and reassembled.

Considerations for an IPSEC tunnel through another IPSEC tunnel

Hi,
I am trying to ipmlement a IPSEC "tunnel through a tunnel" as follows:
ASA-1 ( inside network 10.10.10.0 /24 - outside network 1.1.1.1/30) to ASA-2 (outside network 1.1.1.2/30 - inside network 20.20.20.0/24)
This tunnel is fully functional.
Created a DMZ interface (2.2.2.1/30) on ASA-1
Created a DMZ interface (2.2.2.2/30) on ASA-2
Attached ASA-A outside interface to ASA-1 DMZ interface - inside network 30.30.30.0/24
Attached ASA-B outside interface to ASA-2 DMX interface - inside network 40.40.40.0/24
Created an ACL on ASA-1 and ASA-2 DMZ interfaces allowing ESP,IKE traffic
2nd tunnel not working!
Questions
Should I add the DMZ /30's to the crypto map of ASA-1 and ASA-2 (I did, and it did still not work)
Should there be a route statement for the /30's on ASA-1 and ASA-2, or should the default GW be sufficient?
Any and all help will be appreciated!
Dave

post config for review

Can a Cisco 881 router create an L2TP/IPsec tunnel via NAT to Windows 2008?

Hi
Was anyone successfull in setting up an L2TP/IPsec tunnel through NAT-T against a Windows 2008/ R2 RRAS server? I am using an 881 router and the layout is someting like this:
Client -> 881 -> NAT -> internet -> Windows 2008 RRAS
The tunnel goes form the 881 to the Windows server (not from the client...).
Thanks
Roland

Hi Federico
Thanks for your help! Much appreciated.
In my case this should be transparent to the client - I would like not to initiate the connection from the client.
Does that makes sense? I am considering L2TP because Windows 2008 R2 doesn't support IPSec tunnels through NAT (2008 R2 being the responder and the Cisco router the initiator of the IPSec connection).
Regards
Roland

Is it possible to build two different L2TP/IPSec tunnels per subnet or per user?

Dear colleagues
I wondered whether anyone could help with this one.
Is it possible to build two different L2TP/IPSec tunnels per subnet or per user on a Cisco router or any other third party manufacturer? The idea behind is to allow different access to resources to different support technicians. Your help is much appreciated.

Sure, the ASA can use LDAP/AD information to select what access list should be applied for that specific user or group of users logging into the VPN. You can use whats called DAP or just LDAP Attribute Maps.

Looking for help to set up l2tp Ipsec vpn on asa 5055

I am trying to set up a L2tp Ipsec vpn on asa 5055 and I am using windows 8.1 build in VPN client to connect to it. I got the following error. Anyone has experence please help.
Apr 17 22:48:21 [IKEv1]Group = DefaultRAGroup, IP = 209.171.88.81, All IPSec SA proposals found unacceptable!
Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, sending notify message
Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing blank hash payload
Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing ipsec notify payload for msg id 1
Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing qm hash payload
Apr 17 22:48:21 [IKEv1]IP = 209.171.88.81, IKE_DECODE SENDING Message (msgid=6a50f8f9) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Apr 17 22:48:21 [IKEv1]Group = DefaultRAGroup, IP = 209.171.88.81, QM FSM error (P2 struct &0xad6946b8, mess id 0x1)!
Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, IKE QM Responder FSM error history (struct &0xad6946b8) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2,
EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2,
EV_COMP_HASH
Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, sending delete/delete with reason message
Apr 17 22:48:21 [IKEv1]Group = DefaultRAGroup, IP = 209.171.88.81, Removing peer from correlator table failed, no match!
Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, IKE SA MM:d8870fa5 rcv'd Terminate: state MM_ACTIVE flags 0x00000042, refcnt 1, tuncnt 0
Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, IKE SA MM:d8870fa5 terminating: flags 0x01000002, refcnt 0, tuncnt 0
Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, sending delete/delete with reason message
Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing blank hash payload
Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing IKE delete payload
Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing qm hash payload
Apr 17 22:48:21 [IKEv1]IP = 209.171.88.81, IKE_DECODE SENDING Message (msgid=232654dc) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Apr 17 22:48:21 [IKEv1]Group = DefaultRAGroup, IP = 209.171.88.81, Session is being torn down. Reason: Phase 2 Mismatch
I am new to this so I don't know what I should do next. Thanks

Here it is. Thanks.
CL-T179-12IH# show run crypto
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint vpn
enrollment self
subject-name CN=174.142.90.17
crl configure
crypto ca trustpool policy
crypto ca certificate chain vpn
certificate 2d181c55
308201ff 30820168 a0030201 0202042d 181c5530 0d06092a 864886f7 0d010105
05003044 31163014 06035504 03130d31 37342e31 34322e39 302e3137 312a3028
06092a86 4886f70d 01090216 1b434c2d 54313739 2d313249 482e7072 69766174
65646e73 2e636f6d 301e170d 31353034 31363033 31393439 5a170d32 35303431
33303331 3934395a 30443116 30140603 55040313 0d313734 2e313432 2e39302e
3137312a 30280609 2a864886 f70d0109 02161b43 4c2d5431 37392d31 3249482e
70726976 61746564 6e732e63 6f6d3081 9f300d06 092a8648 86f70d01 01010500
03818d00 30818902 818100bf 797d1cc1 cfffc634 8c3b2a4b ce27b1c9 3fc3e026
4f6cd8f4 c9675aca b5176cef 7f3df142 35ba4e15 2613d34c 91bb5da3 14b34b6c
71e4ff44 f129046f 7f91e73f 2c9d42f9 93001559 ea6c71c1 1a848073 15da79f7
a41081ee b4cd3cc3 baa7a272 3a5fb32d 66dedee6 5994d4b2 ad9d7489 44ec9eb9
44038a2a 817e935f 1bb7ad02 03010001 300d0609 2a864886 f70d0101 05050003
8181002c 6cee9ae7 a037698a 5690aca1 f01c87db 04d9cbc6 65bda6dc a17fc4b6
b1fd419e 56df108f b06edfe6 ab5a5eb3 5474a7fe 58970da3 23e6bc6e 36ab8f62
d5c442bf 43581eb3 26b8cf26 6a667a8b ddd25a73 a094f0d0 65092ff8 d2a644d8
3d7da7ca efeb9e2f 84807fdf 0cf3d75e bcb65ba4 7b51cb49 f912f516 f95b5d86
da0e01
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint vpn
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400

When do i have to use a gre over ipsec tunnel? i have heard that when i m using a routing protocol and vpn site to site i need a gre tunnel

i have configured a network with ospf and a vpn site to site without gre tunnel and it works very well. I want to know, when do i have to use gre tunnel over ipsec

Jose,
It sounds like you currently have an IPsec Virtual Tunnel Interface (VTI) configured. By this, I mean that you have a Tunnel interface running in "tunnel mode ipsec ipv4" rather than having a crypto map applied to a physical interface. In the days before VTIs, it was necessary to configure GRE over IPsec in order to pass certain types of traffic across an encrypted channel. When using pure IPsec with crypto maps, you cannot pass multicast traffic without implementing GRE over IPsec. Today, IPsec VTIs and GRE over IPsec accomplish what is effectively the same thing with a few exceptions. For example, by using GRE over IPsec, you can configure multiple tunnels between two peers by means of tunnels keys, pass many more types of traffic rather than IP unicast and multicast (such as NHRP as utilized by DMVPN), and you can also configure multipoint GRE tunnels whereas VTIs are point to point.
Here's a document which discusses VTIs in more depth: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-ipsec-virt-tunnl.html#GUID-A568DA9D-56CF-47C4-A866-B605804179E1
HTH,
Frank

Multiple IPSEC tunnels on ASA 5505

Configuring Multiple IPSEC tunnels on ASA 5505
Hi,
I need to configure 2 diffrent type of IPSEC tunnels on my ASA 5505. 1st one is static ipsec tunnel already configured between HO to site A and 2nd one is dynamic to be configure between HO to site B since site B does not have static IP so I have to configure dynamic ipsec vpn.
I have following clarification
1. After configuring dynamic ipsec Is my existing static ipsec tunnel will work simultenously?
2. can I apply different crypmap on the same outside interface? if not then what setting i need to do to make this work?
3. Do i need to create 1 more Nat0 or can i add in existing ACL which i have already created for previous.
kindly help me on this
Thanks in advance
Subhan Shaikh
France Telecom

Configuring Multiple IPSEC tunnels on ASA 5505
Hi,
I need to configure 2 diffrent type of IPSEC tunnels on my ASA 5505. 1st one is static ipsec tunnel already configured between HO to site A and 2nd one is dynamic to be configure between HO to site B since site B does not have static IP so I have to configure dynamic ipsec vpn.
I have following clarification
1. After configuring dynamic ipsec Is my existing static ipsec tunnel will work simultenously?
2. can I apply different crypmap on the same outside interface? if not then what setting i need to do to make this work?
3. Do i need to create 1 more Nat0 or can i add in existing ACL which i have already created for previous.
kindly help me on this
Thanks in advance
Subhan Shaikh
France Telecom

IPsec over GRE tunnel's line protocol is down but able to ping the tunnel destination

>>both routers are located in different countries and connected with ISP
>>IPsec over GRE tunnel is configured on both the routers
>>tunnel's line protocol is down for both the ends but able to reach the tunnel destination with tunnel source
>>Packet is not receiving on the router_1 and but could see packets are getting encrypting on the Router_2
>>ISP is not finding any issue with their end
>>Please guide me how i can fix this issue and what need to be check on this ????
========================
Router_1#sh run int Tunnel20
Building configuration...
Current configuration : 272 bytes
interface Tunnel20
bandwidth 2048
ip address 3.85.129.141 255.255.255.252
ip mtu 1412
ip flow ingress
delay 1
cdp enable
tunnel source GigabitEthernet0/0/3
tunnel destination 109.224.62.26
end
===================
Router_1#sh int Tunnel20
Tunnel20 is up, line protocol is up>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Keepalive is not set
Hardware is Tunnel
Description: *To CRPrgEIQbaghd01 - 2Mb GRE over Shared ISP Gateway*
Internet address is 3.85.129.141/30
MTU 17916 bytes, BW 2048 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 195.27.20.14 (GigabitEthernet0/0/3), destination 109.224.62.26
Tunnel Subblocks:
src-track:
Tunnel20 source tracking subblock associated with GigabitEthernet0/0/3
Set of tunnels with source GigabitEthernet0/0/3, 32 members (includes iterators), on interface <OK>
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 1w6d, output 14w4d, output hang never
Last clearing of "show interface" counters 2y5w
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1565172427 packets input, 363833090294 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1778491917 packets output, 1555959948508 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
=============================
Router_1#ping 109.224.62.26 re 100 sou 195.27.20.14
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 109.224.62.26, timeout is 2 seconds:
Packet sent with a source address of 195.27.20.14
Success rate is 92 percent (92/100), round-trip min/avg/max = 139/142/162 ms
Router_1#
============================================
Router_1#sh cry ip sa pe 109.224.62.26 | in caps
#pkts encaps: 831987306, #pkts encrypt: 831987306, #pkts digest: 831987306
#pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611
Router_1#sh clock
15:09:45.421 UTC Thu Dec 25 2014
Router_1#
===================
Router_1#sh cry ip sa pe 109.224.62.26 | in caps
#pkts encaps: 831987339, #pkts encrypt: 831987339, #pkts digest: 831987339
#pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611>>>>>>>>>>>>>>>>>>>>Traffic is not receiving from Router 2
Router_1#sh clock
15:11:36.476 UTC Thu Dec 25 2014
Router_1#
===================
Router_2#sh run int Tu1
Building configuration...
Current configuration : 269 bytes
interface Tunnel1
bandwidth 2000
ip address 3.85.129.142 255.255.255.252
ip mtu 1412
ip flow ingress
load-interval 30
keepalive 10 3
cdp enable
tunnel source GigabitEthernet0/0
tunnel destination 195.27.20.14
end
Router_2#
=======================
Router_2#sh run | sec cry
crypto isakmp policy 10
authentication pre-share
crypto isakmp key Router_2 address 195.27.20.14
crypto isakmp key Router_2 address 194.9.241.8
crypto ipsec transform-set ge3vpn esp-3des esp-sha-hmac
mode transport
crypto map <Deleted> 10 ipsec-isakmp
set peer 195.27.20.14
set transform-set ge3vpn
match address Router_2
crypto map <Deleted> 20 ipsec-isakmp
set peer 194.9.241.8
set transform-set ge3vpn
match address Router_1
crypto map <Deleted>
Router_2#
====================================
Router_2#sh cry ip sa pe 195.27.20.14 | in caps
#pkts encaps: 737092521, #pkts encrypt: 737092521, #pkts digest: 737092521
#pkts decaps: 828154572, #pkts decrypt: 828154572, #pkts verify: 828154572>>>>>>>>>>>>Traffic is getting encrypting from router 2
Router_2#sh clock
.15:10:33.296 UTC Thu Dec 25 2014
Router_2#
========================
Router_2#sh int Tu1
Tunnel1 is up, line protocol is down>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Down
Hardware is Tunnel
Internet address is 3.85.129.142/30
MTU 17916 bytes, BW 2000 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive set (10 sec), retries 3
Tunnel source 109.224.62.26 (GigabitEthernet0/0), destination 195.27.20.14
Tunnel Subblocks:
src-track:
Tunnel1 source tracking subblock associated with GigabitEthernet0/0
Set of tunnels with source GigabitEthernet0/0, 2 members (includes iterators), on interface <OK>
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 1w6d, output 00:00:02, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 14843
Queueing strategy: fifo
Output queue: 0/0 (size/max)
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec
1881547260 packets input, 956465296 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1705198723 packets output, 2654132592 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
=============================
Router_2#ping 195.27.20.14 re 100 sou 109.224.62.26
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 195.27.20.14, timeout is 2 seconds:
Packet sent with a source address of 109.224.62.26
Success rate is 94 percent (94/100), round-trip min/avg/max = 136/143/164 ms
Router_2#
=========================

Hello.
First of all, try to reset IPSec (clear crypto isakmp sa ..., clear crypto session ...).
Configure inbound ACL on the router to match esp protocol and check if the packets arrive.
Please provide full output "show crypto ipsec sa"
from both sides.

DIscussion on GRE Tunnel IPSec VPN

I am looking for some good discussion topics on GRE Tunnel / IPSec / VPN for a beginner. I am sure there will be some good articles on Cisco Site. Can someone please point me some of these articles
Alphonse

this url should be a good one for your
https://learningnetwork.cisco.com/docs/DOC-15048#comment-30627
which helps in configuring,verifying and troubleshooting.

2911 router - Netflow V5 through GRE Tunnels

Hi All,
Does the 2911 router support the ability for Netflow V5 to pass through GRE tunnels? I can't seem to find any documentation that indicates this.
Thanks,
Gurjinder

If you are going to use a GRE tunnel as the flow export interface from the router exporting NetFlow, it will not work. Cisco bug IDs for this issue are CSCsk25481 and CSCef28662 and is applicable to both traditional and flexible NetFlow.
To allow NetFlow export from a device through an encrypted tunnel on the same device, enable Flexible NetFlow and use the command output-features when configuring your flow exporter. That will allow NetFlow export over encrypted tunnels.
Regards,
Don Thomas Jacob
http://www.solarwinds.com/netflow-traffic-analyzer.aspx
NOTE: Please rate posts and close questions if you have found the answers helpful.

Windows Replication RPC Problems with IPSec GRE Tunnel

We have been having significant issue in troubleshooting random RPC errors with our directory controllers (MS AD 2008R2) and our distributed file shares. Both services will randomly stop working, throwing RPC errors as the resulting cause. We have been all over both Cisco and Microsoft forums in trying to troubleshoot this problem. I'm trying to the Cisco forums first to see if anyone has any network layer thoughts as to best practices or ways to configure the tunnel.
Our network is simple: two small branch offices connected to each other with two Cisco 2901 ISRs. An IPSec GRE tunnel exists between both offices. Interoffice bandwidth is approximately 10mbps. Pings between offices work, remote desktop works most of the time, file transfers work, and DNS lookups work across both locations. We really don't have a complicated environment, I'd think it wouldn't be too hard to set up. But this just seems to be escaping me. I can't think of anything at the network layer that would be causing problems but I was curious whether anyone else out there with knowledge of small office VPNs might be able to render some thoughts on the matter.
Please let me know if there is anything further people need to see. My next step is MS forums but I wanted to eliminate layer 3 first.
Tunnel Config:
crypto map outside_crypto 10 ipsec-isakmp
set peer x.x.x.x
set transform-set ESP-AES-SHA
match address 102
crypto ipsec df-bit clear
interface Tunnel0
bandwidth 10240
ip address x.x.x.x x.x.x.x
no ip redirects
ip mtu 1420
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1375
tunnel source GigabitEthernet0/0
tunnel destination x.x.x.x
crypto ipsec df-bit clear
end

Hi,
Based on the third-party article below, you can setup VPN connection between Windows VPN client and Cisco firewall:
Step By Step Guide To Setup Windows 7/Vista VPN Client to Remote Access Cisco ASA5500 Firewall
What is the Windows server 2008 R2 for, a RADIUS server? If yes, maybe the links below would be helpful to you:
RADIUS: Configuring Client VPN with Windows 2008 Network Policy Server (NPS) RADIUS Authentication
Configuring RADIUS Server on Windows 2008 R2 for Cisco Device Logins
RADIUS authentication for Cisco switches using w2k8R2 NPS
Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
Best regards,
Susie

RVS4000 L2TP IPSec

Currently trying to establish L2TP IPSec VPN tunnels between Windows XP remote client and Windows 2003 RRAS Server.
Both the XP remote client and the W2003 RRAS Server are behind RVS4000 routers.
Have established that the W2003 RRAS server will accept L2TP IPSec connections from clients behind the Cisco RVS4000 router [LAN clients].
Can not establish remote L2TP IPSec connections through the RVS4000 routers. Have established that PPTP VPN through the RVS4000 routers. Both routers are running version 1.3.0.5
Both RVS 4000 routers are configured for PPTP, IPSec, & L2TP VPN passthrough with UDP port 1701 being forwarded to the RRAS server by the
RVS 4000 router. PPTP VPN connections have no problem.
Error code is 792
The problem appears to be with IPSec passthrough. UDP port 1701 is being forwarded to the RRAS server. Can not create port rules for IKE 500 or IP Protocol 50/4500 on the RVS4000 because those policies conflict with forwarding UDP1701.
Any guidance on why the IPSec fails through the RVS4000 for remote access clients but IPSec is successful in establishing a connection to the RRAS server using LAN clients.

I repeat one more time: Never ever forward port UDP 1701. You don't want to expose the L2TP server to the internet. If the server is configured correctly on your VPN server then it won't accept direct access to UDP port 1701 anyway. But still you don't want to do it.
L2TP or better L2TP over IPSec tunnels L2TP traffic on UDP 1701 inside an IPSec tunnel between the client and the server. If you run your VPN server inside your LAN behind a NAT router all you ever want to forward for that purpose is IPSec, i.e. ports UDP 500 and TCP/UDP 4500. Nothing else. For L2TP over IPSec all the router will ever see is IPSec traffic. The L2TP traffic is encrypted inside the IPSec tunnel. The router does not know about this.
If you forward UDP 1701 to your L2TP server you expose the L2TP server directly to the internet, removing the pre-shared key or certificate authentication and encryption of IPSec. All L2TP is completely unencrypted, then if someone has an L2TP (with no IPSec) client to connect.
The standard Windows L2TP/IPSec won't connect directly to L2TP without IPSec.
Even if the RVL allows you to forward UDP 1701 don't do it. If your VPN connection to your VPN server only works with this forwarding in place then you have a big problem with your whole VPN configuration because as I have mentioned before the router should never see any VPN traffic on UDP 1701 as it is supposed to be fully encrypted and hidden inside the IPSec tunnel...

GRE tunnel through asa no pptp, l2tp, ipsec

Similar Messages

Maybe you are looking for