IP routing utilizing Verizon private network (GRE tunnel) with remote cellular gateways
Okay, I give up, and think I have done my due diligence (I have been engrossed and fascinated, spending many more hours than allotted to try and learn some of the finer details). Time for some advice. My usual trade is controls engineering, which generally requires only basic knowledge of networking principles. However, I recently took a job to integrate 100 or so lift stations scattered around a county into a central SCADA system. I decided to use cellular technology to connect these remote sites back to the main SCADA system. Well, the infrastructure is now in and it's time to get these things talking.

Basic topology description is as follows: Each remote site has an Airlink LS300 gateway. Attached to the gateway via Ethernet is a system controller that I will be polling via Modbus TCP from the main SCADA system. The Airlinks are provisioned by Verizon utilizing a private network with static IPs. This private network's address is 192.168.1.0/24. Back at the central office the SCADA computer is sitting behind a Cisco 2911. The LAN address of the central office is 192.168.11.0/24. The 2911 is utilizing GRE tunnels that terminate with Verizon. The original turn-up was done by another contractor who did a basic config of the router, which you will find below.

As it stands now I am pretty confident the tunnels are up and working (if I change a local computer's subnet mask to 255.255.0.0 I can surprisingly reach the Airlinks in the field), but this is obviously not the right way to solve the problem, not to mention I was unable to successfully poll the end devices on the other side of the Airlinks. I think I understand just about every part of the config below and think it is just missing a few items to be complete. I would greatly appreciate anyone's help in getting this set up correctly. I also have a few questions about the setup that still don't make sense to me; you will find them below the config. Thanks in advance.
no aaa new-model
ip cef
ip dhcp excluded-address 10.10.10.1
ip dhcp pool ccp-pool
 import all
 network 10.10.10.0 255.255.255.248
 default-router 10.10.10.1
 lease 0 2
ip domain name yourdomain.com
no ipv6 cef
multilink bundle-name authenticated
username cisco privilege 15 one-time secret
redundancy
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key AbCdEf01294 address 99.101.15.99
crypto isakmp key AbCdEf01294 address 99.100.14.88
crypto ipsec transform-set VZW_TSET esp-3des esp-md5-hmac
 mode transport
crypto map VZW_VPNTUNNEL 1 ipsec-isakmp
 description Verizon Wireless Tunnel
 set peer 99.101.15.99
 set peer 99.100.14.88
 set transform-set VZW_TSET
 match address VZW_VPN
interface Tunnel1
 description GRE Tunnel to Verizon Wireless
 ip address 172.16.200.2 255.255.255.252
 tunnel source 22.20.19.18
 tunnel destination 99.101.15.99
interface Tunnel2
 description GRE Tunnel 2 to Verizon Wireless
 ip address 172.16.200.6 255.255.255.252
 tunnel source 22.20.19.18
 tunnel destination 99.100.14.88
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 10.10.10.1 255.255.255.248
 shutdown
 duplex auto
 speed auto
interface GigabitEthernet0/1
 ip address 192.168.11.1 255.255.255.0
 duplex auto
 speed auto
interface GigabitEthernet0/2
 ip address 22.20.19.18 255.255.255.0
 duplex full
 speed 100
 crypto map VZW_VPNTUNNEL
router bgp 65505
 bgp log-neighbor-changes
 network 0.0.0.0
 network 192.168.11.0
 neighbor 172.16.200.1 remote-as 6167
 neighbor 172.16.200.5 remote-as 6167
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip route 0.0.0.0 0.0.0.0 22.20.19.19
ip access-list extended VZW_VPN
 permit gre host 99.101.15.99 host 22.20.19.18
 permit icmp host 99.101.15.99 host 22.20.19.18
 permit esp host 99.101.15.99 host 22.20.19.18
 permit udp host 99.101.15.99 host 22.20.19.18 eq isakmp
 permit gre host 22.20.19.18 host 99.101.15.99
 permit gre host 22.20.19.18 host 99.100.14.88
access-list 23 permit 10.10.10.0 0.0.0.7
control-plane
end
So after spending countless hours analyzing every portion of this, I think that adding one line to this will get it going (or at least closer).
ip route 192.168.1.0 255.255.0.0 22.20.19.19
That should allow my internal LAN to reach the Airlink gateways on the other side of the tunnel (I think).
Now for a couple of questions for those that are still actually hanging around.
#1 What is the purpose of the Ethernet address assigned to each tunnel? I only see them being used in the BGP section, where they are receiving routing tables from the Verizon side (is that correct?). Why wouldn't or couldn't you just use the physical Ethernet interface address in its place (in the BGP section)?
#2 Is the config above correct in pointing the default route to the physical Ethernet address? Does that force the packets into the tunnel, or shouldn't you be pointing it towards the tunnel IPs (172.16.200.2)? If the config above is correct then I should not need to add the route I described above, as if I ping out to 192.168.1.X that should catch it and force it into the tunnel, where Verizon would pick it up and know how to get it to its destination?
#3 Will I need to add another permit to the VZW_VPN for TCP, as in the end I need to be able to poll via Modbus, which uses TCP port 502? Or is TCP implicit in some way with the GRE permit?
I actually have a lot more questions, but I will keep reading for now.
I really appreciate the time you all took to trudge through this. Also please feel free to point anything else out that I may have missed or that can be improved. Have a great day!
This post is a duplicate of this thread
https://supportforums.cisco.com/discussion/12275476/proper-routing-lan-through-verizon-private-network-gre-airlink-gateways
which has a response. I suggest that all discussion of this question be done through the other thread.
HTH
Rick
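To make questions #2 and #3 above concrete, here is an added Python model (not from the thread, the Airlink product or Cisco) of how the 2911 would handle one Modbus/TCP poll from the SCADA LAN: longest-prefix match decides between the default route out GigabitEthernet0/2 and a route into Tunnel1, and after GRE encapsulation the crypto ACL VZW_VPN is evaluated against the outer header only, so the GRE permit is what matches and no TCP/502 entry is consulted. The 192.168.1.0/24 route via Tunnel1 (learned via BGP from 172.16.200.1) and the SCADA host address 192.168.11.50 are assumptions; the thread does not show the BGP table.

```python
import ipaddress
import struct

# Routes taken from the posted config, plus one ASSUMED BGP-learned prefix
# for the Verizon private network (the thread never shows 'show ip bgp').
ROUTES = [
    ("0.0.0.0/0", "22.20.19.19", "GigabitEthernet0/2"),   # ip route 0.0.0.0 0.0.0.0 22.20.19.19
    ("192.168.11.0/24", None, "GigabitEthernet0/1"),       # connected central-office LAN
    ("192.168.1.0/24", "172.16.200.1", "Tunnel1"),         # assumed: learned via BGP over Tunnel1
]

# Tunnel1 from the config: tunnel source / tunnel destination.
TUNNELS = {"Tunnel1": ("22.20.19.18", "99.101.15.99")}
GRE_PROTO, TCP_PROTO = 47, 6

# Outbound entries of the crypto ACL VZW_VPN (action, protocol, src, dst).
VZW_VPN = [
    ("permit", GRE_PROTO, "22.20.19.18", "99.101.15.99"),
    ("permit", GRE_PROTO, "22.20.19.18", "99.100.14.88"),
]


def lookup(dst):
    """Longest-prefix match over ROUTES; returns (prefix, next_hop, interface)."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, ifc in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, ifc)
    return str(best[0]), best[1], best[2]


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (header checksum left zero; constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def modbus_tcp_packet(src, dst, unit=1, register=0, count=2):
    """IPv4/TCP segment to port 502 carrying a Modbus Read Holding Registers (0x03) request."""
    mbap = struct.pack("!HHHB", 1, 0, 6, unit)            # transaction id, protocol id, length, unit id
    pdu = struct.pack("!BHH", 0x03, register, count)       # function code, start register, quantity
    tcp = struct.pack("!HHIIBBHHH", 40000, 502, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + mbap + pdu
    return ipv4_header(src, dst, TCP_PROTO, len(tcp)) + tcp


def gre_encapsulate(inner, tunnel):
    """Wrap an IPv4 packet in a base GRE header (protocol type 0x0800) with the tunnel's outer IPs."""
    src, dst = TUNNELS[tunnel]
    gre = struct.pack("!HH", 0, 0x0800) + inner
    return ipv4_header(src, dst, GRE_PROTO, len(gre)) + gre


def parse_outer(pkt):
    """Return (protocol, src, dst) of the outermost IPv4 header."""
    return (pkt[9],
            str(ipaddress.ip_address(pkt[12:16])),
            str(ipaddress.ip_address(pkt[16:20])))


def crypto_acl_matches(pkt, acl=VZW_VPN):
    """Evaluate the crypto ACL on the packet as it leaves the physical interface: outer header only."""
    proto, src, dst = parse_outer(pkt)
    for action, aproto, asrc, adst in acl:
        if aproto == proto and asrc == src and adst == dst:
            return action == "permit"
    return False  # implicit deny: the packet would leave unencrypted, not matched for IPsec


def forward_poll(src_host, airlink):
    """Route a Modbus poll and return (egress interface, outer IP protocol, crypto-ACL result)."""
    _prefix, _next_hop, ifc = lookup(airlink)
    pkt = modbus_tcp_packet(src_host, airlink)
    if ifc in TUNNELS:                      # tunnel route: GRE wraps the TCP segment
        pkt = gre_encapsulate(pkt, ifc)
    return ifc, parse_outer(pkt)[0], crypto_acl_matches(pkt)


if __name__ == "__main__":
    # A poll to an Airlink goes into Tunnel1 and is seen by VZW_VPN as GRE (47), not TCP (6).
    print(forward_poll("192.168.11.50", "192.168.1.25"))   # ('Tunnel1', 47, True)
    # Without the /24 route the same poll would follow the default route and never be encrypted.
```

The raw TCP segment on its own does not match VZW_VPN at all; only the GRE-wrapped packet does, which is why a TCP permit in that ACL would never be hit.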
Similar Messages
-
Proper routing for LAN through Verizon private network (GRE) to Airlink gateways
My first comment is that you have two posts in this forum and as far as I can tell they are exact duplicates, other than changing the title of the posts. It is better to figure out what you want to ask and then to ask once.
My second comment is that you have given us information about your central site. At some point we may also need some information about what is at the remote and how that is set up. But for now we will deal with what we know about your site.
Before I deal with your specific questions I will comment that if you are able to access the remote airlinks that it is a pretty good indicator that the tunnels are probably working. But to understand the significance of this it would help if you clarify for us what address is on the local computer when you change the subnet to 255.255.0.0.
Also, what you have shown us allows us to see that BGP is configured but provides no insight into whether BGP is working or not. It would provide helpful information if you would post the output of show ip bgp sum.
So to address your specific questions:
You suggest that adding a static route for 192.168.1.0 might be part of the solution. But we have no information about what that network is or its significance. So we have no way to know whether the static route would help or not. But my guess (based on very scant information and therefore based mostly on assumptions) is that if BGP is working correctly that the static route is not needed.
1) asks about an Ethernet address on the tunnel. I assume that you really meant to ask about the IP address assigned to the tunnel. The reason that the tunnel needs its own IP address is that we want a unique subnet assigned to the tunnel. If we used the address from the physical interface as you suggest then both tunnels would have the same address, and that implies that they both connect to the same place, and that assumption is not correct.
2) Yes it is correct to point the default route to the IP address that is the next hop from the Ethernet interface. You might want to have a route pointing at the tunnel address for remote subnets reached via the tunnel. But in looking at the config and trying to understand what was intended it is pretty obvious that running BGP over the tunnel is intended to learn the remote addresses over the tunnel and therefore there is no need for static routes for the remote resources.
3) You should not need an additional permit for TCP 402. The TCP packet will be carried through the tunnel, and the access list you are referring to will see the packet with Modbus polling as GRE traffic and not as TCP traffic.
HTH
Rick
-
Encrypted GRE Tunnel with RIP on a SRW527w??
Hi All,
Is it possible to configure an IPsec GRE tunnel with RIP on an SRP527w? I see RIP, GRE and IPsec are all possible, but I'm not sure about them all together, securing the GRE tunnel?
See below. I basically want to do this with the SRW routers not native IOS. Single head end hub & spoke.
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a008073a0c5.pdf
Thanks a lot
Matt
On a much smaller scale of course!
-
GRE tunnel could not be used by the hosts connected to the router
Hi,
I am using a Cisco ASR1013 (RP2) and a Mikrotik router for setting up a GRE tunnel for LAN-to-LAN routing over a broadband link. The tunnel works fine (able to ping tunnel endpoints and also all the connected interfaces on both the Mikrotik and Cisco ASR), but the hosts that are connected directly to the Cisco router interface over a layer 2 Cisco switch are unable to connect to (ping) the hosts or connected interfaces on the Mikrotik side. I am sure it's not a Mikrotik issue as I don't see any traffic coming through the tunnel using the Mikrotik torch utility. There are no ACLs or firewall rules on any of the devices.
Source and destination of the tunnel are public IPs and are pingable via the internet (the tunnel is connected and endpoints are pingable).
Mikrotik connected interface IP = 192.168.253.1/24
Mikrotik tunnel end point IP = 192.168.254.1/30
Cisco tunnel end point IP = 192.168.254.2/30
Connected cisco subnet to reach Mikrotik = M.N.O.32/28
Cisco interface IP for LAN = M.N.O.33
Test host IP on the LAN subnet = M.N.O.34
The below is my Cisco config
ASR-1#sh run int tun 1
Building configuration...
Current configuration : 144 bytes
interface Tunnel1
ip address 192.168.254.2 255.255.255.252
ip mtu 1400
tunnel source A.B.C.D
tunnel destination W.X.Y.Z
end
ASR-1#sh run int g0/1/7
Building configuration...
Current configuration : 280 bytes
interface GigabitEthernet0/1/7
description LAN
ip address M.N.O.33 255.255.255.240
ip verify unicast source reachable-via rx
no negotiation auto
cdp enable
end
ASR-1#sh ip ro 192.168.253.1
Routing entry for 192.168.253.0/24
Known via "static", distance 1, metric 0 (connected)
Routing Descriptor Blocks:
* directly connected, via Tunnel1
Route metric is 0, traffic share count is 1
ASR-1#ping 192.168.253.1 so M.N.O.33
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.253.1, timeout is 2 seconds:
Packet sent with a source address of M.N.O.33
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms
ASR-1#pi M.N.O.34
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to M.N.O.34, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
If I try to ping 192.168.253.1 (network connected to Mikrotik) from the host M.N.O.34 (the gateway of this host is M.N.O.33, int g0/1/7 of the Cisco ASR), I cannot reach the destination: request timed out. Below are the results of trace and ping from the host connected to ASR G1/0/7.
PING TO THE GATEWAY *********
[root@localhost ~]# ping M.N.O.33
PING M.N.O.33 (M.N.O.33) 56(84) bytes of data.
64 bytes from M.N.O.33: icmp_seq=1 ttl=255 time=0.161 ms
64 bytes from M.N.O.33: icmp_seq=2 ttl=255 time=0.143 ms
^C
--- M.N.O.33 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1357ms
rtt min/avg/max/mdev = 0.143/0.152/0.161/0.009 ms
PING TO THE TUNNEL END POINT IN CISCO ASR
[root@localhost ~]# ping 192.168.254.2
PING 192.168.254.2 (192.168.254.2) 56(84) bytes of data.
64 bytes from 192.168.254.2: icmp_seq=1 ttl=255 time=0.141 ms
64 bytes from 192.168.254.2: icmp_seq=2 ttl=255 time=0.141 ms
^C
--- 192.168.254.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1739ms
rtt min/avg/max/mdev = 0.141/0.141/0.141/0.000 ms
PING TO THE TUNNEL ENDPOINT IN MIKROTIK
[root@localhost ~]# ping 192.168.254.1
PING 192.168.254.1 (192.168.254.1) 56(84) bytes of data.
^C
--- 192.168.254.1 ping statistics ---
11 packets transmitted, 0 received, 100% packet loss, time 10413ms
PING TO THE CONNECTED INTERFACE ON MIKROTIK
[root@localhost ~]# ping 192.168.253.1
PING 192.168.253.1 (192.168.253.1) 56(84) bytes of data.
^C
--- 192.168.253.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3641ms
TRACE TO THE CONNECTED INTERFACE ON MIKROTIK
[root@localhost ~]# traceroute 192.168.253.1
traceroute to 192.168.253.1 (192.168.253.1), 30 hops max, 60 byte packets
1 M.N.O.33 (M.N.O.33) 0.180 ms 0.156 ms 0.145 ms
2 * * *
3 * * *
4 * * *
5 * * *
Please help
Hi,
Sorry for the delayed response. Static routes are added at both ends for the connected test interfaces.
Regards,
Mahesh
-
Gre tunnel over 2 mpls routers
I have 2 sites; the voice server is in site A and site B has the remote phones. Right now the voice VLAN goes over the DMVPN; we are facing some degraded performance and decided to move voice traffic to MPLS.
We need to carry the multicast traffic as well, which is not supported over our MPLS circuit. I have no idea why the provider is not supporting multicast traffic over the MPLS circuit.
So we decided to create GRE tunnels to carry multicast traffic over MPLS. We have L3 switches on both sites, site A a Cisco 4500 and site B a Cisco 3850, and MPLS connectivity is reachable up to the L3 core switches. With the 3850 we had an issue creating tunnels, and I upgraded the IOS; after upgrading I came to know that no tunnels are supported on the 3850 anymore. So we cannot have a GRE tunnel between our L3 switches over the MPLS.
My question is, can I ask the MPLS provider to set up tunnels on their routers (which they are ready to help with) and point the static routes for the voice VLAN towards the GRE tunnels over MPLS?
Can you advise any other solution, or would this solution work?
Aneesh,
Loss of connectivity between the two PEs would indeed cause the GRE tunnel interface to go down, assuming that you configure tunnel keepalives as follows:
int tu0
keepalive
Regards
-
Tacacs authentication doesn't work after passing thru GRE tunnel with Crypto map.
Hello All, [Pls Rate if HELPS]
In addition,
Normally in the CRYPTO Configuration the Crypto Sessions will be formed with some Private Loopback available in the Configuration.
Since the TACACS server will be in the same domain, the "ip tacacs source-interface" command solved your problem.
The Crypto Originating LOCAL Interface at SPOKE Location, should be normally used for tacacs Source Interface in a general scenario.
Hope I am Informative.
Pls Rate if HELPS
Best Regards,
Guru Prasad R
-
Hi ,
Who can tell me how to configure IPsec over a GRE tunnel when the remote side is using a dynamic IP?
Thanks!
Cisco has introduced a feature designed to do exactly what you are asking. You can configure an IPsec VPN over a GRE tunnel where the remote has a dynamic IP using the Dynamic Multipoint VPN (DMVPN) feature.
The key concept here is that the remote side must initiate the tunnel to the central side. In the message requesting the tunnel the remote indicates what address the central should use as the tunnel destination.
I have configured it in the lab and it worked pretty well. I have not yet used it in a production environment.
This URL should help you get started with this:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110ba1.html
HTH
Rick
-
I have configured a network with OSPF and a site-to-site VPN without a GRE tunnel, and it works very well. I want to know, when do I have to use a GRE tunnel over IPsec?
Jose,
It sounds like you currently have an IPsec Virtual Tunnel Interface (VTI) configured. By this, I mean that you have a Tunnel interface running in "tunnel mode ipsec ipv4" rather than having a crypto map applied to a physical interface. In the days before VTIs, it was necessary to configure GRE over IPsec in order to pass certain types of traffic across an encrypted channel. When using pure IPsec with crypto maps, you cannot pass multicast traffic without implementing GRE over IPsec. Today, IPsec VTIs and GRE over IPsec accomplish what is effectively the same thing, with a few exceptions. For example, by using GRE over IPsec, you can configure multiple tunnels between two peers by means of tunnel keys, pass many more types of traffic than just IP unicast and multicast (such as NHRP as utilized by DMVPN), and you can also configure multipoint GRE tunnels, whereas VTIs are point to point.
Here's a document which discusses VTIs in more depth: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-ipsec-virt-tunnl.html#GUID-A568DA9D-56CF-47C4-A866-B605804179E1
HTH,
Frank
-
IPsec tunnel without a private network
I'm trying to achieve a site-to-site IPsec tunnel to a Cisco ASA 5520. Most examples feature the ASA with a public interface that terminates the tunnel and a private network on another interface that the tunnel interacts with. Where my scenario differs is that the interface that accepts the tunnel is part of a public /29 network where I want the remaining hosts on that subnet to be able to route through to the other end of the tunnel. My tunnel gets established, but any attempts to route via the IP assigned to that one interface result in the ASA rejecting traffic. Is this scenario even possible? If so, what configuration options should I consider?
Thanks!
I got to say I have never tried this or had any situation where I would want to use the ASA like this.
This would be something I would have to test as I can't say for sure if its possible or not.
For one, I would at least make sure of the following things:
Make sure you have the configuration "same-security-traffic permit intra-interface". This will permit the traffic to enter and leave the same interface, which in this case is "outside".
That the host default route points to the ASA
Consider configuring NAT0 for the "outside" /29 network on the "outside" interface when the destination network is the remote site network
Use the "packet-tracer" command to simulate a packet coming from the "outside" host towards the remote site and see what the output is:
packet-tracer input outside tcp
How do you confirm the ASA is rejecting the traffic? Do you see some log message?
Have you seen any traffic get encapsulated/encrypted at this site OR is there only traffic incoming from the remote site?
- Jouni
-
TACACS per VRF not supported on my router; would a GRE tunnel work?
Hi,
Basically the problem is that I am working with old routers; I checked already on Feature Navigator and the following commands are not supported on the router to communicate with a TACACS server that resides in a VRF:
Configuring Per VRF for TACACS+ Servers: Example
The following output example shows that the group server tacacs1 has been configured for per VRF AAA services:
aaa group server tacacs+ tacacs1
server-private 10.1.1.1 port 19 key cisco
ip vrf forwarding cisco
ip tacacs source-interface Loopback0
ip vrf cisco
rd 100:1
interface Loopback0
ip address 10.0.0.2 255.0.0.0
ip vrf forwarding cisco
Basically I cannot support all of the above; however, I was thinking of bypassing the command by creating a GRE tunnel. I just need confirmation whether the following would work; if not, I would appreciate it if someone could point me in a better direction:
ON BRANCH ROUTER:
int l0
ip add 1.1.1.1 255.255.255.0
no shut
int tun10
ip add 2.2.2.1 255.255.255.0
ip vrf forwarding cisco
tun so l0
tun dest [ip add of router directly connected to tacacs server]
ip tacacs source-interface l0
tacacs-server host 10.10.10.1
tacacs-server key 7 cisco
ON REMOTE ROUTER:
int l0
ip add 3.3.3.3 255.255.255.0
no shut
int tun10
ip add 2.2.2.2 255.255.255.0
ip vrf forwarding cisco
tunn so l0
tunn dest [ip add of branch router]
Attached is some real information; the IP address of the real TACACS server is 10.20.30.61.
Thanks for the response, but I posted the question after knowing that. I already checked on Feature Navigator that THIS IS NOT SUPPORTED for my router; at the end of my configuration I am proposing a workaround using a tunnel to bypass the unsupported configuration.
My question to you is, can a configuration with GRE and VRF work instead of the unsupported configuration?
I know that the alternative is to run RADIUS, but it is more paperwork to do than trying to implement a solution with the current IOS.
Thanks, and sorry if I didn't make myself clear at the beginning of my first post.
-
What is the correlation of Logger Private network to Router Private Network.
What is the correlation of Logger Private network to Router Private Network.
You have to define them in Websetup for the Router and Logger, but what is communicating on the Private network path between the Logger and Router? I thought that was over the Public network. Is it only Recovery from the Loggers talking over the Private network?
Hi,
you can read about the types of messages exchanged over various links in the SRND.
G.
-
How to route traffic to a static public IP address on my private network
Here is my topology:
ISP Modem ---------------- (gig0/0) Cisco Router (gig0/1) -----------------Cisco Switch--------------------Server
60.70.80.90 172.16.0.1 172.16.0.2 60.70.80.91
Gateway: 60.70.80.89
Netmask: 255.255.255.240
Scenario:
My ISP has given me 5 static IP addresses, and I want to assign one of them to one of my servers that lies within my private network. I am wondering what kind of configuration I would need to be able to access my server from outside my private network using one of the static IP addresses that was given by my ISP. Does this need some sort of static NAT on top of the inside/outside NAT I have done on my router? Thanks
Best Regards,
Sean
Duplicate post.
Go HERE.
-
Ip route command in GRE tunnel
Hi Everyone,
I have setup GRE Lab between Routers R1 and R3.
R1 is connected to R2 using OSPF and R2 is connected to R3 using OSPF.
I config GRE tunnel interface on R1 and R3.
R1 has an internal subnet, say 100.x.x.x, to share with R3.
R3 has an internal LAN subnet, say 101.x.x.x, to share with R1.
Interesting traffic to pass through the GRE tunnel is subnets 100.x.x.x and 101.x.x.x.
R1 tunnel config
R1# sh run int tunnel 0
Building configuration...
Current configuration : 168 bytes
interface Tunnel0
ip address 13.13.13.1 255.255.255.0
keepalive 3
cdp enable
tunnel source Loopback0
tunnel destination 20.0.0.1
tunnel path-mtu-discovery
R3 Tunnel config
R3#sh run int tunnel 0
Building configuration...
Current configuration : 158 bytes
interface Tunnel0
ip address 13.13.13.3 255.255.255.0
keepalive 3 1
tunnel source Loopback0
tunnel destination 10.0.0.1
tunnel path-mtu-discovery
So my question is, instead of using routing protocols to advertise the LAN subnets from R1 and R3, can I use static routes?
For example,
if I can use static routes, say on R1:
ip route 101.101.101.101 255.255.255 ?
What should the next-hop IP be here?
The tunnel interface of the R3 router, or the physical interface of R3 that connects to R2?
Then the same way I can use static routes on R3, right?
Thanks
Mahesh
Hello Mahesh,
You can use the IP address as long as the tunnel IP addresses on both sides are in the same subnet. So in your case you can use
ip route 101.101.101.101 255.255.255 13.13.13.3
Or you can use the tunnel interface
ip route 101.101.101.101 255.255.255 Tunnel0
Although I have seen issues in some cases when the interface name is used instead of tunnel IP.
Please rate this post if helpful.
Thanks
Shaml
-
ICM Router & Logger Private Network connectivity
Hi,
Can any one give me clarification on the following
Is there any private network connectivity between the ICM router and Logger?
No, call routers (central controller) communicate between side A and B over the private network for synchronization, as do PG pairs. Loggers receive data from the local call router over public traffic.
Chris
-
2911 router - Netflow V5 through GRE Tunnels
Hi All,
Does the 2911 router support the ability for Netflow V5 to pass through GRE tunnels? I can't seem to find any documentation that indicates this.
Thanks,
Gurjinder
If you are going to use a GRE tunnel as the flow export interface from the router exporting NetFlow, it will not work. Cisco bug IDs for this issue are CSCsk25481 and CSCef28662, and this is applicable to both traditional and flexible NetFlow.
To allow NetFlow export from a device through an encrypted tunnel on the same device, enable Flexible NetFlow and use the command output-features when configuring your flow exporter. That will allow NetFlow export over encrypted tunnels.
Regards,
Don Thomas Jacob
http://www.solarwinds.com/netflow-traffic-analyzer.aspx
NOTE: Please rate posts and close questions if you have found the answers helpful.