Mystery Tunnel Interfaces on 2921 Router

Hi All,
I need some help.
For some reason it seems we have 3 Tunnel interfaces on the router. Not sure how they got there, but we are unable to delete them or configure them.
They seem to take the loopback IP as source, and if I delete the loopback interface they choose another IP.
Output from sh ip int brief; not sure where it gets those IPs from either.
Tunnel0                    172.16.0.1      YES unset  up                    up     
Tunnel1                    172.16.0.1      YES unset  up                    up     
Tunnel2                    172.16.0.1      YES unset  up                    up    
See below when I try to enter interface config mode:
Router1(config)#int tunnel 0
% This interface cannot be modified
Any suggestions or help will be appreciated.
Regards
Z

Hi Zubair,
This is due to WCCP. You have WCCP for service 61 and 62 so my guess is you have an optimizer appliance (like WAAS) talking WCCP with this router. The tunnel interfaces are the result of WCCP using GRE encapsulation to redirect the traffic to the WAN optimizers.
You can find more info here:
https://supportforums.cisco.com/docs/DOC-15782
thanks,
Fabrizio

Similar Messages

  • Virtual Tunnel Interface (VTI) Hub Router Configuration

    When configuring multiple VTI tunnels on a hub router, is it recommended that each tunnel use a unique transform-set and ipsec profile, or can they all share the same configuration?
    Example:
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key ******** address 0.0.0.0 0.0.0.0
    crypto isakmp keepalive 10
    crypto ipsec transform-set TSET esp-3des esp-sha-hmac
    crypto ipsec profile VTI
    set transform-set TSET
    Thanks.-

    Hi,
    The IPsec profile can be shared.
    You could also create multiple transform sets and reference them in an IPsec profile and then apply it to a specific VTI.
    Sent from Cisco Technical Support iPhone App

  • Tunnel interface to physical interface

    Hi All,
    I was wondering if it is possible to build a site-to-site VPN connection with one side using a tunnel interface and the other end using a physical interface.
    My plan is to use a 3945 router and build multiple tunnel interfaces on the router to connect 50 clients. By using tunnel interfaces on the router I could leverage the VRF feature to isolate clients, but if I use a tunnel interface on my end I am not certain if the tunnel will come up if my client is using 1) ASA 2) PIX 3) VPN concentrator - which doesn't support tunnel interfaces.
    Thanks for your help in advance.
    Lou

    Mark Mattix wrote: I did some reading on EIGRP and is it correct that the EIGRP Header and Payload (TLV) are encapsulated in an IP packet and addressed to the address, 224.0.0.10? Is this the reason why multicast traffic must be encapsulated first in GRE to travel over the internet?
    Olivier Pelerin> This is correct
    When I set up a site to site VPN using GRE tunnels and an IPSec config on the interfaces would this be considered, IPSec over GRE, or GRE over IPSec? I don't understand that difference.
    Olivier Pelerin> See the diagram below - this explains GRE over IPSEC. That's a diagram I did here for a training
    On the example packet I posted above, is the public address that's routed over the internet part of the IPSec packet/suite? I guess a better question is, what portions of the packet make up IPSec and which portion is just regular IPv4 addressing?
    Olivier Pelerin> the diagram below should answer that
    I've been wrong in thinking that GRE and IPSec go hand in hand when in fact it's possible to only use IPSec and no type of tunnel. If IPSec is set up on the interfaces and the tunnels are configured at both end points, what does your information first get encapsulated by, GRE or IPSec? In your example packet format Olpeleri, it looks like the IP packet is first encapsulated in GRE then encapsulated by IPSec. Is this correct? If so when information leaves our LAN and heads to the internet, does it first go through the tunnel to be encapsulated by GRE then out the physical link that adds the IPSec encapsulation?
    Olivier Pelerin> Correct. GRE first then encryption
    Sorry for all these questions, I'm just trying to learn how this works! Thanks again for the help!
    [red = encrypted]

  • 'no ip route-cache' on Tunnel interfaces

    Hi,
    A quick and hopefully simple question. Is there any reason why 'no ip route-cache' and 'no ip mroute-cache' should be configured on Tunnel interfaces?
    Generally, when should 'no ip route-cache' be configured on an interface?
    Many thanks,
    Andy

    Andy, no easy question, and it pretty much sends some of us back to basics. One has to take a deeper look at this command to barely get a good picture. See the first linked thread, a good discussion on your question. Generally no ip route-cache improves performance for router forwarding processing decisions.
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&topicID=.ee71a06&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cbfa166
    You can find more details on the three types of switching methods (such as fast switching by the ip route-cache command); I believe it helps to understand the commands better.
    http://www.cisco.com/en/US/tech/tk827/tk831/technologies_white_paper09186a00800a62d9.shtml
    Another instance where you would have ip route-cache enabled on an interface would be for the use of NetFlow; the ip route-cache command on an interface is a requirement for implementing NetFlow.
    Rgds
    -Jorge

  • Using Tunnel interface on Router

    Hi Everyone,
    I see a new Tunnel interface on the Router.
    The Router is running OSPF.
    It has no crypto statements.
    tunnel configuration
    interface Tunnel1
    ip address 10.4.x.x x.x.x.x
    delay 7
    tunnel source Loopback1
    tunnel destination 10.4.x.x
    My question is: when do we use a Tunnel interface without any crypto statements?
    Thanks
    MAhesh

    This Tunnel is a plain GRE-Tunnel. These are typically used without crypto when:
    1) The traffic is not sent through an untrusted network and a cryptographic protection is not needed.
    2) The GRE-traffic gets encrypted on a separate device if the GRE-Endpoint is not capable of doing the needed cryptographic protection.
    Sent from Cisco Technical Support iPad App
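The two answers above, plain GRE without crypto and "GRE first then encryption", seen from the wire. This is an added example, not code from any of the posters: it builds one inner packet addressed to 224.0.0.10, wraps it both ways, and lists what an on-path observer can decode in each case. All addresses, the SPI and the payload are constructed, and random bytes stand in for real ESP ciphertext.

```python
import os
import socket
import struct

PROTO_GRE, PROTO_ESP, PROTO_EIGRP = 47, 50, 88
GRE_TYPE_IPV4 = 0x0800


def ipv4(src, dst, proto, payload):
    """20-byte IPv4 header plus payload (header checksum left at 0 for brevity)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def gre(inner):
    """Basic GRE header: no optional fields, version 0, protocol type IPv4."""
    return struct.pack("!HH", 0, GRE_TYPE_IPV4) + inner


def esp(spi, seq, plaintext):
    """ESP as seen on the wire: SPI and sequence number in clear, the rest opaque.
    Random bytes stand in for the ciphertext; IV, padding and ICV are omitted."""
    return struct.pack("!II", spi, seq) + os.urandom(len(plaintext))


def visible_layers(packet):
    """List what an on-path observer can decode, stopping where ciphertext starts."""
    layers = []
    while True:
        ihl = (packet[0] & 0x0F) * 4
        proto = packet[9]
        src = socket.inet_ntoa(packet[12:16])
        dst = socket.inet_ntoa(packet[16:20])
        layers.append(f"IPv4 {src} -> {dst} proto {proto}")
        body = packet[ihl:]
        if proto == PROTO_GRE:
            flags, ptype = struct.unpack("!HH", body[:4])
            layers.append(f"GRE type 0x{ptype:04x}")
            if flags or ptype != GRE_TYPE_IPV4:
                return layers
            packet = body[4:]  # keep walking into the inner packet
        elif proto == PROTO_ESP:
            spi, seq = struct.unpack("!II", body[:8])
            layers.append(f"ESP spi 0x{spi:08x} seq {seq}, {len(body) - 8} bytes opaque")
            return layers
        else:
            layers.append(f"payload readable: {body!r}")
            return layers


# Constructed packets: all addresses, the SPI and the payload text are sample values.
INNER = ipv4("10.0.0.1", "224.0.0.10", PROTO_EIGRP, b"eigrp hello (constructed)")
PLAIN_GRE = ipv4("192.0.2.1", "198.51.100.2", PROTO_GRE, gre(INNER))
# GRE first, then encryption. Modelled as ESP transport mode (an assumption):
# ESP wraps the GRE header and everything inside it, so the outer IP header
# carries protocol 50. In tunnel mode the observer's view is the same.
GRE_OVER_IPSEC = ipv4("192.0.2.1", "198.51.100.2", PROTO_ESP,
                      esp(0x1001, 1, gre(INNER)))

if __name__ == "__main__":
    for name, pkt in (("plain GRE", PLAIN_GRE), ("GRE over IPsec", GRE_OVER_IPSEC)):
        print(name)
        for layer in visible_layers(pkt):
            print("   ", layer)
```

With plain GRE the inner addresses and the routing payload are readable end to end; with ESP around it only the tunnel endpoints, the SPI and the sequence number remain visible.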

  • ASA 5505 Logging Issue - Warning: Configured logging host interface conflicts with route table entry

    I am getting this warning on my ASA 5505 when I try to set up logging from my off site FW to the central FW, which is a 5510. What I am trying to do is send the FW logs through the VPN Tunnel into the central 5510 to our logging server at 192.168.22.99, but allow all other traffic out the outside interface so customers can hit our web servers down there. Here is an example of my config with fake IPs. I get this error when trying to do "logging inside host 192.168.22.99". If I try to put in "logging Tunnel host 192.168.22.99" I get the "Warning:Security Level is 1" message.
    5505
    ethe0/0
    desc To LA ISP (217.34.122.1)
    switchport access vlan2
    ethe0/1
    desc To Redwood City HQ via VPN Tunnel
    switchport access vlan1
    ethe0/2
    desc To Internal Web Server
    switchport access vlan3
    VLAN1
    desc Tunnel to HQ
    ifinterface Tunnel
    security level 1
    217.34.122.3 255.255.255.248
    VLAN3
    desc Internal Web Server
    ifinterface inside
    security level 100
    192.168.0.1 255.255.255.0
    access-list LosAngeles extended permit ip 192.168.0.0 255.255.255.0 192.168.22.0 255.255.255.0
    (No access-group is performed, as I match from the crypto map instead since I have multiple sites going out of HQ - see HQ configs)
    route Tunnel 192.168.22.0 255.255.255.0 65.29.211.198
    crypto map TO-HQ 10 match address LosAngeles
    crypto map TO-HQ set peer ip 65.29.211.198
    5510 at HQ
    access-list LA extended permit ip 192.168.22.0 255.255.255.0 192.168.0.0 255.255.255.0
    (again no access-group, since I have a couple other off sites)
    crypto map TO-LA 20 match address LA
    crypto map TO-LA 20 set peer ip 217.34.122.3

    Hi Jouni,
    I have the following configs in place with fake IPs
    5505
    1 outside interface with security level 0 (vlan1 direct connect to isp 217.33.122.2/30) - goes to ISP
    1 Tunnel interface with security level 1 (vlan 2 direct connect to isp 217.33.122.6/30) - goes to Tunnel to our 5510
    1 inside interface with security level 100 (servers connected to hub, with vlan3 ip of 192.168.0.1)
    access-list LosAngeles extended permit ip 192.168.0.0 255.255.255.0 192.168.22.0 255.255.255.0 - acl to 5510 inside network
    route outside 0.0.0.0 0.0.0.0 217.33.122.1 - route for all traffic (except for 192.168.22.0/24) to take the outside connection
    route Tunnel 192.168.22.0 255.255.255.0 65.29.211.198 - route for 192.168.22.0 destined traffic to take the Tunnel connection
    crypto map  TO-HQ 10 match address LosAngeles
    crypto map TO-HQ 10 set peer ip 65.29.211.198
    tunnel-group 65.29.211.198 type ipsec-l2l
    5510
    1 outside interface with security level 0 (vlan1 direct connect to isp 65.29.211.198) - goes to isp
    1 inside interface with security level 100 (vlan2 connection to corporate servers and SIP 192.168.22.0/24)
    access-list LA extended permit ip 192.168.22.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list OUTBOUND extended permit icmp host 217.33.122.6 host 192.168.22.99 (allows Nagios monitor to ping the DE interface)
    access-group OUTBOUND in interface outside
    nat (inside,outside) static 192.168.22.99 interface destination static 217.33.122.6
    route outside 192.168.0.0 255.255.255.0 217.33.122.6
    crypto map TO-LA 20 match address LA
    crypto map TO-LA 20 set peer ip 217.33.122.6
    tunnel-group 217.33.122.6 type ipsec-l2l
    I am mistaken on the 5510 interfaces. They do not have vlans, and the IP address is directly applied to the interfaces for outside and inside.

  • Looking for a better solution that tunnel interface

    Hi
    Actually I have a VSAT connection between my remote site and central office.
    On both sites we have a router and a sat modem.
    I now have a tunnel interface between my two routers; I am looking for a better idea.

    hi...
    So you have a tunnel interface between your two routers, so now what are you looking for...?
    Secure IPsec connection or what???
    Please explain in detail.
    regards
    Devang

  • DLSW and Tunnel Interfaces problem

    We have a pair of routers with tunnel interfaces and DLSW between them.
    Sometimes the tunnel interface goes down, thus losing service through DLSW.
    Is there any problem reported between DLSW and this kind of tunnel interface?

    Hi,
    I assume you are using dlsw tcp peers.
    In general dlsw does not know over what infrastructure the connection really runs. Dlsw gives data to tcp and tcp is responsible for doing the actual transmission.
    I don't know of any problems with dlsw and tunnel interfaces in general.
    Some more information might help to understand the problem.
    What type of tunnel are you using? GRE?
    What version of ios are you running?
    Do you use additional encapsulation overhead like ipsec etc.?
    Does tcp on this router use path mtu discovery?
    thanks...
    Matthias

  • Help needed - tunnel from behind ADSL router

    I have a situation in which I require to set-up IPSec tunnel in between two 1841 routers. This is normally two minutes job, in this case however one of the routers sits on a private LAN behind ADSL router (at the moment there is no reasonable way to get around it).
    Thus:
    1841-1 <-> WAN <-> ADSL Router <-> 1841-2
    1841-1
    FE0/1 Private LAN 172.16.1.1
    FE0/0 Public IP
    |
    WAN
    |
    ADSL Router
    Public IP
    NAT
    Private LAN1 192.168.0.1
    |
    1841-2
    FE0/0 LAN1 IP 192.168.0.1
    FE0/1 LAN2 IP 172.16.0.1
    172.16.1.0-172.16.0.0 require to communicate over the IPSec tunnel.
    Could you please advise me on 1) what is the most practical way to set this up without losing sanity; and 2) Could you maybe point me to some documentation that deals with this specific scenario?
    Thanks.

    '1841-2' does not have public IP (it "fakes" to have one).
    IPsec tunnel is fully working now.
    In the process though I have learned that it depends on what ADSL modem you are using to get this working.
    Check out http://kb.juniper.net/KB4715 for example (this is the one I got working).
    You can thus give your Cisco router a private IP behind ADSL router and then follow the steps from the knowledge base article above on ADSL modem (if you have same type available).
    In addition then, on your Cisco router - you require to add loopback 0 interface and give it public IP of your ADSL router (yes - your adsl router WAN interface and loopback interface on your Cisco router have now the same public IP).
    As the last step, on your Cisco router, change tunnel interface: source interface loopback 0 and destination your remote gateway.
    I am going to try different modems, many models can actually do this, but the documentation is often unimpressive.
    It is possible that there are better ways to do this, if so, please let me know.
    If you wish to have more details about the set-up, let me know.
    Thanks.

  • Where did these tunnel interfaces come from?!?

    Hello,
    just wondering why one of our routers creates tunnel interfaces dynamically.
    I was setting up a GRE tunnel to transport multicast traffic over the network. After I was done, I found two extra tunnel interfaces with the command show ip interfaces brief, and those extra interfaces use my original tunnel interface as their IP addresses. There is no configuration regarding these extra interfaces in the running config. How did this happen? Any explanations? Is it related somehow to my multicast solution?
    If I got two dynamically created tunnels does that mean that I have at least two concurrent multicast groups on my router in active state?
    Sorry for dummy questions but I have almost zero experience when it comes to multicast and last time I studied it in school was about 8 years ago...
    -JJ

    Hi,
    These are created dynamically, one to encapsulate multicast packets and the other one to decapsulate. You can see them with the command < show ip pim tunnel > . You can find the description and purpose of these tunnels here:
    http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti/command/imc-cr-book/imc_s1.html#wp9533023710
    Hope this helps,
    Jose.
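Both the WCCP answer at the top of this page and the PIM answer above describe tunnels that the router creates on its own, so they appear in show ip interface brief without an interface stanza in the running config. The following audit script is an added example, not code from any poster or from Cisco: it flags such tunnels and names which of those two features could account for them. The sample outputs, the addresses and Tunnel10 are constructed; only the three "unset" Tunnel rows mirror the first post.

```python
import re

# Constructed sample data: only the three "unset" Tunnel rows mirror the post;
# every other line (addresses, Tunnel10, the WCCP lines) is an assumption.
SHOW_IP_INT_BRIEF = """\
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         192.0.2.1       YES NVRAM  up                    up
Loopback0                  172.16.0.1      YES NVRAM  up                    up
Tunnel0                    172.16.0.1      YES unset  up                    up
Tunnel1                    172.16.0.1      YES unset  up                    up
Tunnel2                    172.16.0.1      YES unset  up                    up
Tunnel10                   10.255.0.1      YES manual up                    up
"""

RUNNING_CONFIG = """\
ip wccp 61
ip wccp 62
!
interface Loopback0
 ip address 172.16.0.1 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip wccp 61 redirect in
!
interface Tunnel10
 ip address 10.255.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 198.51.100.2
!
"""

# Features named on this page that create tunnels on their own, with the
# show command that lists what they created.
CREATORS = [
    ("WCCP", re.compile(r"^\s*ip wccp \S+", re.M), "show ip wccp"),
    ("PIM", re.compile(r"^\s*ip pim \S+", re.M), "show ip pim tunnel"),
]

# One Tunnel row of "show ip interface brief": name, address, OK?, method.
ROW = re.compile(r"^(Tunnel\d+)\s+\S+\s+(?:YES|NO)\s+(\S+)\s")


def audit_tunnels(brief, config):
    """Return one finding per Tunnel that is operational but has no config stanza."""
    configured = set(re.findall(r"^interface (\S+)", config, re.M))
    candidates = [(name, cmd) for name, rx, cmd in CREATORS if rx.search(config)]
    findings = []
    for line in brief.splitlines():
        m = ROW.match(line)
        if not m or m.group(1) in configured:
            continue
        findings.append({
            "interface": m.group(1),
            "method": m.group(2),
            # An empty list means nothing in the config accounts for the tunnel.
            "candidates": candidates,
        })
    return sorted(findings, key=lambda f: int(f["interface"][len("Tunnel"):]))


if __name__ == "__main__":
    for f in audit_tunnels(SHOW_IP_INT_BRIEF, RUNNING_CONFIG):
        why = ", ".join(f"{n} (verify with '{c}')" for n, c in f["candidates"])
        print(f"{f['interface']}: no stanza in running-config; {why or 'UNEXPLAINED'}")
```

A tunnel that comes back with an empty candidate list is the one to investigate first, since neither feature discussed here explains it.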

  • Odd Tunnel Interface behavior - one end requires "no keepalive"

    Here's the quick version.  Tunnel between sites A & B.  This is GRE o IPSEC, but I don't think that's the issue.  Tunnel comes up and works great when:  site A has no keepalives and site B has no keepalives,  and it works when Site A has keepalives turned on and Site B does not.  The moment I turn on keepalives on site B, the tunnel goes down.
    This isn't a simple config.  Site A is an MPLS PE, meaning the Tunnel interface is configured with an fVRF and iVRF.  Site B has no VRF's - it is the CE.
    Any ideas on how to fix?  I need Site B's Tunnel interface to go down when connectivity fails.  My current workaround is to use EIGRP to update the routing tables.  I need to be able to support redundant paths with static and floating routes.

    Like this;
    Core1-r1#sh access-list ironport2
    Extended IP access list ironport2
        10 deny tcp host 10.247.254.174 any
        20 deny tcp any 192.168.0.0 0.0.255.255
        30 deny tcp any 10.0.0.0 0.255.255.255
        40 deny tcp host 10.230.3.250 any
        50 permit tcp 10.139.60.0 0.0.0.255 any (119568304 matches)
        60 permit tcp 10.230.32.0 0.0.0.255 any (9290669 matches)
        70 permit tcp host 10.230.48.12 any (141403 matches)
        80 permit tcp host 10.230.36.62 any (1456 matches)
        90 permit tcp host 10.150.18.7 any (741 matches)
    Core1-r1#
    10= P1 interface
    20= network we don't want to be sent to ironport
    30= " "
    40= M1 interface
    50->90=All testing subnets to go to ironport
    Thanks for the feedback! jc

  • Dynamic virtual tunnel interface on 2821

    I tried to configure a dynamic virtual tunnel interface on a Cisco 2821 with release 12.4(9)T1 advanced ip services, aiming to terminate VPN client ipsec tunnels on it.
    The feature is supported by this software release. Documentation says:
    - enter configuration
    - configure a virtual-template interface
    - type "tunnel mode <mode>"
    but the router does not accept this command.
    Any hint?
    Thank you in advance.
    Denis

    Try:
    just have to take a look at the concentrator's configuration.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00801ae24c.shtml
    and this one is an example with routers
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080143b0a.shtml

  • Netflow with tunnel interfaces

    Hi, I have a customer who is using tunnel interfaces with IPSEC on their WAN. They are collecting Netflow stats and exporting them to a server. Under the tunnel interface I have specified the bandwidth to be 1000. When I did not specify the bandwidth the tunnel speed came up on the management software as being 9kb. This was obviously not a true reflection when observing the data. The far end remote office is terminating via dsl and my question is should I specify the bandwidth under the tunnel interface to be closer to the dsl connection they have there, i.e. 512k? There are many other tunnels coming from the main site and I have not configured Netflow on this particular remote end.

    Hi Justin,
    If we would define bandwidth on the tunnel interface it will manipulate routing decisions also, and a tunnel recursion issue could also occur where the tunnel would see that the best way to reach the destination is via the tunnel itself. Besides that, the actual bandwidth used by the tunnel is based on the physical interface associated with it.

  • EEM Tracking two tunnel interfaces at the same time

    Hi Everyone,
    Luckily I just got introduced to EEM lately, and I was wondering what a life saver this would be in a lot of environments.
    I am trying to write an EEM applet to monitor two out of three tunnel interfaces; if they went down I'd like to perform an action on the third interface.
    I went through online posts and saw there was "event track" under the EEM, but when I log in to any of my routers I can't see this, I don't get the option track.
    Here is what I want to do:
    monitor tunnel 100 and tunnel 200 - if the line protocol went down or there is no routing information received on them, the action is to unshut tunnel 300 and tunnel 400
    thanks guys for help in advance

    Hi,
    Here is an example that does something similar:
    track 10 interface Ethernet0/0 line-protocol
    delay up 10
    track 11 interface Ethernet0/1 line-protocol
    delay up 10
    track 12 interface Ethernet0/2 line-protocol
    delay up 10
    track 13 interface Ethernet0/3 line-protocol
    delay up 10
    track 19 list threshold percentage
    object 10
    object 11
    object 12
    object 13
    threshold percentage down 51 up 100
    event manager applet DOWN
    event track 19 state down
    action 1.0 cli command "enable"
    action 1.1 cli command "conf t"
    action 2.0 cli command "int lo100"
    action 2.1 cli command "shut"
    action 9.0 syslog priority alerts msg "SWITCHOVER TRIGGER"
    event manager applet UP
    event track 19 state up
    action 1.0 cli command "enable"
    action 1.1 cli command "conf t"
    action 2.0 cli command "int lo100"
    action 2.1 cli command "no shut"
    action 9.0 syslog priority alerts msg "PREEMPT TRIGGER"

  • Dual stack on tunnel interface

    Is it possible to run dual stack IP schemes over an ipsec-protected tunnel interface on IOS? I am able to assign the IPv6 addresses like a normal interface on both ends, however when I try to ping across the tunnel with IPv6 there is no response. Here is an example of my config:
    R1
    interface Tunnel0
     description Tunnel to R2
     ip address 172.30.1.237 255.255.255.252
     ip mtu 1400
     ip nat inside
     ip virtual-reassembly
     load-interval 30
     ipv6 address FE80::172:30:1:1 link-local
     ipv6 address 2001:1::172:30:1:1/126
     keepalive 5 4
     tunnel source GigabitEthernet0/1
     tunnel mode ipsec ipv4
     tunnel destination 1.2.3.4
     tunnel protection ipsec profile protect-gre
    R2
    interface Tunnel0
     description Tunnel to R1
     ip address 172.30.1.238 255.255.255.252
     ip mtu 1400
     ip nat inside
     ip virtual-reassembly
     load-interval 30
     ipv6 address 2001:1::172:30:1:2/126
     ipv6 address FE80::172:30:1:2 link-local
     keepalive 5 4
     tunnel source FastEthernet0/1
     tunnel destination 1.2.3.5
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile protect-gre
    The only solution I can clearly see is running a separate tunnel, which I would like to avoid. Any assistance is greatly appreciated!

    Hello,
    In my System preferences the IPv6 settings are set to "automatic", my DSL router (Cisco 787) supports IPv6. When visiting sites like www.sixxs.net and www.apnic.org (which are reachable by both IPv6 and IPv4), some pages are reached by IPv6 and some by IP4. Even the same page may load in IPv6 first, but a second time via IPv4. This behaviour has changed since my upgrade to Leopard, under Tiger the behaviour was much more stable.
    Gerard
