When do I have to use a GRE over IPsec tunnel? I have heard that when I'm using a routing protocol and VPN site to site I need a
I have configured a network with OSPF and a VPN site to site without a GRE tunnel and it works very well. I want to know, when do I have to use a GRE tunnel over IPsec?
Hi josedilone19
GRE is used when you need to pass Broadcast or multicast traffic. That's the main function of GRE.
Generic Routing Encapsulation (GRE) is a protocol that encapsulates packets in order to route other protocols over IP networks
However there are some other important aspects to consider:
In contrast to IP-to-IP tunneling, GRE tunneling can transport multicast and IPv6 traffic between networks
GRE tunnels encase multiple protocols over a single-protocol backbone.
GRE tunnels provide workarounds for networks with limited hops.
GRE tunnels connect discontinuous sub-networks.
GRE tunnels allow VPNs across wide area networks (WANs).
-Hope this helps -
Similar Messages
-
I have configured a network with OSPF and a VPN site to site without a GRE tunnel and it works very well. I want to know, when do I have to use a GRE tunnel over IPsec?
Jose,
It sounds like you currently have an IPsec Virtual Tunnel Interface (VTI) configured. By this, I mean that you have a Tunnel interface running in "tunnel mode ipsec ipv4" rather than having a crypto map applied to a physical interface. In the days before VTIs, it was necessary to configure GRE over IPsec in order to pass certain types of traffic across an encrypted channel. When using pure IPsec with crypto maps, you cannot pass multicast traffic without implementing GRE over IPsec. Today, IPsec VTIs and GRE over IPsec accomplish what is effectively the same thing with a few exceptions. For example, by using GRE over IPsec, you can configure multiple tunnels between two peers by means of tunnel keys, pass many more types of traffic rather than IP unicast and multicast (such as NHRP as utilized by DMVPN), and you can also configure multipoint GRE tunnels whereas VTIs are point to point.
Here's a document which discusses VTIs in more depth: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-ipsec-virt-tunnl.html#GUID-A568DA9D-56CF-47C4-A866-B605804179E1
HTH,
Frank -
High cpu consumption with GRE over IPSEC
Hi all,
After applying a gre over ipsec tunnel on one of our branch office, we get high cpu consumption (average 90%).
Tunnel is applied between Cisco 2851 (C2800NM-ADVIPSERVICESK9-M), Version 12.4(24)T2, (fc2) and
Cisco CISCO2921/K9 Version 15.0(1)M3.
Config of the tunnel is as follows:
- authentication pre-share
- encryption aes 256
- hash : sha
- transform set : esp-aes esp-sha-hmac mode transport
Routing process is eigrp.
Could anyone please help me on solving this issue?
Cool, good start.
Check "show ip traffic" on both sides, it would be interesting to see what's going on.
BTW the CPU usage of top process doesn't add up to 90%, there's a possibility it's traffic rate/pattern + features (IP input and pool manager would suggest that). -
Okay so when I try to download apps on my phone a totally different Apple ID that I've never used before popped up. I've already tried settings under apps/iTunes and signed into my own apple account. But even doing so my apple Id won't show up
Try this:
Open the iTunes app, select the Music tab, then scroll all the way down to the bottom. Here you can sign out of any current Apple ID and sign into a new one. Good luck!
And just in case there is another Apple ID linked to your account you can check at http://appleid.apple.com. -
Hello I have a problem with my ipod touch 1G the problem is that see me key to the floor! And when recogi not prendia after 5 minutes prendio but it gave to me the surprise of which the battery had finished completely! What I did was to set it to load with the USB but do not load the battery me the icon of the battery appear and below of her the beam that indicates that this being loaded but this way I have left it the whole yesterday and what goes of today and continues without loading anything! They can help me porfavor I am grateful for them to him very much! And my PC does not detect it not itunes
Try the not-charging topic of:
iPod touch: Hardware troubleshooting
It could be that the battery is dead. -
I've just bought a gift card from Belgium but I'm living in the Netherlands and I have an iPhone 4S subscription in the Netherlands. What can I do to use the gift card? It is telling me that I can't use it because it's from Belgium. I find it really stupid not to be able to use it?!
Please give me a hand over here.
Plus I've bought the gift card from a supermarket so it's kind of hard to get my money back now :|
Gift cards are country specific. You cannot use them in another country.
-
i have downloaded the latest version of safari only to be told that i can not use it on my version of os x (10.7.5). Is there any way to to revert back to the old safari.
Safari is part of OS X and isn't available as a separate download. How did you get a newer version than the one that comes with Lion?
-
i have purchased iphone 4 8gb in india. i have heard that when the company stops manufacturing the current phone, they replace it with 4s. is it true? can i get it replaced with iphone 4s 16gb or can i get it upgraded with iphone 16gb because 8gb is very less memory for me coz it hangs up all the time and apps dont work properly. any scheme where i can pay a bit and get it exchanged with any of them?
Probably not. If you want to purchase a new phone, then you'll have to sell your old one to fund your purchase of a new phone.
As for iPhones, the phone that they will stop making is the iPhone 5. This will not be made or sold any longer, because it has been replaced by the iPhone 5c and 5s. You should still be able to get an iPhone 4 and 4s, although the iPhone 4 is old now in technology standards.
To get a new phone though, you will likely have to sell your old phone to fund the purchase of a new one. This is what most folks do. -
I've heard that when you update the new software to your iphone you are then able to view every photo and text message you have ever created, is this true.
Um, no.
-
DMVPN GRE over IPSEC Packet loss
I have a hub and spoke DMVPN GRE over IPSec topology. We have many sites, over 10, and have a problem on one particular site, just one. First off I want to say that I have replaced the Router and I get the same exact errors. By monitoring the Terminal, I regularly get these messages
%VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Output Authentication error:srcadr=10.X.X.X,dstadr=10.X.X.X,size=616,handle=0x581A
%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=1
The tunnel is up, passes data, and always stays up. This router is a Spoke router. The routing protocol being used is EIGRP. When I do a
Show Crypto isakmp sa, it shows the state as being "QM_IDLE" which means it is up.
When I use the "Show Crypto Engine accelerator stat" this is what I get (Attached File)
You can see that there are ppq rx errors, authentication errors, invalid packets, and packets dropped. I know this is not due to mis-configuration because the config is the same exact as other sites that I have which never have any problems. Here is the tunnel interface and the tunnel source interface on the Spoke Router
interface Tunnel111
 description **DPN VPN**
 bandwidth 1000
 ip address 172.31.111.107 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1300
 ip pim sparse-dense-mode
 ip nhrp authentication XXXX
 ip nhrp map multicast dynamic
 ip nhrp map multicast X.X.X.X
 ip nhrp map X.X.X.X X.X.X.X
 ip nhrp network-id 100002
 ip nhrp holdtime 360
 ip nhrp nhs 172.31.111.254
 ip route-cache flow
 ip tcp adjust-mss 1260
 ip summary-address eigrp 100 10.X.X.X 255.255.0.0 5
 qos pre-classify
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key XXXX
 tunnel protection ipsec profile X.X.X.X
interface GigabitEthernet0/0
 description **TO DPNVPN**
 ip address 10.X.X.X 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip pim sparse-dense-mode
 ip virtual-reassembly
 duplex full
 speed 100
 no snmp trap link-status
 no mop enabled
Is there anything that you can think of that may be causing this, do you think this can be a layer one or two issue? Thanks
Brenden
Have you tried to turn off the hardware encryption (no crypto engine accelerator) just to see if it's better? But be careful, cause your CPU% will run much higher, but you only have 10 spoke sites, so it won't be at 100%.
It's better to start troubleshooting by layer 1 then layer 2 when it's possible. Have you asked the site's ISP for packet loss on their side? -
ACC
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml#diag
This is the lab I did today, and of course I am able to understand this lab, but the confusions are:
1. Why we use crypto map on both interfaces (physical interface or tunnel interface)
2. When I remove the crypto map from the tunnel interface I receive this message
( R2691#*Mar 1 01:12:54.243: ISAKMP:(1002):purging node 2144544879 )
Please tell me what the meaning of this message is.
3. But I can see the VPN is working fine. This is crypto sa and crypto isakmp sa
R2691#sh crypto ipsec sa
interface: Serial0/0
Crypto map tag: vpn, local addr 30.1.1.21
protected vrf: (none)
local ident (addr/mask/prot/port): (30.1.1.21/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/47/0)
current_peer 10.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 65, #pkts encrypt: 65, #pkts digest: 65
#pkts decaps: 66, #pkts decrypt: 66, #pkts verify: 66
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 30.1.1.21, remote crypto endpt.: 10.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
current outbound spi: 0xDBF65B0E(3690355470)
inbound esp sas:
spi: 0x44FF512B(1157583147)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 5, flow_id: SW:5, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4598427/3368)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xDBF65B0E(3690355470)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 6, flow_id: SW:6, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4598427/3368)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
R2691#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
30.1.1.21 10.1.1.1 QM_IDLE 1002 0 ACTIVE
IPv6 Crypto ISAKMP SA.
4. How do I know it is using GRE over IPsec?
I am also attaching my topology on which I did the lab.
Mr. Anuj, here is my config
R7200#sh ip int b
Interface IP-Address OK? Method Status Protocol
Serial1/0 10.1.1.1 YES NVRAM up up
Loopback1 50.1.1.1 YES NVRAM up up
Loopback2 50.1.2.1 YES NVRAM up up
Tunnel0 40.1.1.2 YES NVRAM up up
Tunnel1 40.1.2.2 YES NVRAM up up
Tunnel2 40.1.3.2 YES NVRAM up up
=========================================================
R7200#sh int tunnel 0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 40.1.1.2/24
MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 10.1.1.1 (Serial1/0), destination 30.1.1.1
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255
Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 00:00:04, output 00:00:04, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 2
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
2229 packets input, 213651 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
2292 packets output, 220520 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
===============================================================
My crypto ACL is
access-list 101 permit gre host 10.1.1.1 host 30.1.1.1 -
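The fourth question in the post above ("how do I know it is using GRE over IPsec") can be answered from the output already quoted: both proxy identities are host entries with protocol 47, which is what a crypto ACL of the form "permit gre host A host B" produces. The following check is an added example, not code from any of the posters; the sample text is constructed from lines of the quoted output, and the list of transforms it flags as deprecated is this example's own assumption.

```python
import re

# Constructed sample: lines trimmed from the "sh crypto ipsec sa" output quoted above.
SAMPLE = """\
interface: Serial0/0
Crypto map tag: vpn, local addr 30.1.1.21
local ident (addr/mask/prot/port): (30.1.1.21/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/47/0)
#pkts encaps: 65, #pkts encrypt: 65, #pkts digest: 65
#pkts decaps: 66, #pkts decrypt: 66, #pkts verify: 66
inbound esp sas:
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
"""

GRE = 47  # IP protocol number of GRE
HOST_MASK = "255.255.255.255"
IDENT = re.compile(r"(local|remote)\s+ident .*?:\s*\(([\d.]+)/([\d.]+)/(\d+)/\d+\)")
# Assumption: transform names this example treats as deprecated (not a list from the page).
WEAK = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac", "esp-null"}

def counter(name, text):
    """Return the value of one '#pkts <name>:' counter, or 0 if absent."""
    m = re.search(rf"#pkts {name}: (\d+)", text)
    return int(m.group(1)) if m else 0

def analyze(text):
    """Summarise one SA block: is GRE the protected traffic, and how is it protected?"""
    idents = {m[1]: (m[3], int(m[4])) for m in IDENT.finditer(text)}
    transforms = set()
    for line in re.findall(r"transform:\s*([^,\n]+)", text):
        transforms.update(line.split())
    mode = re.search(r"in use settings\s*=\s*\{(\w+)", text)
    encrypted, decrypted = counter("encrypt", text), counter("decrypt", text)
    # GRE over IPsec: both proxy identities are host entries for protocol 47
    # and the encrypt counter shows packets actually entering the SA.
    gre = (len(idents) == 2
           and all(mask == HOST_MASK and proto == GRE for mask, proto in idents.values())
           and encrypted > 0)
    return {"gre_over_ipsec": gre, "mode": mode.group(1) if mode else None,
            "weak_transforms": sorted(transforms & WEAK),
            "encrypted": encrypted, "decrypted": decrypted}

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

On the quoted output this reports GRE as the protected protocol, Tunnel mode, and the esp-3des and esp-md5-hmac transforms as candidates for replacement.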
I am writing datas into a FIFO in FPGA Target side ,i am reading datas from fifo in windows host side .but when i am writing datas like a a(0),a(1),a(2 like that.when i am reading dating datas a(0)comes to a(3 ) rd place, a(1) comes to a a(0) .what is the reason ?
Please use a shorter title in your subject line and not post the entire question in there. (See the subject line I created.) There is also no such word as "datas". Data is already plural.
Please read http://stackoverflow.com/help/how-to-ask. Your question is hard to read because you aren't using proper punctuation and capitalization of your sentences. It looks like one run-on sentence.
Beyond that, it is impossible to help you solve our problem with just your question. Please provide some more information. Perhaps even attach code we can look at. Show us what the data you are sending is supposed to look like, and what it actually looks like. -
When I was ready to place the order for my iPhoto book, I realized that it was for a soft cover book and I wanted hard cover. How can I change this without losing my prepared book?
Duplicate your book and try to change the theme in the copy. Changing the theme may change the layout of your text fields. That is why you need the copy to be able to compare the pages before and after.
Ctrl-click the book in the Source list and select "Duplicate".
Click the "Change Theme" button in the upper right corner of the Book pane, make sure, you have the same theme selected and the same size. Click Hardcover. -
DMVPN & GRE over IPsec on the same physical interface
Dear All,
I'm configuring two WAN routers, each wan router has one physical interface connecting to branches and regional office using same provider.
We'll be using GRE over IPsec to connect to regional office and DMVPN + EIGRP to branches.
I would like to know if it's possible to configure tunnels for GRE over IPsec and DMVPN + EIGRP using the same source physical interface.
Kindly reply, it's an urgent request and your response is highly appreciated.
Regards,
Hi Savio,
It should work. we can configure dmvpn and gre-over-ipsec on ASA using same physical interface.
Regards,
Naresh -
when i put my sim in the phone i.e iphone 4s it said that your phone will be activated in minutes and then it gave a message related to sim so what does it mean is my phone locked i got it from uk
Probably , but what is the message