IPSec added to GRE Tunnel = Interface protocol down
-
Hi ITPRO Cisco Team,
I have configured a GRE site-to-site VPN from site A to site B and it was working fine with EIGRP routing, but whenever I add IPsec to both tunnels, the tunnel protocol goes to the down state and routing loses its neighborship.
Please provide any tips on rectifying this issue.
-
So, can you ping across the IPsec tunnel?
If you're losing your EIGRP neighborship, it means it cannot see the other end.
Usually this is an IPsec configuration issue. You're missing the peering; check your configuration again. Verify they are matching, and verify you have defined interesting traffic in an ACL that is referred to in your tunnel.
You can provide more information here. Show your EIGRP configurations between your routers, and also your IPsec configuration on each end, to match and compare.
-
Thank you for replying.
Yes, I can ping across the tunnel without IPsec, but when I add IPsec to the GRE tunnel, the tunnel protocol changes its state to down.
I'm creating a site-to-site VPN over the internet. Without IPsec everything works fine, but when I add IPsec for tunnel protection, the tunnel protocol on both routers changes its state to down.
Below is the IPsec/EIGRP/Tunnel configuration for both routers.
HQ Router

IPsec Configs
crypto isakmp policy 15
 encryption aes 256
 hash sha512
 authentication pre-share
 group 14
crypto isakmp key 6 cisco address 10.200.100.214
crypto ipsec transform-set VPNSET esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile VPNPROFILE
 set transform-set VPNSET

Tunnel Configs
interface Tunnel0
 ip address 130.32.1.1 255.255.255.252
 tunnel source 220.98.16.51
 tunnel destination 10.200.100.214
 tunnel protection ipsec profile VPNPROFILE

EIGRP Routing Configs
router eigrp 1
 network 130.32.1.0 0.0.0.255
 no passive-interface Tunnel0

Remote Router

IPsec Configs
crypto isakmp policy 15
 encryption aes 256
 hash sha512
 authentication pre-share
 group 14
crypto isakmp key 6 cisco address 220.98.16.51
crypto ipsec transform-set VPNSET esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile VPNPROFILE
 set transform-set VPNSET

Tunnel Configs
interface Tunnel0
 ip address 130.32.1.2 255.255.255.252
 tunnel source 10.200.100.214
 tunnel destination 220.98.16.51
 tunnel protection ipsec profile VPNPROFILE

EIGRP Routing Configs
router eigrp 1
 network 130.32.1.0 0.0.0.255
 no passive-interface Tunnel0

Note: the IP addresses and crypto key have been changed here, but otherwise this is the existing configuration.
Is there any possibility that I can resolve the IPsec issue?
-
"crypto isakmp key 6 cisco address 10.200.100.214"
"crypto isakmp key 6 cisco address 220.98.16.51"
Are these IP addresses on virtual interfaces or physical interfaces?
Routing is processed before Encryption...
-
On our HQ end, the IP address is on a Dialer interface while the remote site is on a physical interface.
-
Can you add the routes to the EIGRP configuration:
on HQ, a network statement for the 10.200.100.214 network
on Remote, a network statement for the 220.98.16.51 network
I think EIGRP is down because it doesn't know where to find the remote router.
It's a start.
-
Thank you for the information.
After adding this to the EIGRP routing, the tunnel came up but then goes offline again. The error messages are below.
*Sep 28 23:20:03.086: %ADJ-5-PARENT: Midchain parent maintenance for IP midchain out of Tunnel0 - looped chain attempting to stack
*Sep 28 23:20:08.094: %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing
*Sep 28 23:20:09.093: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Sep 28 23:20:09.096: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 130.32.1.1 (Tunnel0) is down: interface down
Sep 28 23:21:10.110: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
The link goes online then offline repeatedly.
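The %TUN-5-RECURDOWN message above means the route to the tunnel's own destination is being learned through the tunnel (the peer advertises its transport subnet into EIGRP, so the endpoint route points back into Tunnel0). As an added check, not from this thread or from Cisco, the following Python reads IOS fragments like the ones posted and flags any tunnel whose destination falls inside a subnet the peer advertises; the physical interface names and masks in the sample are assumptions, since the thread does not show them.

```python
import ipaddress
import re

def parse_ios(config):
    """Minimal parser for the fragments in this thread: returns (interfaces, eigrp_networks)."""
    interfaces, networks, cur = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)", line):
            cur = interfaces.setdefault(m.group(1), {})
        elif (m := re.match(r"ip address (\S+) (\S+)", line)) and cur is not None:
            cur["addr"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif (m := re.match(r"tunnel destination (\S+)", line)) and cur is not None:
            cur["tunnel_destination"] = ipaddress.IPv4Address(m.group(1))
        elif m := re.match(r"network (\S+) (\S+)", line):
            # IOS wildcard masks are hostmasks, which ipaddress accepts after '/'.
            networks.append(ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return interfaces, networks

def advertised_prefixes(interfaces, networks):
    """Connected subnets EIGRP advertises: interfaces whose address matches a network statement."""
    return {i["addr"].network for i in interfaces.values()
            if "addr" in i and any(i["addr"].ip in n for n in networks)}

def recursive_routing_risks(local_cfg, peer_cfg):
    """Tunnels on the local router whose destination sits inside a subnet the peer
    advertises over EIGRP, i.e. the endpoint route would recurse into the tunnel."""
    local_ifs, _ = parse_ios(local_cfg)
    peer_adv = advertised_prefixes(*parse_ios(peer_cfg))
    return [name for name, i in local_ifs.items()
            if "tunnel_destination" in i
            and any(i["tunnel_destination"] in p for p in peer_adv)]

# Constructed sample from the thread's addresses; the physical interface lines are assumptions.
HQ = """interface Tunnel0
 ip address 130.32.1.1 255.255.255.252
 tunnel destination 10.200.100.214
router eigrp 1
 network 130.32.1.0 0.0.0.255
"""
REMOTE_BAD = """interface GigabitEthernet0/0
 ip address 10.200.100.214 255.255.255.0
interface Tunnel0
 ip address 130.32.1.2 255.255.255.252
 tunnel destination 220.98.16.51
router eigrp 1
 network 130.32.1.0 0.0.0.255
 network 10.200.100.0 0.0.0.255
"""
REMOTE_OK = REMOTE_BAD.replace(" network 10.200.100.0 0.0.0.255\n", "")  # transport subnet not advertised
```

`recursive_routing_risks(HQ, REMOTE_BAD)` reports Tunnel0 on HQ, while `REMOTE_OK` reports nothing; the same effect can be had on a real router with a specific static route for the peer endpoint via the physical or Dialer interface, or by not advertising the transport subnet through the tunnel.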