From: Brown, Patrick (NSOC-OCF) (PBrown4@chartercom.com)
Date: Tue Aug 12 2003 - 17:58:32 GMT-3
Oliver,
Add "timers active-time 5" on your hub if you have many remote locations. Change the hello and hold times to 60 and 180 respectively, or 20/60 if you are worried about faster convergence. I have 120 of these GRE/IPSEC tunnels and this worked for me. Why do you say the IPSEC is not recovering fast? The GRE and EIGRP neighbor adjacencies will not come up unless IPsec encryption is working. Look also at your hub router's (2600) utilization, because if it does not have a VAM and is running 3DES with minimal traffic, it will always be at 100 percent.
HTH
Patrick B
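Where the commands Patrick names actually sit in IOS, as an added illustration (not taken from either poster's configuration): the hello and hold timers are interface commands on the tunnel, while the active timer is a process-level command. The interface name and AS number assume Oliver's spoke config (Tunnel1, EIGRP AS 1).

```text
! Tunnel interface on hub and spoke: EIGRP hello/hold are set per interface
! (a tunnel defaults to hello 5 s / hold 15 s). The hold time configured here
! is what this router advertises, i.e. how long the neighbour waits before
! declaring it dead, so use matching values on both ends and keep the hold
! time at least three times the hello interval.
interface Tunnel1
 ip hello-interval eigrp 1 60
 ip hold-time eigrp 1 180
!
! Hub EIGRP process: allow a route to stay Active for 5 minutes (default 3)
! before it is declared stuck-in-active, which matters when many spokes have
! to reply to queries over slow Internet paths.
router eigrp 1
 timers active-time 5
```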
-----Original Message-----
From: Oliver Ziltener
To: ccielab@groupstudy.com
Sent: 8/12/2003 2:54 PM
Subject: Slight offtopic: IPsec with GRE and EIGRP
Hello,
In a hub-and-spoke design (a few spokes) with IPsec and GRE tunnels between the spokes and the hubs, we run EIGRP to the spokes. The spoke is a Cisco 1721 router and centrally we use a C2651XM router.
The problem is that a few times during the day the GRE and EIGRP neighborship goes down but comes up a few seconds later. (I see no problem with that, because we cross the Internet from Europe to Japan.) But then the problem with IPsec starts. The spoke router starts to say that non-IPsec packets (GRE, protocol 47) are arriving on the outside interface, and it is clear that GRE is up and exchanging EIGRP hellos, but IPsec does not encrypt the GRE tunnel! After about half an hour or more everything, including IPsec, works well again, or of course after a reload of the router! Why do GRE and the EIGRP neighborship recover really fast while the encryption process for the GRE tunnel needs so much more time to recover?
Perhaps somebody saw this in the past as well and could give me some advice on what I can do and what the reason is that the recovery time for GRE and IPsec is so different.
Thanks very much in advance
Oliver
Here is the spoke config (some stuff is not included):
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
ip domain name XXX
!
ip inspect name FIREWALL cuseeme alert on audit-trail off
ip inspect name FIREWALL ftp alert on audit-trail off
ip inspect name FIREWALL h323 alert on audit-trail off
ip inspect name FIREWALL fragment maximum 256 timeout 1
ip inspect name FIREWALL netshow alert on audit-trail off
ip inspect name FIREWALL rcmd alert on audit-trail off
ip inspect name FIREWALL rtsp alert on audit-trail off
ip inspect name FIREWALL realaudio alert on audit-trail off
ip inspect name FIREWALL sqlnet alert on audit-trail off
ip inspect name FIREWALL tcp alert on audit-trail off
ip inspect name FIREWALL udp alert on audit-trail off
ip inspect name FIREWALL tftp alert on audit-trail off
ip inspect name FIREWALL http java-list 1 alert on audit-trail off
ip inspect name FIREWALL streamworks alert on audit-trail off
ip inspect name FIREWALL vdolive alert on audit-trail off
ip inspect name FIREWALL smtp alert on audit-trail off
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group PPPoE
request-dialin
protocol pppoe
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
lifetime 300
!
crypto isakmp key MYKEY address 195.XXX.YYY.98
crypto isakmp key akjrbdxy13i address 68.20.225.130
crypto isakmp keepalive 20
!
crypto ipsec security-association lifetime seconds 300
!
crypto ipsec transform-set vpn_transform_set esp-3des esp-sha-hmac
!
crypto map static-map 10 ipsec-isakmp
set peer 195.XXX.YYY.98
set transform-set vpn_transform_set
match address vpn1
!
interface Tunnel1
ip address 10.255.64.234 255.255.255.252
tunnel source Dialer1
tunnel destination 195.134.135.98
crypto map static-map
!
interface Ethernet0
description --- External ---
no ip address
ip tcp adjust-mss 1414
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet0
description --- Internal ---
ip address 10.161.10.252 255.255.255.0
ip mtu 1300
ip nat inside
ip tcp adjust-mss 1200
speed auto
hold-queue 100 out
!
interface Dialer1
ip address negotiated
ip access-group 120 in
no ip redirects
no ip unreachables
ip mtu 1454
ip nat outside
ip inspect FIREWALL out
encapsulation ppp
load-interval 30
dialer pool 1
dialer idle-timeout 0
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname nrg38639@biglobe.ne.jp
ppp chap password 7 123456789
ppp ipcp dns request
crypto map static-map
!
router eigrp 1
network 10.161.0.0 0.0.31.255
network 10.255.64.232 0.0.0.3
no auto-summary
!
ip nat inside source list do_nat interface Dialer1 overload
ip nat inside source static tcp 210.AAA.BBB.202 22 210.AAA.BBB.202 22 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.0.0.0 255.192.0.0 Dialer1
ip route 10.254.64.233 255.255.255.255 Dialer1
no ip http server
no ip http secure-server
!
!
ip access-list extended do_nat
deny ip 10.161.0.0 0.0.31.255 10.0.0.0 0.255.255.255
permit icmp any any
permit ip any any
ip access-list extended vpn1
permit gre host 210.AAA.BBB.202 host 195.XXX.YYY.98
permit ip 10.161.0.0 0.0.31.255 10.64.0.0 0.0.31.255
access-list 120 permit udp host 195.XXX.YYY.98 eq isakmp host 210.AAA.BBB.202 eq isakmp
access-list 120 permit gre host 195.XXX.YYY.98 host 210.AAA.BBB.202
access-list 120 permit ip 10.0.0.0 0.255.255.255 10.161.0.0 0.0.31.255
access-list 120 permit icmp any any
access-list 120 permit esp host 195.XXX.YYY.98 host 210.AAA.BBB.202
access-list 120 permit tcp any any eq 22
access-list 120 permit udp host 68.20.225.130 eq isakmp host 210.147.170.202 eq isakmp
access-list 120 permit esp host 68.20.225.130 host 210.147.170.202
dialer-list 1 protocol ip permit
!
^C
!
line con 0
password XXXXXX
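The symptom Oliver describes (EIGRP back within seconds, GRE still arriving unencrypted for half an hour) can be measured from the spoke's syslog. This is an added example, not code from the thread: it pairs EIGRP neighbor down/up messages on the tunnel with IOS "packet not IPsec" warnings for protocol 47 and reports, per flap, how long cleartext GRE kept arriving after the adjacency had recovered. The log lines are constructed approximations of IOS output, the neighbor address is the /30 peer of Oliver's Tunnel1, and the public addresses are RFC 5737 placeholders.

```python
"""Added example, not from the thread: correlate EIGRP neighbor flaps on the GRE
tunnel with IOS 'packet not IPsec' warnings and report, per flap, how long
cleartext GRE was still arriving after the EIGRP adjacency had recovered."""
import re
from datetime import datetime
# Constructed syslog lines ('service timestamps log datetime msec' format); the
# public addresses are RFC 5737 placeholders, not the thread's real peers.
SAMPLE_LOG = """\
Aug 12 09:10:01.101: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.255.64.233 (Tunnel1) is down: holding time expired
Aug 12 09:10:07.240: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.255.64.233 (Tunnel1) is up: new adjacency
Aug 12 09:10:08.002: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /203.0.113.2, src_addr= 198.51.100.98, prot= 47
Aug 12 09:41:12.900: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /203.0.113.2, src_addr= 198.51.100.98, prot= 47
Aug 12 14:02:44.330: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.255.64.233 (Tunnel1) is down: holding time expired
Aug 12 14:02:49.118: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.255.64.233 (Tunnel1) is up: new adjacency
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): %(\S+): (.*)$")
NBR_RE = re.compile(r"Neighbor (\S+) \((\S+)\) is (up|down)")

def parse(line, year=2003):
    """Split one IOS syslog line into (timestamp, mnemonic, text); None if no match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S.%f")
    return ts, m.group(2), m.group(3)

def flap_episodes(log):
    """One episode per EIGRP 'down' later closed by an 'up' on the same tunnel.
    eigrp_outage_s is the adjacency outage; clear_gre_after_up_s is how long after
    the 'up' the last unencrypted GRE (prot 47) warning was logged (charged to the
    most recently recovered flap), 0.0 if IPsec was never seen broken after it."""
    episodes, pending = [], {}
    for line in log.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, mnem, text = rec
        if mnem == "DUAL-5-NBRCHANGE":
            nbr, iface, state = NBR_RE.search(text).groups()
            if state == "down":
                pending[iface] = {"iface": iface, "neighbor": nbr, "down_at": ts}
            elif iface in pending:  # first 'up' closes the pending outage
                ep = pending.pop(iface)
                ep["up_at"] = ts
                ep["eigrp_outage_s"] = (ts - ep["down_at"]).total_seconds()
                ep["clear_gre_after_up_s"] = 0.0
                episodes.append(ep)
        elif mnem == "CRYPTO-4-RECVD_PKT_NOT_IPSEC" and "prot= 47" in text and episodes:
            ep = episodes[-1]
            ep["clear_gre_after_up_s"] = (ts - ep["up_at"]).total_seconds()
    return episodes
```

On the sample, the first flap shows a 6 s EIGRP outage but cleartext GRE still being logged about 31 minutes after the adjacency returned, which is the gap between GRE/EIGRP recovery and IPsec recovery the post asks about.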
This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:53:58 GMT-3