Hi,
I've set up a simulated core SP network with CSR1KVs, and at the customer edge I want to have an encrypted GRE tunnel end to end, from CE1-Richmond to CE1-Maine for example.
I have the GRE tunnel up and active; I source the same loopback interface I use for eBGP peering with my PE routers as the source for the tunnel. I can ping end to end with no issue, but I'm not seeing any encrypted packets in the crypto show command output.
I'm patently missing something here.
Configs and outputs are below from CE1 and CE2:
CE1-Richmond#show crypto ipsec sa
interface: Loopback0
Crypto map tag: MYMAP, local addr 7.7.7.7
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
current_peer 11.11.11.11 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 7.7.7.7, remote crypto endpt.: 11.11.11.11
plaintext mtu 1514, path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
CE1-Richmond#show running-config | section ipsec
crypto ipsec transform-set TRANS esp-aes 256 esp-sha-hmac
mode tunnel
crypto map MYMAP 10 ipsec-isakmp
set peer 11.11.11.11
set transform-set TRANS
match address 100
CE1-Richmond#show running-config interface lo0
Building configuration...
Current configuration : 81 bytes
!
interface Loopback0
ip address 7.7.7.7 255.255.255.255
crypto map MYMAP
end
CE1-Richmond#show ip access-lists
Extended IP access list 100
10 permit gre any any
CE1-Maine:
CE1-Maine#show crypto ipsec sa
interface: Loopback0
Crypto map tag: MYMAP, local addr 11.11.11.11
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
current_peer 7.7.7.7 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 11.11.11.11, remote crypto endpt.: 7.7.7.7
plaintext mtu 1514, path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
CE1-Maine#show running-config | section ipsec
crypto ipsec transform-set TRANS esp-aes 256 esp-sha-hmac
mode tunnel
crypto map MYMAP 10 ipsec-isakmp
set peer 7.7.7.7
set transform-set TRANS
match address 100
CE1-Maine#
interface Loopback0
ip address 11.11.11.11 255.255.255.255
crypto map MYMAP
end
CE1-Maine#debug crypto ipsec shows nothing, and I can ping end to end.
CE1-Maine#show running-config | section bgp
router bgp 1
bgp log-neighbor-changes
network 11.11.11.11 mask 255.255.255.255
neighbor 60.60.60.1 remote-as 234
Thanks
-Shane
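A check for the symptom shown above, added here as an example and not part of the original post: it walks an IOS-style running-config to find crypto maps bound to a Loopback interface (a crypto map only encrypts traffic leaving the interface it is applied to, and nothing is forwarded out a loopback, so the GRE packets are never matched and leave the WAN interface in cleartext), and it parses `show crypto ipsec sa` output to flag SAs with outbound SPI 0x0 or zero encaps. The config and SA text below are constructed samples modelled on the post; the fix in IOS is to apply the map to the physical egress interface or use `tunnel protection ipsec profile` on the Tunnel interface.

```python
import re

# Constructed sample, mirroring the post: the map sits on Loopback0, not the WAN interface.
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 7.7.7.7 255.255.255.255
 crypto map MYMAP
!
interface GigabitEthernet1
 ip address 10.0.0.1 255.255.255.0
!
interface Tunnel0
 tunnel source Loopback0
 tunnel destination 11.11.11.11
"""

# Constructed sample of a 'show crypto ipsec sa' block for an SA that never came up.
SAMPLE_SA = """\
interface: Loopback0
    Crypto map tag: MYMAP, local addr 7.7.7.7
     #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
     current outbound spi: 0x0(0)
"""

def crypto_map_bindings(config):
    """Return {interface: crypto-map name} for every 'crypto map' line under an interface stanza."""
    bindings, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s+crypto map (\S+)", line)
        if m and current:
            bindings[current] = m.group(1)
    return bindings

def misbound_crypto_maps(config):
    """Crypto maps applied to a Loopback never see forwarded packets: nothing egresses a loopback."""
    return {intf: name for intf, name in crypto_map_bindings(config).items()
            if intf.lower().startswith("lo")}

def idle_sas(sa_output):
    """Return crypto-map tags whose SA has no outbound SPI (never negotiated) or encrypted nothing."""
    idle = []
    for block in re.split(r"(?m)^interface: ", sa_output)[1:]:
        tag = re.search(r"Crypto map tag: (\S+),", block)
        spi = re.search(r"current outbound spi: 0x([0-9A-Fa-f]+)", block)
        encaps = re.search(r"#pkts encaps: (\d+)", block)
        no_spi = spi is not None and int(spi.group(1), 16) == 0
        no_traffic = encaps is not None and int(encaps.group(1)) == 0
        if tag and (no_spi or no_traffic):
            idle.append(tag.group(1))
    return idle
```

Run it against the real `show running-config` and `show crypto ipsec sa` text; an empty result from both functions after moving the map to the WAN interface (and a non-zero SPI) is the confirmation that the GRE traffic is now being encrypted.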