Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
GRE IAP to Controller works. How to add Controller to Controller with the same GRE?

  • 1.  GRE IAP to Controller works. How to add Controller to Controller with the same GRE?

    Posted Aug 11, 2017 10:35 AM

    We are transitioning from Controller / CAP based networks to IAP / Controller based networks.

    This works as designed and expected:

    We have 205s in IAP mode with 6.5.3.1.

    We have 314s in IAP mode with 6.5.3.1.

    We are tunneling our employee network to a 7010.

    Now we have additional controllers running 6.4.4.11.

    I need to have the older controllers use the same GRE if possible so the user experience is consistent across the campus.

    7010

    IPSEC SA (V2) Active Session Information
    -----------------------------------
    Initiator IP     Responder IP     SPI(IN/OUT)        Flags Start Time        Inner IP
    ------------     ------------     ----------------   ----- ---------------   --------
    10.120.30.51     10.110.30.1      71d11200/e724fc00  UT2   Aug 11 07:11:00   192.168.110.6
    10.160.30.199    10.110.30.1      db09b400/e2256700  UT2   Aug 11 07:50:12   192.168.110.5
    
    Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
           L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2
    
    Total IPSEC SAs: 2

    IAP

    a8:bd:27:c0:62:5a# show vpn config
    
    Concentrator
    ------------
    Type                        Value
    ----                        -----
    VPN Primary Server          10.110.30.1
    VPN Backup Server
    VPN Preemption              disable
    VPN Fast Failover           disable
    VPN Hold Time               600
    VPN Monitor Pkt Send Freq   5
    VPN Monitor Pkt Lost Cnt    6
    VPN Ikepsk                  fa0973ddfa43e00cf4ea7d2fb695485c
    VPN Username
    VPN Password                e5daa2a8fb17d0d1f94e5e82a87f87c1
    GRE outside vpn             enable
    GRE Server
    GRE IP Address              0.0.0.0
    GRE Type                    1
    GRE Per AP Tunnel           enable
    Reconnect User On Failover  disable
    Reconnect Time On Failover  60
    Routing Table
    -------------
    Destination  Netmask  Gateway  Metric  Type  Flag
    -----------  -------  -------  ------  ----  ----
    Number of Route Entries   :0
    a8:bd:27:c0:62:5a# show vpn status
    
    
    profile name:default
    --------------------------------------------------
    current using tunnel                            :primary tunnel
    current tunnel using time                       :7 days 22 hours 21 minutes 19 seconds
    ipsec is preempt status                         :disable
    ipsec is fast failover status                   :disable
    ipsec hold on period                            :600s
    ipsec tunnel monitor frequency (seconds/packet) :5
    ipsec tunnel monitor timeout by lost packet cnt :6
    
    ipsec     primary tunnel crypto type            :Cert
    ipsec     primary tunnel peer address           :10.110.30.1
    ipsec     primary tunnel peer tunnel ip         :10.110.30.1
    ipsec     primary tunnel ap tunnel ip           :192.168.110.6
    ipsec     primary tunnel using interface        :tun0
    ipsec     primary tunnel using MTU              :1230
    ipsec     primary tunnel current sm status      :Up
    ipsec     primary tunnel tunnel status          :Up
    ipsec     primary tunnel tunnel retry times     :5
    ipsec     primary tunnel tunnel uptime          :7 days 22 hours 21 minutes 19 seconds
    
    ipsec      backup tunnel crypto type            :Cert
    ipsec      backup tunnel peer address           :N/A
    ipsec      backup tunnel peer tunnel ip         :N/A
    ipsec      backup tunnel ap tunnel ip           :N/A
    ipsec      backup tunnel using interface        :N/A
    ipsec      backup tunnel using MTU              :N/A
    ipsec      backup tunnel current sm status      :Init
    ipsec      backup tunnel tunnel status          :Down
    ipsec      backup tunnel tunnel retry times     :0
    ipsec      backup tunnel tunnel uptime          :0
    a8:bd:27:c0:62:5a# show vpn tunnels
    
    Tunnel Flags: M = Master IAP; S = Slave IAP; Primary = Primary Tunnel
                  B = Backup Tunnel; R = Registered
    
    Tunnel Info for peer address  10.110.30.1
    ------------------------------------------
    Type                               Value
    ----                               -----
    Source IP                          192.168.110.6
    Destination IP                     10.110.30.1
    End IP                             10.110.30.1
    Default GW                         0.0.0.0
    Use count                          0
    Ifindex                            22
    Ifname                             tun0
    Flags                              MPR
    Retry count for Register Request   0
    For DHCP Profile                   OSD-User
     Retry count for Vlan Add Request  0
     Old Subnet Status                 Normal
     Existing Subnet Status            Registered
    a8:bd:27:c0:62:5a#

    This was configured using the simple GUI on the IAPs.  Now how can I get the other controllers to work the same way?  I have tried various GRE tunnel combinations but have not found one that works.

    Thanks for pointing me in the right direction,

       David.



  • 2.  RE: GRE IAP to Controller works. How to add Controller to Controller with the same GRE?
    Best Answer

    MVP
    Posted Aug 12, 2017 12:06 PM

    I've used something like the following to set up controller to controller GRE tunnels.

    interface tunnel 1
        description "my tunnel"
        tunnel source <source ip>
        tunnel mode gre 0
        no shutdown
        tunnel destination <destination ip>
        tunnel vlan <vlan id's you want tunneled>
        no tunnel keepalive
        mtu 1400
    !

    Set that on both controllers (with the source and destination switched around, of course) and you should be set.
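
A consistency check for the two tunnel stanzas described in the answer above, as an added example that is not part of the original post: it parses both controllers' `interface tunnel` blocks and reports where the two ends fail to mirror each other. The addresses, VLAN IDs, the comma-separated VLAN list and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: the stanza from the answer, filled with made-up addresses
# and VLAN IDs (the comma-separated VLAN list is an assumption).
TEMPLATE = """interface tunnel 1
    description "my tunnel"
    tunnel source {src}
    tunnel mode gre 0
    no shutdown
    tunnel destination {dst}
    tunnel vlan 110,120
    no tunnel keepalive
    mtu {mtu}
!
"""
CONTROLLER_A = TEMPLATE.format(src="10.110.30.1", dst="10.120.30.1", mtu=1400)
CONTROLLER_B = TEMPLATE.format(src="10.120.30.1", dst="10.110.30.1", mtu=1400)

def parse_tunnel(cfg):
    """Collect the fields of the first 'interface tunnel' stanza into a dict."""
    fields, in_stanza = {"vlans": set()}, False
    for line in (raw.strip() for raw in cfg.splitlines()):
        if line.startswith("interface tunnel"):
            in_stanza = True
        elif in_stanza and line == "!":
            break  # '!' closes the stanza
        elif in_stanza:
            if m := re.fullmatch(r"tunnel (source|destination) (\S+)", line):
                fields[m.group(1)] = m.group(2)
            elif m := re.fullmatch(r"tunnel mode gre (\S+)", line):
                fields["gre_proto"] = m.group(1)
            elif m := re.fullmatch(r"tunnel vlan (.+)", line):
                fields["vlans"] |= {v.strip() for v in m.group(1).split(",")}
            elif m := re.fullmatch(r"mtu (\d+)", line):
                fields["mtu"] = int(m.group(1))
    return fields

def mirror_problems(a, b):
    """List the ways two tunnel ends fail to mirror each other (empty = consistent)."""
    problems = []
    ends = (a.get("source"), a.get("destination"))
    if None in ends or ends != (b.get("destination"), b.get("source")):
        problems.append("source/destination are not swapped between the two ends")
    for key in ("gre_proto", "vlans", "mtu"):
        if a.get(key) != b.get(key):
            problems.append(f"{key} differs: {a.get(key)} vs {b.get(key)}")
    return problems

if __name__ == "__main__":
    print(mirror_problems(parse_tunnel(CONTROLLER_A), parse_tunnel(CONTROLLER_B)) or "ends mirror each other")
```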