05-04-2023 11:11 AM
I have 3 tunnels and I am unable to get all 3 up at the same time. If I try to use tunnel source loopback on any of them, the tunnel will not come up. It will only come up with the tunnel source as a physical interface like Gi0/0. Additionally, I tried connecting all 3 to the same physical interface or loopback and it doesn't like that either. The tunnel protection for IPsec also doesn't like it for tunnel mode gre ip or tunnel mode ipsec ipv4 with the "shared" keyword at the end, for example: tunnel protection ipsec profile Our-IPsec-Profile shared. I am confused why tunnel source isn't working. The only difference is that the 3 tunnels are also in different VRFs. The tunnel source is before the VRF or tunnel, I believe, as the tunnel protection can see them all on the same interfaces but doesn't like it. Even without the tunnel protection and without VRF it still won't come up. What am I doing wrong? Or is this a labism?
05-04-2023 11:24 AM
This needs some config and it will work.
Share the config and I will check it.
05-04-2023 01:10 PM
Here is the tunnel config and output. If you need the entire topology and config for all devices for the transit and end to end, I would need to sanitize some of the node names. I changed the VRF name for demo's sake. Again, tunnel source doesn't work at all, with or without the tunnel protection. The loopback0 is 1.1.1.1 255.255.255.0 on the RTR1 endpoint and loopback0 is 2.2.2.2 255.255.255.0 on RTR 2, where the other end of the tunnel is located. I am advertising the loopback across the transit network for trial and error. It ONLY works with the physical interface, and only with the name like Gi0/0, not with tunnel source 10.10.10.1, which isn't allowed for tunnel protection for IPsec, and I think it doesn't work without the tunnel protection as well. I am not sure if I need multiple IPsec profiles or multiple IPsec policies and profiles to get all tunnels up at the same time. This config focuses on tunnel 11. If you need all of it I can send it, but it will be in a day or so.
05-04-2023 04:30 PM
A setup with a tunnel in a VRF and then using a loopback as the tunnel source is about as general an issue as I can get without all the other fluff later on, like the tunnel protection IPsec stuff. A basic tunnel will not work in a VRF if I am sourcing it from a loopback in the CML lab within the DEVLAB space. It is like it is a glitch or something. This should easily work, VRF or no VRF for the tunnel, or VRF or no VRF for the loopback. I have tried a VRF tunnel only with a non-VRF loopback and with a VRF loopback, and routed and not routed the loopback over the tunnel VRF and the main global table.
05-04-2023 06:48 PM
I found out the issue. Tunnel source loopback ONLY works if the destination is also a loopback IP address and all loopbacks are routed. I advertised 3 loopbacks on each router and mapped source and destination, and the destination is said loopback, for example 4.4.4.4. All tunnels came up, IPsec tunnel protection doesn't complain either, and all are up with SAs.
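The layout described in the post above, written out as an added example (not the poster's actual config, which is not shown on the page): one loopback per tunnel, loopbacks advertised across the transit, and each tunnel in its own VRF. The VRF names, tunnel numbers 12 and 13, and every address except 1.1.1.1 and 4.4.4.4 are constructed placeholders, and Our-IPsec-Profile is assumed to be defined elsewhere.

```cisco
! RTR1 side only; the far end mirrors it with source and destination swapped.
! Loopbacks stay in the global table and must be advertised into the transit
! routing so that each router has a route to the peer's loopbacks.
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
interface Loopback2
 ip address 1.1.1.2 255.255.255.255
interface Loopback3
 ip address 1.1.1.3 255.255.255.255
!
vrf definition VRF-A
 address-family ipv4
vrf definition VRF-B
 address-family ipv4
vrf definition VRF-C
 address-family ipv4
!
! "vrf forwarding" places the tunnel's inside addressing in the VRF.
! No "tunnel vrf" is set, so the encrypted transport uses the global table.
interface Tunnel11
 vrf forwarding VRF-A
 ip address 172.16.11.1 255.255.255.252
 tunnel source Loopback1
 tunnel destination 4.4.4.4
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Our-IPsec-Profile
interface Tunnel12
 vrf forwarding VRF-B
 ip address 172.16.12.1 255.255.255.252
 tunnel source Loopback2
 tunnel destination 4.4.4.5
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Our-IPsec-Profile
interface Tunnel13
 vrf forwarding VRF-C
 ip address 172.16.13.1 255.255.255.252
 tunnel source Loopback3
 tunnel destination 4.4.4.6
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Our-IPsec-Profile
!
! Checks, in order: transport route, tunnel line protocol, then the SAs.
!   show ip route 4.4.4.4
!   show interfaces Tunnel11
!   show crypto ipsec sa
```

Because each tunnel here has a unique source and destination pair, the "shared" keyword on the tunnel protection line is not used.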
05-05-2023 10:18 AM
That is not quite correct.
The LO can be used as source and destination, as can any LO or interface (IP).
The issue here is that you did not configure the VRF keyring for IPsec.
If you want, we can run a lab together using LO.
05-06-2023 08:34 AM
Everything I read on keyring with VRF is related to using VRF for more of an MPLS network and using the endpoints in the VRF itself. I was mainly focused on VRF lite with VPN. I suppose VRF e2e inside as a source would be better. I also see crypto map config on all the VRF-aware type configs, but I am using VTI. It would be interesting to know the other way. If I get some time I will reach out.