EoMPLS and L2TPv3

rickwhittington · ‎12-22-2011

Good morning everyone.... I was wondering if someone could help me out with this?

I have setup a dev lab setup to test some stuff out before I go forward and move to production but I have hit a brick wall...

Here is a general setup Diagram.

HQ_SW-CE

|

HQ_RTR-PE

/\

/ \

branch2_rtr branch3_rtr

| |

BR2_SW-CE BR3_SW-CE

Here is the hardware

HQ-2811 with HWIC-4ESW ios adventerprisek9-mz.151-3.T1.bin

Branch2-2811 ios adventerprisek9-mz.151-3.T1.bin

Branch3-1841 ios advipservicesk9-mz.151-4.M.bin

Switches are 3560G but in production will probably be 2960s and 2950s

I started out with L2TPv3 which worked and did not work. If I went to the HQ_SW and show cdp and STP for VLAN 42 which is a MGMT vlan.

HQ_SW>show cdp ne

Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge

S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,

D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID Local Intrfce Holdtme Capability Platform Port ID

HQ_RTR Gig 0/2 178 R S I 2811 Fas 0/2/2

HQ_RTR Gig 0/1 157 R S I 2811 Fas 0/2/1

BRANCH3_SW Gig 0/2 129 R S I WS-C3560G Gig 0/14

BRANCH2_SW Gig 0/1 130 R S I WS-C3560G Gig 0/11

HQ_SW>show spanning-tree vlan 42

VLAN0042

Spanning tree enabled protocol ieee

Root ID Priority 32810

Address 001e.79d1.c880

This bridge is the root

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32810 (priority 32768 sys-id-ext 42)

Address 001e.79d1.c880

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type

------------------- ---- --- --------- -------- --------------------------------

Gi0/1 Desg FWD 19 128.1 P2p

Gi0/2 Desg FWD 19 128.2 P2p

Now if if I try and ping 172.42.1.2 (BRANCH 2 INT VLAN 42) I get no where...

HQ_SW>ping 172.42.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.42.1.2, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

HQ_SW>ping 172.42.1.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.42.1.3, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

Also I Have a mac address table but the l2 MACs for the remote switches do not show up, arps for those ip addresses show up as incomplete as well.

I switched to EoMPLS and had the same issue.

What we are trying to do is setup a backup link for a server should a main link fail. the HQ Router should be able to terminate MANY L2 tunnels. Basically I see that the HQ_PE router almost like a switch and interface 1 will go to NY, int 2 will go to Chicago, int 3 will go to Dallas, etc. Since this is a backup connection we are trying to deploy it as cheaply as possible. We did this with a 4esw/9esw on the HQ router because it will support up to 15 or so sites that we want to do. The issue is that even when the xconnect line is added to the hwic it does not want to pass traffic. EoMPLS is the same thing.... Can anyone help me out? Also does anyone know if I went to a older ME-sw for the HQ if it would support the MPLS commands from the HQ router?

Also the l2tun and mpls all show up see below

BRANCH2#show l2tun

L2TP Tunnel and Session Information Total tunnels 1 sessions 1

LocTunID RemTunID Remote Name State Remote Address Sessn L2TP Class/

Count VPDN Group

1543017164 4034467245 HQ_RTR est 10.0.0.1 1 l2tp_default_cl

LocID RemID TunID Username, Intf/ State Last Chg Uniq ID

Vcid, Circuit

908667366 3759587721 1543017164 104, Fa0/1 est 00:58:18 4

Kishore Chennupati · ‎12-27-2011

Hi Rick,

I can see you are trying to run IPsec over the pseudowire.

AFAIK ,If you are trying to run IPsec over EoMPLS it wont work as the resulting packet would be a labeled packet and there is no ip involved. Hence IPsec will not work as for IPsec to work you would need IP Transport.

However, in your L2TPv3 which is IP based, it will work because the resulting packet is a IP packet. Is your IPsec vpn working fine? Did you run any debugs to collect some more information? do you see packets been encrypted and decrypted when you execute the command "sh ipsec sa peer "

Edit: Can you ping the loopbacks between the 10.0.0.1, 10.0.0.2, 10.0.0.3 between the routers first?

HTH

Regards,

Kishore

Message was edited by: Kishore Chennupati

rickwhittington · ‎12-27-2011

In response to can I ping the loopbacks yes, I can ping all loopbacks.

In response to the IPsec I think I may need to clarify...... I am first running IPsec between routers. Then on loop0 I am terminating GRE tunnels. The IPsec tunnels are used to run gre throught he loopbacks hence the access list for interesting traffic. Once the GRE tunnels are established I am then running the pseudo-wire through the GRE to setup either L2TPv3 or EoMPLS. The mpls neighbors are done via the Loop1 IP addresses. Everything comes up as intended, however it seems traffic just does not pass through the pseudo-wire.

To confirm, L2TPv3 does not work, EoMPLS does not work, both do not work as intended. I can only see the CDP neighbor information but traffic does not pass.

Kishore Chennupati · ‎12-27-2011

When you send the pings do you see the encrypted/decreypted packets increment when you exexute the "sh ipsec sa peer 192.168.1.2". IPsec is your base here if that doesnt work well then nothing will work well. The control plane might be fine i.e exchaning polices etc and all as your config looks fine. But, if the forwarding is not working then there might be something wrong with ground work. I will take the following steps to fix this

1 Troubleshoot IPsec. check if IPsec is all good

2. Check GRE

3. Check L2tpv3

I will try and LAB this once I can get some time.

HTH

Kishore

rickwhittington · ‎12-27-2011

I am positive the ipsec tunnel is good to go as I have set them up before tons of times, same with the GRE. Here is the requested information however.

HQ_RTR#show crypto ipsec sa peer 192.168.2.2. The reason you will see two is because of the ACLs i have

Extended IP access list 102

10 permit ip host 10.0.0.1 host 10.0.0.2 (19462 matches)

20 permit ip host 10.0.0.2 host 10.0.0.1

Extended IP access list 103

10 permit ip host 10.0.0.1 host 10.0.0.3 (17404 matches)

20 permit ip host 10.0.0.3 host 10.0.0.1

HQ_RTR#

You should look at only the ACLs witht he matchs so no the first SA but the second for the same peer see below

interface: FastEthernet0/0

Crypto map tag: VPN, local addr 192.168.1.2

protected vrf: (none)

local ident (addr/mask/prot/port): (10.0.0.2/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)

current_peer 192.168.2.2 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 192.168.1.2, remote crypto endpt.: 192.168.2.2

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

current outbound spi: 0x0(0)

PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf: (none)

local ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (10.0.0.2/255.255.255.255/0/0)

current_peer 192.168.2.2 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 4548, #pkts encrypt: 4548, #pkts digest: 4548

#pkts decaps: 5004, #pkts decrypt: 5004, #pkts verify: 5004

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 2, #recv errors 0

local crypto endpt.: 192.168.1.2, remote crypto endpt.: 192.168.2.2

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

current outbound spi: 0xD5EFC998(3589261720)

PFS (Y/N): Y, DH group: group2

inbound esp sas:

spi: 0x692F80B1(1764720817)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 2003, flow_id: NETGX:3, sibling_flags 80000046, crypto map: VPN

sa timing: remaining key lifetime (k/sec): (4390208/1595)

IV size: 16 bytes

replay detection support: Y

Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xD5EFC998(3589261720)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 2004, flow_id: NETGX:4, sibling_flags 80000046, crypto map: VPN

sa timing: remaining key lifetime (k/sec): (4390276/1595)

IV size: 16 bytes

replay detection support: Y

Status: ACTIVE

outbound ah sas:

outbound pcp sas:

HQ_RTR#ping 10.0.0.2 source lo0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:

Packet sent with a source address of 10.0.0.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

HQ_RTR#show crypto ipsec sa peer 192.168.2.2

interface: FastEthernet0/0

Crypto map tag: VPN, local addr 192.168.1.2

protected vrf: (none)

local ident (addr/mask/prot/port): (10.0.0.2/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)

current_peer 192.168.2.2 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 192.168.1.2, remote crypto endpt.: 192.168.2.2

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

current outbound spi: 0x0(0)

PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf: (none)

local ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (10.0.0.2/255.255.255.255/0/0)

current_peer 192.168.2.2 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 4583, #pkts encrypt: 4583, #pkts digest: 4583

#pkts decaps: 5042, #pkts decrypt: 5042, #pkts verify: 5042

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 2, #recv errors 0

local crypto endpt.: 192.168.1.2, remote crypto endpt.: 192.168.2.2

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

current outbound spi: 0xD5EFC998(3589261720)

PFS (Y/N): Y, DH group: group2

inbound esp sas:

spi: 0x692F80B1(1764720817)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 2003, flow_id: NETGX:3, sibling_flags 80000046, crypto map: VPN

sa timing: remaining key lifetime (k/sec): (4390204/1582)

IV size: 16 bytes

replay detection support: Y

Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xD5EFC998(3589261720)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 2004, flow_id: NETGX:4, sibling_flags 80000046, crypto map: VPN

sa timing: remaining key lifetime (k/sec): (4390272/1582)

IV size: 16 bytes

replay detection support: Y

Status: ACTIVE

outbound ah sas:

outbound pcp sas:

HQ_RTR#

Also right now with the L2TPv3 setup I am not using the GRE I had it setup for when I was using EoMPLS. I know the two work as I can see the multicast of the cdp but nothing beyond that..

Kishore Chennupati · ‎12-27-2011

Rick,

I have labbed your config and it seems to be working as expected. I just labbed L2TPv3o IPsec. I took the configs from your attachments. Please see the configs and also the result.

HQ Router

LPE1#sh run

Building configuration...

Current configuration : 1571 bytes

!

upgrade fpd auto

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname LPE1

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

!

no aaa new-model

ip source-route

ip cef

!

no ip domain lookup

no ipv6 cef

!

multilink bundle-name authenticated

!

archive

log config

hidekeys

!

crypto isakmp policy 100

encr aes

authentication pre-share

group 2

lifetime 28800

crypto isakmp key branch2 address 192.168.2.1

!

crypto ipsec transform-set VPN esp-aes esp-sha-hmac

!

crypto map VPN 1 ipsec-isakmp

set peer 192.168.2.1

set transform-set VPN

set pfs group2

match address 102

!

pseudowire-class L2

encapsulation l2tpv3

sequencing both

ip local interface Loopback0

!

interface Loopback0

ip address 10.0.0.2 255.255.255.255

!

interface FastEthernet0/0

no ip address

shutdown

duplex half

!

interface GigabitEthernet1/0

ip address 192.168.2.2 255.255.255.0

negotiation auto

crypto map VPN

!

interface GigabitEthernet2/0

no ip address

negotiation auto

xconnect 10.0.0.1 104 pw-class L2

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 192.168.2.1

no ip http server

no ip http secure-server

!

logging alarm informational

access-list 102 permit ip host 10.0.0.1 host 10.0.0.2

access-list 102 permit ip host 10.0.0.2 host 10.0.0.1

!

control-plane

!

gatekeeper

shutdown

!

line con 0

exec-timeout 0 0

logging synchronous

stopbits 1

line aux 0

stopbits 1

line vty 0 4

login

!

end

LPE2#

Test results:

LPE1#sh l2tun session

L2TP Session Information Total tunnels 1 sessions 1

LocID RemID TunID Username, Intf/ State Last Chg Uniq ID

Vcid, Circuit

14681 44855 16488 104, Gi1/0 est 00:01:36 1

LPE1#sh ip access-lists

Extended IP access list 102

10 permit ip host 10.0.0.1 host 10.0.0.2 (546 matches)

20 permit ip host 10.0.0.2 host 10.0.0.1

LHQ#ping 172.16.42.2 <<< This is from the switch at the HQ

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.42.2, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 56/86/112 ms

LHQ#sh ip arp

Protocol Address Age (min) Hardware Addr Type Interface

Internet 172.16.42.1 - ca05.01ac.001c ARPA GigabitEthernet1/0

Internet 172.16.42.2 0 ca06.1464.001c ARPA GigabitEthernet1/0

LHQ#

LHQ#sh cdp neighbors

Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge

S - Switch, H - Host, I - IGMP, r - Repeater

Device ID Local Intrfce Holdtme Capability Platform Port ID

LBR Gig 1/0 150 R 7206VXR Gig 1/0 << Branch Switch

LPE1 Gig 1/0 150 R 7206VXR Gig 1/0

BR Router

LPE2#sh crypto ipsec sa peer 192.168.2.1 | i pkts

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4 << Before I ping from the HQ CE

#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

LPE2#sh crypto ipsec sa peer 192.168.2.1 | i pkts

#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9 <<< After I ping from the HQ CE 5 packets increment

#pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8

#pkts compressed: 0, #pkts decompressed: 0

rickwhittington · ‎12-28-2011

The hwics you used are a HWIC-1GIG, the cards I am using are HWIC-4ESW. The l2tpv3 tunnel comes up as previously mentioned and CDP comes across but traffic does not flow. If you change the gig cards out to a 4esw or 9esw you should see what I am talking about. The gig hwics are full routed ports which is why they work. PM me and we can chat via email if you would like.

Kishore Chennupati · ‎12-28-2011

Rick,

sorry i missed that part from your original post. AFAIK HWIC-ESW's dont support port based L2TPV3 . This is one of the limitations of ESW's. However, there is a workaround for this. That is to create an an SVI and use the x-connect on the SVI. I have labbed it for you. I used a 16ESW on a 3600 image. But this should apply for the 9ESW or 4ESW on the ISR as well.

TempPE1#sh l2tun session

%No active L2F tunnels

L2TP Session Information Total tunnels 1 sessions 1

LocID RemID TunID Username, Intf/ State Last Chg Uniq ID

Vcid, Circuit

17826 52340 40198 104, Vl104 est 00:01:08 3

%No active PPTP tunnels

TempPE1#sh run int vlan 104

Building configuration...

Current configuration : 75 bytes

!

interface Vlan104

no ip address

xconnect 10.0.0.2 104 pw-class L2

end

TempPE1#sh run int fa0/1

Building configuration...

Current configuration : 76 bytes

!

interface FastEthernet0/1

switchport access vlan 104

no cdp enable

end

TempPE1#

TempCE1#ping 172.16.42.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.42.2, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

TempCE1#ping 172.16.42.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.42.2, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 156/213/288 ms

TempCE1#

The other solution would be to go for Full routed HWIC-2FE etc.

HTH

Regards,

Kishore

rickwhittington · ‎01-03-2012

Xconnect is not supported on SVI on 15.1 3t code it is supported on physical interfaces.