Site to Site IPSec between SRP and IOS.

Trent Renshaw
Level 1

Hi there,

I am actually hoping Andrew Hickman, author of DOC-16927 and DOC-23028, can help with this.

I have established a Site to Site IPSec VPN between our SRP527W-U and CISCO881-K9 (ISR), running IOS 15.0(1)M3.

This is the first branch to use an SRP. I am using a dynamic crypto map (as we have more than one branch, and the SRP has a dynamic public IP).

Our other branch (also running an ISR) is a GRE over IPSec VPN; traffic between subnets is routed over the GRE tunnel. This works fine. The end goal here is really to achieve the same (GRE over IPSec) between the SRP and ISR, similar to our other branch.

The ISAKMP and IPSec config on the ISR:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key SECRET-KEY address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map DynMap1 10
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address VPN
 qos pre-classify
!
crypto map Vpn1 10 ipsec-isakmp dynamic DynMap1
!
ip access-list extended VPN
 permit gre host <Wan_A ip> host <Wan_C ip>
 permit ip 172.16.0.0 0.0.0.255 172.16.2.0 0.0.0.255
!
interface FastEthernet4
 ip address <Wan_A ip> 255.255.255.252
 crypto map Vpn1

Router A - CISCO881-K9 (hub)
  Network: 172.16.0.0/24
  LAN IP:  172.16.0.1
  WAN IP:  203.174.188.58

Router B - SRP527W-U (spoke)
  Network: 172.16.2.0/24
  LAN IP:  172.16.2.1
  WAN IP:  <public dynamic IP>

From a host on the 172.16.2.0/24 subnet, I can ping the ISR (172.16.0.1) and hosts on the 172.16.0.0/24, but not from the SRP (172.16.2.1), under Diagnostics -> Ping Test.

From a host on the 172.16.0.0/24 subnet, I can ping a host on the 172.16.2.0/24 network, but not the SRP (172.16.2.1). I can confirm SPI Firewall Protection is Off and Filter Anonymous Internet Requests checkbox is unchecked.

From the ISR (172.16.0.1), however, I can ping neither the SRP (172.16.2.1) nor any hosts on the 172.16.2.0/24 subnet.

Summary of Ping Results

Host on Subnet A <--> Host on Subnet B : Yes

Host on Subnet A <--> Router B : No

Router A -> Host on Subnet B : No

Router A <--> Router B : No

Host on Subnet B -> Router A : Yes

ISR Routing Table

S*    0.0.0.0/0 [1/0] via <Wan_A ip>
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/24 is directly connected, Tunnel0
L        10.0.0.1/32 is directly connected, Tunnel0
      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C        172.16.0.0/24 is directly connected, Vlan1
L        172.16.0.1/32 is directly connected, Vlan1
S        172.16.1.0/24 [1/0] via 10.0.0.2

SRP Routing Table

Destination    Netmask            Gateway        Interface
10.64.64.74    255.255.255.255    --             ppp10
10.64.64.74    255.255.255.255    --             ipsec0
172.16.2.0     255.255.255.0      --             VLAN.1
172.16.0.0     255.255.255.0      10.64.64.74    ipsec0
0.0.0.0        0.0.0.0            10.64.64.74    ppp10

I suspect this is an ACL / route issue. I would greatly appreciate some help from anyone. I feel I am so close, just not quite there.

Many thanks,

Trent Renshaw
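The post suspects the crypto ACL. A quick way to rule that in or out is to evaluate the ACL the way IOS does (first match, wildcard masks, implicit deny) against each pair from the ping summary. The script below is an added example, not part of the original post: it parses the two entries of the extended ACL named VPN as posted and checks each source/destination pair in the hub-to-spoke direction (the direction the hub's crypto map classifies). The WAN placeholders `<Wan_A ip>` and `<Wan_C ip>` are replaced by constructed documentation addresses, and the host addresses in the test pairs are constructed too. Wildcard matching is done bitwise, so it also handles non-contiguous wildcards, which the page's ACL does not use.

```python
"""IOS-style crypto ACL matcher (added example, not the original poster's code).

Parses 'permit'/'deny' entries of an IOS extended ACL and evaluates
source/destination/protocol tuples with first-match semantics and an
implicit deny at the end, as IOS does for crypto 'match address' ACLs.
"""
import ipaddress

# Constructed stand-ins for the <Wan_A ip> / <Wan_C ip> placeholders in the post.
WAN_A = "203.0.113.1"
WAN_C = "198.51.100.7"

# The ACL exactly as posted, with placeholders substituted.
ACL_VPN = f"""
ip access-list extended VPN
 permit gre host {WAN_A} host {WAN_C}
 permit ip 172.16.0.0 0.0.0.255 172.16.2.0 0.0.0.255
"""

# IP protocol numbers for the keywords this example understands; 'ip' matches any protocol.
PROTO_NUM = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}


def _parse_addr(tokens):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'.

    Returns (base, wildcard) as integers; bits set in the wildcard are don't-care.
    """
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    base = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    return base, wild


def parse_acl(text):
    """Return a list of (action, proto, src_spec, dst_spec) in ACL order."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # skip the 'ip access-list' header and blank lines
        action, proto, rest = tokens[0], tokens[1].lower(), tokens[2:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        entries.append((action, proto, src, dst))
    return entries


def _addr_match(ip, spec):
    """Bitwise wildcard match: every bit not masked by the wildcard must agree."""
    base, wild = spec
    return (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)


def lookup(entries, src_ip, dst_ip, proto):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    want = PROTO_NUM[proto]
    for action, aproto, src, dst in entries:
        have = PROTO_NUM[aproto]
        if have is not None and have != want:
            continue
        if _addr_match(src_ip, src) and _addr_match(dst_ip, dst):
            return action
    return "deny"


# The pairs from the post's 'Summary of Ping Results', hub side first.
# Host addresses are constructed; the router addresses are the ones in the post.
PING_PAIRS = {
    "Host A <-> Host B": ("172.16.0.10", "172.16.2.10"),
    "Host A <-> Router B": ("172.16.0.10", "172.16.2.1"),
    "Router A -> Host B": ("172.16.0.1", "172.16.2.10"),
    "Router A <-> Router B": ("172.16.0.1", "172.16.2.1"),
    "Host B -> Router A": ("172.16.0.10", "172.16.2.10"),  # return path, evaluated hub->spoke
}


def evaluate_pings(entries):
    """Classify each ping pair as the hub's crypto map would (ICMP, hub->spoke)."""
    return {name: lookup(entries, hub, spoke, "icmp") for name, (hub, spoke) in PING_PAIRS.items()}


if __name__ == "__main__":
    acl = parse_acl(ACL_VPN)
    for name, verdict in evaluate_pings(acl).items():
        print(f"{name:24s} {verdict}")
```

Every pair in the summary, including the ones that fail, is permitted by the crypto ACL, so the ACL is not what blocks the router-to-router pings; that is consistent with the firmware explanation given in the replies. The GRE entry only covers the hub-to-spoke WAN pair, and that entry can never match while the spoke has a dynamic address in place of `<Wan_C ip>`.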


4 Replies

Andrew Hickman
Cisco Employee

Hi Trent,

This was a known issue with the current release.  We have now fixed this for our next maintenance release.

I just created a VPN between two SRPs running the latest code and was again able to use the diagnostics page from each to ping the SRP LAN address at the other end of the tunnel.

Regards,

Andy

Hi Andy,

I am not sure I follow; there is nothing wrong with my config, routes or ACLs? The behaviour I described is expected on the current firmware between SRP and IOS?

IPSec is only half the solution here, I wanted to focus on getting this right before proceeding with a GRE tunnel.

With GRE between two IOS devices, I assign an IP address to the tunnel endpoints e.g. 10.0.0.1 on the hub and 10.0.0.2 on the first spoke. However, I cannot assign an IP address to the SRP tunnel endpoint?

Can you please detail how to achieve GRE over IPSec between an SRP (spoke) and IOS (hub) device. The IOS device in this case is an 881 ISR, the SRP is the second spoke in this configuration. The first spoke is an 887 ISR.

I have tried creating a GRE tunnel on the SRP and turned debug tunnel on (IOS end) but I get no output. Am at a loss as to how the SRP establishes GRE tunnels.

I have looked at your reply to https://supportforums.cisco.com/message/3575383

The config used is as follows:

interface Tunnel0
 ip unnumbered FastEthernet0/1
 tunnel source FastEthernet0/1
 tunnel destination
!
interface FastEthernet0/1
 ip address dhcp
 duplex auto
 speed auto
!
! Route to SRP remote subnet.
ip route 192.168.150.0 255.255.255.0 Tu0
!

!

Given our SRP has a dynamic public IP, what are my options for establishing a GRE tunnel?

Many thanks,

Trent Renshaw.
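One point worth raising about the hub config in the first post, separate from the GRE question: `crypto isakmp key SECRET-KEY address 0.0.0.0 0.0.0.0` is a single wildcard pre-shared key, so any peer from any address that knows that key can bring up an SA against DynMap1, and the hub cannot tell spokes apart. The fragment below is an added example, not config from the original post, showing how the same dynamic crypto map can be bound to an ISAKMP profile and keyring so that each spoke gets its own key and is matched on its IKE identity (an FQDN for the dynamic-IP spoke, an address for the static one). The identities, keys and the 203.0.113.7 address are constructed placeholders; whether the SRP can present a hostname identity in IKE is an assumption I have not verified on that platform. The transform set is kept as posted to match the page; 3DES, SHA-1 and DH group 2 are legacy choices and a new deployment should use AES and a larger group.

```ios
! Hub (ISR) side: per-spoke keys instead of one wildcard key (added example).
! Remove the global 'crypto isakmp key SECRET-KEY address 0.0.0.0 0.0.0.0' once the keyring is in place.
crypto keyring SPOKE-KEYS
 ! Dynamic-IP spoke identified by FQDN (hostname and key are placeholders).
 pre-shared-key hostname srp-branch.example.com key SPOKE2-KEY
 ! Static-IP spoke (887 ISR) identified by address (address and key are placeholders).
 pre-shared-key address 203.0.113.7 255.255.255.255 key SPOKE1-KEY
!
crypto isakmp profile SPOKES
 keyring SPOKE-KEYS
 match identity host srp-branch.example.com
 match identity address 203.0.113.7 255.255.255.255
!
crypto dynamic-map DynMap1 10
 set transform-set ESP-3DES-SHA
 set pfs group2
 set isakmp-profile SPOKES
 match address VPN
 qos pre-classify
!
crypto map Vpn1 10 ipsec-isakmp dynamic DynMap1
```

On an IOS spoke the FQDN identity is sent with `crypto isakmp identity hostname`; a spoke whose identity does not match any `match identity` line in the profile is refused at IKE, which is the check the wildcard key was missing. Verify with `show crypto isakmp sa` and `show crypto isakmp profile` after the tunnel comes up.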

Accepted Solution

Hi Trent,

My apologies, I misread your first post - I thought you were just referring to the issue of accessing an SRP IP address via IPSec (that part is fixed).

To your real question, I'm afraid there is no answer.  The SRP500 does not support GRE over IPSec (just one or the other).

Regards,

Andy

Hi Andy,

That's a real shame, as I would imagine an unencrypted GRE tunnel would be an unsuitable deployment for most organisations, and obviously IPSec does not address all VPN needs.

Is there any way to bridge the SRP with an IOS device to do routing and VPN? I am thinking of uplinking an 881 ISR to the SRP527W-U. I note Ethernet port 4 on the device is a selectable LAN/WAN port, but I can't find any documentation on how to use this for WAN.

I would prefer the ISR do NAT, VPN, PAT etc. for the branch subnet, the only reason for keeping the SRP in the picture is 4G LTE is the only available WAN option (using Sierra Wireless 320U on USB interface).

I could not find any 800 series ISRs that support a USB WAN with the Sierra Wireless 320U? Correct me if I am wrong.

Regards,

Trent.