05-30-2019 08:31 AM
Hello,
I have two Cisco 861 routers in different places, each connected to the internet with a fixed public IP. I want to make an encrypted tunnel between the two routers to send and receive multicast traffic. Ping succeeds between 192.168.3.0 and 192.168.1.0, but I can't send or receive multicast traffic, and I can't apply the 'ip multicast-routing' command. Below is the configuration on the routers:
#show ver
Cisco IOS Software, C860 Software (C860-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
---------------------------------------------------------------------------------------------------
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 10
!
!
ip source-route
!
!
ip cef
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key secretkey address y.y.y.2
!
!
crypto ipsec transform-set R1-R2 esp-aes 256 esp-sha-hmac
!
crypto map IPSEC-MAP 10 ipsec-isakmp
set peer y.y.y.2
set security-association lifetime seconds 86400
set transform-set R1-R2
set pfs group5
match address 100
!
!
!
!
!
interface FastEthernet0
switchport access vlan 300
!
interface FastEthernet1
switchport access vlan 300
!
interface FastEthernet2
switchport access vlan 300
!
interface FastEthernet3
switchport access vlan 300
!
interface FastEthernet4
ip address x.x.x.2 255.255.255.252
duplex auto
speed auto
crypto map IPSEC-MAP
!
interface Vlan1
no ip address
!
interface Vlan300
ip address 192.168.1.1 255.255.255.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 x.x.x.1
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login
!
scheduler max-task-time 5000
end
--------------------------------------------------------------------------------------------------
hostname R2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
!
!
license accept end user agreement
!
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key secretkey address x.x.x.2
!
!
crypto ipsec transform-set R2-R1 esp-aes 256 esp-sha-hmac
!
crypto map IPSEC-MAP 10 ipsec-isakmp
set peer x.x.x.2
set security-association lifetime seconds 86400
set transform-set R2-R1
set pfs group5
match address 100
!
!
!
!
!
interface FastEthernet0
switchport access vlan 301
no ip address
!
interface FastEthernet1
switchport access vlan 301
no ip address
!
interface FastEthernet2
switchport access vlan 301
no ip address
!
interface FastEthernet3
switchport access vlan 301
no ip address
!
interface FastEthernet4
ip address y.y.y.2 255.255.255.252
duplex auto
speed auto
crypto map IPSEC-MAP
!
interface Vlan1
no ip address
!
interface Vlan301
ip address 192.168.3.1 255.255.255.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 y.y.y.1
!
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
login
transport input all
!
end
05-30-2019 08:58 AM
I don't think you'll be able to send multicast traffic across the crypto map VPN. You're better off using a tunnel interface with an IPsec profile; then you can establish multicast routing, if your router supports multicast.
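The tunnel-interface-with-IPsec-profile approach suggested above, written out for R1 as an added example (this is not configuration from the original post). It assumes a platform that supports `tunnel protection`; the profile name GRE-PROT, the interface Tunnel1 and the 10.10.12.0/30 tunnel addressing are assumptions. ISAKMP policy 10 and the pre-shared key are taken unchanged from the posted configuration.

```cisco
! R1: GRE tunnel protected by an IPsec profile instead of a crypto map
! (ISAKMP policy 10 and the pre-shared key stay exactly as posted)
crypto ipsec transform-set R1-R2 esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set R1-R2
 set pfs group5
!
interface Tunnel1
 ip address 10.10.12.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet4
 tunnel destination y.y.y.2
 tunnel protection ipsec profile GRE-PROT
!
! The crypto map (and with it ACL 100) comes off the WAN interface:
! the profile encrypts every packet the tunnel emits, so no crypto ACL
! is needed and nothing is left to match LAN-to-LAN traffic by mistake.
interface FastEthernet4
 no crypto map IPSEC-MAP
!
! Steer the remote LAN into the tunnel so that it is encrypted
ip route 192.168.3.0 255.255.255.0 Tunnel1
```

R2 mirrors this with 10.10.12.2 on Tunnel1, `tunnel destination x.x.x.2` and a route for 192.168.1.0/24 via Tunnel1. `show crypto ipsec sa` should then show encaps/decaps counters increasing for the GRE proxy identities, and `show interface Tunnel1` should be up/up. Transport mode saves 20 bytes per packet because the outer GRE header already carries the peer addresses; `ip mtu 1400` and `adjust-mss 1360` leave room for the GRE and ESP overhead. Enabling multicast routing over this tunnel is a separate step that still depends on platform support.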
05-30-2019 08:59 AM - edited 05-30-2019 09:00 AM
Hello,
this is a known limitation of IPsec.
To carry multicast traffic you need to use a GRE point-to-point tunnel, which provides a way to transport any type of traffic.
You can still use the crypto map but you are going to encrypt the GRE tunnel packets
access-list 111 remark GRE packets
access-list 111 permit gre host <local-address> host <remote-address>
interface tunnel 1
tunnel source <local-interface>
tunnel destination <remote-ip-address>
ip address 10.10.12.1 255.255.255.252
ip pim sparse-dense-mode
no shut
On the receiving side you may need a static ip mroute to pass the RPF check:
ip mroute 0.0.0.0 0.0.0.0 Tunnel1
Hope to help
Giuseppe
05-30-2019 10:29 AM - edited 05-30-2019 11:03 AM
Thanks for your reply,
I can't apply the ip pim sparse-dense-mode command inside the tunnel, and if I do show ip multicast, the status is disabled. How can I enable multicast routing? Do these routers and their IOS versions support multicast routing and the PIM protocol?
Thanks in advance,
05-30-2019 11:11 AM - edited 05-30-2019 11:14 AM
Hello,
you need to enable it at global level with
config t
ip multicast-routing
After that you should be able to use the PIM commands, if your router supports multicast routing.
NOTE:
you will need to enable PIM also on the internal LAN interface.
Do not enable PIM on the WAN interface (the one used as tunnel source in the GRE tunnel).
You also need some unicast routing for the subnets,
like
ip route 192.168.100.0 255.255.255.0 tunnel0
to route the traffic of the internal LAN subnets over the tunnel.
Hope to help
Giuseppe
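The two answers above (GRE over the existing crypto map, then multicast routing over the tunnel) combined into one configuration for both routers, as an added example that is not from the original post. It assumes a platform on which `ip multicast-routing` is accepted (the thread concludes the 861 is not one); Tunnel1, ACL 111 and the 10.10.12.0/30 addressing are assumptions. ISAKMP policy 10 and the pre-shared key stay as posted; the IKEv1 / DH group 5 / SHA-1 parameters are kept for continuity only. The security-relevant change is the crypto ACL: the GRE packets carry the two WAN addresses, so the posted LAN-to-LAN ACL 100 never matches them. With ACL 100 left in place the GRE tunnel and multicast would work, but the packets would leave FastEthernet4 unencrypted.

```cisco
! ---- R1 (ISAKMP policy 10 and the pre-shared key stay as posted) ----
ip multicast-routing
!
crypto ipsec transform-set R1-R2 esp-aes 256 esp-sha-hmac
!
! Crypto ACL must match the GRE packets between the WAN addresses.
! ACL 100 (LAN-to-LAN) never matches them: the LAN traffic is already
! inside GRE, so keeping ACL 100 here would send the tunnel in cleartext.
access-list 111 remark GRE R1 <-> R2
access-list 111 permit gre host x.x.x.2 host y.y.y.2
!
crypto map IPSEC-MAP 10 ipsec-isakmp
 set peer y.y.y.2
 set transform-set R1-R2
 set pfs group5
 match address 111
!
interface Tunnel1
 ip address 10.10.12.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip pim sparse-dense-mode
 tunnel source FastEthernet4
 tunnel destination y.y.y.2
!
! WAN interface: crypto map only, no PIM (it carries encrypted GRE only)
interface FastEthernet4
 ip address x.x.x.2 255.255.255.252
 crypto map IPSEC-MAP
!
! LAN interface: PIM so receivers/sources on the LAN are seen
interface Vlan300
 ip address 192.168.1.1 255.255.255.0
 ip pim sparse-dense-mode
!
ip route 0.0.0.0 0.0.0.0 x.x.x.1
! Unicast route for the remote LAN via the tunnel; this alone passes RPF
! for sources in 192.168.3.0/24
ip route 192.168.3.0 255.255.255.0 Tunnel1
! Catch-all static mroute for sources not covered by the unicast table
ip mroute 0.0.0.0 0.0.0.0 Tunnel1
!
! ---- R2: same structure with the addresses mirrored ----
ip multicast-routing
crypto ipsec transform-set R2-R1 esp-aes 256 esp-sha-hmac
access-list 111 remark GRE R2 <-> R1
access-list 111 permit gre host y.y.y.2 host x.x.x.2
crypto map IPSEC-MAP 10 ipsec-isakmp
 set peer x.x.x.2
 set transform-set R2-R1
 set pfs group5
 match address 111
interface Tunnel1
 ip address 10.10.12.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip pim sparse-dense-mode
 tunnel source FastEthernet4
 tunnel destination x.x.x.2
interface FastEthernet4
 ip address y.y.y.2 255.255.255.252
 crypto map IPSEC-MAP
interface Vlan301
 ip address 192.168.3.1 255.255.255.0
 ip pim sparse-dense-mode
ip route 0.0.0.0 0.0.0.0 y.y.y.1
ip route 192.168.1.0 255.255.255.0 Tunnel1
ip mroute 0.0.0.0 0.0.0.0 Tunnel1
```

To check it end to end: `show ip pim neighbor` on R1 should list 10.10.12.2 on Tunnel1; `show ip rpf 192.168.3.10` (any address in the remote LAN) should report Tunnel1 as the RPF interface; `show ip mroute` should show (S,G) entries with Tunnel1 as incoming and Vlan300 in the outgoing list once a source is active; and `show crypto ipsec sa` must show the GRE proxy identities (x.x.x.2/y.y.y.2, protocol 47) with packet counters increasing. If the crypto SA counters stay at zero while multicast flows, the crypto ACL is not matching and the tunnel is running in the clear.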
05-30-2019 11:25 AM
Hello,
It seems that it doesn't support multicast routing! Do you have any advice on how to get past this issue? Like upgrading the IOS, or do I need another router series?
Thanks,
05-30-2019 11:32 AM
Hello,
the Cisco 861 may not be so new, I'm afraid.
Likely you need more modern routers that support multicast.
see Cisco 890 series datasheet
● IPv4 and IPv6 Multicast
Hope to help
Giuseppe