Can't send and receive encrypted multicast traffic over tunnel over internet on two Cisco 861 series!

FayezIllariyeh

Hello,
I have two Cisco 861 in different places connected to the internet with fixed public IPs. I want to make an encrypted tunnel between the two routers to send and receive multicast traffic, knowing that ping succeeds between 192.168.3.0 and 192.168.1.0, but I can't send or receive multicast traffic, and I can't apply the 'ip multicast-routing' command. Below is the configuration on the routers:
#show ver
Cisco IOS Software, C860 Software (C860-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
---------------------------------------------------------------------------------------------------
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 10
!
!
ip source-route
!
!
ip cef
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key secretkey address y.y.y.2
!
!
crypto ipsec transform-set R1-R2 esp-aes 256 esp-sha-hmac
!
crypto map IPSEC-MAP 10 ipsec-isakmp
 set peer y.y.y.2
 set security-association lifetime seconds 86400
 set transform-set R1-R2
 set pfs group5
 match address 100
!
!
!
!
!
interface FastEthernet0
 switchport access vlan 300
!
interface FastEthernet1
 switchport access vlan 300
!
interface FastEthernet2
 switchport access vlan 300
!
interface FastEthernet3
 switchport access vlan 300
!
interface FastEthernet4
 ip address x.x.x.2 255.255.255.252
 duplex auto
 speed auto
 crypto map IPSEC-MAP
!
interface Vlan1
 no ip address
!
interface Vlan300
 ip address 192.168.1.1 255.255.255.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 x.x.x.1
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 login
!
scheduler max-task-time 5000
end
--------------------------------------------------------------------------------------------------

hostname R2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
!
!
license accept end user agreement
!
!
!
!
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key secretkey address x.x.x.2
!
!
crypto ipsec transform-set R2-R1 esp-aes 256 esp-sha-hmac
!
crypto map IPSEC-MAP 10 ipsec-isakmp
 set peer x.x.x.2
 set security-association lifetime seconds 86400
 set transform-set R2-R1
 set pfs group5
 match address 100
!
!
!
!
!
interface FastEthernet0
 switchport access vlan 301
 no ip address
!
interface FastEthernet1
 switchport access vlan 301
 no ip address
!
interface FastEthernet2
 switchport access vlan 301
 no ip address
!
interface FastEthernet3
 switchport access vlan 301
 no ip address
!
interface FastEthernet4
 ip address y.y.y.2 255.255.255.252
 duplex auto
 speed auto
 crypto map IPSEC-MAP
!
interface Vlan1
 no ip address
!
interface Vlan301
 ip address 192.168.3.1 255.255.255.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 y.y.y.1
!
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
 login
 transport input all
!
end


guibarati

I don't think you'll be able to send multicast traffic across the cryptomap VPN. You're better off using a tunnel interface with an IPSec profile, then you can establish multicast routing - if your router supports multicast.

Giuseppe Larosa

Hello,

this is a known limitation of IPSec.

To carry multicast traffic you need to use a GRE point-to-point tunnel, which provides a way to transport any type of traffic.

You can still use the crypto map, but you are going to encrypt the GRE tunnel packets:

access-list 111 remark GRE packets
access-list 111 permit gre host <local-address> host <remote-address>

interface tunnel 1
 tunnel source <local-interface>
 tunnel destination <remote-ip-address>
 ip address 10.10.12.1 255.255.255.252
 ip pim sparse-dense-mode
 no shut

You may need, on the receiving side, a static ip mroute to pass the RPF check:

ip mroute 0.0.0.0 0.0.0.0 tunnel1

Hope to help

Giuseppe

 

Thanks for your reply,

I can't enter the ip pim sparse-dense mode command inside the tunnel, and if I do show ip multicast, the status is disabled. How can I enable multicast routing? Do these routers and their IOS versions support multicast routing and the PIM protocol?

[attached screenshot: Capture.PNG]

Thanks in advance,

 

Hello,

you need to enable it at global level with

config t
ip multicast-routing

After that you should be able to use the PIM commands, if your router supports multicast routing.

NOTE:

you will need to enable PIM also on the internal LAN interface;

do not enable PIM on the WAN interface (the one used as tunnel source in the GRE tunnel).

You also need some unicast routing for the subnets, like

ip route 192.168.100.0 255.255.255.0 tunnel0

to route the traffic of the internal LAN subnets over the tunnel.

Hope to help

Giuseppe
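The two replies above describe one procedure: a GRE tunnel, a crypto ACL that matches the GRE packets instead of the inner LAN subnets, PIM on the tunnel and LAN interfaces, and a static route plus static mroute over the tunnel. As an added example, not part of the thread and not the poster's own configuration, here is R1's side written out against the addressing from the original post (R1 WAN x.x.x.2, R2 WAN y.y.y.2, LANs 192.168.1.0/24 and 192.168.3.0/24); R2 mirrors it. The tunnel subnet 10.10.12.0/30, the ACL number 111 and the profile name GRE-PROT are assumptions, and the whole thing presupposes an IOS image that accepts ip multicast-routing, which the thread concludes this 861 image does not. The security-relevant detail is the crypto ACL: the crypto map is evaluated on the GRE-encapsulated packet leaving FastEthernet4, so an ACL that still matches only 192.168.1.0 -> 192.168.3.0 would let the tunnelled traffic out in cleartext.

```cisco
! R1 side, constructed example for this thread's addressing (mirror on R2).
!
! 1. Multicast routing must be enabled globally before any "ip pim" command is accepted.
ip multicast-routing
!
! 2. Encrypt the GRE packets themselves (outer src x.x.x.2, dst y.y.y.2, IP protocol 47).
!    ACL 100 from the original post only matched the inner LAN-to-LAN flows; once those
!    flows are routed into the tunnel they never match it, and the GRE packets would
!    leave FastEthernet4 unencrypted. ACL number 111 is assumed.
access-list 111 remark GRE packets between the two routers
access-list 111 permit gre host x.x.x.2 host y.y.y.2
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key secretkey address y.y.y.2
crypto ipsec transform-set R1-R2 esp-aes 256 esp-sha-hmac
crypto map IPSEC-MAP 10 ipsec-isakmp
 set peer y.y.y.2
 set transform-set R1-R2
 set pfs group5
 match address 111
!
! 3. The GRE tunnel carries unicast and multicast alike; PIM runs on it.
!    Tunnel subnet 10.10.12.0/30 is assumed (R2 gets 10.10.12.2).
!    The MTU/MSS lines leave room for the GRE plus ESP overhead on a 1500-byte path.
interface Tunnel1
 ip address 10.10.12.1 255.255.255.252
 ip pim sparse-dense-mode
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet4
 tunnel destination y.y.y.2
!
! 4. PIM on the internal LAN interface only, never on the WAN interface that is the
!    tunnel source.
interface Vlan300
 ip address 192.168.1.1 255.255.255.0
 ip pim sparse-dense-mode
!
interface FastEthernet4
 ip address x.x.x.2 255.255.255.252
 crypto map IPSEC-MAP
!
! 5. Unicast route for the remote LAN over the tunnel, and a static mroute so the RPF
!    check for sources behind R2 resolves to Tunnel1 rather than to the default route
!    via x.x.x.1. Giuseppe's "ip mroute 0.0.0.0 0.0.0.0 Tunnel1" is the catch-all form.
ip route 192.168.3.0 255.255.255.0 Tunnel1
ip mroute 192.168.3.0 255.255.255.0 Tunnel1
!
! Verification once both sides are up:
!   show ip multicast      -> multicast routing reported as enabled
!   show ip pim neighbor   -> 10.10.12.2 learned on Tunnel1
!   show crypto ipsec sa   -> encrypt/decrypt counters rising for the x.x.x.2 <-> y.y.y.2 GRE flow
!   show ip mroute         -> (S,G) entries with Tunnel1 as the incoming interface
!
! Alternative to the crypto map (guibarati's suggestion): bind IPsec to the tunnel with
! an IPsec profile (name GRE-PROT assumed). Everything entering Tunnel1 is then
! encrypted with no crypto ACL to keep in sync. Use this instead of, not together with,
! "crypto map IPSEC-MAP" on FastEthernet4 for the same peer.
! crypto ipsec profile GRE-PROT
!  set transform-set R1-R2
!  set pfs group5
! !
! interface Tunnel1
!  tunnel protection ipsec profile GRE-PROT
```

On R2 the same template applies with x and y swapped, 10.10.12.2 on the tunnel, PIM on Vlan301, and the route and mroute pointing at 192.168.1.0/24. Keeping the static mroute even when a routing protocol is added later avoids the silent failure mode where unicast reachability works but PIM drops the traffic on RPF.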

 

Hello,

It seems that it doesn't support multicast routing! Do you have any advice to get past this issue, like upgrading the IOS, or do I need a different router series?

[attached screenshot: Capture1.PNG]

Thanks,

Hello,

the Cisco 861 may not be so new, I'm afraid.

Likely you need more modern routers that support multicast.

See the Cisco 890 series datasheet ("IPv4 and IPv6 Multicast"):

https://www.cisco.com/c/en/us/products/collateral/routers/800-series-routers/data_sheet_c78-519930.html

Hope to help

Giuseppe

 
