08-10-2009 01:34 AM - edited 03-04-2019 05:41 AM
Hello!
I have a Cisco 1801 connected to 2 ISPs. Each ISP is connected with a real IP address. Each WAN interface has an associated VTI. The main role of the Cisco 1801 is to be an IPsec hub for many IPsec clients, making a secure link between subnets. Each IPsec client creates 2 IPsec tunnels: the first via ISP1 and the second via ISP2.
For example:
Cisco VTI1 device
192.168.1.0/24 <-------> 192.168.40.0/24
Cisco VTI2 device
192.168.2.0/24 <-------> 192.168.140.0/24
After IPsec is established we have two new interfaces, Virtual-Access1 and Virtual-Access2. Also we have two new routes for subnets 192.168.40.0/24 and 192.168.140.0/24.
192.168.1.1 and 192.168.2.1 are the addresses of the Vlan2 interface.
If a default gateway is set up, all works perfectly. If the default gateway is removed, intercommunication between the subnets is lost.
Could I use IPsec without a default gateway?
08-10-2009 06:19 AM
Hi,
If your remote sites are not learning the other sites' subnets or a default route through the tunnel, it's expected that they can't communicate.
Also I'm not sure what 192.168.1.0 and 192.168.2.0 represent.
HTH
Laurent.
08-10-2009 11:36 AM
08-10-2009 03:19 PM
Why do you have two subnets per LAN interface?
Could you provide the config of both routers?
Thanks
Laurent.
08-10-2009 08:12 PM
The client software on a computer establishes two socket connections to the server software (source 192.168.40.2 <--> dest 192.168.1.2 and source 192.168.140.2 <--> dest 192.168.2.2), and if one of the providers goes down the intercommunication will continue via the second one. The router on the client side is a GPRS/EDGE router ER75i with uClinux onboard.
I can provide the config of the Cisco 1801:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service sequence-numbers
!
aaa new-model
!
ip cef
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 ip address 62.165.xx.yy 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly
 zone-member security WAN
 ip policy route-map FastEthernet0
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0
 ip mtu 1300
 zone-member security MAU
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MAU_Profile
!
interface FastEthernet2
 switchport access vlan 3
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 pvc 0/35
  pppoe-client dial-pool-number 1
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip flow ingress
 ip virtual-reassembly
 encapsulation ppp
 ip policy route-map Dialer0
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname name
 ppp chap password 7 000090E0624
 ppp pap sent-username name password 7 00000D2342
!
interface Virtual-Template2 type tunnel
 ip unnumbered Dialer0
 zone-member security MAU
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MAU_Profile2
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.0 secondary
 ip address 192.168.1.1 255.255.255.0
 ip virtual-reassembly
 zone-member security CAU
!
route-map Dialer0 permit 10
 match ip address Dialer0
 set interface Dialer0
!
ip access-list extended Dialer0
 permit ip host 77.233.xx.yy any
 permit esp host 77.233.xx.yy any
 permit ahp host 77.233.xx.yy any
 deny ip any any
 deny esp any any
 deny ahp any any
!
route-map FastEthernet0 permit 10
 match ip address FastEthernet0
 set ip next-hop 62.165.xx.zz
!
ip access-list extended FastEthernet0
 permit ip host 62.165.xx.yy any
 permit esp host 62.165.xx.yy any
 permit ahp host 62.165.xx.yy any
 deny ip any any
 deny esp any any
 deny ahp any any
!
ip local policy route-map LOCAL
ip forward-protocol nd
!
route-map LOCAL permit 10
 match ip address 150
 set interface Dialer0
route-map LOCAL permit 20
 match ip address 151
 set ip next-hop 62.165.xx.zz
route-map LOCAL permit 30
 match ip address 152
 set global
!
access-list 150 permit ip host 77.233.xx.yy any
access-list 151 permit ip host 62.165.xx.yy any
access-list 152 permit ip any any
08-11-2009 10:23 AM
Hi,
I think I lost what your original question was ;-) Could you clarify it?
From the configuration you provided, how do you route your traffic inside the tunnels?
Also, what is the point of the PBR configured on Dialer0 and FastEthernet0? PBR applies to incoming traffic, so I don't see why you would want to send the received IPsec traffic back out on the same interface.
Laurent.
08-11-2009 09:02 PM
I'm using VTI. After the IPsec tunnels are established we have two new interfaces, Virtual-Access1 and Virtual-Access2. Also we have two new routes for subnets:
S 192.168.40.0/24 [1/0] via 83.220.xx.xx, Virtual-Access2
S 192.168.140.0/24 [1/0] via 83.220.xx.xx, Virtual-Access1
Cisco IOS automatically adds these routes to the general routing table.
About PBR: you are right. PBR for Dialer0 and Fa0 is meaningless. Only "ip local policy route-map LOCAL" is needed to establish IPsec without a default gateway.
If a default gateway is set up, all works perfectly. If the default gateway is removed, intercommunication between the subnets is lost.
Main question: what should I do to make everything work without a default gateway?
08-12-2009 06:08 AM
Hi,
Could you post the working configuration with the default route configured ?
When you say "intercommunications between subnets are lost", do you mean 192.168.40.2 <--> 192.168.1.2 and 192.168.140.2 <--> 192.168.2.2?
Also, is it working without the FW zones configured?
Thanks
Laurent.
08-12-2009 09:15 PM
Hello Laurent,
I sent you an email with the working configuration.
>When you say "intercommunications between subnets are lost. ", you mean 192.168.40.2 <--> 192.168.1.2 and 192.168.140.2 <--> 192.168.2.2
Yes. Without a default gateway I can't ping 192.168.40.2 from 192.168.1.2 or 192.168.140.2 from 192.168.2.2.
Regards
Aleksei.
08-13-2009 11:37 AM
Hi Aleksei,
I see some overlapping in your ISAKMP profile definitions, and also there is no tunnel source specified in your DVTI interface.
I assume the ER75i is configured to open a tunnel with the 1800's Dialer0 interface to reach 192.168.2.0 and to open a tunnel with 62.165.xx.yy to reach 192.168.1.0.
To avoid any ambiguity I would add the following configuration:
crypto isakmp profile MAU_ISAKMP_Profile
 local-address fast0
!
interface virtual-template 1 type tunnel
 tunnel source fast0
!
crypto isakmp profile MAU_ISAKMP_Profile2
 local-address dialer0
!
interface virtual-template 2 type tunnel
 tunnel source dialer 0
!
HTH
Laurent.
08-17-2009 12:14 AM
Hello Laurent,
I have added the above-mentioned configuration, but it has not helped.
08-17-2009 05:30 AM
Hi,
I don't have access to any lab to try to reproduce your issue.
What I would do is track the packets received on the LAN side, see in which tunnel they are sent, and on which interface the resulting IPsec packet is forwarded.
Also, you could try without any zone configured to be sure there is no bad interaction.
HTH
Laurent.
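To make the two-stage trace Laurent describes concrete, here is an added Python model (not from the thread and not IOS code) of the hub's forwarding: the local policy map for the router's own ISAKMP packets, then the ordinary lookup that the ESP outer packet gets once a VTI has encapsulated transit traffic. The addresses are constructed placeholders for the masked ones, a single remote peer behind both Virtual-Access interfaces is assumed, and the split between policy-routed local packets and plainly looked-up encapsulated transit is a modelling assumption.

```python
import ipaddress

# Constructed placeholders standing in for the masked addresses in the thread;
# none of them is the real value.
HUB_FA0 = "198.51.100.2"        # 62.165.xx.yy, FastEthernet0
ISP1_NEXT_HOP = "198.51.100.1"  # 62.165.xx.zz, ISP1 gateway
HUB_DIALER = "192.0.2.2"        # 77.233.xx.yy, negotiated Dialer0 address
PEER = "203.0.113.10"           # 83.220.xx.xx, the remote ER75i

class Fib:
    """Longest-prefix-match table of (prefix, egress interface, next hop)."""
    def __init__(self, entries):
        self.entries = [(ipaddress.ip_network(p), i, nh) for p, i, nh in entries]
    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        hits = [e for e in self.entries if addr in e[0]]
        return max(hits, key=lambda e: e[0].prefixlen) if hits else None

# "ip local policy route-map LOCAL" from the config: source address -> forced exit.
LOCAL_POLICY = {HUB_DIALER: "Dialer0", HUB_FA0: "FastEthernet0"}
# Tunnel destination behind each Virtual-Access interface (assumed: one remote router).
VTI_PEER = {"Virtual-Access1": PEER, "Virtual-Access2": PEER}

def egress(fib, src, dst, local=False):
    """Physical exit interface for a packet, or None when it would be dropped.
    Assumption: the router's own ISAKMP packets (local=True) follow the local
    policy map; transit traffic routed into a VTI is ESP-encapsulated and the
    outer packet, addressed to the peer, gets a plain second lookup in the same
    table. Without a default route that second lookup is what fails.
    """
    if local and src in LOCAL_POLICY:
        return LOCAL_POLICY[src]
    route = fib.lookup(dst)
    if route is None:
        return None
    iface = route[1]
    if iface in VTI_PEER:  # encapsulate, then route the outer packet to the peer
        return egress(fib, src, VTI_PEER[iface])
    return iface

def tunnel_routes():
    # The two routes IOS installs when the DVTI sessions come up (from the thread).
    return [("192.168.40.0/24", "Virtual-Access2", PEER),
            ("192.168.140.0/24", "Virtual-Access1", PEER)]

def fib_with_default():
    return Fib(tunnel_routes() + [("0.0.0.0/0", "FastEthernet0", ISP1_NEXT_HOP)])

def fib_without_default():
    return Fib(tunnel_routes())
```

Under this model the table without a default route still carries the router's own ISAKMP traffic to the peer, which is why the tunnels come up, while the outer ESP packet for transit traffic finds no route and is dropped, matching the symptom in the thread.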
08-17-2009 08:17 PM
Hello Laurent,
Could you look at
(http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_ipsec_virt_tunnl_external_docbase_0900e4b1805b0504_4container_external_docbase_0900e4b1807b3707.html#wp1083215) and explain which interfaces on Figure 3 will use PBR if PBR is configured on them?