GRE Tunnel w/IPSEC over Internet as backup link to PTP - Every other ping fails.

tkhan
Level 1

Hello

We have two offices connected via a T1 point-to-point.  We have had the link fail, and now would like a backup link over the internet using a GRE/IPsec tunnel.

The tunnel is in place, but every other packet fails. With a ping, 50% packet loss.  Ideally we want a backup route if the PTP fails.  Here are the configs for RTR1 and RTR2 as well as the output of the ping.  I get an ICMP port/destination unreachable (something close to that).

Is it possible to have a backup route so that, when the PTP fails, traffic automatically routes over the tunnel?

rtr2

!
! Last configuration change at 13:32:43 EDT Tue Jul 20 2010 by admin
! NVRAM config last updated at 11:06:30 EDT Tue Jul 20 2010 by admin
!
version 12.3
no service pad
service timestamps debug datetime msec show-timezone year
service timestamps log datetime msec show-timezone year
service password-encryption
!
hostname RTR2
!
<snip>
!
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip flow-cache timeout active 1
ip cef
!
<snip>
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key <snip> address 1.1.1.1
!
!
crypto ipsec transform-set TRANSFORMS_CRYPTO_192.168.2.0_192.168.3.0 esp-aes esp-md5-hmac
 mode transport
!
crypto map CRYPTO_MAP_PTPVPN_<snip> 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set TRANSFORMS_CRYPTO_192.168.2.0_192.168.3.0
 match address ACL_CRYPTO_192.168.2.0_192.168.3.0
!
!
<snip>
!
interface Tunnel0
 ip address 172.16.1.1 255.255.255.252
 ip tcp adjust-mss 1402
 tunnel source FastEthernet0/0
 tunnel destination 1.1.1.1
!
interface FastEthernet0/0
 description <snip> --> Firewall
 ip address 192.168.4.254 255.255.255.0
 ip nat outside
 ip policy route-map RMAP_1
 speed 100
 full-duplex
 crypto map CRYPTO_MAP_PTPVPN_<snip>
!
interface Serial0/0
 bandwidth 1536
 ip address 172.16.2.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip nat inside
 encapsulation ppp
 ip ospf network point-to-point
 logging event subif-link-status
 down-when-looped
 fair-queue
 service-module t1 timeslots 1-24
!
<snip>
!
router ospf 100
 log-adjacency-changes
 passive-interface Loopback0
 <snip>
 network 172.16.2.0 0.0.0.255 area 0.0.0.0
 network 192.168.3.0 0.0.0.255 area 0.0.0.0
 <snip>
!
<snip>
!
ip route 0.0.0.0 0.0.0.0 192.168.4.1 10
ip route 192.168.2.0 255.255.255.0 Tunnel0 200
<snip>
!
!
!
ip access-list extended ACL_CRYPTO_192.168.2.0_192.168.3.0
 remark #######################################################
 remark Permit backup VPN traffic 192.168.3.0 and 192.168.2.0
 remark #######################################################
 remark
 permit gre host 172.16.1.1 host 172.16.1.2
 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
 remark
 remark #######################################################
 remark Deny All
 remark #######################################################
 deny   ip any any
 remark

==========

rtr1

!
! Last configuration change at 13:32:49 EDT Tue Jul 20 2010 by admin
! NVRAM config last updated at 11:06:28 EDT Tue Jul 20 2010 by admin
!
version 12.3
service timestamps debug datetime msec show-timezone year
service timestamps log datetime msec show-timezone year
service password-encryption
!
hostname RTR1
!
boot-start-marker
boot-end-marker
!
memory-size iomem 15
!
!
<snip>
no ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip flow-cache timeout active 5
!
!
ip cef
<snip>
!
<snip>
controller T1 0/0
 framing esf
 linecode ami
!
controller T1 0/1
 framing sf
 linecode ami
!
ip ssh time-out 60
ip ssh source-interface FastEthernet0/0
!
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key <snip> address 2.2.2.2
!
!
crypto ipsec transform-set TRANSFORMS_CRYPTO_192.168.2.0_192.168.3.0 esp-aes esp-md5-hmac
 mode transport
!
crypto map CRYPTO_MAP_PTPVPN_<snip> 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set TRANSFORMS_CRYPTO_192.168.2.0_192.168.3.0
 match address ACL_CRYPTO_192.168.2.0_192.168.3.0
!
!
!
!
interface Loopback0
 ip address 2.2.16.172 255.255.255.0
!
interface Tunnel0
 ip address 172.16.1.2 255.255.255.252
 ip tcp adjust-mss 1402
 tunnel source FastEthernet0/1
 tunnel destination 2.2.2.2
!
<snip>
!
interface FastEthernet0/1
 <snip>
 ip address 192.168.0.254 255.255.255.0
 ip nat outside
 ip flow ingress
 ip route-cache flow
 speed 100
 full-duplex
 crypto map CRYPTO_MAP_PTPVPN_<snip>
!
interface Serial0/2
 <snip>
 bandwidth 1536
 ip address 172.16.2.2 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip flow ingress
 encapsulation ppp
 ip route-cache flow
 ip ospf network point-to-point
 logging event subif-link-status
 fair-queue
!
<snip>
router ospf 100
 log-adjacency-changes
 network 172.16.2.0 0.0.0.255 area 0.0.0.0
 network 192.168.0.0 0.0.0.255 area 0.0.0.0
 network 192.168.2.0 0.0.0.255 area 0.0.0.0
!
<snip>
!
<snip>
ip route 0.0.0.0 0.0.0.0 192.168.0.1 20
ip route 0.0.0.0 0.0.0.0 192.168.3.1 100
ip route 192.168.3.0 255.255.255.0 Tunnel0 200
ip route 192.168.32.0 255.255.255.0 192.168.3.1
!
!
!
ip access-list extended ACL_CRYPTO_192.168.2.0_192.168.3.0
 remark #######################################################
 remark Permit backup VPN traffic 192.168.3.0 and 192.168.2.0
 remark #######################################################
 remark
 permit gre host 172.16.1.2 host 172.16.1.1
 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
 remark
 remark #######################################################
 remark Deny All
 remark #######################################################
 deny   ip any any
 remark

Output of Ping

Reply from 172.16.1.2: bytes=32 time=17ms TTL=254
Request timed out.
Reply from 172.16.1.2: bytes=32 time=17ms TTL=254
Request timed out.
Reply from 172.16.1.2: bytes=32 time=17ms TTL=254
Request timed out.
Reply from 172.16.1.2: bytes=32 time=17ms TTL=254
Request timed out.
Reply from 172.16.1.2: bytes=32 time=17ms TTL=254
Request timed out.
Reply from 172.16.1.2: bytes=32 time=17ms TTL=254
Request timed out.
Reply from 172.16.1.2: bytes=32 time=21ms TTL=254
Request timed out.
Reply from 172.16.1.2: bytes=32 time=17ms TTL=254
Request timed out.
Reply from 172.16.1.2: bytes=32 time=17ms TTL=254
Request timed out.
Reply from 172.16.1.2: bytes=32 time=17ms TTL=254
Request timed out.
Reply from 172.16.1.2: bytes=32 time=17ms TTL=254
Request timed out.
Reply from 172.16.1.2: bytes=32 time=17ms TTL=254
Request timed out.
Reply from 172.16.1.2: bytes=32 time=17ms TTL=254
Request timed out.
Reply from 172.16.1.2: bytes=32 time=17ms TTL=254
Request timed out.
Reply from 172.16.1.2: bytes=32 time=18ms TTL=254
Request timed out.
Reply from 172.16.1.2: bytes=32 time=19ms TTL=254
Request timed out.
Reply from 172.16.1.2: bytes=32 time=17ms TTL=254
Request timed out.
Reply from 172.16.1.2: bytes=32 time=17ms TTL=254
Request timed out.
Reply from 172.16.1.2: bytes=32 time=17ms TTL=254
Request timed out.
Reply from 172.16.1.2: bytes=32 time=17ms TTL=254
Request timed out.
Reply from 172.16.1.2: bytes=32 time=17ms TTL=254
Request timed out.
Reply from 172.16.1.2: bytes=32 time=17ms TTL=254
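
A check worth running on a crypto map applied to the physical interface, added here as my own example and not code from the thread: IOS evaluates the crypto ACL against the packet leaving that interface, which for tunnelled traffic is the GRE packet after encapsulation, carrying the tunnel source (FastEthernet0/0, 192.168.4.254) and tunnel destination (1.1.1.1) as its outer addresses rather than the Tunnel0 addresses. The small evaluator below parses RTR2's crypto ACL as posted and classifies the packets the router would actually send; the LAN host addresses 192.168.3.10 and 192.168.2.10 are constructed for illustration.

```python
import ipaddress

# RTR2's crypto ACL as posted in the thread (remarks are skipped by the parser).
RTR2_CRYPTO_ACL = """
 remark Permit backup VPN traffic 192.168.3.0 and 192.168.2.0
 permit gre host 172.16.1.1 host 172.16.1.2
 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip any any
"""

def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # An IOS wildcard mask is the bitwise inverse of a netmask (0.0.0.255 -> 255.255.255.0).
    netmask = 0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[1]))
    net = ipaddress.ip_network((tokens[0], str(ipaddress.ip_address(netmask))), strict=False)
    return net, tokens[2:]

def parse_acl(text):
    """Turn ACL text into ordered (action, protocol, src_net, dst_net) entries."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue  # blank lines and remarks
        src, rest = _parse_addr(tokens[2:])
        dst, _ = _parse_addr(rest)
        entries.append((tokens[0], tokens[1], src, dst))
    return entries

def crypto_decision(acl, proto, src, dst):
    """First matching ACE decides: permit = encrypt, deny or no match = send in the clear."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet in acl:
        if p in ("ip", proto) and s in snet and d in dnet:
            return "encrypt" if action == "permit" else "clear"
    return "clear"

if __name__ == "__main__":
    acl = parse_acl(RTR2_CRYPTO_ACL)
    # The GRE packet as it leaves FastEthernet0/0: outer src = tunnel source, dst = tunnel destination.
    print("GRE as actually sent:   ", crypto_decision(acl, "gre", "192.168.4.254", "1.1.1.1"))
    # The ACE as written only matches GRE between the Tunnel0 addresses, which the tunnel never emits.
    print("GRE between Tunnel0 IPs:", crypto_decision(acl, "gre", "172.16.1.1", "172.16.1.2"))
    # LAN-to-LAN traffic matches the second ACE, but it is already inside GRE by the time
    # the crypto map on FastEthernet0/0 evaluates it, so this ACE never fires for tunnelled traffic.
    print("inner LAN packet:       ", crypto_decision(acl, "ip", "192.168.3.10", "192.168.2.10"))
```

If the first line prints "clear", the backup path is running as unencrypted GRE and the crypto ACL needs an entry for GRE between the real tunnel source and destination addresses.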

16 Replies

All,

Thanks for all your help.  It ended up working.  Oddly enough, after you guys straightened out the config it didn't work.  It ended up being a firewall issue: the firewall had NAT rules for each router, but they were installed on both firewalls.  It ended up dropping certain packets due to spoofing.  Once I fixed that, everything worked.

Thanks again.

Thanks for posting back to the forum indicating that the problem was solved and what the solution was and thanks for using the marking to show that this one was solved. It makes the forum more useful when people can read about a problem and can know from the marking that there was a solution. I think that this one may be especially helpful since it reminds us that sometimes the problem is not in the configuration of the device that we are working on but is somewhere else in the network.

HTH

Rick