10-02-2017 09:28 PM - edited 03-05-2019 09:13 AM
Scenario:
Build a backup path over an IPsec tunnel across a 4G card.
Both the primary and the 4G links are on the same router, and they both terminate on the same firewall (FortiGate) on the other end.
My initial plan was to use a front door VRF to build the underlay network and then on top
create a tunnel (GRE/VTI) interface in the global table which will be used to send the traffic across while being encrypted with an IPsec profile.
A few things are important to mention here:
1. The 4G card is behind a NAT and the outbound public IP is not static.
2. For the firewall I have a FortiGate building an on-demand IPsec tunnel.
This type of tunnel is similar to a tunnel built from a phone to a firewall where your source is also behind a NAT.
==============================================================================
The following config ensures Internet access over the 4G card
==============================================================================
!
interface Cellular0/1/0
vrf forwarding INET
ip address negotiated
ip nat outside
dialer in-band
dialer-group 1
!
interface Loopback10
vrf forwarding INET
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
ip route vrf INET 0.0.0.0 0.0.0.0 Cellular0/1/0
!
ip access-list extended NAT
permit ip 192.168.1.0 0.0.0.255 any
!
ip nat inside source list NAT interface Cellular0/1/0 vrf INET overload
!
==============================================================================
Internet access testing over the 4G
==============================================================================
#ping vrf INET 8.8.8.8 so lo10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/59/97 ms
#show cellular 0/1/0 profile
Profile password Encryption level: 7
Profile 1 = ACTIVE* **
--------
PDP Type = IPv4
PDP address = 10.109.112.58
Access Point Name (APN) = telstra.internet
Authentication = None
Primary DNS address = 10.5.209.36
Secondary DNS address = 10.5.80.241
Primary DNS IPV6 address = 0
Secondary DNS IPV6 address = 0
==============================================================================
Now, with the 4G card up and running, I start building the IPsec tunnel across it.
==============================================================================
!
crypto keyring Ipsec-KEY vrf INET
pre-shared-key address 1.2.3.4 key cisco
!
crypto isakmp policy 10
encr aes 256
hash md5
authentication pre-share
group 2
lifetime 28800
!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac
!
crypto ipsec profile Ipsec-PROFILE
set transform-set ESP-AES-256-SHA
!
interface Tunnel100
ip address 192.168.100.254 255.255.255.0
tunnel source Cellular0/1/0
tunnel mode ipsec ipv4
tunnel destination 1.2.3.4
tunnel vrf INET
tunnel protection ipsec profile Ipsec-PROFILE
!
==============================================================================
At this stage I can see the IPsec tunnel built on both ends (router and the firewall); however, the tunnel interface is still line protocol down.
==============================================================================
#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
1.2.3.4 10.109.112.58 QM_IDLE 16152 ACTIVE
#show int tun100
Tunnel100 is up, line protocol is down
Hardware is Tunnel
Internet address is 192.168.100.254/24
MTU 10000 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel linestate evaluation down - linestate protection reg down
Tunnel source 10.109.112.58 (Cellular0/1/0), destination 1.2.3.4
Tunnel Subblocks:
src-track:
Tunnel100 source tracking subblock associated with Cellular0/1/0
Set of tunnels with source Cellular0/1/0, 1 member (includes iterators), on interface <OK>
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
<output omitted>
==============================================================================
CONCLUSION:
Based on the current status of this scenario, the only missing part for this to work is the Tunnel interface, which still has the line protocol down. Once this is done, I can add routes for the backup traffic across the tunnel.
10-03-2017 04:30 AM
You need an ISAKMP profile for VRF-aware IKEv1 to work:
crypto isakmp profile IKEv1-INET-PROF
vrf INET
keyring Ipsec-KEY vrf INET
match identity address 1.2.3.4 255.255.255.255 INET
isakmp authorization list default
!
crypto ipsec profile Ipsec-PROFILE
set isakmp-profile IKEv1-INET-PROF
set transform-set ESP-AES-256-SHA
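The reply above says the pieces have to chain together: VTI, IPsec profile, ISAKMP profile and keyring all bound to the same front door VRF and the same peer. The following is an added example, not code from this thread or from Cisco, that lints a saved IOS config for exactly that chain; the sample config is constructed from the snippets in this thread.

```python
# Constructed sample assembled from the thread's snippets (keyring, ISAKMP profile, IPsec profile, VTI).
SAMPLE = """\
crypto keyring Ipsec-KEY vrf INET
 pre-shared-key address 1.2.3.4 key cisco
!
crypto isakmp profile IKEv1-INET-PROF
 vrf INET
 keyring Ipsec-KEY
 match identity address 1.2.3.4 255.255.255.255 INET
!
crypto ipsec profile Ipsec-PROFILE
 set transform-set ESP-AES-256-SHA
 set isakmp-profile IKEv1-INET-PROF
!
interface Tunnel100
 tunnel destination 1.2.3.4
 tunnel vrf INET
 tunnel protection ipsec profile Ipsec-PROFILE
"""

def parse_blocks(text):
    # Map each top-level IOS line to its indented child lines (stripped).
    blocks, cur = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            cur = None
        elif line.startswith(" ") and cur is not None:
            blocks[cur].append(line.strip())
        else:
            cur, blocks[line.strip()] = line.strip(), []
    return blocks

def _arg(lines, prefix):
    # Remainder of the first child line beginning with prefix, else None.
    return next((l[len(prefix) + 1:] for l in lines if l.startswith(prefix + " ")), None)

def check_vrf_aware_vti(text, tunnel="Tunnel100"):
    # Walk VTI -> IPsec profile -> ISAKMP profile -> keyring and report mismatches.
    b, out = parse_blocks(text), []
    tun = b.get("interface " + tunnel, [])
    vrf, dst = _arg(tun, "tunnel vrf"), _arg(tun, "tunnel destination")
    ipsec = b.get("crypto ipsec profile %s" % _arg(tun, "tunnel protection ipsec profile"), [])
    isa_name = _arg(ipsec, "set isakmp-profile")
    if isa_name is None:
        return ["no ISAKMP profile on the IPsec profile (required for VRF-aware IKEv1)"]
    isa = b.get("crypto isakmp profile " + isa_name, [])
    if _arg(isa, "vrf") != vrf:
        out.append("ISAKMP profile vrf does not match tunnel vrf %s" % vrf)
    ident = (_arg(isa, "match identity address") or "").split()
    if len(ident) < 3 or ident[0] != dst or ident[-1] != vrf:
        out.append("match identity does not cover peer %s in vrf %s" % (dst, vrf))
    if "crypto keyring %s vrf %s" % (_arg(isa, "keyring"), vrf) not in b:
        out.append("keyring is not bound to vrf %s" % vrf)
    return out
```

Run it against the running config (for example the output of `show running-config` saved to a file) before reading `show interface tunnel` output; an empty list means the chain is consistent.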
10-03-2017 04:17 PM
I attached an ISAKMP profile as advised; however, nothing changed in terms of my tunnel interface, it is still with the line protocol down.
Again, I'm not sure why an ISAKMP profile would change this state, my IPsec tunnel was up and running already, before the ISAKMP profile.
crypto isakmp profile IKEv1-INET-PROF
vrf INET
keyring Ipsec-KEY
match identity address 1.2.3.4 255.255.255.255 INET
!
crypto ipsec profile Ipsec-PROFILE
set transform-set ESP-AES-256-SHA
set isakmp-profile IKEv1-INET-PROF
!
#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
1.2.3.4 10.109.112.58 QM_IDLE 17265 ACTIVE IKEv1-INET-PROF
!
# show interface tunnel100
Tunnel100 is up, line protocol is down
Hardware is Tunnel
Internet address is 192.168.100.254/24
MTU 10000 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel linestate evaluation down - linestate protection reg down
Tunnel source 10.109.112.58 (Cellular0/1/0), destination 1.2.3.4
Tunnel Subblocks:
src-track:
Tunnel100 source tracking subblock associated with Cellular0/1/0
Set of tunnels with source Cellular0/1/0, 1 member (includes iterators), on interface <OK>
Tunnel protocol/transport IPSEC/IP