IPSEC tunnel and GRE

ajike ola
Level 1

I need your help understanding this configuration:

I was trying out GRE over IPSEC in my home lab, using the following configuration:

R1==>R3==>R2

My GRE and IPSEC originate at R1 and terminate on R2, and I verified that the tunnel is up and running on both R1 and R2. I also verified the packets are being encapsulated and encrypted, using "show crypto ipsec sa".

However, when I connected a PC to R3, I was able to ping both R1 and R2.

I didn't think I should be able to do this, given this is supposed to be a secured tunnel.

Someone please help me understand.

Thanks

Thank you very much. This really helped me see what I was missing in my configuration. I added a routing protocol (OSPF) and was able to ping the network on the other side of R1 and R2; however, I do not see the ping packet counts. I modified the access-list to include those networks, but that didn't help.

Thanks.

If you are able to ping and the packets do not show as encrypted, then we have a problem with the ACL.

Can you post your config just like I did? It will definitely help.

First, I am sorry for not being able to get this to work, and the trouble you have gone through to help me. Thank you.

Since you have basically spoon-fed me up to this point, I wanted to give it a shot, and I have for the last couple of days, and I still don't know what I am doing wrong. I have incorporated your config into mine, and back and forth, but nothing seems to work. If I ping from the Internet router to either the R2 or R3 interfaces, I can see the packets go through the tunnels; however, if I ping from the Internet router to either Server 2 or Server 3, it fails. Also, if I ping from the NMS-PC to either Server 2 or Server 3 (with OSPF configured), it succeeds, but the packets don't go through the tunnels.

                            NMS-PC
                              |
                              V
Server 2 ==> R2 ==> Internet Router ==> R3 ==> Server 3

The objective is as follows:

  • All packets originating from the Internet Router should go through the tunnel to server2 and server3
  • All packets from NMS-PC should go through the tunnel; that is, NMS-PC should be able to see server2 and server3 through the tunnels. I tried verifying this by pinging, but I couldn't see any packet counts in the tunnels.
  • And all packets from server2 and server3 should go through the tunnel to NMS-PC

Here is my config:

sh run
Building configuration...

Current configuration : 2038 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Internet
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
ip cef
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
crypto isakmp key adupa address 172.16.2.2
crypto isakmp key adupa address 172.16.3.2
!
!
crypto ipsec transform-set transet esp-aes 256 esp-sha-hmac
!
crypto map gre_ipsec 10 ipsec-isakmp
set peer 172.16.2.2
set transform-set transet
match address gre-ipsec2
crypto map gre_ipsec 20 ipsec-isakmp
set peer 172.16.3.2
set transform-set transet
match address gre-ipsec3
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel1
ip address 172.168.16.1 255.255.255.0
tunnel source 172.16.2.1
tunnel destination 172.16.2.2
!
interface Tunnel2
ip address 172.168.17.1 255.255.255.0
tunnel source 172.16.3.1
tunnel destination 172.16.3.2
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 100
ip address 172.16.2.1 255.255.255.0
crypto map gre_ipsec
!
interface FastEthernet0/0.2
encapsulation dot1Q 200
ip address 172.16.3.1 255.255.255.0
crypto map gre_ipsec
!
!
interface FastEthernet0/1
ip address 172.168.2.254 255.255.255.0
duplex auto
speed auto
!
ip forward-protocol nd
ip route 2.2.2.2 255.255.255.255 Tunnel1
ip route 3.3.3.3 255.255.255.255 Tunnel2
ip route 172.168.3.0 255.255.255.0 Tunnel1
ip route 172.168.4.0 255.255.255.0 Tunnel2
!
no ip http server
no ip http secure-server
!
ip access-list extended gre-ipsec2
permit gre host 172.16.2.1 host 172.16.2.2
permit gre host 192.168.2.253 host 172.16.2.2
permit gre host 192.168.2.254 host 172.16.2.2
ip access-list extended gre-ipsec3
permit gre host 172.16.3.1 host 172.16.3.2
permit gre host 192.168.2.253 host 172.16.2.2
permit gre host 192.168.2.254 host 172.16.2.2
!!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
!
end

=========================================R2 Config================================

sh run
Building configuration...

Current configuration : 1223 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
!
!
ip cef
!
ip audit po max-events 100
!
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
crypto isakmp key adupa address 172.16.2.1
!
!
crypto ipsec transform-set transet esp-aes 256 esp-sha-hmac
!
crypto map gre_ipsec 10 ipsec-isakmp
set peer 172.16.2.1
set transform-set transet
match address gre-ipsec1
!
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Tunnel1
ip address 172.168.16.2 255.255.255.0
tunnel source 172.16.2.2
tunnel destination 172.16.2.1
!
interface f0/0
ip address 172.16.2.2 255.255.255.0
full-duplex
crypto map gre_ipsec
!
interface f0/1
ip address 172.168.3.154 255.255.255.0
full-duplex
no keepalive
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Tunnel1
!
ip access-list extended gre-ipsec1
permit gre host 172.16.2.2 host 172.16.2.1
permit gre host 172.16.3.153 host 172.16.2.1
permit gre host 172.16.3.154 host 172.16.2.1
!
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
!
end

R2#

=====================================R3 Config===============================

sh run
Building configuration...

Current configuration : 1336 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
ip cef
!
!
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
crypto isakmp key adupa address 172.16.3.1
!
!
crypto ipsec transform-set transet esp-aes 256 esp-sha-hmac
!
crypto map gre_ipsec 10 ipsec-isakmp
set peer 172.16.3.1
set transform-set transet
match address gre-ipsec1
!
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.0
!
interface Tunnel1
ip address 172.168.17.2 255.255.255.0
tunnel source 172.16.3.2
tunnel destination 172.16.3.1
!
interface FastEthernet0/0
ip address 172.16.3.2 255.255.255.0
duplex auto
speed auto
crypto map gre_ipsec
!
interface Serial0/0
no ip address
shutdown
no fair-queue
!
interface FastEthernet0/1
ip address 172.168.4.154 255.255.255.0
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Tunnel1
!
ip http server
no ip http secure-server
!
ip access-list extended gre-ipsec1
permit gre host 172.16.3.2 host 172.16.3.1
permit gre host 172.168.4.153 host 172.16.3.1
permit gre host 172.168.4.154 host 172.16.3.1
!
!
!
control-plane
!
!
!
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
!
end

R3#
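Both questions in this thread (why a host behind the transit router can still ping the tunnel endpoints, and why pings do not show up as encrypted packets) come down to what the crypto ACL actually matches: a crypto map only encrypts traffic that hits a permit entry in its `match address` ACL, and the peers' ACLs have to be mirror images of each other. The script below is an added example written for this page, not code from the thread, from Cisco, or from the linked documentation. It parses the tunnel, crypto-map and ACL lines of the "Internet" and R2 configs posted above (trimmed to those lines, an assumption made for brevity; the parser only understands `host` and `any` address specs), answers whether a given flow would leave the router inside IPsec, and flags ACL permits that can never match GRE the router itself sources as well as permits that have no mirror-image entry on the peer.

```python
import ipaddress

# Constructed sample: tunnel, crypto-map and ACL lines from the "Internet" and R2 configs posted above.
INTERNET_CFG = """\
interface Tunnel1
 tunnel source 172.16.2.1
 tunnel destination 172.16.2.2
crypto map gre_ipsec 10 ipsec-isakmp
 set peer 172.16.2.2
 match address gre-ipsec2
ip access-list extended gre-ipsec2
 permit gre host 172.16.2.1 host 172.16.2.2
 permit gre host 192.168.2.253 host 172.16.2.2
 permit gre host 192.168.2.254 host 172.16.2.2
"""
R2_CFG = """\
interface Tunnel1
 tunnel source 172.16.2.2
 tunnel destination 172.16.2.1
crypto map gre_ipsec 10 ipsec-isakmp
 set peer 172.16.2.1
 match address gre-ipsec1
ip access-list extended gre-ipsec1
 permit gre host 172.16.2.2 host 172.16.2.1
 permit gre host 172.16.3.153 host 172.16.2.1
 permit gre host 172.16.3.154 host 172.16.2.1
"""
KEYS = {("tunnel", "source"): "src", ("tunnel", "destination"): "dst",   # sub-commands copied into
        ("set", "peer"): "peer", ("match", "address"): "acl"}            # the current interface / map entry

def _addr(tok):
    """Consume one ACL address spec ('host A' or 'any'); return (network, remaining tokens)."""
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    raise ValueError("wildcard address specs are not handled in this example")

def parse_config(text):
    """Extract tunnels, crypto-map entries and extended ACLs from IOS config text."""
    cfg = {"tunnels": [], "maps": [], "acls": {}}
    cur = None
    for tok in filter(None, map(str.split, text.splitlines())):
        if tok[0] == "interface":
            cur = {"src": None, "dst": None}
            if tok[1].startswith("Tunnel"):
                cfg["tunnels"].append(cur)
        elif tok[:2] == ["crypto", "map"] and len(tok) >= 5:   # a map entry, not the interface binding
            cur = {"peer": None, "acl": None}
            cfg["maps"].append(cur)
        elif tok[:3] == ["ip", "access-list", "extended"]:
            cur = cfg["acls"].setdefault(tok[3], [])
        elif isinstance(cur, dict) and tuple(tok[:2]) in KEYS:
            cur[KEYS[tuple(tok[:2])]] = tok[2]
        elif isinstance(cur, list) and tok[0] in ("permit", "deny"):
            src, rest = _addr(tok[2:])
            dst, _ = _addr(rest)
            cur.append((tok[0], tok[1], src, dst))
    return cfg

def is_encrypted(cfg, proto, src, dst):
    """True if an outbound packet hits a crypto-map permit entry and so leaves inside IPsec."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for m in cfg["maps"]:
        for action, p, snet, dnet in cfg["acls"].get(m["acl"], []):
            if p in (proto, "ip") and s in snet and d in dnet:
                if action == "permit":
                    return True
                break  # explicit deny: this map entry is skipped, the next one is tried
    return False

def audit(cfg):
    """Flag tunnels whose GRE leaves in cleartext, and permits that no locally sourced GRE can match."""
    flows = {(t["src"], t["dst"]) for t in cfg["tunnels"]}
    problems = [f"GRE {s} -> {d} is forwarded in cleartext"
                for s, d in sorted(flows) if not is_encrypted(cfg, "gre", s, d)]
    for name, acl in cfg["acls"].items():
        for action, proto, snet, dnet in acl:
            live = any(ipaddress.ip_address(s) in snet and ipaddress.ip_address(d) in dnet for s, d in flows)
            if action == "permit" and not live:
                problems.append(f"{name}: 'permit {proto} {snet} {dnet}' matches no GRE this router sources")
    return problems

def mirror_issues(local, peer):
    """Crypto ACLs must be mirror images: every local permit needs the reversed entry on the peer."""
    peer_addrs = {t["src"] for t in peer["tunnels"]}
    peer_entries = {e for m in peer["maps"] for e in peer["acls"].get(m["acl"], [])}
    issues = []
    for m in local["maps"]:
        if m["peer"] not in peer_addrs:
            continue  # this map entry points at some other peer
        for action, proto, snet, dnet in local["acls"].get(m["acl"], []):
            if action == "permit" and (action, proto, dnet, snet) not in peer_entries:
                issues.append(f"{m['acl']}: {proto} {snet} -> {dnet} has no mirror on peer {m['peer']}")
    return issues

if __name__ == "__main__":
    inet, r2 = parse_config(INTERNET_CFG), parse_config(R2_CFG)
    print("ICMP 172.16.2.1 -> 172.16.2.2 encrypted:", is_encrypted(inet, "icmp", "172.16.2.1", "172.16.2.2"))
    print("GRE  172.16.2.1 -> 172.16.2.2 encrypted:", is_encrypted(inet, "gre", "172.16.2.1", "172.16.2.2"))
    print(*audit(inet), *audit(r2), *mirror_issues(inet, r2), *mirror_issues(r2, inet), sep="\n")
```

Run as-is, it reports that an ICMP packet between the two endpoint addresses never matches `permit gre` and therefore travels in cleartext, which is why a host on the transit router can reach both routers: only the GRE encapsulation is protected, not the endpoints themselves. It also lists the second and third line of each posted ACL as entries that can never match (the router only sources GRE from its tunnel source address) and as lacking a mirror on the peer. A clean pair of crypto ACLs for a GRE tunnel is exactly one `permit gre host <local tunnel source> host <peer>` line on each side, reversed on the other.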

Let's clean up your ACL:

ip access-list extended gre-ipsec2
permit gre host 172.16.2.1 host 172.16.2.2
permit gre host 192.168.2.253 host 172.16.2.2
permit gre host 192.168.2.254 host 172.16.2.2
ip access-list extended gre-ipsec3
permit gre host 172.16.3.1 host 172.16.3.2
permit gre host 192.168.2.253 host 172.16.2.2
permit gre host 192.168.2.254 host 172.16.2.2

ip access-list extended gre-ipsec1
permit gre host 172.16.2.2 host 172.16.2.1
permit gre host 172.16.3.153 host 172.16.2.1
permit gre host 172.16.3.154 host 172.16.2.1

ip access-list extended gre-ipsec1
permit gre host 172.16.3.2 host 172.16.3.1
permit gre host 172.168.4.153 host 172.16.3.1
permit gre host 172.168.4.154 host 172.16.3.1
!

You should be able to ping 1.1.1.1 from 3.3.3.3 by using the following command:

ping 1.1.1.1 source lo0

Traffic should show as encrypted and the ping should succeed.

I didn't see the OSPF configuration in your post, but all you need to do is enable OSPF on the tunnel and LAN interfaces, for instance:

router ospf 1
network 172.168.16.1 0.0.0.0 area 0
network 172.168.17.1 0.0.0.0 area 0
network 1.1.1.1 0.0.0.0 area 0
network 172.168.2.254 0.0.0.0 area 0
default-information originate always

router ospf 1
network 172.168.16.2 0.0.0.0 area 0
network 172.168.3.154 0.0.0.0 area 0
network 2.2.2.2 0.0.0.0 area 0

router ospf 1
network 172.168.17.2 0.0.0.0 area 0
network 3.3.3.3 0.0.0.0 area 0
network 172.168.4.154 0.0.0.0 area 0

Sorry, I did configure OSPF, but I must have taken it out in frustration. Anyway, I think I had too many things going wrong in the config.

Finally, with the clean up above, everything works just fine.

I can't thank you enough.

Excellent!

BTW, you will encounter fragmentation issues with GRE, which you need to resolve with PMTUD.

Please refer to this link for more info:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

Regards,

Edison
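To put a number on the fragmentation warning above, the following is an added example (not code from the thread or from the linked paper). It computes the on-wire size of a packet after GRE encapsulation and then ESP encapsulation with the thread's `esp-aes 256 esp-sha-hmac` transform set, and from that the largest original packet that crosses a 1500-byte link without being fragmented, plus the matching `ip tcp adjust-mss` value. The header sizes are standard values assumed from the GRE and ESP specifications, not figures given on the page: a 4-byte GRE header with no key or sequence option, a 16-byte AES-CBC IV, a 12-byte HMAC-SHA1-96 integrity check value, and tunnel mode, since none of the posted crypto maps set `mode transport`.

```python
# Assumed standard header sizes (RFC 2784 GRE, RFC 4303 ESP, RFC 2404 HMAC-SHA1-96); none come from the page.
GRE_ENCAP = 24       # new outer IPv4 header (20) + basic GRE header (4, no key/sequence)
ESP_HEADER = 8       # SPI + sequence number
AES_CBC_IV = 16
AES_BLOCK = 16       # ESP payload + trailer is padded to a multiple of the cipher block size
ESP_TRAILER = 2      # pad-length + next-header bytes
SHA1_ICV = 12        # esp-sha-hmac = HMAC-SHA1-96, 12-byte integrity check value
TUNNEL_MODE_IP = 20  # crypto maps default to tunnel mode, which adds another IPv4 header


def esp_tunnel_mode_size(inner_len):
    """Wire size of an ESP tunnel-mode packet carrying an inner IP packet of inner_len bytes."""
    pad = (-(inner_len + ESP_TRAILER)) % AES_BLOCK
    return TUNNEL_MODE_IP + ESP_HEADER + AES_CBC_IV + inner_len + pad + ESP_TRAILER + SHA1_ICV


def gre_over_ipsec_size(original_len):
    """Wire size after the original IP packet is wrapped in GRE and the GRE packet in ESP."""
    return esp_tunnel_mode_size(original_len + GRE_ENCAP)


def max_original_packet(link_mtu=1500):
    """Largest original IP packet that survives GRE + ESP encapsulation without fragmentation."""
    return max(n for n in range(link_mtu + 1) if gre_over_ipsec_size(n) <= link_mtu)


def tcp_mss_for(link_mtu=1500, ip_hdr=20, tcp_hdr=20):
    """MSS to clamp with 'ip tcp adjust-mss' so full-size TCP segments never need fragmenting."""
    return max_original_packet(link_mtu) - ip_hdr - tcp_hdr


if __name__ == "__main__":
    for size in (576, 1400, 1414, 1415, 1500):
        print(f"original {size:4d} B -> {gre_over_ipsec_size(size):4d} B on the wire")
    print("largest unfragmented original packet:", max_original_packet())
    print("tcp adjust-mss value:", tcp_mss_for())
```

A 1500-byte packet grows to 1592 bytes on the wire, so either the router fragments it after encryption or, with DF set, drops it and relies on PMTUD. The exact limit for this transform set is 1414 bytes; in practice the tunnel interface is given a rounded-down `ip mtu 1400` and `ip tcp adjust-mss 1360`, which leaves headroom for GRE key or sequence options and other transform sets.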

Thanks again, I will keep that in mind.