IPSEC VTI over MPLS


We are currently using IPsec VTI on our WAN links with our current service provider. However, we have to change service providers due to some reasons. The first test we did with the new service provider who uses MPLS was not successful. Could it be that IPsec VTI does not work with MPLS? We will appreciate your assistance, please have a look at the sample config below.

...........................
ROUTER - HO
...............................
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key .... address 10.1.1.10
crypto ipsec security-association replay window-size
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VPN_TO_Branch
set transform-set ESP-3DES-SHA
!
crypto map MainWAN 12 ipsec-isakmp
description VPN_TO_Branch
set peer 10.1.1.10
set transform-set ESP-3DES-SHA
match address 104
!
interface Tunnel0
description Link to Branch
ip address 192.168.1.9 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination 10.1.1.10
tunnel protection ipsec profile VPN_TO_Branch
!
!
interface GigabitEthernet0/0/0
description Service Provider Facing Interface
ip address 10.1.1.9 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
negotiation auto
!
!
.............................
ROUTER - Branch
...............................
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp key .... address 10.1.1.9
!
crypto ipsec security-association replay window-size
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VPN_TO_HO
set transform-set ESP-3DES-SHA
!
crypto map MainWAN 10 ipsec-isakmp
description VPN_TO_HO
set peer 10.1.1.9
set security-association lifetime seconds 10800
set transform-set ESP-3DES-SHA
match address SDM_3
!
interface Tunnel0
description Service Provider Link to HO
ip address 192.168.1.10 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination 10.1.1.9
tunnel protection ipsec profile VPN_TO_HO
!
interface GigabitEthernet0/0/0
description Service Provider Facing Interface
ip address 10.1.1.10 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
negotiation auto
!
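Before suspecting the carrier, the first thing to do with a pair of configs like the ones above is to diff the two ends mechanically. The following is an added example (my code, not the poster's): it parses trimmed copies of the HO and Branch configs from the question and reports the asymmetries that keep an IPsec VTI down: tunnel destination versus the peer's underlay address, a missing isakmp key for the peer, no transform-set in common, differing tunnel ip mtu, and ISAKMP policy attributes (filled in with IOS defaults where a policy leaves them unset). The pre-shared key is a placeholder because the post elides it.

```python
"""Cross-check two Cisco IOS IPsec VTI peers for symmetry. Added example, not code
from the thread: trimmed copies of the question's HO/Branch configs, PSK is a placeholder."""
HO_CONFIG = """\
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key PSK-PLACEHOLDER address 10.1.1.10
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
interface Tunnel0
 ip mtu 1400
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 10.1.1.10
interface GigabitEthernet0/0/0
 ip address 10.1.1.9 255.255.255.252
"""
BRANCH_CONFIG = """\
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key PSK-PLACEHOLDER address 10.1.1.9
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
interface Tunnel0
 ip mtu 1400
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 10.1.1.9
interface GigabitEthernet0/0/0
 ip address 10.1.1.10 255.255.255.252
"""
# IOS defaults for ISAKMP policy attributes that are not configured explicitly
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
def parse_blocks(text):
    """Group config lines into {header line: [indented sub-commands]}."""
    blocks, cur = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            cur = raw.strip()
            blocks[cur] = []
        elif cur is not None:
            blocks[cur].append(raw.strip())
    return blocks

def sub(lines, prefix):
    """Argument of the first sub-command that starts with prefix, or None."""
    return next((l[len(prefix) + 1:] for l in lines if l.startswith(prefix + " ")), None)

def summarize(text):
    """Extract the ISAKMP, transform-set and interface facts a peer check needs."""
    s = {"key_peers": set(), "policies": [], "tsets": set(), "ifaces": {}}
    for hdr, lines in parse_blocks(text).items():
        w = hdr.split()
        if hdr.startswith("crypto isakmp key"):
            s["key_peers"].add(w[w.index("address") + 1])
        elif hdr.startswith("crypto isakmp policy"):
            pol = dict(ISAKMP_DEFAULTS)
            pol.update(l.split(None, 1) for l in lines if " " in l)
            s["policies"].append(pol)
        elif hdr.startswith("crypto ipsec transform-set"):
            s["tsets"].add((tuple(w[4:]), sub(lines, "mode") or "tunnel"))
        elif hdr.startswith("interface"):
            s["ifaces"][w[1]] = lines
    return s

def vti(s):
    """Sub-commands of the first interface in 'tunnel mode ipsec ipv4', else None."""
    return next((l for l in s["ifaces"].values() if sub(l, "tunnel mode") == "ipsec ipv4"), None)

def underlay_ip(s, tunnel):
    """IP of the interface named by 'tunnel source', i.e. the IKE/ESP endpoint."""
    addr = sub(s["ifaces"].get(sub(tunnel, "tunnel source"), []), "ip address")
    return addr.split()[0] if addr else None

def check_peers(text_a, text_b, names=("HO", "Branch")):
    """Return the asymmetries that would stop the VTI between two configs coming up."""
    a, b = summarize(text_a), summarize(text_b)
    al, bl = vti(a), vti(b)
    if al is None or bl is None:
        return ["one side has no 'tunnel mode ipsec ipv4' interface"]
    findings, sides = [], ((a, al, names[0]), (b, bl, names[1]))
    for (x, xl, xn), (y, yl, yn) in (sides, sides[::-1]):
        dst, peer = sub(xl, "tunnel destination"), underlay_ip(y, yl)
        if dst != peer:
            findings.append(f"{xn}: tunnel destination {dst} but {yn} underlay is {peer}")
        if peer not in x["key_peers"]:
            findings.append(f"{xn}: no 'crypto isakmp key ... address {peer}'")
    if not a["tsets"] & b["tsets"]:
        findings.append("no transform-set (algorithms + mode) in common")
    if sub(al, "ip mtu") != sub(bl, "ip mtu"):
        findings.append(f"tunnel ip mtu differs: {sub(al, 'ip mtu')} vs {sub(bl, 'ip mtu')}")
    keys = ("encr", "hash", "authentication", "group")
    if not any(all(p[k] == q[k] for k in keys) for p in a["policies"] for q in b["policies"]):
        findings.append("no ISAKMP policy matches on encr/hash/authentication/group")
    return findings
```

With the configs as posted, `check_peers(HO_CONFIG, BRANCH_CONFIG)` returns an empty list, which is consistent with the tunnel having worked over the old circuit; adding `hash md5` to one end only, or changing one tunnel's `ip mtu`, produces a finding. An empty result means the crypto parameters are symmetric and the difference on the MPLS circuit has to be looked for in transport (reachability, MTU) rather than in the IKE/IPsec settings.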

3 Replies

Hello,

What does your OSPF configuration look like? Make sure you announce the tunnel as well as the LAN. I have made some changes to your configuration; with the configuration below, do your OSPF routers form an adjacency?

...............................
ROUTER - HO
...............................
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp key .... address 10.1.1.10
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VPN_TO_Branch
set transform-set ESP-3DES-SHA
!
interface Tunnel0
description Link to Branch
ip address 192.168.1.9 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination 10.1.1.10
tunnel protection ipsec profile VPN_TO_Branch
!
interface GigabitEthernet0/0/0
description Service Provider Facing Interface
ip address 10.1.1.9 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
negotiation auto
!
interface GigabitEthernet0/0/1
description LAN Facing Interface
ip address 192.168.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
negotiation auto
!
router ospf 1
network 192.168.1.0 0.0.0.3 area 0
network 192.168.10.0 0.0.0.255 area 0


.............................
ROUTER - Branch
...............................
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp key .... address 10.1.1.9
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VPN_TO_HO
set transform-set ESP-3DES-SHA
!
interface Tunnel0
description Service Provider Link to HO
ip address 192.168.1.10 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination 10.1.1.9
tunnel protection ipsec profile VPN_TO_HO
!
interface GigabitEthernet0/0/0
description Service Provider Facing Interface
ip address 10.1.1.10 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
negotiation auto
!
interface GigabitEthernet0/0/1
description LAN Facing Interface
ip address 192.168.20.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
negotiation auto
!
router ospf 1
network 192.168.1.0 0.0.0.3 area 0
network 192.168.20.0 0.0.0.255 area 0

Hello Georg,

Thank you for your reply. OSPF configs are as shown below and adjacency is formed when using our current service provider (non-MPLS, just Ethernet over SDH). However, no adjacency is formed when we switch links to the new MPLS provider.

!
HO Router
router ospf 10
router-id 1.1.1.1
redistribute static metric-type 1 subnets
network 10.1.0.0 0.0.0.255 area 1
network 192.168.1.8 0.0.0.3 area 0
network 192.168.1.20 0.0.0.3 area 0
distribute-list route-map FILTER-DEFAULT in
!
Branch Router
router ospf 10
router-id 2.2.2.2
redistribute static metric-type 1 subnets
network 10.2.0.0 0.0.0.255 area 2
network 10.1.1.8 0.0.0.3 area 0
network 192.168.1.8 0.0.0.3 area 0
network 192.168.1.24 0.0.0.3 area 0
distribute-list route-map FILTER-DEFAULT in
!


Hello,

Try and configure 'ip ospf mtu-ignore' on both tunnels. Maybe the provider changes the default MTU size somewhere in the MPLS path...

That said, do you have basic connectivity end to end at all? Can you ping the respective remote IP address?
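The MTU hint above can be quantified. The following is an added example (my code, not from the thread): it computes the on-wire size of a packet leaving a VTI configured with `ip mtu 1400` and the ESP-3DES-SHA transform-set from the configs above (outer IPv4 header, ESP header, IV, padding to the cipher block, pad-length/next-header bytes, 96-bit ICV), adds the MPLS label stack the provider pushes, and derives the largest tunnel MTU that still fits a given path MTU. It also generalises to an AES-CBC transform-set. The path MTU and the number of labels are assumed inputs; only the provider can tell you the real values.

```python
"""ESP tunnel-mode sizing for an IPsec VTI carried over an MPLS core.
Added example, not from the thread. Path MTU and label count are assumptions."""

# Per-transform parameters: IV length, cipher block size (padding unit), ICV length.
# esp-sha-hmac and esp-md5-hmac both truncate the ICV to 96 bits (12 bytes).
TRANSFORMS = {
    "esp-3des esp-sha-hmac": {"iv": 8, "block": 8, "icv": 12},
    "esp-aes esp-sha-hmac": {"iv": 16, "block": 16, "icv": 12},  # AES-128-CBC
}
OUTER_IPV4 = 20  # new IP header prepended in tunnel mode
ESP_HEADER = 8   # SPI (4) + sequence number (4)
MPLS_LABEL = 4   # one label stack entry

def esp_tunnel_size(inner_len, transform="esp-3des esp-sha-hmac"):
    """On-wire IPv4 length of an inner packet after ESP tunnel-mode encapsulation."""
    t = TRANSFORMS[transform]
    payload = inner_len + 2            # inner packet + pad-length + next-header bytes
    padding = (-payload) % t["block"]  # pad the encrypted part up to the block size
    return OUTER_IPV4 + ESP_HEADER + t["iv"] + payload + padding + t["icv"]

def wire_size(inner_len, labels=0, transform="esp-3des esp-sha-hmac"):
    """ESP packet plus the MPLS label stack the provider pushes inside its core."""
    return esp_tunnel_size(inner_len, transform) + MPLS_LABEL * labels

def max_inner_mtu(path_mtu, labels=0, transform="esp-3des esp-sha-hmac"):
    """Largest tunnel 'ip mtu' whose full-size packets fit path_mtu unfragmented."""
    n = path_mtu
    while n > 0 and wire_size(n, labels, transform) > path_mtu:
        n -= 1
    return n

def report(tunnel_mtu, path_mtu, labels, transform="esp-3des esp-sha-hmac"):
    """Does a full-size tunnel packet survive the path, and what MTU would?"""
    size = wire_size(tunnel_mtu, labels, transform)
    return {"wire_size": size, "fits": size <= path_mtu,
            "max_tunnel_mtu": max_inner_mtu(path_mtu, labels, transform)}

if __name__ == "__main__":
    # 1400-byte tunnel MTU from the thread over a 1500-byte path with 0, 1 or 2 labels
    for labels in (0, 1, 2):
        print(f"{labels} label(s), path 1500:", report(1400, 1500, labels))
    # the same tunnel over a path that only carries 1450 bytes
    print("2 labels, path 1450:", report(1400, 1450, 2))
```

For the 3DES/SHA-1 transform-set a 1400-byte packet leaves the router as 1456 bytes of ESP, 1464 bytes with two labels, so it fits a 1500-byte core but not one that has lost 50 bytes somewhere. The quickest way to find out whether that is happening is the extended ping Georg asked for, run against the remote underlay address with the `size` and `df-bit` keywords (for example `ping 10.1.1.10 size 1464 df-bit` from the HO router): if large DF-set pings fail while small ones succeed, the carrier path is the problem rather than IPsec. `ip ospf mtu-ignore` only stops OSPF from rejecting a neighbour whose DBD advertises a different MTU; it does not make oversized packets get through.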
