ISIS over VTI-based IPSec

I'm having trouble pinning up ISIS over GRE over VTI-based IPsec. If anyone has insight on ISIS over VTI-based IPsec directly (i.e. without the intermediate GRE), that would be awesome too. I've seen a lot of guides showing how to do ISIS over GRE over crypto-map IPsec, but I'm not getting ISIS to work over VTI-based IPsec.

One router's configuration is below; the other router is identical except that the local/remote IP addresses are swapped and it's an ASR1k with adventerprise. The physical interfaces are connected to the same switch on the same VLAN, and as you can see in the config the IPs are on the same subnet.

Symptoms:

  • both tunnel interfaces are up/up, IKEv2 states are "UP-ACTIVE"
  • ping across the IPsec tunnel succeeds
  • ping across the GRE tunnel fails
  • debug isis adj-packets shows IIH sent, but not received
  • if I make the tu1 destination the same as the tu0 destination, it works (ping succeeds and ISIS routing starts). I'm ultimately trying to figure out how to IPsec-encrypt the ISIS session with a route-based VPN and not a policy-based VPN

 


Cat8200#! I've manually inserted "!" for readability
Cat8200#
Cat8200#
Cat8200#sh vrf
  Name                             Default RD            Protocols   Interfaces
  Mgmt-vrf                         <not set>             ipv4,ipv6   Gi0/0/0
  Tunnel                           <not set>             ipv4,ipv6   Lo1
                                                                     Tu10
                                                                     Tu11
  internet                         <not set>             ipv4,ipv6   Gi0/0/1
Cat8200#
Cat8200#
Cat8200#
Cat8200#sh run | sec ^crypto [^p]
crypto ikev2 proposal test
 encryption aes-cbc-256
 integrity sha1
 group 14
!
crypto ikev2 policy test
 proposal test
!
crypto ikev2 keyring test
 peer 10.76.16.4
  address 10.76.16.4
  pre-shared-key qawsedQAWSED12345!!!!!
!
crypto ikev2 profile test
 match fvrf internet
 match address local interface GigabitEthernet0/0/1
 match identity remote address 10.76.16.4 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local test
 lifetime 3600
 dpd 10 5 on-demand
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set test esp-aes 256
 mode tunnel
!
crypto ipsec df-bit clear
!
crypto ipsec profile test
 set transform-set test
 set ikev2-profile test
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#sh run | sec ^(key|router).*isis
key chain isis-password
 key 1
  key-string 7 [redacted but it works on GRE-only]
!
router isis
 net 49.0000.1281.9725.4051.00
 is-type level-2-only
 metric-style wide
 log-adjacency-changes
 redistribute connected
 redistribute static ip
 passive-interface default
 no passive-interface Tunnel3
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#sh run | sec ^interface (GigabitEthernet0/0/1|Loopback0|Tunnel[23])
interface Loopback0
 description Loopback0 default routing table
 ip address 128.197.254.51 255.255.255.255
!
interface Tunnel2
 description test ipsec tunnel for isis-over-ipsec with asr1k
 bandwidth 1000000
 ip address 128.197.255.173 255.255.255.254
 no ip unreachables
 ip tcp adjust-mss 1379
 history BPS all
 tunnel source GigabitEthernet0/0/1
 tunnel mode ipsec ipv4
 tunnel destination 10.76.16.4
 tunnel vrf internet
 tunnel protection ipsec profile test
 ip virtual-reassembly
!
interface Tunnel3
 description test gre tunnel for isis-over-ipsec with asr1k
 ip address 128.197.255.171 255.255.255.254
 ip router isis
 history BPS all
 tunnel source GigabitEthernet0/0/1
 tunnel destination 128.197.255.172
 tunnel vrf internet
 clns mtu 512
 isis authentication mode md5
 isis authentication key-chain isis-password
 no isis hello padding
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1
 vrf forwarding internet
 ip address 10.76.16.63 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 negotiation auto
Cat8200#

 

Accepted Solution

And... found another error prior to opening a TAC case: tunnel3 had "tunnel vrf internet", which was part of an earlier troubleshooting effort that I forgot to remove. After clearing that, ISIS adjacencies formed right away, routes were exchanged, and pings worked perfectly. Pasting the complete config here for reference.

 

Cat8200#! I've manually inserted "!" for readability
Cat8200#
Cat8200#
Cat8200#sh vrf
  Name                             Default RD            Protocols   Interfaces
  Mgmt-vrf                         <not set>             ipv4,ipv6   Gi0/0/0
  Tunnel                           <not set>             ipv4,ipv6   Lo1
                                                                     Tu10
                                                                     Tu11
  internet                         <not set>             ipv4,ipv6   Gi0/0/1
Cat8200#
Cat8200#
Cat8200#
Cat8200#sh run | sec ^crypto [^p]
crypto ikev2 proposal test
 encryption aes-cbc-256
 integrity sha1
 group 14
!
crypto ikev2 policy test
 proposal test
!
crypto ikev2 keyring test
 peer 10.76.16.4
  address 10.76.16.4
  pre-shared-key qawsedQAWSED12345!!!!!
!
crypto ikev2 profile test
 match fvrf internet
 match address local interface GigabitEthernet0/0/1
 match identity remote address 10.76.16.4 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local test
 lifetime 3600
 dpd 10 5 on-demand
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set test esp-aes 256
 mode tunnel
!
crypto ipsec df-bit clear
!
crypto ipsec profile test
 set transform-set test
 set ikev2-profile test
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#sh run | sec ^(key|router).*isis
key chain isis-password
 key 1
  key-string 7 [redacted]
!
router isis
 net 49.0000.1281.9725.4051.00
 is-type level-2-only
 metric-style wide
 log-adjacency-changes
 redistribute connected
 redistribute static ip
 passive-interface default
 no passive-interface Tunnel3
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#sh run | sec ^interface (GigabitEthernet0/0/1|Loopback0|Tunnel[23])
interface Loopback0
 description Loopback0 default routing table
 ip address 128.197.254.51 255.255.255.255
!
interface Tunnel2
 description test ipsec tunnel for isis-over-ipsec with asr1k
 bandwidth 1000000
 ip address 128.197.255.173 255.255.255.254
 no ip unreachables
 ip tcp adjust-mss 1379
 history BPS all
 tunnel source GigabitEthernet0/0/1
 tunnel mode ipsec ipv4
 tunnel destination 10.76.16.4
 tunnel vrf internet
 tunnel protection ipsec profile test
 ip virtual-reassembly
!
interface Tunnel3
 description test gre tunnel for isis-over-ipsec with asr1k
 ip address 128.197.255.171 255.255.255.254
 ip router isis
 history BPS all
 tunnel source Tunnel2
 tunnel destination 128.197.255.172
 isis authentication mode md5
 isis authentication key-chain isis-password
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1
 vrf forwarding internet
 ip address 10.76.16.63 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 negotiation auto
Cat8200#
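As an added illustration (this is not code from the thread or from Cisco), the Python below is a small lint that would have caught both mistakes described in this thread. It parses the indented "interface" stanzas of a "show run", then checks each GRE tunnel whose destination sits on a directly connected subnet: the VRF the tunnel uses for its destination lookup ("tunnel vrf", global when absent) must be the VRF that owns that subnet, and when the subnet belongs to an IPsec VTI, the GRE "tunnel source" must be that VTI. The three sample configs are constructed from the addresses in this thread and represent the original post's Tunnel3, the intermediate state with only the source corrected, and the accepted solution; the field names and the "check_gre_over_vti" function are this example's own.

```python
# Added example, not part of the thread: lint for GRE-over-VTI stacking in an
# IOS-XE 'show run'.  Flags a stale 'tunnel vrf' and a GRE source that is not the VTI.
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Iface:
    name: str
    vrf: str = "global"                  # 'vrf forwarding X' on the interface
    ip: Optional[ipaddress.IPv4Interface] = None
    tunnel_mode: Optional[str] = None    # None = IOS default for a Tunnel (GRE/IP)
    tunnel_source: Optional[str] = None
    tunnel_dest: Optional[ipaddress.IPv4Address] = None
    tunnel_vrf: str = "global"           # 'tunnel vrf X': VRF used for the destination lookup
    protected: bool = False              # 'tunnel protection ipsec profile ...'

    @property
    def is_vti(self) -> bool:
        return self.tunnel_mode == "ipsec" and self.protected

    @property
    def is_gre(self) -> bool:
        return self.name.startswith("Tunnel") and self.tunnel_mode in (None, "gre")


def parse_interfaces(config: str) -> Dict[str, Iface]:
    """Collect the fields above from every 'interface ...' stanza of a 'show run'."""
    ifaces: Dict[str, Iface] = {}
    cur: Optional[Iface] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line and not line[0].isspace():           # any top-level command ends a stanza
            m = re.match(r"interface (\S+)$", line)
            cur = Iface(m.group(1)) if m else None
            if cur is not None:
                ifaces[cur.name] = cur
            continue
        if cur is None or not line.strip():
            continue
        t = line.split()
        try:
            if t[:2] == ["vrf", "forwarding"]:
                cur.vrf = t[2]
            elif t[:2] == ["ip", "address"] and len(t) == 4:   # skips 'ip address dhcp'
                cur.ip = ipaddress.IPv4Interface(f"{t[2]}/{t[3]}")
            elif t[:2] == ["tunnel", "mode"]:
                cur.tunnel_mode = t[2]
            elif t[:2] == ["tunnel", "source"]:
                cur.tunnel_source = t[2]
            elif t[:2] == ["tunnel", "destination"]:
                cur.tunnel_dest = ipaddress.IPv4Address(t[2])
            elif t[:2] == ["tunnel", "vrf"]:
                cur.tunnel_vrf = t[2]
            elif t[:2] == ["tunnel", "protection"]:
                cur.protected = True
        except ValueError:
            pass   # '[redacted]' or otherwise unparseable address: leave the field unset
    return ifaces


def check_gre_over_vti(ifaces: Dict[str, Iface]) -> List[str]:
    """One finding per GRE tunnel whose destination lookup or source is inconsistent."""
    findings: List[str] = []
    for gre in ifaces.values():
        if not gre.is_gre or gre.tunnel_dest is None:
            continue
        # Which interface owns the connected subnet the GRE destination sits in?
        owners = [i for i in ifaces.values() if i.ip and gre.tunnel_dest in i.ip.network]
        if not owners:
            continue   # destination is routed rather than directly connected: out of scope
        owner = owners[0]
        # Check 1: the destination must be looked up in the VRF that actually holds it.
        # A stale 'tunnel vrf' left on the GRE tunnel makes IOS search the wrong table.
        if owner.vrf != gre.tunnel_vrf:
            findings.append(f"{gre.name}: destination {gre.tunnel_dest} is connected via "
                            f"{owner.name} in VRF '{owner.vrf}' but 'tunnel vrf' is '{gre.tunnel_vrf}'")
        # Check 2: when the destination sits on an IPsec VTI, the GRE packets must be
        # sourced from that VTI so they match the peer's 'tunnel destination'.
        if owner.is_vti and gre.tunnel_source != owner.name:
            findings.append(f"{gre.name}: destination {gre.tunnel_dest} is on VTI {owner.name} "
                            f"but 'tunnel source' is {gre.tunnel_source}")
    return findings


# Constructed samples using the addresses from this thread, indented as 'show run' prints them.
_TEMPLATE = """\
interface Tunnel2
 ip address 128.197.255.173 255.255.255.254
 tunnel source GigabitEthernet0/0/1
 tunnel mode ipsec ipv4
 tunnel destination 10.76.16.4
 tunnel vrf internet
 tunnel protection ipsec profile test
!
interface Tunnel3
 ip address 128.197.255.171 255.255.255.254
 ip router isis
 tunnel source {gre_source}
 tunnel destination 128.197.255.172
{gre_vrf}!
interface GigabitEthernet0/0/1
 vrf forwarding internet
 ip address 10.76.16.63 255.255.255.0
!
"""
CONFIG_ORIGINAL = _TEMPLATE.format(gre_source="GigabitEthernet0/0/1", gre_vrf=" tunnel vrf internet\n")
CONFIG_SOURCE_FIXED = _TEMPLATE.format(gre_source="Tunnel2", gre_vrf=" tunnel vrf internet\n")
CONFIG_FINAL = _TEMPLATE.format(gre_source="Tunnel2", gre_vrf="")

if __name__ == "__main__":
    for label, cfg in [("original", CONFIG_ORIGINAL), ("source fixed", CONFIG_SOURCE_FIXED),
                       ("accepted solution", CONFIG_FINAL)]:
        print(f"{label}: {check_gre_over_vti(parse_interfaces(cfg)) or 'clean'}")
```

Run against the original post's configuration it reports both the wrong source and the stale "tunnel vrf"; against the intermediate configuration only the stale "tunnel vrf"; against the accepted solution nothing. Destinations that are reached via a route rather than a connected subnet are deliberately skipped, since that is the normal case for a VTI or a plain GRE tunnel and is not what went wrong here.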

 


4 Replies

I realized I had the wrong source interface for the GRE tunnel. Corrected config below for reference, for anyone who's looking for this later.

I still have a problem in that

show ip traffic

shows counters increasing, but not correctly: one router will send and receive, the other router sends but does not receive. I've corroborated this a few ways: with an in and an out ACL applied to the interface with

permit icmp any any log

that reports ping messages in one direction, I see ISIS IIH messages successfully passing in one direction but not the other, and I see CLNS neighbor data on one router but not the other (ping across the IPsec tunnel always succeeds, and unencrypted GRE works fine to bring up ISIS routing).

With the fixed config, the symptoms are different enough to warrant a different post, so I'll follow up separately.

 

Cat8200#! I've manually inserted "!" for readability
Cat8200#
Cat8200#
Cat8200#sh vrf
  Name                             Default RD            Protocols   Interfaces
  Mgmt-vrf                         <not set>             ipv4,ipv6   Gi0/0/0
  Tunnel                           <not set>             ipv4,ipv6   Lo1
                                                                     Tu10
                                                                     Tu11
  internet                         <not set>             ipv4,ipv6   Gi0/0/1
Cat8200#
Cat8200#
Cat8200#
Cat8200#sh run | sec ^crypto [^p]
crypto ikev2 proposal test
 encryption aes-cbc-256
 integrity sha1
 group 14
!
crypto ikev2 policy test
 proposal test
!
crypto ikev2 keyring test
 peer 10.76.16.4
  address 10.76.16.4
  pre-shared-key qawsedQAWSED12345!!!!!
!
crypto ikev2 profile test
 match fvrf internet
 match address local interface GigabitEthernet0/0/1
 match identity remote address 10.76.16.4 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local test
 lifetime 3600
 dpd 10 5 on-demand
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set test esp-aes 256
 mode tunnel
!
crypto ipsec df-bit clear
!
crypto ipsec profile test
 set transform-set test
 set ikev2-profile test
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#sh run | sec ^(key|router).*isis
key chain isis-password
 key 1
  key-string 7 [redacted]
!
router isis
 net 49.0000.1281.9725.4051.00
 is-type level-2-only
 metric-style wide
 log-adjacency-changes
 redistribute connected
 redistribute static ip
 passive-interface default
 no passive-interface Tunnel3
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#sh run | sec ^interface (GigabitEthernet0/0/1|Loopback0|Tunnel[23])
interface Loopback0
 description Loopback0 default routing table
 ip address 128.197.254.51 255.255.255.255
!
interface Tunnel2
 description test ipsec tunnel for isis-over-ipsec with asr1k
 bandwidth 1000000
 ip address 128.197.255.173 255.255.255.254
 no ip unreachables
 ip tcp adjust-mss 1379
 history BPS all
 tunnel source GigabitEthernet0/0/1
 tunnel mode ipsec ipv4
 tunnel destination 10.76.16.4
 tunnel vrf internet
 tunnel protection ipsec profile test
 ip virtual-reassembly
!
interface Tunnel3
 description test gre tunnel for isis-over-ipsec with asr1k
 ip address 128.197.255.171 255.255.255.254
 ip router isis
 history BPS all
 tunnel source Tunnel2
 tunnel destination 128.197.255.172
 tunnel vrf internet
 clns mtu 512
 isis authentication mode md5
 isis authentication key-chain isis-password
 no isis hello padding
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1
 vrf forwarding internet
 ip address 10.76.16.63 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 negotiation auto
Cat8200#

 

Hello,

 

Little documentation (if any at all) available indeed...

Can you post the full running configs (sh run) of both sides so we can lab this up?

I can go into detail on the "why" of a lot of these configs, but for simplicity I'll skip that unless asked.

  • vrf Tunnel is unrelated to anything described here
  • These two boxes are lab units so are not fully configured on all features compared to production
  • IPs and any keys shown are lab/test data, not used in production
  • I had to redact a lot of details per data classification policy, but hopefully that shouldn't inhibit recreating the important parts

 

Cat8200#sh run
Building configuration...

Current configuration : 16455 bytes
!
! Last configuration change at 19:03:49 EDT Fri Jun 24 2022 by weylin
! NVRAM config last updated at 19:03:59 EDT Fri Jun 24 2022 by weylin
!
version 17.6
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 250M
!
hostname Cat8200
!
boot-start-marker
boot system bootflash:c8000be-universalk9.17.06.02.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
vrf definition Tunnel
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
vrf definition internet
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret [redacted]
!
aaa new-model
!
!
aaa group server tacacs+ TACACS_GROUP
 server name tacacs01
 server name tacacs02
 ip tacacs source-interface Loopback0
!
aaa authentication [redacted]
aaa authorization [redacted]
aaa accounting [redacted]
!
!
!
!
!
!
aaa session-id common
clock timezone EST -5 0
clock summer-time EDT recurring
!
!
!
!
!
!
!
ip name-server [redacted]
ip name-server vrf Mgmt-vrf [redacted]
ip domain lookup source-interface Loopback0
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
vtp mode off
udld recovery
udld recovery interval 90
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
key chain isis-password
 key 1
  key-string [redacted]
!
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check none
!
!
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01
  [redacted]
        quit
!
crypto pki certificate pool
 ! ('certificate ca' cmd has been deprecated. Downloaded
 !  Trustpool certificates should be re-downloaded
 !  using 'crypro pki trustpool import url <url>')
!
!
!
!
!
!
!
!
!
no license feature hseck9
license udi pid C8200-1N-4T sn [redacted]
license boot level network-essentials addon dna-essentials
license smart url cslu https://[redacted]
archive
 log config
  record rc
  logging enable
  logging size 1000
  notify syslog contenttype plaintext
 path bootflash:
 maximum 14
 write-memory
memory free low-watermark processor 68302
!
diagnostic bootup level complete
diagnostic monitor syslog
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1-4094 priority 8192
errdisable flap-setting cause link-flap max-flaps 100 time 1800
errdisable recovery interval 60
!
username admin secret [redacted]
!
redundancy
 mode none
!
!
crypto ikev2 proposal test
 encryption aes-cbc-256
 integrity sha1
 group 14
!
crypto ikev2 policy test
 proposal test
!
crypto ikev2 keyring test
 peer 10.76.16.4
  address 10.76.16.4
  pre-shared-key qawsedQAWSED12345!!!!!
 !
!
!
crypto ikev2 profile test
 match fvrf internet
 match address local interface GigabitEthernet0/0/1
 match identity remote address 10.76.16.4 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local test
 lifetime 3600
 dpd 10 5 on-demand
!
!
!
!
lldp run
!
!
!
!
!
!
!
!
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set test esp-aes 256
 mode tunnel
crypto ipsec df-bit clear
!
!
crypto ipsec profile test
 set transform-set test
 set ikev2-profile test
!
!
!
!
!
!
!
!
!
interface Loopback0
 description Loopback0 default routing table
 ip address [redacted] 255.255.255.255
!
interface Loopback1
 description vrf Tunnel loopback
 vrf forwarding Tunnel
 no ip address
!
interface Tunnel2
 description test ipsec tunnel for isis-over-ipsec with asr1k
 ip address 10.76.1.9 255.255.255.254
 ip tcp adjust-mss 1379
 history BPS all
 tunnel source GigabitEthernet0/0/1
 tunnel mode ipsec ipv4
 tunnel destination 10.76.16.4
 tunnel vrf internet
 tunnel protection ipsec profile test
 clns mtu 512
 ip virtual-reassembly
!
interface Tunnel3
 description test gre tunnel for isis-over-ipsec with asr1k
 ip address 10.76.1.11 255.255.255.254
 ip router isis
 history BPS all
 tunnel source Tunnel2
 tunnel destination 10.76.1.8
 isis authentication mode md5
 isis authentication key-chain isis-password
 ip virtual-reassembly
!
interface Tunnel10
 description guest network "core" router #1
 bandwidth 1000000
 vrf forwarding Tunnel
 ip address [redacted] 255.255.255.254
 no ip redirects
 ip mtu 1414
 ip ospf authentication message-digest
 ip ospf message-digest-key [redacted]
 ip ospf network point-to-point
 ip ospf 204 area 0
 history BPS
 cdp enable
 tunnel source Loopback0
 tunnel destination [redacted]
!
interface Tunnel11
 description guest network "core" router #2
 bandwidth 1000000
 vrf forwarding Tunnel
 ip address [redacted] 255.255.255.254
 no ip redirects
 ip mtu 1414
 ip ospf authentication message-digest
 ip ospf message-digest-key [redacted]
 ip ospf network point-to-point
 ip ospf 204 area 0
 history BPS
 cdp enable
 tunnel source Loopback0
 tunnel destination [redacted]
!
interface GigabitEthernet0/0/0
 description OOB Mgmt
 vrf forwarding Mgmt-vrf
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip access-group Management:in in
 negotiation auto
!
interface GigabitEthernet0/0/1
 vrf forwarding internet
 ip address 10.76.16.63 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 negotiation auto
!
interface GigabitEthernet0/0/2
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/3
 no ip address
 negotiation auto
!
router ospf 204 vrf Tunnel
 log-adjacency-changes detail
 redistribute connected
 redistribute static
 passive-interface default
!
router isis
 net 49.0000.[redacted].00
 is-type level-2-only
 metric-style wide
 log-adjacency-changes
 redistribute connected
 redistribute static ip
 passive-interface default
 no passive-interface Tunnel3
!
ip telnet source-interface Loopback0
no ip http server
no ip http secure-server
ip http client source-interface Loopback0
ip forward-protocol nd
ip tftp source-interface Loopback0
ip tftp blocksize 8192
ip ssh source-interface Loopback0
ip ssh version 2
ip scp server enable
!
!
ip access-list standard SNMP-ro
 10 remark filter restricting access to SNMP polling
 20 permit [redacted]
!
ip access-list standard ntp-peer
 10 remark NTP servers
 20 permit [redacted]
!
ip access-list extended Management:in
 10 permit ip any any
ip access-list extended line-vty:in
 10 permit [redacted]
!
!
logging trap debugging
logging origin-id hostname
logging facility local4
logging source-interface Loopback0
logging host [redacted]
!
snmp-server community [redacted] RO SNMP-ro
snmp-server trap-source Loopback0
snmp-server contact [redacted]
snmp-server enable traps snmp linkdown linkup coldstart warmstart
snmp-server host [redacted]
!
tacacs server tacacs01
 address ipv4 [redacted]
 key [redacted]
tacacs server tacacs02
 address ipv4 [redacted]
 key [redacted]
!
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
banner motd ^C
+------------------------------------+
|             [redacted]             |
+------------------------------------+
|           !! WARNING !!            |
|      AUTHORIZED ACCESS ONLY!       |
| Access to this system is permitted |
| for authorized  persons only.  All |
| connections    are    logged   and |
| monitored.   By   accessing   this |
| system, you  acknowledge  that use |
| of this  and any  other technology |
| at [redacted]        is subject to |
| the terms of [redacted],    please |
| see: http://[redacted]             |
| for details.                       |
+------------------------------------+

^C
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
 session-timeout 15
 access-class line-vty:in in vrf-also
 exec-timeout 15 0
 session-limit 64
 transport preferred none
 transport input ssh
 transport output ssh
line vty 5 97
 session-timeout 15
 access-class line-vty:in in vrf-also
 exec-timeout 15 0
 session-limit 64
 transport preferred none
 transport input ssh
 transport output ssh
!
call-home
 contact-email-addr [redacted]
 no http secure server-identity-check
 profile "CiscoTAC-1"
  active
  destination transport-method http
  destination address http https://[redacted]
  no destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
ntp source Loopback0
ntp access-group peer ntp-peer
ntp server [redacted]
!
!
!
!
!
!
end

Cat8200#

 

 

clab-asr1002x-01#sh run
Building configuration...

Current configuration : 8494 bytes
!
! Last configuration change at 13:55:42 UTC Fri Jun 24 2022 by weylin
!
version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
!
hostname clab-asr1002x-01
!
boot-start-marker
boot system flash bootflash:asr1002x-universalk9.16.06.06.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret [redacted]
!
aaa new-model
!
!
aaa group server tacacs+ TACACS_GROUP
 server name tacacs01
 server name tacacs02
!
aaa authentication [redacted]
aaa authorization [redacted]
aaa accounting [redacted]
!
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
!
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
key chain isis-password
 key 1
  key-string [redacted]
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3027023122
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3027023122
 revocation-check none
 rsakeypair TP-self-signed-3027023122
!
!
crypto pki certificate chain TP-self-signed-3027023122
 certificate self-signed 01
  [redacted]
        quit
!
!
license udi pid ASR1002-X sn [redacted]
license solution level securityk9
spanning-tree extend system-id
diagnostic bootup level minimal
!
!
!
user-name admin
 creation-time 1655583726
 secret [redacted]
!
redundancy
 mode none
!
crypto ikev2 proposal proposal-Cat8200
 encryption aes-cbc-256
 integrity sha1
 group 14
!
crypto ikev2 policy policy-Cat8200
 proposal proposal-Cat8200
!
crypto ikev2 keyring ikev2-keyring-Cat8200
 peer 10.76.16.63
  address 10.76.16.63
  pre-shared-key qawsedQAWSED12345!!!!!
 !
!
!
crypto ikev2 profile ikev2-profile-Cat8200
 match address local interface Port-channel1.2000
 match identity remote address 10.76.16.63 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2-keyring-Cat8200
 lifetime 3600
 dpd 10 5 on-demand
!
!
!
!
lldp run
cdp run
!
!
!
!
!
!
!
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set ikev2-transform-Cat8200 esp-aes 256
 mode tunnel
crypto ipsec df-bit clear
!
!
crypto ipsec profile ipsec-profile-Cat8200
 set transform-set ikev2-transform-Cat8200
 set ikev2-profile ikev2-profile-Cat8200
!
!
!
!
!
!
!
!
!
interface Port-channel1
 no ip address
 no negotiation auto
!
interface Port-channel1.920
 description ISIS with lab 6807
 encapsulation dot1Q 920
 ip address 10.76.1.7 255.255.255.254
 ip router isis
 isis network point-to-point
 isis authentication mode md5
 isis authentication key-chain isis-password
!
interface Port-channel1.2000
 encapsulation dot1Q 2000
 ip address 10.76.16.4 255.255.255.0
!
interface Port-channel1.2800
 encapsulation dot1Q 2800 native
!
interface Tunnel0
 description test ipsec tunnel for isis-over-ipsec with cat8200
 ip address 10.76.1.8 255.255.255.254
 ip tcp adjust-mss 1379
 history BPS all
 tunnel source Port-channel1.2000
 tunnel mode ipsec ipv4
 tunnel destination 10.76.16.63
 tunnel protection ipsec profile ipsec-profile-Cat8200
 ip virtual-reassembly
!
interface Tunnel1
 description gre tunnel for isis-over-gre with cat8200
 ip address 10.76.1.10 255.255.255.254
 ip router isis
 ip access-group Cat8200-test in
 ip access-group Cat8200-test out
 history BPS all
 tunnel source Tunnel0
 tunnel destination 10.76.1.9
 isis authentication mode md5
 isis authentication key-chain isis-password
 ip virtual-reassembly
!
interface GigabitEthernet0/0/0
 no ip address
 negotiation auto
 channel-group 1 mode active
!
interface GigabitEthernet0/0/1
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/2
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/3
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/4
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/5
 no ip address
 negotiation auto
 channel-group 1 mode active
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 10.17.245.11 255.255.255.0
 negotiation auto
 cdp enable
!
router isis
 net 49.0000.[redacted].00
 is-type level-2-only
 metric-style wide
 log-adjacency-changes
 redistribute connected
 redistribute static ip
 passive-interface default
 no passive-interface Port-channel1.920
 no passive-interface Tunnel1
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip tftp blocksize 8192
ip route 0.0.0.0 0.0.0.0 10.76.16.1
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.17.245.1
!
!
!
ip access-list extended Cat8200-test
 permit icmp any any log-input
 permit ip any any
!
!
tacacs server tacacs01
 address ipv4 [redacted]
 key [redacted]
tacacs server tacacs02
 address ipv4 [redacted]
 key [redacted]
!
!
!
!
control-plane
!
!
!
!
!
banner motd ^C

+------------------------------------+
|             [redacted]             |
+------------------------------------+
|           !! WARNING !!            |
|      AUTHORIZED ACCESS ONLY!       |
| Access to this system is permitted |
| for authorized  persons only.  All |
| connections    are    logged   and |
| monitored.   By   accessing   this |
| system, you  acknowledge  that use |
| of this  and any  other technology |
| at [redacted]        is subject to |
| the terms of [redacted],    please |
| see: http://[redacted]             |
| for details.                       |
+------------------------------------+

^C
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 transport preferred none
 transport input ssh
 transport output ssh
line vty 5 97
 transport preferred none
 transport input ssh
 transport output ssh
!
!
!
!
!
!
!
end

clab-asr1002x-01#

 

 

Cat8200#sh vrf
  Name                             Default RD            Protocols   Interfaces
  Mgmt-vrf                         <not set>             ipv4,ipv6   Gi0/0/0
  Tunnel                           <not set>             ipv4,ipv6   Lo1
                                                                     Tu10
                                                                     Tu11
  internet                         <not set>             ipv4,ipv6   Gi0/0/1
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#sh ip int br
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   10.76.10.243    YES DHCP   up                    up
GigabitEthernet0/0/1   10.76.16.63     YES NVRAM  up                    up
GigabitEthernet0/0/2   unassigned      YES NVRAM  up                    up
GigabitEthernet0/0/3   unassigned      YES manual down                  down
Loopback0              [redacted]      YES manual up                    up
Loopback1              unassigned      YES unset  up                    up
Tunnel2                10.76.1.9       YES manual up                    up
Tunnel3                10.76.1.11      YES manual up                    up
Tunnel10               [redacted]      YES manual up                    up
Tunnel11               [redacted]      YES manual up                    up
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#sh crypto ikev2 ses
 IPv4 Crypto IKEv2 Session

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                fvrf/ivrf            Status
5         10.76.16.63/500       10.76.16.4/500        internet/none        READY
      Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 3600/2588 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0xB22070F5/0x43C0EEC9

 IPv6 Crypto IKEv2 Session

Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#sh crypto ikev2 sa
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
5         10.76.16.63/500       10.76.16.4/500        internet/none        READY
      Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 3600/2592 sec

 IPv6 Crypto IKEv2  SA

Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#sh crypto ipsec sa

interface: Tunnel2
    Crypto map tag: Tunnel2-head-0, local addr 10.76.16.63

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 10.76.16.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2669, #pkts encrypt: 2669, #pkts digest: 2669
    #pkts decaps: 10642, #pkts decrypt: 10642, #pkts verify: 10642
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.76.16.63, remote crypto endpt.: 10.76.16.4
     plaintext mtu 1454, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
     current outbound spi: 0x43C0EEC9(1136717513)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xB22070F5(2988470517)
        transform: esp-256-aes ,
        in use settings ={Tunnel, }
        conn id: 2113, flow_id: ESG:113, sibling_flags FFFFFFFF80000048, crypto map: Tunnel2-head-0
         sa timing: remaining key lifetime (k/sec): (4607479/1020)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x43C0EEC9(1136717513)
        transform: esp-256-aes ,
        in use settings ={Tunnel, }
        conn id: 2114, flow_id: ESG:114, sibling_flags FFFFFFFF80000048, crypto map: Tunnel2-head-0
         sa timing: remaining key lifetime (k/sec): (4607459/1020)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#sh int tu2
Tunnel2 is up, line protocol is up
  Hardware is Tunnel
  Description: test ipsec tunnel for isis-over-ipsec with asr1k
  Internet address is 10.76.1.9/31
  MTU 9954 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 5/255, rxload 5/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel linestate evaluation up
  Tunnel source 10.76.16.63 (GigabitEthernet0/0/1), destination 10.76.16.4
   Tunnel Subblocks:
      src-track:
         Tunnel2 source tracking subblock associated with GigabitEthernet0/0/1
          Set of tunnels with source GigabitEthernet0/0/1, 3 members (includes iterators), on interface <OK>
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1454 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "test")
  Last input 00:00:02, output 07:21:07, output hang never
  Last clearing of "show interface" counters 2d01h
  Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 2000 bits/sec, 1 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     139647 packets input, 27584648 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     11703 packets output, 5603777 bytes, 0 underruns
     Output 0 broadcasts (0 IP multicasts)
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#sh int tu3
Tunnel3 is up, line protocol is up
  Hardware is Tunnel
  Description: test gre tunnel for isis-over-ipsec with asr1k
  Internet address is 10.76.1.11/31
  MTU 9976 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 7/255, rxload 5/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel linestate evaluation up
  Tunnel source 10.76.1.9 (Tunnel2), destination 10.76.1.8
   Tunnel Subblocks:
      src-track:
         Tunnel3 source tracking subblock associated with Tunnel2
          Set of tunnels with source Tunnel2, 1 member (includes iterators), on interface <OK>
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255, Fast tunneling enabled
  Tunnel transport MTU 1430 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 2d01h
  Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 2000 bits/sec, 1 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     10328 packets input, 4813363 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     165033 packets output, 41539208 bytes, 0 underruns
     Output 0 broadcasts (0 IP multicasts)
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#sh clns nei
System Id       Interface     SNPA                State  Holdtime  Type Protocol
clab-asr1002x-0 Tu3           10.76.1.8           Up     28        L2   IS-IS
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#sh isis nei

System Id       Type Interface     IP Address      State Holdtime Circuit Id
clab-asr1002x-0 L2   Tu3           10.76.1.10      UP    22       10
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#sh ip route vrf *
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
       & - replicated local route overrides by connected

Gateway of last resort is 10.76.1.10 to network 0.0.0.0

i*L2  0.0.0.0/0 [115/20] via 10.76.1.10, 06:53:53, Tunnel3
      10.0.0.0/8 is variably subnetted, 18 subnets, 5 masks
i L2     10.76.1.1/32 [115/30] via 10.76.1.10, 06:53:53, Tunnel3
i L2     10.76.1.2/31 [115/30] via 10.76.1.10, 06:53:53, Tunnel3
i L2     10.76.1.4/31 [115/30] via 10.76.1.10, 06:53:53, Tunnel3
i L2     10.76.1.6/31 [115/20] via 10.76.1.10, 06:53:53, Tunnel3
C        10.76.1.8/31 is directly connected, Tunnel2
L        10.76.1.9/32 is directly connected, Tunnel2
C        10.76.1.10/31 is directly connected, Tunnel3
L        10.76.1.11/32 is directly connected, Tunnel3
i L2     10.76.16.0/24 [115/10] via 10.76.1.10, 06:53:53, Tunnel3
i L2     10.76.33.0/24 [115/20] via 10.76.1.10, 06:53:53, Tunnel3
i L2     10.76.100.0/24 [115/30] via 10.76.1.10, 06:53:53, Tunnel3
i L2     10.76.101.0/27 [115/30] via 10.76.1.10, 06:53:53, Tunnel3
i L2     10.76.101.32/27 [115/30] via 10.76.1.10, 06:53:53, Tunnel3
i L2     10.76.101.64/27 [115/30] via 10.76.1.10, 06:53:53, Tunnel3
i L2     10.76.101.128/27 [115/30] via 10.76.1.10, 06:53:53, Tunnel3
i L2     10.76.101.192/27 [115/30] via 10.76.1.10, 06:53:53, Tunnel3
i L2     10.76.101.240/28 [115/30] via 10.76.1.10, 06:53:53, Tunnel3
i L2     10.123.0.224/28 [115/20] via 10.76.1.10, 06:53:53, Tunnel3
      [redacted]/16 is variably subnetted, 9 subnets, 4 masks
i L2     [redacted]

Routing Table: Mgmt-vrf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
       & - replicated local route overrides by connected

Gateway of last resort is 10.76.10.1 to network 0.0.0.0

S*    0.0.0.0/0 [254/0] via 10.76.10.1
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        10.76.10.0/24 is directly connected, GigabitEthernet0/0/0
L        10.76.10.243/32 is directly connected, GigabitEthernet0/0/0
S        10.254.12.16/32 [254/0] via 10.76.10.1, GigabitEthernet0/0/0

Routing Table: Tunnel
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
       & - replicated local route overrides by connected

Gateway of last resort is not set

      [redacted]/24 is variably subnetted, 4 subnets, 2 masks
C        [redacted]/31 is directly connected, Tunnel10
L        [redacted]/32 is directly connected, Tunnel10
C        [redacted]/31 is directly connected, Tunnel11
L        [redacted]/32 is directly connected, Tunnel11

Routing Table: internet
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
       & - replicated local route overrides by connected

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.76.16.0/24 is directly connected, GigabitEthernet0/0/1
L        10.76.16.63/32 is directly connected, GigabitEthernet0/0/1
Cat8200#

And... found another error prior to opening a TAC case: tunnel3 had "tunnel vrf internet", which was part of an earlier troubleshooting effort that I forgot to remove. After clearing that, ISIS adjacencies formed right away, routes were exchanged, and pings worked perfectly. Pasting the complete config here for reference.


Cat8200#! I've manually inserted "!" for readability
Cat8200#
Cat8200#
Cat8200#sh vrf
  Name                             Default RD            Protocols  Interfaces
  Mgmt-vrf                         <not set>             ipv4,ipv6  Gi0/0/0
  Tunnel                           <not set>             ipv4,ipv6  Lo1
                                                                    Tu10
                                                                    Tu11
  internet                         <not set>             ipv4,ipv6  Gi0/0/1
Cat8200#
Cat8200#
Cat8200#
Cat8200#sh run | sec ^crypto [^p]
crypto ikev2 proposal test
encryption aes-cbc-256
integrity sha1
group 14
!
crypto ikev2 policy test
proposal test
!
crypto ikev2 keyring test
peer 10.76.16.4
address 10.76.16.4
pre-shared-key qawsedQAWSED12345!!!!!
!
crypto ikev2 profile test
match fvrf internet
match address local interface GigabitEthernet0/0/1
match identity remote address 10.76.16.4 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local test
lifetime 3600
dpd 10 5 on-demand
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set test esp-aes 256
mode tunnel
!
crypto ipsec df-bit clear
!
crypto ipsec profile test
set transform-set test
set ikev2-profile test
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#sh run | sec ^(key|router).*isis
key chain isis-password
key 1
key-string 7 [redacted]
!
router isis
net 49.0000.1281.9725.4051.00
is-type level-2-only
metric-style wide
log-adjacency-changes
redistribute connected
redistribute static ip
passive-interface default
no passive-interface Tunnel3
Cat8200#
Cat8200#
Cat8200#
Cat8200#
Cat8200#sh run | sec ^interface (GigabitEthernet0/0/1|Loopback0|Tunnel[23])
interface Loopback0
description Loopback0 default routing table
ip address 128.197.254.51 255.255.255.255
!
interface Tunnel2
description test ipsec tunnel for isis-over-ipsec with asr1k
bandwidth 1000000
ip address 128.197.255.173 255.255.255.254
no ip unreachables
ip tcp adjust-mss 1379
history BPS all
tunnel source GigabitEthernet0/0/1
tunnel mode ipsec ipv4
tunnel destination 10.76.16.4
tunnel vrf internet
tunnel protection ipsec profile test
ip virtual-reassembly
!
interface Tunnel3
description test gre tunnel for isis-over-ipsec with asr1k
ip address 128.197.255.171 255.255.255.254
ip router isis
history BPS all
tunnel source Tunnel2
tunnel destination 128.197.255.172
isis authentication mode md5
isis authentication key-chain isis-password
ip virtual-reassembly
!
interface GigabitEthernet0/0/1
vrf forwarding internet
ip address 10.76.16.63 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
negotiation auto
Cat8200#  
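The root cause above is a transport-VRF mismatch: the GRE tunnel (Tunnel3) is sourced from Tunnel2, which sits in the global table, yet still carried "tunnel vrf internet", so its encapsulated packets were routed in the wrong VRF while the interface stayed up/up. The following is an added example, not part of the original post, that lints a pasted IOS-XE interface config for exactly that condition; the cut-down sample config is constructed from the interfaces shown above.

```python
# Added example, not from the original post: lint IOS-XE interface config for
# the mistake fixed above, a GRE tunnel sourced from a VTI that still carried
# "tunnel vrf internet" while its source interface (Tunnel2) is in the global VRF.
def parse_interfaces(config):
    """Return {interface name: [its config lines]}; '!' or a blank line ends a block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split()[1]
            blocks[current] = []
        elif line == "!" or not line:
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks

def setting(lines, prefix):
    """Value following the first line that starts with prefix, else None."""
    return next((l[len(prefix):].strip() for l in lines if l.startswith(prefix + " ")), None)

def transport_vrf_mismatches(config):
    """Tunnels whose 'tunnel vrf' differs from the VRF their source interface is in."""
    ifaces = parse_interfaces(config)
    findings = []
    for name, lines in ifaces.items():
        src = setting(lines, "tunnel source")
        if src is None:
            continue  # not a tunnel interface
        # No 'tunnel vrf' / 'vrf forwarding' means the global routing table.
        tunnel_vrf = setting(lines, "tunnel vrf") or "global"
        src_vrf = setting(ifaces.get(src, []), "vrf forwarding") or "global"
        if tunnel_vrf != src_vrf:
            findings.append((name, src, tunnel_vrf, src_vrf))
    return findings

# Constructed config, cut down from the post: Tunnel2 is correct (VTI and its
# source both in VRF internet); Tunnel3 carries the leftover "tunnel vrf internet".
SAMPLE_CONFIG = """\
interface Tunnel2
 tunnel source GigabitEthernet0/0/1
 tunnel vrf internet
!
interface Tunnel3
 tunnel source Tunnel2
 tunnel vrf internet
!
interface GigabitEthernet0/0/1
 vrf forwarding internet
!
"""
```

Running `transport_vrf_mismatches(SAMPLE_CONFIG)` reports only Tunnel3 (tunnel vrf "internet", source Tunnel2 in "global"); removing that one line from Tunnel3 clears the finding.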
