07-27-2012 07:02 AM - edited 03-04-2019 05:05 PM
Hi All,
I earlier started a discussion thread on IP connectivity issues I was having with my IPSec VPN; the issue was not resolved. I then had to change my router configuration to GRE over IPSec. Pasted below are the sho run, sho crypto session, show crypto ipsec sa and sho crypto isakmp sa for the head office and remote sites. From the outputs, you will see that the VPN appears down. And indeed I cannot reach resources over the VPN; the IP phones and cameras are not accessible over the VPN connection. But ping results both from the router and from the LAN systems show 100% success.
What could be responsible for this? The ping result shows that there is a connection between the two LANs, while 'show crypto session', 'sho crypto ipsec sa' and 'sho crypto isakmp sa' indicate that the VPN is not operational.
Also from the SDM, when I test the tunnel, this message is displayed: "THE PEER MUST BE ROUTED THROUGH THE CRYPTO MAP INTERFACE. THE FOLLOWING PEER(S) DO NOT HAVE A ROUTING ENTRY IN THE ROUTING TABLE. (1) 4.2.2.2".
Please can someone tell me how to correct this and what route statement I am missing in the config.
SHOW RUN FOR REMOTE SITE:
Current configuration : 6086 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
aaa new-model
!
!
aaa authentication login local_auth local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1653327508
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1653327508
revocation-check none
rsakeypair TP-self-signed-1653327508
!
!
!
ip cef
!
!
!
crypto isakmp policy 1
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key 6 OOJAQ address 1.2.2.2
!
!
crypto ipsec transform-set ME-VPN esp-aes esp-md5-hmac
!
crypto map VPN-TO-PH 10 ipsec-isakmp
set peer 1.2.2.2
set transform-set ME-VPN
match address SDM_1
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface Loopback0
ip address 192.200.200.1 255.255.255.255
!
interface Tunnel0
description ### Tunnel to LAGOS ###
ip address 192.100.100.2 255.255.255.252
tunnel source 4.2.2.2
tunnel destination 1.2.2.2
tunnel mode ipip
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation hdlc
shutdown
!
interface FastEthernet0
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
ip address 4.2.2.2 255.255.255.248
ip verify unicast source reachable-via rx allow-default 101
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1400
duplex auto
speed auto
crypto map VPN-TO-PH
crypto ipsec df-bit clear
!
!
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Dialer1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 4.2.2.1
ip route 192.168.0.0 255.255.255.0 Tunnel0
!
!
no ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet1 overload
!
ip access-list extended SDM_1
remark SDM_ACL Category=20
permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
!
logging trap debugging
logging facility local2
access-list 100 remark EXCLUDED FROM NAT
access-list 100 remark SDM_ACL Category=16
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit udp any any eq bootpc
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 100
!
!
!
!
control-plane
!
!
end
SHOW RUN FOR HEAD OFFICE:
lag#sho run
Building configuration...
Current configuration : 6499 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-3885639516
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3885639516
revocation-check none
rsakeypair TP-self-signed-3885639516
!
crypto isakmp policy 1
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key 6 \]OWLi address 4.2.2.2
!
!
crypto ipsec transform-set ME-VPN esp-aes esp-md5-hmac
!
crypto map VPN-TO-PH local-address Loopback1
crypto map VPN-TO-PH 10 ipsec-isakmp
set peer 4.2.2.2
set transform-set ME-VPN
match address VPN-TRAFFIC
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface Loopback0
no ip address
!
interface Loopback1
ip address 1.2.2.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
crypto map VPN-TO-PH
!
interface Tunnel0
description ### Tunnel t0 PHC ###
ip address 192.100.100.1 255.255.255.252
tunnel source 1.2.2.2
tunnel destination 4.2.2.2
tunnel mode ipip
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation hdlc
shutdown
!
interface FastEthernet0
description ### DOPC PRIMARY LINK ###
ip address 172.16.247.11 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
description ### DOPC SECONDARY LINK ###
ip address 172.16.249.11 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet2
description ### Masters LAN Interface ###
switchport access vlan 100
!
!
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan100
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
!
router bgp 65142
no synchronization
bgp log-neighbor-changes
network 1.2.2.2 mask 255.255.255.252
neighbor 172.16.247.1 remote-as 65136
neighbor 172.16.249.1 remote-as 65136
no auto-summary
!
ip forward-protocol nd
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
!
ip http server
ip http access-class 20
ip http authentication local
ip http secure-server
ip nat inside source route-map LAT interface Loopback1 overload
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
permit tcp any any eq bgp
permit tcp any eq bgp any
!
logging trap debugging
logging facility local2
access-list 20 permit 192.168.0.9
access-list 100 remark EXCLUDE NAT
access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 remark
access-list 101 permit udp any any eq bootpc
no cdp run
!
route-map LAT permit 1
match ip address 100
!
control-plane
!
end
SHO CRYPTO SESSION FOR HEAD OFFICE
lag#sho crypto session
Crypto session current status
Interface: Loopback1
Session status: DOWN
Peer: 4.2.2.2 port 500
IPSEC FLOW: permit 6 0.0.0.0/0.0.0.0 port 179 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit 6 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 port 179
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.0.0/255.255.255.0 192.168.1.0/255.255.255.0
Active SAs: 0, origin: crypto map
SHOW CRYPTO IPSEC SA:
lag#sho crypto ipsec sa
interface: Loopback1
Crypto map tag: VPN-TO-PH, local addr 1.2.2.2
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/179)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/0)
current_peer 4.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.2.2.2, remote crypto endpt.: 4.2.2.2
path mtu 1514, ip mtu 1514, ip mtu idb Loopback1
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/179)
current_peer 4.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.2.2.2, remote crypto endpt.: 4.2.2.2
path mtu 1514, ip mtu 1514, ip mtu idb Loopback1
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 4.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.2.2.2, remote crypto endpt.: 4.2.2.2
path mtu 1514, ip mtu 1514, ip mtu idb Loopback1
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
SHOW CRYPTO ISAKMP SA:
lag#sho crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
SHO INTERFACE T0:
lag#sho int t0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Description: ### Tunnel t0 PHC ###
Internet address is 192.100.100.1/30
MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 1.2.2.2, destination 4.2.2.2
Tunnel protocol/transport IP/IP
Tunnel TTL 255
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 00:00:03, output 00:05:52, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
40062 packets input, 7935632 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
33207 packets output, 4807492 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
PING RESULT TO REMOTE LAN:
lag#ping 192.168.1.1 sour 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 184/320/532 ms
Please can anyone see where the problem is from the config and how to rectify it.
Thanks as always for your contributions.
Tom
07-27-2012 08:05 AM
Here is a good document on GRE over IPSec.
Based on your outputs, you need a lot of fixing so I prefer if you read this document and understand how tunnels are built with IPSec.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml
For starters, I recommend peering using the remote peer external interface instead of using loopbacks (which can potentially cause recursive routing, if not careful) as well as using GRE host x.x.x.x host x.x.x.x for the IPSec interesting traffic.
Regards,
Edison
07-27-2012 10:10 AM
Hi Edison,
Thanks for the link.
I am studying it.
If I may ask, can I peer with local IP addresses? The external interfaces are configured with local addresses from my ISP's local address range; the public IP is on the Loopback. Is it possible to peer with these local IP addresses?
I also noticed from the material posted that in the crypto isakmp key statement
"crypto isakmp key 6 xxxxx address 0.0.0.0 0.0.0.0"
the statement ends with 0.0.0.0 0.0.0.0 instead of ending with the address of the peer router (so I think).
Thanks
Tom
07-27-2012 10:37 AM
You could set the peer with local IP address but this can't be within the encryption domain.
That's the reason we often recommend using the external facing IP addresses for peering.
The crypto ..... address 0.0.0.0 will allow you to use that key for any peer but you still need to specify the peers under the isakmp policy.
07-27-2012 11:34 AM
Hi Edison,
Thank you for your contribution.
Below is a rough sketch of my network. I have gone through the material you referred me to. Please can you give me a sample config I can use for the network below? I want to configure afresh. But I have a problem with how to use the physical interfaces at the Head office for tunneling while still using the Loopback public IP for internet access. The whole thing looks confusing. That is why I actually preferred site-to-site IPsec.
Thanks
Tom
07-27-2012 11:47 AM
Tom
This does present a bit of a challenge and I will be interested in what Edison may suggest. In setting up a tunnel the tunnel source address must be reachable from the peer device. So when tunneling over the Internet it is most common to use the outside address because it is usually the address that is reachable from a peer across the Internet. Since your physical interfaces all seem to have private addresses it would be difficult to tunnel using them.
A second possible challenge about using the physical interface address for the tunnel is the implication that traffic going out those interfaces will be translated by your provider before the traffic actually gets on to the Internet. Can you confirm whether or not address translation is performed on traffic outbound from the Head Office to the Internet?
HTH
Rick
07-28-2012 03:35 PM
Are these fictitious addresses?
Or
Do you have another device facing the Internet that is missing on this diagram?
172.16.x.x is not a routable internet address and 4.2.x.x is actually reserved for internet DNS servers.
Again, if you want to learn technologies the proper way, you first have to start with the basics - peer with the external facing interface because as Rick mentioned, it is reachable end-to-end.
If you start peering with a loopback, then routing must take place before encryption.
You also have to exclude the loopback from encryption and this design can become quite complicated.
After you've done a couple of designs, you will learn the best thing is keeping things simple.
07-27-2012 08:11 AM
Tom
I believe that the ping is successful because the ip in ip tunnel is configured and working. But the traffic through the tunnel is not encrypted because of the problems in configuring the VPN. I offer the following observations about the issues and possible fixes for the issues:
- the error message about routing 4.2.2.2 which is the peer address from the Head Office. I assume that you are learning that address from BGP which means that you go through interface Fastether0 or Fastether1 to get to the peer. But the crypto map is configured on interface loopback1. For the crypto map to work the traffic to the peer needs to go through the interface that has the crypto map. So in your configuration the traffic to 4.2.2.2 would need to be routed through loopback1. But that is not very feasible. So I would suggest moving the crypto map from loopback1 to the Fastethernet interfaces.
- for the crypto negotiation to be successful the access lists on both ends must match. But your access lists do not match. On the remote you permit only traffic subnet to subnet. But on the Head Office you permit BGP in addition to the subnet to subnet traffic. I believe that is a problem. I am puzzled why you have put BGP into the access list because there is not going to be any BGP to the peer since the peer is not configured to run BGP. So I suggest that you remove the BGP lines from the access list on the Head Office.
- when I configure this type of VPN I specify that the tunnel mode is GRE and my access list would be permit gre host 4.2.2.2 host 1.2.2.2. Your configuration uses tunnel mode ipip and the access list permits subnet to subnet traffic. Perhaps that works. But if you make the other changes that I have suggested and it still does not work then I suggest changing the tunnel mode and the access lists.
HTH
Rick
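An added check (not from the thread or from Cisco) for Rick's second point: the crypto ACLs on the two peers must be mirror images for phase 2 to negotiate. This Python parses the two `ip access-list extended` blocks quoted above and lists every entry the other side does not mirror; on the configs in this thread that is exactly the two BGP lines on the head office. It only understands `permit <proto> <src> [eq PORT] <dst> [eq PORT]` with `any`, `host A` and `A WILDCARD`, which covers the lines on this page.

```python
"""Mirror check for the crypto ACLs quoted in the thread (added example)."""

# The two ACL blocks exactly as quoted in the thread (copied, not constructed).
REMOTE_ACL = """\
ip access-list extended SDM_1
 remark SDM_ACL Category=20
 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
"""

HEAD_OFFICE_ACL = """\
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit tcp any any eq bgp
 permit tcp any eq bgp any
"""


def _endpoint(tokens):
    """Consume one address spec (any | host A | A WILDCARD) and an optional
    'eq PORT'; return (addr, wildcard), port and the remaining tokens."""
    if tokens[0] == "any":
        addr, tokens = ("0.0.0.0", "255.255.255.255"), tokens[1:]
    elif tokens[0] == "host":
        addr, tokens = (tokens[1], "0.0.0.0"), tokens[2:]
    else:
        addr, tokens = (tokens[0], tokens[1]), tokens[2:]
    port = None
    if tokens and tokens[0] == "eq":
        port, tokens = tokens[1], tokens[2:]
    return addr, port, tokens


def parse_acl(text):
    """Return the permit entries as (proto, src, sport, dst, dport) tuples."""
    entries = set()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "permit":
            continue  # header line, remark or blank line
        proto = tokens[1]
        src, sport, rest = _endpoint(tokens[2:])
        dst, dport, _ = _endpoint(rest)
        entries.add((proto, src, sport, dst, dport))
    return entries


def mirror(entry):
    """The entry the peer must hold: same protocol, source and destination swapped."""
    proto, src, sport, dst, dport = entry
    return (proto, dst, dport, src, sport)


def unmatched(local_text, peer_text):
    """Entries of the local crypto ACL that the peer's ACL does not mirror."""
    peer = parse_acl(peer_text)
    return {e for e in parse_acl(local_text) if mirror(e) not in peer}


if __name__ == "__main__":
    for entry in unmatched(HEAD_OFFICE_ACL, REMOTE_ACL):
        print("head office entry not mirrored at remote:", entry)
```

Rick's suggested `permit gre host 4.2.2.2 host 1.2.2.2` on the remote passes the same check only when the head office holds `permit gre host 1.2.2.2 host 4.2.2.2`.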
07-27-2012 10:16 AM
Hi Rick,
Thanks for your input.
I am still studying the material from the link posted above. I have edited the access list on both sides to permit gre host 4.2.2.2 host 1.2.2.2; also I've done away with the BGP in the access list, as suggested.
As for the crypto map, I moved it from the loopback to the Tunnel 0 interface.
Though there is no noticeable change, I am looking at the posted material for reconfiguration.
Thanks
Tom
07-27-2012 11:26 AM
Tom
With the changes you have made I believe that you are going in the right direction but still have some more to do before it will work.
In older versions of IOS you would apply the crypto map on the tunnel interface (as well as on a physical interface). But in recent versions of IOS the crypto map needs to go on a physical interface and not the tunnel.
HTH
Rick