693 Views · 15 Helpful · 7 Replies

Only able to IPSEC SVTI interesting destination when sourcing from Loopback

CiscoPurpleBelt
Level 6

Not sure if this is default behavior or what, but I can only ping the lab Lo0 of the peer router (6.6.6.6) when sourcing from Lo0 of the local router. So an IPSEC SVTI tunnel is built between two routers (R1 and R2) with a couple of routers in between simply passing all traffic via OSPF. The tunnel state is good - QM Idle. Here is the R1 config:

 

CE_R1#sh run
Building configuration...

Current configuration : 2161 bytes
!
! Last configuration change at 02:20:16 UTC Thu Feb 6 2020
!
version 16.6
service config
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform console serial
!
hostname CE_R1
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$6aiT$LKvEnNSBMrYDguNTlnyPP0
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
license udi pid CSR1000V sn 9L4OGSZMF0B
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
!
username cisco privilege 15 secret 5 $1$EAHP$D3l28AA81b2WwEeqg5eMW0
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco123 address 172.16.1.6
!
!
crypto ipsec transform-set IPSEC_Tun0_TS esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
set transform-set IPSEC_Tun0_TS
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
ip address 100.1.1.1 255.255.255.0
tunnel source 10.1.1.1
tunnel mode ipsec ipv4
tunnel destination 172.16.1.6
tunnel protection ipsec profile IPSEC_PROFILE
!
interface GigabitEthernet1
ip address 10.255.2.189 255.255.0.0
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
ip address 10.1.0.254 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3
ip address 10.1.1.1 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
!
!
virtual-service csr_mgmt
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http client source-interface GigabitEthernet1
ip route 0.0.0.0 0.0.0.0 10.1.1.2
ip route 6.6.6.0 255.255.255.0 Tunnel0
!
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
!
!
!
!
control-plane
!
!
!
!
!
!
line con 0
stopbits 1
line vty 0
login
line vty 1
login
length 0
line vty 2 4
login
!
!
!

7 Replies

Francesco Molino
VIP Alumni
Hi

What other destination IPs/subnets do you want to reach over your VTI IPSEC tunnel?
On this R1 config, you only have 1 route going over the tunnel for prefix 6.6.6.0/24.
If you want to reach other subnets, you need to add the right static routes and the same on R2 for return traffic.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Right now it is only the 6.6.6.6 Lo0. I am not sure why it will only ping when sourcing from R1 Lo0.

What is the config on the other end?
You need to make sure, static routes towards the ipsec tunnel for all your subnets have been configured on the other end.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I agree with @Francesco Molino that we should see the config of the other router and that it might be helpful to have some information about the routers in the middle. My guess is that the config of the other router is similar in having a static route to your loopback forwarded through the tunnel and all other traffic sent through the physical outbound interface. If that is true then I believe that this is the behavior. If you ping 6.6.6.6 sourced from 1.1.1.1 then the ping request is forwarded using the tunnel and the response is sent using the tunnel and ping is successful. But if you ping 6.6.6.6 using any other source address then the ping request is sent using the tunnel but the response is sent not over the tunnel but through the physical outbound interface and for some reason is not delivered to the source.

HTH

Rick

Gents,

 

I have posted both configs for R1 and R2 and attached the topology. I can upload the rest of the PE router configs if something still is not adding up/pointing to issues with these routers in between however they are simply configured with OSPF area 0 advertising all interfaces, that is it. Really appreciate all the help!

========================================

 

CE_R6#sh run
Building configuration...

Current configuration : 2168 bytes
!
! Last configuration change at 16:16:52 UTC Sat Feb 8 2020
!
version 16.6
service config
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform console serial
!
hostname CE_R6
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$AiIq$IVTqj8gNBeWsIe3qZH7g40
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
license udi pid CSR1000V sn 9IR62R9KOLD
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
!
username cisco privilege 15 secret 5 $1$txWl$GA565flyxO3Zu9RGByAr80
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco123 address 10.1.1.1
!
!
crypto ipsec transform-set IPSEC_Tun0_TS esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
set transform-set IPSEC_Tun0_TS
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 6.6.6.6 255.255.255.255
!
interface Tunnel0
ip address 60.60.60.1 255.255.255.0
tunnel source 172.16.1.6
tunnel mode ipsec ipv4
tunnel destination 10.1.1.1
tunnel protection ipsec profile IPSEC_PROFILE
!
interface GigabitEthernet1
ip address 10.255.2.212 255.255.0.0
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
ip address 172.16.1.6 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3
ip address 172.16.0.254 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
!
!
virtual-service csr_mgmt
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http client source-interface GigabitEthernet1
ip route 0.0.0.0 0.0.0.0 172.16.1.5
ip route 1.1.1.0 255.255.255.0 Tunnel0
!
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
!
!
!
!
control-plane
!
!
!
!
!
!
line con 0
stopbits 1
line vty 0
login
line vty 1
login
length 0
line vty 2 4
login
!
!
!
!
!
!
end


---------------------------------------------------------------------------------

CE_R1#sh run
Building configuration...

Current configuration : 2791 bytes
!
! Last configuration change at 16:16:26 UTC Sat Feb 8 2020
!
version 16.6
service config
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform console serial
!
hostname CE_R1
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$6aiT$LKvEnNSBMrYDguNTlnyPP0
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
!
flow record Netflow_Record
description Netflow Accounting
match ipv4 source address
match ipv4 destination address
collect counter bytes long
!
!
flow exporter NetFlowExporter
destination 10.1.1.2
transport udp 12345
!
!
flow monitor NetFlowMonitor
exporter NetFlowExporter
record Netflow_Record
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
license udi pid CSR1000V sn 9BXI3TREZV2
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
!
username cisco privilege 15 secret 5 $1$EAHP$D3l28AA81b2WwEeqg5eMW0
!
redundancy
!
!
!
!
!
!
!
class-map match-all 1
match access-group 1
class-map match-all TEST_QMAP
match access-group 1
match input-interface GigabitEthernet2
!
policy-map Single_Rate_Two_Color
class TEST_QMAP
policy-map TEST_PM
policy-map polmap
class 1
bandwidth 2
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco123 address 172.16.1.6
!
!
crypto ipsec transform-set IPSEC_Tun0_TS esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
set transform-set IPSEC_Tun0_TS
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
ip address 100.1.1.1 255.255.255.0
tunnel source 10.1.1.1
tunnel mode ipsec ipv4
tunnel destination 172.16.1.6
tunnel protection ipsec profile IPSEC_PROFILE
!
interface GigabitEthernet1
ip address 10.255.2.211 255.255.0.0
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
ip address 10.1.0.254 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3
ip flow monitor NetFlowMonitor input
ip address 10.1.1.1 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
!
!
virtual-service csr_mgmt
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http client source-interface GigabitEthernet1
ip route 0.0.0.0 0.0.0.0 10.1.1.2
ip route 6.6.6.0 255.255.255.0 Tunnel0
!
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
access-list 1 permit 10.1.0.253
!
!
!
!
control-plane
!
!
!
!
!
!
line con 0
stopbits 1
line vty 0
login
line vty 1
login
length 0
line vty 2 4
login
!
!
!
!
!
!
end

CE_R1#

Thanks for the config of the 2 routers. If I am understanding correctly your statement here that the routers in between are just running OSPF and advertising their own interfaces then my suggestion in my previous post is correct. Let us think about how it would work (or not work). Assume that R1 pings the loopback of R6. The ping has destination of 6.6.6.6 and source of 10.1.1.1. It is sent through the tunnel and arrives at R6. R6 generates a response which has destination address of 10.1.1.1. R6 routing table says to use the default route and so it goes to the PE router. But the PE router does not know about 10.1.1.1.

 

I want to point out something that I noticed. On R6 this is the tunnel

interface Tunnel0
ip address 60.60.60.1 255.255.255.0

and this is the tunnel on R1

interface Tunnel0
ip address 100.1.1.1 255.255.255.0

Depending on how you want to use the tunnel, the mismatch may not matter and the tunnel will work. But for example if you want to run a dynamic routing protocol over the tunnel (which would be the best way to resolve the issue in the original post), then the mismatch will prevent the routing protocol from forming a neighbor relationship.

HTH

Rick

Both static routes are configured to reach only the loopback IPs.
What other subnets do you want to reach?
A few comments on your config:
- The Gig1 interfaces are on the same subnet on both routers.
- The tunnel IPs are not in the same subnet.

Can you detail a bit your plans and what you're willing to achieve?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
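The two points raised in the replies above (the echo reply to a non-loopback source leaving R6 via the default route instead of the tunnel, and the Tunnel0 subnet mismatch) can be checked mechanically by replaying the forwarding decision each router makes. The script below is an added example, not something posted in the thread: it transcribes the static routes and connected subnets from the two sh run outputs into a longest-prefix-match lookup and traces where the echo request and echo reply exit on each router. The R1_FIXED and R6_FIXED tables are hypothetical corrections, not configs from the thread. Note the caveat they illustrate: the obvious "fix" of routing 10.1.1.0/24 into Tunnel0 on R6 cannot work, because 10.1.1.1 is the tunnel's own outer destination and IOS would disable the tunnel for recursive routing; traffic that should be encrypted has to be sourced from the loopbacks or LAN subnets, with the matching return routes on the far side.

```python
import ipaddress

# Routing tables transcribed from the two "sh run" outputs in the thread:
# static routes plus directly connected subnets (which IOS installs on its
# own). An exit of "Tunnel0" means the packet is encrypted by the SVTI;
# any other exit means it leaves a physical interface in the clear.
R1_ROUTES = [
    ("0.0.0.0/0", "10.1.1.2 via GigabitEthernet3"),
    ("6.6.6.0/24", "Tunnel0"),
    ("1.1.1.1/32", "Loopback0"),
    ("100.1.1.0/24", "Tunnel0"),
    ("10.1.1.0/24", "GigabitEthernet3"),
    ("10.1.0.0/24", "GigabitEthernet2"),
    ("10.255.0.0/16", "GigabitEthernet1"),
]
R6_ROUTES = [
    ("0.0.0.0/0", "172.16.1.5 via GigabitEthernet2"),
    ("1.1.1.0/24", "Tunnel0"),
    ("6.6.6.6/32", "Loopback0"),
    ("60.60.60.0/24", "Tunnel0"),
    ("172.16.1.0/24", "GigabitEthernet2"),
    ("172.16.0.0/24", "GigabitEthernet3"),
    ("10.255.0.0/16", "GigabitEthernet1"),
]
# "tunnel destination" on each side, from the Tunnel0 interface configs.
R1_TUNNEL_DST, R6_TUNNEL_DST = "172.16.1.6", "10.1.1.1"


def lookup(routes, dst):
    """Longest-prefix match, the per-packet decision the router's FIB makes."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, exit_ in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, exit_)
    return best[1] if best else None


def trace_ping(src, dst, r1=R1_ROUTES, r6=R6_ROUTES):
    """Exit R1 picks for the echo request and exit R6 picks for the reply.

    Returns (request_exit, reply_exit, both_directions_encrypted)."""
    req = lookup(r1, dst)
    rep = lookup(r6, src)
    return req, rep, req == "Tunnel0" and rep == "Tunnel0"


def recursive_routing(routes, tunnel_dst):
    """True if the tunnel's own outer destination resolves via Tunnel0.

    IOS then logs 'temporarily disabled due to recursive routing' and
    flaps the interface, so the peer's tunnel-endpoint subnet must never
    be routed into the tunnel."""
    return lookup(routes, tunnel_dst) == "Tunnel0"


def tunnel_subnets_match(r1_tunnel_ip, r6_tunnel_ip):
    """Second point from the thread: both Tunnel0 addresses must share a subnet."""
    a = ipaddress.ip_interface(r1_tunnel_ip).network
    b = ipaddress.ip_interface(r6_tunnel_ip).network
    return a == b


# Hypothetical corrected tables (not from the thread): each side also routes
# the other side's LAN through the tunnel, while the tunnel endpoint
# subnets (10.1.1.0/24 and 172.16.1.0/24) stay on the default route.
R1_FIXED = R1_ROUTES + [("172.16.0.0/24", "Tunnel0")]
R6_FIXED = R6_ROUTES + [("10.1.0.0/24", "Tunnel0")]


if __name__ == "__main__":
    for src in ("1.1.1.1", "10.1.1.1", "10.1.0.254"):
        print(f"{src} -> 6.6.6.6:", trace_ping(src, "6.6.6.6"))
    print("tunnel subnets match:", tunnel_subnets_match("100.1.1.1/24", "60.60.60.1/24"))
    print("LAN ping after fix:", trace_ping("10.1.0.254", "6.6.6.6", R1_FIXED, R6_FIXED))
    print("fix is recursive on R6:", recursive_routing(R6_FIXED, R6_TUNNEL_DST))
    bad = R6_ROUTES + [("10.1.1.0/24", "Tunnel0")]
    print("routing the endpoint subnet into the tunnel is recursive:",
          recursive_routing(bad, R6_TUNNEL_DST))
```

Run as-is it shows the loopback-sourced ping encrypted in both directions, a ping sourced from 10.1.1.1 or 10.1.0.254 with the request encrypted but the reply sent out R6's Gig2 on the default route, and the Tunnel0 subnet check failing for 100.1.1.1/24 against 60.60.60.1/24. The same lookup, fed the output of show ip route from the real boxes, is a quick way to confirm that every prefix you expect to be protected is routed into the SVTI on both ends.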