cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
5293
Views
0
Helpful
24
Replies
Beginner

Route-map not sending traffic over vpn.

You are the second person to suggest VTI to me.   I'm more than happy to upload both configs.  Unfortunately the second device is not a cisco. Its a linux box running Openswan.  After talking to jon earlier it turns out that yes the issue is that the tunnels are not coming up.  The only one I can get to come up is the subnet to subnet one. As soon as I try to get the 192.168.30.0 0.0.0.255 any eq www or 443 up the tunnel never forms.  I'm almost positive it's on the openswan side.

I've since removed everything and am trying to just get a single tunnel up, the port 80 one.  So far it's not coming up.

If this were a second cisco device I think I might have been done a long time ago with this.

Rising star

Route-map not sending traffic over vpn.

ok, then I assume that both sites have to have same ACLs to establish connection. So in current topology you have probably only two options.

1) delete all modification which you done and use IPsec tunnel only for LAN-to-LAN traffic.

2) configure default route so all traffic will run via IPsec tunnel, although I am not sure if this is suitable for you or even if this is possible with Openswan [I have never used it].

Best Regards

Please rate all helpful posts and close solved questions

Best Regards Please rate all helpful posts and close solved questions
Beginner

Route-map not sending traffic over vpn.

I considered that but cant. I need certain traffic to still originate from here, I only want http/https routed over the VPN.

Thanks

Rising star

Route-map not sending traffic over vpn.

Did you consider to use proxy? You said that second device is linux box, so if you configure this linux box as proxy server for http/https traffic, web traffic will run via IPsec tunnel [I assume that linux box has IP from 192.168.10.0/24 subnet] and from linux box to the internet.

Best Regards

Please rate all helpful posts and close solved questions

Best Regards Please rate all helpful posts and close solved questions
Highlighted
Beginner

Re: Route-map not sending traffic over vpn.

Yes! That was what I was acutally trying to accomplish here. I figured I needed to get the IPSEC tunnel up first which is why I was going through all this.   The proxy portion is painless, its the fact that I wanted it through an IPSEC tunnel that seems to have made this difficult.

Edit: I know I could do that now with what is working. I don't want to have to set a proxy address on al machines. I want it all handled by the router itself.

Hall of Fame Guru

Re: Route-map not sending traffic over vpn.

Bruce

Config looks okay just a few little things -

1) your crypto map acl includes https but your NAT acl doesn't. Doesn't matter as long as you are testing with http.

2) you have this NAT statement -

ip nat inside source static tcp 192.168.30.13 80 interface FastEthernet0/1 80

so just to clarify, you are not testing web access from this address are you as it will NAT the source IP and then the crypto map acl won't match.

 

Edit - ignore 2) above. I misread it and it doesn't apply to outbound traffic.

In terms of the crypto output can you -

1) edit your post (which you can do) and remove the public IPs. Just a precaution but we don't need to see them for troublshooting and best not to publish that sort of information.

2) send errors look like an issue on this end as opposed to receive errors. So can you clear the crypto tunnel to start afresh and then try connecting and see what the output is showing.

Jon

Beginner

Re: Route-map not sending traffic over vpn.

1. I'm only testing http right now. Plus just easier to only have to remove one line when I need web access back.

2. nope not using that machine.

1. I edited that. Thanks, I've been trying to remember to clear those ips on all posts.

2. I did a clear crypto sa.  

Then I added back in the deny statement to my acl for www traffic.  Then I tried to go to a few sites.  I got nowhere.  Here is the output from a show crypto ipsec sa

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/6/0)

   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/80)

   current_peer 2.2.2.2 port 500

     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 315, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 37.235.55.196

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1

     current outbound spi: 0x0(0)

Same as last time.  

Hall of Fame Guru

Re: Route-map not sending traffic over vpn.

Bruce

Your IPSEC tunnel is not establising correctly ie. there are no phase 2 tunnels coming up. Now we know you can get the tunnels to come up because they did before all the changes. Can you make sure any changes you have made are matched at the other end.

Obviously the NAT is not relevant as that is only local to the router.

Jon

Beginner

Route-map not sending traffic over vpn.

Yeh, I see that now.  Actually I don't think they were ever up.  Looking below i just assumed that if I saw it there it was up. I didn't notice the Active SA's was 0 on both the 443 and the 80. 

So yes it looks like thost are not up.   I have 0 idea how to get them up either.  I haven't had much luck with finding any useful information on doing this with openswan.  Doing different subnets is ok but ports, I'm still looking around and maybe I'll have to change how i do this.  I ran into this when I first started to do this.  My acl for my vpn was like the port 80 one below and it would never come up.

Thanks for all the help.  I'll post back if I come up with anything.  For now I'm stumped.

  IPSEC FLOW: permit 6 192.168.30.0/255.255.255.0 0.0.0.0/0.0.0.0 port 443

        Active SAs: 0, origin: crypto map

        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0

        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

  IPSEC FLOW: permit 6 192.168.30.0/255.255.255.0 0.0.0.0/0.0.0.0 port 80

        Active SAs: 0, origin: crypto map

        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0

        Outbound: #pkts enc'ed 0 drop 229 life (KB/Sec) 0/0

  IPSEC FLOW: permit ip 192.168.30.0/255.255.255.0 192.168.10.0/255.255.255.0

        Active SAs: 4, origin: crypto map

        Inbound:  #pkts dec'ed 35 drop 0 life (KB/Sec) 4395176/3536

        Outbound: #pkts enc'ed 36 drop 6 life (KB/Sec) 4395176/3536

Beginner

Re: Route-map not sending traffic over vpn.

Here is the answer to this if anyone is interested.

The policy map was never going to work the way it was previously. There was no place to route the traffic.   What I needed was a gre tunnel.

interface Tunnel0
ip address 10.10.10.2 255.255.255.252
ip mtu 1420
tunnel source 1.1.1.1
tunnel destination 2.2.2.2
crypto map IOFVPN

and a route to point to the internal subnet on the remote side with a gateway of the remote side.

S    192.168.10.0/24 [1/0] via 10.10.10.1

I've never used gre before but I will now. Getting the tunnel up was pretty basic both on the cisco and linux ( openswan ) side. Once that was up and running I tested without ipsec.

On my fa0/0 interface, my internal I put:

ip policy route-map PROXY-REDIRECT

route-map proxy-redirect permit 100
 match ip address PROXY-REDIRECT
 set ip next-hop recursive 192.168.10.1

The matching ACL is:

ip access-list extended proxy-redirect
 deny   tcp host 192.168.30.13 any eq www
 permit tcp 192.168.30.0 0.0.0.255 any eq www
 permit tcp 192.168.30.0 0.0.0.255 any eq 443
 permit tcp 192.168.30.0 0.0.0.255 any eq irc
 permit tcp 192.168.30.0 0.0.0.255 any eq 6667
 deny   tcp 192.168.30.0 0.0.0.255 any eq 5938
 deny   tcp any any
 deny   udp any any
 deny   ip any any

As soon as I added that my traffic started passing the way I wanted it. I'll note here that this ACL could be shrunk. I added the implicit deny's because I was having the odd traffic pass over the link.

Once was verified working then I just needed to wrap it in ipsec. Configuring the Cisco side was easy.

crypto isakmp policy 1
 encr aes 192
 authentication pre-share
 group 2
 lifetime 43200
crypto isakmp key *********** address 2.2.2.2
!
!
crypto ipsec transform-set IOFSET2 esp-aes 192 esp-sha-hmac 
 mode transport
!
crypto map IOFVPN 1 ipsec-isakmp 
 description IOM
 set peer 2.2.2.2
 set transform-set IOFSET2 
 match address IPSEC-GRE-IOF

ip access-list extended IPSEC-GRE-IOF
 permit gre host 1.1.1.1 host 2.2.2.2

** Must use transport mode. It took me a bit to figure that one out.

Apply that crypto map to both f0/1 and tun0 and you have a tunnel.

The openswan side is what gave me trouble though this whole thing. Their config is a bit odd and it just took some getting used to.

At the end of the day all traffic that I want is peeled off and routed through an ipsec protected gre tunnel to a remote endpoint.

Enjoy.

CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards