Solved: Re: Routing internet destination traffic accross a VTI with IPSec

Felipe A. Amaya · ‎06-02-2018

Hi Everyone,

I just deployed an IPsec using Virtual Tunnel Interface at one of our remote branches, I am learning all OSPF routes learned from my HQ router which is great! however my issue is that if I am sitting at the branch office and I want to go to a website I drop at the branch router as I have a static router pointing to the ISP default gateway as follows: ip route 0.0.0.0 0.0.0.0 x.x.x.1 per the documentation I need this route to stablish the IPsec tunnel. All OSPF traffic is routed through the tunnel interface, the internet bound traffic also needs to traverse through the tunnel headed to the HQ so that it can pass through our existing security stack.

Here is what I am thinking of doing.

My ISP facing interface has a /29 ip address such as:

int g0/0/1

ip address 205.x.x.3 255.255.255.248

IP route 0.0.0.0 0.0.0.0 205.x.x.1

Change the default route as follows:

ip route 205.x.x.3 255.255.255.255 205.x.x.1 (for IPsec)

ip route 0.0.0.0 0.0.0.0 10.x.x.9 (next hop router) headquarters

router ospf 100

redistribute static

So my thinking is when a user at the branch office tries to browse traffic should flow through the tunnel interface and the HQ router should sending outward.

your opinion and suggestions will be greatly appreciated!

Thanks.

Peter Paluch · ‎06-02-2018

Hi Felipe,

Current

ip route 0.0.0.0 0.0.0.0 205.x.x.1

proposed

ip route 205.x.x.3 255.255.255.255 205.x.x.1

This does not look right. It should be:

ip route 12x.x.230.50 255.255.255.255 205.x.x.1

Remember - the point of the static route is to explain how to reach the remote destination 12x.x.230.50 (which is the far end of the IPsec tunnel) through the next hop 205.x.x.1 that is on a directly connected network on Gi0/0/1. Configuring a static route to 205.x.x.3 has no meaning - that IP address is your own IP address already.

Does this make sense? Please feel welcome to ask further!

Best regards,
Peter

View solution in original post

Peter Paluch · ‎06-02-2018

Hi Felipe,

From your description, technically, I believe that your thinking is absolutely correct - you will need to modify your default route to point through the IPsec tunnel, and also add a static /32 route for the particular endpoint of the IPsec tunnel to point to the ISP.

I am not sure, however, if the /32 route you have suggested is correct. It is my understanding that the 205.x.x.3 is the IP address of your branch router, not the IPsec tunnel tailend (the tunnel destination). The /32 route, however, needs to refer to the IP address of the HQ tunnel tailend, and just the next hop would be 205.x.x.1 (the ISP's address facing the branch router).

The only question I have is more about your company policy: Is it expected that in fact all traffic, both intra-company, and internet-bound, is supposed to be traversing through the IPsec tunnel and through the HQ? This is something specific to your company which we cannot answer. One of the things that raises doubts is that if your company policy was truly to route everything through HQ, you would likely have received a default route through OSPF over the IPsec tunnel.

Actually, this is something interesting - maybe you actually have received that default route in OSPF, but since you have a static default route, the one potentially learned through OSPF would not show in the routing table. Can you check using show ip ospf database external 0.0.0.0 whether you get any output? If you do, then there is a default route advertised over OSPF alright, and it would be sufficient to just add the static /32 route for the IPsec tunnel tailend.

Feel welcome to ask further!

Best regards,
Peter

Felipe A. Amaya · ‎06-02-2018

Hi Peter,

Thank you....

Here is the output of the sho ip ospf database external 0.0.0.0, and yes the company policy is to send all internet traffic through the tunnel and then it should pass our security stack for inspection.

Rtr2-1701500a1#sho ip ospf database external 0.0.0.0

OSPF Router with ID (10.11.0.254) (Process ID 101)

Type-5 AS External Link States

LS age: 1370
Options: (No TOS-capability, No DC, Upward)
LS Type: AS External Link
Link State ID: 0.0.0.0 (External Network Number )
Advertising Router: 10.0.5.2
LS Seq Number: 800013FB
Checksum: 0x347E
Length: 36
Network Mask: /0
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 1
        Forward Address: 0.0.0.0
        External Route Tag: 0

LS age: 690
Options: (No TOS-capability, No DC, Upward)
LS Type: AS External Link
Link State ID: 0.0.0.0 (External Network Number )
Advertising Router: 10.12.0.3
LS Seq Number: 80001140
Checksum: 0x6EF9
Length: 36
Network Mask: /0
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 1
        Forward Address: 0.0.0.0
        External Route Tag: 0

LS age: 249
Options: (No TOS-capability, No DC, Upward)
LS Type: AS External Link
Link State ID: 0.0.0.0 (External Network Number )
Advertising Router: 12x.x.x.230 <--------------------changed one of our public
LS Seq Number: 80002E54
Checksum: 0xD414
Length: 36
Network Mask: /0
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 1
        Forward Address: 0.0.0.0
        External Route Tag: 0

Peter Paluch · ‎06-02-2018

Hi Felipe,

Okay, then this makes perfect sense. Thank you!

All you should need now is to configure the proper /32 static route pointing toward public IP address of the IPsec tailend (from the branch office point-of-view), and then remove the static default route - the OSPF default route should then take over.

Are you currently at the branch office? Doing this configuration remotely needs double and triple checking to make sure you don't cut yourself off.

For the "Advertising Router" field in the outputs - that is the OSPF RouterID of the router that advertised the default route as an LSA5. It may or may not be a real IP address.

Best regards,
Peter

Felipe A. Amaya · ‎06-02-2018

Peter.

I understand. I’m not physically at the location and I could very well get knocked out.

Plan.

Ip route 205.x.x.3 /32 205.x.x.x 1

no ip route 0.0.0.0 0.0.0.0 205.x.x.1

i do have another static to prevent recursive Routing which is as follows

ip route 12x.x.x.59 /32 205.x.x.1 which should not play a part? Right

Peter Paluch · ‎06-02-2018

Felipe,

Ip route 205.x.x.3 /32 205.x.x.x 1

But isn't 205.x.x.3 your own address? Why would you add a static route to an IP address that is already directly configured on your own interface? This doesn't make sense to me.

What is the configuration of the IPsec tunnel - in particular, what is the IP address present in the tunnel destination command? You need to use that IP address in the /32 static route.

Best regards,
Peter

Felipe A. Amaya · ‎06-02-2018

In our branch office.

interface Tunnel7
description tunnel to 4850
bandwidth 50000
ip address 10.11.254.253 255.255.255.252
no ip redirects
ip pim sparse-mode
ip ospf network broadcast
ip ospf mtu-ignore
tunnel source GigabitEthernet0/0/1
tunnel mode ipsec ipv4
tunnel destination 12x.x.230.50
tunnel protection ipsec profile x_IPSEC_PROFILE

interface GigabitEthernet0/0/1
description ISP to Rtr1-48502008a2_g0/1 Acct# x.x.
bandwidth 50000
ip address 205.x.x.3 255.255.255.248

(the following prevents recursive routing) in my case

ip route 12x.x.230.50 255.255.255.255 20x.x.x.1

The static default which I intend to change

Current

ip route 0.0.0.0 0.0.0.0 205.x.x.1

proposed

ip route 205.x.x.3 255.255.255.255 205.x.x.1

As is OSPF

router ospf 101
router-id 10.11.0.254
auto-cost reference-bandwidth 10000
passive-interface default
no passive-interface GigabitEthernet0/0/3 <----Local LAN at Branch
no passive-interface Tunnel7
network 10.11.0.254 0.0.0.0 area 11
network 10.11.1.252 0.0.0.3 area 11
network 10.11.0.0 0.0.255.255 area 11

Rtr2-1701500a1#sho ip ospf ne

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.11.4.2         1   FULL/DR         00:00:39    10.11.1.253     GigabitEthernet0/0/3
10.0.3.25         1   FULL/DR         00:00:33    10.11.254.254   Tunnel7

Thank you Peter, all is working with the exception of my internet bound traffic which dies at the branch router.

Rtr2-1701500a1#traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 * * *

Felipe A. Amaya · ‎06-02-2018

Also, one more thing to point out based on the sho ip ospf database external 0.0.0.0

OSPF Router with ID (10.11.0.254) (Process ID 101)

Type-5 AS External Link States

Â LS age: 1370
Â Options: (No TOS-capability, No DC, Upward)
Â LS Type: AS External Link
Â Link State ID: 0.0.0.0 (External Network Number )
Â Advertising Router: 10.0.5.2 <---- This is Valid

Peter Paluch · ‎06-02-2018

Hi Felipe,

Current

ip route 0.0.0.0 0.0.0.0 205.x.x.1

proposed

ip route 205.x.x.3 255.255.255.255 205.x.x.1

This does not look right. It should be:

ip route 12x.x.230.50 255.255.255.255 205.x.x.1

Remember - the point of the static route is to explain how to reach the remote destination 12x.x.230.50 (which is the far end of the IPsec tunnel) through the next hop 205.x.x.1 that is on a directly connected network on Gi0/0/1. Configuring a static route to 205.x.x.3 has no meaning - that IP address is your own IP address already.

Does this make sense? Please feel welcome to ask further!

Best regards,
Peter

Felipe A. Amaya · ‎06-02-2018

Thanks Peter.

I will review my configurations closely later tonight. I appreciate all your input.

Felipe A. Amaya · ‎06-04-2018

Hi Peter,

I applied the changes as you suggested and my outward bound traffic is successfully flowing through the tunnel.

Thank you so much for you assistance over the weekend.

Sincerely,

Felipe