06-29-2012 08:50 AM - edited 03-04-2019 04:50 PM
Hi All
Not sure if this is the right way of configuring an IPSEC VPN tunnel; I feel I'm having a routing issue on the IPSEC tunnel. On stopping the tunnel and the Internet interface, all is OK.
My scenario is the following:
Sales Office 1 & Sales Office 2 are in the same country and the DataCenter is in another country.
Sales office 1 connects to Sales office 2 over a local MPLS cloud provided by the in-country telecom provider.
Sales office 1 connects to the DC over the INTERNET via an IPSEC VPN tunnel, with a router at both ends.
Sales office 2 reaches the DC by passing through Sales office 1 over MPLS.
So far all is OK.
As soon as Sales office 2 had another new connection to the DC over the Internet via IPSEC VPN, all the problems started.
Sales Office 2 has one router where the LAN, MPLS and Internet links are terminated.
Before adding the new Internet connection there were only static routes pointing to the next MPLS hop.
After adding the Internet link the config has static routes, dynamic routes and tunnel config.
SALES Office 2 Router config
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key KIPT address 78.x.x.x
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set WORK esp-3des esp-md5-hmac
!
crypto map WORK 10 ipsec-isakmp
set peer 78.x.x.x
set transform-set WORK
match address IP123
interface Tunnel 1
ip address 10.0.0.2 255.255.255.252
tunnel source 65.84.x.x
tunnel destination 78.x.x.x
interface FastEthernet0/0
description MPLS
ip address 172.16.16.178 255.255.255.248
speed auto
duplex auto
interface FastEthernet 0/1
description LAN
ip address 192.168.1.254 255.255.255.0
interface FastEthernet 3/0
description INTERNET
ip address 65.84.x.x 255.255.255.252
crypto map WORK
router ospf 1
network 192.168.1.254 0.0.0.255 area 0
network 10.0.0.2 0.0.0.3 area 0
ip route 0.0.0.0 0.0.0.0 FastEthernet 3/0
ip route 172.20.20.0 255.255.255.0 172.16.16.177
ip route 172.20.20.0 255.255.255.0 Tunnel 1
ip route 192.168.30.0 255.255.255.0 172.16.16.177
ip route 172.20.90.0 255.255.255.0 172.16.16.177
ip access-list extended IP123
permit 192.168.1.0 0.0.0.255 172.20.20.0 0.0.0.255
permit 192.168.1.0 0.0.0.255 172.90.20.0 0.0.0.255
permit 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.255
I hope to get some idea on the issue
cheers
Paul
06-29-2012 09:14 AM
The traffic you have marked for encryption is traversing an interface that has no crypto-map.
If your connection to the DC is via F3/0, then your next hop for 172.20.20.0, 172.20.90.0 and 192.168.30.0 should be F3/0 or, preferably, the IP address of the ISP Internet router.
I also noticed you have a GRE tunnel. Is it your intention to do IPSec over GRE or GRE over IPSec?
Regards,
Edison
06-29-2012 10:23 PM
Hi Edison
I understood your point on F3/0. Simple IPSEC didn't work, so we started testing with the tunnel config while keeping IPSEC.
Can you explain the difference between IPSEC over GRE and GRE over IPSEC?
Can you suggest a possible solution to make this work?
cheers
Paul
07-02-2012 07:47 AM
With IPSec over GRE, you first encrypt the packet with IPSec then forward it out onto the next hop via a GRE tunnel.
With GRE over IPSec, you forward the packet into a GRE tunnel, then encrypt it with IPSec as it exits the router.
To correct your issue, you need to have "crypto map WORK" on F3/0.
Regards,
Edison
07-02-2012 10:32 PM
I already got "crypto map WORK" on F3/0.
interface FastEthernet 3/0
description INTERNET
ip address 65.84.x.x 255.255.255.252
crypto map WORK
07-06-2012 06:14 AM
Ok, I reviewed your config one more time and here are the things you should modify:
(Note: I'm assuming subnets 172.20.20.0/24, 172.20.90.0/24 and 192.168.30.0/24 are located in HQ and must be encrypted.)
Remove these static routes:
ip route 172.20.20.0 255.255.255.0 172.16.16.177
ip route 172.20.20.0 255.255.255.0 Tunnel 1
ip route 192.168.30.0 255.255.255.0 172.16.16.177
ip route 172.20.90.0 255.255.255.0 172.16.16.177
You should only have the default pointing to F3/0.
Remove your OSPF for now:
router ospf 1
network 192.168.1.254 0.0.0.255 area 0
network 10.0.0.2 0.0.0.3 area 0
Fix your ACL:
ip access-list extended IP123
!
permit 192.168.1.0 0.0.0.255 172.90.20.0 0.0.0.255
!
should be:
permit 192.168.1.0 0.0.0.255 172.20.90.0 0.0.0.255
!
07-16-2012 01:23 AM
Hi All
Sorry for the late reply; the above solution didn't work. We pushed the provider to provide a BGP config instead of static. We tested the BGP config by shutting down the Internet interface FA 3/0 and all is working with no issues. When interface Fa 3/0 is up, the connection goes up/down. Another test we did was to stop the MPLS interface, and we noticed all is working fine.
When both the MPLS and Internet links are up the issue comes up. Our requirement is to prefer the MPLS path over the IPSEC tunnel and fall back to IPSEC if MPLS is down.
Appreciate feedback.
cheers
Paul
07-16-2012 01:46 AM
Hi,
If you're using BGP for the primary and static for the secondary, then you need to modify the AD of the static route to be greater than BGP's (so > 20).
Regards.
Alain.
Don't forget to rate helpful posts.
07-16-2012 02:31 AM
Hi Alain
Traffic flow should be MPLS (BGP) for primary path and IPSEC VPN as failover path.
If both interfaces are up/up then the connection starts flapping; for now I stop the MPLS interface.
Please do look at the config and give feedback.
** SALES Office 2 Router config **
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key KIPT address 78.x.x.x
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set WORK esp-3des esp-md5-hmac
!
crypto map WORK 10 ipsec-isakmp
set peer 78.x.x.x
set transform-set WORK
match address IP123
interface Tunnel 1
ip address 10.0.0.2 255.255.255.252
tunnel source 65.84.x.x
tunnel destination 78.x.x.x
interface FastEthernet0/0 --> Shutdown
description MPLS
ip address 172.16.16.178 255.255.255.248
speed auto
duplex auto
interface FastEthernet 0/1
description LAN
ip address 192.168.1.254 255.255.255.0
interface FastEthernet 3/0
description INTERNET
ip address 65.84.x.x 255.255.255.252
crypto map WORK
router ospf 1
redistribute bgp 65000 subnets
network 192.168.1.254 0.0.0.255 area 0
network 10.0.0.2 0.0.0.3 area 0
router bgp 65000
no synchronization
bgp log-neighbor-changes
redistribute ospf 1
neighbor 172.16.16.177 remote-as 7542
no auto-summary
ip route 0.0.0.0 0.0.0.0 FastEthernet 3/0
ip access-list extended IP123
permit 192.168.1.0 0.0.0.255 172.20.20.0 0.0.0.255
permit 192.168.1.0 0.0.0.255 172.20.90.0 0.0.0.255
permit 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.255
07-16-2012 03:06 AM
Hi,
I would get rid of the tunnel interface and change the static route to point to the IP next hop and with an AD of 111.
If it still isn't working, then could you post the output of sh ip route when both interfaces are UP/UP?
Regards.
Alain.
Don't forget to rate helpful posts.
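A small model of the forwarding decision the replies describe, added here as an editor's example; it is not code from the thread, from Cisco or from any poster. It ties together Edison's point that a crypto map only encrypts traffic leaving the interface it is bound to (and only traffic matching the crypto ACL, so the 172.90.20.0 typo matters) and Alain's point that a static route at its default AD of 1 always beats an eBGP route at AD 20, so the static must be raised (he suggests 111) for MPLS to be preferred and the Internet path to act only as fallback. Prefixes, interface names and the ACL entries come from the posted config; the default IOS distances (connected 0, static 1, eBGP 20) are standard; the two hosts 192.168.1.10 and 172.20.90.5 and the `build_router` layout (BGP-learned DC subnets via Fa0/0, floating statics via Fa3/0) are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

# Default IOS administrative distances: connected 0, static 1, eBGP 20.
AD_CONNECTED, AD_STATIC, AD_EBGP = 0, 1, 20


def wildcard(addr, wc):
    """Turn an IOS 'address wildcard' pair into a network (0.0.0.255 -> /24)."""
    return IPv4Network(f"{addr}/{wc}")


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    egress: str   # interface the packet leaves through
    ad: int       # administrative distance
    source: str   # "connected", "static" or "bgp"


@dataclass
class Router:
    routes: list = field(default_factory=list)
    crypto_acl: dict = field(default_factory=dict)  # egress interface -> crypto ACL entries

    def best_route(self, dst):
        dst = IPv4Address(dst)
        hits = [r for r in self.routes if dst in r.prefix]
        if not hits:
            return None
        # Longest prefix wins; among equal prefixes only the lowest AD is installed.
        return min(hits, key=lambda r: (-r.prefix.prefixlen, r.ad))

    def forward(self, src, dst):
        """Return (egress interface, route source, encrypted?) for one packet."""
        route = self.best_route(dst)
        if route is None:
            return (None, None, False)
        src_a, dst_a = IPv4Address(src), IPv4Address(dst)
        # A crypto map acts only on the interface it is bound to, and only for
        # packets matching its ACL; anything else leaves that interface in clear.
        acl = self.crypto_acl.get(route.egress, [])
        encrypted = any(src_a in s and dst_a in d for s, d in acl)
        return (route.egress, route.source, encrypted)


# Crypto ACL IP123 as corrected in the thread, and the original with the typo.
LAN = ("192.168.1.0", "0.0.0.255")
DC_SUBNETS = ["172.20.20.0", "172.20.90.0", "192.168.30.0"]
ACL_FIXED = [(wildcard(*LAN), wildcard(d, "0.0.0.255")) for d in DC_SUBNETS]
ACL_TYPO = [(wildcard(*LAN), wildcard(d, "0.0.0.255"))
            for d in ["172.20.20.0", "172.90.20.0", "192.168.30.0"]]


def build_router(mpls_up, static_ad, acl=ACL_FIXED):
    """Constructed Sales Office 2 layout: BGP learns the DC subnets over MPLS
    (Fa0/0) while that link is up; static routes to the same subnets point at
    the Internet interface (Fa3/0), which carries the crypto map."""
    routes = [Route(IPv4Network("192.168.1.0/24"), "FastEthernet0/1", AD_CONNECTED, "connected"),
              Route(IPv4Network("0.0.0.0/0"), "FastEthernet3/0", AD_STATIC, "static")]
    for d in DC_SUBNETS:
        prefix = IPv4Network(f"{d}/24")
        if mpls_up:
            routes.append(Route(prefix, "FastEthernet0/0", AD_EBGP, "bgp"))
        routes.append(Route(prefix, "FastEthernet3/0", static_ad, "static"))
    return Router(routes, {"FastEthernet3/0": acl})


def failover_table(static_ad, acl=ACL_FIXED):
    """Forwarding decision for one LAN -> DC packet with MPLS up and down."""
    return {state: build_router(state == "mpls_up", static_ad, acl)
            .forward("192.168.1.10", "172.20.90.5")
            for state in ("mpls_up", "mpls_down")}


if __name__ == "__main__":
    print("static AD 1  :", failover_table(AD_STATIC))   # Fa3/0 even with MPLS up
    print("static AD 111:", failover_table(111))         # MPLS while up, IPsec on failure
    print("typo ACL     :", failover_table(111, ACL_TYPO))  # fallback leaves in clear
```

With the static at AD 1 the Internet path is chosen even while MPLS is up, which is the opposite of the stated requirement; at AD 111 the BGP route wins while MPLS is up and the static takes over when the BGP route disappears. The last case is the one to check before relying on the fallback: with the mistyped ACL entry, traffic to 172.20.90.0/24 still leaves Fa3/0 on failover but matches no crypto ACL line, so it is sent unencrypted to the Internet rather than through the tunnel.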
07-17-2012 01:30 AM
Hi Alain
Removing the tunnel config and adding static routes didn't help.
07-17-2012 10:25 AM
Hi,
Show us the new config and the sh ip route output.
Regards.
Alain
Don't forget to rate helpful posts.
07-06-2012 06:43 AM
Hi Paul,
I recommend using IPSEC profiles for tunnel protection and using a routing protocol (EIGRP) if possible, which will save you a lot of trouble. Let me know if you need a sample config.
HTH
Iyad