06-17-2010 11:53 AM - edited 03-04-2019 08:49 AM
Hi,
I would like to set up an IPsec protected GRE tunnel between PE (3825, 12.4(24)T3) and CE (2851, 12.4(22)T5).
The PE runs multiple VRFs.
PE:
FastEthernet 192.168.1.5/30 in VRF AAA-WAN
Loopback 192.168.2.5/32 in VRF AAA-WAN
Tunnel 192.168.3.5/30 in VRF AAA
CE:
FastEthernet 192.168.1.6/30
Loopback 192.168.2.6/32
Tunnel 192.168.3.6/30
PE (VRF AAA-WAN) and CE run ROUTER EIGRP 19 to establish connectivity between the loopback interfaces, which are the tunnel source and destination. EIGRP neighborship gets established for process 19.
The tunnel interfaces are up/up, but I can't ping between the tunnel interfaces. Removing the tunnel protection does not help, so it does not seem to be an issue regarding IPsec.
Setting the whole thing up without VRFs (in global table on PE) works fine.
Any hints are appreciated.
Regards,
Robert
============================================================
hostname PE
!
ip vrf AAA
rd 10.190.190.1:3600
route-target export 65000:3600
route-target import 65000:3600
!
ip vrf AAA-WAN
rd 10.190.190.1:3699
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
lifetime 3600
crypto isakmp key SECRET address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set AAA-TS esp-aes 256 esp-sha-hmac
!
crypto ipsec profile AAA-P
set transform-set AAA-TS
!
interface Loopback3601
ip vrf forwarding AAA-WAN
ip address 192.168.2.5 255.255.255.255
!
interface Tunnel3601
ip vrf forwarding AAA
ip address 192.168.3.5 255.255.255.252
tunnel source Loopback3601
tunnel destination 192.168.2.6
tunnel vrf AAA-WAN
tunnel protection ipsec profile AAA-P
!
interface FastEthernet1/0
ip vrf forwarding AAA-WAN
ip address 192.168.1.5 255.255.255.252
!
router eigrp 19
no auto-summary
!
address-family ipv4 vrf AAA-WAN
network 192.168.1.4 0.0.0.3
network 192.168.2.4 0.0.0.3
no auto-summary
autonomous-system 19
exit-address-family
!
router eigrp 20
no auto-summary
!
address-family ipv4 vrf AAA
network 192.168.3.4 0.0.0.3
no auto-summary
autonomous-system 20
exit-address-family
!
============================================================
hostname CE
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
lifetime 3600
crypto isakmp key SECRET address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set AAA-TS esp-aes 256 esp-sha-hmac
!
crypto ipsec profile AAA-P
set transform-set AAA-TS
!
interface Loopback3601
ip address 192.168.2.6 255.255.255.255
!
interface Tunnel3601
ip address 192.168.3.6 255.255.255.252
tunnel source Loopback3601
tunnel destination 192.168.2.5
tunnel protection ipsec profile AAA-P
!
interface GigabitEthernet0/1
ip address 192.168.1.6 255.255.255.252
!
router eigrp 19
network 192.168.1.4 0.0.0.3
network 192.168.2.4 0.0.0.3
no auto-summary
!
router eigrp 20
network 192.168.3.4 0.0.0.3
no auto-summary
============================================================
PE#sh int tu3601
Tunnel3601 is up, line protocol is up
Hardware is Tunnel
Internet address is 192.168.3.5/30
MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 192.168.2.5 (Loopback3601), destination 192.168.2.6
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255
Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "AAA-P")
Last input 00:25:13, output never, output hang never
Last clearing of "show interface" counters 03:44:55
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 353
Queueing strategy: fifo (QOS pre-classification)
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
5 packets input, 620 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
5 packets output, 620 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
PE#sh ip route vrf AAA-WAN
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.4 is directly connected, FastEthernet1/0
192.168.2.0/32 is subnetted, 2 subnets
D 192.168.2.6 [90/770560] via 192.168.1.6, 00:24:42, FastEthernet1/0
C 192.168.2.5 is directly connected, Loopback3601
PE#sh ip route vrf AAA
192.168.3.0/30 is subnetted, 1 subnets
C 192.168.3.4 is directly connected, Tunnel3601
PE#ping vrf AAA-WAN 192.168.1.6
Sending 5, 100-byte ICMP Echos to 192.168.1.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
PE#ping vrf AAA-WAN 192.168.2.6
Sending 5, 100-byte ICMP Echos to 192.168.2.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
PE#ping vrf AAA 192.168.3.6
Sending 5, 100-byte ICMP Echos to 192.168.3.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
============================================================
CE#sh int tu3601
Tunnel3601 is up, line protocol is up
Hardware is Tunnel
Internet address is 192.168.3.6/30
MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 192.168.2.6 (Loopback3601), destination 192.168.2.5
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255
Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "AAA-P")
Last input 00:31:22, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 82
Queueing strategy: fifo (QOS pre-classification)
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
5 packets input, 620 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
5 packets output, 620 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
CE#sh ip route
192.168.1.0/30 is subnetted, 1 subnets
C 192.168.1.4 is directly connected, GigabitEthernet0/1
192.168.2.0/32 is subnetted, 2 subnets
C 192.168.2.6 is directly connected, Loopback3601
D 192.168.2.5 [90/770560] via 192.168.1.5, 00:28:51, GigabitEthernet0/1
192.168.3.0/30 is subnetted, 1 subnets
C 192.168.3.4 is directly connected, Tunnel3601
CE#ping 192.168.1.5
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
CE#ping 192.168.2.5
Sending 5, 100-byte ICMP Echos to 192.168.2.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
CE#ping 192.168.3.5
Sending 5, 100-byte ICMP Echos to 192.168.3.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
06-25-2010 09:48 AM
This looks broken to me.
Based on your configs and output this looks like it should work.
-Ben
10-04-2010 01:34 PM
Hi Robert,
Did you manage to get to the bottom of this?
I'm trying to achieve the same thing - Tunnel Source interfaces as Loopbacks in a VRF, Tunnel interfaces in the Global table.
Tunnels get shown as up, but no traffic. I run OSPF over these tunnels - when they're all in the Global table all works fine, when in the VRF no traffic passes.
Interesting that I'm using the same IOS version as you - possible IOS bug?
Be interested to know if you've made progress with this.
Thanks,
Rupes
10-04-2010 05:44 PM
The PE configs are wrong.
See the changes below.
no crypto isakmp key SECRET address 0.0.0.0 0.0.0.0
crypto keyring AAA-K vrf AAA-WAN
pre-shared-key address 0.0.0.0 0.0.0.0 key SECRET
crypto isakmp profile AAA-I
keyring AAA-K
match identity address 0.0.0.0 0.0.0.0 AAA-WAN
vrf AAA-WAN
!
crypto ipsec transform-set AAA-TS esp-aes 256 esp-sha-hmac
!
crypto ipsec profile AAA-P
set transform-set AAA-TS
set isakmp-profile AAA-I
!
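One way to catch this class of mismatch in a config review, as an added example that is not from the thread or from Cisco: a small Python audit that reads an IOS-style config and flags any tunnel with `tunnel vrf` (the front-door VRF) whose IPsec profile is not tied to an ISAKMP profile and keyring scoped to that same VRF, which is exactly what the change above adds. The two config texts are constructed fragments modelled on the PE config and on the fix, and the parser only understands the handful of commands used here.

```python
# Added example, not from the thread: flag protected tunnels whose "tunnel vrf" is not matched by a
# VRF-scoped ISAKMP profile and keyring. Both configs are constructed fragments modelled on the thread.
BROKEN_PE = """crypto isakmp key SECRET address 0.0.0.0 0.0.0.0
crypto ipsec profile AAA-P
interface Tunnel3601
 tunnel vrf AAA-WAN
 tunnel protection ipsec profile AAA-P"""

FIXED_PE = """crypto keyring AAA-K vrf AAA-WAN
 pre-shared-key address 0.0.0.0 0.0.0.0 key SECRET
crypto isakmp profile AAA-I
 keyring AAA-K
 match identity address 0.0.0.0 0.0.0.0 AAA-WAN
 vrf AAA-WAN
crypto ipsec profile AAA-P
 set isakmp-profile AAA-I
interface Tunnel3601
 tunnel vrf AAA-WAN
 tunnel protection ipsec profile AAA-P"""

def parse_blocks(config):
    """Map each top-level IOS command to the list of its indented sub-lines."""
    blocks, cur = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and cur:
            blocks[cur].append(line.strip())
        elif line.strip() and line.strip() != "!":
            cur = line.strip()
            blocks.setdefault(cur, [])
    return blocks

def _arg(lines, prefix):
    """Last word of the first line starting with prefix, or None if absent."""
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), None)

def audit_tunnel_vrf(config):
    """One finding per protected tunnel whose IKE side is not scoped to its tunnel vrf."""
    blocks, findings = parse_blocks(config), []
    for cmd, body in blocks.items():
        fvrf, prof = _arg(body, "tunnel vrf "), _arg(body, "tunnel protection ipsec profile ")
        if not (cmd.startswith("interface Tunnel") and fvrf and prof):
            continue  # global-table or unprotected tunnels are out of scope here
        ike = _arg(blocks.get(f"crypto ipsec profile {prof}", []), "set isakmp-profile ")
        ike_body = blocks.get(f"crypto isakmp profile {ike}", [])
        keyring, ike_vrf = _arg(ike_body, "keyring "), _arg(ike_body, "vrf ")
        kr_vrf = next((k.split()[-1] for k in blocks
                       if k.startswith(f"crypto keyring {keyring} vrf ")), None)
        if ike_vrf != fvrf or kr_vrf != fvrf:  # fixed config passes; original PE does not
            findings.append(f"{cmd}: fvrf {fvrf} but isakmp-profile={ike} (vrf={ike_vrf}), "
                            f"keyring={keyring} (vrf={kr_vrf})")
    return findings
```

Running `audit_tunnel_vrf(BROKEN_PE)` reports Tunnel3601 with no ISAKMP profile or keyring bound to AAA-WAN, while the fixed fragment produces no findings.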
10-13-2010 02:41 PM
I am not able to do ping between tunnel interfaces, did you find the solution?
I was doing the same, move the tunnels to the wan (no result), removing ipsec makes it work.
I use "tunnel mode ipsec ipv4" instead of GRE.
Config is exactly the same but I don't use EIGRP, just static routing.
Biggest problem is: tunnels are up/up, crypto engines are talking, so IPsec looks ok with the commands and SAs and all those things, but no ping over the tunnel interfaces.
Some light will be very appreciated here.