GRE routing and encryption on ASR1000 platforms

Hello everyone, I have a routing issue involving GRE tunnels, traffic routing across them and future encryption for that traffic. Currently I have 2 ASR1002 routers that are connected via gigabitethernet ports traversing a metro ethernet. The connection is fully functional and traffic is flowing, however I have a requirement to both segregate the traffic across the link (GRE tunnel) and eventually encrypt that traffic to prevent outside access or interception. I have included partial excerpts of the configurations:

Router inside main facility

interface Tunnel200
 description Metro Tunnel B9 to Townsite
 ip address x.x.x.6 255.255.255.252
 keepalive 10 3
 tunnel source GigabitEthernet0/1/0
 tunnel destination x.x.x.197
!
interface GigabitEthernet0/0/0    --Port into core--
 ip address x.x.x.193 255.255.255.252
 ip policy route-map Metro_Link
 negotiation auto
!
interface GigabitEthernet0/1/0     --Port into metro ethernet--
 description B9 - Townsite
 ip address x.x.x.198 255.255.255.252
 no negotiation auto
!
router eigrp 1515     --Main eigrp AS
 network x.x.x.x
 no eigrp log-neighbor-changes
!
router eigrp 200        --EIGRP AS for Tunnel
 network x.x.x.4 0.0.0.3
 passive-interface default
 no passive-interface Tunnel200
!
access-list 199 permit ip any x.x.xx2.0 0.0.0.255
access-list 199 permit ip any x.x.xx3.0 0.0.0.255
access-list 199 permit ip any x.x.xx4.0 0.0.0.255
access-list 199 permit ip any host x.x.x.191
access-list 199 permit ip any x.x.x.200 0.0.0.3
!
route-map Metro_Link permit 10
 match ip address 199
 set interface Tunnel200
!

This was set up to force all traffic entering this router for the distant subnets to use the GRE tunnel.

The distant end router is to use the tunnel for all traffic other than the local subnets:

interface Tunnel200
 description Metro Tunnel B9 to Townsite
 ip address x.x.x.5 255.255.255.252
 keepalive 10 3
 tunnel source GigabitEthernet0/1/0
 tunnel destination x.x.x.198
!
interface GigabitEthernet0/0/0
 ip address x.x.x.202 255.255.255.252
 ip policy route-map Metro_Link
 no negotiation auto
!
interface GigabitEthernet0/1/0
 description B9 - Townsite
 ip address x.x.x.197 255.255.255.252
 no negotiation auto
!
router eigrp 1515
 network x.x.x.x
 no eigrp log-neighbor-changes
!
router eigrp 200
 network x.x.x.4 0.0.0.3
 passive-interface default
 no passive-interface Tunnel200
!
ip route 0.0.0.0 0.0.0.0 Tunnel200                 --Default route
ip route x.x.xx2.0 255.255.255.0 GigabitEthernet0/0/0     --subnet on attached switch
ip route x.x.xx3.0 255.255.255.0 GigabitEthernet0/0/0     --subnet on attached switch
ip route x.x.xx4.0 255.255.255.0 GigabitEthernet0/0/0     --subnet on attached switch
ip route x.x.x.191 255.255.255.255 GigabitEthernet0/0/0     --subnet on attached switch
!
access-list 199 permit ip x.x.xx2.0 0.0.0.255 any
access-list 199 permit ip x.x.xx3.0 0.0.0.255 any
access-list 199 permit ip x.x.xx4.0 0.0.0.255 any
access-list 199 permit ip host x.x.x.191 any
access-list 199 permit ip x.x.x.200 0.0.0.3 any
!
route-map Metro_Link permit 10
 match ip address 199
 set interface Tunnel200
!

Both ASR1002 routers have identical IOS versions, ESP10 and 5x1GE SPA cards.

Links are G0/0/0 to either the core or area switch and G0/1/0 to the metro ethernet. The tunnel with future encryption needs to be on the second link.

All traffic flowing in either direction needs to be encrypted as the metro link is provided by an external agency.

What is the best approach to accomplish this? Sample configurations would be greatly appreciated as I have tried an IPsec tunnel alone and no traffic was being encrypted.

Accepted Solution

Richard Burts (Hall of Fame)

Michael

If you tried the IPSec tunnel and no traffic was being encrypted then there was a flaw in your implementation. Either the IPSec configuration was flawed or the routing logic to send traffic through the tunnel was flawed.

I have read through your post several times and still do not have a clear understanding of what is going on. In particular the profusion of x.x.x in the addressing makes it very difficult to understand what is going on. If you do not want to expose your addressing (which is understandable) then perhaps you can transpose your addressing to the appropriate private addressing range (10.0.0.0 if your network is class A, or 172.16.0.0 if your network is class B, or 192.168.0.0 if your network is class C) and give us addresses that help us see what addressing is on the tunnels, what is on the interfaces, etc.

HTH

Rick


4 Replies


Rick, here is the modification. I actually misspoke on the encryption: I did in fact see SAs and a few packets encrypted and decrypted, however I lost connectivity to all the user subnets. I have added the configuration I used for that at the end.

Router inside main facility

interface Tunnel200
 description Metro Tunnel B9 to Townsite
 ip address 172.16.0.6 255.255.255.252
 keepalive 10 3
 tunnel source GigabitEthernet0/1/0
 tunnel destination 10.0.0.197
!
interface GigabitEthernet0/0/0    --Port into core--
 ip address 10.0.0.193 255.255.255.252
 ip policy route-map Metro_Link
 negotiation auto
!
interface GigabitEthernet0/1/0     --Port into metro ethernet--
 description B9 - Townsite
 ip address 10.0.0.198 255.255.255.252
 no negotiation auto
!
router eigrp 1515     --Main eigrp AS
 network 10.0.0.0
 no eigrp log-neighbor-changes
!
router eigrp 200        --EIGRP AS for Tunnel
 network 172.16.0.4 0.0.0.3
 passive-interface default
 no passive-interface Tunnel200
!
access-list 199 permit ip any 10.0.2.0 0.0.0.255
access-list 199 permit ip any 10.0.3.0 0.0.0.255
access-list 199 permit ip any 10.0.4.0 0.0.0.255
access-list 199 permit ip any host 10.0.0.191
access-list 199 permit ip any 10.0.0.200 0.0.0.3
!
route-map Metro_Link permit 10
 match ip address 199
 set interface Tunnel200
!

This was set up to force all traffic entering this router for the distant subnets to use the GRE tunnel.

The distant end router is to use the tunnel for all traffic other than the local subnets:

interface Tunnel200
 description Metro Tunnel B9 to Townsite
 ip address 172.16.0.5 255.255.255.252
 keepalive 10 3
 tunnel source GigabitEthernet0/1/0
 tunnel destination 10.0.0.198
!
interface GigabitEthernet0/0/0
 ip address 10.0.0.202 255.255.255.252
 ip policy route-map Metro_Link
 no negotiation auto
!
interface GigabitEthernet0/1/0
 description B9 - Townsite
 ip address 10.0.0.197 255.255.255.252
 no negotiation auto
!
router eigrp 1515
 network 10.0.0.0
 no eigrp log-neighbor-changes
!
router eigrp 200
 network 172.16.0.4 0.0.0.3
 passive-interface default
 no passive-interface Tunnel200
!
ip route 0.0.0.0 0.0.0.0 Tunnel200                 --Default route
ip route 10.0.2.0 255.255.255.0 GigabitEthernet0/0/0     --subnet on attached switch
ip route 10.0.3.0 255.255.255.0 GigabitEthernet0/0/0     --subnet on attached switch
ip route 10.0.4.0 255.255.255.0 GigabitEthernet0/0/0     --subnet on attached switch
ip route 10.0.0.191 255.255.255.255 GigabitEthernet0/0/0     --subnet on attached switch
!
access-list 199 permit ip 10.0.2.0 0.0.0.255 any
access-list 199 permit ip 10.0.3.0 0.0.0.255 any
access-list 199 permit ip 10.0.4.0 0.0.0.255 any
access-list 199 permit ip host 10.0.0.191 any
access-list 199 permit ip 10.0.0.200 0.0.0.3 any
!
route-map Metro_Link permit 10
 match ip address 199
 set interface Tunnel200
!

This was the format I had used for the IPsec:

Townsite

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Help address 0.0.0.0 0.0.0.0
crypto ipsec transform-set Metro_Link esp-3des esp-sha-hmac
crypto ipsec profile Hello
 set transform-set Metro_Link
!
interface Tunnel200
 description Metro Tunnel B9 to Townsite
 ip address 172.16.0.5 255.255.255.252
 tunnel source 10.0.0.197
 tunnel destination 10.0.0.198
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Hello
!
ip route 0.0.0.0 0.0.0.0 Tunnel200

B9 ASR config statements

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Help address 0.0.0.0 0.0.0.0
crypto ipsec transform-set Metro_Link esp-3des esp-sha-hmac
crypto ipsec profile Hello
 set transform-set Metro_Link
!
interface Tunnel200
 description Metro Tunnel B9 to Townsite
 ip address 172.16.0.6 255.255.255.252
 tunnel source 10.0.0.198
 tunnel destination 10.0.0.197
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Hello
!
ip route 10.0.2.0 255.255.255.0 Tunnel200
ip route 10.0.3.0 255.255.255.0 Tunnel200
ip route 10.0.4.0 255.255.255.0 Tunnel200
ip route 10.0.0.200 255.255.255.252 Tunnel200
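Added example (an editor's illustration, not from the original post or from Cisco) of the other way to encrypt this link: keep Tunnel200 as a GRE tunnel and bind an IPsec profile to it with tunnel protection, so the EIGRP 200 adjacency and the existing routing design are unchanged while the GRE packets between 10.0.0.198 and 10.0.0.197 are encrypted. The policy number, profile name and PSK placeholder are assumptions; it uses AES/SHA with DH group 14 and a key bound to the single peer address rather than the 3DES/group 2 and the 0.0.0.0 0.0.0.0 wildcard key in the post above, since a wildcard key lets IKE be negotiated from any source address that knows the key.

```ios
! B9 (main facility) side, assumed example. Mirror on Townsite by swapping
! the tunnel source/destination, the peer address and 172.16.0.6 <-> 172.16.0.5.
!
! Phase 1: AES-256 / SHA / DH group 14 / pre-shared key (editor's choices)
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
! Key bound to the one metro peer instead of 0.0.0.0 0.0.0.0
crypto isakmp key PSK_PLACEHOLDER address 10.0.0.197
! IKE dead peer detection so a dead peer tears the SA down
crypto isakmp keepalive 10 3
!
! Phase 2: transport mode suffices because GRE already supplies the outer IP header
crypto ipsec transform-set Metro_Link esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile Metro_Link_Prof
 set transform-set Metro_Link
!
! Tunnel stays in GRE mode (not "tunnel mode ipsec ipv4"); IPsec is bound to it
interface Tunnel200
 description Metro Tunnel B9 to Townsite
 ip address 172.16.0.6 255.255.255.252
 keepalive 10 3
 tunnel source GigabitEthernet0/1/0
 tunnel destination 10.0.0.197
 tunnel mode gre ip
 tunnel protection ipsec profile Metro_Link_Prof
!
! EIGRP 200 forms its adjacency over the encrypted GRE tunnel exactly as before
router eigrp 200
 network 172.16.0.4 0.0.0.3
 passive-interface default
 no passive-interface Tunnel200
!
! Checks (exec mode): "show crypto isakmp sa" and "show crypto ipsec sa" should show
! the SA between 10.0.0.198 and 10.0.0.197 with encaps/decaps counters increasing,
! and "show ip eigrp neighbors" should list 172.16.0.5 on Tunnel200.
```

Whatever steers traffic into Tunnel200 on each side (the route-map or static routes from the post above) is unchanged by this; only the encapsulation on the metro link changes.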

Interesting one... my guess is it might have something to do with "order of processing", where policy maps are the last to be looked at when a packet enters a router's interface. You may want to try it without policy maps. See below:

3. Network Based Application Recognition (NBAR)
4. BGP Policy Accounting
5. Output QoS Classification
6. Output ACL Check
7. IOS IPS Inspection
8. Input Stateful Packet Inspection (IOS FW)
9. Input ACL
10. Input Flexible Packet Matching (FPM)
11. IPsec Decryption (if encrypted)
12. Unicast RPF Check
13. Input QoS Marking
14. Input Policing (CAR)
15. Input MAC/Precedence Accounting
16. NAT Outside-to-Inside
17. Policy Routing
1. IP Traffic Export (RITE)
2. QoS Policy Propagation thru BGP (QPPB)

Somehow the 1 and 2 got out of place when I pasted the order of processing.