IPSEC tunnel and Routing protocols

mahesh18
Level 6

Hi Everyone,

I read that IPSec does not support routing protocols with site-to-site VPN, as they are both Layer 4.

Does it mean that if Site A has to reach Site B over the WAN link, we should use static IP on the Site A and Site B routers?

In my home lab I configured a site-to-site IPSec VPN, and it is working fine using OSPF. Does this mean that IPSec supports routing protocols?

Can someone explain this to me, please?

Thanks

Mahesh

7 Replies

cadet alain
VIP Alumni

Hi,

to use a routing protocol that relies on multicast over an IPSec VPN tunnel, you need to either:

- use IPSec over GRE, as GRE supports multicast, or

- configure a VTI IPSec tunnel rather than a crypto-map IPSec tunnel.

Regards.

Alain

Don't forget to rate helpful posts.

Hi Alain,

Can you please explain to me what a VTI IPSec tunnel is?

Thanks

Mahesh

Hi,

a traditional IPSec VPN tunnel uses a crypto map assigned to the outbound interface, and this crypto map matches a crypto ACL, which means that you have to initiate interesting traffic (traffic permitted in this crypto ACL) to initiate the tunnel.

A VTI tunnel does not use a crypto map; instead, a tunnel interface is created and all traffic routed through this tunnel is encrypted by IPSec.

http://www.ccierants.com/2009/09/ipsec-with-vti-best-damn-way-to-do-it.html

Regards.

Alain

Don't forget to rate helpful posts.

Abzal
Level 7

Hi,

If you configure an OSPF neighbor and point a static route to the subnets behind the IPSec router, it is possible. IPSec, as far as I know, supports only unicast packets over the VPN tunnel. GRE, for example, supports both multicast and unicast; that's why it supports OSPF, EIGRP and similar dynamic routing protocols.
Can you post the config of OSPF and the tunnel interface, as well as the IP routes?


Best regards,
Abzal

Hi Abzal,

I am not using GRE.

Side B

router ospf 1
 router-id 3.4.4.4
 log-adjacency-changes
 area 10 virtual-link 10.4.4.1
 passive-interface Vlan10
 passive-interface Vlan20
 network 3.4.4.4 0.0.0.0 area 0
 network 192.168.4.0 0.0.0.255 area 10
 network 192.168.5.0 0.0.0.255 area 0
 network 192.168.10.0 0.0.0.255 area 0
 network 192.168.20.0 0.0.0.255 area 0
 network 192.168.30.0 0.0.0.255 area 0
 network 192.168.98.0 0.0.0.255 area 0
 network 192.168.99.0 0.0.0.255 area 0

3550SMIA#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.5.3 to network 0.0.0.0

O    192.168.12.0/24 [110/13] via 192.168.5.3, 3d17h, FastEthernet0/11
     100.0.0.0/32 is subnetted, 1 subnets
O       100.100.100.100 [110/3] via 192.168.5.3, 3d17h, FastEthernet0/11
     3.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O       3.3.3.3/32 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
C       3.4.4.0/24 is directly connected, Loopback0
C    192.168.30.0/24 is directly connected, Vlan30
     64.0.0.0/32 is subnetted, 1 subnets
O E2    64.59.135.150 [110/300] via 192.168.5.3, 1d09h, FastEthernet0/11
     4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
C    192.168.10.0/24 is directly connected, Vlan10
     172.31.0.0/24 is subnetted, 4 subnets
O E2    172.31.3.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
O E2    172.31.2.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
O E2    172.31.1.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
O E2    172.31.0.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
O    192.168.11.0/24 [110/3] via 192.168.5.3, 3d17h, FastEthernet0/11
O    192.168.98.0/24 [110/2] via 192.168.99.1, 3d17h, FastEthernet0/8
C    192.168.99.0/24 is directly connected, FastEthernet0/8
C    192.168.20.0/24 is directly connected, Vlan20
     192.168.5.0/31 is subnetted, 1 subnets
C       192.168.5.2 is directly connected, FastEthernet0/11
C    10.0.0.0/8 is directly connected, Tunnel0
     192.168.6.0/31 is subnetted, 1 subnets
O       192.168.6.2 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
O    192.168.1.0/24 [110/13] via 192.168.5.3, 3d17h, FastEthernet0/11
O*E2 0.0.0.0/0 [110/1] via 192.168.5.3, 1d09h, FastEthernet0/11

Side A

router ospf 1
 log-adjacency-changes
 network 192.168.97.0 0.0.0.255 area 0
 network 192.168.98.0 0.0.0.255 area 0
 network 192.168.99.0 0.0.0.255 area 0

1811w#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.99.2 to network 0.0.0.0

O    192.168.12.0/24 [110/14] via 192.168.99.2, 3d17h, FastEthernet0
     100.0.0.0/32 is subnetted, 1 subnets
O       100.100.100.100 [110/4] via 192.168.99.2, 3d17h, FastEthernet0
     3.0.0.0/32 is subnetted, 2 subnets
O       3.3.3.3 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
O       3.4.4.4 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
O    192.168.30.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
     64.0.0.0/32 is subnetted, 1 subnets
O E2    64.59.135.150 [110/300] via 192.168.99.2, 1d09h, FastEthernet0
     4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
O    192.168.10.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
     172.31.0.0/24 is subnetted, 4 subnets
O E2    172.31.3.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
O E2    172.31.2.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
O E2    172.31.1.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
O E2    172.31.0.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
O    192.168.11.0/24 [110/4] via 192.168.99.2, 3d17h, FastEthernet0
C    192.168.98.0/24 is directly connected, BVI98
C    192.168.99.0/24 is directly connected, FastEthernet0
O    192.168.20.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
     192.168.5.0/31 is subnetted, 1 subnets
O       192.168.5.2 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
     192.168.6.0/31 is subnetted, 1 subnets
O       192.168.6.2 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
O    192.168.1.0/24 [110/14] via 192.168.99.2, 3d17h, FastEthernet0
O*E2 0.0.0.0/0 [110/1] via 192.168.99.2, 1d09h, FastEthernet0

This shows that both sides are communicating via OSPF, right?

Thanks

Mahesh

Hi,

this doesn't show that they are using the IPSec tunnel to do it.

Regards.

Alain

Don't forget to rate helpful posts.

But does this show it?

3550SMIA#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.99.2    192.168.99.1    QM_IDLE           1005 ACTIVE

3550SMIA#sh crypto ipsec sa

interface: FastEthernet0/8
    Crypto map tag: VPN_MAP, local addr 192.168.99.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   current_peer 192.168.99.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4114, #pkts encrypt: 4114, #pkts digest: 4114
    #pkts decaps: 4055, #pkts decrypt: 4055, #pkts verify: 4055
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: 192.168.99.2, remote crypto endpt.: 192.168.99.1
     path mtu 1500, ip mtu 1500
     current outbound spi: 0xC936CF9D(3375812509)

     inbound esp sas:
      spi: 0xB481DC3B(3028409403)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 189, flow_id: 189, crypto map: VPN_MAP
        sa timing: remaining key lifetime (k/sec): (4519331/2630)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC936CF9D(3375812509)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 190, flow_id: 190, crypto map: VPN_MAP
        sa timing: remaining key lifetime (k/sec): (4519338/2626)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
3550SMIA#

1811w#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.99.2    192.168.99.1    QM_IDLE           2005 ACTIVE

IPv6 Crypto ISAKMP SA

So this shows that they are using the IPSec tunnel, right?

Thanks

Mahesh
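The point Alain and Abzal make (a crypto-map IPSec SA only carries traffic that matches the crypto ACL, so multicast OSPF hellos need GRE or a VTI) can be checked against the "local ident / remote ident" lines that `show crypto ipsec sa` prints. The following Python is an added example, not code from the thread or from Cisco: it parses those ident lines into a traffic selector and asks whether a given packet would be put into the SA. The first sample output copies the idents from the 3550SMIA output above; the GRE and VTI samples are constructed (they assume a crypto ACL of `permit gre host 192.168.99.2 host 192.168.99.1` and the any/any proxy a static VTI reports), and the 10.0.0.2 tunnel address is an assumption.

```python
"""Model of crypto-map traffic selection, driven by the ident lines of
`show crypto ipsec sa` (added example, not from the thread or from Cisco).

A crypto map protects only packets matching its crypto ACL. An OSPF hello
is sent to 224.0.0.5, which never matches a unicast remote proxy, so it is
not put into the SA. Wrapped in GRE it becomes a unicast GRE packet between
the tunnel endpoints, which a `permit gre host A host B` ACL matches. A VTI
reports an any/any proxy, so whatever is routed into the tunnel interface is
protected.
"""
import ipaddress
import re
from dataclasses import dataclass

OSPF_ALL_ROUTERS = "224.0.0.5"
PROTO_ANY, PROTO_GRE, PROTO_OSPF = 0, 47, 89

# Copied from the idents of crypto map VPN_MAP in the thread's output.
SHOW_CRYPTO_MAP = """\
   local  ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
"""
# Constructed: idents for a GRE-over-IPsec crypto ACL of
#   permit gre host 192.168.99.2 host 192.168.99.1
SHOW_GRE_MAP = """\
   local  ident (addr/mask/prot/port): (192.168.99.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.99.1/255.255.255.255/47/0)
"""
# Constructed: a static VTI (tunnel mode ipsec ipv4) reports an any/any proxy.
SHOW_VTI = """\
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
"""

IDENT_RE = re.compile(
    r"(local|remote)\s+ident\s*\(addr/mask/prot/port\):\s*"
    r"\((\S+?)/(\S+?)/(\d+)/(\d+)\)")


@dataclass(frozen=True)
class Proxy:
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network
    proto: int  # 0 means any protocol, as in the ident line


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int


def parse_proxy(show_output: str) -> Proxy:
    """Build the traffic selector from the local/remote ident lines."""
    sides = {}
    for side, addr, mask, prot, _port in IDENT_RE.findall(show_output):
        # ipaddress accepts a dotted netmask after the slash.
        sides[side] = (ipaddress.ip_network(f"{addr}/{mask}", strict=False), int(prot))
    (local, lp), (remote, rp) = sides["local"], sides["remote"]
    if lp != rp:
        raise ValueError("local/remote protocol mismatch in ident lines")
    return Proxy(local, remote, lp)


def pkt(src: str, dst: str, proto: int) -> Packet:
    return Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst), proto)


def selected(proxy: Proxy, p: Packet) -> bool:
    """True if the crypto ACL behind this SA would match the packet."""
    return (p.src in proxy.local and p.dst in proxy.remote
            and proxy.proto in (PROTO_ANY, p.proto))


def gre_encapsulate(inner: Packet, tunnel_src: str, tunnel_dst: str) -> Packet:
    """Outer header after GRE encapsulation; the multicast hello is now payload."""
    return pkt(tunnel_src, tunnel_dst, PROTO_GRE)


def classify(show_output: str, p: Packet) -> str:
    return "protected" if selected(parse_proxy(show_output), p) else "not in SA"


if __name__ == "__main__":
    hello = pkt("192.168.99.2", OSPF_ALL_ROUTERS, PROTO_OSPF)
    print("crypto map, raw OSPF hello:", classify(SHOW_CRYPTO_MAP, hello))
    wrapped = gre_encapsulate(hello, "192.168.99.2", "192.168.99.1")
    print("GRE map, GRE(hello)       :", classify(SHOW_GRE_MAP, wrapped))
    # Assumed tunnel interface address 10.0.0.2 for the VTI case.
    print("VTI, hello on tunnel intf :",
          classify(SHOW_VTI, pkt("10.0.0.2", OSPF_ALL_ROUTERS, PROTO_OSPF)))
```

Run against the thread's own idents, the raw hello comes back "not in SA" while a LAN-to-LAN packet is "protected", which is the distinction Alain draws: an OSPF adjacency can exist between the two routers without a single OSPF packet having gone through the crypto-map tunnel.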
