06-08-2020 03:51 PM
Hello All,
I have set up a site-to-site VPN in my home lab.
I have OSPF running between the WAN, local and remote sites, and everything is working fine.
However, when I apply the crypto map to the interfaces, I lose routing between the local LAN, WAN and remote sites.
When I take the crypto map off the interfaces, the OSPF adjacency forms and connectivity comes back, but the tunnel goes down; see below:
1 00:50:18.575: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /224.0.0.5, src_addr= 1.1.1.2, prot= 89
Thank you for your help.
Regards,
Star
06-10-2020 02:38 PM
Hello,
with (S)VTIs, you do not need any access lists anymore. So in your case, access list 100 is not needed anymore.
On both your tunnels, you might need to add:
ip ospf network broadcast
ip ospf mtu-ignore
06-10-2020 11:21 AM
Hello, thank you for the info. Please see below as requested.
I tried an access list per host and per network; it still didn't work.
access-list 100 permit ip host 10.10.10.1 192.168.1.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
As soon as I apply the access list to the interface, I lose OSPF connectivity.
Thank you
06-09-2020 12:00 AM
Hello,
try an (S)VTI instead of the crypto map.
SVTI looks something like below:
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp key cisco123 address 10.1.1.1
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC_P
set transform-set TS
!
interface Tunnel1
ip address 172.16.1.1 255.255.255.0
ip ospf 1 area 0
tunnel source 192.168.1.1
tunnel mode ipsec ipv4
tunnel destination 10.1.1.1
tunnel protection ipsec profile IPSEC_P
06-10-2020 11:19 AM
Hello,
Thank you for the info. The tunnel is up and active, but when I apply the access list to the tunnel the OSPF connectivity goes down again.
Please see below; I tried an access list per host and per network and it still didn't work.
access-list 100 permit ip host 10.10.10.1 192.168.1.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
06-10-2020 01:21 PM
Hello,
post the current running configurations of both your routers...
06-10-2020 02:21 PM
Hello Georg,
Please see below; I have also attached a lab diagram picture for clarification. Many thanks.
R3#sh running-config
Building configuration...
Current configuration : 2054 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
ip tcp synwait-time 5
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco123 address 1.1.1.1
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC_P
set transform-set TS
!
interface Tunnel1
ip address 172.16.1.1 255.255.255.0
ip ospf 1 area 0
tunnel source 2.2.2.1
tunnel mode ipsec ipv4
tunnel destination 1.1.1.1
tunnel protection ipsec profile IPSEC_P
!
interface FastEthernet0/0
ip address 10.10.10.1 255.255.255.0
duplex full
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/4
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/5
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/6
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/7
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
ip address 2.2.2.1 255.255.255.0
ip ospf 1 area 0
speed auto
duplex auto
!
router ospf 1
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
IPv4 Crypto ISAKMP SA
dst src state conn-id status
1.1.1.1 2.2.2.1 QM_IDLE 1002 ACTIVE
2.2.2.1 1.1.1.1 QM_IDLE 1001 ACTIVE
IPv6 Crypto ISAKMP SA
!
!
R3#sh crypto ipsec sa
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 2.2.2.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 1.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
#pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
+++++++++++++++++++++++++++++++++++++++++++++
R1 output
R1#sh running-config
Building configuration...
Current configuration : 1991 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
ip tcp synwait-time 5
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco123 address 2.2.2.1
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC_P
set transform-set TS
!
interface Tunnel1
ip address 172.16.1.2 255.255.255.0
ip ospf 1 area 0
tunnel source 1.1.1.1
tunnel mode ipsec ipv4
tunnel destination 2.2.2.1
tunnel protection ipsec profile IPSEC_P
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex full
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/4
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/5
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/6
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/7
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet2/0
ip address 1.1.1.1 255.255.255.0
ip ospf 1 area 0
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
router ospf 1
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
!
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
1.1.1.1 2.2.2.1 QM_IDLE 1002 ACTIVE
2.2.2.1 1.1.1.1 QM_IDLE 1001 ACTIVE
IPv6 Crypto ISAKMP SA
R1#sh crypto ipsec sa
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 1.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 2.2.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 34, #pkts encrypt: 34, #pkts digest: 34
#pkts decaps: 36, #pkts decrypt: 36, #pkts verify: 36
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
06-12-2020 02:39 AM
Hello Georg,
Thank you for the info, it worked. I removed the access lists and added the commands to the tunnel interface; OSPF went down and came back up, but unfortunately I am still unable to ping the remote LAN addresses.
Thank you
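An added consistency check, not from the thread or from Cisco, run over condensed copies of the two configs posted above: it parses the IOS interface blocks, verifies that each SVTI carries `tunnel protection` and has a peer tunnel whose source and destination mirror its own, reports the `ip ospf network broadcast` and `ip ospf mtu-ignore` lines the accepted answer recommends when they are missing, flags the crypto-map ACL 100 that nothing references once the SVTI is in place, and lists any addressed interface that runs no OSPF, since a LAN segment that is not in OSPF is never advertised to the far side. It assumes interface-level OSPF (`ip ospf 1 area 0`) as in the posted configs, not `network` statements under `router ospf`.

```python
# Constructed, condensed copy of the R3 SVTI config posted above; R1 is its mirror image.
R3 = """interface Tunnel1
 ip address 172.16.1.1 255.255.255.0
 ip ospf 1 area 0
 tunnel source 2.2.2.1
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile IPSEC_P
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
R1 = (R3.replace("1.1.1.1", "X").replace("2.2.2.1", "1.1.1.1").replace("X", "2.2.2.1")
        .replace("172.16.1.1", "172.16.1.2").replace("10.10.10", "Y")
        .replace("192.168.1", "10.10.10").replace("Y", "192.168.1"))

def parse_ios(cfg):
    """Split an IOS config into global commands and per-interface sub-command lists."""
    glob, ifaces, cur = [], {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and cur is not None:
            cur.append(line.strip())
        elif line.strip() and not line.startswith("!"):
            cur = None
            glob.append(line.strip())
    return glob, ifaces

def audit_svti(local_cfg, peer_cfg):
    """Findings for the local router's SVTI tunnels, checked against the peer's config."""
    glob, ifaces = parse_ios(local_cfg)
    peer, out = parse_ios(peer_cfg)[1], []
    for name, cmds in ifaces.items():
        # A LAN that runs no OSPF is never advertised, so it stays unreachable across the tunnel.
        if any(c.startswith("ip address") for c in cmds) and not any(c.startswith("ip ospf") for c in cmds):
            out.append(f"{name}: addressed but not in OSPF, never advertised over the tunnel")
        if "tunnel mode ipsec ipv4" not in cmds:
            continue
        src, dst = [next(c.split()[2] for c in cmds if c.startswith(k)) for k in ("tunnel source", "tunnel destination")]
        if not any(c.startswith("tunnel protection ipsec profile") for c in cmds):
            out.append(f"{name}: no IPsec profile bound, tunnel traffic would be sent unprotected")
        if not any(f"tunnel source {dst}" in p and f"tunnel destination {src}" in p for p in peer.values()):
            out.append(f"{name}: peer has no tunnel mirroring {src} <-> {dst}")
        out += [f"{name}: missing '{n}'" for n in ("ip ospf network broadcast", "ip ospf mtu-ignore") if n not in cmds]
    # With an SVTI the crypto-map ACL is dead config: flag numbered ACLs nothing references.
    for num in {g.split()[1] for g in glob if g.startswith("access-list ")}:
        if not any(num in c.split() and ("match address" in c or "access-group" in c) for c in glob + sum(ifaces.values(), [])):
            out.append(f"access-list {num}: defined but not referenced (not needed with SVTI)")
    return out
```

Running `audit_svti(R3, R1)` on the condensed configs reports the two missing OSPF tunnel settings, the unreferenced ACL 100 and FastEthernet0/0 not being in OSPF.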