01-08-2019 01:11 PM - edited 02-21-2020 09:32 PM
Dear all,
I would like to ask about an IPSec tunnel with AWS.
I want to connect my DC to AWS with IPSec. AWS has a PA firewall and I have a Cisco router. My router and the ISP link are established with eBGP. I didn't advertise a network to the ISP (BGP peering only). AWS advertises the network to the ISP.
When I create IPSec between the PA and the Cisco I get the below error message and the tunnel is flapping (up and down). So when the tunnel is up my route table shows traffic to AWS passing through the tunnel; when the tunnel is down my routing table shows all traffic using BGP. When I tested in the lab, I didn't get this error. Please help me to find the root cause.
01-08-2019 01:22 PM
Hi,
You probably have a routing issue, potentially routing the tunnel destination address using the tunnel interface? This link provides more information on this issue.
Can you check the routing configuration on the router?
HTH
01-08-2019 01:25 PM
Hi there,
Recursive routing means that the tunnel endpoint IP is being advertised as available via the tunnel itself.
To get around this issue, either filter the routes being advertised via the tunnel, or perhaps easier, configure static routes at both ends (Cisco router, and PA firewall) directing traffic destined for the remote tunnel endpoint via the ISP next-hop address. This static route will always have a lower AD than the competing route being received via the tunnel so your tunnel will no longer flap.
Please provide your router config if this needs further clarity.
cheers,
Seb.
01-08-2019 05:35 PM - edited 01-08-2019 09:29 PM
Hi ALL,
Please see the config below from my router (the IPs are not real). I already configured a static route on both sides (Cisco and PA) because I didn't know how to route filter. If I configure the VTI source with a loopback, can I overcome this issue? Do I need to upgrade IOS? My IOS version is c800-universalk9-mz.SPA.155-3.M5.bin.
crypto ikev2 proposal proposal1
encryption aes-cbc-256
integrity sha256
group 14
!
crypto ikev2 policy policy1
match address local 2.1.203.4
proposal proposal1
!
!
crypto ikev2 profile profile1
description IKEv2 profile
match identity remote any
identity local dn
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint ca
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile IPSecProfile1
set transform-set TS
set ikev2-profile profile1
!
interface Tunnel1
description IPSec to AWS
ip address 1.1.1.16 255.255.255.0
tunnel source GigabitEthernet8
tunnel mode ipsec ipv4
tunnel destination 10.11.10.18 <========= PA untrust interface
tunnel protection ipsec profile IPSecProfile1
!
interface GigabitEthernet8
ip address 2.1.203.4 255.255.255.240
duplex auto
speed auto
!
!
router bgp 65100
bgp log-neighbor-changes
neighbor 2.1.203.5 remote-as 100
!
ip route 10.11.10.0 255.255.252.0 Tunnel1
01-09-2019 05:09 AM
Your config:
!
ip route 10.11.10.0 255.255.252.0 Tunnel1
!
is telling the router to send packets destined for the remote tunnel endpoint (10.11.10.18) via the tunnel. As soon as Tunnel1 comes up this static route will become active and your tunnel will flap. I suggest the following config:
!
no ip route 10.11.10.0 255.255.252.0 Tunnel1
ip route 10.11.10.18 255.255.255.255 <LOCAL_ISP_NEXT_HOP_IP>
!
This will ensure the router always sends traffic destined for the remote tunnel endpoint IP (i.e. your IPsec traffic) via your ISP.
cheers,
Seb.
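To make the recursive-routing explanation above concrete, here is an added example that is not from this thread and not Cisco code: a small Python longest-prefix-match model of the router's table. It reproduces the flap condition with the original /22 route via Tunnel1 and checks the /32 fix; it also shows that the /32 wins by longest prefix even if a broader route via the tunnel remains. The default route learned from the ISP via eBGP (AD 20) and the next-hop 2.1.203.5 are assumptions taken from the posted config.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    egress: str                      # outgoing interface
    next_hop: Optional[str] = None   # next-hop IP (None for VTI routes)
    admin_distance: int = 1          # static = 1, eBGP = 20


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; ties broken by the lowest administrative distance."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.admin_distance))


def tunnel_is_recursive(table: List[Route], tunnel_if: str, tunnel_dst: str) -> bool:
    """True when the tunnel's own destination would be forwarded into the tunnel."""
    best = lookup(table, tunnel_dst)
    return best is not None and best.egress == tunnel_if


TUNNEL_DST = "10.11.10.18"      # PA untrust interface from the posted config
ISP_NEXT_HOP = "2.1.203.5"      # assumed: the eBGP neighbour on GigabitEthernet8

# Assumed: a default route learned from the ISP over eBGP (AD 20).
DEFAULT_VIA_ISP = Route(ipaddress.ip_network("0.0.0.0/0"), "GigabitEthernet8", ISP_NEXT_HOP, 20)
# The original static route. strict=False normalises 10.11.10.0/22 to 10.11.8.0/22,
# which still covers the tunnel endpoint 10.11.10.18.
LAN_VIA_TUNNEL = Route(ipaddress.ip_network("10.11.10.0/22", strict=False), "Tunnel1")
# Seb's fix: a host route for the endpoint pointing at the ISP next hop.
ENDPOINT_VIA_ISP = Route(ipaddress.ip_network("10.11.10.18/32"), "GigabitEthernet8", ISP_NEXT_HOP)

BEFORE = [DEFAULT_VIA_ISP, LAN_VIA_TUNNEL]
AFTER = [DEFAULT_VIA_ISP, ENDPOINT_VIA_ISP]

if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER), ("both", BEFORE + [ENDPOINT_VIA_ISP])):
        r = lookup(table, TUNNEL_DST)
        flag = "RECURSIVE" if tunnel_is_recursive(table, "Tunnel1", TUNNEL_DST) else "ok"
        print(f"{name:6s}: {TUNNEL_DST} -> {r.prefix} via {r.egress} [{flag}]")
```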