AWS and IPSec

MrBeginner
Spotlight

Dear all,

I would like to ask about an IPsec tunnel with AWS.

I want to connect my DC to AWS with IPsec. AWS has a PA firewall and I have a Cisco router. My router and the ISP link are established with eBGP. I didn't advertise my network to the ISP (BGP peering only). AWS advertises the network to the ISP.

When I create IPsec between the PA and the Cisco I get the below error message and the tunnel is flapping (up and down). So when the tunnel is up my route table shows traffic to AWS passing through the tunnel; when the tunnel is down my routing table shows all traffic using BGP. When I tested in the lab, I didn't get this error. Please help me find the root cause.


4 Replies

Hi,

You probably have a routing issue, potentially routing the tunnel destination address using the tunnel interface? This link provides more information on this issue.

Can you check the routing configuration on the router?

HTH

Seb Rupik
VIP Alumni

Hi there,
Recursive routing means that the tunnel endpoint IP is being advertised as available via the tunnel itself.

To get around this issue, either filter the routes being advertised via the tunnel, or perhaps easier, configure static routes at both ends (Cisco router, and PA firewall) directing traffic destined for the remote tunnel endpoint via the ISP next-hop address. This static route will always have a lower AD than the competing route being received via the tunnel so your tunnel will no longer flap.

Please provide your router config if this needs further clarity.

cheers,
Seb.

Hi all,

Please see below the config in my router (the IPs are not real). I already configured a static route on both sides (Cisco and PA) because I didn't know how to filter routes. If I configure the VTI source with a loopback, can I overcome this issue? Do I need to upgrade IOS? My IOS version is c800-universalk9-mz.SPA.155-3.M5.bin.

crypto ikev2 proposal proposal1
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy policy1
 match address local 2.1.203.4
 proposal proposal1
!
crypto ikev2 profile profile1
 description IKEv2 profile
 match identity remote any
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint ca
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSecProfile1
 set transform-set TS
 set ikev2-profile profile1
!
interface Tunnel1
 description IPSec to AWS
 ip address 1.1.1.16 255.255.255.0
 tunnel source GigabitEthernet8
 tunnel mode ipsec ipv4
 tunnel destination 10.11.10.18   <========= PA untrust interface
 tunnel protection ipsec profile IPSecProfile1
!
interface GigabitEthernet8
 ip address 2.1.203.4 255.255.255.240
 duplex auto
 speed auto
!
router bgp 65100
 bgp log-neighbor-changes
 neighbor 2.1.203.5 remote-as 100
!
ip route 10.11.10.0 255.255.252.0 Tunnel1

Your config:

!
ip route 10.11.10.0 255.255.252.0 Tunnel1
!

is telling the router to send packets destined for the remote tunnel endpoint (10.11.10.18) via the tunnel. As soon as Tunnel1 comes up this static route will become active and your tunnel will flap. I suggest the following config:

!
no ip route 10.11.10.0 255.255.252.0 Tunnel1
ip route 10.11.10.18 255.255.255.255 <LOCAL_ISP_NEXT_HOP_IP>
!

This will ensure the router always sends traffic destined to the remote tunnel endpoint IP (i.e. your IPsec traffic) via your ISP.

cheers,

Seb.
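A small recursive-routing check, added here as an example and not part of the thread or of any Cisco tool: it parses the `tunnel destination` and `ip route` lines of the posted IOS config, does a longest-prefix match for each tunnel endpoint, and flags tunnels whose own endpoint is routed back into the tunnel. The "after" config applies Seb's fix, with the BGP neighbour 2.1.203.5 from the posted config assumed to be the ISP next hop.

```python
import ipaddress
import re

# Constructed excerpt of the poster's config; only routing-relevant lines kept.
CONFIG_BEFORE = """\
interface Tunnel1
 tunnel source GigabitEthernet8
 tunnel destination 10.11.10.18
ip route 10.11.10.0 255.255.252.0 Tunnel1
"""

# Same config with Seb's suggested change applied (2.1.203.5 is the BGP
# neighbour from the posted config, assumed here as <LOCAL_ISP_NEXT_HOP_IP>).
CONFIG_AFTER = CONFIG_BEFORE.replace(
    "ip route 10.11.10.0 255.255.252.0 Tunnel1",
    "ip route 10.11.10.18 255.255.255.255 2.1.203.5",
)

ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)")
TUNNEL_RE = re.compile(r"^interface (Tunnel\d+)")
DEST_RE = re.compile(r"^\s+tunnel destination (\S+)")


def parse_config(text):
    """Return ({tunnel_name: destination_ip}, [(network, next_hop)])."""
    tunnels, routes, current = {}, [], None
    for line in text.splitlines():
        if m := TUNNEL_RE.match(line):
            current = m.group(1)
        elif (m := DEST_RE.match(line)) and current:
            tunnels[current] = ipaddress.ip_address(m.group(1))
        elif m := ROUTE_RE.match(line):
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append((net, m.group(3)))
        elif not line.startswith(" "):
            current = None  # left the interface block
    return tunnels, routes


def lookup(routes, ip):
    """Longest-prefix match over the static routes. None means the address
    falls through to the BGP/ISP path, which is what a tunnel endpoint needs."""
    matches = [r for r in routes if ip in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else None


def recursive_tunnels(text):
    """Names of tunnels whose own destination is routed back into the tunnel."""
    tunnels, routes = parse_config(text)
    return sorted(n for n, dst in tunnels.items() if lookup(routes, dst) == n)
```

`recursive_tunnels(CONFIG_BEFORE)` reports Tunnel1, because the /22 static route covers 10.11.10.18; after the /32 host route via the ISP next hop replaces it, the list is empty.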