GRE Tunnel over IPsec, BGP won't come up

josh94950
Level 1

Hello All,

An interesting issue, could be silly but I don't get it. Pretty simple configuration:

Building configuration...

Current configuration : 1020 bytes
ip vrf CIT
 rd 65500:100
!
!
interface Tunnel731
 bandwidth 500000
 ip vrf forwarding CIT
 ip address 10.192.1.1 255.255.255.252
 ip access-group cit-tunnel-protect in
 ip mtu 1400
 ip tcp adjust-mss 1360
 load-interval 30
 tunnel source Loopback0
 tunnel destination 123.45.6.7
 tunnel protection ipsec profile cit
 crypto engine slot 1/0 inside
router bgp 65004
 !
 address-family ipv4 vrf CIT
  no synchronization
  neighbor 10.192.1.2 remote-as 65522
  neighbor 10.192.1.2 activate
 exit-address-family
!
end

int lo0
 ip add 98.76.54.32 255.255.255.255

Extended IP access list cit-tunnel-protect
    10 permit tcp 10.192.1.0 0.0.0.3 10.192.1.0 0.0.0.3 eq bgp
    20 permit icmp 10.192.1.0 0.0.0.3 10.192.1.0 0.0.0.3
    65000 deny ip any any

----------------------------------------------------------

Ping no problem, routing no problem, but the problem is:

When the IKE1 session is initiated by the remote peer, BGP comes up no problem, but if the session is initiated by the local peer, BGP won't come up.

show crypto isakmp sa:

IPv4 Crypto ISAKMP SA
  dst             src             state    conn-id slot status
  98.76.54.32     123.45.6.7      QM_IDLE  68011        ACTIVE   ----- bgp comes up fine
--------------------------------------------------------------------------------------------------------------------------------------
  123.45.6.7      98.76.54.32     QM_IDLE  68011        ACTIVE   ---- bgp won't come up

I tried to remove the access-list, but I think the same results were observed...

What am I missing here ?

Thanks,

Josh

2 Replies

Could it be the ACL? Try adding the following:

    15 permit tcp 10.192.1.0 0.0.0.3 eq bgp 10.192.1.0 0.0.0.3

BGP runs on TCP so it's kind of a client/server connection. One side uses a random port >1024 to TCP/179 on the other side. Your ACL matches depending on which BGP neighbor initiated the connection but does not match both cases...

Patrick
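The following is an added example, not code from this thread or from Cisco: a small Python model of first-match evaluation for the inbound extended ACL shown above. It parses the ACE syntax used in the thread (sequence number, permit/deny, protocol, wildcard-masked source and destination, optional `eq bgp` on either side), then feeds it the two inbound packets Patrick describes: the peer's SYN toward local port 179 when the peer opens the session, and the peer's replies from port 179 toward a local ephemeral port when the local router opens it. The packet addresses and ephemeral ports are constructed for the example; the ACL lines are the ones from the post plus the suggested line 15.

```python
# Added example: first-match evaluation of a Cisco-style extended ACL against the
# two directions of a BGP TCP session. Illustrative code only, not Cisco IOS; it
# understands just the ACE subset used in the thread.
import ipaddress
from dataclasses import dataclass

BGP_PORT = 179


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def in_wildcard(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit means 'must match', a 1 bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_ace(line):
    """Parse one ACE, e.g. '10 permit tcp 10.192.1.0 0.0.0.3 eq bgp 10.192.1.0 0.0.0.3'."""
    tok = line.split()
    seq, action, proto = int(tok[0]), tok[1], tok[2]
    i = 3

    def addr():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return ("0.0.0.0", "255.255.255.255")
        net, wc = tok[i], tok[i + 1]
        i += 2
        return (net, wc)

    def port():
        nonlocal i
        if i < len(tok) and tok[i] == "eq":
            name = tok[i + 1]
            i += 2
            return BGP_PORT if name == "bgp" else int(name)
        return None  # no port qualifier: any port matches

    src, sport = addr(), port()
    dst, dport = addr(), port()
    return {"seq": seq, "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def ace_matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt.proto):
        return False
    if not in_wildcard(pkt.src, *ace["src"]) or not in_wildcard(pkt.dst, *ace["dst"]):
        return False
    if ace["sport"] is not None and pkt.sport != ace["sport"]:
        return False
    if ace["dport"] is not None and pkt.dport != ace["dport"]:
        return False
    return True


def evaluate(acl_lines, pkt):
    """First matching ACE wins (by sequence number); no match means implicit deny."""
    for ace in sorted((parse_ace(l) for l in acl_lines), key=lambda a: a["seq"]):
        if ace_matches(ace, pkt):
            return ace["action"], ace["seq"]
    return "deny", None


# ACL as posted, and the same ACL with Patrick's suggested line 15.
ORIGINAL_ACL = [
    "10 permit tcp 10.192.1.0 0.0.0.3 10.192.1.0 0.0.0.3 eq bgp",
    "20 permit icmp 10.192.1.0 0.0.0.3 10.192.1.0 0.0.0.3",
    "65000 deny ip any any",
]
PATCHED_ACL = ORIGINAL_ACL + ["15 permit tcp 10.192.1.0 0.0.0.3 eq bgp 10.192.1.0 0.0.0.3"]

# Constructed inbound packets on Tunnel731 (local 10.192.1.1, peer 10.192.1.2).
# Peer-initiated session: the peer's packets target our TCP/179.
PEER_INITIATED = Packet("tcp", "10.192.1.2", "10.192.1.1", sport=51234, dport=BGP_PORT)
# Locally initiated session: the peer's replies come FROM TCP/179 to our ephemeral port.
LOCAL_INITIATED = Packet("tcp", "10.192.1.2", "10.192.1.1", sport=BGP_PORT, dport=44000)


def check_both_directions(acl_lines):
    """Return the ACL verdict for inbound traffic in each session direction."""
    return {
        "peer_initiated": evaluate(acl_lines, PEER_INITIATED)[0],
        "local_initiated": evaluate(acl_lines, LOCAL_INITIATED)[0],
    }


if __name__ == "__main__":
    print("original ACL:  ", check_both_directions(ORIGINAL_ACL))
    print("with line 15:  ", check_both_directions(PATCHED_ACL))
```

With the ACL as posted, inbound replies of a locally initiated session fall through to the `deny ip any any` at sequence 65000, because line 10 only matches packets whose destination port is 179; adding line 15 (source port 179) permits that direction too. The same asymmetry applies to any stateless ACL placed in front of a TCP peering, which is why a stateless filter for BGP needs an entry for each direction the session can be opened in.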

Thanks Patrick, I am seeing the same behaviour even without the access-list. I am waiting to see how the remote router is configured. I don't see phase 2 coming up when the local peer (98.76.54.32) initiated the session.
