Migration from DMVPN to L2L E-Line Redundant GRE Over IPSec with VRF or VTI Multiple VRF with DPD and Failover

tom.neteng
Level 1

I'm attempting to move a DMVPN MPLS setup over to a site-to-site for a main corporate office and branch office.  The routing protocol currently in use is EIGRP.  I'm not certain why the DMVPN was originally set up, but it really makes no sense over point-to-point links with no real expansion plans for more sites in the near future.  Because the institution is regulated, I would like to encrypt the traffic traveling over the Metro-E links.

 

Basically, each site has a 2911 router currently attached to an MPLS line, which I am going to transition over to two interfaces each connected to a separate provider, using routed interfaces and decommissioning the MPLS.  My original implementation plan was to use GRE over IPSec VPNs, but then I started reading about VTIs and began to wonder if that wasn't a more optimal design.

 

Does it make any practical difference, other than the additional data not needed by VTI as a result of there being no GRE encapsulation?

 

All I want to do is to be able to have a primary circuit through one E-Line, with failover in the event of a single tunnel loss.  I was planning on implementing two new VRFs on each router with periodic DPD and adjusting the bandwidth and delay metrics in order to favor one link over the other.  Does anyone see a problem with that design?

 

While not a core requirement, is there any way to use both circuits simultaneously, or is that something that is not recommended, even if possible?

 

Tom

17 Replies

Francesco Molino
VIP Alumni

Hi 

 

Whatever solution you use, you'll be able to add dynamic routing and use both links at the same time.

 

Take a look at the design guide here:

https://supportforums.cisco.com/kxiwq67737/attachments/kxiwq67737/6001-discussions-vpn/33053/1/80195-Virtual%20Tunnel%20Interface%20Design%20Guide.pdf

 

There is a comparison for all 3 connection types.

 

Personally I would keep the DMVPN.

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thank you.

 

I have a configuration in place, and while the links come up, I can't get the GRE over IPSec running.  Can someone please tell me what I'm missing?  I tried to generate interesting traffic to the other side of the tunnel and also using the vrf option in ping, but nothing...

 

Here is my config on R2.  R1 has a duplicate config, but the IPs are changed from .2 to .1.

 

ip vrf vrf1
rd 1:1
!
ip vrf vrf2
rd 2:2
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key ******* address 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 15 periodic
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set T101-AES256 esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec df-bit clear
!
crypto ipsec profile T101-AES256
set security-association lifetime seconds 86400
set transform-set T101-AES256
!
crypto map T101 local-address GigabitEthernet0/2
crypto map T101 101 ipsec-isakmp
set peer 172.16.101.1
set transform-set T101-AES256
match address 101
!
interface Loopback101
ip vrf forwarding vrf1
ip address 10.101.255.2 255.255.255.0
!
interface Tunnel101
bandwidth 100000
ip address 10.255.101.2 255.255.255.0
no ip redirects
ip mtu 1400
ip flow ingress
ip flow egress
ip tcp adjust-mss 1360
delay 1000
tunnel source 172.16.110.2
tunnel destination 172.16.101.1
tunnel vrf vrf1
!
interface GigabitEthernet0/2
description MetroE
ip address 172.16.110.2 255.255.255.0
duplex auto
speed auto
crypto map T101

router eigrp 100
network ***** omitted
passive-interface GigabitEthernet0/2
passive-interface Tunnel101

access-list 101 permit gre host 172.16.110.2 host 172.16.101.1

Hi Tom,

What are your reasons for running a VTI (Tunnel 101) and the crypto map?

Running a VTI with an IPSec profile attached would provide you with the encryption you want, then just run a routing protocol or static route. You also may want to use IKEv2 (FlexVPN VTI) with the latest next generation encryption.

I thought it was required. It looks like there’s a crypto map auto generated, but the documentation I was reading noted that a crypto map should be included.

 

How would I accomplish using VTI with only an IPSec or IKEv2 profile?

 

I’m coming over from the world of ASAs, WatchGuards, SonicWALLs and Palo Altos.  So building tunnels from the CLI from scratch is somewhat new to me.  In the past, I’d mostly used the wizards and made modifications to the configurations such as adding peers.

 

Tom

Hi

Here is a doc that can help you for sure.

The config would be:

interface type number
ip address x.x.x.x x.x.x.x
tunnel mode ipsec ipv4
tunnel source g0/2
tunnel destination 172.16.101.1
tunnel protection IPsec profile T101

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Why would you like to build GRE over IPsec?
You can configure your VTI directly (tunnel mode ipsec and protection ipsec) or use GRE and encrypt the traffic (tunnel protection ipsec) like you had on your DMVPN.

Also, you're using an ACL filtered on the GRE protocol to build up the VPN? ACL 101 is your crypto ACL, is that what you want?
As I understand your config, you would be better off going with VTI.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Isn’t there traffic that’s visible when you build IPSec over GRE, such as EIGRP hellos and other traffic that could be viewed or modified?  I am working with a regulated environment and I want to be able to run a dynamic routing protocol and have no traffic visible in transit that may reveal any information about the network.

 

 

From my understanding that leaves me either GRE over IPSec or IPSec VTIs.  I wanted to get a better handle on VRFs, so I thought I would combine a VRF with GRE over IPSec, but wasn’t able to get the tunnel up.  I thought perhaps I needed a crypto policy or some sort of VRF integration that I missed.

 

Tom

Yes, you're right regarding IPsec over GRE. That's why in my previous post I gave you the config for VTI.
I also see that I forgot to paste the doc link:
https://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html

Anyway, GRE over IPsec should work as well. Can you paste the config of both sites?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

To add to the information Francesco has provided. In regard to IKEv2 specific configuration, here is an example config. The ISR G2 2911 that you have supports FlexVPN (IKEv2), it does come with some "Smartdefaults" - default IKEv2 Proposal, IPSec Profile etc....but you may want to create your own.

 

! IKEv2 Proposal

crypto ikev2 proposal PROPOSAL-1
encryption aes-cbc-256
group 14
integrity sha256

crypto ikev2 policy IKEV2_POLICY
proposal PROPOSAL-1

 

! IKEv2 Keyring

crypto ikev2 keyring KEYRING
 peer ANY-PEER
  address 0.0.0.0
  pre-shared-key local cisco1234
  pre-shared-key remote cisco1234
  exit

 

! IKEv2 Profile

! Amend the local fqdn to the name of your router

! Amend the remote fqdn domain lab.net

crypto ikev2 profile IKEV2_PROFILE
 match identity remote fqdn domain lab.net
 identity local fqdn hq-rtr.lab.net
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING

 

! IPSec Profile

crypto ipsec profile IPSEC_PROFILE
 set ikev2-profile IKEV2_PROFILE
 

! Use IPSec profile on Tunnel interface
interface tunnel X
 tunnel protection ipsec profile IPSEC_PROFILE

 

Resources

http://www.cisco.com/c/en/us/support/docs/security/flexvpn/116413-configure-flexvpn-00.html
http://resources.intenseschool.com/configuring-ikev2-on-cisco-ios-7-flexvpn-and-aaa/#article

https://integratingit.wordpress.com/2016/07/07/configuring-cisco-flexvpn-svti/

 

HTH

Thanks for the link and the config.  I will review this morning.  I posted the relevant section of the config from R2 in the reply above.  I'm not trying to copy and paste the full config from R1, because there is also a lot of voice stuff going on and some IPs that I don't want to disclose.  Here is the other side:

 

no ip source-route
no ip gratuitous-arps
ip cef
!
!
!
ip vrf VRF1
rd 1:1
!
ip vrf VRF2
rd 2:2
!
!
!
!
no ip bootp server
ip domain name tomneteng.local
ip multicast-routing
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
isdn switch-type primary-ni
!
!
trunk group FXO
!
!
trunk group PRI
hunt-scheme sequential
!
!
!
bunch of voice stuff
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key ***** address 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 15 periodic
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set T101-AES256 esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec df-bit clear
!
crypto ipsec profile T101-AES256
set security-association lifetime seconds 86400
set transform-set T101-AES256
!
crypto map T101 local-address GigabitEthernet0/0
crypto map T101 101 ipsec-isakmp
set peer 172.16.110.2
set transform-set T101-AES256
match address 101
!
interface Loopback101
ip vrf forwarding VRF1
ip address 10.101.255.1 255.255.255.0
!
interface Tunnel101
bandwidth 100000
ip address 10.255.101.1 255.255.255.0
no ip redirects
ip mtu 1400
ip flow ingress
ip flow egress
ip tcp adjust-mss 1360
delay 1000
tunnel source 172.16.101.1
tunnel destination 172.16.110.2
tunnel vrf VRF1
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 172.16.101.1 255.255.255.0
duplex auto
speed auto
crypto map T101
!
router eigrp 100
redistribute static route-map static-into-eigrp
passive-interface GigabitEthernet0/0
passive-interface Tunnel101
!
router bgp
omitted
no ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip flow-top-talkers
top 15
sort-by bytes
!
ip pim rp-address omitted
logging source-interface GigabitEthernet0/0.550 (I deleted this subinterface but it still shows in show ip int br as "deleted".)
logging host omitted
access-list 101 permit gre host 172.16.101.1 host 172.16.110.2
!
route-map static-into-eigrp permit 10
match tag 100

 

I got the original config from here:

 

https://networkology.net/2013/07/14/gre-over-ipsec-configured-and-explained-ccie-notes/

 

Is the site correct?

Thanks.  I posted another reply earlier that I edited, but I'm not certain what happened to it.  Will the following config provide failover and work for export to the global VRF once dynamic routing is turned back on on those interfaces?  Or do I need to utilize the import unicast command?

 

R1

crypto isakmp keepalive 5 periodic

ip vrf vrf1
rd 101:1
route-target export 101:1
route-target import 101:1

ip vrf vrf2
rd 102:1
route-target export 102:1
route-target import 102:1

crypto ipsec transform-set T101-AES256 esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec df-bit clear

crypto ipsec profile T101-AES256
set security-association lifetime seconds 86400
set transform-set T101-AES256

interface Tunnel101
ip vrf forwarding vrf1
bandwidth 100000
ip address 10.255.101.1 255.255.255.0
no ip redirects
ip mtu 1400
ip flow ingress
ip flow egress
ip tcp adjust-mss 1360
delay 1000
tunnel source 172.16.101.1
tunnel destination 172.16.110.2
tunnel mode IPsec ipv4
tunnel protection IPsec profile T101-AES256

interface Tunnel102
ip vrf forwarding vrf2
bandwidth 100000
ip address 10.255.102.1 255.255.255.0
no ip redirects
ip mtu 1400
ip flow ingress
ip flow egress
ip tcp adjust-mss 1360
delay 1000
tunnel source 172.16.102.1
tunnel destination 172.16.120.2
tunnel mode IPsec ipv4
tunnel protection IPsec profile T102-AES256

interface GigabitEthernet0/2
ip address 172.16.101.1 255.255.255.0
duplex auto
speed auto

 

other interface not operational yet

R2

 

crypto isakmp keepalive 5 periodic

ip vrf vrf3
rd 110:2
route-target export 110:2
route-target import 110:2

ip vrf vrf4
rd 120:2
route-target export 120:2
route-target import 120:2

crypto ipsec transform-set T101-AES256 esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec df-bit clear

crypto ipsec profile T101-AES256
set security-association lifetime seconds 86400
set transform-set T101-AES256

interface Tunnel101
ip vrf forwarding vrf3
bandwidth 100000
ip address 10.255.101.2 255.255.255.0
no ip redirects
ip mtu 1400
ip flow ingress
ip flow egress
ip tcp adjust-mss 1360
delay 1000
tunnel source 172.16.110.2
tunnel destination 172.16.101.1
tunnel mode IPsec ipv4
tunnel protection IPsec profile T101-AES256

interface Tunnel102
ip vrf forwarding vrf4
bandwidth 100000
ip address 10.255.102.2 255.255.255.0
no ip redirects
ip mtu 1400
ip flow ingress
ip flow egress
ip tcp adjust-mss 1360
delay 1000
tunnel source 172.16.120.2
tunnel destination 172.16.102.1
tunnel mode IPsec ipv4
tunnel protection IPsec profile T102-AES256

interface GigabitEthernet0/0
ip address 172.16.110.2 255.255.255.0
duplex auto
speed auto

 

other interface not operational

 

Tom

The config of tunnels will work.

 

However can you clarify what you're asking?

Will the following config provide failover and work for export to the global VRF once dynamic routing is turned back on on those interfaces?  Or do I need to utilize the import unicast command?

You'll have 2 tunnels built, and now you need traffic from inside to go through one and through the other in case the first one fails, right?

You didn't paste the config of your routing? Are your local subnets in VRFs as well?

 

 

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Francesco,

 

Thanks.  I ended up having to manually specify tunnel mode and delete a crypto map that I had configured earlier, but all is well and the config worked for the most part.  Although I'm not certain if it should be necessary to assign an address to a loopback to be able to source ping the other side of the tunnel.  I thought that's something that wasn't needed with a VTI.  Will take a look into it when I have some more time.

 

I am eliminating the DMVPN.  I was able to get the first VTI up and running today and ping across when specifying that VRF as the destination.  But I don't know how the route export will work to the global VRF.  And, the global VRF is not named right now.  I have only setup VRFs for the tunnel traffic.  What I would like to do is have the two tunnels operating simultaneously and the routes imported from each VRF to the global VRF so that if one tunnel were to fail, the routes would drop out.  If I need to move everything else to a third named VRF, that is not a huge issue, but I would like to avoid it if possible.

 

I originally thought that I could do this having the global VRF terminating two tunnels, but during my research I read that such a scenario could result in a tunnel staying up that's not passing traffic and failover not wanting to occur so that the best route was to use multiple VRFs. Here's one of the articles I read:

 

https://www.cisco.com/c/en/us/support/docs/security-vpn/dynamic-multi-point-vpn-dmvpn/119022-configure-dmvpn-00.html

 

"If both of the ISPs terminate in the global VRF, they share the same routing table and both of the mGRE interfaces rely on the global routing information. In this case, if the primary ISP fails, the primary ISP interface might not go down if the failure point is in the backbone network of ISPs and not directly connected. This results in a scenario where both of the mGRE tunnel interfaces still use the default route that points to the primary ISP, which causes the DMVPN redundancy to fail."

 

If this doesn't have the same correlation for Metro E, I will just terminate both on the global VRF, but it would be good to know how to do this in the future, if I'm tunneling out over multiple providers instead.

 

Another issue that I have is using GTS on that interface.  It doesn't support that command.  Any idea on how to do that, or do I have to use CAR with rate-limit?  I just want a generic policy to limit to 100 meg and queue additional traffic.

 

The local subnets are integrated into eigrp and static routes are exported into the dynamic protocol in the default vrf on both sides.

 

router eigrp 100

network ...

 

I do not have any separate instances of EIGRP running internally per VRF.  Is it necessary to have a separate instance per VRF, or can the export with a unique RD on both sides handle the integration into the native EIGRP?  Or would this require an iVRF and moving everything to a named VRF, or an import command, or something else?

 

Tom
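A config hygiene check for the problems this thread runs into: a tunnel whose "tunnel vrf" does not match the VRF of its source interface (the first posted R2 config), a crypto map left on the physical interface beside "tunnel protection" (the fix above), a profile that is referenced but never defined, and missing DPD. This is an added example, not code from the thread or from Cisco; SAMPLE_CFG is a constructed, cut-down copy of the first posted R2 config, and the parser assumes "tunnel source" is given as an IP address, as it is in the posted configs.

```python
"""Lint Cisco IOS tunnel/IPsec config for the mistakes this thread runs into.
Added example, not from the thread; SAMPLE_CFG is a constructed cut-down
copy of the first posted R2 config (tunnel vrf on Tunnel101, crypto map)."""
import re

STANZA = re.compile(r"^(interface|crypto ipsec profile) ")

def parse(cfg):
    """{stanza header: [child lines]}; '!'/blank ends a stanza, no indent needed."""
    blocks, cur = {}, None
    for line in (ln.strip() for ln in cfg.splitlines()):
        if not line or line[0] == "!":
            cur = None
        elif STANZA.match(line) or cur is None:
            cur = line
            blocks.setdefault(cur, [])
        else:
            blocks[cur].append(line)
    return blocks

def attr(body, key):  # value of the first child line that starts with key
    return next((ln[len(key) + 1:] for ln in body if ln.startswith(key + " ")), None)

def lint(cfg):
    """Return findings (empty list = clean). Assumes 'tunnel source' is an IP."""
    b, out = parse(cfg), []
    ifaces = {h.split()[1]: v for h, v in b.items() if h.startswith("interface ")}
    profiles = {h.split()[-1] for h in b if h.startswith("crypto ipsec profile ")}
    owner = {attr(v, "ip address").split()[0]: (n, attr(v, "ip vrf forwarding") or "global")
             for n, v in ifaces.items() if attr(v, "ip address")}  # local IP -> (if, VRF)
    if not re.search(r"^\s*crypto (isakmp keepalive|ikev2 dpd) ", cfg, re.M):
        out.append("no DPD: a dead peer keeps its SA up, so failover stalls")
    for name, body in ((n, v) for n, v in ifaces.items() if n.startswith("Tunnel")):
        src, fvrf = attr(body, "tunnel source"), attr(body, "tunnel vrf") or "global"
        prof = attr(body, "tunnel protection ipsec profile")
        phy, phy_vrf = owner.get(src, (None, None))
        cmap = attr(ifaces[phy], "crypto map") if phy else None
        if phy and phy_vrf != fvrf:  # outer packets are routed in the fVRF, not where Gi lives
            out.append(f"{name}: tunnel vrf {fvrf} but source {src} is on {phy} in {phy_vrf}: peer unreachable in that fVRF")
        if prof and prof not in profiles:
            out.append(f"{name}: ipsec profile {prof} is not defined")
        if prof and cmap:
            out.append(f"{name}: tunnel protection and crypto map {cmap} on {phy}; keep one")
    return out

SAMPLE_CFG = """\
crypto isakmp keepalive 15 periodic
interface Tunnel101
ip address 10.255.101.2 255.255.255.0
tunnel source 172.16.110.2
tunnel destination 172.16.101.1
tunnel vrf vrf1
interface GigabitEthernet0/2
ip address 172.16.110.2 255.255.255.0
crypto map T101
"""
```

Running lint(SAMPLE_CFG) reports only the fVRF mismatch on Tunnel101, which is why that tunnel never came up with Gi0/2 in the global table.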

Reading back over my original reply, I think I misread the original intent of the article I cited which demonstrated that a static route would cause an issue.  As long as a dynamic routing protocol is used, there would be no need for additional VRFs unless I'm trying to support a multi-tenant environment.

 

Additionally, I found the following sources of information:

 

http://packetlife.net/blog/2010/mar/29/inter-vrf-routing-vrf-lite/

http://packetlife.net/blog/2013/sep/26/vrf-export-maps/

http://www.networkingwithfish.com/tunnels-and-the-use-of-front-door-vrfs/

https://learningnetwork.cisco.com/docs/DOC-25017

 

This is interesting, as well:

 

http://eminent-ccie.blogspot.com/2010/06/vrf-aware-dmvpn-with-dual-isp.html

 

Apparently, you can also loop a GRE tunnel back on the same box to exchange routes:

 

https://njetwork.wordpress.com/2012/10/03/tunneling-between-global-router-and-vrf-within-a-single-cisco-box/

 

Tom
