VRF/VLAN Routing Issues

e.lacks.jr
Level 1

I am having a terrible time with this. I have managed to get the VPN tunnel to initiate, but only from location 1. Traffic coming from X.X.X.254 does not start a tunnel. All routing appears to be correct; if I remove the crypto map from both interfaces, pings flow. However, once the tunnel is established, pings do not work in either direction.

{EDIT}

So the VPN tunnel is not the problem. I have a routing issue. The setup has dual 4503s serving as routers; they have HSRP VLANs on them. The issue is that the host device is connected to SW2 (the secondary HSRP) for this VLAN/VRF, and so the packet is sent to Y.Y.Y but the wrong "gateway" IP is in the packet header. This explains why the packet arrives, but not via IPsec.

Would a policy map help me prohibit L3 routing on SW2? I need all L2 VLAN 998 packets to be processed by L3 (SW1).

The peculiar thing is that once the VPN tunnel is up, X.X.X.254 is still sending packets, but not via IPsec.

%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /Y.Y.Y.171, src_addr= X.X.X.254, prot= 1

LOCATION 1

Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 15.1(4)M9, RELEASE SOFTWARE (fc3)

rtr-lab-oma#sh run | s cry

crypto pki token default removal timeout 0
crypto keyring PSK-CTYOMA
  pre-shared-key address X.X.X.193 key !*!*!*!*
  pre-shared-key address X.X.X.194 key !*!*!*!*
  pre-shared-key address X.X.X.195 key !*!*!*!*
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28000
crypto isakmp profile PROF-CTYOMA
   keyring PSK-CTYOMA
   match identity address X.X.X.193 255.255.255.128
crypto ipsec transform-set TSET-CTYOMA esp-des esp-md5-hmac
crypto map VPN-CTY-IPSEC 10 ipsec-isakmp
 set peer X.X.X.195
 set transform-set TSET-CTYOMA
 set isakmp-profile PROF-CTYOMA
 match address VPN-TRAFFIC-CTYOMA
 reverse-route
 crypto map VPN-CTY-IPSEC

interface FastEthernet0/0
 description OUTSIDE WORLD
 ip address Y.Y.Y.170 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map VPN-CTY-IPSEC
end

Extended IP access list VPN-TRAFFIC-CTYOMA
10 permit ip host X.X.X.254 host Y.Y.Y.171 log
20 permit ip host Y.Y.Y.171 host X.X.X.254 log (108 matches)

LOCATION 2

Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch  Software (cat4500e-UNIVERSALK9-M), Version 03.06.05.E RELEASE SOFTWARE (fc2)

Supervisor 7L-E (license Level: entservices)

sw-wdc-02#sh run | s cry
service password-encryption
crypto keyring PSK-CTYOMA vrf V998:INTERNET
  pre-shared-key address Y.Y.Y.170 key !*!*!*!*
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28000
crypto isakmp profile PROF-CTYOMA
   vrf V998:INTERNET
   keyring PSK-CTYOMA
   match identity address Y.Y.Y.170 255.255.255.255 V998:INTERNET
   local-address Vlan998
crypto ipsec transform-set TSET-CTYOMA esp-des esp-md5-hmac
 mode tunnel
crypto map VPN-CTY-IPSEC local-address Vlan998
crypto map VPN-CTY-IPSEC 10 ipsec-isakmp
 set peer Y.Y.Y.170
 set transform-set TSET-CTYOMA
 set isakmp-profile PROF-CTYOMA
 match address VPN-TRAFFIC-CTYOMA
 reverse-route


interface Vlan998
 description CENTURYLINK not FW
 vrf forwarding V998:INTERNET
 ip address X.X.X.195 255.255.255.192
 standby 1 ip X.X.X.193
 standby 1 priority 105
 standby 1 preempt
 standby 1 name V998HA
 standby 1 track 1 decrement 10
 crypto map VPN-CTY-IPSEC redundancy V998HA
end

Extended IP access list VPN-TRAFFIC-CTYOMA
10 permit ip host Y.Y.Y.171 host X.X.X.254 log
20 permit ip host X.X.X.254 host Y.Y.Y.171 log


sw-wdc-02#sh vrf V998:INTERNET
  Name                 Default RD    Protocols   Interfaces
  V998:INTERNET        <not set>     ipv4        Vl998

sw-wdc-02#sh ip route vrf V998:INTERNET

Routing Table: V998:INTERNET
[...]
Gateway of last resort is 65.120.78.245 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 65.120.78.245
      63.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        X.X.X.192/26 is directly connected, Vlan998
L        X.X.X.195/32 is directly connected, Vlan998
      65.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        A.A.A.4/30 is directly connected, GigabitEthernet3/2
L        A.A.A.6/32 is directly connected, GigabitEthernet3/2

VPN RESULTS

LOCATION 1

rtr-lab-oma#sh cry session
Crypto session current status

Interface: FastEthernet0/0
Profile: PROF-CTYOMA
Session status: UP-ACTIVE
Peer: X.X.X.195 port 500
  IKEv1 SA: local Y.Y.Y.170/500 remote X.X.X.195/500 Active
  IPSEC FLOW: permit ip host Y.Y.Y.171 host X.X.X.254
        Active SAs: 2, origin: crypto map

rtr-lab-oma#sh cry route

VPN Routing Table: Shows RRI and VTI created routes
Codes: RRI - Reverse-Route, VTI- Virtual Tunnel Interface
S - Static Map ACLs

Routes created in table GLOBAL DEFAULT
X.X.X.254/255.255.255.255 [1/0] via X.X.X.195 tag 0
                                   on FastEthernet0/0 RRI

LOCATION 2

sw-wdc-02#sh cry session
Crypto session current status

Interface: Vlan998
Profile: PROF-CTYOMA
Session status: UP-ACTIVE
Peer: Y.Y.Y.170 port 500
  Session ID: 0
  IKEv1 SA: local X.X.X.195/500 remote Y.Y.Y.170/500 Active
  IPSEC FLOW: permit ip host X.X.X.254 host Y.Y.Y.171
        Active SAs: 2, origin: crypto map

sw-wdc-02#sh cry route

VPN Routing Table: Shows RRI and VTI created routes
Codes: RRI - Reverse-Route, VTI- Virtual Tunnel Interface
S - Static Map ACLs

Routes created in table V998:INTERNET
Y.Y.Y.171/255.255.255.255 [1/0] via Y.Y.Y.170 tag 0 count 1 rtid 7
                                   on Vlan998 RRI
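The %CRYPTO-4-RECVD_PKT_NOT_IPSEC message and the two crypto ACLs above, as an added example that is not part of the original post or of any Cisco tool: the script parses the syslog line, finds which local crypto ACE the cleartext packet falls under (a match means a flow that should have arrived inside IPsec came in unprotected, which is the symptom the post describes), checks that the two peers' crypto ACLs are mirror images of each other, and flags the deprecated algorithms in the posted policy and transform set (DES, 3DES, MD5, DH group 2). The sample log line, ACLs and policy are constructed copies of the post's output with the masked X.X.X.254 / Y.Y.Y.171 replaced by the RFC 5737 addresses 192.0.2.254 / 198.51.100.171; all function names are the example's own.

```python
"""Added example (not from the post): correlate a %CRYPTO-4-RECVD_PKT_NOT_IPSEC
syslog line with the local crypto ACL, check that both peers' crypto ACLs
mirror each other, and flag deprecated IKE/IPsec algorithms.
Sample data is constructed: the post's masked X.X.X.254 / Y.Y.Y.171 are
replaced with the RFC 5737 addresses 192.0.2.254 / 198.51.100.171."""
import re
from ipaddress import ip_address, ip_network

IP_PROTO = {1: "icmp", 6: "tcp", 17: "udp"}   # protocol numbers as IOS logs them

LOG_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC: .*?vrf/dest_addr= (?P<vrf>[^/ ]*)/(?P<dst>[\d.]+), "
    r"src_addr= (?P<src>[\d.]+), prot= (?P<proto>\d+)"
)

# Deprecated settings a practitioner would flag in the posted policy / transform set.
WEAK = {
    r"^\s*encr(yption)?\s+(des|3des)\b": "IKE encryption is DES/3DES",
    r"^\s*hash\s+md5\b": "IKE integrity is MD5",
    r"^\s*group\s+[125]\b": "IKE DH group 1/2/5 (below 2048-bit)",
    r"\besp-(des|3des)\b": "IPsec encryption is DES/3DES",
    r"\besp-md5-hmac\b": "IPsec integrity is MD5",
}


def parse_not_ipsec(line):
    """Return the vrf/src/dst/proto fields of a RECVD_PKT_NOT_IPSEC message, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"vrf": m["vrf"] or "global", "src": m["src"], "dst": m["dst"],
            "proto": int(m["proto"])}


def _addr(tokens, i):
    """Consume one ACL address spec (any | host A | A WILDCARD) starting at tokens[i]."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ip_address(tokens[i + 1]))
    prefix = 32 - bin(wildcard).count("1")          # assumes a contiguous wildcard
    return ip_network(f"{tokens[i]}/{prefix}", strict=False), i + 2


def parse_crypto_acl(text):
    """Parse 'show ip access-lists' output into (seq, proto, src_net, dst_net) tuples."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[1] != "permit":        # skip header lines and deny entries
            continue
        src, i = _addr(t, 3)
        dst, _ = _addr(t, i)
        aces.append((int(t[0]), t[2], src, dst))
    return aces


def matching_ace(event, aces):
    """Seq of the first crypto ACE the cleartext packet falls under, else None.
    A match means this flow was supposed to arrive inside IPsec and did not."""
    src, dst = ip_address(event["src"]), ip_address(event["dst"])
    name = IP_PROTO.get(event["proto"], str(event["proto"]))
    for seq, proto, s, d in aces:
        if proto in ("ip", name) and src in s and dst in d:
            return seq
    return None


def mirrored(local_aces, remote_aces):
    """True when every local ACE has a src/dst-swapped twin on the peer."""
    remote = {(p, d, s) for _, p, s, d in remote_aces}
    return all((p, s, d) in remote for _, p, s, d in local_aces)


def weak_settings(config):
    """List (config line, reason) for every deprecated algorithm choice."""
    return [(line.strip(), why) for line in config.splitlines()
            for pat, why in WEAK.items() if re.search(pat, line)]


# Constructed sample input modelled on the post (addresses substituted as noted above).
SAMPLE_LOG = ("%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. "
              "(ip) vrf/dest_addr= /198.51.100.171, src_addr= 192.0.2.254, prot= 1")
LOCATION1_ACL = """Extended IP access list VPN-TRAFFIC-CTYOMA
    10 permit ip host 192.0.2.254 host 198.51.100.171 log
    20 permit ip host 198.51.100.171 host 192.0.2.254 log (108 matches)"""
LOCATION2_ACL = """Extended IP access list VPN-TRAFFIC-CTYOMA
    10 permit ip host 198.51.100.171 host 192.0.2.254 log
    20 permit ip host 192.0.2.254 host 198.51.100.171 log"""
LOCATION2_CRYPTO = """crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28000
crypto ipsec transform-set TSET-CTYOMA esp-des esp-md5-hmac
 mode tunnel"""


def diagnose():
    """Run the three checks over the sample data and return the findings."""
    event = parse_not_ipsec(SAMPLE_LOG)
    local = parse_crypto_acl(LOCATION1_ACL)
    return {"event": event,
            "ace": matching_ace(event, local),
            "acls_mirrored": mirrored(local, parse_crypto_acl(LOCATION2_ACL)),
            "weak": weak_settings(LOCATION2_CRYPTO)}


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

On the sample data the event resolves to ACE 10 of the location 1 ACL (ICMP from .254 to .171, which the ACE's `ip` keyword covers), the two ACLs mirror correctly, and five weak-algorithm findings come back; the first two results say the tunnel definition is consistent and the packet simply arrived outside it, which is what the post concludes, while the third is the caveat to act on once the routing is fixed (AES and SHA-2 with a 2048-bit or larger DH group are the usual replacements, and the 4500 output above shows `esp-des` in the active transform set).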

5 Replies

Philip D'Ath
VIP Alumni

I have never seen a Cisco 4500 used to terminate a crypto map. I do not believe this is a supported configuration. I am amazed you got it to work at all.

With an Enterprise license, the switch is basically a dual-purpose piece of equipment.

I did a search and didn't manage to find any documentation or examples of such a configuration.

Biscuits!!!! I have a feeling you may be correct. Why, oh why, is that the feature set they left out!

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/54sg/configuration/guide/config/intro.html?bookSearch=true#wp1023637

However, why does the tunnel establish, and why does debug show it going through the whole setup process, key negotiation and such, if the feature set is not supported? Could you review my config and let me know if you still see any glaring issues?

This is my study for CCNA R&S and Security in production class.  LOL

Alright, according to the Cisco Feature Navigator:

http://cfn.cloudapps.cisco.com/ITDIT/CFN/jsp/by-feature-technology.jsp

IPSec Network Security is available on my release.

3.6E 3.6.5E MD No CAT4500E-SUP7E UNIVERSAL CRYPTO (ENTERPRISE SERVICES) 0 0 No cat4500e-universalk9.SPA.03.06.05.E.152-2.E5.tar

That brings me back to configuration issues :(
