DSL GRE IPSec & OSPF

tsalt
Level 1

Dear All,

I am trying to get OSPF to set up a GRE tunnel secured by IP-Sec running OSPF as my routing protocol. The router is a DSL enabled router running 12.3 IOS. The GRE and IPSec tunnels establish OK and I can see Hello packets coming into the router when debug is run. The router also shows that it is sending Hello packets, although I cannot correlate whether these are reaching the remote device as the device is a non-Cisco box.

Below is my config that I am using; IP addresses have been removed.

!
crypto isakmp policy 10
 authentication pre-share
 lifetime 28800
crypto isakmp key testl address a.a.a.a
!
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set COME2 esp-des esp-sha-hmac
 mode transport
!
crypto map CRIPTA2 10 ipsec-isakmp
 set peer 208.x.x.16
 set transform-set COME2
 set pfs group2
 match address 110
!
!
!
!
!
interface Tunnel2
 description Tunnel secondario
 ip address 10.255.253.14 255.255.255.252
 ip mtu 1438
 ip ospf network point-to-point
 ip ospf cost 100
 tunnel source c.c.c.c
 tunnel destination a.a.a.a
 crypto map CRIPTA2
!
interface Loopback0
 ip address 10.255.253.11 255.255.255.255
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 ip address c.c.c.c
 pvc 8/35
  protocol ip c.c.c.c
  encapsulation aal5snap
 !
 crypto map CRIPTA2
!
interface BRI0
 no ip address
 shutdown
 dialer pool-member 1
 isdn switch-type basic-net3
!
interface FastEthernet0
 ip address x.x.x.x 255.255.255.0
 speed auto
!
!
router ospf 64515
 log-adjacency-changes
 network 10.255.253.12 0.0.0.3 area 1.1.1.1
 network 192.168.10.0 0.0.0.255 area 1.1.1.1
!
ip route 0.0.0.0 0.0.0.0 b.b.b.b

Thanks

Tom

4 Replies

Richard Burts
Hall of Fame

Tom

It would help us if you could be a little more clear about what is working and what is not working - or what your question is.

I have looked through the part of config that you posted and do not notice any particular issues. It would be helpful if you could also show the content of access list 110 which is used to identify IPSec traffic.

You say that GRE is working and that IPSec is working. So can you verify that if you do extended ping from the router specifying the ping destination as the tunnel destination and the ping source as the tunnel source, does the ping work ok?

It might be helpful to post the output of show ip ospf and of show ip ospf interface and of show ip ospf neighbor.

HTH

Rick

Rick,

Thanks for your reply.

Access-list

access-list 110 permit gre host 195.43.176.202 host 208.175.178.16

The GRE tunnel with IP-Sec is working OK and I can ping both ends. I can't establish any OSPF adjacency between the 2 devices. I can see OSPF Hello packets coming down the tunnel but the Cisco does not establish adjacency.

Unfortunately I don't have access to the device at present as we have gone to a standard IP-Sec config to give the customer some service.

I didn't try pinging at the time but on both devices the IP-Sec SAs were established.

Tom

Thanks for posting the access list. The access list looks good.

I believe that it will work, but to be sure, can you do an extended ping from the local router to the remote where the extended ping specifies the ping target as the remote tunnel IP address, and specifies the ping source as the local tunnel IP address? And if you could also verify that this works from the remote router? (I realize that you say the remote router is a non-Cisco device so do not know for sure if it has a facility like the Cisco extended ping where you can specify the target and source addresses.)

At this point I believe that you have good IP connectivity and so that is probably not what is causing your problem. My focus at this point would be the OSPF parameters. The OSPF part of the config that you posted looks reasonable. Can you post anything about the OSPF parameters at the remote?

It might be helpful if you could post the output of debug. You mentioned that you had run debug but not which debug - it would be especially helpful to see output of OSPF adjacency debugs. I am wondering if there is a mismatch of some OSPF parameter (area ID, and timers are possibilities that come to mind first).

HTH

Rick
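
The Hello-parameter comparison suggested in the reply above, as an added example (not part of the thread and not code from either poster): it decodes an OSPFv2 Hello per RFC 2328 and lists the fields that differ from the local side. The local timers (10/40), the absence of authentication, and the sample packet are assumptions; the remote router's real settings are not given in the thread.

```python
import socket
import struct

# Local side from the posted config: area 1.1.1.1, /30 tunnel, point-to-point.
# ASSUMED: hello/dead 10/40 and no authentication (the post sets neither).
LOCAL = {"area": "1.1.1.1", "autype": 0, "hello": 10, "dead": 40,
         "stub": False, "mask": "255.255.255.252", "p2p": True}
HDR, BODY = "!BBH4s4sHH8s", "!4sHBBI4s4s"   # RFC 2328 A.3.1 header, A.3.2 Hello

def build_hello(router_id, area, mask, hello, dead, options=0x02, autype=0):
    """Pack a CONSTRUCTED Hello with no neighbours listed (checksum left 0)."""
    a = socket.inet_aton
    hdr = struct.pack(HDR, 2, 1, 44, a(router_id), a(area), 0, autype, b"\0" * 8)
    return hdr + struct.pack(BODY, a(mask), hello, options, 1, dead,
                             a("0.0.0.0"), a("0.0.0.0"))

def parse_hello(pkt):
    """Decode the fields of an OSPFv2 Hello that the receiver compares."""
    if len(pkt) < 44:
        raise ValueError("too short for an OSPFv2 Hello")
    ver, ptype, _, rid, area, _, autype, _ = struct.unpack(HDR, pkt[:24])
    if (ver, ptype) != (2, 1):
        raise ValueError("not an OSPFv2 Hello")
    mask, hello, opts, _, dead, _, _ = struct.unpack(BODY, pkt[24:44])
    n = socket.inet_ntoa
    return {"router_id": n(rid), "area": n(area), "autype": autype,
            "hello": hello, "dead": dead, "mask": n(mask),
            "stub": not opts & 0x02}          # E-bit clear means stub area

def mismatches(local, remote):
    """Return {field: (local, remote)} for values that block adjacency."""
    fields = ["area", "autype", "hello", "dead", "stub"]
    if not local["p2p"]:      # RFC 2328 10.5: mask is ignored on point-to-point
        fields.append("mask")
    return {f: (local[f], remote[f]) for f in fields if local[f] != remote[f]}

# CONSTRUCTED sample, not a capture from the thread: the remote end sends
# area 0.0.0.1, dead interval 60 and a /24 mask.
SAMPLE = build_hello("10.255.253.13", "0.0.0.1", "255.255.255.0", 10, 60)

if __name__ == "__main__":
    for field, (mine, theirs) in mismatches(LOCAL, parse_hello(SAMPLE)).items():
        print(f"{field}: local={mine} remote={theirs}")
```

Because Tunnel2 is configured as point-to-point, the differing mask in the sample is not reported; only the area ID and dead interval are.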

Rick,

Thanks. I shall have a test router available for the 5/6th Jan to do some testing. I shall do the tests then and also do some debug output for you from the Cisco router.