GRE/IPsec Problems

Josh Sprang
Level 1

I am having problems spinning up a GRE/IPsec tunnel to a remote site.  The WAN on the remote side is DSL.  The connection is as follows:

local-------------------------------------------remote

6509<gre source>-----ASA--<ipsec source>-----------1841 <ipsec destination>--------3550-12g<gre destination>

The IPsec tunnel is up fine between the 1841 and the ASA.  The 3550 tunnel source <loopback 1> can ping the interface VLAN on the 6509 destination and vice versa.  I have a /30 on the tunnel interfaces.  I cannot ping across the /30 between the two tunnel interfaces via the GRE.  show ip route and traces show them going into the tunnels.  Also I noticed packets are not matched on the crypto ACL for GRE.  IP packets for ICMP are.  Both tunnel interfaces are up/up, connected.  I have kicked down the MTU on the tunnel to 1400 and MSS to 1360 but no luck.  Any ideas?  I am stumped.  See relevant config below:

3550:

interface Tunnel1
 ip address 10.25.30.13 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Loopback1
 tunnel destination 10.25.0.4
 tunnel path-mtu-discovery

# ping 10.25.30.14
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.25.30.14, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Routing entry for 10.25.30.12/30
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via Tunnel1
      Route metric is 0, traffic share count is 1

interface Loopback1
 ip address 10.25.117.18 255.255.255.255
end

SOUTHRTRB#show int tunnel 1
Tunnel1 is up, line protocol is up

1841:

crypto isakmp policy 10
 encr *
 authentication pre-share
 group *
crypto isakmp key ..... address .....
!
crypto ipsec transform-set .... esp-... esp-...-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer ....
 set transform-set .....
 match address 101

interface Dialer1
 ip address negotiated
 no ip unreachables
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ppp authentication pap callin
 ppp chap hostname
 ppp chap password 7
 ppp pap sent-username
 crypto map vpn

access-list 101 permit ip host 10.25.117.18 host 10.25.0.4
access-list 101 permit gre host 10.25.117.18 host 10.25.0.4

Extended IP access list 101
    10 permit ip host 10.25.117.18 host 10.25.0.4 (913 matches)
    20 permit gre host 10.25.117.18 host 10.25.0.4

ASA:

access-list vpn extended permit ip host 10.25.0.4 host 10.25.117.18
nat (inside) 0 access-list vpn
access-list sou extended permit ip host 10.25.0.4 host 10.25.117.18
access-list sou extended permit gre host 10.25.0.4 host 10.25.117.18

access-list sou; 2 elements; name hash: 0x988a052a
access-list sou line 1 extended permit ip host 10.25.0.4 host 10.25.117.18 (hitcnt=14) 0xbfcfe00c
access-list sou line 2 extended permit gre host 10.25.0.4 host 10.25.117.18 (hitcnt=0) 0x7072016a

crypto isakmp policy 110
 authentication pre-share
 encryption
 hash
 group
 lifetime 86400
crypto map AT 600 match address sou
crypto map AT 600 set peer
crypto map AT 600 set transform-set

6500:

interface Tunnel80
 ip address 10.25.30.14 255.255.255.252
 ip pim sparse-dense-mode
 tunnel source 10.25.0.4
 tunnel destination 10.25.117.18
 tunnel path-mtu-discovery

Tunnel80 is up, line protocol is up

#ping 10.25.30.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.25.30.13, timeout is 2 seconds:
...

#show ip route 10.25.30.13
Routing entry for 10.25.30.12/30
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Redistributing via bgp 65000
  Advertised by bgp 65000
  Routing Descriptor Blocks:
  * directly connected, via Tunnel80
      Route metric is 0, traffic share count is 1
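The post above lowers the tunnel MTU to 1400 and clamps MSS to 1360. Whether 1400 actually leaves room for the GRE and ESP headers depends on the transform set and on the DSL link MTU, neither of which the post shows. The Python below is an added example, not code from the thread or from Cisco; it computes the on-the-wire size of a packet carried first in GRE and then in ESP tunnel mode. The transform-set sizes (AES-CBC with a 16-byte IV and block, 3DES-CBC with 8, HMAC-SHA1-96 and HMAC-MD5-96 with a 12-byte ICV) are the standard values and stand in as assumptions because the page elides the real transform set; the 1500 and 1492 link MTUs are likewise assumed cases.

```python
"""Byte budget for a packet carried in GRE and then in ESP tunnel mode.

Added example, not from the thread or from Cisco. The transform set on the
page is elided ("esp-... esp-...-hmac"), so the cipher and HMAC sizes below are
assumptions taken from the standard algorithms; the 1400-byte tunnel MTU and
1360 MSS are the values the poster configured.
"""
from typing import Dict, Tuple

IPV4_HDR = 20       # IPv4 header without options
GRE_HDR = 4         # GRE header with no key or sequence (none configured on the tunnels shown)
ESP_SPI_SEQ = 8     # ESP header: SPI + sequence number
ESP_TRAILER = 2     # pad length + next header
TCP_IP_HDRS = 40    # 20-byte IP + 20-byte TCP, which is what 'ip tcp adjust-mss' accounts for
NAT_T_UDP = 8       # UDP/4500 header when NAT-T is negotiated (not the case here: nat 0 exemption)

# Assumed transform sets: (cipher block size, IV length, ICV length), all in bytes.
TRANSFORMS: Dict[str, Tuple[int, int, int]] = {
    "esp-aes esp-sha-hmac":  (16, 16, 12),   # AES-CBC, HMAC-SHA1-96
    "esp-aes esp-md5-hmac":  (16, 16, 12),   # AES-CBC, HMAC-MD5-96
    "esp-3des esp-sha-hmac": (8, 8, 12),     # 3DES-CBC, HMAC-SHA1-96
}


def gre_size(inner_len: int) -> int:
    """Size of the GRE packet: outer IP header + GRE header + the original packet."""
    return IPV4_HDR + GRE_HDR + inner_len


def esp_tunnel_size(plain_len: int, transform: str, nat_t: bool = False) -> int:
    """Size of an ESP tunnel-mode packet protecting plain_len bytes (here: the whole GRE packet)."""
    block, iv_len, icv_len = TRANSFORMS[transform]
    # CBC requires payload + padding + trailer to be a multiple of the cipher block size.
    padded = -(-(plain_len + ESP_TRAILER) // block) * block
    total = IPV4_HDR + ESP_SPI_SEQ + iv_len + padded + icv_len
    return total + NAT_T_UDP if nat_t else total


def wire_size(inner_len: int, transform: str = "esp-aes esp-sha-hmac", nat_t: bool = False) -> int:
    """Bytes on the WAN for one inner packet of inner_len bytes after GRE and then ESP."""
    return esp_tunnel_size(gre_size(inner_len), transform, nat_t)


def max_tunnel_mtu(link_mtu: int, transform: str = "esp-aes esp-sha-hmac", nat_t: bool = False) -> int:
    """Largest inner packet whose GRE+ESP encapsulation still fits in link_mtu without fragmentation."""
    inner = link_mtu
    while wire_size(inner, transform, nat_t) > link_mtu:
        inner -= 1
    return inner


def mss_for(tunnel_mtu: int) -> int:
    """MSS that 'ip tcp adjust-mss' should clamp to for a given tunnel 'ip mtu'."""
    return tunnel_mtu - TCP_IP_HDRS


if __name__ == "__main__":
    for link in (1500, 1492):   # assumed Ethernet and PPPoE link MTUs
        print(f"link MTU {link}: largest safe tunnel MTU {max_tunnel_mtu(link)}, "
              f"1400-byte inner packet -> {wire_size(1400)} bytes on the wire")
    print(f"100-byte ping -> {wire_size(100)} bytes on the wire; MSS for a 1400 tunnel MTU = {mss_for(1400)}")
```

With AES/SHA, a 1400-byte inner packet becomes 1496 bytes on the wire: it fits a 1500-byte link but not a 1492-byte PPPoE link, where 1398 is the largest inner size that survives unfragmented. A 100-byte ping encapsulates to only 184 bytes, so MTU cannot explain the 100 % loss of the pings shown above; that points at routing or encryption, not fragmentation.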

3 Replies

david.tran
Level 4

Your setup looks correct.  One thing I would do if you want to see GRE match the ACL: you need to do this:

access-list 101 permit gre host 10.25.117.18 host 10.25.0.4
access-list 101 permit ip host 10.25.117.18 host 10.25.0.4

Most of the time, GRE and IPsec endpoints are the same, but your setup is a little different.

On the ASA, add the following route:  route inside 10.25.30.14 255.255.255.255 next-hop-6509

On the ASA, add the following route:  route outside 10.23.30.13 255.255.255.255 internet-next-hop

On the Cisco 1841, add the following route:  ip route 10.25.30.13 255.255.255.255 next-hop-3550

On the Cisco 1841, add the following route:  ip route 10.23.30.14 255.255.255.255 internet-next-hop

Now for everything else it does not know, it will use the default route.

This "should" work. 

If you think about it, it makes sense.  Your ASA does not know about your Tunnel80 on the 6509.  In order for the GRE to be encrypted, it must know the specific route.  The same goes for the Cisco 1841 as well.

Does that help you?
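The crypto-ACL counters in the original post (913 matches on the ip line, none on the gre line) and the reordering suggested in this reply both follow from two properties of Cisco ACLs: entries are evaluated top-down and the first match wins, and the `ip` keyword matches every IP protocol, GRE (protocol 47) included. The Python below is an added example, not code from the thread or from Cisco; it evaluates the two-line ACL from the 1841 in both orders against a GRE packet and an ICMP packet between the tunnel endpoints 10.25.117.18 and 10.25.0.4. The packet sourced from the tunnel /30 address is a constructed case used only to show a non-match.

```python
"""First-match evaluation of a Cisco extended ACL used as a crypto ACL.

Added example, not code from the thread or from Cisco. The two ACL lines and
the endpoint addresses (3550 Loopback1 10.25.117.18, 6509 tunnel source
10.25.0.4) are the ones posted; the packet sourced from the tunnel /30 is a
constructed case used only to show a non-match.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# IANA protocol numbers; Cisco's "ip" keyword means any IP protocol.
PROTO = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}
ANY_PROTO: Optional[int] = None
MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str            # "permit" or "deny"
    proto: Optional[int]   # None for "ip"
    src: int
    src_wild: int          # Cisco wildcard (inverse) mask: 1 bits are "don't care"
    dst: int
    dst_wild: int


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.X.Y.Z' at tokens[i]; return (addr, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, MASK32, i + 1
    if tokens[i] == "host":
        return int(IPv4Address(tokens[i + 1])), 0, i + 2
    return int(IPv4Address(tokens[i])), int(IPv4Address(tokens[i + 1])), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list N permit|deny PROTO SRC DST' lines; sequence numbers 10, 20, ... as IOS assigns them."""
    aces: List[Ace] = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        proto = ANY_PROTO if t[3] == "ip" else PROTO[t[3]]
        src, src_wild, i = _parse_addr(t, 4)
        dst, dst_wild, _ = _parse_addr(t, i)
        aces.append(Ace(10 * (len(aces) + 1), t[2], proto, src, src_wild, dst, dst_wild))
    return aces


def _addr_match(pkt: int, acl: int, wild: int) -> bool:
    # Only the bits that are 0 in the wildcard mask have to agree.
    return (pkt & ~wild & MASK32) == (acl & ~wild & MASK32)


def first_match(aces: List[Ace], proto: int, src: str, dst: str) -> Optional[Ace]:
    """Top-down, first match wins; None is the implicit deny at the end of every ACL."""
    s, d = int(IPv4Address(src)), int(IPv4Address(dst))
    for ace in aces:
        if ace.proto is not None and ace.proto != proto:
            continue
        if _addr_match(s, ace.src, ace.src_wild) and _addr_match(d, ace.dst, ace.dst_wild):
            return ace
    return None


def hit_line(acl_text: str, proto: int, src: str, dst: str) -> Optional[int]:
    """Sequence number whose counter a packet would increment, as 'show access-lists' reports it."""
    ace = first_match(parse_acl(acl_text), proto, src, dst)
    return ace.seq if ace else None


def is_encrypted(acl_text: str, proto: int, src: str, dst: str) -> bool:
    """A crypto map encrypts exactly the traffic its ACL permits; anything else bypasses IPsec."""
    ace = first_match(parse_acl(acl_text), proto, src, dst)
    return ace is not None and ace.action == "permit"


# Crypto ACL as posted on the 1841: the ip line first, the gre line second.
ACL_AS_POSTED = """
access-list 101 permit ip host 10.25.117.18 host 10.25.0.4
access-list 101 permit gre host 10.25.117.18 host 10.25.0.4
"""
# The same two lines in the order this reply suggests: gre first.
ACL_REORDERED = """
access-list 101 permit gre host 10.25.117.18 host 10.25.0.4
access-list 101 permit ip host 10.25.117.18 host 10.25.0.4
"""

if __name__ == "__main__":
    endpoints = ("10.25.117.18", "10.25.0.4")
    for name, acl in (("as posted", ACL_AS_POSTED), ("reordered", ACL_REORDERED)):
        print(f"{name}: GRE hits line {hit_line(acl, PROTO['gre'], *endpoints)}, "
              f"ICMP hits line {hit_line(acl, PROTO['icmp'], *endpoints)}")
    # Constructed case: GRE whose outer addresses were the tunnel /30 would never be encrypted.
    print("GRE 10.25.30.13 -> 10.25.30.14 encrypted:",
          is_encrypted(ACL_AS_POSTED, PROTO["gre"], "10.25.30.13", "10.25.30.14"))
```

With the ACL as posted, a GRE packet between the endpoints increments line 10 (`permit ip`) and line 20 can never receive a hit, so the zero counter on the gre line is expected and does not by itself mean GRE is leaving unencrypted. Putting the gre line first, as the reply suggests, makes the counters separate GRE from everything else; that changes visibility, not which packets are encrypted. The non-matching case shows the check that matters: the crypto ACL has to name the GRE outer addresses (tunnel source and destination), not the /30 on the tunnel interfaces.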

If I remember right, GRE is not supported on the Catalyst 3550.  Also, even if it is possible to configure it, I wouldn't expect it to work.

A supported way to configure that is to do both the GRE and IPsec encapsulation on the 1841.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Correct, the GRE tunnel should be terminated on the 1841, not on the 3550.