07-03-2014 06:18 AM - edited 02-21-2020 07:42 PM
Hi all,
I have a problem with an implementation of GRE over IPsec tunnels working with VRFs.
I'll explain the situation from the beginning.
I have two 2921 routers ( c2900-universalk9-mz.SPA.152-4.M5.bin ) between which I want to implement a GRE over IPsec tunnel. I need one of them to work with VRFs, because I have other VPNs on it and it needs to be done like this.
The outside interfaces of both have private IPs, but I have a FW in front of each one that NATs them to public IPs. I attach a simple diagram for you to understand it.
Without VRFs, the solution works fine, but the problem starts when I configure it with VRFs.
The VPN comes up, and I'm able to reach the other site via the loopbacks (I've created one loopback on each router and permit simple access between them); the tunnels are up, but I can't reach the other side of the tunnel (ping), and logically the OSPF that I configured doesn't come up. I don't really know what's wrong; it's been more than a week trying to solve it, but no success.
Look, the VPN is up:
ROUTER A (with vrf):
ROUTERA#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
172.19.208.101 PEER_PUBLIC_ADDRESS QM_IDLE 7799 ACTIVE
!
ROUTERA#sh crypto ipsec sa
interface: Port-channel7.55
Crypto map tag: vpn_provider, local addr 172.19.208.101
protected vrf: prova
local ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (20.20.20.20/255.255.255.255/0/0)
current_peer PEER_PUBLIC_ADDRESS port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
#pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.19.208.101, remote crypto endpt.: PEER_PUBLIC_ADDRESS
path mtu 1500, ip mtu 1500, ip mtu idb Port-channel7.55
current outbound spi: 0x390A97F8(956995576)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x9B68F445(2607346757)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2949, flow_id: Onboard VPN:949, sibling_flags 80004040, crypto map: vpn_provider
sa timing: remaining key lifetime (k/sec): (4608000/1539)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x390A97F8(956995576)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2950, flow_id: Onboard VPN:950, sibling_flags 80004040, crypto map: vpn_provider
sa timing: remaining key lifetime (k/sec): (4608000/1539)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: prova
local ident (addr/mask/prot/port): (172.19.208.101/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.25.208.101/255.255.255.255/47/0)
current_peer PEER_PUBLIC_ADDRESS port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 ---> Don't know why it doesn't encrypt
#pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.19.208.101, remote crypto endpt.: PEER_PUBLIC_ADDRESS
path mtu 1500, ip mtu 1500, ip mtu idb Port-channel7.55
current outbound spi: 0x843F9D9F(2218761631)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xD27130F3(3530633459)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2951, flow_id: Onboard VPN:951, sibling_flags 80000040, crypto map: vpn_provider
sa timing: remaining key lifetime (k/sec): (4249959/1591)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x843F9D9F(2218761631)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2952, flow_id: Onboard VPN:952, sibling_flags 80000040, crypto map: vpn_provider
sa timing: remaining key lifetime (k/sec): (4249996/1591)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
ROUTER B (without vrf):
ROUTERB#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
PEER_PUBLIC_ADDRESS 172.25.208.101 QM_IDLE 1106 ACTIVE
!
ROUTERB#sh crypto ipsec sa
interface: Port-channel7.55
Crypto map tag: mymap, local addr 172.25.208.101
protected vrf: (none)
local ident (addr/mask/prot/port): (20.20.20.20/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
current_peer PEER_PUBLIC_ADDRESS port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 34, #pkts encrypt: 34, #pkts digest: 34
#pkts decaps: 34, #pkts decrypt: 34, #pkts verify: 34
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.25.208.101, remote crypto endpt.: PEER_PUBLIC_ADDRESS
path mtu 1500, ip mtu 1500, ip mtu idb Port-channel7.55
current outbound spi: 0x9B68F445(2607346757)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x390A97F8(956995576)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2087, flow_id: Onboard VPN:87, sibling_flags 80000040, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4164051/1332)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x9B68F445(2607346757)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2088, flow_id: Onboard VPN:88, sibling_flags 80000040, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4164051/1332)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (172.25.208.101/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.19.208.101/255.255.255.255/47/0)
current_peer PEER_PUBLIC_ADDRESS port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 656, #pkts encrypt: 656, #pkts digest: 656
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 ---> Don't know why it doesn't decrypt
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.25.208.101, remote crypto endpt.: PEER_PUBLIC_ADDRESS
path mtu 1500, ip mtu 1500, ip mtu idb Port-channel7.55
current outbound spi: 0xD27130F3(3530633459)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x843F9D9F(2218761631)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2089, flow_id: Onboard VPN:89, sibling_flags 80004040, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4188983/1384)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xD27130F3(3530633459)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2090, flow_id: Onboard VPN:90, sibling_flags 80004040, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4188942/1384)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
Can somebody help me, please?
I attach the network diagram above.
Below is the config of the routers:
ROUTER A:
......
!
vrf definition prova
rd 65501:2
!
address-family ipv4
exit-address-family
!
......
!
crypto keyring prova
pre-shared-key address PEER_PUBLIC_ADDRESS key XXXXXXXXX
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 20
encr aes
authentication pre-share
group 2
!
crypto isakmp profile prova
vrf prova
keyring prova
match identity address 172.25.208.101 255.255.255.255
!
crypto ipsec transform-set esp-aes-sha1 esp-aes esp-sha-hmac
mode tunnel
!
crypto map vpn_provider 200 ipsec-isakmp
set peer PEER_PUBLIC_ADDRESS
set transform-set esp-aes-sha1
set isakmp-profile prova
match address 120
!
interface Loopback0
vrf forwarding prova
ip address 10.10.10.10 255.255.255.255
!
interface Tunnel200
vrf forwarding prova
ip address 192.168.90.1 255.255.255.252
ip mtu 1420
ip ospf mtu-ignore
ip ospf cost 200
tunnel source Port-channel7.55
tunnel destination 172.25.208.101
!
interface Port-channel7
no ip address
hold-queue 150 in
!
interface Port-channel7.55
encapsulation dot1Q 55 native
ip address 172.19.208.101 255.255.255.128
crypto map vpn_provider
!
router ospf 20 vrf prova
router-id 192.168.90.1
network 10.10.10.10 0.0.0.0 area 0
network 192.168.90.0 0.0.0.3 area 0
!
ip route vrf prova 0.0.0.0 0.0.0.0 172.19.208.126 global
!
access-list 120 permit gre host 172.19.208.101 host PEER_PUBLIC_ADDRESS
access-list 120 permit gre host 172.19.208.101 host 172.25.208.101
access-list 120 permit ip host 10.10.10.10 host 20.20.20.20
!
.....
ROUTER B:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXXXXX address PEER_PUBLIC_ADDRESS
!
!
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto map mymap 10 ipsec-isakmp
set peer PEER_PUBLIC_ADDRESS
set transform-set esp-aes-sha1
match address 198
!
interface Loopback0
ip address 20.20.20.20 255.255.255.255
!
interface Tunnel100
ip address 192.168.90.2 255.255.255.252
ip mtu 1420
ip virtual-reassembly in
ip ospf mtu-ignore
ip ospf cost 200
tunnel source Port-channel7.55
tunnel destination 172.19.208.101
!
interface Port-channel7
description to_r-coresc
no ip address
!
interface Port-channel7.55
encapsulation dot1Q 55 native
ip address 172.25.208.101 255.255.255.128
crypto map mymap
!
router ospf 20
router-id 192.168.90.2
network 20.20.20.20 0.0.0.0 area 0
network 192.168.90.0 0.0.0.3 area 0
!
!
ip route 0.0.0.0 0.0.0.0 172.25.208.126
!
access-list 198 permit gre host 172.25.208.101 host PEER_PUBLIC_ADDRESS
access-list 198 permit gre host 172.25.208.101 host 172.19.208.101
access-list 198 permit ip host 20.20.20.20 host 10.10.10.10
Thank you in advance; I hope someone can help me.
Regards
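As an added example, not part of the original post or anyone's reply to it: a small Python script that parses the two `show crypto ipsec sa` outputs above, pairs each SA across the two routers by SPI (ROUTER A's outbound SPI is ROUTER B's inbound SPI for the same SA) and reports, per direction, whether the sender encapsulates and the receiver decapsulates. The embedded sample text is constructed by trimming the counters and SPIs shown in the post; the status labels and their explanatory notes are this example's own wording. On these numbers it shows that the loopback-to-loopback SA carries traffic both ways, while the GRE SA carries traffic only B->A: ROUTER A's GRE packets toward 172.25.208.101 are never encapsulated under that SA, so the break is in how A classifies or routes its outbound GRE traffic before crypto, not in the ISAKMP/IPsec negotiation itself.

```python
import re

# Constructed sample input: trimmed from the two 'show crypto ipsec sa' outputs in the post.
ROUTER_A = """\
protected vrf: prova
local ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (20.20.20.20/255.255.255.255/0/0)
#pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
#pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
current outbound spi: 0x390A97F8(956995576)
inbound esp sas:
spi: 0x9B68F445(2607346757)
protected vrf: prova
local ident (addr/mask/prot/port): (172.19.208.101/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.25.208.101/255.255.255.255/47/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
current outbound spi: 0x843F9D9F(2218761631)
inbound esp sas:
spi: 0xD27130F3(3530633459)
"""
ROUTER_B = """\
protected vrf: (none)
local ident (addr/mask/prot/port): (20.20.20.20/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
#pkts encaps: 34, #pkts encrypt: 34, #pkts digest: 34
#pkts decaps: 34, #pkts decrypt: 34, #pkts verify: 34
current outbound spi: 0x9B68F445(2607346757)
inbound esp sas:
spi: 0x390A97F8(956995576)
protected vrf: (none)
local ident (addr/mask/prot/port): (172.25.208.101/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.19.208.101/255.255.255.255/47/0)
#pkts encaps: 656, #pkts encrypt: 656, #pkts digest: 656
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 0xD27130F3(3530633459)
inbound esp sas:
spi: 0x843F9D9F(2218761631)
"""

SA_START = re.compile(r"protected vrf: (\S+)")
IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/[^/]+/(\d+)/\d+\)")
COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")
OUT_SPI = re.compile(r"current outbound spi: 0x([0-9A-Fa-f]+)")
SPI = re.compile(r"spi: 0x([0-9A-Fa-f]+)")

# Meaning of each per-direction status (this example's own wording).
NOTES = {
    "ok": "sender encapsulates and receiver decapsulates",
    "no-encaps": "sender never encapsulates: its outbound packets are not matching this SA (routing, ACL or VRF classification before crypto)",
    "no-decaps": "sender encapsulates but receiver never decapsulates: dropped in transit or on receipt",
    "spi-mismatch": "the two ends do not show the same inbound/outbound SPI pair; not the same SA",
}


def parse_ipsec_sa(text):
    """One dict per 'protected vrf' block: idents, proto, encaps/decaps, inbound and outbound SPI."""
    sas, cur, in_section = [], None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SA_START.match(line):
            cur = {"vrf": m.group(1), "in_spi": None, "out_spi": None}
            sas.append(cur)
            in_section = False
        elif cur is None:
            continue
        elif m := IDENT.match(line):
            cur[m.group(1)], cur["proto"] = m.group(2), int(m.group(3))
        elif m := COUNTER.search(line):
            cur[m.group(1)] = int(m.group(2))
        elif m := OUT_SPI.match(line):
            cur["out_spi"] = m.group(1).upper()
        elif line.startswith("inbound esp sas"):
            in_section = True  # the first 'spi:' line under this header is the inbound SPI
        elif line.startswith("outbound esp sas"):
            in_section = False
        elif in_section and cur["in_spi"] is None and (m := SPI.match(line)):
            cur["in_spi"] = m.group(1).upper()
    return sas


def pair_sas(a_sas, b_sas):
    """The same SA seen from both ends: A's outbound SPI is B's inbound SPI."""
    by_in_spi = {sa["in_spi"]: sa for sa in b_sas}
    return [(a, by_in_spi[a["out_spi"]]) for a in a_sas if a["out_spi"] in by_in_spi]


def diagnose(a_sas, b_sas, a_name="A", b_name="B"):
    """For each SA pair, report per direction whether traffic is encapsulated and decapsulated."""
    findings = []
    for a, b in pair_sas(a_sas, b_sas):
        sa = f"{'gre' if a['proto'] == 47 else 'ip'} {a['local']}->{a['remote']} (vrf {a['vrf']})"
        if b["out_spi"] != a["in_spi"]:
            findings.append({"sa": sa, "direction": "both", "status": "spi-mismatch"})
            continue
        for snd, rcv, direction in ((a, b, f"{a_name}->{b_name}"), (b, a, f"{b_name}->{a_name}")):
            status = "no-encaps" if snd["encaps"] == 0 else "no-decaps" if rcv["decaps"] == 0 else "ok"
            findings.append({"sa": sa, "direction": direction, "status": status})
    return findings


if __name__ == "__main__":
    for f in diagnose(parse_ipsec_sa(ROUTER_A), parse_ipsec_sa(ROUTER_B)):
        print(f"{f['sa']:<52} {f['direction']:<5} {f['status']:<12} {NOTES[f['status']]}")
```

To use it on live routers, paste each side's full `show crypto ipsec sa` output into ROUTER_A and ROUTER_B; the parser ignores the lines it does not need. Pairing by SPI rather than by ident avoids false matches when a router has several crypto map entries toward the same peer.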