GRE IPSEC TUNNEL with VRF's and NAT PROBLEM

Hi all,


I have a problem with an implementation of GRE IPsec tunnels working with VRFs.

Let me explain the situation from the beginning.

I have two 2921 routers ( c2900-universalk9-mz.SPA.152-4.M5.bin ) between which I want to implement a GRE IPsec tunnel. I need one of them to work with VRFs, because I have other VPNs on it and it needs to be done like this.

Their outside interfaces have private IPs, but I have a firewall in front of each one that NATs them to public IPs. I attach a simple diagram so you can understand it.

Without VRFs the solution works fine, but the problem starts when I configure it with VRFs.

The VPN comes up and I am able to reach the other site via the loopbacks (I created one loopback on each router and permitted simple access between them); the tunnels are up, but I can't reach the other side of the tunnel (ping), and logically the OSPF that I configured doesn't come up. I don't really know what's wrong; I've been trying to solve it for more than a week without success.

You can see that the VPN is up:

ROUTER A (with vrf):

ROUTERA#sh crypto isakmp sa 
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.19.208.101  PEER_PUBLIC_ADDRESS QM_IDLE           7799 ACTIVE
!
ROUTERA#SH CRYpto IPSec SA


interface: Port-channel7.55
    Crypto map tag: vpn_provider, local addr 172.19.208.101

   protected vrf: prova
   local  ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (20.20.20.20/255.255.255.255/0/0)
   current_peer PEER_PUBLIC_ADDRESS port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
    #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.19.208.101, remote crypto endpt.: PEER_PUBLIC_ADDRESS
     path mtu 1500, ip mtu 1500, ip mtu idb Port-channel7.55
     current outbound spi: 0x390A97F8(956995576)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x9B68F445(2607346757)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2949, flow_id: Onboard VPN:949, sibling_flags 80004040, crypto map: vpn_provider
        sa timing: remaining key lifetime (k/sec): (4608000/1539)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x390A97F8(956995576)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2950, flow_id: Onboard VPN:950, sibling_flags 80004040, crypto map: vpn_provider
        sa timing: remaining key lifetime (k/sec): (4608000/1539)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: prova
   local  ident (addr/mask/prot/port): (172.19.208.101/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.25.208.101/255.255.255.255/47/0)
   current_peer PEER_PUBLIC_ADDRESS port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 ---> Don't know why it doesn't encrypt
    #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.19.208.101, remote crypto endpt.: PEER_PUBLIC_ADDRESS
     path mtu 1500, ip mtu 1500, ip mtu idb Port-channel7.55
     current outbound spi: 0x843F9D9F(2218761631)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xD27130F3(3530633459)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2951, flow_id: Onboard VPN:951, sibling_flags 80000040, crypto map: vpn_provider
        sa timing: remaining key lifetime (k/sec): (4249959/1591)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x843F9D9F(2218761631)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2952, flow_id: Onboard VPN:952, sibling_flags 80000040, crypto map: vpn_provider
        sa timing: remaining key lifetime (k/sec): (4249996/1591)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:


ROUTER B (without vrf):

ROUTERB#sh crypto isakmp sa 
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
PEER_PUBLIC_ADDRESS 172.25.208.101  QM_IDLE           1106 ACTIVE
!
ROUTERB#sh crypto ipsec sa

interface: Port-channel7.55
    Crypto map tag: mymap, local addr 172.25.208.101

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (20.20.20.20/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
   current_peer PEER_PUBLIC_ADDRESS port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 34, #pkts encrypt: 34, #pkts digest: 34
    #pkts decaps: 34, #pkts decrypt: 34, #pkts verify: 34
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.25.208.101, remote crypto endpt.: PEER_PUBLIC_ADDRESS
     path mtu 1500, ip mtu 1500, ip mtu idb Port-channel7.55
     current outbound spi: 0x9B68F445(2607346757)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x390A97F8(956995576)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2087, flow_id: Onboard VPN:87, sibling_flags 80000040, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4164051/1332)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x9B68F445(2607346757)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2088, flow_id: Onboard VPN:88, sibling_flags 80000040, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4164051/1332)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.25.208.101/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.19.208.101/255.255.255.255/47/0)
   current_peer PEER_PUBLIC_ADDRESS port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 656, #pkts encrypt: 656, #pkts digest: 656
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0  ---> Don't know why it doesn't decrypt
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.25.208.101, remote crypto endpt.: PEER_PUBLIC_ADDRESS
     path mtu 1500, ip mtu 1500, ip mtu idb Port-channel7.55
     current outbound spi: 0xD27130F3(3530633459)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x843F9D9F(2218761631)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2089, flow_id: Onboard VPN:89, sibling_flags 80004040, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4188983/1384)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD27130F3(3530633459)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2090, flow_id: Onboard VPN:90, sibling_flags 80004040, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4188942/1384)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

Can somebody help me, please?

I attach the network diagram above.

Below is the config of the routers:


ROUTER A:

......
!
vrf definition prova
 rd 65501:2
 !
 address-family ipv4
 exit-address-family

......
!
crypto keyring prova  
  pre-shared-key address PEER_PUBLIC_ADDRESS key XXXXXXXXX
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp profile prova
   vrf prova
   keyring prova
   match identity address 172.25.208.101 255.255.255.255 
!
crypto ipsec transform-set esp-aes-sha1 esp-aes esp-sha-hmac 
 mode tunnel
!
crypto map vpn_provider 200 ipsec-isakmp 
 set peer PEER_PUBLIC_ADDRESS
 set transform-set esp-aes-sha1 
 set isakmp-profile prova
 match address 120
!         
interface Loopback0
 vrf forwarding prova
 ip address 10.10.10.10 255.255.255.255
!
interface Tunnel200
 vrf forwarding prova
 ip address 192.168.90.1 255.255.255.252
 ip mtu 1420
 ip ospf mtu-ignore
 ip ospf cost 200
 tunnel source Port-channel7.55
 tunnel destination 172.25.208.101
!
interface Port-channel7
 no ip address
 hold-queue 150 in
!
interface Port-channel7.55
 encapsulation dot1Q 55 native
 ip address 172.19.208.101 255.255.255.128
 crypto map vpn_provider
!
router ospf 20 vrf prova
 router-id 192.168.90.1
 network 10.10.10.10 0.0.0.0 area 0
 network 192.168.90.0 0.0.0.3 area 0
!
ip route vrf prova 0.0.0.0 0.0.0.0 172.19.208.126 global
!
access-list 120 permit gre host 172.19.208.101 host PEER_PUBLIC_ADDRESS
access-list 120 permit gre host 172.19.208.101 host 172.25.208.101
access-list 120 permit ip host 10.10.10.10 host 20.20.20.20
!
.....

ROUTER B:


crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXXXXXX address PEER_PUBLIC_ADDRESS
!
!
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac 
 mode tunnel
!
!
!
crypto map mymap 10 ipsec-isakmp 
 set peer PEER_PUBLIC_ADDRESS
 set transform-set esp-aes-sha1 
 match address 198
!
interface Loopback0
 ip address 20.20.20.20 255.255.255.255
!
interface Tunnel100
 ip address 192.168.90.2 255.255.255.252
 ip mtu 1420
 ip virtual-reassembly in
 ip ospf mtu-ignore
 ip ospf cost 200
 tunnel source Port-channel7.55
 tunnel destination 172.19.208.101
!
interface Port-channel7
 description to_r-coresc
 no ip address
!
interface Port-channel7.55
 encapsulation dot1Q 55 native
 ip address 172.25.208.101 255.255.255.128
 crypto map mymap
!
router ospf 20
 router-id 192.168.90.2
 network 20.20.20.20 0.0.0.0 area 0
 network 192.168.90.0 0.0.0.3 area 0
!
!
ip route 0.0.0.0 0.0.0.0 172.25.208.126
!
access-list 198 permit gre host 172.25.208.101 host PEER_PUBLIC_ADDRESS
access-list 198 permit gre host 172.25.208.101 host 172.19.208.101
access-list 198 permit ip host 20.20.20.20 host 10.10.10.10


Thank you in advance, and I hope someone can help me.

Regards

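The two "show crypto ipsec sa" outputs in the post are easiest to read when the per-SA counters are lined up side by side: the loopback-to-loopback SA carries traffic both ways, while the GRE SA (proto 47) shows encaps 0 on ROUTER A and decaps 0 on ROUTER B. The script below is an added example, not part of the original post or of any Cisco tool: it parses the show output into one record per SA, flags SAs whose counters are non-zero in only one direction, and pairs each SA with the peer SA whose local/remote identities are its mirror image. The sample input is a trimmed copy of the post's own output (only the lines the parser reads), embedded as constructed text; the script surfaces the asymmetry, it does not determine its cause.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the two outputs from the post, reduced to the lines
# this parser looks at (vrf, identities, encaps/decaps counters).
ROUTER_A_SA = """\
interface: Port-channel7.55
    Crypto map tag: vpn_provider, local addr 172.19.208.101

   protected vrf: prova
   local  ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (20.20.20.20/255.255.255.255/0/0)
    #pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
    #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29

   protected vrf: prova
   local  ident (addr/mask/prot/port): (172.19.208.101/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.25.208.101/255.255.255.255/47/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
"""

ROUTER_B_SA = """\
interface: Port-channel7.55
    Crypto map tag: mymap, local addr 172.25.208.101

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (20.20.20.20/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
    #pkts encaps: 34, #pkts encrypt: 34, #pkts digest: 34
    #pkts decaps: 34, #pkts decrypt: 34, #pkts verify: 34

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.25.208.101/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.19.208.101/255.255.255.255/47/0)
    #pkts encaps: 656, #pkts encrypt: 656, #pkts digest: 656
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

SA_RE = {
    "vrf": re.compile(r"protected vrf:\s*(\S+)"),
    "local": re.compile(r"local\s+ident \(addr/mask/prot/port\): \(([^)]+)\)"),
    "remote": re.compile(r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)"),
    "encaps": re.compile(r"#pkts encaps:\s*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s*(\d+)"),
}


def parse_ipsec_sa(text: str) -> List[Dict[str, object]]:
    """Split 'show crypto ipsec sa' output into one record per SA.

    A new record starts at every 'protected vrf:' line; identities and the
    encaps/decaps counters that follow it are attached to that record.
    """
    sas: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for line in text.splitlines():
        m = SA_RE["vrf"].search(line)
        if m:
            current = {"vrf": m.group(1), "encaps": 0, "decaps": 0}
            sas.append(current)
            continue
        if current is None:
            continue  # header lines before the first SA
        for key in ("local", "remote"):
            m = SA_RE[key].search(line)
            if m:
                current[key] = m.group(1)
        for key in ("encaps", "decaps"):
            m = SA_RE[key].search(line)
            if m:
                current[key] = int(m.group(1))
    return sas


def one_way_sas(sas: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """SAs where exactly one of encaps/decaps is zero: this router either
    never encrypts into the SA or never receives anything from it."""
    return [sa for sa in sas if (sa["encaps"] == 0) != (sa["decaps"] == 0)]


def pair_with_peer(local_sas, peer_sas) -> List[Dict[str, object]]:
    """Match each local SA with the peer SA whose identities are the mirror
    image (peer local == our remote, peer remote == our local) and put the
    four counters next to each other: what we encap should be what the peer
    decaps, and vice versa."""
    report = []
    for sa in local_sas:
        mirror = next((p for p in peer_sas
                       if p.get("local") == sa.get("remote")
                       and p.get("remote") == sa.get("local")), None)
        report.append({
            "local": sa.get("local"), "remote": sa.get("remote"),
            "vrf": sa["vrf"], "peer_vrf": mirror["vrf"] if mirror else None,
            "we_encap": sa["encaps"], "peer_decap": mirror["decaps"] if mirror else None,
            "peer_encap": mirror["encaps"] if mirror else None, "we_decap": sa["decaps"],
            "mirror_found": mirror is not None,
        })
    return report


if __name__ == "__main__":
    a, b = parse_ipsec_sa(ROUTER_A_SA), parse_ipsec_sa(ROUTER_B_SA)
    for row in pair_with_peer(a, b):
        flag = "" if row["we_encap"] and row["we_decap"] else "  <-- one-way"
        print(f"{row['local']} -> {row['remote']} (vrf {row['vrf']} / peer vrf {row['peer_vrf']}): "
              f"A encap {row['we_encap']} / B decap {row['peer_decap']}, "
              f"B encap {row['peer_encap']} / A decap {row['we_decap']}{flag}")
```

Run it against the full outputs pasted from both routers and the report shows at a glance which SA pair is healthy and which direction of which SA is silent; the "protected vrf" column is included because the VRF an SA is bound to is one of the first things to compare when only one side is VRF-aware.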