
GRE/IPsec Tunnels

Dph3ct
Level 1

Hi guys,

I've recently started in a new position (6 weeks now) and I'm the only network engineer within this company. This company is a nationwide company and has trade depots all over the UK. I'm still getting my head around how it's all configured and hooked up, but as I didn't build this network there are aspects that confused me.

Anyway, looking at the site-to-site VPN we use, I think it's GRE over IPsec (of which, unfortunately, I've had zero experience). I've had to have a look at it this week as we are moving ISPs at four of our depots. Yesterday I was doing one depot ISP migration and I could see the tunnel interface was up/up, but I couldn't actually ping the other site's router interface (although it did have a WAN connection). In the end I rolled it back to get it working.

As the only bit that is changing is the ISP WAN IP and login information, I looked through the config of both routers, replacing any uses of the old WAN IP with the new WAN IP. As I said, this did get the tunnel interface up/up. No other IP addressing has changed at all, so in theory this should just be a straight swap of info, shouldn't it?

Unfortunately this company does not have a support contract of any sort for networking. I am going to bring this up in a meeting this morning, as this is the first employer I've worked with that doesn't have one.

The depot end is an 887 router and the head office is a 2921 router.

If you want some configs, please let me know.

Thanks for any help offered :).

3 Replies

Hi,

Could the spoke router ping the hub router's public IP address (not the tunnel IP) after the IP address change?

If you had full connectivity between the two, my initial thought would be that the IKE/IPsec SAs with the old IP address were still established. Next time, try shutting down the Tunnel interface, then change the IP address, and then no shutdown the tunnel interface.

On the Hub, are you using Pre-Shared Keys (PSK)? The Hub might only have a PSK for the spoke router's old IP address; this might need changing.

HTH

Thanks for your response, RJI.

I can ping the head office WAN IP address but not the other way (but I can't actually ping any other working depot WAN IP addresses either, so I think this is normal and down to some router config). The IP address is negotiated on the Dialer0 interface and I can see the correct IP in "show ip int brief" as expected.

I think the tunnel shutdown might be a good shout; I didn't think of that one while I was freezing my backside off in a warehouse.

I've updated the PSK for the new IP address and kept the key the same, so this has been covered.

We're currently trying to get some support sorted out by one of our suppliers; well, my manager has queried it. Hopefully we can get it sorted by this coming Friday, as that's when the old service gets cut off.

Is there anything else I could check?

Thanks again.

Do you have an ACL on the Hub or Spoke routers that permits only IPsec/ICMP traffic from known sources?
I assume the Hub is configured with a Dynamic VTI (virtual-template) rather than multiple Static VTIs?
On the Hub, are you using ISAKMP profiles that use the IP address as the remote identity? This might need changing.

When you do the migration, on the spoke use the command "show crypto isakmp sa" to confirm the existing SA is removed before you unshut the tunnel interface. If not, use the command "clear crypto isakmp sa" or "clear crypto session". Then un-shut the tunnel interface.

HTH
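As an added example (not part of the thread and not the poster's real configs): a minimal GRE-over-IPsec pair for an 887 spoke behind a PPPoE dialer and a 2921 hub, collecting in one place the spots where a spoke's WAN address can be baked in that RJI's two replies point at (hub PSK, keyring/ISAKMP profile match, static tunnel destination, hub WAN ACL), followed by the shut/clear/no-shut cutover sequence and the checks to run. Everything here is assumed: 192.0.2.1 (hub), 203.0.113.10 (old spoke WAN IP) and 198.51.100.20 (new spoke WAN IP) are documentation addresses, DEPOT-PSK and the ISP credentials are placeholders, and the ISAKMP/IPsec parameters must match whatever the existing routers actually run.

```cisco
!!! Hub (2921). Key the PSK to both old and new spoke WAN addresses for the
!!! cutover window, then remove the old line once the depot has moved.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key DEPOT-PSK address 203.0.113.10
crypto isakmp key DEPOT-PSK address 198.51.100.20
!
!!! Alternative when the hub uses a keyring plus an ISAKMP profile (reply 3):
!!! the keyring entry AND the match line both carry the spoke address.
crypto keyring DEPOT-KEYS
 pre-shared-key address 198.51.100.20 key DEPOT-PSK
crypto isakmp profile DEPOT-SPOKE
 keyring DEPOT-KEYS
 match identity address 198.51.100.20 255.255.255.255
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set TS-AES
 set isakmp-profile DEPOT-SPOKE        ! only with the profile variant above
!
!!! Static per-spoke GRE tunnel on the hub: the destination must follow the
!!! spoke's new WAN address. A dynamic virtual-template hub has no fixed
!!! destination and needs only the key/profile change above.
interface Tunnel10
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.20
 tunnel mode gre ip
 tunnel protection ipsec profile GRE-PROT
!
!!! An inbound WAN ACL on the hub that lists spoke addresses must also admit
!!! IKE (udp/500), NAT-T (udp/4500), ESP and ICMP from the new address.
ip access-list extended WAN-IN
 permit udp host 198.51.100.20 any eq isakmp
 permit udp host 198.51.100.20 any eq non500-isakmp
 permit esp host 198.51.100.20 any
 permit icmp host 198.51.100.20 any

!!! Spoke (887). Because the tunnel is sourced from Dialer0 rather than a
!!! literal address, the negotiated WAN IP is picked up automatically; only
!!! the PPP credentials change. Hub address is unchanged, so the spoke's PSK
!!! line, tunnel destination and (same) transform-set/profile do not change.
interface Dialer0
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname NEW-ISP-USERNAME
 ppp chap password 0 NEW-ISP-PASSWORD
!
crypto isakmp key DEPOT-PSK address 192.0.2.1
!
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 tunnel source Dialer0
 tunnel destination 192.0.2.1
 tunnel mode gre ip
 tunnel protection ipsec profile GRE-PROT

!!! Cutover sequence on the spoke (exec mode). Shutting the tunnel first stops
!!! it from re-keying against the cached SA while the WAN address changes.
configure terminal
 interface Tunnel0
  shutdown
 interface Dialer0
  ppp chap hostname NEW-ISP-USERNAME
  ppp chap password 0 NEW-ISP-PASSWORD
end
clear crypto session remote 192.0.2.1
show crypto isakmp sa
!!! expect no entry for 192.0.2.1 before continuing
configure terminal
 interface Tunnel0
  no shutdown
end
!!! A GRE tunnel without keepalives reports up/up as soon as a route to its
!!! destination exists, so up/up says nothing about IPsec. Check the IKE SA
!!! state, that ESP counters move, then ping across the tunnel itself.
show crypto isakmp sa
show crypto ipsec sa | include peer|encaps|decaps
ping 10.255.0.1 source 10.255.0.2
```

If "show crypto isakmp sa" shows the hub in MM_NO_STATE or never reaches QM_IDLE after the no shutdown, the PSK or profile match on the hub is the first thing to check; if it reaches QM_IDLE but the encaps/decaps counters stay at zero, look at the ACLs on the dialer and the hub WAN interface.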