
GRE over IPsec VPN

gaurav bhardwaj
Level 1

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml#diag

This is the lab I did today, and of course I am able to understand this lab, but my confusions are:

1. Why do we use the crypto map on both interfaces (physical interface or tunnel interface)?

2. When I remove the crypto map from the tunnel interface I receive this message:

( R2691#*Mar  1 01:12:54.243: ISAKMP:(1002):purging node 2144544879 )

Please tell me what the meaning of this message is.

3. But I can see the VPN is working fine. This is the crypto IPsec SA and crypto ISAKMP SA:

R2691#sh crypto ipsec sa
interface: Serial0/0
    Crypto map tag: vpn, local addr 30.1.1.21
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (30.1.1.21/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/47/0)
   current_peer 10.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 65, #pkts encrypt: 65, #pkts digest: 65
    #pkts decaps: 66, #pkts decrypt: 66, #pkts verify: 66
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0
     local crypto endpt.: 30.1.1.21, remote crypto endpt.: 10.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
     current outbound spi: 0xDBF65B0E(3690355470)
     inbound esp sas:
      spi: 0x44FF512B(1157583147)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 5, flow_id: SW:5, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4598427/3368)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xDBF65B0E(3690355470)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 6, flow_id: SW:6, crypto map: vpn
        sa timing: remaining key lifetime (k/sec): (4598427/3368)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

R2691#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
30.1.1.21       10.1.1.1        QM_IDLE           1002    0 ACTIVE

IPv6 Crypto ISAKMP SA

4. How do I know it is using GRE over IPsec?

I am also attaching my topology on which I did the lab.

Accepted Solution

anujsharma85
Level 1

As far as I can recall, in older code it was required to have the crypto map on both the tunnel and the physical interface, but now it is not.

Since we are using GRE over IPsec, for verifying the tunnel I will do the following steps:

1.) Check if the tunnel interface is up: "show ip int br"

2.) Check if tunnel statistics are increasing and packets are traversing across it: "show interface"

3.) Verify that the crypto ACL includes only the interesting traffic, listed as the GRE peers.

4.) If yes, check the IPsec SA statistics: "show crypto ipsec sa"

If all of them are showing correct statistics with the respective counters increasing, then traffic is passing through GRE and then getting encapsulated in IPsec.

Hope this helps.

Regards,

Anuj

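The four verification steps in the accepted answer, worked as an added example that is not part of the thread: a Python script that parses pasted "show interface tunnel", crypto ACL and "show crypto ipsec sa" text and applies each check. The sample strings are trimmed copies of the outputs the original poster gave (R7200's Tunnel0 and ACL, R2691's IPsec SA), so the script checks each piece on its own and compares the ACL only against the tunnel on the same router. The prot field of the ident lines is the IP protocol number; 47 is GRE, which is the direct answer to question 4. The legacy-algorithm list is an extra caveat and my own assumption, not something the thread discusses: esp-3des and esp-md5-hmac as seen in the posted SA are legacy algorithms, and current guidance prefers AES with SHA-2.

```python
"""Check a GRE-over-IPsec tunnel from IOS 'show' output.

Added example, not code from the thread: it applies the accepted answer's
checks to pasted 'show interface tunnel', crypto ACL and 'show crypto ipsec sa'
text. Samples are trimmed copies of the outputs posted in this thread.
"""
import re

GRE_PROTO = 47  # IP protocol number for GRE, the 'prot' field of the ident lines
LEGACY_ALGS = ("esp-des", "esp-3des", "md5", "esp-null")  # assumed flag list, not from the thread

# Constructed sample: trimmed 'show interface tunnel 0' from R7200.
TUNNEL_IF = """\
Tunnel0 is up, line protocol is up
  Tunnel source 10.1.1.1 (Serial1/0), destination 30.1.1.1
  Tunnel protocol/transport GRE/IP
     2229 packets input, 213651 bytes, 0 no buffer
     2292 packets output, 220520 bytes, 0 underruns
"""
# Constructed sample: R7200's crypto ACL as posted.
CRYPTO_ACL = "access-list 101 permit gre host 10.1.1.1 host 30.1.1.1"
# Constructed sample: trimmed 'show crypto ipsec sa' from R2691.
IPSEC_SA = """\
interface: Serial0/0
    Crypto map tag: vpn, local addr 30.1.1.21
   local  ident (addr/mask/prot/port): (30.1.1.21/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/47/0)
    #pkts encaps: 65, #pkts encrypt: 65, #pkts digest: 65
    #pkts decaps: 66, #pkts decrypt: 66, #pkts verify: 66
     inbound esp sas:
        transform: esp-3des esp-md5-hmac ,
        Status: ACTIVE
"""


def parse_tunnel(text):
    """State, GRE endpoints, transport and packet counters from 'show interface tunnel'."""
    state = re.search(r"^(\S+) is (\S+), line protocol is (\S+)", text, re.M)
    ends = re.search(r"Tunnel source ([\d.]+).*?, destination ([\d.]+)", text)
    transport = re.search(r"Tunnel protocol/transport (\S+)", text)
    pkts = {d: int(n) for n, d in re.findall(r"(\d+) packets (input|output)", text)}
    return {
        "name": state.group(1),
        "up": state.group(2) == "up" and state.group(3) == "up",
        "source": ends.group(1), "destination": ends.group(2),
        "transport": transport.group(1),
        "pkts_in": pkts.get("input", 0), "pkts_out": pkts.get("output", 0),
    }


def parse_crypto_acl(line):
    """Parse the host-to-host crypto ACE form used in the thread."""
    m = re.match(r"access-list (\d+) permit (\S+) host ([\d.]+) host ([\d.]+)", line)
    if not m:
        raise ValueError("unsupported ACL form: " + line)
    return {"number": int(m.group(1)), "protocol": m.group(2),
            "src": m.group(3), "dst": m.group(4)}


def parse_ipsec_sa(text):
    """Proxy identities, packet counters and transforms from 'show crypto ipsec sa'."""
    ident = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): "
                       r"\(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)")
    sa = {side: {"addr": addr, "mask": mask, "prot": int(prot), "port": int(port)}
          for side, addr, mask, prot, port in ident.findall(text)}
    counts = dict(re.findall(r"#pkts (encaps|decaps): (\d+)", text))
    sa["encaps"] = int(counts.get("encaps", 0))
    sa["decaps"] = int(counts.get("decaps", 0))
    sa["transforms"] = [t.strip() for t in re.findall(r"transform: ([^,]+),", text)]
    return sa


def verify_gre_over_ipsec(tunnel, acl, sa):
    """Return [(check, passed, detail)]: the answer's four steps plus a crypto-strength caveat."""
    acl_ok = (acl["protocol"] == "gre" and acl["src"] == tunnel["source"]
              and acl["dst"] == tunnel["destination"])
    gre_protected = sa["local"]["prot"] == GRE_PROTO and sa["remote"]["prot"] == GRE_PROTO
    weak = [t for t in sa["transforms"] if any(a in t for a in LEGACY_ALGS)]
    return [
        ("tunnel up/up", tunnel["up"], f"{tunnel['name']} {tunnel['transport']}"),
        ("tunnel passing traffic", tunnel["pkts_in"] > 0 and tunnel["pkts_out"] > 0,
         f"in={tunnel['pkts_in']} out={tunnel['pkts_out']}"),
        ("crypto ACL matches GRE endpoints", acl_ok,
         f"acl {acl['src']}->{acl['dst']} tunnel {tunnel['source']}->{tunnel['destination']}"),
        ("IPsec SA protects protocol 47 (GRE)", gre_protected,
         f"local prot={sa['local']['prot']} remote prot={sa['remote']['prot']}"),
        ("IPsec SA encaps/decaps counting", sa["encaps"] > 0 and sa["decaps"] > 0,
         f"encaps={sa['encaps']} decaps={sa['decaps']}"),
        ("transform set is not legacy", not weak, ", ".join(sa["transforms"]) or "none"),
    ]


if __name__ == "__main__":
    results = verify_gre_over_ipsec(parse_tunnel(TUNNEL_IF), parse_crypto_acl(CRYPTO_ACL),
                                    parse_ipsec_sa(IPSEC_SA))
    for name, ok, detail in results:
        print(f"[{'PASS' if ok else 'FAIL'}] {name}: {detail}")
```

Run it directly to get one PASS/FAIL line per check. On the posted figures every step of the answer passes (tunnel up/up, counters non-zero, ACL matches the Tunnel0 endpoints, SA identities are protocol 47 with encaps/decaps counting) and only the legacy-transform caveat fails, because the SA negotiated 3DES with HMAC-MD5.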

3 Replies


Mr. Anuj, here is my config:

R7200#sh ip int b
Interface                  IP-Address      OK? Method Status                Protocol
Serial1/0                  10.1.1.1        YES NVRAM  up                    up
Loopback1                  50.1.1.1        YES NVRAM  up                    up
Loopback2                  50.1.2.1        YES NVRAM  up                    up
Tunnel0                    40.1.1.2        YES NVRAM  up                    up
Tunnel1                    40.1.2.2        YES NVRAM  up                    up
Tunnel2                    40.1.3.2        YES NVRAM  up                    up

=========================================================

R7200#sh int tunnel 0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 40.1.1.2/24
  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 10.1.1.1 (Serial1/0), destination 30.1.1.1
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255
  Fast tunneling enabled
  Tunnel transport MTU 1476 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input 00:00:04, output 00:00:04, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 2
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     2229 packets input, 213651 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     2292 packets output, 220520 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

===============================================================

My crypto ACL is:

access-list 101 permit gre host 10.1.1.1 host 30.1.1.1

As per the config provided, the crypto ACL includes the local host as 10.1.1.1 and the remote host as 30.1.1.1; however, the interface description shows 10.1.1.1 as the serial / physical interface.

Thus, ideally the crypto ACL should include traffic as:

access-list 101 permit gre host host

Regards,

Anuj