How to define a full tunnel crypto map IPsec?

tiwang
Level 3

Hi out there
I am trying to do full tunneling of all traffic - e.g. guide all traffic through a crypto map based IPsec tunnel.
The crypto map ACLs define my traffic pattern and as long as it is site to site it works fine - but if I try to do e.g.:

permit ip 10.14.35.0 0.0.0.255 any

I cannot get the tunnel up - I could use an SVTI instead but I would prefer to do it through a crypto map IPsec tunnel - is this not possible?

Br ti


Sent from Cisco Technical Support Android App

9 Replies

Lei Tian
Cisco Employee

Hi,

What's the ACL on the other end? Are the ACLs mirror images between both ends?

HTH,

Lei Tian

tiwang
Level 3

Hi again
Yes they are "mirrored" - e.g.:

permit ip 10.144.38.0 0.0.0.255 172.17.4.0 0.0.0.255

And the other end:

permit ip 172.17.4.0 0.0.0.255 10.144.38.0 0.0.0.255

This works ok - but if I use "any":

permit ip 10.144.38.0 0.0.0.255 any

Other end:

permit ip any 10.144.38.0 0.0.0.255


Then I cannot get the tunnel up. At the headend I use RRI for route adding and I can see that I don't get a "default" route added in that VRF either.

Ideas? Suggestions?

Best regards to


Sent from Cisco Technical Support Android App

Lei Tian
Cisco Employee

Is the ISAKMP SA not up, or is the IPsec SA not up?

Sent from Cisco Technical Support iPhone App

tiwang
Level 3

Hi again

It must be the IPsec part which fails. I have it in a GNS3 lab which I could upload if you are interested?
Anyway - if I just extend my ACL with the "any" statements the tunnel comes up fine, but I don't get a default route added in the i-vrf, so there must be a trick somehow to get all traffic into the tunnel - hmmm?

Sent from Cisco Technical Support Android App

Lei Tian
Cisco Employee

So the tunnel is up? Route injection will install the destination route in the routing table, not the source. Yes, sharing your configs would help.

HTH,
Lei Tian

Sent from Cisco Technical Support iPhone App

[Attachment: a topology drawing]

Lei Tian
Cisco Employee

Ok, now I understand it. I have never seen RRI inject a default route, and I think it is not supported.

HTH,
Lei Tian
Sent from Cisco Technical Support iPhone App

Hi again

No, you are completely right - I just got confused because some of the setup did work (the "local" routing through RRI) and some not (the default gw through RRI). When I tried to open the tunnel by pinging a remote destination it didn't open the tunnel because of the missing route - I didn't realise this and dug into the IPsec instead, where I couldn't find any errors, but of course it is just a problem with that default gw. The ACLs work as expected if I add the default route to the VRF cvrf3881 and the packets are forwarded correctly - thanks

The only needed extra config line is

ip route vrf cvrf3881 0.0.0.0 0.0.0.0 195.41.38.10

on edge01

best regards /ti
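For reference, here is an added headend-side configuration sketch (not the poster's or Cisco's own config) that puts the thread's pieces together: the mirrored "any" crypto ACL, reverse-route injection, and the static default in the inside VRF that RRI cannot supply. The VRF name cvrf3881, the network 10.144.38.0/24 and the next hop 195.41.38.10 come from the thread; FVRF, BRANCH-KR, BRANCH-PROF, TS, CM, TO-BRANCH, the interface, the peer 198.51.100.2, the outside address 203.0.113.1 and the <PSK> placeholder are assumptions.

```cisco
! Added example (not the poster's configuration): headend-side pieces of a
! full-tunnel crypto map whose decrypted traffic lands in VRF cvrf3881.
! Assumed names: FVRF, BRANCH-KR, BRANCH-PROF, TS, CM, TO-BRANCH,
! GigabitEthernet0/0, peer 198.51.100.2, outside 203.0.113.1, <PSK>.
vrf definition FVRF
 address-family ipv4
 exit-address-family
vrf definition cvrf3881
 address-family ipv4
 exit-address-family
!
crypto keyring BRANCH-KR vrf FVRF
 pre-shared-key address 198.51.100.2 key <PSK>
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! The ISAKMP profile is what places decrypted traffic into the inside VRF.
crypto isakmp profile BRANCH-PROF
 vrf cvrf3881
 keyring BRANCH-KR
 match identity address 198.51.100.2 255.255.255.255 FVRF
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Mirror image of the branch ACL "permit ip 10.144.38.0 0.0.0.255 any".
ip access-list extended TO-BRANCH
 permit ip any 10.144.38.0 0.0.0.255
!
crypto map CM 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS
 set isakmp-profile BRANCH-PROF
 match address TO-BRANCH
 ! RRI installs 10.144.38.0/24 (the remote proxy) in cvrf3881 when the
 ! SA comes up; it never derives a default route from the "any" side.
 reverse-route
!
interface GigabitEthernet0/0
 vrf forwarding FVRF
 ip address 203.0.113.1 255.255.255.0
 crypto map CM
!
! The fix from the thread: cvrf3881 needs its own default toward upstream.
ip route vrf cvrf3881 0.0.0.0 0.0.0.0 195.41.38.10
```

The static default assumes 195.41.38.10 is reachable through an interface that is itself in cvrf3881; `show ip route vrf cvrf3881` after the SA comes up should then show both the RRI-injected 10.144.38.0/24 and the static 0.0.0.0/0.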

Lei Tian
Cisco Employee

Hi, thanks for the update! Yes, a static default in the VRF will do the trick.

Regards,
Lei Tian

Sent from Cisco Technical Support iPhone App