If you have a crypto session running over a GRE tunnel in the command "show tunnel interface" will the mode say IPSEC or GRE?

emailsbecker
Level 1

I studied tunnels for my cert tests years ago but haven't touched them at all in my work since then. I'm taking over a network someone else built, and it uses a lot of crypto tunnels and GRE tunnels. I'm not sure they're built properly. As I said, it's been a while. I thought the first step was to build the GRE tunnel, then build a crypto tunnel over that, and then enable routing across the crypto tunnel.

Right now I'm looking at two devices that have a GRE tunnel and a crypto tunnel between them but it doesn't look like the crypto tunnel is being routed over the GRE tunnel because the GRE tunnel isn't passing any packets while the crypto tunnel is.

The reason I ask is because I now have to configure a new tunnel. I built a new GRE tunnel and it was working fine until I configured my crypto tunnel. Now my crypto tunnel is working but my GRE tunnel is up/up on one side and up/down on the other. But when I do "show tunnel interface" the one I'm building shows "Mode:IPSEC/IP" where all the others show "Mode:GRE/IP". I'm wondering if I am misunderstanding something about the way the tunnels work. If I'm able to get my GRE tunnel to come up will it change to show "Mode:GRE/IP" even if it's running crypto over the GRE tunnel?

This is the command output from one of the existing tunnels:

Router2#sh int tu1
Tunnel1 is up, line protocol is up
Hardware is Tunnel
Description: Router6
Internet address is 172.25.9.1/30
MTU 17916 bytes, BW 2000 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive set (2 sec), retries 4
Tunnel source 4.7.1.1 (GigabitEthernet0/0.200), destination 4.2.1.8
Tunnel Subblocks:
src-track:
Tunnel1 source tracking subblock associated with GigabitEthernet0/0.200
Set of tunnels with source GigabitEthernet0/0.200, 6 members (includes iterators), on interface <OK>
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 00:00:08, output 00:00:01, output hang never
Last clearing of "show interface" counters 8w1d
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
10161799 packets input, 1242170088 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
4032589 packets output, 352453234 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out

Router2#sh cry sess rem 4.2.1.8 det
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: GigabitEthernet0/0.200
Uptime: 7w0d
Session status: UP-ACTIVE
Peer: 4.2.1.8 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 4.2.1.8
Desc: (none)
IKEv1 SA: local 4.7.1.1/500 remote 4.2.1.8/500 Active
Capabilities:D connid:4491 lifetime:00:24:59
IPSEC FLOW: permit 47 host 4.7.1.1 host 4.28.160.81
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 14851710 drop 33 life (KB/Sec) 4600558/2567 <<<--- incrementing
Outbound: #pkts enc'ed 8140768 drop 12 life (KB/Sec) 4600845/2567 <<<--- incrementing

Router2#sh tun int tu1
Tunnel1
Mode:GRE/IP, Destination 4.2.1.8, Source GigabitEthernet0/0.200
IP transport: output interface GigabitEthernet0/0.200 next hop 4.7.1.1
Application ID 1: unspecified
Tunnel Subblocks:
src-track:
Tunnel1 source tracking subblock associated with GigabitEthernet0/0.200
Set of tunnels with source GigabitEthernet0/0.200, 6 members (includes iterators), on interface <OK>
Linestate - current up
Internal linestate - current up, evaluated up
OCE: IP tunnel decap
Provider: interface Tu1, prot 47
Performs protocol check [47]
Protocol Handler: GRE: opt 0x0
ptype: ipv4 [ipv4 dispatcher: from if Tu1]
ptype: ipv6 [ipv6 dispatcher: punt]
ptype: mpls [mpls dispatcher: drop]

3 Replies

m.kafka
Level 4

What exactly are you trying? GRE within IPsec? Are you using tunnel-protection? In that case get rid of tunnel-keepalives. GRE keepalives don't work with tunnel-protection. This is well documented. Maybe that's the issue.

Give us a bit more details how you configured the tunnels.

Rgds, MiKa

Yes, we want to do GRE within IPSEC.

Re: Keepalives ... R2 does have other tunnels built to it that are working, and I think they may require the keepalives. The tunnel I'm building uses VTI but the others were built before I got here and are not using VTI. In any case, I've removed the keepalive statements from the tunnel I'm working on. That hasn't changed the tunnel states.

Here are the router configs and some show commands. I've removed lines of output that I thought weren't needed; if there's something I left out that you want to see, let me know. Also, you may notice at the R2 side there's a bridged /30 from the ISP and then our own /29 inside our network. Due to some quirkiness with how that /30 routes I've had to use the /30 IP in some places and the /29 in others. I'm not sure if this is part of the problem or not. I have modified IP addresses for security and removed passwords.

**************************************************
**************************************************

R2

crypto pki token default removal timeout 0
!
crypto isakmp key hunter2 address 3.5.7.1
crypto isakmp invalid-spi-recovery
crypto isakmp nat keepalive 20
!
crypto ipsec transform-set R2-R4-SET esp-3des esp-sha-hmac
crypto ipsec nat-transparency spi-matching
!
crypto ipsec profile R2-R4-VTI
set transform-set R2-R4-SET
set pfs group2
!
interface Tunnel4
description R4(Tu4)
bandwidth 300000
ip address 2.5.6.1 255.255.255.252
tunnel source GigabitEthernet0/0.21
tunnel mode ipsec ipv4
tunnel destination 3.5.7.1
tunnel path-mtu-discovery
tunnel protection ipsec profile R2-R4-VTI
!
interface GigabitEthernet0/0.21
description XO
encapsulation dot1Q 201
ip address 5.7.1.0 255.255.255.252
ip nat outside
!
ip route 3.5.7.1 255.255.255.255 GigabitEthernet0/0.21 5.7.1.9

**************************************************
**************************************************

R2 show commands

R2#sh cry ses rem 3.5.7.1 det
Crypto session current status

Interface: Tunnel4
Session status: DOWN-NEGOTIATING
Peer: 3.5.7.1 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IKEv1 SA: local 5.7.1.0/500 remote 3.5.7.1/500 Inactive
Capabilities:(none) connid:0 lifetime:0
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

Interface: GigabitEthernet0/0.21
Session status: UP-IDLE
Peer: 3.5.7.1 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 3.5.7.1
Desc: (none)
IKEv1 SA: local 9.7.3.0/500 remote 3.5.7.1/500 Active
Capabilities:D connid:4521 lifetime:23:39:18

R2#sh cry eng conn act | i 9.7.3.0

ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
4521 IKE SHA+3DES 0 0 0 9.7.3.0

R2#sh cry is sa | i 9.7.3.0

dst src state conn-id status
9.7.3.0 3.5.7.1 QM_IDLE 4521 ACTIVE

R2#sh cry ips sa peer 3.5.7.1

interface: Tunnel4
Crypto map tag: Tunnel4-head-0, local addr 5.7.1.0

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 3.5.7.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 5.7.1.0, remote crypto endpt.: 3.5.7.1
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0.21
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

Crypto Map IPv4 "Tunnel4-head-0" 65536 ipsec-isakmp
Profile name: R2-R4-VTI
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group2
Transform sets={
R2-R4-SET: { esp-3des esp-sha-hmac } ,
}

Crypto Map IPv4 "Tunnel4-head-0" 65537 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 3.5.7.1
Extended IP access list
access-list permit ip any any
Current peer: 3.5.7.1
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
R2-R4-SET: { esp-3des esp-sha-hmac } ,
}
Always create SAs
Interfaces using crypto map Tunnel4-head-0:
Tunnel4

**************************************************
**************************************************

R4

crypto pki token default removal timeout 0
!
crypto isakmp key hunter2 address 9.7.3.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set R4-R2-SET esp-3des esp-sha-hmac
!
crypto ipsec profile R4-R2-VTI
set transform-set R4-R2-SET
set pfs group2
!
interface Tunnel4
description R2(Tu4)
bandwidth 300000
ip address 2.5.6.2 255.255.255.252
tunnel source GigabitEthernet0/0.71
tunnel destination 9.7.3.0
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
tunnel protection ipsec profile R4-R2-VTI
!
interface GigabitEthernet0/0.71
description FIOS-MODEM
ip address 3.5.7.1 255.255.255.0
ip nat outside
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0.71 3.5.7.1
ip route 9.7.3.0 255.255.255.255 GigabitEthernet0/0.71 3.5.7.1

**************************************************
**************************************************

R4#sh cry sess det
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: Tunnel4
Session status: UP-IDLE
Peer: 9.7.3.0 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 9.7.3.0
Desc: (none)
IKE SA: local 3.5.7.1/500 remote 9.7.3.0/500 Active
Capabilities:D connid:4016 lifetime:23:34:27
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

Interface: GigabitEthernet0/0.71
Session status: DOWN-NEGOTIATING
Peer: 5.7.1.0 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IKE SA: local 3.5.7.1/500 remote 5.7.1.0/500 Inactive
Capabilities:(none) connid:0 lifetime:0
R4#sh cry eng conn act
Crypto Engine Connections

ID Interface Type Algorithm Encrypt Decrypt IP-Address
4016 Tu40 IKE SHA+3DES 0 0 3.5.7.1

R4#sh cry ips sa

interface: Tunnel4
Crypto map tag: Tunnel4-head-0, local addr 3.5.7.1

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 9.7.3.0 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 3.5.7.1, remote crypto endpt.: 9.7.3.0
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0.71
current outbound spi: 0x0(0)


R4#sh cry map
Crypto Map "Tunnel4-head-0" 65536 ipsec-isakmp
Profile name: R4-R2-VTI
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): Y
DH group: group2
Transform sets={
R4-R2-SET,
}

Crypto Map "Tunnel4-head-0" 65537 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 9.7.3.0
Extended IP access list
access-list permit ip any any
Current peer: 9.7.3.0
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): Y
DH group: group2
Transform sets={
R4-R2-SET,
}
Interfaces using crypto map Tunnel4-head-0:
Tunnel4

For anyone that happens to come across this thread:

As mentioned above, XO gave us a /29 and used static routing to get traffic across a /30 to us. Unfortunately XO duplicated the /30 IP in their network, which was making it impossible for the GRE tunnel to come up. The IPSEC tunnel was coming up because their static route only pointed to us.

And the answer to my initial question is yes, once I got the GRE tunnel and IPSEC working at the same time the output of "show tunnel interface" now says "Mode:GRE/IP".
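As an added example (not from the thread, and not Cisco code), a small Python cross-check of the two tunnel endpoints in the R2 and R4 excerpts above: it reports the VTI mode (`tunnel mode ipsec ipv4`) that makes `show tunnel interface` print Mode:IPSEC/IP rather than the default GRE/IP, flags a source/destination address disagreement between the two ends like the /30 versus /29 mix-up described in the last post, and flags GRE keepalives combined with tunnel protection, the point m.kafka raised. The config strings are constructed from the posted excerpts; `FACTS`, `parse` and `check_pair` are names chosen here.

```python
import re
# Constructed excerpts of the R2 and R4 configs posted above (addresses exactly as posted).
R2_CFG = """\
interface Tunnel4
 tunnel source GigabitEthernet0/0.21
 tunnel mode ipsec ipv4
 tunnel destination 3.5.7.1
 tunnel protection ipsec profile R2-R4-VTI
interface GigabitEthernet0/0.21
 ip address 5.7.1.0 255.255.255.252
"""
R4_CFG = """\
interface Tunnel4
 tunnel source GigabitEthernet0/0.71
 tunnel destination 9.7.3.0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile R4-R2-VTI
interface GigabitEthernet0/0.71
 ip address 3.5.7.1 255.255.255.0
"""
# Interface sub-commands the checks use; "mode" only matches the VTI form, GRE/IP being the IOS default.
FACTS = (("ip", r"ip address (\S+)"), ("source", r"tunnel source (\S+)"), ("dest", r"tunnel destination (\S+)"),
         ("mode", r"tunnel mode (ipsec ipv4)"), ("protection", r"tunnel protection ipsec profile (\S+)"), ("keepalive", r"(keepalive)"))

def parse(cfg):
    """Return {interface name: facts} from an IOS running-config excerpt."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"mode": "gre ip"})  # IOS default tunnel mode
        elif cur is not None and line.startswith(" "):
            for key, pat in FACTS:
                m = re.match(pat, line.strip())
                if m:
                    cur[key] = m.group(1)
    return ifaces

def check_pair(local_cfg, remote_cfg, tunnel="Tunnel4"):
    """Cross-check one tunnel from both ends; an empty list means the endpoints agree."""
    li, ri = parse(local_cfg), parse(remote_cfg)
    lt, rt = li[tunnel], ri[tunnel]
    lsrc, rsrc = li[lt["source"]]["ip"], ri[rt["source"]]["ip"]
    findings = []
    if lt["mode"] == "ipsec ipv4":
        findings.append("tunnel mode ipsec ipv4 (VTI): show tunnel interface reports Mode:IPSEC/IP, not GRE/IP")
    for label, got, want in (("remote destination", rt["dest"], lsrc), ("local destination", lt["dest"], rsrc)):
        if got != want:
            findings.append(f"{label} {got} != the other end's tunnel source address {want}")
    if "protection" in lt and "keepalive" in lt:
        findings.append("GRE keepalive configured together with tunnel protection (see the reply above)")
    return findings
```

Run `check_pair(R2_CFG, R4_CFG)` and then `check_pair(R4_CFG, R2_CFG)` to see both sides; the posted excerpts produce the VTI-mode note plus the 5.7.1.0 versus 9.7.3.0 endpoint mismatch.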
