
IP Sec Tunnel Recursive routing

vikamchintan
Level 1

Hi Team,

Attached is the tunnel topology. I am trying to build an IPsec tunnel from R1 to R7.

Following are the R1 config and the R7 config:

R1
en
ter len 0
conf t
host R1
ip access-list extended Tun_R1_R7
permit gre host 30.0.0.1 host 30.0.0.9
exit
crypto isakmp policy 10
authentication pre-share
hash md5
encryption aes 256
group 24
!
crypto isakmp key Tunnel1_7 address 30.0.0.9
!
crypto ipsec transform-set Tun1_7 esp-aes esp-sha-hmac
mode transport
exit
crypto map R1_R7 10 ipsec-isakmp
match address Tun_R1_R7
set transform Tun1_7
set peer 30.0.0.9
exit
int lo0
ip add 1.1.1.1 255.255.255.255
int gi0/0
ip add 30.0.0.1 255.255.255.252
crypto map R1_R7
no shut
int gi0/1
ip add 10.0.0.1 255.255.255.252
no shut
int gi0/2
ip add 10.0.0.65 255.255.255.252
no shut
int gi0/3
ip add 11.0.0.1 255.255.255.252
no shut
int tun1
bandwidth 4000
ip add 50.0.0.1 255.255.255.252
ip mtu 1400
tunnel source gi0/0
tunnel destination 30.0.0.9
exit
router ospf 1
router-id 1.1.1.1
network 11.0.0.0 0.0.0.3 area 0
network 10.0.0.0 0.0.0.127 area 1
exit
router bgp 65012
bgp router-id 1.1.1.1
neighbor 30.0.0.2 remote-as 65120
neighbor 30.0.0.2 activate
neighbor 50.0.0.2 remote-as 65078
neighbor 50.0.0.2 activate
network 30.0.0.0 mask 255.255.255.252
network 50.0.0.0 mask 255.255.255.252
distance 200 50.0.0.2 0.0.0.0
end

 

R7

en
ter len 0
conf t
host R7
ip access-list extended Tun_R1_R7
permit gre host 30.0.0.9 host 30.0.0.1
exit
crypto isakmp policy 10
authentication pre-share
hash md5
encryption aes 256
group 24
!
crypto isakmp key Tunnel1_7 address 30.0.0.1
!
crypto ipsec transform-set Tun1_7 esp-aes esp-sha-hmac
mode transport
exit
crypto map R1_R7 10 ipsec-isakmp
match address Tun_R1_R7
set transform Tun1_7
set peer 30.0.0.1
exit
int lo0
ip add 7.7.7.7 255.255.255.255
int gi0/0
ip add 30.0.0.9 255.255.255.252
crypto map R1_R7
no shut
int gi0/1
ip add 20.0.0.1 255.255.255.252
no shut
int gi0/2
ip add 20.0.0.65 255.255.255.252
no shut
int gi0/3
ip add 21.0.0.1 255.255.255.252
no shut
int tun1
bandwidth 4000
ip add 50.0.0.2 255.255.255.252
ip mtu 1400
tunnel source gi0/0
tunnel destination 30.0.0.1
exit
router ospf 2
router-id 7.7.7.7
network 21.0.0.0 0.0.0.3 area 0
network 20.0.0.0 0.0.0.127 area 1
exit
router bgp 65078
bgp router-id 7.7.7.7
neighbor 30.0.0.10 remote-as 65120
neighbor 30.0.0.10 activate
neighbor 50.0.0.1 remote-as 65012
neighbor 50.0.0.1 activate
network 30.0.0.8 mask 255.255.255.252
network 50.0.0.0 mask 255.255.255.252
distance 200 50.0.0.1 0.0.0.0
end
wr
sh ip int br
sh run | sec router

 

In between R1 and R7, BGP and OSPF routing run on SP_R1 and SP_R2, and routes are redistributed too.

But I got the log shown in the attached Tun_topology_recursive route log.jpg.

I am unable to understand where I went wrong here.

I tested the same thing with the tunnel network 50.0.0.0/30 routed over OSPF and it was successful there. But here it went wrong.

Please let me know what's wrong here. 

3 Replies

The tunnel has two layers:
overlay network 50.0.0.0/30
underlay network 30.0.0.0/30

Your mistake is that you configured both under BGP; that is not correct.
Under BGP you must advertise only the overlay network 50.0.0.0/30 and remove 30.0.0.0/30 (tunnel source/destination).


vikamchintan
Level 1

Hi MHM Cisco World,

Thank you for your reply and correcting me.

So any tunneling network I configure has to be routed separately.

Yes, the tunnel IP and any route that uses the tunnel must be configured, in your case, under BGP.

The tunnel source must not be configured under BGP.
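
The rule given in the replies (advertise the tunnel network under BGP, not the tunnel source/destination network) can be checked against a config before it is applied. The following is an added example, not code from any poster in this thread; the function names and the trimmed R1 sample are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: only the R1 lines from the question that matter for this check.
R1_CONFIG = """\
int gi0/0
ip add 30.0.0.1 255.255.255.252
int tun1
ip add 50.0.0.1 255.255.255.252
tunnel source gi0/0
tunnel destination 30.0.0.9
router bgp 65012
network 30.0.0.0 mask 255.255.255.252
network 50.0.0.0 mask 255.255.255.252
"""

def parse(config):
    """Return (interface addresses, tunnel endpoints, BGP networks) from IOS-style text."""
    addrs, tunnels, bgp_nets, section = {}, {}, [], None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"int(?:erface)?\s+(\S+)", line):
            section = ("int", m.group(1).lower())
        elif m := re.match(r"router\s+(\S+)", line):
            section = ("router", m.group(1))
        elif section and section[0] == "int":
            name = section[1]
            if m := re.match(r"ip add(?:ress)?\s+(\S+)\s+(\S+)", line):
                addrs[name] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            elif m := re.match(r"tunnel source\s+(\S+)", line):
                tunnels.setdefault(name, {})["source"] = m.group(1).lower()
            elif m := re.match(r"tunnel destination\s+(\S+)", line):
                tunnels.setdefault(name, {})["dest"] = ipaddress.ip_address(m.group(1))
        elif section == ("router", "bgp") and (m := re.match(r"network\s+(\S+)\s+mask\s+(\S+)", line)):
            bgp_nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return addrs, tunnels, bgp_nets

def underlay_leaks(config):
    """List (tunnel, role, address, network) where a BGP network covers a tunnel endpoint."""
    addrs, tunnels, bgp_nets = parse(config)
    findings = []
    for name, t in sorted(tunnels.items()):
        endpoints = {"destination": t.get("dest")}
        if t.get("source") in addrs:  # source given as an interface name
            endpoints["source"] = addrs[t["source"]].ip
        for role, ip in sorted(endpoints.items()):
            for net in bgp_nets:
                if ip is not None and ip in net:
                    findings.append((name, role, str(ip), str(net)))
    return findings
```

On the sample, `underlay_leaks(R1_CONFIG)` reports the tunnel source 30.0.0.1 as covered by the BGP `network 30.0.0.0 mask 255.255.255.252` statement; with that statement removed it reports nothing.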