01-25-2013 07:06 AM - edited 02-21-2020 06:39 PM
Hi everyone,
I'm sure this topic has been beaten to death already on these forums. Nevertheless I have yet to find the exact solution I need. I have three devices, Two routers and one ASA. One of the routers sits behind the ASA and I have a GRE VTI setup between the two routers with ASA NATting one of the routers to a public IP. I can secure the tunnel using transport mode IPsec but as soon as I switch to tunnel mode, communication fails even though the SA gets established.
Please see the configuration below and tell me what I'm missing please. I've changed IP addresses for security.
The following config works when transform-set is set to transport mode
Note: Router 2 sits behind the ASA and is NATed to the public ip 200.1.1.2
Router 1:
crypto ipsec transform-set SEC esp-aes 256 esp-md5-hmac
mode tunnel
!
crypto ipsec profile IPSEC
set transform-set SEC
!
!
interface Tunnel2
ip address 172.16.1.1 255.255.255.252
tunnel source 200.1.1.1
tunnel destination 200.1.1.2
tunnel protection ipsec profile IPSEC
!
crypto isakmp key SECURITYKEY address 200.1.1.2
!
crypto isakmp policy 1
encr aes 256
hash md5
authentication pre-share
group 2
ASA:
static (inside,outside) 200.1.1.2 10.1.1.1 netmask 255.255.255.255
Router 2:
interface Tunnel121
ip address 172.16.1.2 255.255.255.252
ip nat inside
ip virtual-reassembly
tunnel source 10.1.1.1
tunnel destination 200.1.1.1
tunnel protection ipsec profile IPSEC
!
crypto ipsec transform-set SEC esp-aes 256 esp-md5-hmac
mode tunnel
!
crypto ipsec profile IPSEC
set transform-set SEC
!
crypto isakmp key SECURITYKEY address 200.1.1.1
!
crypto isakmp policy 2
encr aes 256
hash md5
authentication pre-share
group 2
There are no access-lists on the ASA except to allow ICMP any any
I greatly appreciate any guidance you guys can provide in advance.
01-26-2013 12:58 AM
Hi
MTU and overhead was the issue here.
You have changed encapsulation to ipv4 instead of GRE - which have less overhead (no GRE inside). That's why it started working.
If you still want to use GRE you need to decrease MTU as described.
---
Michal
01-25-2013 08:21 AM
Hi,
A lot of overhead with that cipher model and tunnel mode.
Try to change MTU and MSS on interface tunnel 121 (and tunnel2):
ip mtu 1400
ip tcp adjust-mss 1360
---
Michal
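To put numbers behind the MTU/MSS advice above (and behind the later observation that dropping GRE reduces overhead), here is an added sizing calculation that is not part of the original thread or anyone's posted configuration. It uses the standard header sizes for IPv4, GRE without key/sequence fields, ESP in tunnel mode with AES-CBC (16-byte IV and block padding) and HMAC-MD5-96 (12-byte ICV), which matches the esp-aes 256 esp-md5-hmac transform set in the thread; the optional 8-byte UDP header is the NAT-T encapsulation that may be negotiated when an endpoint sits behind NAT. Inner packet lengths and the 1500-byte link MTU are constructed inputs.

```python
# Added example: size GRE-over-IPsec versus plain VTI (tunnel mode ipsec ipv4)
# encapsulation to see why "ip mtu 1400" / "ip tcp adjust-mss 1360" avoid
# fragmentation. Header sizes are the standard ones for the protocols named.
IPV4_HDR = 20
GRE_HDR = 4          # GRE without key/sequence options
TCP_HDR = 20
UDP_HDR = 8          # NAT-T (UDP/4500) wrapper, only if NAT-T is negotiated
ESP_HDR = 8          # SPI + sequence number
AES_BLOCK = 16       # AES-CBC IV size and padding granularity
ESP_TRAILER = 2      # pad-length + next-header bytes
MD5_96_ICV = 12      # HMAC-MD5-96 truncated ICV


def esp_tunnel_size(inner_len, nat_t=False):
    """Outer IPv4 packet length of an ESP tunnel-mode packet that carries
    inner_len bytes of plaintext (the full inner IP packet)."""
    # ESP pads so that payload + trailer is a multiple of the cipher block.
    pad = (-(inner_len + ESP_TRAILER)) % AES_BLOCK
    size = (IPV4_HDR + ESP_HDR + AES_BLOCK      # new outer IP header, ESP, IV
            + inner_len + pad + ESP_TRAILER     # encrypted payload + trailer
            + MD5_96_ICV)                       # integrity check value
    if nat_t:
        size += UDP_HDR
    return size


def gre_over_ipsec_size(ip_packet_len, nat_t=False):
    """GRE VTI protected by tunnel-mode IPsec: the original packet is first
    wrapped in a GRE delivery IP header + GRE header, then ESP wraps that."""
    return esp_tunnel_size(IPV4_HDR + GRE_HDR + ip_packet_len, nat_t)


def vti_ipsec_size(ip_packet_len, nat_t=False):
    """IPsec VTI (tunnel mode ipsec ipv4): ESP tunnel mode wraps the packet
    directly, no GRE layer."""
    return esp_tunnel_size(ip_packet_len, nat_t)


def max_inner_mtu(wrap, link_mtu=1500, nat_t=False):
    """Largest inner IP packet that wrap() still fits in link_mtu bytes
    without post-encryption fragmentation."""
    best = 0
    for n in range(1, link_mtu + 1):
        if wrap(n, nat_t=nat_t) <= link_mtu:
            best = n
    return best


def mss_for_mtu(ip_mtu):
    """TCP MSS that fits an IP MTU: subtract the IPv4 and TCP headers."""
    return ip_mtu - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    for label, wrap in (("GRE over IPsec", gre_over_ipsec_size),
                        ("IPsec VTI (ipsec ipv4)", vti_ipsec_size)):
        for nat_t in (False, True):
            print(f"{label:24s} NAT-T={str(nat_t):5s} "
                  f"1500B inner -> {wrap(1500, nat_t=nat_t)}B on the wire, "
                  f"max inner MTU {max_inner_mtu(wrap, nat_t=nat_t)}")
    print("ip mtu 1400 -> adjust-mss", mss_for_mtu(1400))
```

The output shows why a full-size 1500-byte packet cannot survive either encapsulation unfragmented, why the GRE variant costs a further 24 bytes per packet, and that the 1400/1360 pair from the post leaves headroom for GRE over IPsec on a 1500-byte link. One caveat worth checking on a NAT-traversing tunnel: if NAT-T is negotiated, the extra UDP header pushes the GRE case just over 1500 at ip mtu 1400, so verify with the actual negotiated encapsulation before settling on a value.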
01-25-2013 12:03 PM
Thank you for the suggestion Michael. The MTU sizes are going to definitely come in handy for optimizing these tunnels. I actually figured out how to make this work after several days of banging on the keyboard.
The missing command from each of those VTI configs was:
tunnel mode ipsec ipv4
Therefore:
interface Tunnel2
ip address 172.16.1.1 255.255.255.252
tunnel source 200.1.1.1
tunnel destination 200.1.1.2
tunnel protection ipsec profile IPSEC
tunnel mode ipsec ipv4
That seems to have fixed it. I'm not sure why but apparently that's what is needed to get tunnels traversing NAT. Without NAT, the two endpoints work in tunnel mode without this command.