11-03-2008 11:56 AM - edited 02-21-2020 04:01 PM
Hi,
We have created an IPsec tunnel that works from a VRF but not from the global routing table. Here is the scenario:
crypto keyring tunnel vrf tunnel
 pre-shared-key address 0.0.0.0 0.0.0.0 key xxxxx
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile tunnel
 description tunnel
 vrf tunnel
 keyring tunnel
 match identity address 0.0.0.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map test 1 ipsec-isakmp
 set peer 81.81.81.81
 set transform-set ESP-3DES-SHA
 set isakmp-profile tunnel
 match address 103
 reverse-route
!
vrf tunnel
 rd 100:1
!
interface GigabitEthernet0/1.484
 description Routing
 encapsulation dot1Q 484
 ip address 10.5.24.121 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip split-horizon
 ip ospf priority 0
 standby 184 ip 10.5.24.120
 standby 184 name HA-in
!
interface GigabitEthernet0/1.487
 encapsulation dot1Q 487
 ip vrf forwarding tunnel
 ip address 10.5.27.2 255.255.255.248
!
interface GigabitEthernet0/0.1
 description Sweden
 encapsulation dot1Q 412
 ip address 91.91.91.40 255.255.255.240
 standby version 2
 standby 512 ip 91.91.91.18
 standby 512 name HA-out
 standby 512 track GigabitEthernet0/1.484
!
interface GigabitEthernet0/0.413
 description tunnel
 encapsulation dot1Q 413
 ip vrf forwarding tunnel
 ip address 91.91.91.40 255.255.255.240
 crypto map test
!
access-list 103 permit ip any 10.190.150.64 0.0.0.31
!
ip route 10.190.150.64 255.255.255.192 GigabitEthernet0/0.413
ip route vrf tunnel 0.0.0.0 0.0.0.0 91.91.91.33
ip route vrf tunnel 10.5.24.0 255.255.255.0 GigabitEthernet0/1.484 10.5.24.4 global
ip route vrf tunnel 10.190.150.64 255.255.255.224 91.91.91.33
If I do:
ping vrf tunnel 10.190.150.65 source 10.5.27.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.190.150.65, timeout is 2 seconds:
Packet sent with a source address of 10.5.27.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/80/84 ms
It works fine; the packet is encapsulated and sent across the IPsec tunnel.
Now, if I ping from the global routing table,
ping 10.190.150.65 source 10.5.24.121
I don't get any response.
I've checked the counters on the IPsec crypto and they are incrementing in both directions (pkt encaps and decaps).
We are very close, but something is wrong locally with the packet on its way back; it is quite frustrating.
What did we miss? I followed the instructions given from this link: http://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtml
thank you for your help in advance
alex
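To make the return-path problem concrete, here is an added example that is not part of the original post: a small per-VRF longest-prefix-match simulator loaded with the interfaces and static routes from the configuration above. It traces where each packet goes in the VRF "tunnel" table versus the global table. The lookup engine, the function names (Router, build_router, trace_ping) and the assumption that the decrypted reply is looked up in the VRF of the crypto-map interface (Gi0/0.413, i.e. "tunnel") are my own modelling of IOS behaviour, not Cisco's implementation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    egress: Optional[str]          # outgoing interface; "local" = address owned by this router
    next_hop: Optional[str] = None
    global_nh: bool = False        # 'ip route vrf X ... <nh> global': resolve nh in the global table


class Router:
    """Per-VRF longest-prefix-match lookup (simplified model of an IOS box; assumption)."""

    def __init__(self):
        self.tables = {"global": []}   # vrf name -> list of Route

    def add_interface(self, vrf, name, addr):
        iface = ipaddress.ip_interface(addr)
        table = self.tables.setdefault(vrf, [])
        table.append(Route(ipaddress.ip_network(f"{iface.ip}/32"), "local"))  # receive route
        table.append(Route(iface.network, name))                               # connected route

    def add_static(self, vrf, prefix, egress=None, next_hop=None, global_nh=False):
        self.tables.setdefault(vrf, []).append(
            Route(ipaddress.ip_network(prefix), egress, next_hop, global_nh))

    def lookup(self, vrf, dst):
        dst = ipaddress.ip_address(dst)
        best = None
        for r in self.tables.get(vrf, []):
            if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def forward(self, vrf, dst, depth=0):
        """Returns ("local", vrf), ("out", iface, next_hop) or ("drop",)."""
        r = self.lookup(vrf, dst)
        if r is None or depth > 4:
            return ("drop",)
        if r.egress == "local":
            return ("local", vrf)
        if r.egress is not None:
            # explicit egress interface: send out that interface, toward next_hop if given, else dst
            return ("out", r.egress, r.next_hop or dst)
        # next-hop-only route: recursive lookup to find the interface facing the next hop
        nh_vrf = "global" if r.global_nh else vrf
        resolved = self.forward(nh_vrf, r.next_hop, depth + 1)
        if resolved[0] != "out":
            return ("drop",)
        return ("out", resolved[1], r.next_hop)


def build_router():
    """Interfaces and static routes taken from the configuration in the post."""
    rt = Router()
    rt.add_interface("global", "GigabitEthernet0/1.484", "10.5.24.121/24")
    rt.add_interface("global", "GigabitEthernet0/0.1", "91.91.91.40/28")
    rt.add_interface("tunnel", "GigabitEthernet0/1.487", "10.5.27.2/29")
    rt.add_interface("tunnel", "GigabitEthernet0/0.413", "91.91.91.40/28")   # crypto map lives here
    rt.add_static("global", "10.190.150.64/26", egress="GigabitEthernet0/0.413")
    rt.add_static("tunnel", "0.0.0.0/0", next_hop="91.91.91.33")
    rt.add_static("tunnel", "10.5.24.0/24", egress="GigabitEthernet0/1.484",
                  next_hop="10.5.24.4", global_nh=True)
    rt.add_static("tunnel", "10.190.150.64/27", next_hop="91.91.91.33")
    return rt


def trace_ping(rt, src_vrf, src, dst):
    """Forward lookup in the source VRF, then the lookup for the decrypted reply.
    Assumption: the reply is decrypted on Gi0/0.413 and therefore routed in VRF 'tunnel'."""
    return rt.forward(src_vrf, dst), rt.forward("tunnel", src)


if __name__ == "__main__":
    rt = build_router()
    # Working case: source in the VRF, reply to 10.5.27.2 is a local address of VRF 'tunnel'
    print("vrf ping   ", trace_ping(rt, "tunnel", "10.5.27.2", "10.190.150.65"))
    # Failing case: source in global; reply to 10.5.24.121 is looked up in VRF 'tunnel',
    # where the router's own global address is not local, so it is sent out toward 10.5.24.4
    print("global ping", trace_ping(rt, "global", "10.5.24.121", "10.190.150.65"))
```

Running it shows the two outcomes side by side: the reply to the VRF-sourced ping is delivered locally, while the reply to the global-sourced ping matches the leaked 10.5.24.0/24 route and leaves the router toward 10.5.24.4, which is exactly the "sent to the next hop but not forwarded back" symptom described in the follow-up post.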
11-05-2008 03:41 AM
We found the issue. The packet was sent to the next hop, but it was not forwarding the packet back to the router. We configured another router (where we have interfaces 10.5.27.4 and 10.5.24.28) and it worked. For those who want to build such a config, here is the answer!
ip route 10.5.27.0 255.255.255.248 GigabitEthernet0/1.487 10.5.27.4 (another router)
ip route 10.190.150.64 255.255.255.224 GigabitEthernet0/1.487 10.5.27.4 (other router)
ip route vrf norway 10.5.24.0 255.255.255.0 GigabitEthernet0/1.484 10.5.24.28 (other router)
ping 10.190.150.65 source 10.5.24.121
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.190.150.65, timeout is 2 seconds:
Packet sent with a source address of 10.5.24.121
!!!!!
regards
alex