ipsec tunnel traffic from global to vrf and the way back!

durale1789
Level 1

Hi,

We have created an ipsec tunnel working from a vrf but not from the global routing table. Here is the scenario:

crypto keyring tunnel vrf tunnel
 pre-shared-key address 0.0.0.0 0.0.0.0 key xxxxx
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile tunnel
 description tunnel
 vrf tunnel
 keyring tunnel
 match identity address 0.0.0.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map test 1 ipsec-isakmp
 set peer 81.81.81.81
 set transform-set ESP-3DES-SHA
 set isakmp-profile tunnel
 match address 103
 reverse-route
!
vrf tunnel
 rd 100:1
!
interface GigabitEthernet0/1.484
 description Routing
 encapsulation dot1Q 484
 ip address 10.5.24.121 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip split-horizon
 ip ospf priority 0
 standby 184 ip 10.5.24.120
 standby 184 name HA-in
!
interface GigabitEthernet0/1.487
 encapsulation dot1Q 487
 ip vrf forwarding tunnel
 ip address 10.5.27.2 255.255.255.248
!
interface GigabitEthernet0/0.1
 description Sweden
 encapsulation dot1Q 412
 ip address 91.91.91.40 255.255.255.240
 standby version 2
 standby 512 ip 91.91.91.18
 standby 512 name HA-out
 standby 512 track GigabitEthernet0/1.484
!
interface GigabitEthernet0/0.413
 description tunnel
 encapsulation dot1Q 413
 ip vrf forwarding tunnel
 ip address 91.91.91.40 255.255.255.240
 crypto map test
!
access-list 103 permit ip any 10.190.150.64 0.0.0.31
!
ip route 10.190.150.64 255.255.255.192 GigabitEthernet0/0.413
ip route vrf tunnel 0.0.0.0 0.0.0.0 91.91.91.33
ip route vrf tunnel 10.5.24.0 255.255.255.0 GigabitEthernet0/1.484 10.5.24.4 global
ip route vrf tunnel 10.190.150.64 255.255.255.224 91.91.91.33

If I do:

ping vrf tunnel 10.190.150.65 source 10.5.27.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.190.150.65, timeout is 2 seconds:
Packet sent with a source address of 10.5.27.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/80/84 ms

it works fine: the packet is encapsulated and sent across the IPsec tunnel.

Now, if I ping from the global routing table,

ping 10.190.150.65 source 10.5.24.121

I don't get any response.

I've checked the counters from the IPsec crypto and they are incrementing in both directions (pkt encaps and decaps).

We are very close, but something is wrong locally with the packet on its way back; it is quite frustrating.

What did we miss? I followed the instructions given at this link: http://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtml

Thank you for your help in advance.

alex
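Added example, not from the post or from Cisco: a small longest-prefix-match resolver loaded with the global and VRF "tunnel" tables transcribed from the configuration above. It reproduces the two lookups the question turns on: the global-table static route that steers 10.190.150.65 onto the crypto-map interface GigabitEthernet0/0.413 (which lives in the VRF), and the VRF route with the "global" keyword that hands the reply for 10.5.24.121 back to the global table via 10.5.24.4. The Route class, the table layout and the function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: Optional[str] = None
    next_hop: Optional[str] = None
    next_hop_global: bool = False   # models the 'global' keyword on 'ip route vrf'

def _r(prefix, **kw):
    return Route(ipaddress.ip_network(prefix), **kw)

# Global and VRF 'tunnel' tables transcribed from the configuration in the post:
# connected networks derived from the interface addresses plus the static routes.
TABLES = {
    "global": [
        _r("10.5.24.0/24", interface="GigabitEthernet0/1.484"),      # connected
        _r("91.91.91.32/28", interface="GigabitEthernet0/0.1"),      # connected
        _r("10.190.150.64/26", interface="GigabitEthernet0/0.413"),  # static, crypto-map interface
    ],
    "tunnel": [
        _r("10.5.27.0/29", interface="GigabitEthernet0/1.487"),      # connected
        _r("91.91.91.32/28", interface="GigabitEthernet0/0.413"),    # connected
        _r("0.0.0.0/0", next_hop="91.91.91.33"),                     # static default
        _r("10.5.24.0/24", interface="GigabitEthernet0/1.484",
           next_hop="10.5.24.4", next_hop_global=True),              # static, next hop in global
        _r("10.190.150.64/27", next_hop="91.91.91.33"),              # static, remote LAN
    ],
}

def lookup(vrf: str, dst: str) -> Optional[Route]:
    """Longest-prefix match of dst in the named table (None if nothing matches)."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in TABLES[vrf] if addr in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)

def egress(vrf: str, dst: str, max_hops: int = 8):
    """Resolve dst to (table, interface): follow next hops recursively, moving to
    the global table where a VRF route carries the 'global' keyword."""
    table, target = vrf, dst
    for _ in range(max_hops):
        route = lookup(table, target)
        if route is None or route.next_hop is None:   # no route, or connected: done
            return table, route.interface if route else None
        table = "global" if route.next_hop_global else table
        target = route.next_hop
    return table, None   # recursion limit hit (a next-hop loop)
```

egress("global", "10.190.150.65") lands on GigabitEthernet0/0.413, while egress("tunnel", "10.5.24.121") ends in the global table on GigabitEthernet0/1.484, which is the path the reply must take.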

1 Reply 1

durale1789
Level 1

We found the issue: the packet is sent to the next hop, but it was not forwarding the packet back to the router. We have configured another router (where we have interfaces 10.5.27.4 and 10.5.24.28) and it worked. For those who want to make such a config, here is the answer!!

ip route 10.5.27.0 255.255.255.248 GigabitEthernet0/1.487 10.5.27.4 (another router)
ip route 10.190.150.64 255.255.255.224 GigabitEthernet0/1.487 10.5.27.4 (other router)
ip route vrf norway 10.5.24.0 255.255.255.0 GigabitEthernet0/1.484 10.5.24.28 (other router)

ping 10.190.150.65 source 10.5.24.121
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.190.150.65, timeout is 2 seconds:
Packet sent with a source address of 10.5.24.121
!!!!!

regards

alex
