IPSEC VPN DOESN'T WORK WITH IP IN IP TUNNELS

Hello Everyone.

I have 3 sites that I want to connect over the internet using IPsec. I am using EIGRP as my routing protocol and I am able to establish connectivity between the 3 sites. However, I cannot establish IPsec over the tunnels and I think it is because of the tunnel mode ipip command. If I remove the tunnel mode ipip command so the tunnel defaults to GRE, EIGRP will not form an adjacency.

 

Here is an excerpt of the configuration for 2 of the sites.

SITE A

AAA_CRT01#sh crypto session
Crypto session current status

Interface: FastEthernet0
Session status: DOWN
Peer: ccc.ccc.ccc.ccc port 500
IPSEC FLOW: permit 47 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.10.0/255.255.255.0 192.168.0.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.10.0/255.255.255.0 172.30.0.0/255.255.255.0
Active SAs: 0, origin: crypto map

AAA_CRT01#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H   Address         Interface   Hold  Uptime    SRTT  RTO   Q    Seq
                                (sec)           (ms)        Cnt  Num
1   10.30.0.1       Tu1           14  01:15:52    44  1470  0    144
0   10.0.0.1        Tu0           14  01:15:53    53  1476  0    2652

 


!
crypto isakmp policy 1
encr aes
hash sha512
authentication pre-share
group 2
crypto isakmp key VVVVVVVVVV address ccc.ccc.ccc.ccc
crypto isakmp key VVVVVVVVVV address bbb.bbb.bbb.bbb
!
!
crypto ipsec transform-set AAA_VPN esp-aes esp-sha512-hmac
mode tunnel
!
!
!
crypto map AAA_VPN_MAP 10 ipsec-isakmp
set peer ccc.ccc.ccc.ccc
set peer bbb.bbb.bbb.bbb
set transform-set AAA_VPN
match address 110
!
!
!
!
!
!
interface Tunnel0
description VPN TUNNEL TO BBB
ip address 10.0.0.2 255.255.255.252
tunnel source aaa.aaa.aaa.aaa
tunnel mode ipip
tunnel destination bbb.bbb.bbb.bbb
!
interface Tunnel1
description VPN TUNNEL TO CCC
ip address 10.30.0.2 255.255.255.252
tunnel source aaa.aaa.aaa.aaa
tunnel mode ipip
tunnel destination ccc.ccc.ccc.ccc
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
description CONNECTION TO NGCOM
ip address aaa.aaa.aaa.aaa 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map AAA_VPN_MAP
!
interface GigabitEthernet0
description CONNECTION TO UAP-PRO
no ip address
!
interface GigabitEthernet1
description CONNECTION TO UAP-IW
no ip address
!
interface GigabitEthernet2
switchport access vlan 100
no ip address
!
interface GigabitEthernet3
switchport access vlan 100
no ip address
!
interface GigabitEthernet4
description CONNECTION TO TP-LINK SWITCH
switchport access vlan 100
no ip address
!
interface GigabitEthernet5
switchport access vlan 100
no ip address
!
interface GigabitEthernet6
switchport access vlan 100
no ip address
!
interface GigabitEthernet7
switchport access vlan 100
no ip address
!
interface GigabitEthernet8
no ip address
shutdown
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
interface Vlan100
description LAN INTERFACE
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Async3
no ip address
encapsulation slip
!
!
router eigrp 100
network 10.0.0.2 0.0.0.0
network 10.30.0.2 0.0.0.0
network 192.168.10.0
passive-interface Vlan100
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface FastEthernet0 overload
ip route 0.0.0.0 0.0.0.0 aaa.aaa.aaa.aa9 name INTERNET_ROUTE
!
!
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 permit ip 192.168.10.0 0.0.0.255 172.30.0.0 0.0.0.255
access-list 110 permit gre any any
!
control-plane

 

 

SITE C


CCC_CRT01#sh crypto session
Crypto session current status

Interface: GigabitEthernet0/0
Session status: DOWN
Peer: aaa.aaa.aaa.aaa port 500
IPSEC FLOW: permit ip 172.30.0.0/255.255.255.0 192.168.10.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 172.30.0.0/255.255.255.0 192.168.0.0/255.255.255.0
Active SAs: 0, origin: crypto map

CCC_CRT01#sh ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H   Address         Interface   Hold  Uptime    SRTT  RTO   Q    Seq
                                (sec)           (ms)        Cnt  Num
1   10.30.0.2       Tu1           14  00:43:14    38  1476  0    1842
0   11.0.0.2        Tu0           11  15:02:15    15  1476  0    2651

!
!
!
crypto isakmp policy 1
encr aes
hash sha256
authentication pre-share
group 5
crypto isakmp key XXXXXXXXXX address bbb.bbb.bbb.bbb
crypto isakmp key VVVVVVVVVVV address ccc.ccc.ccc.ccc.ccc
!
!
crypto ipsec transform-set AAA_VPN esp-aes esp-sha512-hmac
mode tunnel
!
!
!
crypto map IGPES_LOS_PHC 20 ipsec-isakmp
set peer aaa.aaa.aaa.aaa
set peer bbb.bbb.bbb.bbb
set transform-set AAA_VPN
match address 110
!
!
!
!
!
interface Tunnel0
description VPN TUNNEL TO BBB OFFICE
ip address 11.0.0.1 255.255.255.252
tunnel source ccc.ccc.ccc.ccc
tunnel mode ipip
tunnel destination bbb.bbb.bbb.bbb
!
interface Tunnel1
description VPN TUNNEL TO AAA
ip address 10.30.0.1 255.255.255.252
tunnel source ccc.ccc.ccc.ccc
tunnel mode ipip
tunnel destination aaa.aaa.aaa.aaa
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description CONNECTION TO SERVICE PROVIDER
ip address ccc.ccc.ccc.ccc 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map IGPES_LOS_PHC
!
interface GigabitEthernet0/1
description CONNECTION TO LOCAL AREA NETWORK
ip address 172.30.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
service-policy input TRAFFIC_POLICY
!
interface GigabitEthernet0/0/0
no ip address
!
interface GigabitEthernet0/0/1
no ip address
!
interface GigabitEthernet0/0/2
no ip address
!
interface GigabitEthernet0/0/3
no ip address
!
interface Vlan1
no ip address
!
!
router eigrp 100
network 10.30.0.1 0.0.0.0
network 11.0.0.0 0.0.0.3
network 172.30.0.0 0.0.0.255
passive-interface GigabitEthernet0/1
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
no ip nat service sip udp port 5060
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 ccc.ccc.ccc.9 name IPNx_INTERNET_ROUTE
!
access-list 1 permit 172.30.0.0 0.0.0.255
access-list 110 permit ip 172.30.0.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 permit ip 172.30.0.0 0.0.0.255 192.168.0.0 0.0.0.255

 

I would appreciate any suggestions as to why IPsec is not working.

 

Thanks very much for your assistance

 

6 Replies

@Christopher Kofon on Site C you are not permitting GRE in ACL 110. In a GRE over IPSec VPN you only specify GRE between peers, not the other interesting traffic.

Your NAT ACL needs to explicitly deny traffic from the local network to the remote VPN network, otherwise you will unintentionally translate the traffic over the VPN.

Ideally you run a VTI or GRE over IPSec with tunnel protection (tunnel interfaces but without the crypto map).
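One way to check a config excerpt for the three problems this reply names (an IP-in-IP tunnel carrying plaintext, a crypto ACL that does not match GRE between the peers, and a NAT ACL with no exemption for the VPN traffic), as an added example that is not code from this thread or from Cisco: a small Python audit over constructed excerpts. `SITE_C_AS_POSTED` is built from the Site C config above using the thread's placeholder addresses; `SITE_C_FIXED` is the same site rewritten as a plain GRE tunnel with a GRE-only crypto ACL and an extended NAT ACL (ACL number 100 is an assumption made here). It also compares the phase-1 policies of the two posted configs, which the thread does not discuss but which differ in hash and DH group in the excerpts above.

```python
"""Audit Cisco IOS excerpts for the GRE over IPsec mistakes raised in this thread.
Added example, not from the thread or Cisco; excerpts are constructed from the posted
configs with the thread's placeholder addresses."""
import re

# Constructed from Site C as posted: IP-in-IP tunnel, crypto ACL with no GRE entry,
# NAT ACL that does not exempt traffic bound for the remote LAN.
SITE_C_AS_POSTED = """\
crypto isakmp policy 1
 encr aes
 hash sha256
 group 5
crypto map IGPES_LOS_PHC 20 ipsec-isakmp
 match address 110
interface Tunnel1
 tunnel mode ipip
 tunnel destination aaa.aaa.aaa.aaa
ip nat inside source list 1 interface GigabitEthernet0/0 overload
access-list 1 permit 172.30.0.0 0.0.0.255
access-list 110 permit ip 172.30.0.0 0.0.0.255 192.168.10.0 0.0.0.255
"""

# Site C rewritten along the lines of the reply above: GRE tunnel (IOS default, so no
# 'tunnel mode'), crypto ACL matching only GRE between the peers, extended NAT ACL 100
# (number chosen here) that exempts VPN traffic, phase-1 policy aligned with Site A.
SITE_C_FIXED = """\
crypto isakmp policy 1
 encr aes
 hash sha512
 group 2
crypto map IGPES_LOS_PHC 20 ipsec-isakmp
 match address 110
interface Tunnel1
 tunnel destination aaa.aaa.aaa.aaa
ip nat inside source list 100 interface GigabitEthernet0/0 overload
access-list 100 deny ip 172.30.0.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit ip 172.30.0.0 0.0.0.255 any
access-list 110 permit gre host ccc.ccc.ccc.ccc host aaa.aaa.aaa.aaa
"""

# Site A's phase-1 policy as posted, used for the peer comparison.
SITE_A_POLICY = "crypto isakmp policy 1\n encr aes\n hash sha512\n group 2\n"


def parse_config(text):
    """Extract ACL entries, the ACLs used by the crypto map and by NAT, the tunnel
    mode per interface, and the ISAKMP policy parameters."""
    cfg = {"acl": {}, "crypto_acl": set(), "nat_acl": set(), "tunnel_mode": {}, "isakmp": {}}
    section = None  # interface or policy block that indented lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):  # an unindented line starts a new top-level command
            section = None
        if m := re.match(r"access-list (\d+) (permit|deny) (.*)", line):
            cfg["acl"].setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif line.startswith("interface "):
            section = line.split()[1]
        elif line.startswith("crypto isakmp policy"):
            section = "isakmp"
        elif section == "isakmp" and line.split()[0] in ("encr", "hash", "group"):
            cfg["isakmp"][line.split()[0]] = line.split()[1]
        elif m := re.match(r"match address (\d+)", line):
            cfg["crypto_acl"].add(m.group(1))
        elif m := re.match(r"ip nat inside source list (\d+)", line):
            cfg["nat_acl"].add(m.group(1))
        elif section and (m := re.match(r"tunnel mode (.+)", line)):
            cfg["tunnel_mode"][section] = m.group(1)
    return cfg


def audit(cfg, remote_lans):
    """Findings the reply above would raise; an empty list means the excerpt passes."""
    out = []
    for ifname, mode in sorted(cfg["tunnel_mode"].items()):
        if mode == "ipip":
            out.append(f"{ifname}: tunnel mode ipip is plaintext; use GRE or tunnel mode ipsec ipv4")
    for acl in sorted(cfg["crypto_acl"]):
        entries = cfg["acl"].get(acl, [])
        if not any(a == "permit" and r.startswith("gre ") for a, r in entries):
            out.append(f"crypto ACL {acl}: no permit gre between peers, tunnel traffic never triggers IKE")
        if any(a == "permit" and r.startswith("ip ") for a, r in entries):
            out.append(f"crypto ACL {acl}: LAN-to-LAN permit ip entries do not belong in a GRE over IPsec ACL")
    for acl in sorted(cfg["nat_acl"]):
        for lan in remote_lans:
            if not any(a == "deny" and lan in r for a, r in cfg["acl"].get(acl, [])):
                out.append(f"NAT ACL {acl}: no deny for traffic to {lan}, VPN traffic would be translated")
    return out


def isakmp_mismatch(local, peer):
    """Names of phase-1 parameters (encr/hash/group) that differ between two parsed configs."""
    keys = set(local["isakmp"]) | set(peer["isakmp"])
    return sorted(k for k in keys if local["isakmp"].get(k) != peer["isakmp"].get(k))


if __name__ == "__main__":
    site_a = parse_config(SITE_A_POLICY)
    for name, text in (("as posted", SITE_C_AS_POSTED), ("fixed", SITE_C_FIXED)):
        cfg = parse_config(text)
        print(f"Site C {name}: {audit(cfg, ['192.168.10.0']) or 'no findings'}")
        print(f"  phase-1 mismatch vs Site A: {isakmp_mismatch(cfg, site_a)}")
```

On the posted excerpt this reports four findings (ipip tunnel, missing GRE entry, stray LAN-to-LAN entries, no NAT exemption) and a hash/group mismatch against Site A; the fixed excerpt reports none. The checks are string-level and cover only the patterns from this thread, so they complement rather than replace `show crypto session` on the router.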

tunnel mode ipip <<- why do you use this command?

I found that EIGRP doesn't form if I don't use this command. IOS version is 152-4.

Hmm, that is interesting.
You can configure

tunnel mode ipsec ipv4

and check the EIGRP neighbor.

@Christopher Kofon well ipip is not encrypted, so won't give you an IPsec VPN. Configure GRE over IPSec using the suggestions above in the first reply to resolve your issue.

Thank you @MHM Cisco World and @Rob Ingram 

I will schedule a time to make the changes to the configuration and I will update the community with the results. Thank you all for your assistance.