IPSEC VTI and OSPF

I have 5 routers (soon to be 6) with tunnels (all VTI) between them.

I also have a basic OSPF setup running here (previously it was RIP), and all networks can talk to each other; however, there is one routing issue, where it takes a longer path to the remote network.

The Configs:

R1:

interface Tunnel0
 description tunnel to detroit office
 ip address 172.28.40.1 255.255.255.0
 ip ospf network broadcast
 ip ospf mtu-ignore
 tunnel source xx
 tunnel destination xxx
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface Tunnel1
 description tunnel to San Diego Office
 ip address 172.28.42.1 255.255.255.0
 ip ospf network broadcast
 ip ospf mtu-ignore
 tunnel source xxx
 tunnel destination xxx
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface Tunnel2
 description tunnel to Detroit DC
 ip address 172.28.43.1 255.255.255.0
 ip ospf network broadcast
 ip ospf mtu-ignore
 tunnel source xxx
 tunnel destination xx
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface Tunnel3
 description tunnel to detroit office - standby
 ip address 172.28.51.1 255.255.255.0
 ip ospf network broadcast
 ip ospf mtu-ignore
 tunnel source GigabitEthernet0/0
 tunnel destination xxx
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
router ospf 42
 log-adjacency-changes
 network 10.87.1.0 0.0.0.255 area 0
 network 172.28.40.0 0.0.0.255 area 0
 network 172.28.42.0 0.0.0.255 area 0
 network 172.28.43.0 0.0.0.255 area 0
 network 172.28.51.0 0.0.0.255 area 0
!

cerberus#sh ip route ospf
     172.28.0.0/24 is subnetted, 7 subnets
O       172.28.49.0 [110/2000] via 172.28.42.2, 05:47:06, Tunnel1
O       172.28.50.0 [110/2000] via 172.28.42.2, 05:47:06, Tunnel1
O       172.28.41.0 [110/2000] via 172.28.42.2, 05:47:06, Tunnel1
                    [110/2000] via 172.28.40.2, 05:47:06, Tunnel0
     10.0.0.0/24 is subnetted, 2 subnets
O       10.87.2.0 [110/2001] via 172.28.42.2, 05:47:06, Tunnel1
O    192.168.1.0/24 [110/1001] via 172.28.42.2, 05:47:06, Tunnel1
O    192.168.2.0/24 [110/1001] via 172.28.40.2, 05:47:06, Tunnel0
cerberus#

As you can see, for 10.87.2.x it is going through the 192 network, when it has a direct tunnel through Tunnel2.

R2:

interface Tunnel0
 description tunnel to AIS San Diego
 ip address 172.28.42.2 255.255.255.0
 ip ospf network broadcast
 ip ospf mtu-ignore
 tunnel source GigabitEthernet0
 tunnel mode ipsec ipv4
 tunnel destination xxx
 tunnel protection ipsec profile VTI
!
interface Tunnel1
 description tunnel to detroit office
 ip address 172.28.41.1 255.255.255.0
 ip ospf network broadcast
 ip ospf mtu-ignore
 tunnel source GigabitEthernet0
 tunnel mode ipsec ipv4
 tunnel destination xxx
 tunnel protection ipsec profile VTI
!
interface Tunnel2
 description tunnel to Detroit Data Center
 ip address 172.28.49.1 255.255.255.0
 ip ospf network broadcast
 ip ospf mtu-ignore
 tunnel source GigabitEthernet0
 tunnel mode ipsec ipv4
 tunnel destination xxx
 tunnel protection ipsec profile VTI
!
interface Tunnel3
 description tunnel to Detroit t1 router
 ip address 172.28.50.1 255.255.255.0
 ip ospf network broadcast
 ip ospf mtu-ignore
 tunnel source GigabitEthernet0
 tunnel mode ipsec ipv4
 tunnel destination xxx
 tunnel protection ipsec profile VTI
!
router ospf 42
 log-adjacency-changes
 network 172.28.41.0 0.0.0.255 area 0
 network 172.28.42.0 0.0.0.255 area 0
 network 172.28.49.0 0.0.0.255 area 0
 network 172.28.50.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
!

#sh ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 24.43.240.137 to network 0.0.0.0

      10.0.0.0/24 is subnetted, 2 subnets
O        10.87.1.0 [110/1001] via 172.28.42.1, 03:55:51, Tunnel0
O        10.87.2.0 [110/1001] via 172.28.49.2, 03:55:51, Tunnel2
      172.28.0.0/16 is variably subnetted, 11 subnets, 2 masks
O        172.28.40.0/24 [110/2000] via 172.28.42.1, 03:55:51, Tunnel0
                        [110/2000] via 172.28.41.2, 03:55:51, Tunnel1
O        172.28.43.0/24 [110/2000] via 172.28.49.2, 03:55:51, Tunnel2
                        [110/2000] via 172.28.42.1, 03:55:51, Tunnel0
O        172.28.51.0/24 [110/2000] via 172.28.50.2, 03:55:51, Tunnel3
                        [110/2000] via 172.28.42.1, 03:55:51, Tunnel0
O     192.168.2.0/24 [110/1001] via 172.28.50.2, 03:55:51, Tunnel3
                     [110/1001] via 172.28.41.2, 03:55:51, Tunnel1

R2 is the router that R1 ends up using when connecting to 10.87.2.x.

Any advice on, one, how to fix this, and, two, the general setup would be wonderful. I am new to OSPF and feel like I could have done a better job here (maybe using an area per site).


Jennifer Halim
Cisco Employee

There doesn't seem to be a tunnel with the 172.28.43.0/24 subnet configured on R2, and 172.28.43.0/24 is not advertised on R2 in OSPF. Looks like you might have been missing this particular tunnel on R2, hence the issue.

R2 is the router R1 is using to get to the destination that Tunnel 1 on R1 is connected to.

Tunnel 1 on R3 is a VTI tunnel to Tunnel 3 on R1.

R1 is currently using tunnel 1 on R1 to hop to R2 and then uses tunnel 2 to get to R3.

If that makes sense.

Here is the config for R3:

!
interface Tunnel1
 description tunnel to AIS San Diego
 ip address 172.28.43.2 255.255.255.0
 ip ospf mtu-ignore
 tunnel source xxx
 tunnel destination xxx
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface Tunnel2
 description tunnel to San Diego Main Office
 ip address 172.28.49.2 255.255.255.0
 ip ospf network broadcast
 ip ospf mtu-ignore
 tunnel source xxx
 tunnel destination xxx
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
router ospf 42
 log-adjacency-changes
 network 10.87.2.0 0.0.0.255 area 0
 network 172.28.43.0 0.0.0.255 area 0
 network 172.28.49.0 0.0.0.255 area 0
!

sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 199.16.189.209 to network 0.0.0.0

     172.28.0.0/24 is subnetted, 7 subnets
C       172.28.49.0 is directly connected, Tunnel2
O       172.28.50.0 [110/2000] via 172.28.49.1, 02:32:05, Tunnel2
O       172.28.51.0 [110/3000] via 172.28.49.1, 02:32:05, Tunnel2
O       172.28.40.0 [110/3000] via 172.28.49.1, 02:32:05, Tunnel2
O       172.28.41.0 [110/2000] via 172.28.49.1, 02:32:05, Tunnel2
O       172.28.42.0 [110/2000] via 172.28.49.1, 02:32:05, Tunnel2
C       172.28.43.0 is directly connected, Tunnel1
     10.0.0.0/24 is subnetted, 2 subnets
O       10.87.1.0 [110/2001] via 172.28.49.1, 02:32:05, Tunnel2
C       10.87.2.0 is directly connected, GigabitEthernet0/1
     199.16.189.0/28 is subnetted, 1 subnets
C       199.16.189.208 is directly connected, GigabitEthernet0/0
O    192.168.1.0/24 [110/1001] via 172.28.49.1, 02:32:05, Tunnel2
O    192.168.2.0/24 [110/2001] via 172.28.49.1, 02:32:05, Tunnel2

And got it, I needed to put

ip ospf network broadcast

on Tunnel1. Now the routes look correct.. damn that's embarrassing.
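The fix found in this thread (both ends of a VTI must agree on the OSPF network type, here R1 Tunnel2 had `ip ospf network broadcast` while R3 Tunnel1 did not) is the kind of mismatch that is easy to miss by eye across several routers and easy to check mechanically. The script below is an added example, not code from the thread or from Cisco. It parses Cisco-style interface configs for a set of routers, pairs tunnel ends by the /24 they share, flags pairs whose OSPF network type differs, and also lists subnets seen on only one router (the "missing tunnel" case raised in the first reply). It assumes the IOS default network type for a Tunnel interface is point-to-point when no `ip ospf network` line is present; the sample configs are constructed from the thread's addressing and are not the poster's full configs.

```python
"""Audit OSPF network types on both ends of IPsec VTI tunnels (added example)."""
import ipaddress
import re
from collections import defaultdict

# Assumption: with no 'ip ospf network' line, an IOS Tunnel interface
# runs OSPF as point-to-point. That is what produced the mismatch in the thread.
DEFAULT_TUNNEL_NETWORK_TYPE = "point-to-point"

INTERFACE_RE = re.compile(r"^interface\s+(\S+)")
IP_ADDRESS_RE = re.compile(r"^ip address\s+(\S+)\s+(\S+)")
NETWORK_TYPE_RE = re.compile(r"^ip ospf network\s+(\S+)")


def parse_tunnels(config_text):
    """Return {interface: {"subnet": IPv4Network, "network_type": str}} for Tunnel interfaces."""
    tunnels = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = INTERFACE_RE.match(line)
        if m:
            name = m.group(1)
            current = name if name.startswith("Tunnel") else None
            if current:
                tunnels[current] = {"subnet": None,
                                    "network_type": DEFAULT_TUNNEL_NETWORK_TYPE}
            continue
        if line == "!":          # end of the current interface stanza
            current = None
            continue
        if current is None:      # not inside a Tunnel stanza
            continue
        m = IP_ADDRESS_RE.match(line)
        if m:
            iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            tunnels[current]["subnet"] = iface.network
            continue
        m = NETWORK_TYPE_RE.match(line)
        if m:
            tunnels[current]["network_type"] = m.group(1)
    return tunnels


def _tunnel_ends(configs):
    """Group tunnel ends from all routers by the subnet they sit on."""
    ends = defaultdict(list)  # subnet -> [(router, interface, network_type)]
    for router, text in configs.items():
        for ifname, info in parse_tunnels(text).items():
            if info["subnet"] is not None:
                ends[info["subnet"]].append((router, ifname, info["network_type"]))
    return ends


def find_mismatches(configs):
    """Subnets whose tunnel ends disagree on OSPF network type: [(subnet, [ends])]."""
    out = []
    for subnet, members in sorted(_tunnel_ends(configs).items(), key=lambda kv: str(kv[0])):
        if len(members) >= 2 and len({m[2] for m in members}) > 1:
            out.append((str(subnet), sorted(members)))
    return out


def find_unpaired(configs):
    """Tunnel subnets seen on only one of the supplied routers: [(subnet, [ends])]."""
    out = []
    for subnet, members in sorted(_tunnel_ends(configs).items(), key=lambda kv: str(kv[0])):
        if len(members) == 1:
            out.append((str(subnet), members))
    return out


# Constructed sample, modelled on the thread: R1 Tunnel2 <-> R3 Tunnel1 is the
# mismatched pair, R1 Tunnel1 <-> R2 Tunnel0 is consistent, and R1 Tunnel0 has
# no peer among the supplied configs.
SAMPLE_CONFIGS = {
    "R1": """
interface Tunnel0
 ip address 172.28.40.1 255.255.255.0
 ip ospf network broadcast
 tunnel mode ipsec ipv4
!
interface Tunnel1
 ip address 172.28.42.1 255.255.255.0
 ip ospf network broadcast
!
interface Tunnel2
 ip address 172.28.43.1 255.255.255.0
 ip ospf network broadcast
!
router ospf 42
 network 172.28.43.0 0.0.0.255 area 0
!
""",
    "R2": """
interface Tunnel0
 ip address 172.28.42.2 255.255.255.0
 ip ospf network broadcast
!
""",
    "R3": """
interface Tunnel1
 ip address 172.28.43.2 255.255.255.0
 ip ospf mtu-ignore
!
interface GigabitEthernet0/1
 ip address 10.87.2.1 255.255.255.0
!
""",
}

if __name__ == "__main__":
    for subnet, ends in find_mismatches(SAMPLE_CONFIGS):
        print(f"MISMATCH {subnet}: " + ", ".join(f"{r} {i} ({t})" for r, i, t in ends))
    for subnet, ends in find_unpaired(SAMPLE_CONFIGS):
        print(f"UNPAIRED {subnet}: only seen on {ends[0][0]} {ends[0][1]}")
```

Run against real `show running-config` captures, the mismatch list is the first thing to check when an OSPF route over a VTI takes a longer path than expected; the unpaired list catches the case where a tunnel simply was not configured on the far side.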

Ahh OK, got it, R3 wasn't in the picture earlier.

Thanks for the update.

rahimbhamani
Level 1

How many tunnels can an IPsec profile (VTI) name be applied to? In our case there are 500+ branches. We created a point-to-point tunnel at the hub site for all branches. Can we apply the same IPsec profile VTI (same profile) to all the tunnel interfaces?