Running two different Tunnels over 1 GRE: Issues

Kaushik Ray
Level 1

Hello All

I am having an issue setting up two separate tunnels running over a single GRE; is this something that is possible?

I would be grateful to have your advice.

I am able to ping across the tunnel (120) using the VRF, but as soon as I add tunnel 121, which is native (not using a VRF), I can ping across the new tunnel 121 but cannot ping across the original tunnel 120.

Background of the setup.

R1  ------- Internet -------- R2

R1

!
crypto keyring IPsec-KEY vrf Internet
  pre-shared-key address 0.0.0.0 0.0.0.0 key KEY
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp invalid-spi-recovery
crypto isakmp profile ISAKMP-profile
   keyring IPsec-KEY
   match identity address 0.0.0.0 Internet
!
crypto ipsec transform-set trans esp-aes esp-md5-hmac
 mode transport
!
crypto ipsec profile IPSEC-profile
 set security-association lifetime seconds 86400
 set transform-set trans
 set pfs group2
 set isakmp-profile ISAKMP-profile
!
!
interface Tunnel120
 vrf forwarding mgmt
 bandwidth 256
 ip address 10.169.9.81 255.255.255.252
 ip mtu 1376
 ip tcp adjust-mss 1360
 tunnel source Loopback810
 tunnel destination xxx.xxx.xxx.xxx
 tunnel vrf Internet
 tunnel protection ipsec profile IPSEC-profile shared
!

R2 mirrors this config, but as soon as I add Tunnel121 with the following config I get connectivity to 121.

Tunnel 121 I configured as follows:

interface Tunnel121
 ip address 10.190.12.249 255.255.255.252
 ip mtu 1376
 ip tcp adjust-mss 1360
 tunnel source Loopback810
 tunnel destination xxx.xxx.xxx.xxx
 tunnel vrf Internet
 tunnel protection ipsec profile IPSEC-profile shared
!

Please advise if I am making some errors.

Also let me know if any more information is required on this.

Thanks in advance,



I think in a scenario like this you need different tunnel-keys on both tunnels to make that work.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thanks a lot, Karsten, for your reply; by a different tunnel key on each tunnel, do you mean

for Tu120

!
crypto keyring IPsec-KEY1 vrf Internet
  pre-shared-key address 0.0.0.0 0.0.0.0 key KEY1
!

and for Tu121

!
crypto keyring IPsec-KEY2 vrf Internet
  pre-shared-key address 0.0.0.0 0.0.0.0 key KEY2
!

and create separate ISAKMP profiles and then follow the whole process?

thanks again

No, I mean the following:

interface Tunnel120
  tunnel key 120

interface Tunnel121
  tunnel key 121


Thanks a lot, Karsten, for your advice on this. This is working; I do not know how to thank you!

Karsten,

One more thing I am seeing on this is the following: one of the tunnels stays "UP-NO-IKE". Is that something that is normal?

I have added the command crypto isakmp invalid-spi-recovery at either end, but the VPN status stays like this.

Crypto session current status

Interface: Tunnel120 Tunnel121
Session status: UP-NO-IKE
Peer: xxx.xxx.xxx.xxx port 500
  IPSEC FLOW: permit 47 host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx
        Active SAs: 2, origin: crypto map

Interface: FastEthernet0/0
Profile: ISAKMP-profile
Session status: UP-IDLE
Peer: xxx.xxx.xxx.xxx port 500
  IKE SA: local xxx.xxx.xxx.xxx/500 remote xxx.xxx.xxx.xxx/500 Active

Your "UP-NO-IKE" is caused by your quite uncommon lifetime config. Your ISAKMP has a shorter lifetime than the IPsec SAs. After 28800 seconds your ISAKMP SA gets deleted, but your IPsec SAs stay up. That's what you see with UP-NO-IKE. The normal way to configure it is to have a longer lifetime for ISAKMP than for IPsec.


Thanks again. I changed the config at either end:

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2

crypto ipsec profile IPSEC-profile
 set security-association lifetime seconds 78800
 set transform-set trans-hcc
 set pfs group2
 set isakmp-profile ISAKMP-profile
!

cleared crypto

and established the tunnel once more, but it comes back:

Interface: Tunnel120 Tunnel121
Session status: UP-NO-IKE

How did you clear the crypto? And have you checked that they were really gone?


Did the following:

RTR#clear crypto ses
RTR#sh crypto session
Crypto session current status

Interface: Tunnel120 Tunnel121
Session status: DOWN
Peer: xxx.xxx.xxx.xxx port 500
  IPSEC FLOW: permit 47 host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx
        Active SAs: 0, origin: crypto map

Interface: FastEthernet0/0
Profile: ISAKMP-profile
Session status: DOWN-NEGOTIATING
Peer: xxx.xxx.xxx.xxx port 500
  IKE SA: local xxx.xxx.xxx.xxx/500 remote xxx.xxx.xxx.xxx/500 Inactive

RTR#ping 10.190.12.249 repeat 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 10.190.12.249, timeout is 2 seconds:
.!!!!!!!!!
Success rate is 90 percent (9/10), round-trip min/avg/max = 1/3/4 ms

RTR#sh crypto session
Crypto session current status

Interface: Tunnel120 Tunnel121
Session status: UP-NO-IKE
Peer: xxx.xxx.xxx.xxx port 500
  IPSEC FLOW: permit 47 host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx
        Active SAs: 2, origin: crypto map

Interface: FastEthernet0/0
Profile: ISAKMP-profile
Session status: UP-IDLE
Peer: xxx.xxx.xxx.xxx port 500
  IKE SA: local xxx.xxx.xxx.xxx/500 remote xxx.xxx.xxx.xxx/500 Inactive
  IKE SA: local xxx.xxx.xxx.xxx/500 remote xxx.xxx.xxx.xxx/500 Active

I can't reproduce that. What's your complete config and IOS-version?


The two routers have the following IOS versions:

c2800nm-adventerprisek9-mz.150-1.M9.bin

2800nm-advipservicesk9-mz.124-22.T5.bin

I will pass on the whole configs; could the fact that I am using version 15 on one, which is normally for ISR G2, be causing problems?

could the fact that I am using version 15 on one, which is normally for ISR G2, be causing problems?

I don't think so. I'm also running IOS 15.0/15.1/15.2 nearly everywhere, but some sites still have 12.4T and there are no problems.


Thanks, I have sent you the whole configs in a private message.

With a config that uses VRFs like in your scenario, I get the same result of UP-NO-IKE. But with the relevant show commands you can see that the ISAKMP SA is built and available. I also didn't see any negative impact on the function of the various tunnels, so for me it seems that it works as it should.

Some more feedback on your config:

  1. Group 2 is more or less a DH group that should be phased out. Start to move to group 5 or group 14 where possible.
  2. Your MTU/MSS settings are not consistent. With an MSS of 1360, the MTU of 1376 (and why are they set on the tunnel?) doesn't make any sense with an IP/TCP header of 40 bytes.
  3. If you know your peers, it's better to avoid wildcard PSKs. Better to use one PSK for only one connection.

Happy X-Mas!

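The three points Karsten raises in this thread (two GRE tunnels with identical source, destination and tunnel vrf but no distinct tunnel key; an ISAKMP lifetime shorter than the IPsec SA lifetime, which surfaces as UP-NO-IKE; and an MTU/MSS pair that does not differ by the 40-byte IP+TCP header) can be checked before a config is pushed. The linter below is an added example, not code from the thread or from Cisco; the sample config is constructed from the R1 snippet above and the peer address 198.51.100.1 is a documentation-range placeholder.

```python
import re
# Constructed sample modelled on the R1 config in the thread; the peer address is a placeholder.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 lifetime 28800
crypto ipsec profile IPSEC-profile
 set security-association lifetime seconds 86400
interface Tunnel120
 ip mtu 1376
 ip tcp adjust-mss 1360
 tunnel source Loopback810
 tunnel destination 198.51.100.1
 tunnel vrf Internet
interface Tunnel121
 tunnel source Loopback810
 tunnel destination 198.51.100.1
 tunnel vrf Internet
"""
KEYS = (r"(lifetime|set security-association lifetime seconds|ip mtu|ip tcp adjust-mss"
        r"|tunnel source|tunnel destination|tunnel vrf|tunnel key) (\S+)$")
def sections(text):
    """Split an IOS config into [(header, {keyword: value})] stanzas."""
    out = []
    for line in text.splitlines():
        if line and line[0] not in " !":          # top-level command starts a stanza
            out.append((line.strip(), {}))
        elif out and (m := re.match(KEYS, line.strip())):
            out[-1][1][m.group(1)] = m.group(2)
    return out

def lint(text):
    """Return findings for the three problems raised in the thread."""
    findings, isakmp_life, ipsec_life, peers = [], 86400, 3600, {}   # IOS default lifetimes
    for header, kv in sections(text):
        if header.startswith("crypto isakmp policy"):
            isakmp_life = int(kv.get("lifetime", isakmp_life))
        elif header.startswith("crypto ipsec profile"):
            ipsec_life = int(kv.get("set security-association lifetime seconds", ipsec_life))
        elif header.startswith("interface Tunnel"):
            mtu, mss = int(kv.get("ip mtu", 0)), int(kv.get("ip tcp adjust-mss", 0))
            if mtu and mss and mtu - mss != 40:   # 20-byte IP + 20-byte TCP header
                findings.append(f"{header}: mtu {mtu} minus mss {mss} is not 40")
            ep = (kv.get("tunnel source"), kv.get("tunnel destination"), kv.get("tunnel vrf"))
            peers.setdefault(ep, []).append((header, kv.get("tunnel key")))
    if isakmp_life < ipsec_life:   # IKE SA expires before the IPsec SAs: shows as UP-NO-IKE
        findings.append(f"ISAKMP lifetime {isakmp_life}s < IPsec SA lifetime {ipsec_life}s")
    for tunnels in peers.values():   # GRE tunnels with identical endpoints need distinct keys
        if len(tunnels) > 1 and len({k for _, k in tunnels if k is not None}) < len(tunnels):
            findings.append(", ".join(t for t, _ in tunnels) + ": need distinct 'tunnel key'")
    return findings
```

Running lint(SAMPLE_CONFIG) reports all three problems; adding tunnel key 120/121, raising the ISAKMP lifetime above the IPsec one and setting the MSS to 1336 makes it return an empty list.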