05-13-2014 02:07 AM - edited 02-21-2020 07:38 PM
Hi All,
I am trying to configure a static IPsec tunnel between two routers. Router R1 has only a global routing table [no VRF].
Router R2 has two routing tables:
* vrf INET - used for internet connectivity
* global routing table - used for VPN routes
Here are basic configs:
R1
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 7V7u841k2D3Q7v98d6Y4z0zF address 203.0.0.3
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set TRSET_AES-256_SHA esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile TUNNEL-IPSEC-PROTEC
set transform-set TRSET_AES-256_SHA
!
interface Loopback0
ip address 10.0.1.1 255.255.255.255
ip ospf 1 area 0
!
interface Tunnel0
ip address 192.168.255.34 255.255.255.252
ip ospf 1 area 0
tunnel source FastEthernet0/0
tunnel destination 203.0.0.3
tunnel mode ipsec ipv4
tunnel protection ipsec profile TUNNEL-IPSEC-PROTEC
!
interface FastEthernet0/0
ip address 102.0.0.1 255.255.255.0
!
ip route 203.0.0.3 255.255.255.255 FastEthernet0/0 102.0.0.2
#######################################################
R2
ip vrf INET
rd 1:1
!
crypto keyring test vrf INET
pre-shared-key address 102.0.0.1 key 7V7u841k2D3Q7v98d6Y4z0zF
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp invalid-spi-recovery
crypto isakmp profile test
keyring test
match identity address 102.0.0.1 255.255.255.255
!
crypto ipsec transform-set TRSET_AES-256_SHA esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile TUNNEL-IPSEC-PROTEC
set transform-set TRSET_AES-256_SHA
set isakmp-profile test
!
interface Loopback0
ip address 10.0.2.2 255.255.255.255
ip ospf 1 area 0
!
interface Tunnel0
ip address 192.168.255.33 255.255.255.252
ip ospf 1 area 0
tunnel source FastEthernet0/0
tunnel destination 102.0.0.1
tunnel mode ipsec ipv4
tunnel vrf INET
tunnel protection ipsec profile TUNNEL-IPSEC-PROTEC
!
interface FastEthernet0/0
ip vrf forwarding INET
ip address 203.0.0.3 255.255.255.0
!
ip route 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2
#######################################################
There is one router between R1 and R2; it is used only for connectivity:
interface FastEthernet0/0
ip address 102.0.0.2 255.255.255.0
!
interface FastEthernet0/1
ip address 203.0.0.2 255.255.255.0
The problem is that the tunnel is not coming UP; I cannot get through phase I.
IPsec VPNs are not my strength. So if someone could show me what mistake I am making, I would really appreciate that.
I attached the output of #debug crypto isakmp from R2.
05-13-2014 03:28 AM
Hi,
Regarding your configuration, I don't see the crypto map part of the configuration. Also I don't see a crypto map applied on the interface, and you are probably missing the access-list which specifies the traffic that should go through the tunnel.
Please check this nice tutorial on how to configure an IPsec tunnel between two routers.
Regards,
Jan
05-13-2014 03:38 AM
This is an SVTI (Static Virtual Template Interface) protected by IPsec in transport mode, and there is no need to configure a crypto map or traffic selector.
05-13-2014 03:39 AM
I encountered this issue in my lab. It was caused by a VRF-related misconfiguration.
interface Tunnel0
ip vrf forwarding INET
ip address 192.168.255.33 255.255.255.252
ip ospf 1 area 0
tunnel source FastEthernet0/0
tunnel destination 102.0.0.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile TUNNEL-IPSEC-PROTEC
!
ip route vrf INET 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2
If that configuration does not work, please check the ISAKMP VRF-related configuration.
05-13-2014 04:42 AM
Hi David,
Thanks for the reply, but I need interface Tunnel0 to be in the global routing table. The source and destination endpoints of the tunnel are in vrf INET.
05-13-2014 05:14 AM
As the Tunnel0 source and destination belong to VRF INET, the static route needs to be updated.
ip route vrf INET 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2
crypto isakmp profile test
vrf INET
keyring test
match identity address 102.0.0.1 255.255.255.255
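The front-door VRF consistency David points at, as an added example that is not part of the thread: a small Python checker that parses a simplified IOS running-config and flags a protected tunnel whose peer route, `tunnel vrf`, or pre-shared key is not in the VRF of the tunnel source interface. The parser and the checks are mine; the embedded sample is R2 from the thread as originally posted (constructed from the configs above, with the key replaced by a placeholder), and R2_FIXED is the same config with the accepted static-route fix applied. Only the command forms used in the sample are understood.

```python
"""Front-door-VRF (FVRF) consistency check for IOS SVTI tunnels.

Added example, not code from the thread. Parses a simplified IOS config and
reports why ISAKMP phase 1 cannot start when the tunnel source sits in a VRF,
e.g. the peer route living in the global table instead of the VRF table.
"""
import ipaddress

# Constructed sample: R2 from the thread as originally posted (PSK replaced).
R2_BROKEN = """\
crypto keyring test vrf INET
 pre-shared-key address 102.0.0.1 key EXAMPLE-PSK
!
interface Tunnel0
 ip address 192.168.255.33 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 102.0.0.1
 tunnel mode ipsec ipv4
 tunnel vrf INET
 tunnel protection ipsec profile TUNNEL-IPSEC-PROTEC
!
interface FastEthernet0/0
 ip vrf forwarding INET
 ip address 203.0.0.3 255.255.255.0
!
ip route 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2
"""
# The accepted fix: move the peer route into the front-door VRF.
R2_FIXED = R2_BROKEN.replace("ip route 102.0.0.1", "ip route vrf INET 102.0.0.1")


def parse_blocks(config):
    """Group an IOS config into (top-level command, [indented sub-commands])."""
    blocks = []
    for raw in config.splitlines():
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        elif raw.strip() and raw.strip() != "!":
            blocks.append((raw.strip(), []))
    return blocks


def parse_config(config):
    """Extract interfaces, keyrings (global PSKs included) and static routes."""
    m = {"interfaces": {}, "keyrings": {}, "routes": []}
    for header, body in parse_blocks(config):
        w = header.split()
        if w[0] == "interface":
            i = {"vrf": None, "addr": None, "src": None, "dst": None,
                 "tunnel_vrf": None, "protected": False}
            for c in (cmd.split() for cmd in body):
                if c[:3] == ["ip", "vrf", "forwarding"]:
                    i["vrf"] = c[3]
                elif c[:2] == ["ip", "address"]:
                    i["addr"] = ipaddress.ip_interface(f"{c[2]}/{c[3]}")
                elif c[:2] == ["tunnel", "source"]:
                    i["src"] = c[2]
                elif c[:2] == ["tunnel", "destination"]:
                    i["dst"] = ipaddress.ip_address(c[2])
                elif c[:2] == ["tunnel", "vrf"]:
                    i["tunnel_vrf"] = c[2]
                elif c[:2] == ["tunnel", "protection"]:
                    i["protected"] = True
            m["interfaces"][w[1]] = i
        elif w[:2] == ["crypto", "keyring"]:
            # 'crypto keyring NAME [vrf FVRF]': keys are looked up per front-door VRF
            vrf = w[4] if len(w) > 4 and w[3] == "vrf" else None
            peers = [ipaddress.ip_address(c.split()[2]) for c in body
                     if c.startswith("pre-shared-key address ")]
            m["keyrings"][w[2]] = {"vrf": vrf, "peers": peers}
        elif w[:3] == ["crypto", "isakmp", "key"]:
            # plain 'crypto isakmp key KEY address PEER' only serves the global FVRF
            g = m["keyrings"].setdefault("(global)", {"vrf": None, "peers": []})
            g["peers"].append(ipaddress.ip_address(w[5]))
        elif w[:2] == ["ip", "route"]:
            vrf, p = (w[3], 4) if w[2] == "vrf" else (None, 2)
            m["routes"].append((vrf, ipaddress.ip_network(f"{w[p]}/{w[p + 1]}")))
    return m


def reachable(m, vrf, dst):
    """True if DST is connected or statically routed inside routing table VRF."""
    connected = any(i["addr"] is not None and i["vrf"] == vrf and dst in i["addr"].network
                    for i in m["interfaces"].values())
    return connected or any(rv == vrf and dst in net for rv, net in m["routes"])


def lint(config):
    """Return a list of findings; an empty list means the FVRF plumbing is consistent."""
    m, findings = parse_config(config), []
    for name, i in m["interfaces"].items():
        if not i["protected"] or i["dst"] is None:
            continue
        src = m["interfaces"].get(i["src"])
        if src is None:
            findings.append(f"{name}: tunnel source {i['src']} is not configured")
            continue
        fvrf, label = src["vrf"], src["vrf"] or "global"  # source interface VRF = FVRF
        if i["tunnel_vrf"] != fvrf:
            findings.append(f"{name}: 'tunnel vrf' is {i['tunnel_vrf'] or 'not set'} "
                            f"but source {i['src']} is in VRF {label}")
        if not reachable(m, fvrf, i["dst"]):
            findings.append(f"{name}: no route to peer {i['dst']} in VRF {label}")
        if not any(k["vrf"] == fvrf and i["dst"] in k["peers"] for k in m["keyrings"].values()):
            findings.append(f"{name}: no pre-shared key for peer {i['dst']} in VRF {label}")
    return findings
```

Running `lint(R2_BROKEN)` reports only the missing VRF route for the peer, and `lint(R2_FIXED)` reports nothing: the keyring is already tied to vrf INET, so the one table that ISAKMP and ESP actually use for the outer packets is the only thing that was wrong. Dropping the `tunnel vrf INET` line from the sample produces a second finding, which is the other way this topology is commonly broken.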
05-13-2014 06:12 AM
You are right David, I missed the static route in VRF INET.
And vrf INET under the isakmp profile solved the issue with IPsec.
Thanks a lot for help!
05-13-2014 07:53 AM
It is my pleasure and honor to know the solution can help.
Regards,
David