Re: Unidirectional IPSec tunnel

pgalligan · ‎11-14-2007

I have 3 routers (2 x 2811, 1 x 1841 all with hardware encryption) on 12.4(17) code. Customer was using GRE tunnels inside IPSec tunnels (using crypto maps) for the purpose of enabling dynamic routing between the sites. The DR router was moved to a new location with a different Internet IP address. Since then we have had issues with the IPSec tunnels (which makes me suspect there were issues before, even though the customer claims it was working ok). IOS code was 12.4(4)T, we have upgraded due to the issues we had. Also configured PSK instead of certs to eliminate that as an issue. Will go back to using certs once we get it all working.

Now HO to DR and HO to MSt works fine. DR to MSt is a one way tunnel. Traffic from MSt is never received on the DR router. "Sh crypto ipsec sa" on the MSt router shows packets being encrypted and decrypted. On the DR router it only shows packets being encrypted, but zero packets being decrypted.

All services are DSL. On HO and MSt the DSL service is terminated on the router. At DR it is terminated on an ISP device and connected to the DR router via ethernet.

I reconfigured DR and MSt routers to use a GRE tunnel with the 'tunnel protection ipsec profile' feature and we have the same issue. The GRE tunnel works fine unencrypted, but is only one way when encrypted.

I have tried disabling NAT and access lists, though with these enabled the GRE tunnel works ok unencrypted. I have also tried disabling the hardware encryption.

I have done a lot of IOS IPSec work and never been unable to get things working so this one has me stumped.

Any suggestions would be appreciated.

mj11 · ‎11-15-2007

Hi

Could you try the following:

Remove the crypto map from the interface.

Create the tunnel interfaces.

int tunnel

ip address private_ip subnet_mask

tunnel source outside_interface_name

tunnel destination peer_address

Modify the crypto access list as shown below.

access-list acl_name permit gre host tunnel_source_ip host peer_address

Use routing protocol or configure a static route for the remote LAN with the next hop pointing to the tunnel interface.

Reapply the crypto map to the physical interface and the tunnel interface

Regards MJ

pgalligan · ‎11-15-2007

Hi,

Thanks for your input.

I have already tried the following between DR and MSt:

int tunnel

ip address private_ip subnet_mask

tunnel source outside_interface_name

tunnel destination peer_address

tunnel protection ipsec profile blah

We get the same symptoms as in the original config. If I remove the tunnel protection command, and leave the tunnel unencrypted, it works fine. In the original config the tunnel source and destination addresses are loopbacks on each router:

int tunnel

ip address private_ip subnet_mask

tunnel source loopback0

tunnel destination remote-router-loopback0

The crypto map was matching all traffic between the tunnel source/destination addresses. A static route for the remote loopback0 points out the interface with the crypto map. I wondered if I'd have trouble using a crypto map for HO to DR while using the tunnel protection feature for DR to MSt, but the symptoms are identical. Also, the IPSec SA's for the tunnel interface are created correctly.