03-15-2007 04:39 PM - edited 02-21-2020 02:55 PM
Using the configuration below I have created a VPN tunnel between 2 sites. The tunnel is up and passing encrypted traffic; however, it doesn't look like ALL traffic between the two sites is being encrypted. I say this because the counters don't match up when comparing the multilink1 interface to the tunnel1 interface. Am I missing something? The only thing that I can think of is maybe the ACL. Any thoughts?
crypto isakmp policy 30
encr aes 256
authentication pre-share
crypto isakmp key mypassword address 10.129.150.30
!
!
crypto ipsec transform-set AES30 esp-aes 256 esp-sha-hmac
mode transport
!
crypto map GRE30 local-address Multilink1
crypto map GRE30 30 ipsec-isakmp
set peer 10.129.150.30
set transform-set AES30
match address HIDE-DATA30
interface Multilink1
ip address 10.129.150.29 255.255.255.252
ip pim sparse-dense-mode
ip multicast boundary 21
ppp multilink
ppp multilink links minimum 1
ppp multilink interleave
ppp multilink group 1
crypto map GRE30
!
interface Tunnel30
ip address 10.129.150.9 255.255.255.252
tunnel source 10.129.150.29
tunnel destination 10.129.150.30
service-policy output tunnel
ip access-list extended HIDE-DATA30
permit gre host 10.129.150.29 host 10.129.150.30
The other end's configuration is a mirror of this. Here is the output of show interfaces:
rtr-a#sh int tunnel30
Tunnel30 is up, line protocol is up
Hardware is Tunnel
Internet address is 10.129.150.9/30
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 10.129.150.29, destination 10.129.150.30
Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled
Tunnel TTL 255
Checksumming of packets disabled, fast tunneling enabled
Last input 00:00:04, output 00:00:02, output hang never
Last clearing of "show interface" counters 08:46:07
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 177
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
5741 packets input, 688798 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
6197 packets output, 653293 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
rtr-a#sh int multi1
Multilink1 is up, line protocol is up
Hardware is multilink group interface
Description: Texarkana => Multilink Bundle (Group1)
Internet address is 10.129.150.29/30
MTU 1500 bytes, BW 3088 Kbit, DLY 100000 usec,
reliability 255/255, txload 9/255, rxload 9/255
Encapsulation PPP, LCP Open, multilink Open
Open: CDPCP, IPCP, loopback not set
Keepalive set (10 sec)
DTR is pulsed for 2 seconds on reset
Last input 00:00:01, output never, output hang never
Last clearing of "show interface" counters 08:46:19
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 16892
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 114000 bits/sec, 174 packets/sec
5 minute output rate 116000 bits/sec, 173 packets/sec
6209837 packets input, 606049414 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
6245737 packets output, 818716133 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
03-17-2007 08:43 PM
Hi,
Did you clear the counters before doing the 'show interface'? If not do it and get the output again.
Regards,
Kamal
03-19-2007 03:02 PM
show crypto ipsec sa interface Multilink1 detail
interface Multilink1
ip route-cache flow
end
show ip cache Multilink1 flow
- Verify that your test traffic is not going around the tunnel.
- What version of IOS are you on? (We've seen some misreporting of "show int tunn" on some versions, but never zero).
- For the config that you have, I'd recommend turning on mss-adjust, gre keepalives, CDP and use unnumbered loopback. (Maybe even GTS)
- If you have GRE keepalives on, you'll know right away whether the tunnel is working or not. 99% of all GRE tunnels should have this in my opinion.
- Cisco has great features for GRE, you just have to know that they are there and use them.
Rob
Pulled and edited from one of our routers.
interface Tunnel1
description VPN mke-rtr97 to mke-rtr02-vpn
bandwidth 384
ip unnumbered Loopback0
ip access-group BlockServices in
ip access-group BlockServices out
ip mtu 1600
ip hello-interval eigrp 77 4
ip hold-time eigrp 77 16
ip pim sparse-mode
ip route-cache flow
ip tcp adjust-mss 1280
load-interval 30
delay 1140
keepalive 2 4
traffic-shape rate 288000 1536 1536 2048
cdp enable
tunnel source 10.1.1.1
tunnel destination 10.1.1.2
03-19-2007 05:32 PM
Thanks for the reply. I did as you suggested (except for the loopback interface configuration which I will do tomorrow). Looking at the Netflow information, it reveals that all traffic is going out of the Multilink 1 interface rather than the tunnel (which is what I suspected). The tunnel shows up and it is encrypting some traffic but not nearly everything.
See below:
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Mu1 10.129.153.252 Gi0/1 10.128.101.11 11 007B 007B 1
Mu1 10.129.153.50 Gi0/1 10.128.101.100 11 0089 0089 1
Tu30 10.129.150.33 Mu1 10.129.150.34 2F 0000 0000 49
Tu30 10.129.150.14 Null 224.0.0.10 58 0000 0000 21
interface Tunnel30
ip address 10.129.150.13 255.255.255.252
ip route-cache flow
ip tcp adjust-mss 1280
keepalive 2 4
cdp enable
tunnel source 10.129.150.33
tunnel destination 10.129.150.34
service-policy output tunnel
end
sh ip access-list HIDE-DATA30
Extended IP access list HIDE-DATA30
10 permit gre host 10.129.150.33 host 10.129.150.34 (975 matches)
Could it be the Access-list?
Thanks,
Brian
03-19-2007 05:50 PM
Just a wild guess... :-)
show ip route
conf t
ip route 0.0.0.0 0.0.0.0 10.129.150.14
end
wr mem
...probably you'll need to paraphrase it a bit.
Rob
03-19-2007 06:07 PM
Good thought but no luck:)
06-08-2007 01:04 PM
Brian,
Looking at the netflow output, the traffic going out of Mu1 is protocol 0x11, i.e. UDP.
It's probably your netflow export, since that's UDP and bypasses output features.
To work around this, configure netflow export to a destination that's reachable by a tunnel, and configure the features you want on the tunnel.
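As an added example (not posted by anyone in this thread), a small Python script that does the "verify your traffic is not going around the tunnel" check from Rob's reply: it parses 'show ip cache flow' lines and lists every flow that touches the crypto-mapped WAN interface without matching the GRE crypto ACL, which is exactly the traffic that crossed the link in cleartext. The sample lines are constructed after the ones Brian posted; the interface name Mu1 and the peer addresses are taken from his config and are assumptions about any other deployment.

```python
from collections import namedtuple

# Constructed sample, modelled on the 'show ip cache flow' lines posted above
# (columns: SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts).
SAMPLE_FLOWS = """\
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Mu1 10.129.153.252 Gi0/1 10.128.101.11 11 007B 007B 1
Mu1 10.129.153.50 Gi0/1 10.128.101.100 11 0089 0089 1
Tu30 10.129.150.33 Mu1 10.129.150.34 2F 0000 0000 49
Tu30 10.129.150.14 Null 224.0.0.10 58 0000 0000 21
"""

GRE, ESP = 0x2F, 0x32
PROTO_NAMES = {0x01: "ICMP", 0x06: "TCP", 0x11: "UDP", GRE: "GRE", ESP: "ESP", 0x58: "EIGRP"}

Flow = namedtuple("Flow", "src_if src_ip dst_if dst_ip proto src_port dst_port pkts")

def parse_flows(text):
    """Parse the 8-column flow table; the header row and blank lines are skipped.
    IOS prints protocol and ports in hex and the packet count in decimal."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "SrcIf":
            continue
        flows.append(Flow(f[0], f[1], f[2], f[3], int(f[4], 16),
                          int(f[5], 16), int(f[6], 16), int(f[7])))
    return flows

def find_cleartext_flows(flows, wan_if, tunnel_src, tunnel_dst):
    """Return flows that enter or leave wan_if without matching the crypto ACL.
    The ACL in this thread permits only GRE between the tunnel endpoints, so
    any other flow on wan_if crossed the link unencrypted. ESP between the
    endpoints is the encrypted form of that GRE and is not reported."""
    endpoints = {tunnel_src, tunnel_dst}
    def protected(fl):
        return fl.proto in (GRE, ESP) and {fl.src_ip, fl.dst_ip} == endpoints
    return [fl for fl in flows if wan_if in (fl.src_if, fl.dst_if) and not protected(fl)]

def describe(fl):
    name = PROTO_NAMES.get(fl.proto, f"0x{fl.proto:02X}")
    return f"{fl.src_if} {fl.src_ip} -> {fl.dst_if} {fl.dst_ip} {name} dport {fl.dst_port} ({fl.pkts} pkts)"

if __name__ == "__main__":
    # Assumed values: Mu1 is the crypto-mapped WAN interface; peers as in the posted ACL.
    for fl in find_cleartext_flows(parse_flows(SAMPLE_FLOWS), "Mu1", "10.129.150.33", "10.129.150.34"):
        print("cleartext on WAN:", describe(fl))
```

On the sample above the two UDP flows on Mu1 (NTP and NetBIOS) are reported, while the GRE flow between the peers is recognised as the protected tunnel traffic.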