VTI and EIGRP problem

peter.z.larsson, Level 1

Have a lab setup to run IPsec VPN with DVTI on the hub and SVTI on the spokes. The goal is to have two tunnels from each spoke to two hubs for redundancy. EIGRP is needed in order to get BGP up and running, which will be used for routing policies.

The problem I face is that EIGRP is not established over the IPsec tunnel (see neighbour details below). The spoke is configured with a VRF on the public interface for security reasons. I have one spoke without a VRF on the public interface, and this connection works fine.

I can ping the physical interfaces, and the ISAKMP SA and IPsec SA are up. Doing debug eigrp packet shows that both mcast and ucast traffic is exchanged, but no ACK is transmitted on either side (also indicated by Q > 0). It feels like I have missed some basic stuff but can't find it.

Spoke1 (VRF, with the problem):

sesthcombox001#sh ip eigrp 1 neighbors detail
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   172.16.0.1              Tu1               57 00:01:07    1  5000  2  0
   Version 10.0/2.0, Retrans: 14, Retries: 14, Waiting for Init, Waiting for Init Ack
    UPDATE seq 499 ser 0-0 Sent 67028 Init Sequenced
    UPDATE seq 500 ser 1-9 Sequenced

Spoke2 (working fine):

sesthcombox002#sh ip eigrp 1 neighbors detail
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   172.16.0.1              Tu1                      59 04:21:46    4  1452  0  53
   Version 10.0/2.0, Retrans: 0, Retries: 0, Prefixes: 2
   Topology-ids from peer - 0

Hub:

sesthcg1rtr002#sh ip eigrp 1 neighbors detail
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   172.16.0.2              Vi1                      58 00:00:30    1  5000  1  509
   Version 12.4/1.2, Retrans: 7, Retries: 7, Waiting for Init Ack
   Topology-ids from peer - 0
    UPDATE seq 246 ser 0-0 Sent 30664 Init Sequenced
1   172.16.0.6              Vi2                      10 04:22:04    4   100  0  26
   Version 10.0/2.0, Retrans: 0, Retries: 0, Prefixes: 1
   Topology-ids from peer - 0

Relevant configuration:

Spoke1 (not working):

crypto keyring key-internet vrf internet
  pre-shared-key address 20.20.20.2 key cisco

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key cisco address 20.20.20.2

crypto isakmp profile ISA-PROP
   keyring key-internet
   match identity address 20.20.20.2 255.255.255.255 internet

crypto ipsec transform-set aes256sha esp-aes 256 esp-sha-hmac

crypto ipsec profile LAB
 set transform-set aes256sha
 set pfs group14
 set isakmp-profile ISA-PROP

interface Tunnel1
 ip address 172.16.0.2 255.255.255.0
 ip mtu 1400
 ip hold-time eigrp 1 60
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 tunnel source FastEthernet0/0.37
 tunnel destination 20.20.20.2
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel vrf internet
 tunnel protection ipsec profile LAB

interface FastEthernet0/0.37
 description internet
 encapsulation dot1Q 37
 ip vrf forwarding internet
 ip address 20.20.30.2 255.255.255.248

Hub:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key cisco address 0.0.0.0

crypto isakmp profile lab-vti
   keyring default
   match identity address 0.0.0.0
   virtual-template 1
   local-address 20.20.20.2

crypto ipsec transform-set aes256sha esp-aes 256 esp-sha-hmac
 mode tunnel

crypto ipsec profile LAB
 set transform-set aes256sha
 set pfs group14
 set isakmp-profile lab-vti

interface Virtual-Template1 type tunnel
 ip unnumbered Loopback10
 ip access-group shop-out out
 ip mtu 1400
 ip hold-time eigrp 1 60
 ip virtual-reassembly in
 ip tcp adjust-mss 1400
 tunnel source GigabitEthernet0/0.800
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile LAB

Spoke2:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key cisco address 20.20.20.2

crypto ipsec transform-set aes256sha esp-aes 256 esp-sha-hmac
 mode tunnel

crypto ipsec profile LAB
 set transform-set aes256sha
 set pfs group14

interface Tunnel1
 ip address 172.16.0.6 255.255.255.0
 ip virtual-reassembly in
 ip tcp adjust-mss 1400
 tunnel source GigabitEthernet0/0.37
 tunnel mode ipsec ipv4
 tunnel destination 20.20.20.2
 tunnel path-mtu-discovery
 tunnel protection ipsec profile LAB
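As an added illustration (not code from the thread), a small Python parser over `show ip eigrp neighbors detail` output that flags the symptom described above: a neighbor whose Q Cnt stays above zero while Retrans climbs and the state is still an Init wait, rather than converging to "Prefixes: N". The sample text is constructed from the hub output quoted in the post; the row layout is the same under the 12.4 and 15.x headers, so the parser handles both.

```python
import re

# Constructed sample modelled on the hub's output quoted in the thread (not a live capture):
# neighbor 0 is the 12.4 spoke stuck in Init, neighbor 1 is the healthy 15.x spoke.
HUB_SAMPLE = """\
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   172.16.0.2              Vi1                      58 00:00:30    1  5000  1  509
   Version 12.4/1.2, Retrans: 7, Retries: 7, Waiting for Init Ack
   Topology-ids from peer - 0
    UPDATE seq 246 ser 0-0 Sent 30664 Init Sequenced
1   172.16.0.6              Vi2                      10 04:22:04    4   100  0  26
   Version 10.0/2.0, Retrans: 0, Retries: 0, Prefixes: 1
"""

# Neighbor row: H Address Interface Hold Uptime SRTT RTO Q-Cnt Seq (same columns in 12.4 and 15.x)
ROW = re.compile(r"^\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\d+\s+(\d+)\s+\d+\s*$")
# Indented detail line that follows each row
DETAIL = re.compile(r"Version (\S+), Retrans: (\d+), Retries: (\d+)(?:, (.*))?")

def parse_neighbors(text):
    """Parse `show ip eigrp neighbors detail` into one dict per neighbor."""
    records = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            records.append({"address": m.group(1), "interface": m.group(2),
                            "q_count": int(m.group(3)), "version": "",
                            "retrans": 0, "retries": 0, "state": ""})
            continue
        d = DETAIL.search(line)
        if d and records:  # the detail line belongs to the most recent row
            records[-1].update(version=d.group(1), retrans=int(d.group(2)),
                               retries=int(d.group(3)), state=d.group(4) or "")
    return records

def stuck_neighbors(records):
    """Flag adjacencies that never converge: unacked packets sit in the queue
    (Q Cnt > 0) while retransmissions climb and the state is still an Init wait.
    A healthy neighbor reports Q Cnt 0 and 'Prefixes: N' instead."""
    return [n for n in records
            if n["q_count"] > 0 and n["retrans"] > 0 and "Init" in n["state"]]

if __name__ == "__main__":
    for n in stuck_neighbors(parse_neighbors(HUB_SAMPLE)):
        print(f"{n['address']} on {n['interface']}: {n['state']} "
              f"(peer version {n['version']}, retrans {n['retrans']})")
```

Run against the real hub output, the peer version reported alongside the stuck neighbor is the first thing to compare with the healthy ones, which is exactly the mismatch that turned out to matter in this thread.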

5 Replies

Andrew Phirsov, Level 7

Did you use the eigrp address-family command (address-family ipv4 vrf internet) to configure the EIGRP settings on the spoke with the VRF?

No, the tunnel interface belongs to the global table. It is the physical interface that belongs to vrf internet.

But from the config you provided,

Relevant configuration:

Spoke1 (not working):

crypto keyring key-internet vrf internet
  pre-shared-key address 20.20.20.2 key cisco

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key cisco address 20.20.20.2

crypto isakmp profile ISA-PROP
   keyring key-internet
   match identity address 20.20.20.2 255.255.255.255 internet

crypto ipsec transform-set aes256sha esp-aes 256 esp-sha-hmac

crypto ipsec profile LAB
 set transform-set aes256sha
 set pfs group14
 set isakmp-profile ISA-PROP

interface Tunnel1
 ip address 172.16.0.2 255.255.255.0
 ip mtu 1400
 ip hold-time eigrp 1 60
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 tunnel source FastEthernet0/0.37
 tunnel destination 20.20.20.2
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel vrf internet
 tunnel protection ipsec profile LAB

the tunnel itself is part of the internet routing table. So you should configure EIGRP correspondingly, I assume.

My understanding is that tunnel vrf specifies the FVRF for the IPsec tunnel, or?

Found the problem. A little bit embarrassing, since the cause was an old IOS 12.4 on spoke 1. Upgraded to 15.1.4 and now it works!