VTI and EIGRP problem

04-08-2013 05:08 AM
Have a lab setup to run IPSEC VPN with DVTI on Hub and SVTI on spoke. The goal is to have two tunnels from each spoke to two Hubs for redundancy. EIGRP is needed in order to get BGP up and running, which will be used for routing policies.
The problem I face is that EIGRP is not established over the IPSEC tunnel (see neighbour details below). The spoke is configured with VRF on the public interface for security reasons. I have one spoke without VRF on the public interface and this connection works fine.
I can ping the physical interfaces and the ISAKMP SA and IPSEC SA are up. Doing debug eigrp packet shows that both mcast and ucast traffic is exchanged, but no ACK is transmitted on either side (also indicated by Q > 0). It feels like I have missed some basic stuff but can't find it.
Spoke1 (vrf with problem):
sesthcombox001#sh ip eigrp 1 neighbors detail
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   172.16.0.1              Tu1               57 00:01:07    1  5000  2  0
   Version 10.0/2.0, Retrans: 14, Retries: 14, Waiting for Init, Waiting for Init Ack
   UPDATE seq 499 ser 0-0 Sent 67028 Init Sequenced
   UPDATE seq 500 ser 1-9 Sequenced
Spoke2 (working fine):
sesthcombox002#sh ip eigrp 1 neighbors detail
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   172.16.0.1              Tu1               59 04:21:46    4  1452  0  53
   Version 10.0/2.0, Retrans: 0, Retries: 0, Prefixes: 2
   Topology-ids from peer - 0
Hub:
sesthcg1rtr002#sh ip eigrp 1 neighbors detail
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   172.16.0.2              Vi1               58 00:00:30    1  5000  1  509
   Version 12.4/1.2, Retrans: 7, Retries: 7, Waiting for Init Ack
   Topology-ids from peer - 0
   UPDATE seq 246 ser 0-0 Sent 30664 Init Sequenced
1   172.16.0.6              Vi2               10 04:22:04    4   100  0  26
   Version 10.0/2.0, Retrans: 0, Retries: 0, Prefixes: 1
   Topology-ids from peer - 0
Relevant configuration:
Spoke1 (not working):
crypto keyring key-internet vrf internet
 pre-shared-key address 20.20.20.2 key cisco
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key cisco address 20.20.20.2
crypto isakmp profile ISA-PROP
 keyring key-internet
 match identity address 20.20.20.2 255.255.255.255 internet
crypto ipsec transform-set aes256sha esp-aes 256 esp-sha-hmac
crypto ipsec profile LAB
 set transform-set aes256sha
 set pfs group14
 set isakmp-profile ISA-PROP
interface Tunnel1
 ip address 172.16.0.2 255.255.255.0
 ip mtu 1400
 ip hold-time eigrp 1 60
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 tunnel source FastEthernet0/0.37
 tunnel destination 20.20.20.2
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel vrf internet
 tunnel protection ipsec profile LAB
interface FastEthernet0/0.37
 description internet
 encapsulation dot1Q 37
 ip vrf forwarding internet
 ip address 20.20.30.2 255.255.255.248
HUB:
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key cisco address 0.0.0.0
crypto isakmp profile lab-vti
 keyring default
 match identity address 0.0.0.0
 virtual-template 1
 local-address 20.20.20.2
crypto ipsec transform-set aes256sha esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile LAB
 set transform-set aes256sha
 set pfs group14
 set isakmp-profile lab-vti
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback10
 ip access-group shop-out out
 ip mtu 1400
 ip hold-time eigrp 1 60
 ip virtual-reassembly in
 ip tcp adjust-mss 1400
 tunnel source GigabitEthernet0/0.800
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile LAB
Spoke2:
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key cisco address 20.20.20.2
crypto ipsec transform-set aes256sha esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile LAB
 set transform-set aes256sha
 set pfs group14
interface Tunnel1
 ip address 172.16.0.6 255.255.255.0
 ip virtual-reassembly in
 ip tcp adjust-mss 1400
 tunnel source GigabitEthernet0/0.37
 tunnel mode ipsec ipv4
 tunnel destination 20.20.20.2
 tunnel path-mtu-discovery
 tunnel protection ipsec profile LAB
Labels: VPN
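Added example, not part of the thread: a small Python parser for `show ip eigrp neighbors detail` that pulls out the counters the poster was reading (Q Cnt, Retrans, the "Waiting for Init"/"Init Ack" flags and the version the neighbor reports) and classifies each adjacency. The sample input is the spoke1 and hub output posted above; the regular expressions, the `Neighbor` class and the classification labels are my own choices, not Cisco's.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Sample input: the "show ip eigrp 1 neighbors detail" output posted in the
# thread for spoke1 and the hub, column-aligned as IOS prints it.
SPOKE1 = """\
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   172.16.0.1              Tu1               57 00:01:07    1  5000  2  0
   Version 10.0/2.0, Retrans: 14, Retries: 14, Waiting for Init, Waiting for Init Ack
   UPDATE seq 499 ser 0-0 Sent 67028 Init Sequenced
   UPDATE seq 500 ser 1-9 Sequenced
"""

HUB = """\
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   172.16.0.2              Vi1               58 00:00:30    1  5000  1  509
   Version 12.4/1.2, Retrans: 7, Retries: 7, Waiting for Init Ack
   Topology-ids from peer - 0
   UPDATE seq 246 ser 0-0 Sent 30664 Init Sequenced
1   172.16.0.6              Vi2               10 04:22:04    4   100  0  26
   Version 10.0/2.0, Retrans: 0, Retries: 0, Prefixes: 1
   Topology-ids from peer - 0
"""

# One neighbor row: H, address, interface, hold, uptime, SRTT, RTO, Q cnt, seq.
ROW = re.compile(
    r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(\S+)"
    r"\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$"
)
# The detail line under each row: neighbor-reported version, retransmit counters,
# and either "Prefixes: N" or the init-state flags.
VERSION = re.compile(r"Version\s+([^,\s]+),\s+Retrans:\s+(\d+),\s+Retries:\s+(\d+)(.*)$")


@dataclass
class Neighbor:
    address: str
    interface: str
    hold: int
    uptime: str
    srtt: int
    rto: int
    q_cnt: int
    seq: int
    peer_version: str = ""
    retrans: int = 0
    retries: int = 0
    prefixes: int = 0
    waiting: List[str] = field(default_factory=list)


def parse_neighbors(text: str) -> List[Neighbor]:
    neighbors: List[Neighbor] = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            _, addr, intf, hold, up, srtt, rto, q, seq = m.groups()
            neighbors.append(Neighbor(addr, intf, int(hold), up, int(srtt),
                                      int(rto), int(q), int(seq)))
            continue
        v = VERSION.search(line)
        if v and neighbors:              # detail line belongs to the row above it
            n = neighbors[-1]
            n.peer_version, n.retrans, n.retries = v.group(1), int(v.group(2)), int(v.group(3))
            rest = v.group(4)
            n.waiting = re.findall(r"Waiting for Init(?: Ack)?", rest)
            p = re.search(r"Prefixes:\s+(\d+)", rest)
            n.prefixes = int(p.group(1)) if p else 0
    return neighbors


def assess(n: Neighbor) -> str:
    """Classify an adjacency the way the poster read the counters: a neighbor
    that is listed (hellos arrive) but still 'Waiting for Init'/'Init Ack' never
    had its reliable UPDATE acknowledged, which is also why Q Cnt stays > 0."""
    if n.waiting:
        return "stuck-in-init"
    if n.q_cnt > 0 or n.retrans > 0:
        return "retransmitting"   # adjacency formed, but reliable packets backing up
    return "healthy"


def stuck_peers(text: str) -> List[Tuple[str, str]]:
    """Neighbors that never left init, paired with the version they report; the
    thread's fix turned out to be the IOS release on one spoke, so the version
    pair is worth surfacing next to the state."""
    return [(n.address, n.peer_version) for n in parse_neighbors(text)
            if assess(n) == "stuck-in-init"]


if __name__ == "__main__":
    for label, output in (("spoke1", SPOKE1), ("hub", HUB)):
        for n in parse_neighbors(output):
            print(f"{label}: {n.address} via {n.interface} -> {assess(n)} "
                  f"(Q={n.q_cnt}, retrans={n.retrans}, peer version {n.peer_version})")
```

Run against the hub output it reports 172.16.0.2 (spoke1) as stuck in init and 172.16.0.6 (spoke2) as healthy, which matches what the poster saw by eye; the point of scripting it is to watch many spokes at once and to keep the reported version next to the state.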
04-08-2013 05:51 AM
Did you use eigrp address-family command (address-family ipv4 vrf internet) to configure eigrp settings on spoke with VRF?
04-08-2013 05:57 AM
No, the tunnel interface belongs to global. It is the physical interface that belongs to vrf internet.
04-08-2013 06:05 AM
But from the config you provided,
Relevant configuration:
Spoke1 (not working):
crypto keyring key-internet vrf internet
 pre-shared-key address 20.20.20.2 key cisco
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key cisco address 20.20.20.2
crypto isakmp profile ISA-PROP
 keyring key-internet
 match identity address 20.20.20.2 255.255.255.255 internet
crypto ipsec transform-set aes256sha esp-aes 256 esp-sha-hmac
crypto ipsec profile LAB
 set transform-set aes256sha
 set pfs group14
 set isakmp-profile ISA-PROP
interface Tunnel1
 ip address 172.16.0.2 255.255.255.0
 ip mtu 1400
 ip hold-time eigrp 1 60
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 tunnel source FastEthernet0/0.37
 tunnel destination 20.20.20.2
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel vrf internet
 tunnel protection ipsec profile LAB
the tunnel itself is part of the internet routing table. So you should configure EIGRP correspondingly, I assume.
04-08-2013 06:21 AM
My understanding is that the tunnel vrf specifies the FVRF IPSEC tunnel or?
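Added example, not from the thread: yes, on a VTI `tunnel vrf` names the front-door VRF (FVRF), the routing table used to deliver the encrypted packets to the tunnel destination, so the keyring and the ISAKMP profile's identity match must be bound to that VRF. The tunnel's own address and any routing protocol live in the inside VRF (IVRF), which is global unless the tunnel interface itself carries `ip vrf forwarding`; only then does EIGRP belong under `address-family ipv4 vrf`. The Python lint below encodes that split. Its sample input is spoke1's configuration as posted plus an assumed `router eigrp 1` block (the thread never shows the spoke's EIGRP process), and a constructed broken variant; the block parser and the finding texts are my own.

```python
from typing import Dict, List, Optional

# Spoke1 as posted in the thread, plus an ASSUMED "router eigrp 1" block in the
# global table (the IVRF here), because the thread does not show it.
SPOKE1_CFG = """\
crypto keyring key-internet vrf internet
 pre-shared-key address 20.20.20.2 key cisco
crypto isakmp profile ISA-PROP
 keyring key-internet
 match identity address 20.20.20.2 255.255.255.255 internet
crypto ipsec profile LAB
 set transform-set aes256sha
 set pfs group14
 set isakmp-profile ISA-PROP
interface Tunnel1
 ip address 172.16.0.2 255.255.255.0
 ip hold-time eigrp 1 60
 tunnel source FastEthernet0/0.37
 tunnel destination 20.20.20.2
 tunnel mode ipsec ipv4
 tunnel vrf internet
 tunnel protection ipsec profile LAB
interface FastEthernet0/0.37
 ip vrf forwarding internet
 ip address 20.20.30.2 255.255.255.248
router eigrp 1
 network 172.16.0.0 0.0.0.255
"""

# CONSTRUCTED counter-example: the tunnel is placed in an inside VRF ("inside")
# while EIGRP stays global, and the keyring/identity match are not bound to the FVRF.
BROKEN_CFG = """\
crypto keyring key-internet
 pre-shared-key address 20.20.20.2 key cisco
crypto isakmp profile ISA-PROP
 keyring key-internet
 match identity address 20.20.20.2 255.255.255.255
crypto ipsec profile LAB
 set isakmp-profile ISA-PROP
interface Tunnel1
 ip vrf forwarding inside
 ip address 172.16.0.2 255.255.255.0
 ip hold-time eigrp 1 60
 tunnel vrf internet
 tunnel protection ipsec profile LAB
router eigrp 1
 network 172.16.0.0 0.0.0.255
"""


def parse_blocks(config: str) -> List[List[str]]:
    """Split an IOS running-config into blocks: an unindented line opens a block
    and every indented line that follows belongs to it."""
    blocks: List[List[str]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue
        if raw[0] not in " \t":
            blocks.append([raw.strip()])
        elif blocks:
            blocks[-1].append(raw.strip())
    return blocks


def find_block(blocks: List[List[str]], header: str) -> Optional[List[str]]:
    for b in blocks:
        if b[0] == header or b[0].startswith(header + " "):
            return b
    return None


def child_value(block: Optional[List[str]], keyword: str) -> Optional[str]:
    if block is None:
        return None
    for line in block[1:]:
        if line.startswith(keyword + " "):
            return line[len(keyword) + 1:]
    return None


def lint_tunnels(config: str) -> Dict[str, List[str]]:
    """Per tunnel interface, list FVRF/IVRF inconsistencies (empty list = clean)."""
    blocks = parse_blocks(config)
    report: Dict[str, List[str]] = {}
    for b in blocks:
        if not b[0].startswith("interface Tunnel"):
            continue
        name = b[0].split()[1]
        findings: List[str] = []
        fvrf = child_value(b, "tunnel vrf")          # FVRF: where ESP packets are routed
        ivrf = child_value(b, "ip vrf forwarding")   # IVRF: where the tunnel's own IP lives
        prof_name = child_value(b, "tunnel protection ipsec profile")
        prof = find_block(blocks, f"crypto ipsec profile {prof_name}") if prof_name else None
        isa_name = child_value(prof, "set isakmp-profile")
        isa = find_block(blocks, f"crypto isakmp profile {isa_name}") if isa_name else None
        if fvrf:
            # IKE runs in the FVRF, so the keyring and the identity match must name it.
            kr_name = child_value(isa, "keyring")
            kr = find_block(blocks, f"crypto keyring {kr_name}") if kr_name else None
            if kr is None or not kr[0].endswith(f" vrf {fvrf}"):
                findings.append(f"keyring for {name} is not bound to FVRF {fvrf}")
            ident = child_value(isa, "match identity address")
            if ident is None or not ident.endswith(f" {fvrf}"):
                findings.append(f"isakmp profile identity match for {name} does not name FVRF {fvrf}")
        # The routing protocol follows the IVRF, never the FVRF.
        eigrp = [blk for blk in blocks if blk[0].startswith("router eigrp ")]
        if not eigrp:
            findings.append(f"no 'router eigrp' process for {name}")
        elif ivrf and not any(f"address-family ipv4 vrf {ivrf}" in blk for blk in eigrp):
            findings.append(f"EIGRP for {name} must be under 'address-family ipv4 vrf {ivrf}'")
        report[name] = findings
    return report


if __name__ == "__main__":
    for label, cfg in (("spoke1", SPOKE1_CFG), ("broken", BROKEN_CFG)):
        print(label, lint_tunnels(cfg))
```

For spoke1 as posted the lint returns no findings: `tunnel vrf internet` only selects the FVRF, the keyring and identity match are bound to it, and with no `ip vrf forwarding` on Tunnel1 the tunnel address is global, so a plain `router eigrp 1` is the correct scope. The constructed variant shows the three ways this is usually got wrong.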
04-08-2013 07:46 AM
Found the problem. A little bit embarrassing, since the cause was an old IOS 12.4 on spoke 1. Upgraded to 15.1.4 and now it works!
