VPN Tunnel Interface

vhashrjacksb2
Level 1

Using the configuration below I have created a VPN tunnel between 2 sites. The tunnel is up and passing traffic encrypted however, it doesn't look like ALL traffic between the two sites is being encrypted. I say this because the counters don't match up when comparing the multilink1 interface to the tunnel1 interface. Am I missing something? The only thing that I can think of is maybe the ACL. Any thoughts?

crypto isakmp policy 30
 encr aes 256
 authentication pre-share
crypto isakmp key mypassword address 10.129.150.30
!
!
crypto ipsec transform-set AES30 esp-aes 256 esp-sha-hmac
 mode transport
!
crypto map GRE30 local-address Multilink1
crypto map GRE30 30 ipsec-isakmp
 set peer 10.129.150.30
 set transform-set AES30
 match address HIDE-DATA30

interface Multilink1
 ip address 10.129.150.29 255.255.255.252
 ip pim sparse-dense-mode
 ip multicast boundary 21
 ppp multilink
 ppp multilink links minimum 1
 ppp multilink interleave
 ppp multilink group 1
 crypto map GRE30
!
interface Tunnel30
 ip address 10.129.150.9 255.255.255.252
 tunnel source 10.129.150.29
 tunnel destination 10.129.150.30
 service-policy output tunnel

ip access-list extended HIDE-DATA30
 permit gre host 10.129.150.29 host 10.129.150.30

The other end's configuration is a mirror of this. Here is the output of show interfaces:

rtr-a#sh int tunnel30
Tunnel30 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 10.129.150.9/30
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 10.129.150.29, destination 10.129.150.30
  Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled
  Tunnel TTL 255
  Checksumming of packets disabled, fast tunneling enabled
  Last input 00:00:04, output 00:00:02, output hang never
  Last clearing of "show interface" counters 08:46:07
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 177
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     5741 packets input, 688798 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     6197 packets output, 653293 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

rtr-a#sh int multi1
Multilink1 is up, line protocol is up
  Hardware is multilink group interface
  Description: Texarkana => Multilink Bundle (Group1)
  Internet address is 10.129.150.29/30
  MTU 1500 bytes, BW 3088 Kbit, DLY 100000 usec,
     reliability 255/255, txload 9/255, rxload 9/255
  Encapsulation PPP, LCP Open, multilink Open
  Open: CDPCP, IPCP, loopback not set
  Keepalive set (10 sec)
  DTR is pulsed for 2 seconds on reset
  Last input 00:00:01, output never, output hang never
  Last clearing of "show interface" counters 08:46:19
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 16892
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 114000 bits/sec, 174 packets/sec
  5 minute output rate 116000 bits/sec, 173 packets/sec
     6209837 packets input, 606049414 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     6245737 packets output, 818716133 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions

Kamal Malhotra
Cisco Employee

Hi,

Did you clear the counters before doing the 'show interface'? If not do it and get the output again.

Regards,

Kamal

roluce
Level 1

show crypto ipsec sa interface Multilink1 detail

interface Multilink1
 ip route-cache flow
end

show ip cache Multilink1 flow

- Verify that your test traffic is not going around the tunnel.

- What version of IOS are you on? (We've seen some misreporting of "show int tunn" on some versions, but never zero).

- For the config that you have, I'd recommend turning on mss-adjust, GRE keepalives, CDP and using an unnumbered loopback. (Maybe even GTS.)

- If you have GRE keepalives on, you'll know right away whether the tunnel is working or not. 99% of all GRE tunnels should have this in my opinion.

- Cisco has great features for GRE, you just have to know that they are there and use them.

Rob

Pulled and edited from one of our routers.

interface Tunnel1
 description VPN mke-rtr97 to mke-rtr02-vpn
 bandwidth 384
 ip unnumbered Loopback0
 ip access-group BlockServices in
 ip access-group BlockServices out
 ip mtu 1600
 ip hello-interval eigrp 77 4
 ip hold-time eigrp 77 16
 ip pim sparse-mode
 ip route-cache flow
 ip tcp adjust-mss 1280
 load-interval 30
 delay 1140
 keepalive 2 4
 traffic-shape rate 288000 1536 1536 2048
 cdp enable
 tunnel source 10.1.1.1
 tunnel destination 10.1.1.2

Thanks for the reply. I did as you suggested (except for the loopback interface configuration, which I will do tomorrow). The Netflow information reveals that all traffic is going out of the Multilink1 interface rather than the tunnel (which is what I suspected). The tunnel shows as up and it is encrypting some traffic, but not nearly everything.

See below:

SrcIf  SrcIPaddress    DstIf  DstIPaddress    Pr SrcP DstP  Pkts
Mu1    10.129.153.252  Gi0/1  10.128.101.11   11 007B 007B     1
Mu1    10.129.153.50   Gi0/1  10.128.101.100  11 0089 0089     1
Tu30   10.129.150.33   Mu1    10.129.150.34   2F 0000 0000    49
Tu30   10.129.150.14   Null   224.0.0.10      58 0000 0000    21

interface Tunnel30
 ip address 10.129.150.13 255.255.255.252
 ip route-cache flow
 ip tcp adjust-mss 1280
 keepalive 2 4
 cdp enable
 tunnel source 10.129.150.33
 tunnel destination 10.129.150.34
 service-policy output tunnel
end

sh ip access-list HIDE-DATA30
Extended IP access list HIDE-DATA30
    10 permit gre host 10.129.150.33 host 10.129.150.34 (975 matches)

Could it be the access list?

Thanks,

Brian

Just a wild guess... :-)

show ip route

conf t
ip route 0.0.0.0 0.0.0.0 10.129.150.14
end
wr mem

...probably you'll need to paraphrase it a bit.

Rob

Good thought, but no luck :)

Brian,

Looking at the netflow output, the traffic going out of Mu1 is protocol 0x11, i.e. UDP.

It's probably your netflow export, since that's UDP and bypasses output features.

To work around this, configure netflow export to a destination that's reachable by a tunnel, and configure the features you want on the tunnel.
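The check the thread converges on (decode the hex protocol column of "show ip cache flow" and see which flows touch the physical WAN interface without matching the crypto map's ACL) can be automated. The following Python script is an added example and is not code from this thread or from Cisco. The flow cache sample is constructed, modelled on the rows Brian posted, with one extra constructed row ("Local" source interface, UDP to port 2055) standing in for a locally sourced export flow; the crypto ACL text is the one shown in the thread, and "Mu1" is assumed to be the interface the crypto map is applied to.

```python
"""Find flows that go around a GRE-over-IPsec tunnel.

Added example (not from the thread). Reads a "show ip cache flow" excerpt and a
"show ip access-list" excerpt, decodes the hex protocol/port columns, and labels
every flow that enters or leaves the WAN interface as either 'encrypted'
(matches the crypto ACL) or 'cleartext' (bypassed the tunnel).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# IP protocol numbers as seen (in hex) in the "Pr" column of the flow cache.
PROTO_NAMES = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp", 88: "eigrp"}

# Constructed sample, modelled on the flow cache excerpt in the thread. The last
# row is constructed to represent a router-originated UDP flow (e.g. an export
# to a collector on UDP/2055) leaving the WAN interface in the clear.
SAMPLE_FLOW_CACHE = """\
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Mu1 10.129.153.252 Gi0/1 10.128.101.11 11 007B 007B 1
Mu1 10.129.153.50 Gi0/1 10.128.101.100 11 0089 0089 1
Tu30 10.129.150.33 Mu1 10.129.150.34 2F 0000 0000 49
Tu30 10.129.150.14 Null 224.0.0.10 58 0000 0000 21
Local 10.129.150.33 Mu1 10.128.101.50 11 C3B7 0807 12
"""

# The crypto ACL exactly as posted in the thread.
SAMPLE_CRYPTO_ACL = """\
Extended IP access list HIDE-DATA30
    10 permit gre host 10.129.150.33 host 10.129.150.34 (975 matches)
"""


@dataclass(frozen=True)
class Flow:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int
    pkts: int


@dataclass(frozen=True)
class AclEntry:
    proto: str  # "gre", "udp", "tcp" or "ip" (ip matches every protocol)
    src: str    # host address or "any"
    dst: str


def parse_flow_cache(text: str) -> List[Flow]:
    """Parse the 8-column flow rows; the header row and anything else is skipped."""
    flows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 8 or cols[0] == "SrcIf":
            continue
        flows.append(Flow(cols[0], cols[1], cols[2], cols[3],
                          int(cols[4], 16), int(cols[5], 16), int(cols[6], 16),
                          int(cols[7])))
    return flows


def parse_crypto_acl(text: str) -> List[AclEntry]:
    """Parse 'permit <proto> host A host B' / 'any' lines (the subset the thread
    uses; wildcard masks and port operators are not handled). A trailing
    '(N matches)' counter is ignored."""
    pat = re.compile(r"^\s*(?:\d+\s+)?permit\s+(\w+)\s+(host\s+\S+|any)\s+(host\s+\S+|any)")
    entries = []
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            entries.append(AclEntry(m.group(1).lower(),
                                    m.group(2).split()[-1], m.group(3).split()[-1]))
    return entries


def acl_matches(entry: AclEntry, flow: Flow) -> bool:
    proto_ok = entry.proto == "ip" or entry.proto == PROTO_NAMES.get(flow.proto)
    return proto_ok and entry.src in ("any", flow.src_ip) and entry.dst in ("any", flow.dst_ip)


def classify_flows(flows: List[Flow], acl: List[AclEntry], wan_if: str) -> List[Tuple[Flow, str]]:
    """Label each flow that touches wan_if: 'encrypted' if it matches the crypto
    ACL, otherwise 'cleartext' (it never went through the tunnel)."""
    results = []
    for f in flows:
        if wan_if in (f.src_if, f.dst_if):
            verdict = "encrypted" if any(acl_matches(e, f) for e in acl) else "cleartext"
            results.append((f, verdict))
    return results


def summarize(results: List[Tuple[Flow, str]]) -> Dict[str, int]:
    """Packet totals per verdict, for comparison with the interface counters."""
    totals = {"encrypted": 0, "cleartext": 0}
    for f, v in results:
        totals[v] += f.pkts
    return totals


if __name__ == "__main__":
    res = classify_flows(parse_flow_cache(SAMPLE_FLOW_CACHE),
                         parse_crypto_acl(SAMPLE_CRYPTO_ACL), "Mu1")
    for f, v in res:
        proto = PROTO_NAMES.get(f.proto, str(f.proto))
        print(f"{v:9} {f.src_if:>5} {f.src_ip:>15} -> {f.dst_if:>5} {f.dst_ip:>15} "
              f"{proto} {f.src_port}->{f.dst_port} pkts={f.pkts}")
    print(summarize(res))
```

Every 'cleartext' row is a flow the crypto map never saw: either it was routed straight out the physical interface instead of into Tunnel30, or, as with the router-originated UDP row, it was generated locally and bypassed the output features the thread's last reply describes. Comparing the per-verdict packet totals against the Multilink1 and Tunnel30 counters is a quicker sanity check than eyeballing the two "show interface" outputs.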
