tunnel mode ipsec

Unanswered Question
Sep 16th, 2008

Hi,


I would like to setup a site-to-site VPN between a 1720 and a 2600 series router. The IOS versions are:


c1700-advsecurityk9-mz.123-26.bin

c2600-advsecurityk9-mz.123-26.bin


Neither router accepts 'tunnel mode ipsec' under the Tunnel interface. Is this due to the release of the IOS? If so does anyone know what version I would need?


This is the example I've been working from:


http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629_ps6635_Products_White_Paper.html


Any help would be greatly appreciated.


Thanks

Marwan ALshawi Tue, 09/16/2008 - 05:49

alraycisco Tue, 09/16/2008 - 06:26

Hi,


I was originally looking to setup a GRE tunnel between 3 Cisco routers, so I can run OSPF over them. However, with my current test setup, I'm unable to get OSPF to work. Which is why I was looking at the sample config I mentioned above.


I've attached my configs.



singhsaju Tue, 09/16/2008 - 08:50

Hi

Your config looks OK except for the tunnel destinations and tunnel destination routes. Do not learn the tunnel destination through the tunnel. Also remember that since this is GRE over IPsec, the IPsec tunnel should first come up and then the GRE tunnel connects.


To verify if IPsec is up, post the results of "show crypto isakmp sa".


Do the following

Site A

Change the tunnel destination to 192.168.2.1


interface Tunnel0
 ip address 192.168.100.2 255.255.255.252
 ip ospf network broadcast
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 192.168.2.1
 crypto map mymap
!
no ip route 192.168.2.0 255.255.255.0 Tunnel0
ip route 192.168.2.0 255.255.255.0 FastEthernet0


Site B

Change the tunnel destination to 192.168.1.2


interface Tunnel0
 ip address 192.168.100.1 255.255.255.252
 ip ospf network broadcast
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 192.168.1.2
 crypto map mymap
!
no ip route 192.168.1.0 255.255.255.0 Tunnel0
ip route 192.168.1.0 255.255.255.0 FastEthernet0


Make the above changes, check, and post the results.


HTH

Saju

Pls rate helpful posts

alraycisco Thu, 09/18/2008 - 00:51

Hi,


Thanks for that. I've made the changes you mentioned, which does allow the OSPF neighbour relationship to form, but no routes to be exchanged. The reason for this is probably because the Tunnel is constantly going up and down with the following error:


*Mar 2 20:34:58.708: %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing


There's a Cisco page on this, but I'm not sure what change I'd need to make.


http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094690.shtml


Thanks


Farrukh Haroon Thu, 09/18/2008 - 02:05

You need to make sure the tunnel destination is reachable (routable) directly over the WAN, and it should not be reachable THROUGH the tunnel itself. A simple solution is to run a different routing protocol over the WAN and on the Tunnel/LAN subnet. You can also add a static route for the tunnel destination pointing to the WAN IP of the peer.


Please rate if helpful.


Regards


Farrukh
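To make the recursive-routing condition from the two replies above concrete, here is an added example (not code from the thread or from Cisco) that models how a router resolves its tunnel destination: longest prefix wins, then lowest administrative distance. The routing tables are constructed to mirror the Site A states discussed here, with the remote loopback subnet routed into Tunnel0 (the failing case), a /32 host route toward the WAN interface, and WAN addresses as tunnel endpoints.

```python
import ipaddress

# Constructed routing tables modelled on the Site A situation in this thread
# (not taken from the attached configs). A route is (prefix, admin distance, egress).

def resolve(routes, dst):
    """Longest-prefix match, ties broken by lowest administrative distance.
    Returns (network, egress_interface), or None if no route covers dst."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, ad, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip not in net:
            continue
        if best is None or (net.prefixlen, -ad) > (best[0].prefixlen, -best[1]):
            best = (net, ad, iface)
    return None if best is None else (best[0], best[2])

def tunnel_is_recursive(routes, tunnel_iface, tunnel_dst):
    """True when the tunnel destination is itself reached through the tunnel,
    the condition behind %TUN-5-RECURDOWN (the tunnel is shut and retried)."""
    hit = resolve(routes, tunnel_dst)
    return hit is not None and hit[1] == tunnel_iface

# Before: the remote loopback subnet is routed into Tunnel0, and the tunnel
# destination 192.168.2.1 sits inside that subnet.
ORIGINAL = [
    ("0.0.0.0/0", 1, "FastEthernet0"),
    ("192.168.2.0/24", 1, "Tunnel0"),        # ip route 192.168.2.0 255.255.255.0 Tunnel0
]
# After the /32 change: a host route for the tunnel destination points at the
# WAN interface and beats the /24 that OSPF learns across the tunnel on prefix length.
HOST_ROUTE_FIX = [
    ("0.0.0.0/0", 1, "FastEthernet0"),
    ("192.168.2.0/24", 110, "Tunnel0"),      # learned via OSPF over the tunnel
    ("192.168.2.1/32", 1, "FastEthernet0"),  # ip route 192.168.2.1 255.255.255.255 FastEthernet0
]
# Final design: tunnel endpoints are the WAN addresses, reached via the default route.
WAN_ENDPOINTS = [
    ("0.0.0.0/0", 1, "FastEthernet0"),
    ("192.168.2.0/24", 110, "Tunnel0"),
]

def audit():
    """Evaluate each table; True means the tunnel would flap."""
    return {
        "original": tunnel_is_recursive(ORIGINAL, "Tunnel0", "192.168.2.1"),
        "host_route_fix": tunnel_is_recursive(HOST_ROUTE_FIX, "Tunnel0", "192.168.2.1"),
        "wan_endpoints": tunnel_is_recursive(WAN_ENDPOINTS, "Tunnel0", "1.1.1.3"),
    }
```

Running audit() flags only the original table; the same check applied to a parsed "show ip route" would catch the loop before the tunnel starts flapping.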

alraycisco Thu, 09/18/2008 - 02:43

Hi,


I changed the route command to a 32-bit mask, which got the tunnel working and OSPF exchanging routes.


In my current config the tunnel destination is the inside interface of the other router, which obviously wouldn't be routable over the internet. Does this mean that in the live setup, the tunnel destination under 'Tunnel 0' will need to be the ip address of the outside interface? I've just tested this on my test setup, but the tunnel fails to come up:


interface Tunnel0
 ip address 192.168.100.1 255.255.255.252
 ip ospf network broadcast
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 1.1.1.3
 crypto map mymap
end


Thanks


alraycisco Thu, 09/18/2008 - 03:02

Just for info, the following config looks to do what I'm looking for. I'm just not sure whether this would work in a live setup, i.e. is everything that needs to be routable over the internet actually routable?



crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 1.1.1.3
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 1.1.1.3
 set transform-set myset
 match address 101
!
interface Loopback0
 ip address 192.168.2.1 255.255.255.0
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.0
!
interface Tunnel0
 ip address 192.168.100.1 255.255.255.252
 ip ospf network broadcast
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 192.168.1.2
 crypto map mymap
!
interface FastEthernet0
 ip address 1.1.1.1 255.255.255.0
 speed auto
 crypto map mymap
!
router ospf 1
 log-adjacency-changes
 redistribute connected
 network 10.1.1.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 0
 network 192.168.100.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0
ip route 192.168.1.2 255.255.255.255 FastEthernet0
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!


alraycisco Thu, 09/18/2008 - 04:00

I've changed the config for the tunnel interface so the source is the outside interface and the destination is the outside ip address of the other router, which works. I'm assuming this will be ok for a live setup?


interface Tunnel0
 ip address 192.168.100.2 255.255.255.252
 ip ospf network broadcast
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 1.1.1.1
 crypto map mymap


Farrukh Haroon Thu, 09/18/2008 - 08:07

I haven't gone through your config in detail, but yes, your tunnel source should be routable in the transit path, since this will be the source of all traffic that will be 'routed' to the tunnel. It is common practice to borrow the WAN interface's IP.


Regards


Farrukh
