VPN Tunnel between two ISR routers in WAN Network

Oct 6th, 2008

I am trying to set up a VPN tunnel between every two routers in a tree-type wide area network in a project. I have done that, but show crypto isakmp sa and show crypto ipsec sa are not showing results in privileged mode of the router. I can ping the other router and data is flowing smoothly without any problem, but I'm not sure whether I'm going right with the VPN tunnel or not. Kindly help me as soon as possible.

Please find attachment for configuration.

Carlo Zaina Mon, 10/06/2008 - 07:13

The tunnel is set up if the router detects interesting traffic: if there are no SAs active, probably the router doesn't detect interesting traffic.

I set up this scenario in a lab between a C1721 and a C1841, with 2 middle 2600 XMs.

The traffic was flowing tunneled only when the routers detected it was destined to the other peer's LAN; otherwise it was simply NATted and then transmitted unencrypted to the 2600XMs (this is done with route-maps).

I attached this sample config: hope it will help.

Finally: I have seen OSPF routing enabled. If you want to carry OSPF hellos in the tunnel you need a GRE tunnel with IPSec.

siddindia Mon, 10/06/2008 - 21:22

Thanks for the reply.

I have to flow data with OSPF hello packets. In this condition, is it mandatory that I use a GRE tunnel? If I want the same tunnel configuration, what should I do to make it work on the same scenario?

Carlo Zaina Tue, 10/07/2008 - 01:54

If you wish to have your OSPF traffic carried across a WAN encrypted, you definitely need to use GRE tunnels: IPSec allows only unicast traffic, whereas GRE over IPSec allows multicast and broadcast.

If I have understood well, from your router's configuration, you are trying to set up an L2L tunnel with IPSec on a WAN link. It will carry only unicast traffic. OSPF will not be carried.

However, you might decide to encrypt only the traffic from the LANs and leave the OSPF traffic to travel unencrypted across the ISP network. This is definitely a design choice.

The config I have attached in my previous post achieves this: only traffic between the LANs is encrypted. Routing traffic would be sent across the ISP network unencrypted (I used static routes; however, the routing interfaces belong to different networks and their traffic is not considered interesting for the tunnel). In this way, without GRE, you can encrypt your LAN traffic (assuming you haven't applications requiring multicast) and at the same time have your OSPF working. The drawback is that your routing traffic is flowing in the clear.

Hope this will help.
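As an added example (not the config attached in this thread), here is the GRE over IPSec design described above for one side, R1; R2 mirrors it with the addresses swapped. All addresses, interface names and the key placeholder are assumptions, and the crypto settings assume an IOS release that supports AES-256, SHA-256 and DH group 14.

```cisco
! --- R1 (assumed: WAN 203.0.113.1/30, LAN 192.168.1.0/24, peer WAN 203.0.113.2) ---
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
! Placeholder key: replace with a long random secret shared with R2 only.
crypto isakmp key PRESHARED-KEY-PLACEHOLDER address 203.0.113.2
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! Only GRE between the two WAN endpoints is "interesting" traffic, so
! everything riding inside the tunnel (LAN data and OSPF hellos) gets
! encrypted, and nothing else on the WAN interface triggers the SA.
ip access-list extended GRE-TO-R2
 permit gre host 203.0.113.1 host 203.0.113.2
!
crypto map CM 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address GRE-TO-R2
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 203.0.113.2
 ! leave room for the GRE + ESP headers so transit routers do not fragment
 ip mtu 1400
 ip tcp adjust-mss 1360
!
interface FastEthernet0/0
 description WAN to ISP
 ip address 203.0.113.1 255.255.255.252
 crypto map CM
!
router ospf 1
 network 10.0.0.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
! Verification: OSPF hellos on Tunnel0 are the first interesting traffic,
! so the SAs appear as soon as the adjacency tries to form.
! show crypto isakmp sa    -> state QM_IDLE with peer 203.0.113.2
! show crypto ipsec sa     -> #pkts encaps / #pkts decaps increasing
! show ip ospf neighbor    -> 10.0.0.2 in state FULL on Tunnel0
```

If the OSPF adjacency comes up but the counters in show crypto ipsec sa stay at zero, the GRE traffic is bypassing the crypto map (wrong tunnel source or crypto ACL), which is the unencrypted-routing case the answer above warns about.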

siddindia Tue, 10/07/2008 - 20:58

Thank you carlozaina.

I hope I'll get the right solution with your help.

Carlo Zaina Wed, 10/08/2008 - 00:42

Eventually, the SDM can make your life easier to configure your tunnel (L2L or GRE IPSec).
