Cisco1801+2 ISP+IPSec+VTI+PBR+'No default gateway'

Hello!

I have a Cisco 1801 connected to 2 ISPs. Each ISP is connected with a real IP address. Each WAN interface has an associated VTI. The main role of the Cisco 1801 is an IPSec hub for many IPSec clients, to make a secure link between subnets. Each IPSec client creates 2 IPSec tunnels: the first via ISP1 and the second via ISP2.

For example.

Cisco VTI1 device
192.168.1.0/24 <-------> 192.168.40.0/24

Cisco VTI2 device
192.168.2.0/24 <-------> 192.168.140.0/24

After IPSec is established we have two new interfaces, Virtual-Access1 and Virtual-Access2. We also have two new routes, for subnets 192.168.40.0/24 and 192.168.140.0/24.

192.168.1.1 and 192.168.2.1 are addresses of Vlan2 interface.

If default gateway is set up all works perfectly. If default gateway is removed intercommunications between subnets are lost.

Could I use ipsec without default gateway?

12 Replies

Laurent Aubert
Cisco Employee

Hi,

If your remote sites are not learning the other sites subnets or a default route through the tunnel, it's expected that they can't communicate.

Also I'm not sure what 192.168.1.0 and 192.168.2.0 represent.

HTH

Laurent.

I have attached the network diagram.

Why do you have two subnets per LAN interface ?

Could you provide the config of both routers ?

Thanks

Laurent.

Client software on the computer establishes two socket connections to the server software (source: 192.168.40.2 <--> dest: 192.168.1.2 and source: 192.168.140.2 <--> dest: 192.168.2.2), and if one of the providers goes down, communication will continue via the second one. The router on the client side is a GPRS/EDGE router ER75i with uClinux onboard.

I can provide the config of the Cisco 1801:

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service sequence-numbers
aaa new-model
ip cef
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 ip address 62.165.xx.yy 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly
 zone-member security WAN
 ip policy route-map FastEthernet0
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0
 ip mtu 1300
 zone-member security MAU
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MAU_Profile
!
interface FastEthernet2
 switchport access vlan 3
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 pvc 0/35
  pppoe-client dial-pool-number 1
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip flow ingress
 ip virtual-reassembly
 encapsulation ppp
 ip policy route-map Dialer0
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname name
 ppp chap password 7 000090E0624
 ppp pap sent-username name password 7 00000D2342
!
interface Virtual-Template2 type tunnel
 ip unnumbered Dialer0
 zone-member security MAU
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MAU_Profile2
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.0 secondary
 ip address 192.168.1.1 255.255.255.0
 ip virtual-reassembly
 zone-member security CAU
!
route-map Dialer0 permit 10
 match ip address Dialer0
 set interface Dialer0
!
ip access-list extended Dialer0
 permit ip host 77.233.xx.yy any
 permit esp host 77.233.xx.yy any
 permit ahp host 77.233.xx.yy any
 deny ip any any
 deny esp any any
 deny ahp any any
!
route-map FastEthernet0 permit 10
 match ip address FastEthernet0
 set ip next-hop 62.165.xx.zz
!
ip access-list extended FastEthernet0
 permit ip host 62.165.xx.yy any
 permit esp host 62.165.xx.yy any
 permit ahp host 62.165.xx.yy any
 deny ip any any
 deny esp any any
 deny ahp any any
!
ip local policy route-map LOCAL
ip forward-protocol nd
!
route-map LOCAL permit 10
 match ip address 150
 set interface Dialer0
route-map LOCAL permit 20
 match ip address 151
 set ip next-hop 62.165.xx.zz
route-map LOCAL permit 30
 match ip address 152
 set global
!
access-list 150 permit ip host 77.233.xx.yy any
access-list 151 permit ip host 62.165.xx.yy any
access-list 152 permit ip any any

Hi,

I think I lost what your original question was ;-) Could you clarify it?

From the configuration you provided, how do you route your traffic inside the tunnels?

Also, what is the point of the PBR configured on Dialer0 and FastEthernet0? PBR applies to incoming traffic, so I don't see why you want to send the received IPSec traffic back out on the same interface.

Laurent.

I'm using VTI. After the IPSec tunnels are established we have two new interfaces, Virtual-Access1 and Virtual-Access2. We also have two new routes for the subnets:

S 192.168.40.0/24 [1/0] via 83.220.xx.xx, Virtual-Access2
S 192.168.140.0/24 [1/0] via 83.220.xx.xx, Virtual-Access1

Cisco IOS automatically adds these routes to the general routing table.

About PBR: you are right. The PBR on Dialer0 and Fa0 is meaningless. Only "ip local policy route-map LOCAL" is needed to establish IPSec without a default gateway.

If default gateway is set up all works perfectly. If default gateway is removed intercommunications between subnets are lost.

Main question. What should I do to make all working without default gateway?
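The routes quoted above point at the peer's public address through a Virtual-Access interface, which means every packet entering a tunnel is routed twice: the inner packet matches the /24 toward the VTI, and the ESP packet that results has to be routed again, this time to the peer address. As an added illustration (not code from the thread or from Cisco), the following script models that two-stage lookup with a small routing table. Interface names follow the posted config; all IP addresses are constructed placeholders from the RFC 5737 documentation ranges, and the `PEER_HOST_ROUTE` entry is only there to show the table logic, not a recommended fix.

```python
"""Destination-based route resolution for a VTI hub.

The inner packet matches the static route IOS installs toward the
Virtual-Access interface; the resulting ESP packet is then looked up
again, addressed to the peer's public IP.  If that second lookup finds
nothing (no default route, no more specific route), the tunnel traffic
has nowhere to go.  Addresses are constructed placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[IPv4]   # None: directly connected / interface route
    interface: str


def route(prefix: str, next_hop: Optional[str], interface: str) -> Route:
    return Route(ipaddress.ip_network(prefix),
                 ipaddress.ip_address(next_hop) if next_hop else None,
                 interface)


# Remote GPRS router: one public address, two SAs (one per hub WAN link),
# matching the shape of the thread's "via 83.220.xx.xx, Virtual-AccessN".
PEER = "198.51.100.10"

# Routes present on the hub once both tunnels are up, with no default.
BASE_TABLE = (
    route("192.168.1.0/24", None, "Vlan2"),
    route("192.168.2.0/24", None, "Vlan2"),
    route("203.0.113.0/29", None, "FastEthernet0"),      # ISP1 WAN subnet
    route("203.0.113.129/32", None, "Dialer0"),          # ISP2 PPP peer
    route("192.168.40.0/24", PEER, "Virtual-Access2"),    # installed by VTI
    route("192.168.140.0/24", PEER, "Virtual-Access1"),
)
DEFAULT_VIA_ISP1 = route("0.0.0.0/0", "203.0.113.1", "FastEthernet0")
PEER_HOST_ROUTE = route(f"{PEER}/32", None, "Dialer0")   # illustration only


def is_tunnel(interface: str) -> bool:
    return interface.startswith(("Virtual-Access", "Tunnel"))


def lookup(table: Sequence[Route], dst: IPv4) -> Optional[Route]:
    """Longest-prefix match; None when nothing covers dst."""
    matches = [r for r in table if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def egress(table: Sequence[Route], dst: str) -> Optional[Tuple[str, ...]]:
    """Interfaces the packet traverses: the VTI, then the physical link that
    carries the ESP packet to the peer.  None if either lookup fails."""
    address = ipaddress.ip_address(dst)
    path = []
    for _ in range(8):                       # guard against routing loops
        r = lookup(table, address)
        if r is None:
            return None                      # no route at all: dropped
        path.append(r.interface)
        if not is_tunnel(r.interface):
            return tuple(path)
        if r.next_hop is None or r.next_hop == address:
            return None                      # tunnel whose peer never resolves
        address = r.next_hop                 # now route the outer ESP packet
    return None


if __name__ == "__main__":
    scenarios = (
        ("default route present", BASE_TABLE + (DEFAULT_VIA_ISP1,)),
        ("no default route", BASE_TABLE),
        ("no default, host route to peer", BASE_TABLE + (PEER_HOST_ROUTE,)),
    )
    for label, table in scenarios:
        print(f"{label}:")
        for dst in ("192.168.40.2", "192.168.140.2"):
            print(f"  {dst} -> {egress(table, dst)}")
```

Two things the output makes visible. With a default route the peer address resolves and traffic to both 192.168.40.2 and 192.168.140.2 is forwarded; without it, `lookup` returns `None` for the peer and the VTI route alone is useless. Also, a plain destination lookup cannot send the two SAs out different WAN links when both terminate at the same peer address, which is where a source-based local policy such as the posted `ip local policy route-map LOCAL` (ACLs 150 and 151 matching the hub's own WAN addresses) comes in.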

Hi,

Could you post the working configuration with the default route configured ?

When you say "intercommunications between subnets are lost. ", you mean 192.168.40.2 <--> 192.168.1.2 and 192.168.140.2 <--> 192.168.2.2

Also is it working without the FW zones configured ?

Thanks

Laurent.

Hello Laurent,

I sent you an email with the working configuration.

>When you say "intercommunications between subnets are lost. ", you mean 192.168.40.2 <--> 192.168.1.2 and 192.168.140.2 <--> 192.168.2.2

Yes. Without a default gateway I can't ping 192.168.40.2 from 192.168.1.2, or 192.168.140.2 from 192.168.2.2.

Regards

Aleksei.

Hi Aleksei,

I see some overlap in your ISAKMP profile definitions, and also there is no tunnel source specified in your DVTI interfaces.

I assume the ER75i is configured to open a tunnel with the 1800's Dialer0 interface to reach 192.168.2.0, and to open a tunnel with 62.165.xx.yy to reach 192.168.1.0.

To avoid any ambiguity I would add the following configuration:

crypto isakmp profile MAU_ISAKMP_Profile
 local-address fast0
!
int virtual-template 1 tunnel
 tunnel source fast0
!
crypto isakmp profile MAU_ISAKMP_Profile2
 local-address dialer0
!
int virtual-template 2 tunnel
 tunnel source dialer 0
!

HTH

Laurent.

Hello Laurent,

I have added the above-mentioned configuration, but it has not helped me.

Hi,

I don't have access to any lab to try reproducing your issue.

What I would do is track the packets received on the LAN side, see into which tunnel they are sent, and on which interface the resulting IPSec packet is forwarded.

Also you could try without any Zone configured to be sure there is no bad interaction.

HTH

Laurent.
