Problem with IPSEC/GRE tunnel

Jan 7th, 2010

First, thank you in advance for your help. I have a problem setting up a GRE over IPsec tunnel. The goal is to allow GSM cards to access our internal network. The design is as follows:

GSM cards access the provider network using a private APN; each card has a static IP address assigned from 192.168.6.0/24. From there it should reach us over the GRE over IPsec tunnel:

Provider IPSEC end:  212.2.102.235

Provider GRE end: 212.2.100.177

Our IPSEC End: 62.89.67.179

Our GRE End: 62.89.67.179


Internal network: 192.168.1.0/24

GSM card network: 192.168.6.0/24


I think that IPsec is set up correctly and there is an issue with routing. For the Tunnel0 interface I tried several IP addresses:

ip unnumbered fa/0

ip address 192.168.8.1/24

but none worked.


Current configuration : 9526 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname z
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$.QQW$xc3r0wg79QWApdTMfhmt21
!
no aaa new-model
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-2754222920
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2754222920
revocation-check none
rsakeypair TP-self-signed-2754222920
!
dot11 syslog
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name acte.local
ip port-map user-997 port tcp 997
ip port-map user-7080 port tcp 7080 description isztar
ip port-map user-26 port tcp 26
ip port-map user-2020 port tcp 2020
ip port-map user-3389 port tcp 3389 description rdp
ip port-map user-6667 port tcp 6667
ip port-map user-47 port tcp 47
!
multilink bundle-name authenticated
!
!
username mroot privilege 15 secret 5 $1$BtdH$8q1nsHWVvQUAU9mqoilRD/
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key secret address 212.2.102.235
!
!
crypto ipsec transform-set 3DESSET esp-3des esp-sha-hmac
!
crypto map 3DESMAP 10 ipsec-isakmp
set peer 212.2.102.235
set transform-set 3DESSET
set pfs group2
match address TUNNEL0
!
archive
log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any PRIVATE-INTERNET-L7-PORT
match protocol ftp
match protocol http
match protocol pptp
match protocol tftp
match protocol sip
match protocol sql-net
match protocol skinny
match protocol rtsp
match protocol h323
match protocol h225ras
match protocol dns
match protocol icmp
match protocol syslog
match protocol https
match protocol imap
match protocol user-26
match protocol user-3389
match protocol user-7080
match protocol ssh
match protocol user-997
match protocol user-2020
match protocol smtp extended
match protocol user-6667
class-map type inspect match-all PRIVATE-INTERNET-CLASS
match access-group name PRIVATE-INTERNET-ACL
match class-map PRIVATE-INTERNET-L7-PORT
class-map type inspect match-any INTERNET-PRIVATE-PORT
match protocol smtp
match protocol https
match protocol l2tp
match protocol http
match protocol tr-rsrb
match protocol telnet
match protocol icmp
match protocol user-3389
match protocol pptp
match protocol user-47
match protocol ftp
match protocol user-6667
class-map type inspect match-all INTERNET-PRIVATE-CLASS
match access-group name INTERNET-PRIVATE-ACL
match class-map INTERNET-PRIVATE-PORT
class-map type inspect match-all PPTP-PASS-CLASS
match access-group name PPTP-PASS-ACL
!
!
policy-map type inspect PRIVATE-INTERNET-POLICY
class type inspect PRIVATE-INTERNET-CLASS
  inspect
class type inspect PPTP-PASS-CLASS
  pass
class class-default
  drop
policy-map type inspect INTERNET-PRIVATE-POLICY
class type inspect INTERNET-PRIVATE-CLASS
  inspect
class type inspect PPTP-PASS-CLASS
  pass
class class-default
  drop
!
zone security INTERNET
zone security PRIVATE
zone-pair security PRIVATE-INTERNET source PRIVATE destination INTERNET
service-policy type inspect PRIVATE-INTERNET-POLICY
zone-pair security INTERNET-PRIVATE source INTERNET destination PRIVATE
service-policy type inspect INTERNET-PRIVATE-POLICY
!
!
!
interface Tunnel0
description APN PERIMETER
ip address 192.168.6.1 255.255.255.0
ip mtu 1300
keepalive 5 4
tunnel source FastEthernet0
tunnel destination 212.2.100.177
crypto map 3DESMAP
!
interface FastEthernet0
description INTERNET PERIMETER
ip address 62.89.67.179 255.255.255.248
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
zone-member security INTERNET
ip route-cache flow
duplex auto
speed auto
crypto map 3DESMAP
!
interface FastEthernet1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
duplex auto
speed auto
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation hdlc
ip route-cache flow
shutdown
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
switchport trunk native vlan 2
switchport mode trunk
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Dot11Radio0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
description PRIVATE PERIMETER
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
zone-member security PRIVATE
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Vlan2
ip address 192.168.7.1 255.255.255.0
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 62.89.67.177
ip route 192.168.6.0 255.255.255.0 Tunnel0 permanent
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list PRIVATE-NAT interface FastEthernet0 overload
ip nat inside source static tcp 192.168.1.19 21 62.89.67.179 21 extendable
ip nat inside source static tcp 192.168.1.2 25 62.89.67.179 25 extendable
ip nat inside source static tcp 192.168.1.2 80 62.89.67.179 80 extendable
ip nat inside source static tcp 192.168.1.2 443 62.89.67.179 443 extendable
ip nat inside source static tcp 192.168.1.2 987 62.89.67.179 987 extendable
ip nat inside source static tcp 192.168.1.2 1723 62.89.67.179 1723 extendable
ip nat inside source static tcp 192.168.1.2 3389 62.89.67.179 3389 extendable
!
ip access-list standard PRIVATE-NAT
permit 192.168.1.0 0.0.0.255
ip access-list standard SSH
permit 212.2.102.235
permit 192.168.1.0 0.0.0.255
!
ip access-list extended INTERNET-PRIVATE-ACL
permit ip any any
ip access-list extended PPTP-PASS-ACL
permit gre any any
ip access-list extended PRIVATE-INTERNET-ACL
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended TUNNEL0
permit ip host 62.89.67.179 host 212.2.100.177
!
logging trap debugging
no cdp run



show ip route
z-acte#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 62.89.67.177 to network 0.0.0.0

C    192.168.1.0/24 is directly connected, Vlan1
     62.0.0.0/29 is subnetted, 1 subnets
C       62.89.67.176 is directly connected, FastEthernet0
S*   0.0.0.0/0 [1/0] via 62.89.67.177

z-acte#ping
Protocol [ip]:
Target IP address: 192.168.6.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]: 5
Extended commands [n]: y
Source address or interface: 192.168.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.6.2, timeout is 5 seconds:
Packet sent with a source address of 192.168.1.1

debug ip routing detail
108418: *Jan  8 03:18:49.307 PCTime: IP-Static:  192.168.6.0 255.255.255.0 Tunnel0 Path = 1, route table permanent route, no change, recursive flag clear
108419: *Jan  8 03:18:49.307 PCTime: IP-Static:  0.0.0.0 0.0.0.0 62.89.67.177 Path = 2 3 5 7, route table no change, recursive flag clear


z-acte#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
62.89.67.179    212.2.102.235   QM_IDLE           2045    0 ACTIVE

z-acte#show crypto ipsec sa

interface: FastEthernet0
    Crypto map tag: 3DESMAP, local addr 62.89.67.179

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (62.89.67.179/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (212.2.100.177/255.255.255.255/0/0)
   current_peer 212.2.102.235 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 534606, #pkts encrypt: 534606, #pkts digest: 534606
    #pkts decaps: 89612, #pkts decrypt: 89612, #pkts verify: 89612
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 62.89.67.179, remote crypto endpt.: 212.2.102.235
     path mtu 1300, ip mtu 1300, ip mtu idb Tunnel0
     current outbound spi: 0xFD2882F7(4247290615)

     inbound esp sas:
      spi: 0xD07D7B87(3497884551)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 545, flow_id: Motorola SEC 2.0:545, crypto map: 3DESMAP
        sa timing: remaining key lifetime (k/sec): (4508865/2976)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xFD2882F7(4247290615)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 546, flow_id: Motorola SEC 2.0:546, crypto map: 3DESMAP
        sa timing: remaining key lifetime (k/sec): (4508894/2976)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Tunnel0
    Crypto map tag: 3DESMAP, local addr 62.89.67.179

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (62.89.67.179/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (212.2.100.177/255.255.255.255/0/0)
   current_peer 212.2.102.235 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 534606, #pkts encrypt: 534606, #pkts digest: 534606
    #pkts decaps: 89612, #pkts decrypt: 89612, #pkts verify: 89612
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 62.89.67.179, remote crypto endpt.: 212.2.102.235
     path mtu 1300, ip mtu 1300, ip mtu idb Tunnel0
     current outbound spi: 0xFD2882F7(4247290615)

     inbound esp sas:
      spi: 0xD07D7B87(3497884551)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 545, flow_id: Motorola SEC 2.0:545, crypto map: 3DESMAP
        sa timing: remaining key lifetime (k/sec): (4508861/2938)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xFD2882F7(4247290615)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 546, flow_id: Motorola SEC 2.0:546, crypto map: 3DESMAP
        sa timing: remaining key lifetime (k/sec): (4508893/2938)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Yudong Wu Thu, 01/07/2010 - 22:16

1. The tunnel interface IP should be in a subnet OTHER THAN your VPN traffic's source and destination networks. Currently it is configured as 192.168.6.1.

Internal network: 192.168.1.0/24

GSM card network: 192.168.6.0/24


2. You need an entry in the routing table to route the VPN traffic to the tunnel interface.


3. In general, the ACL for IPsec/GRE is configured as follows:

   permit gre host1 host2


In summary, traffic between 192.168.1.0 and 192.168.6.0 needs to be routed to the tunnel interface so that it is GRE-encapsulated. Since the GRE traffic is the interesting traffic for the IPsec tunnel, it will be encrypted and sent via the IPsec tunnel.


HTH
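The three points above applied to the posted configuration, as an added example that is not part of the original post or of the reply. It assumes that 192.168.8.0/30 is unused on both sides and that the provider puts 192.168.8.2 on its GRE end (use whatever address the provider actually configured), and it adds a fourth change the reply does not mention: Tunnel0 is in no security zone while Vlan1 is in PRIVATE, and the zone-based firewall drops traffic between a zone member and an interface that is in no zone, so routing alone would not get 192.168.1.0/24 into the tunnel. The protocols permitted between the card network and the LAN are an assumption, since the post does not say what the cards need; narrow them to the real services. The posted `permit ip host ... host ...` crypto ACL also covers GRE, so narrowing it to `permit gre` is a tightening rather than the cause of the problem. The `permanent` keyword on the static route is kept on purpose: if the tunnel goes down, the LAN-to-card traffic is dropped instead of falling to the default route, where the `PRIVATE-NAT` overload would send it to the Internet unencrypted. `tunnel protection` would be the cleaner way to tie IPsec to a GRE tunnel, but it requires the IPsec peer to be the tunnel destination, and here the peer (212.2.102.235) differs from the GRE end (212.2.100.177), so the crypto map on FastEthernet0 is the right tool; it is no longer needed on the tunnel interface itself. 3DES, SHA-1 and DH group 2 were usual in 2010; a new deployment should negotiate AES, SHA-256 and group 14 or better with the provider.

```cisco
! Added example: corrected GRE over IPsec configuration for the posted router.
! Assumed values: 192.168.8.0/30 for the tunnel, 192.168.8.2 on the provider end,
! zone name APN and the APN-* ACL/class/policy names. Everything else is from the post.
!
! 1. Crypto ACL: protect only GRE between the two GRE endpoints.
ip access-list extended TUNNEL0
 no permit ip host 62.89.67.179 host 212.2.100.177
 permit gre host 62.89.67.179 host 212.2.100.177
!
! 4a. Dedicated zone for the card network, defined before the interface refers to it,
!     so the cards are not treated as fully trusted LAN hosts.
zone security APN
!
! 2. Tunnel addressed from a subnet that is neither 192.168.1.0/24 nor 192.168.6.0/24.
!    MSS clamp matches the 1300-byte tunnel MTU (1300 - 40). The crypto map is removed
!    here; it stays on FastEthernet0, which is where the encrypted packets leave.
interface Tunnel0
 description APN PERIMETER
 ip address 192.168.8.1 255.255.255.252
 ip mtu 1300
 ip tcp adjust-mss 1260
 zone-member security APN
 keepalive 5 4
 tunnel source FastEthernet0
 tunnel destination 212.2.100.177
 no crypto map 3DESMAP
!
! 3. Route the GSM card network into the tunnel so it is GRE-encapsulated first and
!    then matches the crypto ACL. "permanent" keeps the route when the tunnel is down,
!    so the traffic is dropped rather than NATed out to the Internet via the default route.
ip route 192.168.6.0 255.255.255.0 Tunnel0 permanent
!
! 4b. Zone pairs in both directions. Assumed: ICMP, TCP and UDP between the two networks;
!     replace with the specific services the cards actually use.
ip access-list extended APN-PRIVATE-ACL
 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended PRIVATE-APN-ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
class-map type inspect match-any APN-PROTOCOLS
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all APN-PRIVATE-CLASS
 match access-group name APN-PRIVATE-ACL
 match class-map APN-PROTOCOLS
class-map type inspect match-all PRIVATE-APN-CLASS
 match access-group name PRIVATE-APN-ACL
 match class-map APN-PROTOCOLS
policy-map type inspect APN-PRIVATE-POLICY
 class type inspect APN-PRIVATE-CLASS
  inspect
 class class-default
  drop
policy-map type inspect PRIVATE-APN-POLICY
 class type inspect PRIVATE-APN-CLASS
  inspect
 class class-default
  drop
zone-pair security APN-PRIVATE source APN destination PRIVATE
 service-policy type inspect APN-PRIVATE-POLICY
zone-pair security PRIVATE-APN source PRIVATE destination APN
 service-policy type inspect PRIVATE-APN-POLICY
!
! Verification, in this order:
!  show interfaces Tunnel0                  -> line protocol must be up; "keepalive 5 4" needs
!                                              the provider's GRE end to reflect keepalives,
!                                              otherwise the tunnel stays down
!  show ip route 192.168.6.0                -> via Tunnel0
!  show crypto ipsec sa | include ident|caps -> ident shows prot 47, encaps AND decaps increase
!  show policy-map type inspect zone-pair APN-PRIVATE sessions
!  ping 192.168.6.2 source 192.168.1.1      -> router-originated test; repeat from a host
!                                              on Vlan1 to exercise the PRIVATE-APN zone pair
```

Start with `show interfaces Tunnel0`: the posted `show ip route` contains no Tunnel0 entry at all, and the posted `show crypto ipsec sa` shows roughly six times more encaps than decaps, both of which fit a tunnel whose GRE packets leave encrypted but whose line protocol or return path is not healthy. If the provider's GRE end does not answer keepalives, remove `keepalive 5 4` rather than leaving the tunnel flapping.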
