IPSEC VTI and OSPF

May 26th, 2012

I have 5 routers (soon to be 6) with tunnels (all VTI) between them.

I also have a basic OSPF setup running here (previously it was RIP), and all networks can talk to each other. However, there is one routing issue, where it takes a longer path to the remote network.


The Configs:


R1:


interface Tunnel0
 description tunnel to detroit office
 ip address 172.28.40.1 255.255.255.0
 ip ospf network broadcast
 ip ospf mtu-ignore
 tunnel source xx
 tunnel destination xxx
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface Tunnel1
 description tunnel to San Diego Office
 ip address 172.28.42.1 255.255.255.0
 ip ospf network broadcast
 ip ospf mtu-ignore
 tunnel source xxx
 tunnel destination xxx
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface Tunnel2
 description tunnel to Detroit DC
 ip address 172.28.43.1 255.255.255.0
 ip ospf network broadcast
 ip ospf mtu-ignore
 tunnel source xxx
 tunnel destination xx
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface Tunnel3
 description tunnel to detroit office - standby
 ip address 172.28.51.1 255.255.255.0
 ip ospf network broadcast
 ip ospf mtu-ignore
 tunnel source GigabitEthernet0/0
 tunnel destination xxx
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
router ospf 42
 log-adjacency-changes
 network 10.87.1.0 0.0.0.255 area 0
 network 172.28.40.0 0.0.0.255 area 0
 network 172.28.42.0 0.0.0.255 area 0
 network 172.28.43.0 0.0.0.255 area 0
 network 172.28.51.0 0.0.0.255 area 0
!


cerberus#sh ip route ospf
     172.28.0.0/24 is subnetted, 7 subnets
O       172.28.49.0 [110/2000] via 172.28.42.2, 05:47:06, Tunnel1
O       172.28.50.0 [110/2000] via 172.28.42.2, 05:47:06, Tunnel1
O       172.28.41.0 [110/2000] via 172.28.42.2, 05:47:06, Tunnel1
                    [110/2000] via 172.28.40.2, 05:47:06, Tunnel0
     10.0.0.0/24 is subnetted, 2 subnets
O       10.87.2.0 [110/2001] via 172.28.42.2, 05:47:06, Tunnel1
O    192.168.1.0/24 [110/1001] via 172.28.42.2, 05:47:06, Tunnel1
O    192.168.2.0/24 [110/1001] via 172.28.40.2, 05:47:06, Tunnel0
cerberus#


As you can see, for 10.87.2.x it is going through the 192 network, when it has a direct tunnel through Tunnel 2.



R2:


interface Tunnel0
 description tunnel to AIS San Diego
 ip address 172.28.42.2 255.255.255.0
 ip ospf network broadcast
 ip ospf mtu-ignore
 tunnel source GigabitEthernet0
 tunnel mode ipsec ipv4
 tunnel destination xxx
 tunnel protection ipsec profile VTI
!
!
interface Tunnel1
 description tunnel to detroit office
 ip address 172.28.41.1 255.255.255.0
 ip ospf network broadcast
 ip ospf mtu-ignore
 tunnel source GigabitEthernet0
 tunnel mode ipsec ipv4
 tunnel destination xxx
 tunnel protection ipsec profile VTI
!
!
interface Tunnel2
 description tunnel to Detroit Data Center
 ip address 172.28.49.1 255.255.255.0
 ip ospf network broadcast
 ip ospf mtu-ignore
 tunnel source GigabitEthernet0
 tunnel mode ipsec ipv4
 tunnel destination xxx
 tunnel protection ipsec profile VTI
!
!
interface Tunnel3
 description tunnel to Detroit t1 router
 ip address 172.28.50.1 255.255.255.0
 ip ospf network broadcast
 ip ospf mtu-ignore
 tunnel source GigabitEthernet0
 tunnel mode ipsec ipv4
 tunnel destination xxx
 tunnel protection ipsec profile VTI
!
router ospf 42
 log-adjacency-changes
 network 172.28.41.0 0.0.0.255 area 0
 network 172.28.42.0 0.0.0.255 area 0
 network 172.28.49.0 0.0.0.255 area 0
 network 172.28.50.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
!


#sh ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 24.43.240.137 to network 0.0.0.0

      10.0.0.0/24 is subnetted, 2 subnets
O        10.87.1.0 [110/1001] via 172.28.42.1, 03:55:51, Tunnel0
O        10.87.2.0 [110/1001] via 172.28.49.2, 03:55:51, Tunnel2
      172.28.0.0/16 is variably subnetted, 11 subnets, 2 masks
O        172.28.40.0/24 [110/2000] via 172.28.42.1, 03:55:51, Tunnel0
                        [110/2000] via 172.28.41.2, 03:55:51, Tunnel1
O        172.28.43.0/24 [110/2000] via 172.28.49.2, 03:55:51, Tunnel2
                        [110/2000] via 172.28.42.1, 03:55:51, Tunnel0
O        172.28.51.0/24 [110/2000] via 172.28.50.2, 03:55:51, Tunnel3
                        [110/2000] via 172.28.42.1, 03:55:51, Tunnel0
O     192.168.2.0/24 [110/1001] via 172.28.50.2, 03:55:51, Tunnel3
                     [110/1001] via 172.28.41.2, 03:55:51, Tunnel1



R2 is the router that R1 ends up using when connecting to 10.87.2.x.


Any advice on (1) how to fix this, and (2) the general setup would be wonderful. I am new to OSPF and feel like I could have done a better job here (maybe using an area per site).

Jennifer Halim (Cisco Employee) Sat, 05/26/2012 - 20:18

There doesn't seem to be a tunnel with the 172.28.43.0/24 subnet configured on R2, and 172.28.43.0/24 is not advertised by R2 in OSPF. Looks like you might be missing this particular tunnel on R2, hence the issue.

searchoptics_2011 Sat, 05/26/2012 - 20:26

R2 is the router R1 is using to get to the destination that Tunnel 1 on R1 is connected to


Tunnel 1 on R3 is a VTI tunnel to Tunnel 3 on R1.


R1 is currently using tunnel 1 on R1 to hop to R2 and then uses tunnel 2 to get to R3


If that makes sense.


Here is the config for R3


!
interface Tunnel1
 description tunnel to AIS San Diego
 ip address 172.28.43.2 255.255.255.0
 ip ospf mtu-ignore
 tunnel source xxx
 tunnel destination xxx
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface Tunnel2
 description tunnel to San Diego Main Office
 ip address 172.28.49.2 255.255.255.0
 ip ospf network broadcast
 ip ospf mtu-ignore
 tunnel source xxx
 tunnel destination xxx
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
router ospf 42
 log-adjacency-changes
 network 10.87.2.0 0.0.0.255 area 0
 network 172.28.43.0 0.0.0.255 area 0
 network 172.28.49.0 0.0.0.255 area 0
!


sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 199.16.189.209 to network 0.0.0.0

     172.28.0.0/24 is subnetted, 7 subnets
C       172.28.49.0 is directly connected, Tunnel2
O       172.28.50.0 [110/2000] via 172.28.49.1, 02:32:05, Tunnel2
O       172.28.51.0 [110/3000] via 172.28.49.1, 02:32:05, Tunnel2
O       172.28.40.0 [110/3000] via 172.28.49.1, 02:32:05, Tunnel2
O       172.28.41.0 [110/2000] via 172.28.49.1, 02:32:05, Tunnel2
O       172.28.42.0 [110/2000] via 172.28.49.1, 02:32:05, Tunnel2
C       172.28.43.0 is directly connected, Tunnel1
     10.0.0.0/24 is subnetted, 2 subnets
O       10.87.1.0 [110/2001] via 172.28.49.1, 02:32:05, Tunnel2
C       10.87.2.0 is directly connected, GigabitEthernet0/1
     199.16.189.0/28 is subnetted, 1 subnets
C       199.16.189.208 is directly connected, GigabitEthernet0/0
O    192.168.1.0/24 [110/1001] via 172.28.49.1, 02:32:05, Tunnel2
O    192.168.2.0/24 [110/2001] via 172.28.49.1, 02:32:05, Tunnel2

searchoptics_2011 Sat, 05/26/2012 - 20:36

And got it, needed to put

ip ospf network broadcast

on Tunnel 1.

Now the routes look correct. Damn, that's embarrassing.
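The fix above is easy to miss by eye because the adjacency over a VTI can still come up when one end is `broadcast` and the other is the Cisco IOS default for a Tunnel interface, `point-to-point`; SPF just never uses the link, which is why R1 reached 10.87.2.0/24 via R2 instead of via Tunnel2. The script below is an added example, not code from the thread or from Cisco: it parses `interface TunnelN` stanzas from the posted configs (trimmed copies, tunnel source/destination omitted, embedded as constructed sample data), pairs tunnel ends by their shared /24, and reports the two things raised in this thread, a subnet whose far end is absent from the supplied configs (Jennifer's first observation) and a subnet whose two ends disagree on `ip ospf network`. The function and verdict names are the example's own.

```python
"""Cross-check OSPF network type across both ends of every IPsec VTI (added example)."""
import ipaddress
import re

# IOS fact: a Tunnel interface defaults to OSPF network type point-to-point
# unless 'ip ospf network <type>' is configured on it.
DEFAULT_TUNNEL_OSPF_TYPE = "point-to-point"

# Constructed sample: trimmed copies of the R1/R2/R3 configs posted in the
# thread (only the lines the check reads; sources/destinations omitted).
SAMPLE_CONFIGS = {
    "R1": """
interface Tunnel2
 ip address 172.28.43.1 255.255.255.0
 ip ospf network broadcast
 ip ospf mtu-ignore
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface Tunnel3
 ip address 172.28.51.1 255.255.255.0
 ip ospf network broadcast
 ip ospf mtu-ignore
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
""",
    "R2": """
interface Tunnel2
 ip address 172.28.49.1 255.255.255.0
 ip ospf network broadcast
 ip ospf mtu-ignore
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
""",
    "R3": """
interface Tunnel1
 ip address 172.28.43.2 255.255.255.0
 ip ospf mtu-ignore
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface Tunnel2
 ip address 172.28.49.2 255.255.255.0
 ip ospf network broadcast
 ip ospf mtu-ignore
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
""",
}


def parse_tunnels(config):
    """Map each Tunnel interface to its subnet, OSPF network type and mtu-ignore flag."""
    tunnels, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = line.split(" ", 1)[1]
            cur = None  # only Tunnel stanzas are tracked
            if name.startswith("Tunnel"):
                cur = {"network": None, "ospf_type": DEFAULT_TUNNEL_OSPF_TYPE, "mtu_ignore": False}
                tunnels[name] = cur
            continue
        if line == "!":
            cur = None  # end of stanza
            continue
        if cur is None:
            continue
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m:
            # ipaddress accepts a dotted netmask after the slash
            cur["network"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif line.startswith("ip ospf network "):
            cur["ospf_type"] = line.split()[-1]
        elif line == "ip ospf mtu-ignore":
            cur["mtu_ignore"] = True
    return tunnels


def check_vti_ospf(configs):
    """Pair tunnel ends by subnet; return sorted (subnet, verdict, ends) findings."""
    ends = {}
    for device, text in configs.items():
        for ifname, info in parse_tunnels(text).items():
            if info["network"] is not None:
                ends.setdefault(info["network"], []).append((device, ifname, info["ospf_type"]))
    findings = []
    for subnet, members in ends.items():
        members = tuple(sorted(members))
        if len(members) < 2:
            verdict = "unpaired"  # far end not present in the supplied configs
        elif len({m[2] for m in members}) > 1:
            verdict = "ospf-network-type-mismatch"  # neighbor may form, SPF won't use the link
        else:
            verdict = "ok"
        findings.append((str(subnet), verdict, members))
    return sorted(findings)


if __name__ == "__main__":
    for subnet, verdict, members in check_vti_ospf(SAMPLE_CONFIGS):
        print(f"{subnet:16} {verdict:28} " + ", ".join(f"{d}/{i}={t}" for d, i, t in members))
```

Run against the sample, 172.28.43.0/24 is reported as a mismatch between R1/Tunnel2 (broadcast) and R3/Tunnel1 (point-to-point), 172.28.49.0/24 as ok, and 172.28.51.0/24 as unpaired because the standby router's config was not posted. Adding `ip ospf network broadcast` to R3's Tunnel1 in the sample turns the first verdict to ok, matching the fix in the post above.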

Jennifer Halim (Cisco Employee) Sun, 05/27/2012 - 01:55

Ahh OK, got it, R3 wasn't in the picture earlier.

Thanks for the update.

rahimbhamani Thu, 01/17/2013 - 22:19

How many tunnels can the IPsec profile named VTI be applied to? In our case there are 500+ branches. We created a point-to-point tunnel at the hub site for every branch. Can we apply the same IPsec profile VTI (the same profile) to all the tunnel interfaces?
