Routing Issue - IPSEC Tunnel

Unanswered Question
Jun 29th, 2012

Hi All


Not sure if this is the right way of configuring an IPsec VPN tunnel; I feel I have a routing issue on the IPsec tunnel. On stopping the Tunnel and Internet interface, all is OK.

My scenario is the following:

Sales Office 1 and Sales Office 2 are in the same country, and the DataCenter is in another country.

Sales Office 1 connects to Sales Office 2 over a local MPLS cloud provided by the in-country telecom provider.

Sales Office 1 connects to the DC over the Internet via an IPsec VPN tunnel, with a router at both ends.

Sales Office 2 reaches the DC by passing through Sales Office 1 over the MPLS.

So far all is OK.

When Sales Office 2 got another new connection to the DC over the Internet via IPsec VPN, all the problems started.

Sales Office 2 has one router where the LAN, MPLS and Internet links are terminated.

Before adding the new Internet connection there were only static routes pointing to the next MPLS hop.

After adding the Internet link the config has static routes, dynamic routes and a Tunnel config.



SALES Office 2 Router config

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key KIPT address 78.x.x.x
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set WORK esp-3des esp-md5-hmac
!
crypto map WORK 10 ipsec-isakmp
 set peer 78.x.x.x
 set transform-set WORK
 match address IP123
!
interface Tunnel1
 ip address 10.0.0.2 255.255.255.252
 tunnel source 65.84.x.x
 tunnel destination 78.x.x.x
!
interface FastEthernet0/0
 description MPLS
 ip address 172.16.16.178 255.255.255.248
 speed auto
 duplex auto
!
interface FastEthernet0/1
 description LAN
 ip address 192.168.1.254 255.255.255.0
!
interface FastEthernet3/0
 description INTERNET
 ip address 65.84.x.x 255.255.255.252
 crypto map WORK
!
router ospf 1
 network 192.168.1.254 0.0.0.255 area 0
 network 10.0.0.2 0.0.0.3 area 0
!
ip route 0.0.0.0 0.0.0.0 FastEthernet3/0
ip route 172.20.20.0 255.255.255.0 172.16.16.177
ip route 172.20.20.0 255.255.255.0 Tunnel1
ip route 192.168.30.0 255.255.255.0 172.16.16.177
ip route 172.20.90.0 255.255.255.0 172.16.16.177
!
ip access-list extended IP123
 permit ip 192.168.1.0 0.0.0.255 172.20.20.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 172.90.20.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.255



I hope to get some idea on the issue

cheers

Paul

Edison Ortiz Fri, 06/29/2012 - 09:14

The traffic you have marked for encryption is traversing an interface that has no crypto map.

If your connection to the DC is via F3/0, then your next hop for 172.20.20.0, 172.20.90.0 and 192.168.30.0 should be F3/0 or, preferably, the IP address of the ISP Internet router.

I also noticed you have a GRE tunnel. Is your intention to do IPsec over GRE or GRE over IPsec?



Regards,


Edison

paultim68 Fri, 06/29/2012 - 22:23

Hi Edison

I understood your point on F3/0. Simple IPsec didn't work, so we started testing with a Tunnel config while keeping IPsec.

Can you explain the difference between IPsec over GRE and GRE over IPsec?

Can you suggest a possible solution to make this work?


cheers

Paul

Edison Ortiz Mon, 07/02/2012 - 07:47

With IPsec over GRE, you first encrypt the packet with IPsec, then forward it out onto the next hop via a GRE tunnel.

With GRE over IPsec, you forward the packet into a GRE tunnel, then encrypt it with IPsec as it exits the router.


To correct your issue, you need to have "crypto map WORK" on F3/0.


Regards,


Edison
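
An added example of the GRE-over-IPsec case, which is not part of the thread and not Edison's or Paul's config. In the posted config a packet for 172.20.20.0/24 that is routed into Tunnel1 is GRE-encapsulated first, so what the crypto map on F3/0 sees is a GRE packet from 65.84.x.x to 78.x.x.x. That packet matches none of the LAN-to-LAN entries in IP123, so it would leave F3/0 as plain GRE, unencrypted, and the DC peer would never build an SA for it. With a crypto map, GRE over IPsec therefore needs the crypto ACL to match the GRE traffic between the two tunnel endpoints, with the crypto map on the physical interface the GRE packets exit. The posted config also has two statics for 172.20.20.0/24 with the same default AD, one via 172.16.16.177 and one via Tunnel1, so the router installs both and load-shares across them rather than preferring either. Addresses below are the thread's placeholders; the ACL name GRE-TO-DC is an assumption; 3DES/MD5 is kept only to match the thread, both are deprecated and AES with SHA-2 should be used on anything current.

```cisco
! Added example, not from the thread: GRE over IPsec with a crypto map.
! The crypto ACL matches GRE (protocol 47) between the tunnel endpoints,
! because that is what actually reaches the crypto map on F3/0.
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key KIPT address 78.x.x.x
crypto isakmp keepalive 10
!
crypto ipsec transform-set WORK esp-3des esp-md5-hmac
!
! Assumed ACL name; the DC side needs the mirror image:
!   permit gre host 78.x.x.x host 65.84.x.x
ip access-list extended GRE-TO-DC
 permit gre host 65.84.x.x host 78.x.x.x
!
crypto map WORK 10 ipsec-isakmp
 set peer 78.x.x.x
 set transform-set WORK
 match address GRE-TO-DC
!
interface Tunnel1
 ip address 10.0.0.2 255.255.255.252
 tunnel source 65.84.x.x
 tunnel destination 78.x.x.x
!
interface FastEthernet3/0
 description INTERNET
 ip address 65.84.x.x 255.255.255.252
 crypto map WORK
!
! Remote subnets go into the tunnel; the tunnel endpoint itself is reached
! through the default route out of F3/0, which is where the crypto map sits.
! Only one route per remote subnet, so nothing is load-shared with MPLS.
ip route 0.0.0.0 0.0.0.0 FastEthernet3/0
ip route 172.20.20.0 255.255.255.0 Tunnel1
ip route 172.20.90.0 255.255.255.0 Tunnel1
ip route 192.168.30.0 255.255.255.0 Tunnel1
```

Verify with show crypto ipsec sa on F3/0: the SA's local and remote ident should be the two host addresses with prot 47, and #pkts encaps/decaps should rise as traffic crosses the tunnel. The Tunnel1 interface counters alone do not tell you whether the GRE packets were encrypted, which is exactly the failure mode this ACL prevents.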

paultim68 Mon, 07/02/2012 - 22:32

I already got "crypto map WORK" on F3/0.


interface FastEthernet3/0
 description INTERNET
 ip address 65.84.x.x 255.255.255.252
 crypto map WORK

Edison Ortiz Fri, 07/06/2012 - 06:14

Ok, I reviewed your config one more time and here are the things you should modify:


(Note: I'm assuming subnets 172.20.20.0/24, 172.20.90.0/24 and 192.168.30.0/24 are located in HQ and must be encrypted.)

Remove these static routes:

ip route 172.20.20.0 255.255.255.0 172.16.16.177
ip route 172.20.20.0 255.255.255.0 Tunnel1
ip route 192.168.30.0 255.255.255.0 172.16.16.177
ip route 172.20.90.0 255.255.255.0 172.16.16.177

You should only have the default pointing to F3/0.

Remove your OSPF for now:

router ospf 1
 network 192.168.1.254 0.0.0.255 area 0
 network 10.0.0.2 0.0.0.3 area 0

Fix your ACL:

ip access-list extended IP123
 permit ip 192.168.1.0 0.0.0.255 172.90.20.0 0.0.0.255

should be:

 permit ip 192.168.1.0 0.0.0.255 172.20.90.0 0.0.0.255

paul.tim681 Mon, 07/16/2012 - 01:23

Hi All

Sorry for the late reply; the above solution didn't work. We pushed the provider to provide a BGP config instead of static. We tested the BGP config by shutting down the Internet interface Fa3/0, and all is working with no issues. As soon as interface Fa3/0 is up, the connection goes up/down. Another test we did was to stop the MPLS interface, and we noticed all is working fine.

When both the MPLS and Internet links are up the issue comes up. Our requirement is to prefer the MPLS path over the IPsec tunnel and fall back to IPsec if MPLS is down.

Appreciate feedback.


cheers

Paul

cadet alain Mon, 07/16/2012 - 01:46

Hi,

If you're using BGP for the primary and static for the secondary, then you need to modify the AD of the static route to be greater than BGP's (so > 20).


Regards.


Alain.



Don't forget to rate helpful posts.

paul.tim681 Mon, 07/16/2012 - 02:31

Hi Alain


Traffic flow should be MPLS (BGP) for primary path and IPSEC VPN as failover path.

If both interfaces are up/up then the connection starts flapping; for now I have stopped the MPLS interface.

Please do look at the config and give feedback.



** SALES Office 2 Router config **

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key KIPT address 78.x.x.x
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set WORK esp-3des esp-md5-hmac
!
crypto map WORK 10 ipsec-isakmp
 set peer 78.x.x.x
 set transform-set WORK
 match address IP123
!
interface Tunnel1
 ip address 10.0.0.2 255.255.255.252
 tunnel source 65.84.x.x
 tunnel destination 78.x.x.x
!
! FastEthernet0/0 is currently shut down for the test
interface FastEthernet0/0
 description MPLS
 ip address 172.16.16.178 255.255.255.248
 speed auto
 duplex auto
 shutdown
!
interface FastEthernet0/1
 description LAN
 ip address 192.168.1.254 255.255.255.0
!
interface FastEthernet3/0
 description INTERNET
 ip address 65.84.x.x 255.255.255.252
 crypto map WORK
!
router ospf 1
 redistribute bgp 65000 subnets
 network 192.168.1.254 0.0.0.255 area 0
 network 10.0.0.2 0.0.0.3 area 0
!
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 redistribute ospf 1
 neighbor 172.16.16.177 remote-as 7542
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 FastEthernet3/0
!
ip access-list extended IP123
 permit ip 192.168.1.0 0.0.0.255 172.20.20.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 172.20.90.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.255

cadet alain Mon, 07/16/2012 - 03:06

Hi,


I would get rid of the tunnel interface and change the static routes to point to the IP next hop, with an AD of 111.

If it still isn't working, could you post the output of sh ip route when both interfaces are up/up?


Regards.


Alain.


Don't forget to rate helpful posts.
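
Alain's two replies together describe a floating-static failover. As an added example, not the thread's config and not Alain's, here is Sales Office 2 without the GRE tunnel: plain crypto-map IPsec on F3/0, eBGP over MPLS as the primary path, and static routes for the DC subnets with AD 111 as the backup. eBGP routes have AD 20, so they win whenever the MPLS neighbor is up; when the session drops and the routes are withdrawn, the AD 111 statics take over and traffic exits F3/0, where the crypto map encrypts it. <ISP-NEXT-HOP> stands for the ISP's address on the F3/0 /30, which the thread does not show; the BGP timers and the AES/SHA-256 ciphers (which need an IOS release that supports them) are my choices, not Paul's.

```cisco
! Added example, not from the thread: crypto-map IPsec with BGP primary over
! MPLS and floating static routes (AD 111) as the IPsec failover.
! <ISP-NEXT-HOP> is a placeholder for the ISP router's address on the /30.
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key KIPT address 78.x.x.x
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set WORK esp-aes 256 esp-sha256-hmac
!
! No GRE, so the crypto ACL matches the LAN-to-LAN traffic itself.
ip access-list extended IP123
 permit ip 192.168.1.0 0.0.0.255 172.20.20.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 172.20.90.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.255
!
crypto map WORK 10 ipsec-isakmp
 set peer 78.x.x.x
 set transform-set WORK
 match address IP123
!
interface FastEthernet0/0
 description MPLS
 ip address 172.16.16.178 255.255.255.248
!
interface FastEthernet0/1
 description LAN
 ip address 192.168.1.254 255.255.255.0
!
interface FastEthernet3/0
 description INTERNET
 ip address 65.84.x.x 255.255.255.252
 crypto map WORK
!
! No Tunnel interface and no OSPF: the LAN is directly connected, so BGP
! advertises it to the provider itself instead of through redistribution.
! Short timers (assumed values) so a dead provider session is detected in
! seconds rather than the 180 s default hold time.
router bgp 65000
 bgp log-neighbor-changes
 network 192.168.1.0 mask 255.255.255.0
 neighbor 172.16.16.177 remote-as 7542
 neighbor 172.16.16.177 timers 10 30
!
! Default to the ISP; DC subnets as floating statics that only get installed
! once the eBGP routes (AD 20) for them are gone.
ip route 0.0.0.0 0.0.0.0 <ISP-NEXT-HOP>
ip route 172.20.20.0 255.255.255.0 <ISP-NEXT-HOP> 111
ip route 172.20.90.0 255.255.255.0 <ISP-NEXT-HOP> 111
ip route 192.168.30.0 255.255.255.0 <ISP-NEXT-HOP> 111
```

While MPLS is up, show ip route 172.20.20.0 should show a B route with [20/...]; shut F0/0 and it should switch to S [111/0] via <ISP-NEXT-HOP>, after which the first LAN packet toward the DC triggers IKE on F3/0 (show crypto session). Two things to check on the DC side: its crypto ACL must mirror IP123, and its routing must make the same MPLS-first choice, otherwise the return traffic takes the other path and the flows are asymmetric.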

paul.tim681 Tue, 07/17/2012 - 01:30

Hi Alain


Removing the Tunnel config and adding static routes didn't help.

cadet alain Tue, 07/17/2012 - 10:25

Hi,


Show us the new config and the sh ip route output.


Regards.


Alain



Don't forget to rate helpful posts.

phoenix3195 Fri, 07/06/2012 - 06:43

Hi Paul,


I recommend using IPsec profiles for tunnel protection and using a routing protocol (EIGRP) if possible, which will save you a lot of trouble. Let me know if you need a sample config.


HTH


Iyad
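
The IPsec-profile approach Iyad recommends, as an added example that is neither Iyad's nor Paul's config. tunnel protection binds IPsec to Tunnel1 directly, so there is no crypto map on F3/0 and no crypto ACL to get wrong: whatever is routed into the tunnel is encrypted. EIGRP runs across the tunnel and eBGP over MPLS; since eBGP has AD 20 and EIGRP 90, the MPLS path is preferred automatically for every prefix learned both ways, and the EIGRP path takes over when the BGP routes are withdrawn, with no floating statics to tune. Assumptions: <ISP-NEXT-HOP> is the ISP address on the F3/0 /30 (not shown in the thread), EIGRP AS 100 and the profile name DC-PROFILE are mine, AES/SHA-256 replaces the thread's 3DES/MD5, and the DC router runs the mirror configuration.

```cisco
! Added example, not from the thread: GRE tunnel protected by an IPsec profile
! with EIGRP across the tunnel and eBGP over MPLS as the preferred path.
! <ISP-NEXT-HOP> is a placeholder for the ISP router's address on the /30.
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key KIPT address 78.x.x.x
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set WORK esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DC-PROFILE
 set transform-set WORK
!
interface Tunnel1
 ip address 10.0.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet3/0
 tunnel destination 78.x.x.x
 tunnel protection ipsec profile DC-PROFILE
!
interface FastEthernet0/0
 description MPLS
 ip address 172.16.16.178 255.255.255.248
!
interface FastEthernet0/1
 description LAN
 ip address 192.168.1.254 255.255.255.0
!
interface FastEthernet3/0
 description INTERNET
 ip address 65.84.x.x 255.255.255.252
!
! EIGRP on the tunnel and the LAN only; nothing is redistributed between
! EIGRP and BGP, each protocol originates the local LAN itself.
router eigrp 100
 network 10.0.0.0 0.0.0.3
 network 192.168.1.0 0.0.0.255
 passive-interface FastEthernet0/1
!
router bgp 65000
 bgp log-neighbor-changes
 network 192.168.1.0 mask 255.255.255.0
 neighbor 172.16.16.177 remote-as 7542
!
! The tunnel endpoint must always be reached through the Internet interface
! and never through the tunnel itself, so pin it with a host route in
! addition to the default.
ip route 0.0.0.0 0.0.0.0 <ISP-NEXT-HOP>
ip route 78.x.x.x 255.255.255.255 <ISP-NEXT-HOP>
```

Two checks for an up/down tunnel like the one the thread describes. First, show ip route 78.x.x.x must always resolve via F3/0 and never via Tunnel1; if the DC ever advertises a default route or the peer's own prefix across the tunnel, IOS logs %TUN-5-RECURDOWN (temporarily disabled due to recursive routing) and the tunnel flaps, which is what the host route above guards against. Second, avoid the mutual redistribution in the posted config (OSPF into BGP and BGP into OSPF): each protocol above originates only the local LAN, so a DC prefix learned over MPLS is never re-announced down the tunnel and back, and show ip route 172.20.20.0 should show the B route at [20/...] with the D route at [90/...] appearing only when the MPLS session is down.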
