Routing Issue - IPSEC Tunnel

Unanswered Question
Jun 29th, 2012

Hi All

Not sure if this is the right way of configuring an IPSEC VPN tunnel; I feel I have a routing issue on the IPSEC tunnel. On stopping the Tunnel and Internet interface all is OK.

My scenario is following

Sales Office 1 & Sales Office 2 are in the same country and the DataCenter is in another country.

Sales office 1 connects to Sales office 2 over a local MPLS cloud provided by an in-country telecom provider.

Sales office 1 connects to the DC over the INTERNET via an IPSEC VPN tunnel with a Router at both ends.

Sales office 2 reaches the DC via Sales office 1 over MPLS.

So far all is OK.

When Sales office 2 got another new connection to the DC over the Internet via IPSEC VPN, all the problems started.

Sales Office 2 has one Router where the LAN, MPLS and Internet link are terminated.

Before adding the new internet connection there were only static routes pointing to the next MPLS hop.

After adding the Internet link the config has static routes, dynamic routes and the Tunnel config.

SALES Office 2 Router config

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key KIPT address 78.x.x.x
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set WORK esp-3des esp-md5-hmac
!
crypto map WORK 10 ipsec-isakmp
 set peer 78.x.x.x
 set transform-set WORK
 match address IP123
!
interface Tunnel1
 ip address 10.0.0.2 255.255.255.252
 tunnel source 65.84.x.x
 tunnel destination 78.x.x.x
!
interface FastEthernet0/0
 description MPLS
 ip address 172.16.16.178 255.255.255.248
 speed auto
 duplex auto
!
interface FastEthernet0/1
 description LAN
 ip address 192.168.1.254 255.255.255.0
!
interface FastEthernet3/0
 description INTERNET
 ip address 65.84.x.x 255.255.255.252
 crypto map WORK
!
router ospf 1
 network 192.168.1.254 0.0.0.255 area 0
 network 10.0.0.2 0.0.0.3 area 0
!
ip route 0.0.0.0 0.0.0.0 FastEthernet3/0
ip route 172.20.20.0 255.255.255.0 172.16.16.177
ip route 172.20.20.0 255.255.255.0 Tunnel1
ip route 192.168.30.0 255.255.255.0 172.16.16.177
ip route 172.20.90.0 255.255.255.0 172.16.16.177
!
ip access-list extended IP123
 permit 192.168.1.0 0.0.0.255 172.20.20.0 0.0.0.255
 permit 192.168.1.0 0.0.0.255 172.90.20.0 0.0.0.255
 permit 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.255

I hope to get some ideas on the issue.

cheers

Paul

Edison Ortiz Fri, 06/29/2012 - 09:14

The traffic you have marked for encryption is traversing an interface that has no crypto-map.

If your connection to the DC is via F3/0, then your next hop for 172.20.20.0, 172.20.90.0 and 192.168.30.0 should be F3/0 or preferably the IP address of the ISP internet router.

I also noticed you have a GRE tunnel. Is it your intention to do IPSec over GRE or GRE over IPSec?

Regards,

Edison

paultim68 Fri, 06/29/2012 - 22:23

Hi Edison

I understood your point on F3/0. Simple IPSEC didn't work, so we started testing with the Tunnel config while keeping IPSEC.

Can you explain the difference between IPSEC over GRE and GRE over IPSEC?

Can you suggest a possible solution to make this work?

cheers

Paul

Edison Ortiz Mon, 07/02/2012 - 07:47

With IPSec over GRE, you first encrypt the packet with IPSec then forward it out onto the next hop via a GRE tunnel.

With GRE over IPSec, you forward the packet into a GRE tunnel, then encrypt it with IPSec as it exits the router.

To correct your issue, you need to have "crypto map WORK" on F3/0.

Regards,

Edison

paultim68 Mon, 07/02/2012 - 22:32

I already got "crypto map WORK" on F3/0.

interface FastEthernet3/0
 description INTERNET
 ip address 65.84.x.x 255.255.255.252
 crypto map WORK

Edison Ortiz Fri, 07/06/2012 - 06:14

Ok, I reviewed your config one more time and here are the things you should modify:

(Note: I'm assuming subnets 172.20.20.0/24, 172.20.90.0/24 and 192.168.30.0/24 are located in HQ and must be encrypted.)

Remove these static routes:

ip route 172.20.20.0 255.255.255.0 172.16.16.177
ip route 172.20.20.0 255.255.255.0 Tunnel1
ip route 192.168.30.0 255.255.255.0 172.16.16.177
ip route 172.20.90.0 255.255.255.0 172.16.16.177

You should only have the default pointing to F3/0.

Remove your OSPF for now:

router ospf 1
 network 192.168.1.254 0.0.0.255 area 0
 network 10.0.0.2 0.0.0.3 area 0

Fix your ACL:

ip access-list extended IP123
!
 permit 192.168.1.0 0.0.0.255 172.90.20.0 0.0.0.255
!

should be:

 permit 192.168.1.0 0.0.0.255 172.20.90.0 0.0.0.255
!

paul.tim681 Mon, 07/16/2012 - 01:23

Hi All

Sorry for the late reply, the above solution didn't work. We pushed the provider to provide a BGP config instead of static. We tested the BGP config by shutting down the Internet interface Fa 3/0 and all is working with no issues. When interface Fa 3/0 is up the connection goes up/down. Another test we did was to stop the MPLS interface, and we noticed all is working fine.

When both the MPLS and Internet links are up the issue comes up. Our requirement is to prefer the MPLS path over the IPSEC tunnel and fall back to IPSEC if MPLS is down.

Appreciate feedback.

cheers

Paul

Cadet Alain Mon, 07/16/2012 - 01:46

Hi,

If you're using BGP for the primary and static for the secondary, then you need to modify the AD of the static route to be greater than BGP (so > 20).

Regards.

Alain.

Don't forget to rate helpful posts.

paul.tim681 Mon, 07/16/2012 - 02:31

Hi Alain

Traffic flow should be MPLS (BGP) for primary path and IPSEC VPN as failover path.

If both interfaces are Up/Up then the connection starts flapping; for now I have stopped the MPLS interface.

Please do look at the config and give feedback.

** SALES Office 2 Router config **

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key KIPT address 78.x.x.x
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set WORK esp-3des esp-md5-hmac
!
crypto map WORK 10 ipsec-isakmp
 set peer 78.x.x.x
 set transform-set WORK
 match address IP123
!
interface Tunnel1
 ip address 10.0.0.2 255.255.255.252
 tunnel source 65.84.x.x
 tunnel destination 78.x.x.x
!
interface FastEthernet0/0   ! --> Shutdown
 description MPLS
 ip address 172.16.16.178 255.255.255.248
 speed auto
 duplex auto
!
interface FastEthernet0/1
 description LAN
 ip address 192.168.1.254 255.255.255.0
!
interface FastEthernet3/0
 description INTERNET
 ip address 65.84.x.x 255.255.255.252
 crypto map WORK
!
router ospf 1
 redistribute bgp 65000 subnets
 network 192.168.1.254 0.0.0.255 area 0
 network 10.0.0.2 0.0.0.3 area 0
!
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 redistribute ospf 1
 neighbor 172.16.16.177 remote-as 7542
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 FastEthernet3/0
!
ip access-list extended IP123
 permit 192.168.1.0 0.0.0.255 172.20.20.0 0.0.0.255
 permit 192.168.1.0 0.0.0.255 172.20.90.0 0.0.0.255
 permit 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.255

Cadet Alain Mon, 07/16/2012 - 03:06

Hi,

I would get rid of the tunnel interface and change the static route to point to the IP next hop and with an AD of 111.

If it still isn't working, then could you post the output of sh ip route when both interfaces are UP/UP.

Regards.

Alain.

Don't forget to rate helpful posts.
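Added example (Python, not from this thread or any Cisco tool): a small longest-prefix/administrative-distance route-selection model run over Paul's posted routes. It shows Edison's point that the IP123 destinations are routed out interfaces without the crypto map, and Alain's floating-static rule (static AD > 20 so the eBGP route over MPLS stays primary and the Internet path only takes over once that route disappears). It assumes the DC prefixes are learned via eBGP from 172.16.16.177 and uses 203.0.113.0/30 as a constructed stand-in for the elided 65.84.x.x ISP link.

```python
import ipaddress
AD_STATIC, AD_EBGP = 1, 20                 # Cisco IOS default administrative distances
CRYPTO_MAP_IFACES = {"FastEthernet3/0"}    # only the INTERNET link has "crypto map WORK"
# Connected subnets, used to resolve a next-hop IP to its egress interface.
# 203.0.113.0/30 is a constructed stand-in for the elided 65.84.x.x/30 ISP link.
CONNECTED = {"FastEthernet0/0": ipaddress.ip_network("172.16.16.176/29"),   # MPLS
             "FastEthernet3/0": ipaddress.ip_network("203.0.113.0/30")}     # INTERNET
# Destinations that crypto ACL IP123 selects for encryption.
CRYPTO_DSTS = [ipaddress.ip_network(n) for n in
               ("172.20.20.0/24", "172.20.90.0/24", "192.168.30.0/24")]

def egress(via):
    """Map a route's 'via' (interface name or next-hop IP) to the egress interface."""
    if via in CONNECTED or via.startswith("Tunnel"):
        return via
    hop = ipaddress.ip_address(via)
    return next(name for name, net in CONNECTED.items() if hop in net)

def best_routes(table, dst):
    """Longest-prefix match, then lowest AD; equal-AD ties are all installed (ECMP)."""
    dst = ipaddress.ip_address(dst)
    cands = [(ipaddress.ip_network(p), ad, via) for p, ad, via in table
             if dst in ipaddress.ip_network(p)]
    longest = max(p.prefixlen for p, _, _ in cands)
    lowest = min(ad for p, ad, _ in cands if p.prefixlen == longest)
    return [c for c in cands if c[0].prefixlen == longest and c[1] == lowest]

def unencrypted_paths(table, dst):
    """Egress interfaces that carry dst without IPsec: matched by IP123 but no crypto map."""
    if not any(ipaddress.ip_address(dst) in n for n in CRYPTO_DSTS):
        return set()
    return {egress(via) for _, _, via in best_routes(table, dst)} - CRYPTO_MAP_IFACES

# Paul's first table as (prefix, AD, via). The IPsec destinations never reach F3/0, and GRE
# packets leaving via Tunnel 1 carry an outer header IP123 does not match, so they go in the clear.
ORIGINAL = [("0.0.0.0/0", AD_STATIC, "FastEthernet3/0"),
            ("172.20.20.0/24", AD_STATIC, "172.16.16.177"),
            ("172.20.20.0/24", AD_STATIC, "Tunnel1"),
            ("192.168.30.0/24", AD_STATIC, "172.16.16.177"),
            ("172.20.90.0/24", AD_STATIC, "172.16.16.177")]

def failover_table(mpls_up, static_ad=111):
    """Alain's design: eBGP route over MPLS when up, floating static (AD 111) to a constructed
    ISP next hop 203.0.113.1 as backup. static_ad=1 reproduces the AD mistake he warns about."""
    table = [("0.0.0.0/0", AD_STATIC, "FastEthernet3/0"),
             ("172.20.20.0/24", static_ad, "203.0.113.1")]
    if mpls_up:
        table.append(("172.20.20.0/24", AD_EBGP, "172.16.16.177"))
    return table
```

With MPLS up the design deliberately sends DC traffic over the private MPLS cloud unencrypted; the model only flags a problem when an Internet-facing path (Tunnel 1 here) is chosen without the crypto map.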

paul.tim681 Tue, 07/17/2012 - 01:30

Hi Alain

Removing the Tunnel config and adding static routes didn't help.

Cadet Alain Tue, 07/17/2012 - 10:25

Hi,

Show us the new config and the sh ip route output.

Regards.

Alain

Don't forget to rate helpful posts.

phoenix3195 Fri, 07/06/2012 - 06:43

Hi Paul,

I recommend using IPSEC profiles for tunnel protection and using a routing protocol (EIGRP) if possible, which will save you a lot of trouble. Let me know if you need a sample config.

HTH

Iyad

Posted June 29, 2012 at 8:50 AM