Howto define a full tunnel cryptomap ipsec?

Answered Question
Aug 2nd, 2013

Hi out there
I am trying to do full tunneling of all traffic - e.g. guide all traffic through a crypto map based IPsec tunnel.
The crypto map ACLs define my traffic pattern and as long as it is site to site it works fine - but if I try to do e.g.:
Permit 10.14.35.0 0.0.0.255 any I cannot get the tunnel up - I could use an SVTI instead but I would prefer to do it through a crypto map IPsec - is this not possible?

Br ti


Sent from Cisco Technical Support Android App


Lei Tian Fri, 08/02/2013 - 15:33

Hi,


What's the ACL on the other end? Are the ACL mirror image between both ends?


HTH,

Lei Tian

tiwang Sat, 08/03/2013 - 01:12

Hi again
Yes they are "mirrored" - ex:

Permit 10.144.38.0 0.0.0.255 172.17.4.0 0.0.0.255

And the other end:

Permit 172.17.4.0 0.0.0.255 10.144.38.0 0.0.0.255

This works ok - but if I use "any" :

Permit 10.144.38.0 0.0.0.255 any

Other end:

Permit any 10.144.38.0 0.0.0.255


Then I cannot get the tunnel up. At the headend I use RRI for route adding and I can see that I don't get a "default" route added in that VRF either.

Ideas? Suggestions?

Best regards to


Sent from Cisco Technical Support Android App

Lei Tian Sat, 08/03/2013 - 04:23

Is ISAKMP SA not up, or is IPSec SA not up?

Sent from Cisco Technical Support iPhone App

tiwang Sat, 08/03/2013 - 12:39

Hi again

It must be the IPsec part which fails. I have it in a GNS3 lab which I could upload if interested?
Anyway - if I just extend my ACL with the any statements the tunnel comes up fine but I don't get a default route added in the i-vrf, so there must be a trick somehow to get all traffic into the tunnel - hmmm?

Sent from Cisco Technical Support Android App

Lei Tian Sun, 08/04/2013 - 10:55

So the tunnel is up? Route injection will install the destination route in routing table, not the source. Yes, sharing your configs would help.

HTH,
Lei Tian

Sent from Cisco Technical Support iPhone App

Correct Answer
Lei Tian Sun, 08/04/2013 - 19:02

Ok, now I understand it. I have never seen using RRI injects default route, and I think it is not supported.

HTH,
Lei Tian
Sent from Cisco Technical Support iPhone App

tiwang Sun, 08/04/2013 - 22:34

hi again

No, you are completely right - I just got confused because some of the setup did work (the "local" routing through RRI) and some did not (the default gw through RRI) - when I tried to open the tunnel by pinging a remote destination it didn't open the tunnel because of the missing route - I didn't realise this and dug into the IPsec instead - where I couldn't find any errors, but of course it is just a problem with that default gw. The ACLs work as expected if I add the default route to the VRF cvrf3881 and the packets are forwarded correctly - thanks

The only needed extra config line is


ip route vrf cvrf3881 0.0.0.0 0.0.0.0 195.41.38.10


on edge01


best regards /ti
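The working setup from the post above, sketched out as an added IOS configuration example that is not from the thread. The VRF name, the crypto ACL networks and the next hop 195.41.38.10 are the values posted here; the peer address 203.0.113.1, the outside interface and all object names are assumptions, and edge01 is assumed to be the site with 10.144.38.0/24 behind it.

```cisco
! edge01 (assumed: the site with 10.144.38.0/24 behind it, inside VRF cvrf3881)
! Names, the peer address 203.0.113.1 and the outside interface are assumed; the VRF,
! the ACL networks and the next hop 195.41.38.10 are the values posted in the thread.
!
! Full-tunnel crypto ACL. The peer mirrors it: permit ip any 10.144.38.0 0.0.0.255
ip access-list extended CMAP-FULL-TUNNEL
 permit ip 10.144.38.0 0.0.0.255 any
!
! Phase 1 / phase 2 parameters (assumed values); the ISAKMP profile binds the
! decrypted traffic to the inside VRF cvrf3881
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto keyring KR-3881
 pre-shared-key address 203.0.113.1 key REPLACE-WITH-REAL-PSK
crypto isakmp profile PROF-3881
 vrf cvrf3881
 keyring KR-3881
 match identity address 203.0.113.1 255.255.255.255
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES
 set isakmp-profile PROF-3881
 match address CMAP-FULL-TUNNEL
 ! RRI installs routes for the peer's protected networks (the destination side of
 ! the ACL): a site-to-site ACL yields a 172.17.4.0/24 route, "any" yields nothing.
 reverse-route
!
interface GigabitEthernet0/0
 description outside (assumed)
 crypto map CMAP
!
! The one line the thread found missing: a static default inside the VRF, so that
! traffic for "any" is routed towards the crypto-map interface and matches the ACL.
! 195.41.38.10 must be reachable from cvrf3881 as in the posted setup (if the outside
! interface sits in the global table, append the "global" keyword to this route).
ip route vrf cvrf3881 0.0.0.0 0.0.0.0 195.41.38.10
```

Verify with "show ip route vrf cvrf3881" that the 0.0.0.0/0 entry is present before testing the tunnel with a ping sourced from the VRF; without it the interesting traffic never reaches the crypto map and the IPsec SA is never negotiated.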

Correct Answer
Lei Tian Mon, 08/05/2013 - 04:36

Hi, thanks for the update! Yes, a static default in VRF will do the trick.

Regards,
Lei Tian

Sent from Cisco Technical Support iPhone App
