GVPN and Site to Site IPSEC

Yunhua Li
Level 1

I have a question on ASR9000 version 5.3.3:

I have three routers. I want R1 and R2 to be connected via GETVPN, and R1 and R3 to be connected with a normal site-to-site IPsec VPN.

R1, R2 and R3 are connected and routed via the same MPLS IP core network, which means any interconnection between R1, R2 and R3 must go through the MPLS IP core network. Because each router has only one connection to the MPLS core, on R1 the interface for GETVPN and for the site-to-site IPsec VPN is the same one. I find that on R1 the GETVPN can be established normally, but the site-to-site IPsec VPN cannot. When I capture, I find only the ISAKMP initiator packet from R3 to R1, with no reply from R1.

R2 and R3 each have only a single scenario on the interface connected to the MPLS core, but R1 has two scenarios. Is there any limitation on this, or is there some configuration needed to achieve such a goal on R1?

I hope someone has understood my question and has some ideas on it.

4 Replies

Rahul Govindan
VIP Alumni

I have not seen such a deployment. What does your crypto config look like on R1? Do you have ipsec and gdoi as 2 different sequence numbers on the same crypto map?

Hi Rahul, hi Marius,

Thanks for your posts. Actually it is a test now, but it will be reasonable in a real network, because R2 and R3 are at different locations and only R1 and R2 support GET VPN; R3 does not support it.

Here is the sample configuration:

!
interface TenGigE0/1/1/0.100
 vrf test1
 ipv4 address 10.1.1.85 255.255.255.252
 encapsulation dot1q 100
!

interface tunnel-ip100
 vrf app
 ipv4 address 192.168.1.1 255.255.255.252
 tunnel mode ipv4
 tunnel source 10.1.1.85
 tunnel vrf test1
 tunnel destination 10.2.2.248
 tunnel protection ipsec profile 1 ipsec-node VSM1

router bgp 65267
 vrf test1
  rd 65267:126
  address-family ipv4 unicast
   redistribute connected
   redistribute static
  !
  neighbor 10.2.2.248
   remote-as 65268
   bfd fast-detect
   update-source TenGigE0/1/1/0.100
  !


crypto isakmp profile 1
 match identity address 10.2.2.248 255.255.255.255 vrf test1

crypto isakmp policy 10
 hash sha256
 group 14
 encryption aes 256
 lifetime 86400
 authentication pre-share


crypto ipsec transform-set TS4 esp-aes 256 esp-sha-hmac
 mode tunnel

crypto ipsec profile 1
 set pfs group2
 set transform-set TS4
 set isakmp-profile 1
 set security-association lifetime seconds 3600

>>>>>>>>>>>>>>>>> here is the GETVPN part for the group member:


crypto map G-VPN-MAP-test1 10 gdoi
 set group test1
 match address G-test1
 ipsec-node VSM1
 interface TenGigE0/1/1/0.100 auto-shut
 
ipv4 access-list G-test1
 1 remark **** DENY -> traffic will be forwarded unencrypted ****
 10 deny ip any any

I already see GETVPN connection established, but not the Site to Site VPN.

There is one condition mentioned in the document:

For encryption services (IPSec/GET VPN) in combination with the VSM the
following file is needed:
asr9k-vsm-mb-ipsec-fp-CCO-5.3.3.01.ova

But I have the

asr9k-vsm-mb-ipsec-fp-CCO-5.3.3.03.ova

which is a higher version, so it should be no problem.

I agree with Rahul that this is a very unusual setup.

Is the tunnel being established at all, but traffic is not crossing? Or is no tunnel being established?

How are you testing this? Are you trying to generate traffic from R3 to R2, or just between R1 and R2?

If R3 needs to reach R2 over the site-to-site VPN, then you need to make sure that the R2 LAN is routed toward R1 in the MPLS network.

--

Please remember to select a correct answer and rate helpful posts
