02-23-2017 03:55 AM - edited 02-21-2020 09:10 PM
I have a question on ASR9000 version 5.3.3:
I have three routers. I want to set up R1 and R2 to be connected via GETVPN, and R1 and R3 to be connected with a normal site-to-site IPsec VPN.
R1, R2 and R3 are connected and routed via the same MPLS IP core network, which means any interconnection between R1, R2 and R3 must go through the MPLS IP core network. Because each router has only one connection to the MPLS core, on R1 the interface for GETVPN and the site-to-site IPsec VPN is the same one. I find that on R1 the GETVPN can be established normally but the site-to-site IPsec VPN cannot. When I capture, I find only the ISAKMP initiator packet from R3 to R1, with no reply from R1.
R2 and R3 each have only a single scenario on the interface connected to the MPLS core, but R1 has two scenarios. Is there any limitation on this, or is there some configuration needed to achieve such a goal on R1?
I hope someone has understood my question and has some ideas on it.
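The symptom in the question (initiator packets from R3 reach R1, nothing comes back) can be confirmed from a capture without guessing. The script below is an added example and is not part of the thread or any Cisco tool: it parses the fixed 28-byte ISAKMP header (RFC 2408 section 3.1) from UDP 500/4500 payloads, groups packets by initiator SPI, and reports initiator SPIs that were retransmitted toward R1 without a single reply leaving R1. R1's address 10.1.1.85 and the peer 10.2.2.248 are taken from the configuration posted later in the thread; the healthy peer 192.0.2.10, the SPI values and the packet list are constructed test data. Feeding real packets in (for example from a pcap via scapy or dpkt) is left to the reader; GDOI registration on UDP 848 is deliberately not inspected here.

```python
import struct
from collections import OrderedDict

# IKEv1/ISAKMP fixed header, network byte order (RFC 2408 s.3.1):
# initiator SPI(8) responder SPI(8) next payload(1) version(1)
# exchange type(1) flags(1) message ID(4) length(4) = 28 bytes
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ZERO_SPI = bytes(8)
IKE_PORTS = (500, 4500)
EXCH_NAMES = {2: "identity-protection(main)", 4: "aggressive",
              5: "informational", 32: "quick", 34: "IKE_SA_INIT"}


def parse_isakmp(payload: bytes) -> dict:
    """Decode the ISAKMP header; raise on truncated or inconsistent input."""
    if len(payload) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    i_spi, r_spi, nxt, ver, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(payload)
    if length != len(payload):
        raise ValueError("ISAKMP length field does not match datagram length")
    return {"i_spi": i_spi, "r_spi": r_spi, "next_payload": nxt,
            "version": (ver >> 4, ver & 0x0F), "exchange": exch,
            "flags": flags, "msg_id": msg_id}


def audit_ike(packets, responder_ip: str) -> "OrderedDict[str, dict]":
    """packets: iterable of (src_ip, dst_ip, dst_port, udp_payload).

    Every datagram sent to responder_ip with a zero responder SPI is a
    first message (MM1 / AM1) or a retransmission of it.  Any datagram
    from responder_ip carrying that initiator SPI proves the responder
    answered.  Returns a table keyed by initiator SPI (hex)."""
    table = OrderedDict()
    for src, dst, dport, payload in packets:
        if dport not in IKE_PORTS:
            continue
        hdr = parse_isakmp(payload)
        key = hdr["i_spi"].hex()
        if dst == responder_ip and hdr["r_spi"] == ZERO_SPI:
            rec = table.setdefault(key, {
                "peer": src, "sent": 0, "answered": False,
                "exchange": EXCH_NAMES.get(hdr["exchange"], str(hdr["exchange"]))})
            rec["sent"] += 1
        elif src == responder_ip and key in table:
            table[key]["answered"] = True
    return table


def unanswered(table) -> list:
    """(initiator SPI hex, peer IP, number of unanswered first messages)."""
    return [(k, v["peer"], v["sent"]) for k, v in table.items() if not v["answered"]]


def build_isakmp(i_spi: bytes, r_spi: bytes, exch: int, msg_id: int = 0,
                 body: bytes = b"\x00" * 20) -> bytes:
    """Constructed test datagram: header + opaque body, version 1.0."""
    return ISAKMP_HDR.pack(i_spi, r_spi, 1, 0x10, exch, 0, msg_id,
                           ISAKMP_HDR.size + len(body)) + body


# Constructed capture. R1 and R3 addresses come from the posted config;
# 192.0.2.10 is a hypothetical peer whose main-mode exchange is answered.
R1, R3, PEER_OK = "10.1.1.85", "10.2.2.248", "192.0.2.10"
SPI_R3, SPI_OK, SPI_R1 = bytes.fromhex("11" * 8), bytes.fromhex("22" * 8), bytes.fromhex("33" * 8)
CAPTURE = [
    (R3, R1, 500, build_isakmp(SPI_R3, ZERO_SPI, 2)),       # MM1 from R3
    (R3, R1, 500, build_isakmp(SPI_R3, ZERO_SPI, 2)),       # retransmit
    (R3, R1, 500, build_isakmp(SPI_R3, ZERO_SPI, 2)),       # retransmit
    (PEER_OK, R1, 500, build_isakmp(SPI_OK, ZERO_SPI, 2)),  # MM1 from healthy peer
    (R1, PEER_OK, 500, build_isakmp(SPI_OK, SPI_R1, 2)),    # MM2: R1 answers
    (PEER_OK, R1, 500, build_isakmp(SPI_OK, SPI_R1, 2)),    # MM3
]

if __name__ == "__main__":
    for spi, peer, sent in unanswered(audit_ike(CAPTURE, R1)):
        print(f"no reply from {R1} to {peer}: initiator SPI {spi} sent {sent}x")
```

Run against the constructed capture it reports the single one-sided exchange from 10.2.2.248 with three unanswered copies of the first message, while the healthy peer's SPI is marked answered. On a real box this is the quick way to separate "R1 never responds" (a policy, profile or VSM binding problem on R1) from "R1 responds but the reply is dropped in the core".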
02-23-2017 02:33 PM
I have not seen such a deployment. What does your crypto config look like on R1? Do you have ipsec and gdoi as 2 different sequence numbers on the same crypto map?
02-24-2017 05:18 AM
Hi Rahul, hi Marius,
Thanks for your posts. Actually it is a test now, but it will be reasonable in a real network, because R2 and R3 are at different locations and only R1 and R2 support GET VPN; R3 does not support it.
Here is the sample configuration:
!
interface TenGigE0/1/1/0.100
 vrf test1
 ipv4 address 10.1.1.85 255.255.255.252
 encapsulation dot1q 100
!
interface tunnel-ip100
 vrf app
 ipv4 address 192.168.1.1 255.255.255.252
 tunnel mode ipv4
 tunnel source 10.1.1.85
 tunnel vrf test1
 tunnel destination 10.2.2.248
 tunnel protection ipsec profile 1 ipsec-node VSM1
router bgp 65267
 vrf test1
  rd 65267:126
  address-family ipv4 unicast
   redistribute connected
   redistribute static
  !
  neighbor 10.2.2.248
   remote-as 65268
   bfd fast-detect
   update-source TenGigE0/1/1/0.100
  !
crypto isakmp profile 1
 match identity address 10.2.2.248 255.255.255.255 vrf test1
crypto isakmp policy 10
 hash sha256
 group 14
 encryption aes 256
 lifetime 86400
 authentication pre-share
crypto ipsec transform-set TS4 esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile 1
 set pfs group2
 set transform-set TS4
 set isakmp-profile 1
 set security-association lifetime seconds 3600
>>>>>>>>>>>>>>>>> here is the GETVPN part for the group member:
crypto map G-VPN-MAP-test1 10 gdoi
 set group test1
 match address G-test1
 ipsec-node VSM1
 interface TenGigE0/1/1/0.100 auto-shut
ipv4 access-list G-test1
 1 remark **** DENY -> traffic will be forwarded unencrypted ****
 10 deny ip any any
I already see the GETVPN connection established, but not the site-to-site VPN.
02-24-2017 05:54 AM
There is one condition mentioned in the document:
For encryption services (IPSec/GET VPN) in combination with the VSM the
following file is needed:
asr9k-vsm-mb-ipsec-fp-CCO-5.3.3.01.ova
But I have
asr9k-vsm-mb-ipsec-fp-CCO-5.3.3.03.ova,
a higher version, so it should be no problem.
02-24-2017 12:33 AM
I agree with Rahul that this is a very unusual setup.
Is the tunnel being established at all but traffic is not crossing, or is no tunnel being established?
How are you testing this? Are you trying to generate traffic from R3 to R2, or just between R1 and R2?
If R3 needs to reach R2 over the site-to-site VPN, then you need to make sure that the R2 LAN is routed toward R1 in the MPLS network.