
Easy VPN GRE

Hi folks,

My routers at two different sites are connected through GRE tunnels. I want to configure IPSec over it, but through an easy VPN server and client setup. Is it possible? Apparently the most reasonable configuration for the mentioned scenario is site-to-site VPN, but I want to configure it through easy VPN. I would also appreciate it if someone can refer me to any configuration example of such a setup. The GRE tunnel is up and pings are successful, but the traffic which passes through is not encrypted.

Thanks

10 ACCEPTED SOLUTIONS


Easy VPN GRE

"which will not affect the routing because the router was not using the secondary default route, it was using the EIGRP route."

As I said above, you can increase the delay on the tunnel interface (delay 500), so that when ADSL comes back online, the ADSL route will be preferred.

"the route from the HUB router for the branch is not removed, it still exists; this is the reason the EIGRP routes of the branches were not installed in the routing table of the HO router"

You can force the security association to be deleted at 60 seconds at the lowest and set the reverse-route distance to 100.

crypto ipsec security-association idle-time 60

set reverse-route distance 100

EIGRP's default administrative distance is 90.

Hope that helps.

thanks

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_s2.html

Easy VPN GRE

Hi Jack,

Please follow the config I changed below.

interface loopback0
ip address 192.168.255.1 255.255.255.252


interface Tunnel0
ip address 10.17.1.2 255.255.255.0
delay 16000000
tunnel source loopback0
tunnel destination 192.168.255.5


ip route 0.0.0.0 0.0.0.0 Dialer0 track 123
ip route 192.168.255.4 255.255.255.252 Dialer0 track 123


ip route 0.0.0.0 0.0.0.0 Async1 250
ip route 192.168.255.4 255.255.255.252 Async1 250

Please create a Loopback0 on the HO router and source the tunnel interface from Loopback0; its IP address is 192.168.255.4 255.255.255.252.

Please update.

thanks

Easy VPN GRE

"means the async interface and internal LAN???"

To create a proof of concept, you can remove the stub zone from the EIGRP process ID for now.

Advertise the local inside network segment and Loopback0 from both sides.

thanks

Re: Easy VPN GRE

I hope you copied these lines as well.

ip route 192.168.255.4 255.255.255.252 Dialer0 track 123
ip route 192.168.255.4 255.255.255.252 Async1 250

As per the above two lines, the neighbor will come up only when ADSL fails.

As you can see, the tunnel source is being pushed to the Dialer0 interface instead.

Re: Easy VPN GRE

"Please tell me, should I advertise the async interface in EIGRP?" The answer is no.

However, you should advertise the tunnel interface's IP segment in EIGRP; that makes the peering.

I do not see, from either side, that the tunnel's IP segment is being advertised, which you should do.

----------------------------------------------------------------------

I assume, based on your input, that this config is from HO.

HO

interface Tunnel0
 ip address 172.17.1.1 255.255.255.0
 delay 16000000
 tunnel source Loopback1
 tunnel destination 192.168.10.1
end

router eigrp 10
 network 10.1.1.26 0.0.0.0
 network 192.168.10.5 0.0.0.0
 no auto-summary
 eigrp router-id 192.168.10.5

ip route 192.168.10.4 255.255.255.252 Dialer0 track 123
ip route 0.0.0.0 0.0.0.0 Dialer0 track 123
ip route 0.0.0.0 0.0.0.0 Async1 250
ip route 192.168.10.4 255.255.255.252 Async1 250

You do not need IP-SLA on the HO side but rather on the branch side only.

You say the tunnel destination is "192.168.10.1" from the HO side, but your static route for the remote branch's local loopback is a different IP.

The network address for this IP, 192.168.10.1, is 192.168.10.0/30.

Incorrect network address in the static route; besides, you do not need IP-SLA on the HO side.

"ip route 192.168.10.4 255.255.255.252 Async1 250"

Please advertise the tunnel's IP address on the HO router.

router eigrp 10
 network 172.17.1.1 0.0.0.0

----------------------------------------------------------------------

This is for Branch.

router eigrp 10
 network 101.127.98.1 0.0.0.0
 network 192.168.10.1 0.0.0.0
 no auto-summary
 eigrp router-id 192.168.10.1

interface Tunnel0
 ip address 172.17.1.2 255.255.255.0
 delay 16000000
 tunnel source Loopback0
 tunnel destination 192.168.10.5
end

TEST#sh ip eigrp neighbors
IP-EIGRP neighbors for process 10

Please advertise the tunnel's interface in the EIGRP process.

router eigrp 10
 network 172.17.1.2 0.0.0.0

Here you have to incorporate the tunnel destination address into IP SLA.

----------------------------------------------------------------------

Let me know.

thanks
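The pieces Rizwan spreads over the posts above (loopback-sourced GRE tunnel, tracked static routes that select the transport path, EIGRP stub peering over the tunnel, dial-out on Async1) pulled together into one branch and hub configuration. This is an added example, not Rizwan's or Jack's configuration: the addresses (192.168.255.0/30 and 192.168.255.4/30 loopbacks, 10.17.1.0/24 tunnel subnet, 192.168.200.0/30 async link, 10.1.10.0/24 branch LAN, 10.1.1.0/24 hub LAN, probe target 203.0.113.1, the dialer string and the pre-shared key) are placeholders, the modem/line/chat-script configuration and the Easy VPN client configuration for the ADSL path are omitted, and the GRE is protected with an IPsec profile bound to the tunnel rather than the crypto map plus GRE ACL described earlier in the thread. Comments are IOS `!` lines.

```cisco
! ===== Branch router =====
!
! Probe a host that lives beyond the ADSL path. The host route for the probe
! target is pinned to Dialer0 (untracked) so the probe cannot leave via
! Async1 after failover and declare the ADSL path healthy again.
ip route 203.0.113.1 255.255.255.255 Dialer0
ip sla 10
 icmp-echo 203.0.113.1 source-interface Dialer0
 frequency 10
ip sla schedule 10 life forever start-time now
track 123 ip sla 10 reachability
 delay down 30 up 60
!
! Transport path selection. While ADSL is healthy the hub loopback is routed
! into Dialer0 on purpose: it is a private address and is NOT reachable that
! way, so the GRE tunnel stays down and nothing ever dials Async1. When track
! 123 fails both tracked routes are withdrawn, the floating (AD 250) routes
! take over, the tunnel destination becomes reachable via Async1 and the
! first tunnel packet (IKE) triggers the dial-out.
ip route 0.0.0.0 0.0.0.0 Dialer0 track 123
ip route 192.168.255.4 255.255.255.252 Dialer0 track 123
ip route 0.0.0.0 0.0.0.0 Async1 250
ip route 192.168.255.4 255.255.255.252 Async1 250
!
! IKE/IPsec for the GRE tunnel, peered between the two loopbacks. An IPsec
! profile bound to the tunnel stands in for the crypto map plus
! "permit gre host <src> host <dst>" ACL described earlier in the thread.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 192.168.255.5
crypto ipsec transform-set GRE-AES-SHA esp-aes esp-sha-hmac
crypto ipsec profile GRE-PROT
 set transform-set GRE-AES-SHA
!
interface Loopback0
 ip address 192.168.255.1 255.255.255.252
!
! GRE keepalives drop line protocol when the hub loopback is unreachable,
! which is what takes the EIGRP adjacency down once ADSL is back.
interface Tunnel0
 ip address 10.17.1.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 192.168.255.5
 tunnel protection ipsec profile GRE-PROT
!
! Dial-out backup (modem, line and chat-script config omitted). Everything
! crossing Async1 is ESP from the tunnel, so the idle timer only expires once
! the tunnel has gone down again, i.e. after ADSL has recovered.
interface Async1
 ip address 192.168.200.2 255.255.255.252
 encapsulation ppp
 async mode dedicated
 dialer in-band
 dialer idle-timeout 60
 dialer string 5555555555
 dialer-group 1
 ppp authentication chap
dialer-list 1 protocol ip permit
!
! EIGRP peers over the tunnel subnet only; the async /30 is never advertised.
router eigrp 10
 network 10.17.1.0 0.0.0.255
 network 10.1.10.0 0.0.0.255
 no auto-summary
 eigrp stub connected
!
! ===== Hub router (same isakmp policy/key/transform-set/profile as the
! ===== branch, keyed to 192.168.255.1; one Tunnel interface per branch) =====
interface Loopback0
 ip address 192.168.255.5 255.255.255.252
!
interface Tunnel0
 ip address 10.17.1.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 192.168.255.1
 tunnel protection ipsec profile GRE-PROT
!
! The branch loopback is reached only through the branch's async PPP address,
! which is a valid next hop only while that branch is dialed in.
ip route 192.168.255.0 255.255.255.252 192.168.200.2
!
router eigrp 10
 network 10.17.1.0 0.0.0.255
 network 10.1.1.0 0.0.0.255
 no auto-summary
```

Two things to check after applying it: `show ip route 192.168.255.5` on the branch should point at Dialer0 while the ADSL is up and at Async1 once track 123 goes down, and `show crypto ipsec sa peer 192.168.255.5` should show non-zero encaps/decaps counters only in the failed-over state, with `show ip eigrp neighbors` listing the hub via Tunnel0 at the same time. On the hub, the RRI static that the Easy VPN session injects for the branch LAN (AD 1) still outranks the EIGRP route learned over Tunnel0 unless the reverse-route distance and security-association idle-time are changed as discussed elsewhere in this thread.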

Re: Easy VPN GRE

Hi Jack,

"when dialer 0 come up again the async routes vanishes from the routing table"

When the EIGRP peer is not reachable, routes will be deleted from the routing table; however, it should be reachable via the ADSL connection.

"still the dial backup remains up and eigrp neighbor remains up."

On the Dialer0 (i.e. ADSL) interface please apply these commands on the branch router; I assume the Async1 interface modem is connected.

Interface Dialer0

backup interface tunnel0

backup delay 3 15

Now, on the Async1 interface please apply these two lines.

Interface Async1

  dialer idle-timeout 15

  dialer watch-disable 15

Let me know how this is coming along.

thanks


Re: Easy VPN GRE

"EVERYTHING IS OK IN ABSENCE OF TRACK COMMAND WITH STATIC ROUTE."

Try a different IOS on the branch router; I am not sure whether this particular IOS on your branch router has a bug related to IP-SLA and tracking.

If that does not help, you have to go back to ISDN-style DDR (Demand Dial Routing), where you can use a "watch-list", basically a way of tracking.

http://www.cisco.com/en/US/tech/tk801/tk379/technologies_configuration_example09186a0080094143.shtml

---------------------------------------------------------------

dialer map ip xxx.xxx.xxx.xx HeadOffic broadcast 5555555555
dialer map ip 0.0.0.0 HeadOffic broadcast 5555555555

dialer watch-list 100 ip 0.0.0.0 0.0.0.0

access-list 101 deny EIGRP any any
access-list 101 permit any any


dialer-list 1 protocol ip list 101


Interface Async1
dialer idle-timeout 30
dialer watch-disable 15
dialer map ip xxx.xxx.xxx.xxx HeadOffic broadcast 5555555555
dialer map ip 0.0.0.0 HeadOffic broadcast 5555555555
dialer watch-group 100
dialer-group 1

-------------------------------

In this setup you have to keep IP-SLA tracking for each remote-branch office on the HO router; you would not need a dynamic routing protocol.

Looking forward to hearing from you.

thanks


Re: Easy VPN GRE

Hi Jack,

The administrative distance can be changed, and you can force the security association to be deleted by setting idle-time to the lowest value of 60 seconds at both locations, HO and branch; when the security association is deleted, there is nothing left.

crypto ipsec security-association idle-time 60

set reverse-route distance <1-255>, for example:

set reverse-route distance 90

--------------------------------------------

When you create IP-SLA on the HO router for each branch office, please use the exact network and mask that is set at the branch office.

ip route 0.0.0.0 0.0.0.0 BVI0

ip route 10.10.10.0 255.255.255.0 BVI0 track 123

ip route 10.10.10.0 255.255.255.0 172.16.1.2  20

When the route fails for branch "A" at the HO router, only the IP-SLA for branch "A" must fail over to the dial interface.

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094823.shtml

Please update.

thanks
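The RRI fix from this post and the earlier one in this thread ("force the security association to be deleted at 60 seconds ... set the reverse-route distance"), shown as a before/after on the hub's Easy VPN dynamic crypto map. This is an added example, not configuration from the thread; it reuses the mydynmap and mytransformset names from Jack's R2 config, and 10.10.10.0/24, Tunnel0 and 10.17.1.2 are assumed placeholders for the branch LAN and the backup GRE tunnel.

```cisco
! Before: "reverse-route" injects a static route for the branch LAN with
! AD 1. It always beats the EIGRP route (AD 90) learned over the backup GRE
! tunnel, and it stays in the RIB until the IPsec SA itself is torn down,
! which by default can be long after the branch ADSL has failed.
crypto dynamic-map mydynmap 10
 set transform-set mytransformset
 reverse-route
!
! After: (1) delete SAs that carry no traffic after 60 s (the minimum),
! configured at both hub and branch so either end withdraws first, and
! (2) give the RRI static a distance above EIGRP's 90 so the EIGRP route
! wins as soon as the branch peers over the backup tunnel, even if the
! stale SA has not gone yet.
crypto ipsec security-association idle-time 60
!
crypto dynamic-map mydynmap 10
 set transform-set mytransformset
 reverse-route
 set reverse-route distance 100
!
! What to check on the hub (exact output shape varies by release):
!   show ip route 10.10.10.0 255.255.255.0
!     branch on ADSL:   S  ... [100/0] via <branch public IP>     (RRI static)
!     branch on dialup: D  ... [90/...] via 10.17.1.2, Tunnel0   (EIGRP)
!   show crypto ipsec sa peer <branch public IP> | include ident|encaps|decaps|Status
!     the branch's SA should disappear within about 60 s of its ADSL failing
```

The distance change is the part that actually fixes the failover: the RIB prefers the lower administrative distance, so once the EIGRP route over Tunnel0 is learned it replaces the AD 100 static immediately, without waiting for the SA to expire. The idle-time is what stops the hub from holding a dead SA, and the route that goes with it, until the lifetime runs out.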

Re: Easy VPN GRE

Hi Jack,

"question :I have uploaded the latest IOS on the router c870-advipservicesk9-mz.124-24.T7.bin but still the situation is same for IP SLA ,"

Your IP-SLA config looks fine; there is another option you may want to try, which is a different model of Cisco router.

"I think there is some different way to configure the ip sla on 800 series routers???" There is nothing much to it, as far as the tracking object is concerned. It is tracking and an IP-SLA definition.

"i have not connected a ADSL interface back again. Is it normal????"

Static routes do not fail over on their own without incorporating IP-SLA with them; otherwise there would be no need for IP-SLA in the first place.

--------------------------------

ip route 0.0.0.0 0.0.0.0 Dialer0

ip route 0.0.0.0 0.0.0.0 Async1 89

these routes do not fail over and fail back on their own, without IP-SLA and tracking.

__________________

"what actually dialer watch does it removes the route from the routing table ????"

Yes, it watches the given defined routes and it may well suit your setup's needs, because I realized you cannot use a dynamic protocol, due to the reason that the routing protocol keeps the Async interface up (hello packets). Like I showed you in the example above, if you do have to use a routing protocol for the primary ADSL connection, you must still deny the routing protocol's hello packets going via the Async interface, in order for the Async interface to go down when the ADSL connection comes back online.

Example: "dialer watch-list 100 ip 0.0.0.0 0.0.0.0"

"After the route failover to async interface it doesnt fails back again to BVI."

Just like I said above, the routes won't failover without IP-SLA configured.

"when i remove the cable from atm interface the dialer 0 line protocol remain up and i think that is the reason the default route is not been deleted  by the routing table"

Default idle-timeout is 300 seconds on ATM interface and "inarp" is 10 min by default you may check with your ISP.

http://www.cisco.com/en/US/docs/ios/12_2/wan/command/reference/wrfatmtx.html#wp1018694

Hope that answers your question.

thanks

47 REPLIES

Re: Easy VPN GRE

Look on cisco.com for document Id 41940 which describes gre over DMVPN. Extremely simple to setup.


Re: Easy VPN GRE

Hi Jack,

Please see the attached file.

It is for dynamic L2L tunnel, in your case you want to encrypt GRE traffic, therefore your crypto acl (i.e. interesting traffic for IPSec tunnel) will be your GRE tunnel's local address and destination address.

Hope that helps.

thanks

Rizwan Rafeek


Re: Easy VPN GRE

Hi folks,

router R2 (easy vpn Server)---internet-------R4(client)

It doesn't work. I really need help on this issue.

Below are the configs and sh outputs for crypto ipsec sa.

R4# sh running-config
Building configuration...

Current configuration : 1539 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
crypto ipsec client ezvpn R4
 connect auto
 group easyvpn key cisco123
 mode network-extension
 peer 192.168.20.1
 acl 102
 username cisco password cisco
 xauth userid mode local
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 crypto ipsec client ezvpn R4 inside
!
interface Loopback1
 ip address 40.40.40.1 255.255.255.0
!
interface Tunnel0
 ip address 10.10.10.2 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel destination 192.168.20.1
!
interface FastEthernet0/0
 ip address 200.200.200.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.20.3 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto ipsec client ezvpn R4
!
router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 network 4.4.4.4 0.0.0.0 area 0
 network 10.10.10.2 0.0.0.0 area 0
 network 200.200.200.200 0.0.0.0 area 0
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
access-list 101 permit ip any any
access-list 102 permit gre host 192.168.20.3 host 192.168.20.1
!
end

#################################################################################################

R2#sh running-config
Building configuration...

Current configuration : 1940 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa authentication login vpnauthen local
aaa authorization network vpnauthor local
!
aaa session-id common
memory-size iomem 5
ip cef
!
username cisco password 0 cisco
archive
 log config
  hidekeys
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local vpnpool
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group easyvpn
 key cisco123
 domain cisco.com
 pool vpnpool
 save-password
!
crypto ipsec transform-set mytransformset esp-3des esp-sha-hmac
!
crypto dynamic-map mydynmap 10
 set transform-set mytransformset
 reverse-route
!
crypto map cisco client authentication list vpnauthen
crypto map cisco isakmp authorization list vpnauthor
crypto map cisco client configuration address respond
crypto map cisco 10 ipsec-isakmp dynamic mydynmap
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface Tunnel0
 ip address 10.10.10.1 255.255.255.0
 tunnel source 192.168.20.1
 tunnel destination 192.168.20.3
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.20.1 255.255.255.0
 duplex auto
 speed auto
 crypto map cisco
!
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 0
 network 10.10.10.1 0.0.0.0 area 0
 network 192.168.10.0 0.0.0.255 area 0
!
ip local pool vpnpool 172.16.1.1 172.16.1.254
ip forward-protocol nd
ip route 100.100.100.0 255.255.255.0 192.168.10.2
!
ip http server
no ip http secure-server
!
end

R2#

##########################################################################################

R4#

R4#sh crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: FastEthernet0/1-head-0, local addr 192.168.20.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (4.4.4.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 192.168.20.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.20.3, remote crypto endpt.: 192.168.20.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x84B4F50E(2226451726)

     inbound esp sas:
      spi: 0xAB91C4F1(2878457073)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 33, flow_id: SW:33, crypto map: FastEthernet0/1-head-0
        sa timing: remaining key lifetime (k/sec): (4572034/3535)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x84B4F50E(2226451726)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 34, flow_id: SW:34, crypto map: FastEthernet0/1-head-0
        sa timing: remaining key lifetime (k/sec): (4572034/3535)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   current_peer 192.168.20.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.20.3, remote crypto endpt.: 192.168.20.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x256A913C(627740988)

     inbound esp sas:
      spi: 0xAA76D1B1(2859913649)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 35, flow_id: SW:35, crypto map: FastEthernet0/1-head-0
        sa timing: remaining key lifetime (k/sec): (4592324/3536)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x256A913C(627740988)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 36, flow_id: SW:36, crypto map: FastEthernet0/1-head-0
        sa timing: remaining key lifetime (k/sec): (4592325/3536)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

#################################################################################

R4#ping 2.2.2.2 source 4.4.4.4

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

Packet sent with a source address of 4.4.4.4

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/54/84 ms

New Member

Re: Easy VPN GRE

Anybody can put some shade on this thread.

Re: Easy VPN GRE

Hi Jack,

Please delete all VPN config from the R1 and R4 spoke routers and follow the config below.

As you have mixed up the remote VPN client config on the routers with the dynamic L2L tunnel config for routers.

So, please delete them and start from scratch.

This goes on the R1 hub router.

crypto isakmp enable
crypto isakmp policy 99
 encr aes
 authentication pre-share
 group 2
crypto ipsec transform-set Jack-ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto keyring Jacks-spoker-routers
 pre-shared-key address 0.0.0.0 0.0.0.0 key jack-the-king-of-the-hill
crypto isakmp profile Jacks-L2L-routers
 description LAN-to-LAN for spoke router(s) connection
 keyring Jacks-spoker-routers
 match identity address 0.0.0.0
crypto dynamic-map Jacks-dyna-map 100
 set transform-set Jack-ESP-AES-128-SHA
 set isakmp-profile Jacks-L2L-routers
crypto map Jacks-Crypto 1 ipsec-isakmp dynamic Jacks-dyna-map
interface FastEthernet0/1
 crypto map Jacks-Crypto

-------------------------------------------------------------------------------------------------------

On spoke router R4.

crypto isakmp enable
crypto isakmp policy 99
 encr aes
 authentication pre-share
 group 2
crypto isakmp key jack-the-king-of-the-hill address 192.168.20.1
crypto ipsec transform-set Jack-ESP-AES-128-SHA esp-aes esp-sha-hmac
access-list 100 permit ip host 192.168.20.3 host 192.168.20.1
crypto map Jacks-Crypto 10 ipsec-isakmp
 set peer 192.168.20.1
 set transform-set Jack-ESP-AES-128-SHA
 match address 100
interface FastEthernet0/1
 crypto map Jacks-Crypto

---------------------------------

Please let me know how this is coming along.

thanks

Rizwan Rafeek


Re: Easy VPN GRE

Dear Rizwan,

Thanks for your reply and explanation; I appreciate your replies, but my needs are something different, which are tied to an easy VPN server and client setup.

I will explore more.

The current setup is Easy VPN SERVER and clients in Network Extension Mode.

I have 4 branch routers with ADSL links connecting to the Internet and also to HO (Cisco 3825) acting as Easy VPN Server. Now I am planning for the backup of the ADSL, i.e. the async port on the branch router: whenever the ADSL link fails the async should dial up and connectivity to HO remains up.

Backup link failover successful:

Whenever the ADSL fails the async interface dials up and the async link between the HO and branch comes up; point-to-point pings are successful between the async interfaces.

Problem:

The problem is no pings are successful from the branch LAN to the HO LAN, because the return traffic from HO is not hitting the async interface of HO for the particular (ADSL failed) branch; it is choosing a default route which is pointing to the Internet.

Now help me to achieve the goal.

I want to achieve the failover to the async interface for a particular failed branch on the Easy VPN Server (HO) end.

Thanks

Re: Easy VPN GRE

"the return traffic from HO is not  hitting to async interface of HO for  the particular (ADSL failed) branch  ,it is choosing a default route  which is pointing to Internet."

You can use IP-SLA to fail over a particular static route for a particular branch office destination; please read the thread below.

https://supportforums.cisco.com/message/3649158#3649158

thanks


Easy VPN GRE

Hello Rizwan

I can't put a static route on the Easy VPN Server to the branch router because it will always use the async interface, and it will not use the default route, which is the leased line with a fixed public IP on which the easy VPN server is negotiating an IPsec tunnel to the branch routers. I need to use the async interface only at the time the branch ADSL link goes down.

Thanks

Re: Easy VPN GRE

"it will always use the async interface, and it will not use the default route which is the leased line with fixed public IP on which easy vpn server is negotiating an ipsec tunnel to branch routers."

Hi Jack,

An IP-SLA-enabled static route is like a floating route: in the event the "leased line" goes down, only then will the second route be used by the router.

Please read the above thread I sent you before, and likewise the one below, and it will work like a charm.

https://supportforums.cisco.com/thread/2034251

Besides, your remote spoke router can use dual peering addresses, one as primary and the second as failover.

Thanks


Re: Easy VPN GRE

Dear Rizwan,

I appreciate your response.

Please find the attached topology diagram.

I don't have only 1 branch, I have many branches. If you say track a default route with an IP SLA to the remote branch IP, and when pings fail it will remove the default route and the traffic will flow to the async, then what about the other branches? Their link is still up on their ADSL and they are communicating to HO through the HO primary interface.

If I am still missing something from your experience, please write a config for HO if 2 branch routers fail.

Thanks

Re: Easy VPN GRE

"when pings fails it will remove the default route and the traffic will flow to the async but what about other branches ??? their link is still up on their ADSL and they are communicating to HO through the HO primary interface."

Hi Jack,

I understand your point now. You do not need IP-SLA on the HO router, but it may be applicable on the remote-branch office router.

Please let me understand your "dials up and the async link": please show me your "dials up and the async link" config method; there may be a parameter within the "dials up and the async link" interface such as "backup interface async".

Please update.

thanks


Re: Easy VPN GRE

Dear Rizwan,

Please let me understand your "dials up and the async link"  please show me your "dials up and the async link" config method, they maybe parameter within "dials up and the async link" interface as such "backup interface async"

I have configured the branch routers perfectly without any issues: whenever the ADSL fails the dialer initiates and the async interface comes up, and point-to-point pings on the async interfaces are successful, but what about the internal LAN in HO, which I am not able to ping, because the return traffic doesn't come back to the async interface; it goes according to the default route.

It is good that now we are in sync and in proper understanding of what our goal is.

Rizwan, will we be able to do it with the attached file?

Thanks

Re: Easy VPN GRE

"ADSL fails the dialer initiates and the async interface comes up and point-to-point links of async interface ping are successful"

You can introduce a routing protocol on the remote-branch router and make each branch router a stub zone and advertise the local internal network; you must create a GRE tunnel interface on the branch router and the hub router, and make your "async interface" your tunnel's source address at the branch office.

You also need to keep IP-SLA on the branch router to push traffic via ADSL (as primary), and in the event ADSL goes down your GRE tunnel will kick in and will establish GRE-over-IPSec (i.e. IP-SLA will start using the dial-out async interface). When the GRE tunnel is established your hub router will learn the available routes via each respective GRE tunnel to push traffic accordingly; however, your default route at the hub router remains the same, it does not change, but the hub router will learn the routes via the GRE tunnel and will be able to route to each branch office.

Hope that make sense.

thanks


Re: Easy VPN GRE

rizwan,

I will apply it live and update the thread, but I have some doubts below; please clear them up.

  • The solution looks to be perfect, but 1 thing I notice is: why do I need to configure a GRE tunnel with the source and destination IP of the async interface? I can run routing protocols directly on the async interface.

  • Can I send the traffic on the async interface without encryption?

  • Or do I have to configure the async interface as a backup easy VPN client? I mean to say:

crypto ipsec client ezvpn EZ
 connect auto
 backup EZ_Backup track 20
 group X.X key cisco
 mode network-extension
 peer X.X.X.X default
 xauth userid mode interactive
crypto ipsec client ezvpn EZ_Backup
 connect auto
 group X.X key cisco
 mode network-extension
 peer (async interface) default
 xauth userid mode interactive
!
int e0
 crypto ipsec client ezvpn EZ_Backup inside
 crypto ipsec client ezvpn EZ inside
int dialer0
 crypto ipsec client ezvpn EZ outside
int async 1
 crypto ipsec client ezvpn EZ_Backup outside

ON HO

int serial0 (primary with fixed IP)
 crypto map easyvpn
int group-async 0 (on which all branch async interfaces will hit)
 crypto map easyvpn

Re: Easy VPN GRE

Hi Jack,

"i can run directly routing protocols on the async interface." Sure, if it works, go for it.

"can i send the traffic on async interface without encryption" Sure, if you are fine with it.

"or i have to configure the async interface as a backup easy vpn client ,, I mean to say,,"

VPN will burden your dialup connection; therefore non-encrypted traffic will suit dialup, and you may want to check your company policy.

thanks

Rizwan Rafeek


Re: Easy VPN GRE

Rizwan,

I am facing strange issues. I have configured EIGRP on the branch and HO routers; from the branch router I advertise my LAN and from HO I am advertising its internal LAN. Both EIGRP neighbors are up, but when I do sh ip route eigrp on the HO router there are no routes for EIGRP, and on the branch I am receiving the routes of the HO LAN.

  • When I do sh ip route on HO it shows me a static route in the table for the branch router with a next hop of the public IP, which it learned automatically when an easy VPN client tried to create a tunnel with the server on the ADSL connection. This is the reason the EIGRP routes are not included in the route table. How will the static routes from the HO router disappear when the branch ADSL fails?
  • One more strange issue I am facing is that when I specifically put a static route pointing to the async interface on HO, I am still not able to ping the branch LAN; the branch router has an EIGRP route to the HO router for the HO LAN.

Thanks

Re: Easy VPN GRE

Hi Jack,

On your branch router and HO router, have you disabled auto-summary (no auto-summary)? If you have not, please do so.

If you have put the branch router in a stub zone, please make sure you have "eigrp stub connected" so that the connected routes are being advertised.

If that did not help, please post your config from both ends as an attachment.

thanks

Rizwan Rafeek.


Re: Easy VPN GRE

Rizwan,

Thanks for being kind and for your replies.

  • I found the problem; it is with RRI. But I don't know why the route is not deleted when an SA has been deleted; it is taking too long, approximately 4 hrs, to delete the static route from the routing table. Is it safe to execute the command set reverse-route distance, or, from your experience, any other hint?

  • On your branch router and HO router have you disabled auto-summary (no auto-summary)? If you have not, please do so

YES

  • If you have put the branch router in a stub zone, please make sure you have "eigrp stub connected" being advertised

YES

I have 1 question on the EIGRP routing protocol: the neighbor relation will always be up and the async interface will always be up though we have made the branch router a stub. If I am not wrong, the stub router advertises the connected routes only and no other router queries the stub router for any active route, but the neighbor hello will keep the link active.

Thanks

Re: Easy VPN GRE

"no other router queries the stub router for any active route but the neighbor hello will keep the link active."

Yes, your understanding is correct, but remember you have to copy IP-SLA onto the branch router, which is one of the reasons why you will be better off using a plain-text GRE tunnel: GRE needs a tunnel source and destination, so this tunnel source and destination can be manipulated by the IP-SLA default-route failover, which will solve your problem that the neighbor hello will keep the link active.

When the GRE tunnel's source and destination address cannot be reached via the active connection, your GRE tunnel will stay down, which results in keeping the "async interface" in an idle state, and when IP-SLA fails over to the "async interface" then the GRE tunnel's destination address will be reachable as dial-out kicks in.

Hope that make sense.

thanks

Rizwan Rafeek.


Re: Easy VPN GRE

Hello Rizwan

thanks for replies which are helping me to get success.

I will eloborate more and also i have many doubt hope my thinknig may not be correct but i need an expert push for my success.

Step by Step i will elaborate packet flow by many options.

OPTION 1 (QUESTION 1)

  • packets are flowing through ADSL
  • ADSL links goes down and the backup async interface on GRE comes up due to ip sla tracking.
  • Interesting traffic defined on async interface will initiate a tunnel.
     access-list 101 permit ip any any
      dialer-list 1 protocol ip list 101
  • Eigrp neighbor relationship comes up and exchange of routes are done and packets continuous to flow.
  • Now the packets are flowing through EIGRP routes and not through the backup default route on the tunnel interface
  • ADSL links comes up and the primary default route comes back in the routing table.
  • Now the packets will continue to flow through the async interface through EIGRP routes they will not failover to default route becz of more specific route in the routing table and always the dialer backup interface will be active.

OPTION 2  (QUESTION 2)

If you have a look at the link below:

http://www.cisco.com/en/US/tech/tk801/tk379/technologies_configuration_example09186a0080094143.shtml

In the configuration example above they have disabled OSPF from initiating a dialer backup connection in the dialer-list command, so how are the routes exchanged when the dialer interface comes up????

The same applies to us: EIGRP hellos will initiate a connection without the backup default route shifting to the async interface, because when we start the EIGRP process on the async interface it will start to look for the neighbor through that interface and it will initiate a dial. And suppose I disable EIGRP in the dialer list: how will the routes be exchanged when it shifts to the async interface?

Question 3:

Any hints for the question in my previous mail regarding RRI: why are the automatic static routes not deleted when the security SAs are terminated from the remote branch?

Re: Easy VPN GRE

Hi Jack,

"In the configuration example above they have disable OSPF to initiate a dialer backup connection in the dialer-list command then how the routes are exchange when the dialer interface comes up ????"

Yes, that is being taking cared by routing protocol, does exchange the routes.

 

"EIGRP process on the async interface it will start to find the neighbor through that interface and it will initiate a dialer and suppose if i disable eigrp in the dialer list how the routes will be exchanged when it shifts to the async interface."

If you create EIGRP peering over async-interface's IP address you will run into this issue, however if you create EIGRP peering with GRE tunnel interface's ip address, then routes will be exchange only when GRE tunnel interface's destination address is reachable.  Therefore your IP-SLA pushes default-route traffic to speific direction based on return echo-reply traffic.  As far as branch router is concern it will exchange routes via async interface when default-route IP-SLA fails upon itself.

"they will not failover to default route becz of more specific route in the routing table and always the dialer backup interface will be active."

not quite, it should and it must failback to default-route (primary) because your secondary-default-route has higher cost (lets say 250), beside as soon as your primary ADSL comes uponline, the IP-SLA will remove higher cost default-route from the routing table which will result in GRE tunnel to go down.

"Any hints for the previous mail question regarding RRI, why the automatic static route are not deleted when the security SA are terminated from the remote branch."

If a route learned dynamicly and then those routes will be deleted when they are no longer reachable from routing-table, but when it comes to static-route the only want to remove static-route from routing-table is by IP-SLA.

"specific route in the routing table and always the dialer backup interface" 

You can increase the GRE tunnel interface "delay to 250" that will be taken care, that particular issue.

Hope that answers your question.

thanks

Message was edited by: Rizwan Mohamed

New Member

Re: Easy VPN GRE

Rizwan,

"Not quite; it should and it must fail back to the default route (primary) because your secondary default route has a higher cost (let's say 250). Besides, as soon as your primary ADSL comes back online, the IP SLA will remove the higher-cost default route from the routing table, which will result in the GRE tunnel going down."

All traffic hitting the router has no route except the secondary default route to the tunnel interface because EIGRP has not converged; once EIGRP has converged, the router will choose the EIGRP route and not the default route because the longest match is found in the routing table. When the ADSL comes online, the IP SLA will remove the higher-cost default route from the routing table, which will not affect the routing because the router was not using the secondary default route, it was using the EIGRP route, and the async interface will always be active.

"If a route is learned dynamically, those routes will be deleted from the routing table when they are no longer reachable, but when it comes to static routes the only way to remove a static route from the routing table is by IP SLA."

The above paragraph is related to Easy VPN and not to GRE. Many branches are connected through Easy VPN client; when I execute sh ip route on the HUB router it shows me the remote branches' local subnets with a next hop of the remote branch's ADSL public IP (this is because of reverse route injection, RRI). But when I shut the ADSL interface on the branch router, the route on the HUB router for that branch is not removed; it still exists. This is the reason the EIGRP routes of the branches were not installed in the routing table of the HO router: the router was choosing the ADSL public IP to forward the traffic, with an AD of 1, and all traffic was dropped.

Thanks

Easy VPN GRE

"which will not affect the routing becz the router was not using secondary  default route it was using eigrp route."

As I said above you can increase the delay on the tunnel interface (delay 500), so that when ADSL comes back online, ADSL route will be prefered.

"the route from the HUB router for the branch is not  removed it still  exist this is the reason eigrp routes of branches  were not installed in  the routing table of HO router"

You can force secruity assocation to be deleted at 60 second at lowest and set reverse-route distance to 100.

crypto ipsec security-association idle-time

set reverse-route distance 100

EIGRP's default administrative distance is 90.

Hope that helps.

thanks

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_s2.html
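The hub-side pieces behind the two commands above, written out as an added example (this is not a configuration posted in this thread). The dynamic map name EZ, crypto map name VPN, transform-set name, outside interface GigabitEthernet0/0 and EIGRP AS 100 are assumed; the ISAKMP policy, client group and AAA lists that an Easy VPN server already needs are assumed to exist and are not repeated. It also adds Dead Peer Detection, which the post does not mention but which is the standard way to have IOS delete a silent client's SAs, and with them the RRI route:

```cisco
! Hub router (Easy VPN server). Added example, not the thread's own config.
! Assumed: dynamic map "EZ", crypto map "VPN", outside interface Gi0/0, EIGRP AS 100.
! Existing ISAKMP policy, client configuration group and AAA lists are not repeated.

! Dead Peer Detection: probe a silent peer every 10 s, retry every 3 s.
! A branch whose ADSL dropped is declared dead, its SAs are deleted, and deleting
! the SA is what removes the reverse-route-injected static.
crypto isakmp keepalive 10 3 periodic

! Also expire SAs that carry no traffic for 60 s (the lowest value accepted),
! so an idle-but-alive session cannot pin a stale route for hours.
crypto ipsec security-association idle-time 60

crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel

crypto dynamic-map EZ 10
 set transform-set ESP-AES256-SHA
 ! Reverse Route Injection: one static route per connected client subnet,
 ! next hop = the client's public (ADSL) address.
 reverse-route
 ! RRI statics default to AD 1 and beat anything EIGRP (AD 90) learns over
 ! the backup GRE tunnel. With AD 100 the tunnel-learned route wins for as
 ! long as the stale SA lingers, instead of blackholing the branch.
 set reverse-route distance 100

crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp dynamic EZ

interface GigabitEthernet0/0
 description Internet-facing, Easy VPN server
 crypto map VPN

router eigrp 100
 network 10.0.0.0 0.255.255.255
 network 192.168.255.0 0.0.0.255
 ! Advertise the RRI statics to the rest of the site while a branch is
 ! reachable only through Easy VPN. The redistributed copy is EIGRP external
 ! (AD 170) and still loses to the internal route learned over the tunnel.
 redistribute static metric 10000 100 255 1 1500
 no auto-summary
```

To check the fix: shut the ADSL interface on one branch, wait past the DPD retry window, then confirm with `show crypto isakmp sa` that the peer is gone and with `show ip route <branch subnet>` that the entry is now `D` (EIGRP) rather than `S` (static). `set reverse-route distance` is placed next to `reverse-route` in the dynamic map here; on some IOS trains it is accepted only under a crypto map or IPsec profile, so verify it is in `show running-config` after entering it.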

New Member

Re: Easy VPN GRE

Dear Rizwan,

The doubts that were raised before all came true. Attached is the sh run for the branch router.

  • EIGRP hellos are keeping the Async link up always, even though the default route switches over to the primary ADSL link.
  • EIGRP routes are not removed once the default route is switched over to the primary.
  • I have applied the highest delays on the tunnel interface, but with no effect.
  • Also the tunnel keepalive initiates the tunnel and keeps it up.

Thanks

Easy VPN GRE

Hi Jack,

Please explain the below; I am not sure why this source and destination address are on the same network, how and why?

Which interface on the branch router is the source? If it is one of your internal networks on the branch router, then likewise the GRE tunnel destination address must be a local segment of the HO router.

interface Tunnel0
 ip address 10.17.1.2 255.255.255.0
 delay 16000000
 tunnel source 172.16.1.2
 tunnel destination 172.16.1.1

FYI...

It is best practice to keep the tunnel interface at a /30 mask.

thanks

Please update.

Easy VPN GRE

Hi Jack,

Please follow the config I changed below.

interface loopback0
ip address 192.168.255.1 255.255.255.252


interface Tunnel0
ip address 10.17.1.2 255.255.255.0
delay 16000000
tunnel source loopback0
tunnel destination 192.168.255.5


ip route 0.0.0.0 0.0.0.0 Dialer0 track 123
ip route 192.168.255.4 255.255.255.252 Dialer0 track 123


ip route 0.0.0.0 0.0.0.0 Async1 250
ip route 192.168.255.4 255.255.255.252 Async1 250

Please create a Loopback0 on the HO router and source the tunnel interface from Loopback0; its IP address is 192.168.255.4 255.255.255.252.

Please update.

thanks
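The branch side of the loopback-sourced design just posted, filled out as an added example (not the configuration posted in this thread, and not Rizwan's exact arrangement: where it departs from his tracked route via Dialer0, the comments say so). It also covers the earlier answers about the IP SLA tracked default route, the tunnel delay and GRE following its source/destination route. Assumed: ADSL on Dialer0, the backup modem on Async1 (its existing PPP, chat script and dialer-string settings are kept and not repeated), LAN 10.17.10.0/24, branch loopback 192.168.255.1/30, hub loopback 192.168.255.5/30, EIGRP AS 100, and 203.0.113.1 as the probe target (a documentation address standing in for the ISP next hop):

```cisco
! Branch router. Added example, not the configuration posted in this thread.
! Assumed: ADSL on Dialer0, backup modem on Async1, LAN 10.17.10.0/24,
! hub loopback 192.168.255.5/30, EIGRP AS 100, probe target 203.0.113.1.

! --- Health check of the ADSL path -------------------------------------------
! Host route pins the probe to Dialer0 and is untracked on purpose: when ADSL
! is down the probe must fail rather than leak out the modem and keep track 123 up.
ip route 203.0.113.1 255.255.255.255 Dialer0
ip sla 10
 icmp-echo 203.0.113.1 source-interface Dialer0
 frequency 10
ip sla schedule 10 life forever start-time now
! ("track 123 rtr 10 reachability" on IOS older than 12.4(20)T)
track 123 ip sla 10 reachability
 delay down 15 up 30

! --- Tunnel endpoints on loopbacks, so the tunnel follows the routing table --
interface Loopback0
 ip address 192.168.255.1 255.255.255.252

interface Tunnel0
 ip address 10.17.1.2 255.255.255.252
 ! line protocol goes down after 3 missed keepalives (about 30 s)
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 192.168.255.5
 ! "delay" only ranks EIGRP paths against each other. An EIGRP-learned /24
 ! beats a static default by longest match whatever the delay, which is why
 ! raising it alone changed nothing.

! --- Routing ------------------------------------------------------------------
! Primary default via ADSL, floating default (AD 250) via the modem.
ip route 0.0.0.0 0.0.0.0 Dialer0 track 123
ip route 0.0.0.0 0.0.0.0 Async1 250

! Hub loopback /30. Departure from the post: while ADSL is up it is routed to
! Null0 instead of Dialer0. Keepalives die in Null0, Tunnel0 goes line-protocol
! down, the EIGRP adjacency and its routes disappear, and LAN traffic stays on
! the Easy VPN SA instead of riding plaintext GRE over the ADSL. When track 123
! fails, the Null0 route is withdrawn, the floating route via Async1 takes
! over, and the next keepalive is what dials the modem.
ip route 192.168.255.4 255.255.255.252 Null0 track 123
ip route 192.168.255.4 255.255.255.252 Async1 250

! EIGRP peers over Tunnel0 only. Async1 is deliberately not an EIGRP interface,
! so hellos cannot raise the call. The loopbacks are not advertised either:
! learning the far tunnel endpoint through the tunnel itself makes IOS shut the
! tunnel for recursive routing (%TUN-5-RECURDOWN).
router eigrp 100
 network 10.17.1.0 0.0.0.3
 network 10.17.10.0 0.0.0.255
 eigrp stub connected
 no auto-summary

! --- Backup dial trigger ------------------------------------------------------
! Only GRE between the two loopbacks is interesting. EIGRP hellos inside the
! tunnel are GRE on the wire, so they keep the call up while ADSL is down
! (intended) and stop matching the moment the Null0 route returns, after which
! the idle timeout clears the call.
access-list 101 permit gre host 192.168.255.1 host 192.168.255.5
dialer-list 1 protocol ip list 101
interface Async1
 dialer-group 1
 dialer idle-timeout 120
```

The hub needs the mirror image: a Loopback0 holding 192.168.255.5/30, Tunnel0 sourced from it with destination 192.168.255.1, and a static route for 192.168.255.0/30 pointing at the branch's async peer address so the tunnel is reachable only across the dial link. To verify the failback that the thread is chasing: with ADSL healthy, `show ip route 192.168.255.4` should show Null0, `show interfaces Tunnel0` should report line protocol down, `show ip eigrp neighbors` should be empty and Async1 should be idle; shutting Dialer0 should, within the track delay plus one keepalive, dial the modem, bring Tunnel0 up and populate the EIGRP routes. Note that the GRE payload is in the clear on whichever path carries it; if that is not acceptable for the dial-backup path, add `tunnel protection ipsec profile` on Tunnel0 at both ends, which is outside this fragment.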

New Member

Easy VPN GRE

Rizwan,

What IP address will be on the async interface, and which networks should I advertise in EIGRP????

Thanks

Easy VPN GRE

"What IP address will be on async interface and which networks i shld advertised in EIGRP.????"

You can keep existings IP on the async-interface, maybe just change mask to /30 since it is back-to-back connection, please adverties loopback0 and connected from both side, HO and branch.

thanks

New Member

Re: Easy VPN GRE

rizwan,

"and connected from both sides, HO and branch."

Do you mean the async interface and the internal LAN??? I hope you mean this. As soon as I include the async interface in EIGRP, the backup link initiates because of the hellos, as I can see from debug eigrp packets, and even though the default route is present in the routing table the backup is still initiated.

Thanks
