GRE Tunnel doesn't work after protecting with IPSec

laloperez
Level 1

Hi all!

I have a problem that has been puzzling me for a long time now. I have an 800 series router connected to the Internet through ADSL. This line is used as a backup link from our main office to our data center. To accomplish this in a secure and transparent way I built a GRE tunnel between the 800 and the edge router in the DC, with the intention of protecting it with IPSec.

So the tunnel is up and I can connect to every device and server in the DC from the office, but the moment I put the protection on the tunnel, I can only reach the border router and no other downstream device anymore.

A diagram to illustrate:

GRE w/o IPSec

(Office):870:Tu0---->GRE through Internet----->Tu0:BorderRouter----->DistributionL3switch---->Servers; It works all the path long

GRE w IPSec (using tunnel protection ipsec)

(Office):870:Tu0---->GRE through Internet----->BorderRouter--X-->DistributionL3switch---->Servers; It works up to the border router interfaces, but I get no responses from downstream devices. If I test from the servers upstream, I can only reach the L3 switch interfaces, but no further.

I've checked configs, routing, changed to crypto maps... Nothing. Any idea?

Thanks in advance

15 Replies

Hi,

Please post the sanitized configs of both sides.

Also I would suggest checking the addresses and subnet masks in your crypto ACL.

Here they are. Of course, there's much more in the configs, so I'm only posting what I consider the relevant parts. As you can see, I'm not using a crypto ACL, just protecting the tunnel directly with tunnel protection ipsec.

As I said, the tunnel is perfectly working without the IPSec protection.

Your config seems ok.

Try switching to "mode tunnel" on both sides, instead of "mode transport".

One more thing, when you try to ping the servers in the DC, do you see packets getting encrypted / decrypted.

I've already tried mode tunnel, without success. How can I verify whether packets are encrypted/decrypted? sh crypto ipsec sa?

Thank you.

Yes, do

sh crypto ipsec sa

I've done it. I can see things like the output attached to this post. It seems the counters increase according to the traffic sent. But I discovered one thing, and I don't know if it's important at all: on one side the path MTU is 1400, while on the other side it is 1500. Might I have a fragmentation problem here?

Yes, set the MTU to 1416 on the tunnel interfaces on both sides.

interface Tunnel0

ip mtu 1416

And also use tunnel mode instead of transport mode.
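For reference, this is what a minimal GRE-over-IPSec setup with tunnel protection, matching MTU on both ends and the verification commands mentioned in this thread looks like in IOS. It is an added example, not the poster's attached configs; all addresses, interface names and the pre-shared key are constructed placeholders.

```cisco
! --- Office side (800 series router), constructed example ---
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER_PSK address 203.0.113.2
!
! Transform set: "mode transport" is the usual choice for GRE over IPSec;
! the thread also tries "mode tunnel". Either way it must match on both peers.
crypto ipsec transform-set GRE-TS esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 ! Same tunnel MTU on both ends so neither side has to fragment;
 ! MSS clamp is 1416 minus 40 bytes of IP and TCP headers.
 ip mtu 1416
 ip tcp adjust-mss 1376
 tunnel source Dialer0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROT
!
! DC prefixes are routed into the tunnel, not out of the ADSL interface
ip route 10.10.0.0 255.255.0.0 Tunnel0
!
! --- DC border router: mirror image (same policy, transform set and profile) ---
crypto isakmp key PLACEHOLDER_PSK address 198.51.100.2
!
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 ip mtu 1416
 ip tcp adjust-mss 1376
 tunnel source GigabitEthernet1/1
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile GRE-PROT
!
! Office LAN routed back into the tunnel; the distribution switch behind
! this router also needs a route for 192.168.1.0/24 pointing at it.
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
! Verification while pinging a server: encaps/decaps counters should rise
! and "path mtu" should read the same on both peers.
show crypto ipsec sa | include pkts|path mtu
show ip route 192.168.1.0
```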

Done, but I can't connect anyway. What I don't understand is that sh crypto ipsec sa says that on the border router the tunnel MTU remains 1500, even after shutting down and bringing up the tunnel interface. The 870 router shows the proper 1416 MTU on the tunnel interface after shutting it down and bringing it up. I cleared the crypto sa and se as well.

By the way, the border router is a 7604 with a Sup7203BXL, IOS 12.2(18)SXF11.

Did you use "mode tunnel" instead of transport?

Yes, I did, but nothing changes. I'm very confused by this situation. It can't be a routing issue, because without IPSec everything works. It can't be an ACL issue, because (I think) all the relevant ACL entries are in place, for IPSec as well as GRE and the tunnel peers.

Daniel Laden
Level 4

I recall running into a very similar issue. For me it was resolved by running 'clear local-host' on the ASA. It had something to do with the GRE tunnel already being in the ASA connection table.

Thank you for the info, but unfortunately I'm not using an ASA; just two routers, one 870 and one 7600.

Try adding the following:

interface Tunnel0

tunnel mode ipsec ipv4

Well, I think the 7600 has only limited VPN capabilities without the VPN SPA. I can't use mode ipsec on the tunnel. It can do ipip, AppleTalk, ipv6ip, eon and mpls, but not ipsec.

I need a simple VPN between my office and the Central site, and buying a full VPN SPA just for that seems a bit excessive for me.
