11-03-2008 03:47 AM - edited 02-21-2020 04:01 PM
Hi all!
I have a problem that has been puzzling me for a long time now. I have an 800 series router connected to the Internet through ADSL. This line is used as a backup link from our main office to our data center. To accomplish this in a secure and transparent way I built a GRE tunnel between the 800 and the edge router in the DC, with the intention of protecting it with IPSec.
So the tunnel is up and I can connect to every device and server in the DC from the office, but the moment I put the protection on the tunnel, I can only reach the border router and no other downstream device any more.
A diagram to illustrate:
GRE w/o IPSec
(Office):870:Tu0---->GRE through Internet----->Tu0:BorderRouter----->DistributionL3switch---->Servers; it works along the whole path.
GRE w IPSec (using tunnel protection ipsec)
(Office):870:Tu0---->GRE through Internet----->BorderRouter--X-->DistributionL3switch---->Servers; it works up to the border router interfaces, but I get no responses from downstream devices. If I test from the servers upstream, I can only reach the L3 switch interfaces, but no further.
I've checked configs, routing, changed to crypto maps... Nothing. Any idea?
Thanks in advance
11-03-2008 04:01 AM
Hi,
Please post the sanitized configs of both sides.
Also I would suggest checking the addresses and subnet masks in your crypto ACL.
11-03-2008 05:09 AM
Here they are. Of course, there's much more in the configs, so I'm only posting what I consider the relevant parts. As you can see, I'm not using a crypto ACL, just protecting the tunnel directly with tunnel protection ipsec.
As I said, the tunnel is perfectly working without the IPSec protection.
11-03-2008 06:56 AM
Your config seems ok.
Try switching to "mode tunnel" on both sides, instead of "mode transport".
One more thing: when you try to ping the servers in the DC, do you see packets getting encrypted / decrypted?
11-03-2008 07:04 AM
I've already tried mode tunnel, without success. How can I verify whether packets are encrypted/decrypted? sh crypto ipsec sa?
Thank you.
11-03-2008 07:13 AM
Yes, do
sh crypto ipsec sa
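A way to make the "do the counters move" check objective, as an added example that is not part of the thread: take two snapshots of sh crypto ipsec sa, one before and one after sending a burst of pings, and compare the per-SA encaps/decaps counters. Two-way growth means traffic is being encrypted and the replies are coming back through the SA; encaps growing alone means the far side is not answering through the tunnel. The counter line formats follow IOS output; the two snapshots below are constructed (RFC 5737 documentation addresses, hypothetical counter values).

```python
"""Compare two `show crypto ipsec sa` snapshots and flag one-way traffic."""
import re

# Constructed snapshot taken on the office router before a ping test.
BEFORE = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 203.0.113.10

   local  ident (addr/mask/prot/port): (203.0.113.10/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (198.51.100.20/255.255.255.255/47/0)
   current_peer 198.51.100.20 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
    #pkts decaps: 1498, #pkts decrypt: 1498, #pkts verify: 1498
    #send errors 0, #recv errors 0

     local crypto endpt.: 203.0.113.10, remote crypto endpt.: 198.51.100.20
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
"""

# Constructed snapshot after 100 pings to a server behind the DC router
# that received no replies: encaps grew, decaps did not.
AFTER = BEFORE.replace("#pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500",
                       "#pkts encaps: 1600, #pkts encrypt: 1600, #pkts digest: 1600")

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+?)\)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")
ERR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")
MTU_RE = re.compile(r"path mtu (\d+), ip mtu (\d+)")


def parse_sa_counters(text):
    """Return {(local ident, remote ident): counters} for every SA in the output."""
    sas, cur = {}, {}
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            if m.group(1) == "local":
                cur = {}              # each SA block starts with its local ident
            cur[m.group(1)] = m.group(2)
            if "local" in cur and "remote" in cur:
                sas[(cur["local"], cur["remote"])] = cur
            continue
        for name, rx in (("encaps", ENCAPS_RE), ("decaps", DECAPS_RE)):
            m = rx.search(line)
            if m:
                cur[name] = int(m.group(1))
        m = ERR_RE.search(line)
        if m:
            cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
        m = MTU_RE.search(line)
        if m:
            cur["path_mtu"], cur["ip_mtu"] = int(m.group(1)), int(m.group(2))
    return sas


def diff_counters(before, after):
    """Per-SA counter growth between two snapshots (SAs only in `after` count from 0)."""
    deltas = {}
    for key, new in after.items():
        old = before.get(key, {})
        deltas[key] = {k: new[k] - old.get(k, 0)
                       for k in ("encaps", "decaps", "send_errors", "recv_errors")
                       if k in new}
        deltas[key]["path_mtu"] = new.get("path_mtu")
    return deltas


def diagnose(delta):
    """Classify one SA's counter growth during the test window."""
    if delta.get("send_errors") or delta.get("recv_errors"):
        return "errors"
    if delta["encaps"] > 0 and delta["decaps"] > 0:
        return "two-way"
    if delta["encaps"] > 0:
        return "encaps only"      # we encrypt, nothing comes back through the SA
    if delta["decaps"] > 0:
        return "decaps only"      # peer sends, our replies never enter the SA
    return "idle"


if __name__ == "__main__":
    for key, delta in diff_counters(parse_sa_counters(BEFORE),
                                    parse_sa_counters(AFTER)).items():
        print(key, delta, "->", diagnose(delta))
```

Run the same comparison on both routers. If both ends report two-way growth for pings to the far tunnel address while pings to hosts behind it are encaps-only, the packets are leaving the SA correctly and the loss is on the far side after decapsulation, which moves the search to that router's routing or to the size of the packets rather than to IPsec itself.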
11-03-2008 07:39 AM
I've done it. I can see output like the attachment to this post. It seems the counters increase according to the traffic sent. But I discovered one thing I don't know whether it matters at all: on one side the path MTU is 1400, while on the other it is 1500. Could I have a fragmentation problem here?
11-03-2008 09:31 AM
Yes, set the MTU to 1416 on the tunnel interfaces on both sides.
interface Tunnel0
ip mtu 1416
And also use tunnel mode instead of transport mode.
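Whether a given tunnel ip mtu avoids fragmentation after encryption depends on the ESP mode and the transform set, so the arithmetic is worth doing rather than guessing. The calculator below is an added example, not from the thread or from Cisco: it models the overhead of ESP wrapped around a GRE/IP packet and finds the largest inner packet that still fits a 1500-byte link. It assumes IPv4 without options, a GRE header with no key or sequence number, CBC ciphers with 96-bit HMAC integrity, and optionally NAT-T UDP encapsulation; header sizes are the ones in RFC 2784 (GRE), RFC 4303 (ESP) and RFC 3948 (UDP encapsulation).

```python
"""Outer packet size of GRE over IPsec ESP, and the largest tunnel `ip mtu`
that keeps the encrypted packet at or under the physical link MTU."""

IP_HDR = 20          # IPv4 header without options
GRE_HDR = 4          # GRE with no key/sequence (IOS `tunnel mode gre ip` default)
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
NAT_T_UDP = 8        # UDP header added by NAT traversal
IV_LEN = {"3des": 8, "aes": 16}      # CBC IV = cipher block size
BLOCK = {"3des": 8, "aes": 16}       # ESP padding aligns to the block size
ICV_LEN = {"md5": 12, "sha1": 12}    # HMAC-MD5-96 / HMAC-SHA1-96


def esp_size(plaintext_len, cipher, hmac):
    """Bytes of one ESP packet (header, IV, padded payload+trailer, ICV)."""
    block = BLOCK[cipher]
    padded = -(-(plaintext_len + ESP_TRAILER) // block) * block   # round up
    return ESP_HDR + IV_LEN[cipher] + padded + ICV_LEN[hmac]


def gre_ipsec_outer_size(inner_len, cipher="3des", hmac="sha1",
                         mode="transport", nat_t=False):
    """Outer IPv4 packet size for an inner IP packet of inner_len bytes."""
    gre_packet = GRE_HDR + inner_len
    if mode == "transport":
        # ESP sits between the GRE delivery IP header and the GRE header:
        # only GRE + inner packet are encrypted.
        protected = gre_packet
    elif mode == "tunnel":
        # ESP gets its own outer IP header and encrypts the whole GRE/IP
        # packet, delivery header included.
        protected = IP_HDR + gre_packet
    else:
        raise ValueError(f"unknown mode {mode!r}")
    size = IP_HDR + esp_size(protected, cipher, hmac)
    return size + NAT_T_UDP if nat_t else size


def max_inner_mtu(link_mtu=1500, **kw):
    """Largest inner packet (tunnel `ip mtu`) whose encrypted form fits link_mtu."""
    inner = link_mtu
    while gre_ipsec_outer_size(inner, **kw) > link_mtu:
        inner -= 1
    return inner


def mtu_table(link_mtu=1500):
    """Largest safe tunnel `ip mtu` for each cipher/mode pair with HMAC-SHA1-96."""
    return {(c, m): max_inner_mtu(link_mtu, cipher=c, hmac="sha1", mode=m)
            for c in ("3des", "aes") for m in ("transport", "tunnel")}


if __name__ == "__main__":
    for (cipher, mode), mtu in mtu_table().items():
        outer_1416 = gre_ipsec_outer_size(1416, cipher=cipher, mode=mode)
        print(f"{cipher:5} {mode:9}: max ip mtu {mtu}, "
              f"1416-byte inner packet -> {outer_1416} bytes on the wire")
```

With these assumptions a 1416-byte inner packet encrypts to 1472 bytes with 3DES/SHA1 in transport mode, but to 1512 bytes with AES/SHA1 in tunnel mode, so the same ip mtu value can be safe on one transform set and cause post-encryption fragmentation on another. Reading the transform set and path mtu from sh crypto ipsec sa and feeding them to max_inner_mtu() gives a value for your own SA; a learned path mtu lower than the link MTU, as in the 1400 versus 1500 mismatch above, also lowers the answer, and because learned path MTU depends on ICMP "fragmentation needed" messages getting through, a fixed tunnel ip mtu together with ip tcp adjust-mss on the tunnel interface is more predictable than relying on path MTU discovery.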
11-03-2008 09:48 AM
Done, but I still can't connect. What I don't understand is that sh crypto ipsec sa says that on the border router the tunnel MTU remains 1500, even after shutting down and bringing up the tunnel interface. The 870 router shows the proper 1416 MTU on the tunnel interface after shutting it down and bringing it up. I cleared the crypto sa and se as well.
By the way, the border router is a 7604 with a Sup7203BXL, IOS 12.2(18)SXF11.
11-03-2008 10:30 AM
Did you use "mode tunnel" instead of transport?
11-04-2008 12:23 AM
Yes, I did, but nothing changes. I'm very confused by this situation. It can't be a routing issue, because without IPSec everything works. It can't be an ACL issue, because (I think) all the relevant ACL entries are in place, for IPSec as well as for GRE and the tunnel peers.
11-09-2008 11:32 AM
I recall running into a very similar issue. For me it was resolved by running 'clear local-host' on the ASA. It had something to do with the GRE tunnel already being in the ASA connection table.
11-10-2008 04:15 AM
Thank you for the info, but unfortunately I'm not using an ASA; just two routers, one 870 and one 7600.
11-10-2008 05:38 PM
Try adding the following:
interface Tunnel0
tunnel mode ipsec ipv4
11-11-2008 01:58 AM
Well, I think the 7600 has only limited VPN capabilities without the VPN SPA. I can't use mode ipsec on the tunnel. It can do ipip, AppleTalk, ipv6ip, eon and mpls, but not ipsec.
I need a simple VPN between my office and the Central site, and buying a full VPN SPA just for that seems a bit excessive for me.