DVTI

Thomas Schmitt
Level 1

Hello

I don't understand why I can't connect to DVTI. I did the simplest configuration to build a VPN connection between SVTI and DVTI and it doesn't work - could somebody please explain what the matter is?

I have Router R1 (IP 1.1.1.1) and Router R2 (IP 2.2.2.1)

R1 configuration:

crypto isakmp policy 10
 encr aes 192
 authentication pre-share
 group 5
crypto isakmp key KEY address 0.0.0.0 0.0.0.0
!
! ah-sha-hmac is AH only: integrity protection, no encryption of the payload
crypto ipsec transform-set set2 ah-sha-hmac
crypto ipsec profile vi
 set transform-set set2
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 tunnel source Serial0/0
 tunnel destination 2.2.2.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vi
!
interface Serial0/0
 ip address 1.1.1.1 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 Serial0/0 10

R2 configuration:

crypto isakmp policy 10
 encr aes 192
 authentication pre-share
 group 5
crypto isakmp key KEY address 0.0.0.0 0.0.0.0
crypto isakmp profile vi
   keyring default
   match identity address 0.0.0.0
   virtual-template 2
crypto ipsec transform-set set2 ah-sha-hmac
crypto ipsec profile vi
 set transform-set set2
 set isakmp-profile vi
!
interface Loopback0
 ip address 172.16.0.2 255.255.255.0
!
interface Serial0/0
 ip address 2.2.2.1 255.255.255.252
!
interface Virtual-Template2 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vi
!
ip route 0.0.0.0 0.0.0.0 Serial0/0 10

The SVTI tunnel comes up, the virtual-access interface also comes up and has the following configuration:

interface Virtual-Access2
 mtu 1514
 ip unnumbered Loopback0
 tunnel source 2.2.2.1
 tunnel destination 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vi
 no tunnel protection ipsec initiate
end

R2 gets all the IPsec traffic from R1, but there is no response from R2. The only point I can see is that R2 didn't create a reverse route to R1.

thx
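
A quick way to spot the weak points in the crypto part of the R1 configuration above, as an added example that is not code from this thread. R1_CONFIG is the posted R1 crypto section copied verbatim; HARDENED_CONFIG is a hypothetical replacement I wrote (ESP with AES-256 and SHA-256, DH group 14, and a pre-shared key bound to the single expected peer in a keyring) and assumes an IOS release that accepts "hash sha256" in an ISAKMP policy and "esp-sha256-hmac" in a transform set (15.1(2)T and later). The finding texts are my own wording.

```python
"""Lint the IKEv1/IPsec section of a Cisco IOS config for weak settings.

Added example, not code from the thread. R1_CONFIG is the poster's R1 crypto
section; HARDENED_CONFIG is a hypothetical replacement (assumes IOS 15.1(2)T+
for sha256 / esp-sha256-hmac).
"""
import re

# Copied from the thread: the crypto section of R1 as posted.
R1_CONFIG = """\
crypto isakmp policy 10
 encr aes 192
 authentication pre-share
 group 5
crypto isakmp key KEY address 0.0.0.0 0.0.0.0
crypto ipsec transform-set set2 ah-sha-hmac
crypto ipsec profile vi
 set transform-set set2
"""

# Hypothetical hardened equivalent: ESP (confidentiality + integrity),
# a 2048-bit DH group, and a PSK bound to the one expected peer.
HARDENED_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto keyring DVTI-KEYS
 pre-shared-key address 1.1.1.1 255.255.255.255 key REPLACE-WITH-LONG-RANDOM-SECRET
crypto ipsec transform-set set-esp esp-aes 256 esp-sha256-hmac
crypto ipsec profile vi
 set transform-set set-esp
"""

ESP_CIPHERS = {"esp-aes", "esp-gcm", "esp-3des", "esp-des", "esp-seal"}  # ESP encryption transforms
WEAK_ALGS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}
WEAK_DH = {"1", "2", "5"}  # MODP groups below 2048 bits


def parse_crypto(text):
    """Pull ISAKMP policies, PSK bindings (peer, mask) and transform sets out of a config."""
    policies, psks, transforms = {}, [], {}
    policy = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            policy = policies.setdefault(m.group(1), {})
            continue
        m = re.match(r"crypto isakmp key (\S+) address (\S+)(?: (\S+))?$", line)
        if m:
            psks.append((m.group(2), m.group(3) or "255.255.255.255"))
            policy = None
            continue
        m = re.match(r"pre-shared-key address (\S+)(?: (\d+(?:\.\d+){3}))? key \S+$", line)
        if m:
            psks.append((m.group(1), m.group(2) or "255.255.255.255"))
            policy = None
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            transforms[m.group(1)] = m.group(2).split()
            policy = None
            continue
        if line.startswith("crypto ") or line.startswith("interface "):
            policy = None  # left the policy block
        elif policy is not None:
            key, _, value = line.partition(" ")  # e.g. "encr aes 192" -> encr: "aes 192"
            policy[key] = value
    return policies, psks, transforms


def lint(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    policies, psks, transforms = parse_crypto(text)
    findings = []
    for pid, pol in policies.items():
        group = pol.get("group", "1")  # IOS default DH group is 1
        if group in WEAK_DH:
            findings.append(f"isakmp policy {pid}: DH group {group} is below 2048 bits, use group 14 or higher")
        if pol.get("hash", "sha") == "md5":
            findings.append(f"isakmp policy {pid}: MD5 hash")
        if pol.get("encr", "des").split()[0] in ("des", "3des"):  # IOS default is DES
            findings.append(f"isakmp policy {pid}: {pol.get('encr', 'des')} encryption is weak")
    for peer, mask in psks:
        if peer == "0.0.0.0" and mask == "0.0.0.0":
            findings.append("wildcard pre-shared key (address 0.0.0.0 0.0.0.0): any host that knows the key can authenticate as a peer")
    for name, algs in transforms.items():
        if not ESP_CIPHERS & set(algs):
            findings.append(f"transform-set {name}: integrity only (no ESP cipher), payload crosses the WAN in cleartext")
        for alg in sorted(set(algs) & WEAK_ALGS):
            findings.append(f"transform-set {name}: {alg} is weak")
    return findings


if __name__ == "__main__":
    for label, cfg in (("R1 as posted", R1_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}")
        for finding in lint(cfg) or ["no findings"]:
            print(" -", finding)
```

Run on the posted R1 section it reports three things: the AH-only transform set (the tunnel authenticates packets but does not encrypt them), the wildcard pre-shared key (combined with "match identity address 0.0.0.0" on R2, any host that has the key is accepted as a spoke), and DH group 5. A hub that has to accept spokes from unknown addresses can keep the wildcard match, but should then give each spoke its own key in a keyring or move to certificates.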


9 Replies

Marcin Latosiewicz
Cisco Employee

Dmytro,

There are a few bugs regarding installing routes in the DVTI scenario, including:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCta53372

That being said, are you able to communicate between the tunnel0 interface on R1 and the virtual-access (loop0) on R2? Does everything work OK if you add the route manually?

Marcin

No, I'm not able to ping loop0 on R2; the traffic from R1 to 172.16.0.2 gets "lost" on R2 (R2 gets it, but there is no response from R2).

To be honest I don't know how I can add a static route to the virtual-access interface. I tried "ip route 10.0.0.0 255.255.255.0 virtual-access2" but this command was not accepted by Cisco IOS (10.0.0.0/24 is the LAN interface on R1, 10.0.1.0/24 on R2).

p.s. I have only a "guest" account and can't follow your link

Dmytro,

Bug details:

RRI static route disappears from routing table on interface shut/no-shut

Symptoms: A VPN static route is not seen in the RIB after an interface is 
shut down and brought back up (shut/no shut). 

Conditions: Configure the crypto client and server routers in such a way that 
the session is up and RRI installs a static route on the server that is 
pointing to the client IP address. Now shut down the interface on the server 
router that is facing the client. The RRI static route disappears from the 
RIB and never reappears.

Workaround: Reset the RRI session.

What version are you running? I would be interested to check this out in the lab (if I find the time), since I've never seen one working :-)

Marcin

Dmytro,

Something like this works for me:

DVTI:

Peering2_961#sh run int virtual-template 1
Building configuration...

Current configuration : 158 bytes
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel source Serial0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile PRO
end

Peering2_961#sh run | s crypto
crypto pki token default removal timeout 0
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp profile PRO
   keyring default
   match identity address 0.0.0.0
   virtual-template 1
crypto ipsec transform-set TRA esp-aes esp-sha-hmac
crypto ipsec profile PRO
set transform-set TRA
set isakmp-profile PRO
Peering2_961#sh run int se0/0
Building configuration...

Current configuration : 178 bytes
!
interface Serial0/0
ip address 172.16.0.2 255.255.255.252
ipv6 address 2001:DB8:BB::2/126
mpls bgp forwarding
mpls label protocol ldp
mpls ip
serial restart-delay 0
end

Peering2_961#sh run int l0
Building configuration...

Current configuration : 69 bytes
!
interface Loopback0
ip address 223.255.255.1 255.255.255.255
end

Peering2_961#sh run | s r r
Peering2_961#sh run | s r rip
router rip
version 2
network 11.0.0.0
network 223.255.255.0
no auto-summary

SVTI:

Peering1_960#sh run | s crypto
crypto pki token default removal timeout 0
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TRA esp-aes esp-sha-hmac
crypto ipsec profile PRO
set transform-set TRA
Peering1_960#sh run int tu0
Building configuration...

Current configuration : 167 bytes
!
interface Tunnel0
ip unnumbered Loopback0
tunnel source Serial0/0
tunnel mode ipsec ipv4
tunnel destination 172.16.0.2
tunnel protection ipsec profile PRO
end

Routing on DVTI:

Peering2_961#sh ip route
(...omitted...)

      11.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
R        11.0.0.0/24 [120/1] via 223.255.255.0, 00:00:12, Virtual-Access2
C        11.1.1.0/24 is directly connected, Loopback100
L        11.1.1.1/32 is directly connected, Loopback100
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.0.0/30 is directly connected, Serial0/0
L        172.16.0.2/32 is directly connected, Serial0/0
      223.255.255.0/32 is subnetted, 2 subnets
R        223.255.255.0 [120/1] via 223.255.255.0, 00:00:12, Virtual-Access2
C        223.255.255.1 is directly connected, Loopback0

Ping test:

Peering2_961#sh crypto ipsec sa | i caps|ident
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    #pkts encaps: 41, #pkts encrypt: 41, #pkts digest: 41
    #pkts decaps: 33, #pkts decrypt: 33, #pkts verify: 33
Peering2_961#ping 223.255.255.0 re 1000

Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 223.255.255.0, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.
Success rate is 99 percent (525/526), round-trip min/avg/max = 20/36/52 ms
Peering2_961#sh crypto ipsec sa | i caps|ident
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    #pkts encaps: 569, #pkts encrypt: 569, #pkts digest: 569
    #pkts decaps: 561, #pkts decrypt: 561, #pkts verify: 561
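
The check the post above walks through (SA packet counters before and after the ping, plus the routing table) as a script, added here as an example and not code from the thread. SA_BEFORE, SA_AFTER and RIB_WORKING are copied from the output above; SA_ONEWAY_BEFORE, SA_ONEWAY_AFTER and RIB_BROKEN are constructed to reproduce the original symptom (R2 decrypts what R1 sends but never answers, and nothing in its RIB points at the virtual-access interface). The state names are my own.

```python
"""Triage a VTI tunnel from IOS 'show' output: is traffic flowing both ways,
and does the RIB contain a route over the virtual-access interface?

Added example, not code from the thread. SA_BEFORE, SA_AFTER and RIB_WORKING
are copied from Marcin's post; SA_ONEWAY_* and RIB_BROKEN are constructed to
mimic the poster's symptom (R2 decrypts, never answers).
"""
import re

# --- samples copied from the thread --------------------------------------
SA_BEFORE = """\
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    #pkts encaps: 41, #pkts encrypt: 41, #pkts digest: 41
    #pkts decaps: 33, #pkts decrypt: 33, #pkts verify: 33
"""
SA_AFTER = """\
    #pkts encaps: 569, #pkts encrypt: 569, #pkts digest: 569
    #pkts decaps: 561, #pkts decrypt: 561, #pkts verify: 561
"""
RIB_WORKING = """\
R        11.0.0.0/24 [120/1] via 223.255.255.0, 00:00:12, Virtual-Access2
C        11.1.1.0/24 is directly connected, Loopback100
R        223.255.255.0 [120/1] via 223.255.255.0, 00:00:12, Virtual-Access2
C        223.255.255.1 is directly connected, Loopback0
"""

# --- constructed samples for the failing case ----------------------------
SA_ONEWAY_BEFORE = """\
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
"""
SA_ONEWAY_AFTER = """\
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 37, #pkts decrypt: 37, #pkts verify: 37
"""
RIB_BROKEN = """\
C        2.2.2.0/30 is directly connected, Serial0/0
C        172.16.0.0/24 is directly connected, Loopback0
S*       0.0.0.0/0 is directly connected, Serial0/0
"""


def sa_counters(text):
    """Extract the encaps/decaps packet counters from 'show crypto ipsec sa' output."""
    counts = {}
    for name in ("encaps", "decaps"):
        m = re.search(rf"#pkts {name}: (\d+)", text)
        counts[name] = int(m.group(1)) if m else 0
    return counts


def routes_via_vti(rib_text):
    """Prefixes in 'show ip route' output whose outgoing interface is a Virtual-Access."""
    found = []
    for line in rib_text.splitlines():
        m = re.match(r"\S+\s+(\S+)\s.*\bVirtual-Access\d+\s*$", line)
        if m:
            found.append(m.group(1))
    return found


def diagnose(sa_before, sa_after, rib_text):
    """Return (state, detail) for the interval between two SA counter snapshots."""
    before, after = sa_counters(sa_before), sa_counters(sa_after)
    sent = after["encaps"] - before["encaps"]
    received = after["decaps"] - before["decaps"]
    vti_routes = routes_via_vti(rib_text)
    if sent == 0 and received == 0:
        return "down", "no packets in either direction: check 'show crypto isakmp sa' and the IPsec SA state"
    if sent == 0:
        # Decrypting but never encrypting is the thread's symptom: replies have no path into the tunnel.
        if not vti_routes:
            return "one-way-no-route", (f"{received} packets decrypted, none sent back, and no RIB entry "
                                        "points at a Virtual-Access interface: the reply has no route into the tunnel")
        return "one-way-route-present", (f"{received} packets decrypted, none sent back, although "
                                         f"{vti_routes} are routed over the VTI: look beyond routing (ACLs, NAT)")
    return "ok", f"{sent} sent, {received} received; routes over the VTI: {vti_routes}"


if __name__ == "__main__":
    print(diagnose(SA_BEFORE, SA_AFTER, RIB_WORKING))
    print(diagnose(SA_ONEWAY_BEFORE, SA_ONEWAY_AFTER, RIB_BROKEN))
```

The working case reports both counters moving and two prefixes learned over Virtual-Access2 (the RIP routes in the output above); the constructed failing case reports decaps growing with encaps flat and no route over a virtual-access interface, which is exactly what "R2 gets it, but there is no response" looks like in the counters.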

It is alive!

After all there are some strange things on the SVTI side:

-If you try "ip address A.B.C.D ..." on the tunnel interface, then it will not work (only "ip unnumbered interface" works).

-If you try the static route "ip route 223.255.255.1 255.255.255.255 tunnel 0", then it will not work, but at the same time if you try "ip route 11.0.0.0 255.255.255.0 tunnel 0", then it is OK.

I still don't understand this thing completely, but for now, with an unnumbered interface and a dynamic routing protocol, it is working.

Thanks

Dmytro,

Odd, I deconfigured RIP and configured EIGRP and I have no problem pinging the loopback interfaces; EIGRP is established via the loopback interfaces.

I'm running 15.1.2.T, you?

Marcin

Hello

my version: Cisco IOS Software, 3700 Software (C3745-ADVIPSERVICESK9-M), Version 12.4(15)T6, RELEASE SOFTWARE (fc2)

Dmytro,

That's considerably older than my version. :-)

Do you mind jumping to something with newer CEF code? Either 12.4(2x)Ty or 15.0/1 ...

edit: Hold that thought, I need to check one thing in the lab ;-)

Marcin

Dmytro,

Regarding communicating with the unnumbered IP on the other side.

Routing for me when it works - route installed via EIGRP.

D        223.255.255.0
           [90/27008000] via 223.255.255.0, 00:00:07, Virtual-Access2

The problem with adding this route manually is that you cannot specify a route manually via a DVTI interface (template or access). :-)

If you're curious to pursue this behavior until explained I'd say open a TAC case. I'd say we have some reasonable doubts.

Marcin
