
Dynamic VTI VPN

Ashley Sahonta
Level 1

Hi,

I am currently trying to set up DVTI VPN in GNS3. I am using loopback interfaces for the LAN interface. I can get the tunnel and virtual access interfaces to come up and can ping from the outside address, but not from the LAN address on the spoke router. If I try to issue a ping from the hub router to the spoke's internal address, then I get U.U.U.U: as there is no route, it can't reach the remote network.

I have done this following the guidance of Michael Shannon (CBT) and have found limited documentation on Cisco for the setup I am trying to accomplish.

Hub (R1) and Spoke (R2) config attached.

21 Replies

Hello Ashley,

I will run a VTI lab tonight with this setup.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Ashley,

There is only one way to do it, and that is by using a dynamic routing protocol on both (hub and spoke), as the problem is that the spoke router encrypts the traffic, the hub receives and decrypts it, but as it cannot send it to the spoke (no route to the device) the returning traffic will fail.

So to make it work create a Dynamic routing instance on both devices and just announce the loopback ip subnet.

Then on both interfaces change the config to ip unnumbered Loopback#

As soon as the adjacency comes up it will work.

There is no way you could send traffic statically to a DVTI. That is the key part.

Remember to rate all the answers, that is more important for us than a thanks.

Julio

Julio Carvajal
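The design Julio describes, written out as a complete hub and spoke configuration. This is an added example, not a config from the thread or from Cisco; the interface names, the hub public address 203.0.113.1, the 10.10.10.0/24 loopback subnet, EIGRP AS 100 and the placeholder pre-shared key are all assumed. The hub keeps a DVTI (only the spoke can initiate), the spoke uses a static VTI, both tunnel ends are unnumbered to a loopback in the same subnet, and EIGRP over the virtual-access interface carries the spoke LAN prefix that a static route cannot.

```cisco
! ---- Hub (R1): DVTI, unnumbered to Loopback0, EIGRP over the virtual-access ----
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
! placeholder key; a DVTI hub accepts any spoke address
crypto isakmp key PSK-PLACEHOLDER address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
crypto isakmp profile DVTI
 match identity address 0.0.0.0
 virtual-template 1
crypto ipsec profile DVTI
 set transform-set TS
 set isakmp-profile DVTI
interface Loopback0
 ip address 10.10.10.1 255.255.255.0
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile DVTI
! 10.10.10.0/24 enables EIGRP on Loopback0 and on every cloned Virtual-Access;
! the hub LAN (192.168.1.0/24 here) must be advertised too, or the spoke never learns it
router eigrp 100
 network 10.10.10.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
! ---- Spoke (R2): static VTI to the hub, same loopback subnet, same AS ----
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key PSK-PLACEHOLDER address 203.0.113.1
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
crypto ipsec profile SVTI
 set transform-set TS
interface Loopback0
 ip address 10.10.10.2 255.255.255.0
! Loopback1 stands in for the spoke LAN, as in the GNS3 lab
interface Loopback1
 ip address 192.168.2.1 255.255.255.0
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SVTI
router eigrp 100
 network 10.10.10.0 0.0.0.255
 network 192.168.2.0 0.0.0.255
```

Once the adjacency forms, show ip eigrp neighbors on the hub lists the spoke over its Virtual-Access interface and show ip route eigrp shows 192.168.2.0/24 via that interface. The EIGRP hellos also keep the tunnel permanently up, which is the behaviour Ashley notes later in the thread.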

I just realised I didn't attach a zip file. Will do that now. It is the full GNS3 topology.

Could you also share your GNS3 lab topology?

Okay, so I have created the loopback interface on all of the routers and advertised all networks across the hub and spokes, and it now works. When I advertised only the loopback network it still didn't work.

The issue I have now is that this goes against my understanding of the whole concept. You said that tunnels are brought up on an on-demand basis and are initiated by the spokes; however, with a dynamic routing protocol running over the network the tunnels will always be up and any of the sites can initiate the tunnel.

I would really like to get this to work using static routes, but will continue to do more research on the topic.

Hello Ashley,

Yes, the thing is that the DVTI is used for a different deployment (like Easy VPN), not for this particular design, as you cannot route through a DVTI.

There is no way it can be done using a static route, because you cannot use one, so you are looking for a different VPN design, I assure you that.

Julio

Rate all the answers, for the community that is more important than a thanks.

Julio Carvajal

juaherre
Level 1

I have a configuration template for this setup; you will probably find it useful:

<><><><><><><><> Server <><><><><><><><>

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
crypto ipsec transform-set VTI esp-3des esp-sha-hmac
aaa new-model
aaa authentication login default local
aaa authorization network author local
ip local pool mypool 172.16.1.1 172.16.1.50
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
crypto isakmp client configuration group cisco
 key cisco
 dns 10.50.1.1
 wins 10.60.1.1
 domain cisco.com
 pool mypool
 acl 101
crypto isakmp profile VTI
 match identity group cisco
 isakmp authorization list author
 client configuration address respond
 virtual-template 1
crypto ipsec profile VTI
 set transform-set VTI
 set isakmp-profile VTI
interface Virtual-Template1 type tunnel
 ip unnumbered Ethernet0/0
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI

***************************************************************************************

hub#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.1.1 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Ethernet0/0
C    192.168.1.0/24 is directly connected, Ethernet1/0
S    192.168.2.0/24 [1/0] via 0.0.0.0, Virtual-Access2
S*   0.0.0.0/0 [1/0] via 10.1.1.1

hub#sh crypto ipsec sa

interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 10.1.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 10.2.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed

***************************************************************************************

<><><><><><><><> Client <><><><><><><><>

crypto isakmp keepalive 10
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
exit
crypto ipsec client ezvpn ez
 connect manual
 group cisco key cisco
 mode network-extension
 peer 10.1.1.2
 virtual-interface 1
 xauth userid mode interactive
interface e1/0
 crypto ipsec client ezvpn ez inside
interface e0/0
 crypto ipsec client ezvpn ez

***************************************************************************************

spoke1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.2.1.1 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S       10.1.1.2/32 [1/0] via 10.2.1.1
C       10.2.1.0/24 is directly connected, Ethernet0/0
S    192.168.1.0/24 [1/0] via 0.0.0.0, Virtual-Access2
C    192.168.2.0/24 is directly connected, Ethernet1/0
S*   0.0.0.0/0 [1/0] via 10.2.1.1

spoke1#sh crypto ipsec sa

interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 10.2.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 10.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.2.1.2, remote crypto endpt.: 10.1.1.2

***************************************************************************************

sergey_sazhin
Level 1

I have 2 remarks regarding the configuration template (configuration part of the hub):

crypto isakmp key cisco address 0.0.0.0 0.0.0.0 <- is not needed on the hub since the remote is authenticated using the group password

Also, I think it's worth adding this command in the hub's isakmp profile:

crypto isakmp profile VTI
 client configuration group

which "accepts the name of a group that will be assigned to a peer when the peer is assigned this crypto ISAKMP profile". Although the configuration would work without this command, I think there might be some complex scenarios when this command must be applied, so it's better to include it in the template.

Share your mention please.