
GRE IPSEC TUNNEL with VRF's and NAT PROBLEM

Hi all,

 

I have a problem with an implementation of GRE IPsec tunnels working with VRFs.

Let me explain the situation from the beginning.

I have two 2921 routers (c2900-universalk9-mz.SPA.152-4.M5.bin) between which I want to implement a GRE IPsec tunnel. I need one of them to work with VRFs, because I have other VPNs on it and it needs to be done like this.

Their outside interfaces have private IPs, but there is a firewall in front of each one that NATs them to public IPs. I attach a simple diagram so you can understand it.

Without VRFs the solution works fine, but the problem starts when I configure it with VRFs.

The VPN comes up and I'm able to reach the other site via the loopbacks (I've created one loopback in each router and permitted simple access between them), the tunnels are up, but I can't reach the other side of the tunnel (ping), and logically the OSPF that I configured doesn't come up. I don't really know what's wrong; I've been trying to solve it for more than a week with no success.

Note that the VPN is up:

ROUTER A (with vrf):

ROUTERA#sh crypto isakmp sa 
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.19.208.101  PEER_PUBLIC_ADDRESS QM_IDLE           7799 ACTIVE
!
ROUTERA#SH CRYpto IPSec SA


interface: Port-channel7.55
    Crypto map tag: vpn_provider, local addr 172.19.208.101

   protected vrf: prova
   local  ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (20.20.20.20/255.255.255.255/0/0)
   current_peer PEER_PUBLIC_ADDRESS port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
    #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.19.208.101, remote crypto endpt.: PEER_PUBLIC_ADDRESS
     path mtu 1500, ip mtu 1500, ip mtu idb Port-channel7.55
     current outbound spi: 0x390A97F8(956995576)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x9B68F445(2607346757)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2949, flow_id: Onboard VPN:949, sibling_flags 80004040, crypto map: vpn_provider
        sa timing: remaining key lifetime (k/sec): (4608000/1539)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x390A97F8(956995576)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2950, flow_id: Onboard VPN:950, sibling_flags 80004040, crypto map: vpn_provider
        sa timing: remaining key lifetime (k/sec): (4608000/1539)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: prova
   local  ident (addr/mask/prot/port): (172.19.208.101/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.25.208.101/255.255.255.255/47/0)
   current_peer PEER_PUBLIC_ADDRESS port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 ---> Don't know why it doesn't encrypt
    #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.19.208.101, remote crypto endpt.: PEER_PUBLIC_ADDRESS
     path mtu 1500, ip mtu 1500, ip mtu idb Port-channel7.55
     current outbound spi: 0x843F9D9F(2218761631)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xD27130F3(3530633459)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2951, flow_id: Onboard VPN:951, sibling_flags 80000040, crypto map: vpn_provider
        sa timing: remaining key lifetime (k/sec): (4249959/1591)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x843F9D9F(2218761631)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2952, flow_id: Onboard VPN:952, sibling_flags 80000040, crypto map: vpn_provider
        sa timing: remaining key lifetime (k/sec): (4249996/1591)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

 

ROUTER B (without vrf):

ROUTERB#sh crypto isakmp sa 
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
PEER_PUBLIC_ADDRESS 172.25.208.101  QM_IDLE           1106 ACTIVE
!
ROUTERB#sh crypto ipsec sa

interface: Port-channel7.55
    Crypto map tag: mymap, local addr 172.25.208.101

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (20.20.20.20/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
   current_peer PEER_PUBLIC_ADDRESS port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 34, #pkts encrypt: 34, #pkts digest: 34
    #pkts decaps: 34, #pkts decrypt: 34, #pkts verify: 34
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.25.208.101, remote crypto endpt.: PEER_PUBLIC_ADDRESS
     path mtu 1500, ip mtu 1500, ip mtu idb Port-channel7.55
     current outbound spi: 0x9B68F445(2607346757)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x390A97F8(956995576)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2087, flow_id: Onboard VPN:87, sibling_flags 80000040, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4164051/1332)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x9B68F445(2607346757)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2088, flow_id: Onboard VPN:88, sibling_flags 80000040, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4164051/1332)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.25.208.101/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.19.208.101/255.255.255.255/47/0)
   current_peer PEER_PUBLIC_ADDRESS port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 656, #pkts encrypt: 656, #pkts digest: 656
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0  ---> Don't know why it doesn't decrypt
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.25.208.101, remote crypto endpt.: PEER_PUBLIC_ADDRESS
     path mtu 1500, ip mtu 1500, ip mtu idb Port-channel7.55
     current outbound spi: 0xD27130F3(3530633459)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x843F9D9F(2218761631)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2089, flow_id: Onboard VPN:89, sibling_flags 80004040, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4188983/1384)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD27130F3(3530633459)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2090, flow_id: Onboard VPN:90, sibling_flags 80004040, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4188942/1384)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

 


Can somebody help me, please?

I attach the network diagram above.

Below is the config of the routers:

 

ROUTER A:

......
!
vrf definition prova
 rd 65501:2
 !
 address-family ipv4
 exit-address-family

......
!
crypto keyring prova  
  pre-shared-key address PEER_PUBLIC_ADDRESS key XXXXXXXXX
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp profile prova
   vrf prova
   keyring prova
   match identity address 172.25.208.101 255.255.255.255 
!
crypto ipsec transform-set esp-aes-sha1 esp-aes esp-sha-hmac 
 mode tunnel
!
crypto map vpn_provider 200 ipsec-isakmp 
 set peer PEER_PUBLIC_ADDRESS
 set transform-set esp-aes-sha1 
 set isakmp-profile prova
 match address 120
!         
interface Loopback0
 vrf forwarding prova
 ip address 10.10.10.10 255.255.255.255
!
interface Tunnel200
 vrf forwarding prova
 ip address 192.168.90.1 255.255.255.252
 ip mtu 1420
 ip ospf mtu-ignore
 ip ospf cost 200
 tunnel source Port-channel7.55
 tunnel destination 172.25.208.101
!
interface Port-channel7
 no ip address
 hold-queue 150 in
!
interface Port-channel7.55
 encapsulation dot1Q 55 native
 ip address 172.19.208.101 255.255.255.128
 crypto map vpn_provider
!
router ospf 20 vrf prova
 router-id 192.168.90.1
 network 10.10.10.10 0.0.0.0 area 0
 network 192.168.90.0 0.0.0.3 area 0
!
ip route vrf prova 0.0.0.0 0.0.0.0 172.19.208.126 global
!
access-list 120 permit gre host 172.19.208.101 host PEER_PUBLIC_ADDRESS
access-list 120 permit gre host 172.19.208.101 host 172.25.208.101
access-list 120 permit ip host 10.10.10.10 host 20.20.20.20
!
.....

ROUTER B:

 

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXXXXXX address PEER_PUBLIC_ADDRESS
!
!
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac 
 mode tunnel
!
!
!
crypto map mymap 10 ipsec-isakmp 
 set peer PEER_PUBLIC_ADDRESS
 set transform-set esp-aes-sha1 
 match address 198
!
interface Loopback0
 ip address 20.20.20.20 255.255.255.255
!
interface Tunnel100
 ip address 192.168.90.2 255.255.255.252
 ip mtu 1420
 ip virtual-reassembly in
 ip ospf mtu-ignore
 ip ospf cost 200
 tunnel source Port-channel7.55
 tunnel destination 172.19.208.101
!
interface Port-channel7
 description to_r-coresc
 no ip address
!
interface Port-channel7.55
 encapsulation dot1Q 55 native
 ip address 172.25.208.101 255.255.255.128
 crypto map mymap
!
router ospf 20
 router-id 192.168.90.2
 network 20.20.20.20 0.0.0.0 area 0
 network 192.168.90.0 0.0.0.3 area 0
!
!
ip route 0.0.0.0 0.0.0.0 172.25.208.126
!
access-list 198 permit gre host 172.25.208.101 host PEER_PUBLIC_ADDRESS
access-list 198 permit gre host 172.25.208.101 host 172.19.208.101
access-list 198 permit ip host 20.20.20.20 host 10.10.10.10

 

Thank you in advance; I hope someone can help me.

Regards
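As an added example (not part of the original post, and not a Cisco tool), the following Python script does the two checks a practitioner would make with the figures posted above. It parses `show crypto ipsec sa` output from both peers, pairs each flow on one router with its mirror image on the other (local and remote idents swapped) and confirms the SPIs line up (Router A's outbound SPI 0x843F9D9F is Router B's inbound SPI, and vice versa), then classifies each flow by its encaps/decaps counters. On the posted figures that flags the GRE flow as "receiving only" on Router A and "sending only" on Router B while the loopback flow is bidirectional. The embedded sample is a trimmed, constructed copy of the posted output that keeps only the lines the parser reads; the function names and the report format are this example's own.

```python
import re

# Trimmed `show crypto ipsec sa` output from both peers, constructed for this
# example from the figures in the post; only lines the parser reads are kept.
ROUTER_A = """\
   protected vrf: prova
   local  ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (20.20.20.20/255.255.255.255/0/0)
    #pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
    #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
     inbound esp sas:
      spi: 0x9B68F445(2607346757)
     outbound esp sas:
      spi: 0x390A97F8(956995576)
   protected vrf: prova
   local  ident (addr/mask/prot/port): (172.19.208.101/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.25.208.101/255.255.255.255/47/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 585, #pkts decrypt: 585, #pkts verify: 585
     inbound esp sas:
      spi: 0xD27130F3(3530633459)
     outbound esp sas:
      spi: 0x843F9D9F(2218761631)
"""
ROUTER_B = """\
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (20.20.20.20/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
    #pkts encaps: 34, #pkts encrypt: 34, #pkts digest: 34
    #pkts decaps: 34, #pkts decrypt: 34, #pkts verify: 34
     inbound esp sas:
      spi: 0x390A97F8(956995576)
     outbound esp sas:
      spi: 0x9B68F445(2607346757)
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.25.208.101/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.19.208.101/255.255.255.255/47/0)
    #pkts encaps: 656, #pkts encrypt: 656, #pkts digest: 656
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     inbound esp sas:
      spi: 0x843F9D9F(2218761631)
     outbound esp sas:
      spi: 0xD27130F3(3530633459)
"""

VRF_RE = re.compile(r"protected vrf:\s*(\S+)")
IDENT_RE = re.compile(r"(local|remote)\s+ident.*?:\s*\(([^)]*)\)")
PKTS_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")
SAS_RE = re.compile(r"(inbound|outbound) esp sas:")
SPI_RE = re.compile(r"\bspi:\s*(0x[0-9A-Fa-f]+)")

def parse_ipsec_sa(text):
    """Return one dict per 'protected vrf' block: idents, counters, in/out SPIs."""
    flows, cur, direction = [], None, None
    for line in text.splitlines():
        if m := VRF_RE.search(line):
            cur = {"vrf": m.group(1), "encaps": 0, "decaps": 0, "spi": {}}
            flows.append(cur)
            direction = None          # unknown until 'inbound/outbound esp sas:'
        elif cur is None:
            continue                  # header lines before the first flow
        elif m := IDENT_RE.search(line):
            cur[m.group(1)] = m.group(2)
        elif m := PKTS_RE.search(line):
            cur[m.group(1)] = int(m.group(2))
        elif m := SAS_RE.search(line):
            direction = m.group(1)
        elif (m := SPI_RE.search(line)) and direction:
            cur["spi"][direction] = m.group(1).lower()
    return flows

def verdict(flow):
    """encaps = packets this router selected into the SA; decaps = packets decrypted."""
    if flow["encaps"] and flow["decaps"]:
        return "bidirectional"
    if flow["encaps"]:
        return "sending only"
    if flow["decaps"]:
        return "receiving only"
    return "idle"

def cross_check(side_a, side_b):
    """Pair A's flows with their mirror on B and check A.out == B.in and A.in == B.out."""
    report = {}
    for a in side_a:
        for b in side_b:
            if a["local"] == b["remote"] and a["remote"] == b["local"]:
                spi_ok = (a["spi"].get("outbound") == b["spi"].get("inbound")
                          and a["spi"].get("inbound") == b["spi"].get("outbound"))
                report[a["local"]] = {"spi_ok": spi_ok, "a": verdict(a), "b": verdict(b)}
    return report

if __name__ == "__main__":
    pairs = cross_check(parse_ipsec_sa(ROUTER_A), parse_ipsec_sa(ROUTER_B))
    for ident, r in pairs.items():
        print(f"{ident:<42} spi_ok={r['spi_ok']}  A={r['a']}  B={r['b']}")
```

Run as-is it prints one line per flow pair; the full, untrimmed `show crypto ipsec sa` text from real routers can be substituted for the sample strings, since the parser ignores the lines it does not need. A pair whose SPIs line up but whose counters are one-way, as the GRE flow is here, tells you the SAs themselves were negotiated and are in use; the silent side simply never classified any packets into that SA, so the next place to look is how that traffic reaches the crypto map on that side (routing, VRF membership, crypto ACL), not the IKE negotiation.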
