Cisco Support Community
Community Member

Howto define a full tunnel cryptomap ipsec?

Hi out there
I am trying to do full tunneling of all traffic, e.g. guide all traffic through a crypto-map-based IPsec tunnel.
The crypto map ACLs define my traffic pattern, and as long as it is site to site it works fine, but if I try to do, for example:
permit ip 10.14.35.0 0.0.0.255 any
I cannot get the tunnel up. I could use an SVTI instead, but I would prefer to do it through a crypto-map IPsec. Is this not possible?

Br ti


Sent from Cisco Technical Support Android App


9 REPLIES
Cisco Employee

Howto define a full tunnel cryptomap ipsec?

Hi,

What's the ACL on the other end? Are the ACL mirror image between both ends?

HTH,

Lei Tian

Community Member

Re: Howto define a full tunnel cryptomap ipsec?

Hi again
Yes, they are "mirrored", e.g.:

permit ip 10.144.38.0 0.0.0.255 172.17.4.0 0.0.0.255

And the other end:

permit ip 172.17.4.0 0.0.0.255 10.144.38.0 0.0.0.255

This works OK, but if I use "any":

permit ip 10.144.38.0 0.0.0.255 any

Other end:

permit ip any 10.144.38.0 0.0.0.255


Then I cannot get the tunnel up. At the headend I use RRI for adding routes, and I can see that I don't get a "default" route added in that VRF either.

Ideas? Suggestions?

Best regards to


Sent from Cisco Technical Support Android App

Cisco Employee

Re: Howto define a full tunnel cryptomap ipsec?

Is ISAKMP SA not up, or is IPSec SA not up?

Sent from Cisco Technical Support iPhone App

Community Member

Re: Howto define a full tunnel cryptomap ipsec?

Hi again

It must be the IPsec part which fails. I have it in a GNS3 lab which I could upload if interested?
Anyway, if I just extend my ACL with the "any" statements the tunnel comes up fine, but I don't get a default route added in the i-VRF, so there must be a trick somehow to get all traffic into the tunnel. Hmm?

Sent from Cisco Technical Support Android App

Cisco Employee

Re: Howto define a full tunnel cryptomap ipsec?

So the tunnel is up? Route injection will install the destination route in the routing table, not the source. Yes, sharing your configs would help.

HTH,
Lei Tian

Sent from Cisco Technical Support iPhone App

Community Member

Re: Howto define a full tunnel cryptomap ipsec?

a topology drawing

Cisco Employee

Re: Howto define a full tunnel cryptomap ipsec?

Ok, now I understand it. I have never seen RRI inject a default route, and I think it is not supported.

HTH,
Lei Tian
Sent from Cisco Technical Support iPhone App

Community Member

Re: Howto define a full tunnel cryptomap ipsec?

hi again

No, you are completely right. I just got confused because some of the setup did work (the "local" routing through RRI) and some did not (the default gateway through RRI). When I tried to open the tunnel by pinging a remote destination it didn't open the tunnel because of the missing route; I didn't realise this and dug into the IPsec instead, where I couldn't find any errors, but of course it is just a problem with that default gateway. The ACLs work as expected if I add the default route to the VRF cvrf3881, and the packets are forwarded correctly. Thanks.

The only extra config line needed is

ip route vrf cvrf3881 0.0.0.0 0.0.0.0 195.41.38.10

on edge01

best regards /ti
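The headend side of the setup this thread converges on, as an added example that is neither the poster's nor Cisco's configuration: the crypto ACL mirroring the branch's "any" entry, RRI on the crypto map, and the static default inside the IVRF. Everything not taken from the thread (peer address, interface addresses, PSK, object names, and the assumption that 195.41.38.10 is directly connected in cvrf3881) is made up for illustration.

```cisco
! Added example (not the poster's config): headend edge01 terminating an IKEv1
! crypto-map tunnel whose decrypted side sits in VRF cvrf3881. From the thread:
! remote LAN 10.144.38.0/24, VRF cvrf3881, IVRF next hop 195.41.38.10.
! Assumed: peer 198.51.100.2, interface addresses, PSK, and all object names.
ip vrf cvrf3881
 rd 64512:3881
!
crypto keyring KR-SITE-A
 pre-shared-key address 198.51.100.2 key EXAMPLE-PSK-CHANGE-ME
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! IVRF binding: traffic decrypted from this peer is routed inside cvrf3881
crypto isakmp profile PROF-SITE-A
 vrf cvrf3881
 keyring KR-SITE-A
 match identity address 198.51.100.2 255.255.255.255
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
!
! Headend crypto ACL, the mirror of the branch's "permit ip 10.144.38.0 0.0.0.255 any"
ip access-list extended CRYPTO-SITE-A
 permit ip any 10.144.38.0 0.0.0.255
!
crypto map CM-OUTSIDE 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS-AES
 set isakmp-profile PROF-SITE-A
 match address CRYPTO-SITE-A
 ! RRI installs only the crypto ACL's destination (10.144.38.0/24) into cvrf3881;
 ! it derives nothing from "any" on the source side, so no default route appears.
 reverse-route
!
interface GigabitEthernet0/0
 description outside (global table), IKE peer facing
 ip address 203.0.113.1 255.255.255.0
 crypto map CM-OUTSIDE
!
interface GigabitEthernet0/1
 description inside, in the IVRF; 195.41.38.10 assumed directly connected here
 ip vrf forwarding cvrf3881
 ip address 195.41.38.1 255.255.255.0
!
! The missing piece from the thread: a static default inside the IVRF so that
! "any" destinations have a route and packets can trigger and use the SA.
ip route vrf cvrf3881 0.0.0.0 0.0.0.0 195.41.38.10
```

After the tunnel is up, `show ip route vrf cvrf3881` should list 10.144.38.0/24 as the RRI static and 0.0.0.0/0 as the manually configured static; only the former is ever created by reverse-route.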

Cisco Employee

Re: Howto define a full tunnel cryptomap ipsec?

Hi, thanks for the update! Yes, a static default in VRF will do the trick.

Regards,
Lei Tian

Sent from Cisco Technical Support iPhone App
