Cisco Support Community
IPSec over GRE (DMVPN)

Hi guys,

I have a problem with the following topology (just focus on R12 and ASR1K, SPOKE and HUB).

R12 (spoke) has two tricks:

1) Dynamic IP on the WAN interface (to the HUB), given by an Internet Service Provider

2) Port forwarding is needed on UDP ports 500 and 4500, because some remote sites behind it (i.e. R10) could connect via IPSec

Since the objective is to manage the R12 site via IPSec (from the HUB, ASR1k), what I want is to reach from CDG a "management" loopback configured on R12, and I want this traffic to be encrypted (IPSec). To do this (while keeping the port forwarding on R12 working), an mGRE tunnel is built between ASR1k and R12 using public loopbacks. Hence, on ASR1k another loopback (within a customer VRF) is used for the IPSec part.

The config for R12 (SPOKE):

R12#sh run
Building configuration...

Current configuration : 3562 bytes
!

ip tcp synwait-time 5
!
crypto keyring KEY
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2

crypto isakmp keepalive 60 3

crypto isakmp profile DMVPN
   keyring KEY
   match identity address 0.0.0.0
!
!
crypto ipsec transform-set transformada esp-3des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 20.20.20.1
 set transform-set transformada
 set isakmp-profile DMVPN
 match address 100
!
!
!
interface Loopback100
 description loopback GRE
 ip address 10.10.10.2 255.255.255.255
!
interface Loopback200
 description Loopback IPSec
 ip address 20.20.20.2 255.255.255.255
 crypto map mymap
!
interface Loopback800
 ip address 30.30.30.1 255.255.255.255
!
interface Tunnel1
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp map 192.168.1.1 10.10.10.1
 ip nhrp map multicast 10.10.10.1
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 192.168.1.1
 no ip split-horizon eigrp 10
 tunnel source Loopback100
 tunnel mode gre multipoint
 tunnel key 1

!

interface FastEthernet1/0
 ip address 172.16.30.1 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet2/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor 20.20.20.1 remote-as 1234
 neighbor 20.20.20.1 ebgp-multihop 3
 !
 address-family ipv4
  redistribute connected
  neighbor 20.20.20.1 activate
  neighbor 20.20.20.1 route-map ONLY_MGMT out
  no auto-summary
  no synchronization
 exit-address-family
!

ip route 10.10.10.1 255.255.255.255 FastEthernet1/0 172.16.30.2
ip route 20.20.20.1 255.255.255.255 Tunnel1 192.168.1.1

...

ip nat inside source route-map NAV interface FastEthernet1/0 overload
ip nat inside source static udp 192.168.10.200 500 interface FastEthernet1/0 500
ip nat inside source static udp 192.168.10.200 4500 interface FastEthernet1/0 4500
!

ip access-list extended NAVEGACION
 deny   udp any eq isakmp any
 deny   udp any eq non500-isakmp any
 deny   udp any any eq isakmp
 deny   udp any any eq non500-isakmp
 permit ip any any
!
!
ip prefix-list loopback_gestion seq 5 permit 30.30.30.1/32

access-list 100 permit ip any any
!
route-map ONLY_MGMT permit 5
 match ip address prefix-list loopback_gestion
!
route-map NAV permit 10
 match ip address NAVEGACION
!
!


The config for ASR1k (HUB):


! Last configuration change at 03:30:45 UTC Fri Oct 31 2014

!
hostname ASR1K

!
ip vrf vpn_1234_1
 description VPN
 rd 213.140.32.1:1
 route-target export 1234:1
 route-target import 1234:1
!

!
ip tcp synwait-time 5

crypto keyring KEY vrf vpn_1234_1 
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2


crypto isakmp keepalive 60 3


crypto isakmp profile DMVPN
   keyring KEY
   match identity address 0.0.0.0 
!
!
crypto ipsec transform-set transformada esp-3des esp-md5-hmac 
 mode tunnel
!
crypto ipsec profile cisco
 set security-association lifetime seconds 86400
 set transform-set transformada 
 set isakmp-profile DMVPN
!
!
!
crypto map mymap 10 ipsec-isakmp 
 set peer 20.20.20.2
 set transform-set transformada 
 set isakmp-profile DMVPN
 match address 100
!

interface Loopback0
 ip address 213.140.32.1 255.255.255.255
!
interface Loopback1
 ip address 213.140.42.1 255.255.255.255
!
interface Loopback100
 description IP Loopback GRE
 ip address 10.10.10.1 255.255.255.255
!
interface Loopback200
 description IPSec Loopback
 ip vrf forwarding vpn_1234_1
 ip address 20.20.20.1 255.255.255.255
 crypto map mymap
!
interface Tunnel1
 ip vrf forwarding vpn_1234_1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 300
 tunnel source Loopback100
 tunnel mode gre multipoint
 tunnel key 1
!

!
router bgp 1234
...
 !
 address-family ipv4 vrf vpn_1234_1
  neighbor 20.20.20.2 remote-as 65000
  neighbor 20.20.20.2 ebgp-multihop 3
  neighbor 20.20.20.2 update-source Loopback200
  neighbor 20.20.20.2 activate
  neighbor 20.20.20.2 send-community
  neighbor 20.20.20.2 as-override
 exit-address-family
!

ip route 10.10.10.2 255.255.255.255 GigabitEthernet1/0 172.16.30.1


ip route vrf vpn_1234_1 20.20.20.2 255.255.255.255 Tunnel1 192.168.1.2 254
ip route vrf vpn_1234_1 30.30.30.1 255.255.255.255 20.20.20.2
!
!
ip prefix-list MGMT seq 5 permit 30.30.30.1/32
!
access-list 100 permit ip any any
!


The problem is that the crypto session is UP:


ASR1K#sh crypto session
Crypto session current status

Interface: Loopback200
Profile: DMVPN
Session status: UP-ACTIVE
Peer: 20.20.20.2 port 500
  IKEv1 SA: local 20.20.20.1/500 remote 20.20.20.2/500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map


But no encryption occurs while a continuous ping is running from CDG:


ASR1K#sh crypto ipsec sa vrf vpn_1234_1

interface: Loopback200
    Crypto map tag: mymap, local addr 20.20.20.1

   protected vrf: vpn_1234_1
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 20.20.20.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 20.20.20.1, remote crypto endpt.: 20.20.20.2
     path mtu 1514, ip mtu 1514, ip mtu idb Loopback200
     current outbound spi: 0x79DE049C(2044593308)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0x1A4BE601(441181697)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 11, flow_id: 11, sibling_flags 80004040, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4259340/1007)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x79DE049C(2044593308)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 12, flow_id: 12, sibling_flags 80004040, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4259339/1007)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:


Packets are going through the GRE tunnel and arrive at the destination, but without encryption... Does anyone have an idea? Am I missing something?

Thanks a lot for your support!

Greetings,


1 REPLY

It looks like the problem is in where you're putting your crypto map. The crypto map needs to be assigned to the egress interface for your traffic, so in this case it should be on the forwarding interface used to reach 20.20.20.1.

However, your ACL defining the IPv4 addresses to be tunnelled covers all IPv4 sources and destinations, so all communications to and from your router will be halted as soon as you apply it. Best to narrow down the ACL to cover only the traffic you want to send across the tunnel.

For DMVPN, the best practice is to avoid using crypto maps at all. By defining your IPSec in the DMVPN tunnel definition itself, you get a lot more flexibility and a lot less configuration management.
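The reply's last recommendation worked out against the configs posted above, as an added example that is neither the poster's config nor the reply author's: the hub already defines crypto ipsec profile cisco but never applies it, and applying it to Tunnel1 on both ends with tunnel protection encrypts the whole mGRE tunnel, so the BGP session over 20.20.20.x and the management traffic to 30.30.30.1 are protected with no crypto map and no ACL 100. Assumptions: IKE and ESP now run between the tunnel sources 10.10.10.1 and 10.10.10.2 in the global table, so the hub needs a keyring without the vrf keyword (KEY-GLOBAL and DMVPN-GRE are assumed names), and those two addresses must be reachable on UDP 500/4500 and ESP without being caught by the port forwards to 192.168.10.200.

```cisco
! --- Added example, not the original poster's or the reply author's config ---
! --- HUB (ASR1K): IKE terminates on Loopback100 (global table), so the keyring
! --- and ISAKMP profile are global; KEY-GLOBAL and DMVPN-GRE are assumed names
crypto keyring KEY-GLOBAL
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
crypto isakmp profile DMVPN-GRE
   keyring KEY-GLOBAL
   match identity address 0.0.0.0
!
crypto ipsec profile cisco
 set transform-set transformada
 set isakmp-profile DMVPN-GRE
!
interface Loopback200
 no crypto map mymap
!
interface Tunnel1
 ip vrf forwarding vpn_1234_1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 300
 tunnel source Loopback100
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile cisco
!
! --- SPOKE (R12): the existing global keyring KEY and profile DMVPN already
! --- match any peer, so only the IPsec profile and the tunnel change
crypto ipsec profile cisco
 set transform-set transformada
 set isakmp-profile DMVPN
!
interface Loopback200
 no crypto map mymap
!
interface Tunnel1
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel protection ipsec profile cisco
```

The 1400/1360 values replace the posted ip mtu 1440 to leave room for the GRE plus ESP overhead. After the change, sh crypto ipsec sa should list 10.10.10.1 and 10.10.10.2 as the crypto endpoints and show both the encaps and decaps counters climbing while the ping from CDG to 30.30.30.1 runs.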
