
RIP over IPSEC-GRE VPN?

kclark
Level 1

I am deploying many Cisco 851 routers to various sites, and connecting these back to my network via GRE over IPSEC VPNs. The 851s will have dynamic IPs (as you can see via the config below). I'm also NATing remotely at the 851. Works great. However, I'd like to use dynamic routing to simplify administration and keep from having to add tons of static routes to my hub router.

I've tried various configurations, none of which work. Each time I add the 10.0.0.0 network to the RIP configuration, I receive "Tunnel0 state set to DOWN due to recursive routing" (paraphrased). The tunnel just flaps after that. My configurations are below. Please let me know if I've missed something simple (I've looked at it so long I may just be overlooking the obvious). BTW, I was really disappointed that Cisco disabled EIGRP in the 851. Great box overall, but I hate to use RIP. TIA!

HUB:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ****** address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
 set transform-set STRONG
!
crypto map TUNNELMAP 10 ipsec-isakmp dynamic DYNMAP
!
interface Loopback0
 ip address 10.219.1.2 255.255.255.255
!
interface Tunnel0
 ip address 10.88.88.2 255.255.255.252
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 10.219.1.1
!
interface FastEthernet0/0
 ip address 1.2.x.x.255.255.248
 ip route-cache flow
 duplex auto
 speed auto
 crypto map TUNNELMAP
!
interface FastEthernet0/1
 ip address 192.168.99.201 255.255.255.0
 duplex auto
 speed auto
!
router rip
 version 2
 network 10.0.0.0
 network 192.168.99.0
 neighbor 10.88.88.1
 no auto-summary
!
ip route 0.0.0.x.x.0.0 1.2.3.5

REMOTE 851:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 6 ********** address 1.x.x.4
crypto isakmp keepalive 600 60
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set STRONG
 reverse-route
!
crypto map GREMAP 10 ipsec-isakmp
 description IPSEC DEFINTION
 set peer 1.x.x.4
 set transform-set STRONG
 match address GRE-TO-HUB
!
interface Tunnel0
 ip address 10.88.88.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 10.219.1.2
 crypto map GREMAP
!
interface Loopback0
 ip address 10.219.1.1 255.255.255.255
!
interface FastEthernet4
 ip address 172.17.x.x.255.255.0 secondary
 ip address 172.16.x.x.255.255.0
 ip verify unicast reverse-path
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map GREMAP
!
router rip
 version 2
 network 10.0.0.0
 network 172.17.0.0
 neighbor 10.88.88.2
 no auto-summary
!
ip nat inside source static 172.16.231.122 172.17.1.2
!
ip access-list extended GRE-TO-HUB
 permit gre host 10.219.1.1 host 10.219.1.2

5 Replies

You need to put the following command in your tunnel interface

tunnel mode gre ip

or tunnel mode gre multipoint (check this out, because you talked about dynamic assignment, and multipoint will permit you to create dynamic tunnels between two spokes with dynamic IPs)

Also you'll have to permit GRE on both sides if you have ACLs on both WAN interfaces. You'd better add the ACL like this, "permit gre any any", and put some security on your tunnel instead, like "tunnel key".

But for troubleshooting, you are always better off removing those ACLs to exclude that kind of issue.

Thanks, but "tunnel mode gre ip" is the default setting for tunnel interfaces. It will not show up in the configuration unless it is set to another value (such as multipoint). I do not want remote sites to communicate with each other, so multipoint is not an option.

The tunnels are working fine. Using static routes I can route between sites without a problem. It's just that RIP does not seem to propagate across the tunnel interfaces. And when I add the IPs of the tunnel to the RIP config (network 10.0.0.0), the tunnels begin to flap.

I've made progress and now see RIP routes at least going one way. The "hub" is receiving routes from the remote 851 without issue. The 851 is now receiving "%TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing." RIP routes from the Hub never make it into the 851's routing table.

This issue occurred on the Hub, but was resolved by placing a distribute-list on the RIP process to exclude the Tunnel interfaces from the advertisement. For some reason the same fix did not work on the 851. Ideas?
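To see why "network 10.0.0.0" produces the %TUN-5-RECURDOWN condition described above, and why filtering the tunnel endpoint prefixes out of RIP stops it, here is an added Python model of the remote 851's longest-prefix lookup (example code, not from the thread or from IOS). It assumes that before RIP learns anything the hub loopback 10.219.1.2 is reached only through a default route out FastEthernet4, and that the distribute-list denies 10.219.1.0/24; both are constructed assumptions, while the interface names and prefixes come from the posted configs.

```python
import ipaddress

# Constructed model of the remote 851's forwarding table before RIP learns anything:
# the hub loopback (the GRE tunnel destination) is reachable only via the default
# route out the physical WAN interface. Assumed scenario, not from the posted config.
BASE_ROUTES = [
    ("0.0.0.0/0", "FastEthernet4"),
    ("10.219.1.1/32", "Loopback0"),
    ("10.88.88.0/30", "Tunnel0"),
]

# Prefixes the hub advertises over the tunnel with "network 10.0.0.0" and
# "network 192.168.99.0" (taken from the posted hub config). Note the hub's own
# loopback 10.219.1.2/32 is among them.
HUB_ADVERTISED = ["10.219.1.2/32", "10.88.88.0/30", "192.168.99.0/24"]
TUNNEL_IFACE, TUNNEL_DEST = "Tunnel0", "10.219.1.2"


def lookup(routes, dest):
    """Longest-prefix match; returns (prefix, exit_interface) or None."""
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(p), i) for p, i in routes if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    net, iface = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), iface


def apply_distribute_list(advertised, deny):
    """Model an inbound RIP distribute-list: drop any advertised prefix covered by a deny entry."""
    deny_nets = [ipaddress.ip_network(d) for d in deny]
    return [p for p in advertised if not any(ipaddress.ip_network(p).subnet_of(d) for d in deny_nets)]


def is_recursive(routes, tunnel_iface, tunnel_dest):
    """The recursive-routing condition: the tunnel's own destination resolves out the tunnel."""
    hit = lookup(routes, tunnel_dest)
    return hit is not None and hit[1] == tunnel_iface


def learned_table(deny=()):
    """Base table plus whatever the hub's RIP advertisement survives the distribute-list."""
    learned = [(p, TUNNEL_IFACE) for p in apply_distribute_list(HUB_ADVERTISED, deny)]
    return BASE_ROUTES + learned


if __name__ == "__main__":
    # Unfiltered: 10.219.1.2/32 learned via Tunnel0 beats the default route -> recursive.
    print("unfiltered recursive:", is_recursive(learned_table(), TUNNEL_IFACE, TUNNEL_DEST))
    # Filtered (assumed deny 10.219.1.0/24): hub loopback stays on the WAN path -> stable.
    print("filtered recursive:", is_recursive(learned_table(["10.219.1.0/24"]), TUNNEL_IFACE, TUNNEL_DEST))
```

The same check applied to the hub explains why its distribute-list fixed the flap there: the hub's tunnel destination 10.219.1.1/32 is advertised by the 851 under "network 10.0.0.0" in exactly the same way.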

This might help:

http://www.cisco.com/warp/public/105/gre_flap.html

I have a similar setup, but using OSPF. I turned off OSPF and turned on RIPv2 in my test lab, but could not reproduce the error on 3600s running 12.2.

What IOS version is this? 12.4?

johnnylingo
Level 5

If it helps, the following config works for me. Granted, this is on an 871 with no NAT, but it might be a good starting point. I'd take a close look at "tunnel source", as I think using the loopback could be the problem.

crypto map HOMEOFFICE 1 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set ESP-3DES
 match address 101
!
interface Tunnel831
 ip address 10.88.88.1 255.255.255.252
 ip mtu 1400
 keepalive 10 3
 tunnel source FastEthernet4
 tunnel destination 1.2.3.4
 crypto map HOMEOFFICE
!
interface Loopback0
 ip address 10.10.8.71 255.255.255.255
!
router rip
 version 2
 redistribute connected
 network 10.0.0.0
 no auto-summary
!
access-list 101 permit ip 172.16.231.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 101 permit ip 172.17.1.0 0.0.0.255 172.16.0.0 0.15.255.255
