
New Member

Running two different Tunnels over 1 GRE: Issues

Hello All

I am having an issue setting up two separate tunnels running over a single GRE; is this something that is possible?

Would be grateful to have your advice.

I am able to ping across the tunnel (120) using the VRF, but as soon as I add Tunnel 121, which is native (not using a VRF), I can ping across the new Tunnel 121 but cannot ping across the original Tunnel 120.

Background of the setup.

R1  ------- Internet -------- R2

R1

!
crypto keyring IPsec-KEY vrf Internet
  pre-shared-key address 0.0.0.0 0.0.0.0 key KEY
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp invalid-spi-recovery
crypto isakmp profile ISAKMP-profile
   keyring IPsec-KEY
   match identity address 0.0.0.0 Internet
!
crypto ipsec transform-set trans esp-aes esp-md5-hmac
 mode transport
!
crypto ipsec profile IPSEC-profile
 set security-association lifetime seconds 86400
 set transform-set trans
 set pfs group2
 set isakmp-profile ISAKMP-profile
!
!
interface Tunnel120
 vrf forwarding mgmt
 bandwidth 256
 ip address 10.169.9.81 255.255.255.252
 ip mtu 1376
 ip tcp adjust-mss 1360
 tunnel source Loopback810
 tunnel destination xxx.xxx.xxx.xxx
 tunnel vrf Internet
 tunnel protection ipsec profile IPSEC-profile shared
!

R2 mirrors this config, but as soon as I add Tunnel 121 with the following config I get connectivity only to 121.

Tunnel 121 I configured as follows:

interface Tunnel121
 ip address 10.190.12.249 255.255.255.252
 ip mtu 1376
 ip tcp adjust-mss 1360
 tunnel source Loopback810
 tunnel destination xxx.xxx.xxx.xxx
 tunnel vrf Internet
 tunnel protection ipsec profile IPSEC-profile shared
!

Please advise if I am making some errors.

Also let me know if any more information is required on this.

Thanks in advance,


Accepted Solutions
VIP Purple

Running two different Tunnels over 1 GRE: Issues

With a config that uses VRFs like in your scenario I get the same result of UP-NO-IKE. But with the relevant show commands you can see that the ISAKMP SA is built and available. I also didn't see any negative impact on the function of the various tunnels, so for me it seems that it works as it should.

Some more feedback on your config:

  1. Group2 is more or less a DH group that should be phased out. Start to move to group 5 or group 14 where possible.
  2. Your MTU/MSS settings are not conclusive. With an MSS of 1360, the MTU of 1376 (and why are they set on the tunnel?) doesn't make any sense with an IP/TCP header of 40 bytes.
  3. If you know your peers, it's better to avoid wildcard PSKs. Better use one PSK only for one connection.

Happy X-Mas!

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

15 REPLIES
VIP Purple

Re: Running two different Tunnels over 1 GRE: Issues

I think in a scenario like this you need different tunnel-keys on both tunnels to make that work.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

New Member

Running two different Tunnels over 1 GRE: Issues

Thanks a lot Karsten for your reply; by a different tunnel key on each tunnel, do you mean

for tu 120

!
crypto keyring IPsec-KEY1 vrf Internet
  pre-shared-key address 0.0.0.0 0.0.0.0 key KEY1
!

and for tu 121

!
crypto keyring IPsec-KEY2 vrf Internet
  pre-shared-key address 0.0.0.0 0.0.0.0 key KEY2
!

and create separate ISAKMP profiles and then follow the whole process?

thanks again

VIP Purple

Re: Running two different Tunnels over 1 GRE: Issues

No, I mean the following:

interface Tunnel120
  tunnel key 120
interface Tunnel121
  tunnel key 121

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

New Member

Running two different Tunnels over 1 GRE: Issues

Thanks a lot Karsten for your advice on this. This is working; I do not know how to thank you!

New Member

Re: Running two different Tunnels over 1 GRE: Issues

Karsten

One more thing I am seeing on this is the following: one of the tunnels stays "UP-NO-IKE"; is that something that is normal?

I have added the command crypto isakmp invalid-spi-recovery at either end, but the VPN status stays like this.

Crypto session current status

Interface: Tunnel120 Tunnel121
Session status: UP-NO-IKE
Peer: xxx.xxx.xxx.xxx port 500
  IPSEC FLOW: permit 47 host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx
        Active SAs: 2, origin: crypto map

Interface: FastEthernet0/0
Profile: ISAKMP-profile
Session status: UP-IDLE
Peer: xxx.xxx.xxx.xxx port 500
  IKE SA: local xxx.xxx.xxx.xxx/500 remote xxx.xxx.xxx.xxx/500 Active

VIP Purple

Re: Running two different Tunnels over 1 GRE: Issues

Your "UP-NO-IKE" is caused by your quite uncommon lifetime config. Your ISAKMP has a shorter lifetime than the IPsec SAs. After 28800 seconds your ISAKMP gets deleted, but your IPsec SAs stay up. That's what you see with UP-NO-IKE. The normal way to configure it is to have a longer lifetime for ISAKMP than for IPsec.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

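To turn the three pieces of advice in this thread into something checkable (distinct `tunnel key` per GRE tunnel that shares source, destination and tunnel VRF; an ISAKMP lifetime longer than the IPsec SA lifetime; and `ip mtu` minus `ip tcp adjust-mss` equal to the 40-byte IP+TCP header), here is a small config linter. It is an added example, not code from the thread or from Cisco. The sample config is constructed from the poster's R1 config, with 192.0.2.1 standing in for the peer shown as xxx.xxx.xxx.xxx; the lifetimes assumed when a command is absent (86400 s for the ISAKMP policy, 3600 s for the IPsec SA) are the IOS defaults.

```python
"""Lint an IOS GRE-over-IPsec config for the three issues raised in the thread.
Added example, not from the original posts or from Cisco."""
import re
from collections import defaultdict

# Constructed sample based on the poster's R1 config: both tunnels, no
# 'tunnel key', 28800 s ISAKMP lifetime, 86400 s IPsec SA lifetime.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
 group 2
 lifetime 28800
!
crypto ipsec profile IPSEC-profile
 set security-association lifetime seconds 86400
 set transform-set trans
!
interface Tunnel120
 ip address 10.169.9.81 255.255.255.252
 ip mtu 1376
 ip tcp adjust-mss 1360
 tunnel source Loopback810
 tunnel destination 192.0.2.1
 tunnel vrf Internet
 tunnel protection ipsec profile IPSEC-profile shared
!
interface Tunnel121
 ip address 10.190.12.249 255.255.255.252
 ip mtu 1376
 ip tcp adjust-mss 1360
 tunnel source Loopback810
 tunnel destination 192.0.2.1
 tunnel vrf Internet
 tunnel protection ipsec profile IPSEC-profile shared
!
"""

ISAKMP_DEFAULT_LIFETIME = 86400  # IOS default when 'lifetime' is omitted
IPSEC_DEFAULT_LIFETIME = 3600    # IOS default IPsec SA lifetime
IP_TCP_HEADER = 40               # 20-byte IPv4 header + 20-byte TCP header


def parse_sections(config):
    """Split an IOS config into (header, [sub-commands]); '!' or a blank line ends a section."""
    sections, current = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
        elif line[0] == " ":
            if current is not None:
                current[1].append(line.strip())
        else:
            current = (line, [])
            sections.append(current)
    return sections


def find_tunnel_key_collisions(config):
    """GRE tunnels with the same source, destination, tunnel VRF and key cannot be
    told apart on receipt; return each such group as a list of interface names."""
    groups = defaultdict(list)
    for header, subs in parse_sections(config):
        if not header.startswith("interface Tunnel"):
            continue
        src = dst = vrf = key = None
        gre = True  # 'tunnel mode gre ip' is the IOS default
        for cmd in subs:
            parts = cmd.split()
            if cmd.startswith("tunnel source "):
                src = parts[2]
            elif cmd.startswith("tunnel destination "):
                dst = parts[2]
            elif cmd.startswith("tunnel vrf "):
                vrf = parts[2]
            elif cmd.startswith("tunnel key "):
                key = int(parts[2])
            elif cmd.startswith("tunnel mode ") and "gre" not in parts:
                gre = False
        if gre and src and dst:
            groups[(src, dst, vrf, key)].append(header.split()[1])
    return [names for names in groups.values() if len(names) > 1]


def check_lifetimes(config):
    """Return (profile, isakmp_lifetime, ipsec_lifetime) for each IPsec profile whose
    SA lifetime is not shorter than the lowest ISAKMP policy lifetime (IKE SA dies first)."""
    isakmp, profiles = [], {}
    for header, subs in parse_sections(config):
        if header.startswith("crypto isakmp policy "):
            life = ISAKMP_DEFAULT_LIFETIME
            for cmd in subs:
                if cmd.startswith("lifetime "):
                    life = int(cmd.split()[1])
            isakmp.append(life)
        elif header.startswith("crypto ipsec profile "):
            life = IPSEC_DEFAULT_LIFETIME
            for cmd in subs:
                m = re.match(r"set security-association lifetime seconds (\d+)$", cmd)
                if m:
                    life = int(m.group(1))
            profiles[header.split()[3]] = life
    shortest = min(isakmp) if isakmp else ISAKMP_DEFAULT_LIFETIME
    return [(n, shortest, l) for n, l in profiles.items() if l >= shortest]


def check_mtu_mss(config):
    """Return (interface, mtu, mss, mtu - mss) where the two values do not differ by 40."""
    findings = []
    for header, subs in parse_sections(config):
        mtu = mss = None
        for cmd in subs:
            if cmd.startswith("ip mtu "):
                mtu = int(cmd.split()[2])
            elif cmd.startswith("ip tcp adjust-mss "):
                mss = int(cmd.split()[3])
        if header.startswith("interface ") and mtu and mss and mtu - mss != IP_TCP_HEADER:
            findings.append((header.split()[1], mtu, mss, mtu - mss))
    return findings


def lint(config):
    """Run all three checks and return one message per finding."""
    out = ["%s share source/destination/VRF without distinct 'tunnel key'" % ", ".join(n)
           for n in find_tunnel_key_collisions(config)]
    out += ["profile %s: IPsec SA lifetime %d s >= ISAKMP lifetime %d s (expect UP-NO-IKE)"
            % (n, ipsec, ike) for n, ike, ipsec in check_lifetimes(config)]
    out += ["%s: ip mtu %d - adjust-mss %d = %d, expected %d" % (n, mtu, mss, d, IP_TCP_HEADER)
            for n, mtu, mss, d in check_mtu_mss(config)]
    return out


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run it against a `show running-config` dump saved to a file and it reports the same three things Karsten pointed out; adding `tunnel key 120` and `tunnel key 121` clears the first finding, and swapping the two lifetimes (ISAKMP longer than IPsec) clears the second.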
New Member

Running two different Tunnels over 1 GRE: Issues

Thanks again, I changed the config at either end:

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto ipsec profile IPSEC-profile
 set security-association lifetime seconds 78800
 set transform-set trans-hcc
 set pfs group2
 set isakmp-profile ISAKMP-profile
!

cleared crypto, and established the tunnel once more, but it comes back:

Interface: Tunnel120 Tunnel121
Session status: UP-NO-IKE

VIP Purple

Running two different Tunnels over 1 GRE: Issues

How did you clear the crypto? And have you checked that they were really gone?

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

New Member

Running two different Tunnels over 1 GRE: Issues

Did the following:

RTR#clear crypto ses
RTR#sh crypto session
Crypto session current status

Interface: Tunnel120 Tunnel121
Session status: DOWN
Peer: xxx.xxx.xxx.xxx port 500
  IPSEC FLOW: permit 47 host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx
        Active SAs: 0, origin: crypto map

Interface: FastEthernet0/0
Profile: ISAKMP-profile
Session status: DOWN-NEGOTIATING
Peer: xxx.xxx.xxx.xxx port 500
  IKE SA: local xxx.xxx.xxx.xxx/500 remote xxx.xxx.xxx.xxx/500 Inactive

RTR#ping 10.190.12.249 repeat 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 10.190.12.249, timeout is 2 seconds:
.!!!!!!!!!
Success rate is 90 percent (9/10), round-trip min/avg/max = 1/3/4 ms

RTR#sh crypto session
Crypto session current status

Interface: Tunnel120 Tunnel121
Session status: UP-NO-IKE
Peer: xxx.xxx.xxx.xxx port 500
  IPSEC FLOW: permit 47 host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx
        Active SAs: 2, origin: crypto map

Interface: FastEthernet0/0
Profile: ISAKMP-profile
Session status: UP-IDLE
Peer: xxx.xxx.xxx.xxx port 500
  IKE SA: local xxx.xxx.xxx.xxx/500 remote xxx.xxx.xxx.xxx/500 Inactive
  IKE SA: local xxx.xxx.xxx.xxx/500 remote xxx.xxx.xxx.xxx/500 Active
