tunnel mode ipsec

alraycisco
Level 1

Hi,

I would like to setup a site-to-site VPN between a 1720 and a 2600 series router. The IOS versions are:

c1700-advsecurityk9-mz.123-26.bin

c2600-advsecurityk9-mz.123-26.bin

Neither router accepts 'tunnel mode ipsec' under the Tunnel interface. Is this due to the release of the IOS? If so does anyone know what version I would need?

This is the example I've been working from:

http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629_ps6635_Products_White_Paper.html

Any help would be greatly appreciated.

Thanks

9 Replies

Hi,

I was originally looking to setup a GRE tunnel between 3 Cisco routers, so I can run OSPF over them. However, with my current test setup, I'm unable to get OSPF to work. Which is why I was looking at the sample config I mentioned above.

I've attached my configs.

Hi

Your config looks ok except for the tunnel destinations and tunnel destination routes. Do not learn the tunnel destination through the tunnel. Also remember, since this is GRE over IPsec, the IPsec tunnel should first come up and then the GRE tunnel connects.

To verify if IPsec is up, post the results of "show crypto isakmp sa".

Do the following

Site A

Change the tunnel destination to 192.168.2.1

interface Tunnel0
 ip address 192.168.100.2 255.255.255.252
 ip ospf network broadcast
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 192.168.2.1
 crypto map mymap
!
no ip route 192.168.2.0 255.255.255.0 Tunnel0
ip route 192.168.2.0 255.255.255.0 FastEthernet0

Site B

Change the tunnel destination to 192.168.1.2

interface Tunnel0
 ip address 192.168.100.1 255.255.255.252
 ip ospf network broadcast
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 192.168.1.2
 crypto map mymap
!
no ip route 192.168.1.0 255.255.255.0 Tunnel0
ip route 192.168.1.0 255.255.255.0 FastEthernet0

Make the above change, check, and post the results.

HTH

Saju

Pls rate helpful posts

Hi,

Thanks for that. I've made the changes you mentioned, which does allow the OSPF neighbour relationship to form, but no routes are exchanged. The reason for this is probably that the tunnel is constantly going up and down with the following error:

*Mar 2 20:34:58.708: %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing

There's a Cisco page on this, but I'm not sure what change I'd need to make.

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094690.shtml

Thanks

You need to make sure the tunnel destination is reachable (routable) directly over the WAN and that it is not reachable THROUGH the tunnel itself. A simple solution is to run a different routing protocol over the WAN and on the Tunnel/LAN subnet. You can also add a static route for the tunnel destination pointing to the WAN IP of the peer.

Please rate if helpful.

Regards

Farrukh
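The recursive-routing failure discussed in the last few replies (and the /32 fix that follows) comes down to longest-prefix matching: whichever route most specifically covers the tunnel destination decides the exit interface, and if that exit is Tunnel0 the tunnel is reaching its own endpoint through itself. The script below is an added example, not part of this thread or any Cisco tool; it models Site A's static routes from the thread with constructed config fragments, parses IOS-style "ip route" lines, and reports whether the tunnel destination would be resolved through Tunnel0. It deliberately ignores administrative distance and compares prefix length only.

```python
import ipaddress

# Constructed static-route fragments modelled on the thread's Site A router:
# tunnel destination 192.168.2.1 (the peer's Loopback0), WAN exit FastEthernet0.
SITE_A_BEFORE = """\
ip route 0.0.0.0 0.0.0.0 FastEthernet0
ip route 192.168.2.0 255.255.255.0 Tunnel0
"""

SITE_A_AFTER = """\
ip route 0.0.0.0 0.0.0.0 FastEthernet0
ip route 192.168.2.1 255.255.255.255 FastEthernet0
"""

# The /24 that OSPF advertises across the tunnel once the adjacency forms,
# modelled here as an already-installed route (administrative distance is ignored).
OSPF_VIA_TUNNEL = (ipaddress.ip_network("192.168.2.0/24"), "Tunnel0")


def parse_static_routes(config_text):
    """Turn IOS-style 'ip route NET MASK EXIT' lines into (network, exit) pairs."""
    routes = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[:2] == ["ip", "route"]:
            net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
            routes.append((net, parts[4]))
    return routes


def best_route(routes, destination):
    """Longest-prefix match: the most specific route containing destination wins."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, exit_if in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, exit_if)
    return best


def tunnel_is_recursive(routes, tunnel_dest, tunnel_if="Tunnel0"):
    """True when the tunnel endpoint is itself reached through the tunnel."""
    match = best_route(routes, tunnel_dest)
    return match is not None and match[1] == tunnel_if


def analyse(config_text, learned=(), tunnel_dest="192.168.2.1"):
    """Summarise how tunnel_dest is resolved given static plus learned routes."""
    routes = parse_static_routes(config_text) + list(learned)
    match = best_route(routes, tunnel_dest)
    return {
        "prefix": str(match[0]) if match else None,
        "exit": match[1] if match else None,
        "recursive": tunnel_is_recursive(routes, tunnel_dest),
    }


if __name__ == "__main__":
    cases = [
        ("original /24 static via Tunnel0", SITE_A_BEFORE, ()),
        ("/32 static via WAN, OSPF /24 via tunnel", SITE_A_AFTER, (OSPF_VIA_TUNNEL,)),
    ]
    for label, cfg, learned in cases:
        print(f"{label}: {analyse(cfg, learned)}")
    # Using the peer's WAN address as the endpoint needs only the default route.
    print(f"WAN endpoint 1.1.1.1: {analyse(SITE_A_BEFORE, (OSPF_VIA_TUNNEL,), '1.1.1.1')}")
```

The second case is the situation the original poster ended up in: even with a /24 for 192.168.2.0 learned over the tunnel, the /32 static for the endpoint is more specific, so the tunnel destination stays pinned to the WAN interface and the %TUN-5-RECURDOWN flap stops. The third case shows why pointing the tunnel at the peer's outside address sidesteps the problem entirely, as the later replies recommend.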

Hi,

I changed the route command to a 32-bit mask, which got the tunnel working and OSPF exchanging routes.

In my current config the tunnel destination is the inside interface of the other router, which obviously wouldn't be routable over the internet. Does this mean that in the live setup, the tunnel destination under 'Tunnel 0' will need to be the ip address of the outside interface? I've just tested this on my test setup, but the tunnel fails to come up:

interface Tunnel0
 ip address 192.168.100.1 255.255.255.252
 ip ospf network broadcast
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 1.1.1.3
 crypto map mymap
end

Thanks

Just for info, the following config looks to do what I'm looking for. I'm just not sure whether this would work in a live setup, i.e. is everything that needs to be routable over the internet actually routable?

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 1.1.1.3
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 1.1.1.3
 set transform-set myset
 match address 101
!
interface Loopback0
 ip address 192.168.2.1 255.255.255.0
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.0
!
interface Tunnel0
 ip address 192.168.100.1 255.255.255.252
 ip ospf network broadcast
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 192.168.1.2
 crypto map mymap
!
interface FastEthernet0
 ip address 1.1.1.1 255.255.255.0
 speed auto
 crypto map mymap
!
router ospf 1
 log-adjacency-changes
 redistribute connected
 network 10.1.1.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 0
 network 192.168.100.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0
ip route 192.168.1.2 255.255.255.255 FastEthernet0
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!

I've changed the config for the tunnel interface so the source is the outside interface and the destination is the outside IP address of the other router, which works. I'm assuming this will be ok for a live setup?

interface Tunnel0
 ip address 192.168.100.2 255.255.255.252
 ip ospf network broadcast
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 1.1.1.1
 crypto map mymap

I haven't gone through your config in detail, but yes, your tunnel source should be routable in the transit path, since this will be the source of all traffic that is 'routed' to the tunnel. It is common practice to borrow the WAN interface's IP.

Regards

Farrukh
