09-16-2008 05:41 AM - edited 02-21-2020 03:56 PM
Hi,
I would like to setup a site-to-site VPN between a 1720 and a 2600 series router. The IOS versions are:
c1700-advsecurityk9-mz.123-26.bin
c2600-advsecurityk9-mz.123-26.bin
Neither router accepts 'tunnel mode ipsec' under the Tunnel interface. Is this due to the release of the IOS? If so does anyone know what version I would need?
This is the example I've been working from:
Any help would be greatly appreciated.
Thanks
09-16-2008 05:49 AM
OK, if VPN through VTI is not supported on your routers, use one of the following links to configure your VPN tunnel:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080194650.shtml
good luck
if helpful Rate
09-16-2008 06:26 AM
09-16-2008 08:50 AM
Hi
Your config looks OK except for the tunnel destinations and the tunnel destination routes. Do not learn the tunnel destination through the tunnel. Also remember that since this is GRE over IPsec, the IPsec tunnel should come up first and then the GRE tunnel connects.
To verify if IPsec is up, post the results of "show crypto isakmp sa".
Do the following:
Site A
Change the tunnel destination to 192.168.2.1
interface Tunnel0
ip address 192.168.100.2 255.255.255.252
ip ospf network broadcast
keepalive 10 3
tunnel source Loopback0
tunnel destination 192.168.2.1
crypto map mymap
no ip route 192.168.2.0 255.255.255.0 Tunnel0
ip route 192.168.2.0 255.255.255.0 FastEthernet0
Site B
Change the tunnel destination to 192.168.1.2
interface Tunnel0
ip address 192.168.100.1 255.255.255.252
ip ospf network broadcast
keepalive 10 3
tunnel source Loopback0
tunnel destination 192.168.1.2
crypto map mymap
no ip route 192.168.1.0 255.255.255.0 Tunnel0
ip route 192.168.1.0 255.255.255.0 FastEthernet0
Do the above change, check, and post the results.
HTH
Saju
Please rate helpful posts
09-18-2008 12:51 AM
Hi,
Thanks for that. I've made the changes you mentioned, which do allow the OSPF neighbour relationship to form, but no routes are exchanged. The reason is probably that the tunnel is constantly going up and down with the following error:
*Mar 2 20:34:58.708: %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing
There's a Cisco page on this, but I'm not sure what change I'd need to make.
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094690.shtml
Thanks
09-18-2008 02:05 AM
You need to make sure the tunnel destination is reachable (routable) directly over the WAN, and it should not be reachable THROUGH the tunnel itself. A simple solution is to run a different routing protocol over the WAN and on the Tunnel/LAN subnet. You can also add a static route for the tunnel destination pointing to the WAN IP of the peer.
Please rate if helpful.
Regards
Farrukh
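To make the recursive-routing condition from the two replies above concrete, here is an added example (my own code, not from the thread or from Cisco) that models how a router resolves a GRE tunnel destination with longest-prefix match and flags the case where the best route points back into the tunnel itself, which is what %TUN-5-RECURDOWN reports. The routing tables are constructed from the addresses used in the thread (tunnel destination 192.168.1.2, WAN interface FastEthernet0, OSPF-learnt 192.168.1.0/24 via Tunnel0) and are assumptions about what the RIB held before and after the /32 host route was added.

```python
"""Model of how an IOS router resolves a GRE tunnel destination and why the
tunnel is disabled with %TUN-5-RECURDOWN when that resolution points back at
the tunnel itself. Constructed example, not code from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network   # destination prefix in the RIB
    out_iface: str                  # outgoing interface the RIB chose
    source: str                     # "static" or "ospf", for display only


def lookup(rib: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match over the routing table, as the forwarding engine
    does for every packet, including the GRE packet the tunnel just built."""
    addr = ipaddress.IPv4Address(destination)
    matches = [r for r in rib if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def tunnel_is_recursive(rib: List[Route], tunnel_iface: str,
                        tunnel_destination: str) -> bool:
    """True when the best route to the tunnel destination exits via the tunnel
    itself: the encapsulated packet would be handed back to the tunnel for
    another encapsulation, which IOS detects and answers by shutting the
    tunnel down temporarily."""
    best = lookup(rib, tunnel_destination)
    return best is not None and best.out_iface == tunnel_iface


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(s)


# Assumed RIB for the router whose Tunnel0 destination is 192.168.1.2 (the
# peer's Loopback0): a default route out of the WAN interface, plus the
# peer's loopback subnet learnt through the tunnel because the peer
# redistributes its connected routes into OSPF.
RIB_BEFORE = [
    Route(net("0.0.0.0/0"), "FastEthernet0", "static"),
    Route(net("192.168.1.0/24"), "Tunnel0", "ospf"),
]

# Assumed RIB after the fix described in the thread: a host route (/32) for
# the tunnel destination pointing at the WAN interface. /32 is more specific
# than the OSPF-learnt /24, so longest-prefix match now selects the WAN path.
RIB_AFTER = RIB_BEFORE + [Route(net("192.168.1.2/32"), "FastEthernet0", "static")]


def check(rib: List[Route], label: str) -> bool:
    """Print the resolution for the tunnel destination and return whether the
    tunnel would be recursive with this RIB."""
    best = lookup(rib, "192.168.1.2")
    recursive = tunnel_is_recursive(rib, "Tunnel0", "192.168.1.2")
    print(f"{label}: 192.168.1.2 -> {best.prefix} via {best.out_iface} "
          f"({best.source}); recursive={recursive}")
    return recursive


if __name__ == "__main__":
    check(RIB_BEFORE, "before")   # recursive=True: tunnel flaps
    check(RIB_AFTER, "after")     # recursive=False: tunnel stays up
```

The point the model makes is that the /32 works not because of the interface it points at alone but because it is the most specific prefix; any route to the tunnel destination that is less specific than one learnt through the tunnel will lose the lookup and recreate the loop.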
09-18-2008 02:43 AM
Hi,
I changed the route command to a 32-bit mask, which got the tunnel working and OSPF exchanging routes.
In my current config the tunnel destination is the inside interface of the other router, which obviously wouldn't be routable over the internet. Does this mean that in the live setup, the tunnel destination under 'Tunnel 0' will need to be the ip address of the outside interface? I've just tested this on my test setup, but the tunnel fails to come up:
interface Tunnel0
ip address 192.168.100.1 255.255.255.252
ip ospf network broadcast
keepalive 10 3
tunnel source Loopback0
tunnel destination 1.1.1.3
crypto map mymap
end
Thanks
09-18-2008 03:02 AM
Just for info, the following config looks to do what I'm looking for. I'm just not sure whether this would work in a live setup, i.e. is everything that needs to be routable over the internet actually routable?
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 1.1.1.3
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 1.1.1.3
set transform-set myset
match address 101
!
!
!
interface Loopback0
ip address 192.168.2.1 255.255.255.0
!
interface Loopback1
ip address 10.1.1.1 255.255.255.0
!
interface Tunnel0
ip address 192.168.100.1 255.255.255.252
ip ospf network broadcast
keepalive 10 3
tunnel source Loopback0
tunnel destination 192.168.1.2
crypto map mymap
!
!
interface FastEthernet0
ip address 1.1.1.1 255.255.255.0
speed auto
crypto map mymap
!
!
router ospf 1
log-adjacency-changes
redistribute connected
network 10.1.1.0 0.0.0.255 area 0
network 192.168.2.0 0.0.0.255 area 0
network 192.168.100.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0
ip route 192.168.1.2 255.255.255.255 FastEthernet0
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
09-18-2008 04:00 AM
I've changed the config for the tunnel interface so the source is the outside interface and the destination is the outside ip address of the other router, which works. I'm assuming this will be ok for a live setup?
interface Tunnel0
ip address 192.168.100.2 255.255.255.252
ip ospf network broadcast
keepalive 10 3
tunnel source FastEthernet0/0
tunnel destination 1.1.1.1
crypto map mymap
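One check worth running whenever the tunnel endpoints move, as they do in this post (from the loopbacks to the WAN addresses): with a crypto map, IOS encrypts only the packets that match the crypto ACL, and anything else leaves the interface in cleartext. The crypto ACL 101 posted earlier in the thread matches 192.168.2.0/24 to 192.168.1.0/24, which covers GRE between the loopbacks but not GRE between 1.1.1.x addresses. The following is an added example (my own code, not from the thread or from Cisco) that parses IOS-style access-list lines and answers whether the GRE packets of a given tunnel would be matched; the WAN address 1.1.1.3 used as this router's tunnel source is an assumption, since the thread only shows 1.1.1.3 as the crypto peer.

```python
"""Check whether a crypto-map ACL covers the GRE packets a tunnel produces.
Constructed example, not the thread's own code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str                     # "permit" or "deny"
    protocol: str                   # protocol keyword as written in IOS
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


ANY = ipaddress.IPv4Network("0.0.0.0/0")


def _netmask_from_wildcard(wildcard: str) -> str:
    """IOS wildcard bits are the inverse of the netmask bits. Non-contiguous
    wildcards are rejected by IPv4Network later, which is acceptable here."""
    inverted = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(inverted))


def _parse_operand(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address operand ('any', 'host A' or 'A WILDCARD') starting at
    tokens[i]; return the network and the index of the next token."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    net = ipaddress.IPv4Network(
        (tokens[i], _netmask_from_wildcard(tokens[i + 1])), strict=False)
    return net, i + 2


def parse_acl(lines: List[str], number: str) -> List[AclEntry]:
    """Collect the entries of numbered extended ACL `number`, in order."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != number:
            continue
        action, proto = t[2], t[3]
        src, i = _parse_operand(t, 4)
        dst, _ = _parse_operand(t, i)
        entries.append(AclEntry(action, proto, src, dst))
    return entries


def first_match(acl: List[AclEntry], proto: str,
                src_ip: str, dst_ip: str) -> Optional[AclEntry]:
    """First-match semantics with an implicit deny (None) at the end.
    A 'permit ip' entry also matches GRE, since GRE is an IP protocol."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in acl:
        if e.protocol in ("ip", proto) and s in e.src and d in e.dst:
            return e
    return None


def gre_is_encrypted(acl: List[AclEntry], tunnel_source: str,
                     tunnel_destination: str) -> bool:
    """True if the GRE packets from tunnel_source to tunnel_destination hit a
    permit entry, i.e. the crypto map would encrypt them."""
    e = first_match(acl, "gre", tunnel_source, tunnel_destination)
    return e is not None and e.action == "permit"


# Crypto ACL exactly as posted earlier in the thread.
POSTED_ACL = parse_acl(
    ["access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255"],
    "101")

# Constructed replacement that follows the tunnel endpoints to the WAN
# addresses (1.1.1.3 as this router's WAN IP is an assumption).
WAN_ACL = parse_acl(["access-list 101 permit gre host 1.1.1.3 host 1.1.1.1"],
                    "101")


def report() -> dict:
    """Evaluate the three endpoint/ACL combinations discussed above."""
    cases = {
        "loopback endpoints, posted ACL":
            gre_is_encrypted(POSTED_ACL, "192.168.2.1", "192.168.1.2"),
        "WAN endpoints, posted ACL":
            gre_is_encrypted(POSTED_ACL, "1.1.1.3", "1.1.1.1"),
        "WAN endpoints, GRE host ACL":
            gre_is_encrypted(WAN_ACL, "1.1.1.3", "1.1.1.1"),
    }
    for name, ok in cases.items():
        print(f"{name}: {'encrypted' if ok else 'CLEARTEXT'}")
    return cases


if __name__ == "__main__":
    report()
```

Run it and the second case comes out as CLEARTEXT: moving the tunnel to the WAN addresses without also moving the crypto ACL leaves the GRE traffic, and the OSPF and LAN traffic inside it, unencrypted while "show crypto isakmp sa" can still look healthy. The usual GRE-over-IPsec crypto ACL is a "permit gre host <tunnel source> host <tunnel destination>" line, as in the constructed WAN_ACL.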
09-18-2008 08:07 AM
I haven't gone through your config in detail, but yes, your tunnel source should be routable in the transit path, since this will be the source of all traffic that will be 'routed' to the tunnel. It is common practice to borrow the WAN interface's IP.
Regards
Farrukh