
New Member

tunnel mode ipsec

Hi,

I would like to setup a site-to-site VPN between a 1720 and a 2600 series router. The IOS versions are:

c1700-advsecurityk9-mz.123-26.bin

c2600-advsecurityk9-mz.123-26.bin

Neither router accepts 'tunnel mode ipsec' under the Tunnel interface. Is this due to the release of the IOS? If so does anyone know what version I would need?

This is the example I've been working from:

http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629_ps6635_Products_White_Paper.html

Any help would be greatly appreciated.

Thanks

9 REPLIES
New Member

Re: tunnel mode ipsec

Hi,

I was originally looking to setup a GRE tunnel between 3 Cisco routers, so I can run OSPF over them. However, with my current test setup, I'm unable to get OSPF to work. Which is why I was looking at the sample config I mentioned above.

I've attached my configs.

Silver

Re: tunnel mode ipsec

Hi

Your config looks ok except for the tunnel destinations and the tunnel destination routes. Do not learn the tunnel destination through the tunnel. Also remember that since this is GRE over IPsec, the IPsec tunnel should first come up and then the GRE tunnel connects.

To verify if IPsec is up, post the results of "show crypto isakmp sa".

Do the following

Site A

Change the tunnel destination to 192.168.2.1

interface Tunnel0
 ip address 192.168.100.2 255.255.255.252
 ip ospf network broadcast
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 192.168.2.1
 crypto map mymap

no ip route 192.168.2.0 255.255.255.0 Tunnel0
ip route 192.168.2.0 255.255.255.0 FastEthernet0

Site B

Change the tunnel destination to 192.168.1.2

interface Tunnel0
 ip address 192.168.100.1 255.255.255.252
 ip ospf network broadcast
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 192.168.1.2
 crypto map mymap

no ip route 192.168.1.0 255.255.255.0 Tunnel0
ip route 192.168.1.0 255.255.255.0 FastEthernet0

Make the above changes, check, and post the results.

HTH

Saju

Pls rate helpful posts

New Member

Re: tunnel mode ipsec

Hi,

Thanks for that. I've made the changes you mentioned, which do allow the OSPF neighbour relationship to form, but no routes are exchanged. The reason for this is probably that the tunnel is constantly going up and down with the following error:

*Mar 2 20:34:58.708: %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing

There's a Cisco page on this, but I'm not sure what change I'd need to make.

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094690.shtml

Thanks

Re: tunnel mode ipsec

You need to make sure the tunnel destination is reachable (routable) directly over the WAN and that it is not reachable THROUGH the tunnel itself. A simple solution is to run a different routing protocol over the WAN and on the Tunnel/LAN subnet. You can also add a static route for the tunnel destination pointing to the WAN IP of the peer.

Please rate if helpful.

Regards

Farrukh
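A small check for the recursive-routing condition Saju and Farrukh describe above (the tunnel destination must not be reached through the tunnel itself). This is an added example, not code from this thread or from Cisco IOS: it parses constructed IOS-style fragments modelled on the configs posted here and does a longest-prefix lookup of each tunnel destination against the static routes, flagging any tunnel that would be its own exit.

```python
import ipaddress
import re

# Constructed IOS fragments modelled on the thread (not the poster's real configs).
# BROKEN_CFG routes the tunnel destination into Tunnel0 itself; FIXED_CFG sends it
# out the WAN-facing interface, as the replies recommend.
BROKEN_CFG = """
interface Tunnel0
 ip address 192.168.100.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.168.2.1
ip route 192.168.2.0 255.255.255.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 FastEthernet0
"""

FIXED_CFG = BROKEN_CFG.replace("255.255.255.0 Tunnel0", "255.255.255.0 FastEthernet0")


def parse_config(cfg):
    """Return ({tunnel: destination}, [(prefix, exit)]) from IOS-style text.
    'exit' is the interface name or next-hop address written on the ip route line."""
    tunnels, routes, current = {}, [], None
    for raw in cfg.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
        elif line.startswith("tunnel destination ") and current:
            tunnels[current] = ipaddress.ip_address(line.split()[2])
        elif line.startswith("ip route "):
            _, _, net, mask, exit_ = line.split()[:5]
            routes.append((ipaddress.ip_network(f"{net}/{mask}"), exit_))
    return tunnels, routes


def lookup(routes, dst):
    """Longest-prefix match: the exit the router picks for dst, or None."""
    matches = [(net, exit_) for net, exit_ in routes if dst in net]
    return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else None


def recursive_tunnels(cfg):
    """Names of tunnels whose destination is reached via the tunnel itself
    (the condition behind %TUN-5-RECURDOWN). A next-hop written as an IP
    address is treated as reachable outside the tunnel."""
    tunnels, routes = parse_config(cfg)
    return [name for name, dst in tunnels.items() if lookup(routes, dst) == name]
```

Adding a more specific host route for the destination (a /32 out the WAN interface, as the original poster later did) also clears the condition, because the longest prefix wins the lookup.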

New Member

Re: tunnel mode ipsec

Hi,

I changed the route command to a 32-bit mask, which got the tunnel working and OSPF exchanging routes.

In my current config the tunnel destination is the inside interface of the other router, which obviously wouldn't be routable over the internet. Does this mean that in the live setup, the tunnel destination under 'Tunnel 0' will need to be the ip address of the outside interface? I've just tested this on my test setup, but the tunnel fails to come up:

interface Tunnel0
 ip address 192.168.100.1 255.255.255.252
 ip ospf network broadcast
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 1.1.1.3
 crypto map mymap
end

Thanks

New Member

Re: tunnel mode ipsec

Just for info, the following config looks to do what I'm looking for. I'm just not sure whether this would work in a live setup, i.e. is everything that needs to be routable over the internet actually routable?

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 1.1.1.3
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 1.1.1.3
 set transform-set myset
 match address 101
!
!
!
interface Loopback0
 ip address 192.168.2.1 255.255.255.0
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.0
!
interface Tunnel0
 ip address 192.168.100.1 255.255.255.252
 ip ospf network broadcast
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 192.168.1.2
 crypto map mymap
!
!
interface FastEthernet0
 ip address 1.1.1.1 255.255.255.0
 speed auto
 crypto map mymap
!
!
router ospf 1
 log-adjacency-changes
 redistribute connected
 network 10.1.1.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 0
 network 192.168.100.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0
ip route 192.168.1.2 255.255.255.255 FastEthernet0
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!

New Member

Re: tunnel mode ipsec

I've changed the config for the tunnel interface so the source is the outside interface and the destination is the outside ip address of the other router, which works. I'm assuming this will be ok for a live setup?

interface Tunnel0
 ip address 192.168.100.2 255.255.255.252
 ip ospf network broadcast
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 1.1.1.1
 crypto map mymap

Re: tunnel mode ipsec

I haven't gone through your config in detail, but yes, your tunnel source should be routable in the transit path, since this will be the source of all traffic that will be 'routed' to the tunnel. It is common practice to borrow the WAN interface's IP.

Regards

Farrukh
