
New Member

VPN tunnel drops routes out of routing table

Hello all;

I've been studying like mad to take my CCNA Security exam in the next couple weeks. I've posted on several bulletins here with various topics. My main issue was trying to connect virtually via GNS3 and my router setup on it. Scratch that...

I have three Cisco 2621 XM routers set up. They all came with 2 FastEthernet ports. However, only one of them has a Serial port. So, what I'm doing is connecting the routers together with the fast ethernet ports using crossover cables.

So, I baselined two routers to start with. Very simple AAA, set up IP HTTP server, IP HTTP Secure Server, etc. Privilege lvl 15 access, etc.

I then set my Router A's inside Fa0/1 port with a 192.168.1.0/24 network. The outside port Fa0/0 is 10.0.0.0/30 network.

Router B is set up similar, 192.168.2.0/24 inside Fa0/1, Fa0/0 is 10.0.0.0/30 network outside. So, three networks: 192.168.1.0, 192.168.2.0, 10.0.0.0 network.

Then, I set up OSPF routing. Very simple...

Router A

router ospf 1
 network 192.168.1.0 0.0.0.255 area 0
 network 10.0.0.0 0.0.0.3 area 0

On the other router:

Router B

router ospf 1
 network 192.168.2.0 0.0.0.255 area 0
 network 10.0.0.0 0.0.0.3 area 0

Initially, routing worked. B's 2.0 network propagated into A's routing table, and vice versa with A's 1.0 network. I was able to ping across each other.

Now, I had a PC attached to a switch (set up as default, no acls, no nothing, just bare bones default) which was attached to Fa0/1. The PC is 192.168.1.2, subnet mask 255.255.255.0. Default gateway is the IP address of Fa0/1, which is 192.168.1.254 255.255.255.0.

Similar on Router B, except 2.0 network.

So far, so good.

I then used SDM to connect from PC-A onto Router A via 192.168.1.254. It connected. SDM worked, brought up the router, interfaces, and showed OSPF routing. This is where it fell apart....

I attempted to create a Site to Site VPN via the wizard. Here's what I specified:

Inside interface fa0/1

Outside interface fa0/0

Network with interesting traffic 192.168.1.0/24

Peer 10.0.0.3 (that is the address of the outside facing interface f0/0 on Router B)

I then repeated the same on Router B, just transposing 2.0 network for interesting traffic, and Peer 10.0.0.2 for the Fa0/0 interface on Router A.

Everything else was defaulted.

When I "test" the tunnel, I get an error message. So, since I'm connected to Router B (which was working, had routing, and had Router A's network 1.0 in its routing table), the error msg says that I need to add a route into the routing table (192.168.1.0). It was there up until I attempted to put the VPN in place. It's like it stopped the routing.

Where am I going wrong? At face value, it looks like this should be working! But when I debug the ospf process, it looks like hello packets aren't traversing across to the other side. Is it because I just have the 192.xxx.xxx.xxx networks as "interesting" traffic? Can I have multiple networks marked as "interesting"? I thought that's what the peer statements were doing to allow the tunnel to be established.

6 REPLIES

Re: VPN tunnel drops routes out of routing table

Interesting traffic is defined with an acl. I personally have never used the sdm, so cannot comment. Look at the below urls for some guidance, there are plenty of examples.

http://www.cisco.com/en/US/products/hw/routers/ps259/prod_configuration_examples_list.html

Sent from Cisco Technical Support iPad App

Cisco Employee

Re: VPN tunnel drops routes out of routing table

Static routes must be used when the native IPSEC tunnels are deployed via ACLs for the crypto proxies and a virtual tunnel interface (VTI or GRE) is not being used.

Dynamic routing can be used when VPNs are deployed with virtual interfaces (GRE or VTI).

- Dan

New Member

Re: VPN tunnel drops routes out of routing table

Wow, that's interesting. I have not read ANYWHERE in the books I've been reviewing that you have to use static routes for tunnel configuration in a site to site VPN. It kinda makes sense, but I find it a little confusing that routing tables get shot down for this. I'll have to refer to some of the links mentioned above, and review my reading/notes.

Cisco Employee

Re: VPN tunnel drops routes out of routing table

The books may mention that multicast is not supported over IPSEC (no multicast is bad for IGPs). That's true if there is not a virtual tunnel interface. The tunnel interface creates another routed interface and it populates the table accordingly. The attachment shows a virtual tunnel interface and how it creates overlay routing through the tunnel using EIGRP (routing the packet twice). Without a tunnel interface the packet gets routed once (LAN to WAN) and encrypted at the WAN interface (crypto map), so there is no way to create overlay routing.

Traffic going over IPSEC without a virtual tunnel interface must use static routes. Dynamic routing is still supported with the ISP or downstream routers, etc., just not over native IPSEC.

Dan

New Member

Re: VPN tunnel drops routes out of routing table

So, in my lab setup... I have two routers. I should skip OSPF routing, and just put in static routes. Then my VPN "should" come up? Don't route the WAN links per se?

And if I add a third router... A to B to C. I want to have a VPN from A to C. Let's say C is going to be 192.168.3.0 network on the LAN side. The WAN is going to be 10.0.0.4/30. I would do what with routing? Still static? No EIGRP or OSPF?

Almost got it figured out...

Cisco Employee

Re: VPN tunnel drops routes out of routing table

I would skip the ospf routing. Your routers are directly connected so that's good enough for the WAN links. Static routes can be put in on each router for the remote LAN networks.

See the branch office config at this link .... good place for reference.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805e8c80.shtml

This type of vpn also needs interesting traffic for the vpn to come up. Once you have both sides provisioned and do a "show crypto ipsec sa" and "show crypto isakmp sa" there will not be any output. Once you have initiated Lan-to-Lan traffic the vpn will come up and have output for those two commands.

Dan
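Both of Dan's points (static routes for a crypto-map VPN with no tunnel interface, dynamic routing only over a VTI or GRE tunnel), worked out as one added configuration example for Router B in the lab described in this thread. This is my config, not Dan's, not Cisco's documentation and not what the SDM wizard generates. The first part is shared; after it, either Option A (crypto map on the WAN interface, interesting-traffic ACL, static route for the remote LAN, which is what the thread ends up recommending) or Option B (an IPsec virtual tunnel interface with OSPF running through it, Dan's "overlay routing" case) is applied, never both at once. The names TS, VTI-PROF, VPN-INTERESTING, CM and Tunnel0, the 172.16.0.0/30 tunnel subnet and the pre-shared-key placeholder are my choices. One caveat about the thread's addressing: 10.0.0.2 and 10.0.0.3 cannot both be host addresses in 10.0.0.0/30, because 10.0.0.3 is that subnet's broadcast address, so the WAN mask below is assumed to be 255.255.255.248. Router A mirrors the config with the addresses swapped.

```ios
! Router B, added example. Common IKE/IPsec settings used by both options.
! AES/SHA-1/DH group 2 are what 2621XM-era IOS images support; prefer
! larger DH groups and SHA-2 wherever the image offers them.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
! Placeholder pre-shared key; Router A needs the same key bound to 10.0.0.3.
crypto isakmp key LAB-PSK-PLACEHOLDER address 10.0.0.2
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
!
! WAN mask assumed /29 so that both .2 and .3 are valid host addresses.
interface FastEthernet0/0
 ip address 10.0.0.3 255.255.255.248
!
interface FastEthernet0/1
 ip address 192.168.2.254 255.255.255.0
!
! ===== Option A: crypto map + static route (no tunnel interface) =====
! Interesting traffic: only LAN-to-LAN packets are encrypted. Without a
! tunnel interface there is no overlay link for an IGP neighbour to form
! across, so the remote LAN is reached by a static route that points at the
! peer's WAN address; the crypto map then encrypts the matching packets.
ip access-list extended VPN-INTERESTING
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
crypto map CM 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set TS
 match address VPN-INTERESTING
!
interface FastEthernet0/0
 crypto map CM
!
ip route 192.168.1.0 255.255.255.0 10.0.0.2
!
! ===== Option B: IPsec VTI + OSPF through the tunnel (use instead of A) =====
crypto ipsec profile VTI-PROF
 set transform-set TS
!
! A routed point-to-point interface: everything forwarded out of it is
! encrypted, so no interesting-traffic ACL is needed and OSPF hellos cross it.
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 10.0.0.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! Advertise the LAN and the tunnel subnet only. The 10.0.0.0 WAN link is
! deliberately left out: if it were in the same OSPF process, the remote LAN
! would be reached over the cheaper direct path and bypass encryption.
router ospf 1
 network 192.168.2.0 0.0.0.255 area 0
 network 172.16.0.0 0.0.0.3 area 0
```

Checking either option: with Option A, `show crypto isakmp sa` and `show crypto ipsec sa` stay empty until a host on 192.168.2.0/24 sends something to 192.168.1.0/24, as Dan describes, and `show ip route 192.168.1.0` must already show the static route before that. With Option B, `show ip ospf neighbor` should list Router A on Tunnel0 and `show ip route 192.168.1.0` should resolve via Tunnel0, not FastEthernet0/0; a route that still points at FastEthernet0/0 means the WAN link has leaked into OSPF and LAN-to-LAN traffic is leaving in the clear. Dan's GRE alternative for Option B is the same Tunnel0 block with the default `tunnel mode gre ip` in place of `tunnel mode ipsec ipv4`, keeping the `tunnel protection` line.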
