Hi all,

I am trying to configure MPLS and IPSec in the following fashion:

Bern (3640, MPLS+IPSec image) ------------------ Prague (3620) ------------------ Torino (3620, IPSec image)

I want to have an IPSec connection from Torino to Bern. I also want to run OSPF as the PE-CE routing protocol, hence I used GRE to do so. It seems that OSPF works well over GRE if there is no VRF configuration on Bern. Once I configure VRF on Bern, the OSPF state goes down. I tried configuring "ip vrf forwarding" on the GRE tunnel interface too. That doesn't help either.

Do I need to enable "ip vrf forwarding" on the tunnel interface?

My VPN routes are getting to Bern from other PE routers, but they are not getting redistributed into OSPF, because OSPF is down.

I have attached the config files of Bern and Torino.

Thanks in advance,
Manpreet

torino#sh run
Building configuration...
Current configuration : 1924 bytes
!
version 12.2
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
no service dhcp
!
hostname torino
!
boot system flash c3620-js-mz.122-2.T.bin
boot system flash c3620-jk9s-mz.122-2.T.bin
logging rate-limit console 10 except errors
enable password rtrConfig
!
!
!
ip subnet-zero
!
!
ip name-server 192.168.12.200
!
ip cef
ip ssh time-out 120
ip ssh authentication-retries 3
no ip dhcp-client network-discovery
tag-switching ip default-route
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key F6BDD41FDFC48EACD9806921A7E9C3E0 address 150.13.0.1
!
!
crypto ipsec transform-set DESMD5-HMAC esp-des esp-md5-hmac
!
crypto map ethernet1/1Map 10 ipsec-isakmp
set peer 150.13.0.1
set security-association lifetime kilobytes 2560
set security-association lifetime seconds 86400
set transform-set DESMD5-HMAC
match address 100
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback1
ip address 172.33.10.1 255.255.255.255
!
interface Tunnel0
ip address 11.101.0.2 255.255.255.252
ip ospf network point-to-point
tunnel source Ethernet1/1
tunnel destination 150.13.0.1
crypto map ethernet1/1Map
!
interface Ethernet1/0
ip address 192.168.10.30 255.255.255.0
half-duplex
!
interface Serial1/0
no ip address
encapsulation frame-relay
no keepalive
!
interface Ethernet1/1
ip address 150.10.0.2 255.255.255.252
half-duplex
crypto map ethernet1/1Map
!
router ospf 10
domain-id 6.6.6.6
log-adjacency-changes
network 11.101.0.0 0.0.0.3 area 0
network 172.33.10.0 0.0.0.255 area 0
!
ip classless
ip route 150.13.0.1 255.255.255.255 150.10.0.1
ip route 192.168.0.0 255.255.0.0 192.168.10.1
ip http server
!
access-list 100 permit gre host 150.10.0.2 host 150.13.0.1
!
!
!
snmp-server manager
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password rtrconfig
login
!
!
end
sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
C 192.168.10.0/24 is directly connected, Ethernet1/0
172.33.0.0/32 is subnetted, 1 subnets
C 172.33.10.1 is directly connected, Loopback1
11.0.0.0/30 is subnetted, 1 subnets
C 11.101.0.0 is directly connected, Tunnel0
150.10.0.0/30 is subnetted, 1 subnets
C 150.10.0.0 is directly connected, Ethernet1/1
150.13.0.0/32 is subnetted, 1 subnets
S 150.13.0.1 [1/0] via 150.10.0.1
S 192.168.0.0/16 [1/0] via 192.168.10.1
Bern#sh run
Building configuration...
Current configuration : 2959 bytes
!
version 12.2
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
no service dhcp
!
hostname Bern
!
boot system flash c3640-js-mz.122-8.T.bin
boot system flash c3640-jk9s-mz.122-2.T.bin
logging rate-limit console 10 except errors
enable secret level 1 5 $1$6jbP$HZ7TwMJMkybcExKjzcRnf/
enable secret 5 $1$sDpE$d5kTX2xLPwZOf7.YlDegP1
enable password ***
!
!
!
ip subnet-zero
!
!
!
!
ip vrf Hub-1
rd 100:10
route-target export 100:5308
route-target import 100:5308
route-target import 100:5309
ip cef
ip ssh time-out 120
ip ssh authentication-retries 3
no ip dhcp-client network-discovery
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key F6BDD41FDFC48EACD9806921A7E9C3E0 address 150.10.0.2
!
!
crypto ipsec transform-set DESMD5-HMAC esp-des esp-md5-hmac
!
crypto map serial1/0.1Map 10 ipsec-isakmp
set peer 150.10.0.2
set security-association lifetime kilobytes 2560
set security-association lifetime seconds 86400
set transform-set DESMD5-HMAC
match address 100
!
call rsvp-sync
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 210.0.0.9 255.255.255.255
!
interface Tunnel0
ip vrf forwarding Hub-1
ip address 11.101.0.1 255.255.255.252
ip ospf network point-to-point
tunnel source Serial1/0.1
tunnel destination 150.10.0.2
crypto map serial1/0.1Map
!
interface Ethernet1/0
ip address 192.168.10.47 255.255.255.0
half-duplex
no mop enabled
!
interface Serial1/0
no ip address
encapsulation frame-relay
no keepalive
clockrate 1300000
!
interface Serial1/0.1 point-to-point
ip vrf forwarding Hub-1
ip address 150.13.0.1 255.255.255.252
frame-relay interface-dlci 300
crypto map serial1/0.1Map
!
interface Ethernet1/1
description denver
ip address 120.0.0.1 255.255.255.0
half-duplex
tag-switching ip
!
interface Serial1/1
no ip address
shutdown
!
router ospf 20
log-adjacency-changes
network 120.0.0.0 0.255.255.255 area 0
network 210.0.0.0 0.255.255.255 area 0
!
router ospf 10 vrf Hub-1
log-adjacency-changes
redistribute bgp 2 subnets
network 11.101.0.0 0.0.0.255 area 0
!
router bgp 2
no synchronization
bgp log-neighbor-changes
neighbor 210.0.0.8 remote-as 2
neighbor 210.0.0.8 update-source Loopback0
no auto-summary
!
address-family ipv4 vrf Hub-1
redistribute ospf 10
no auto-summary
no synchronization
exit-address-family
!
address-family vpnv4
neighbor 210.0.0.8 activate
neighbor 210.0.0.8 send-community extended
no auto-summary
exit-address-family
!
ip classless
ip route 150.10.0.2 255.255.255.255 150.13.0.2
ip route 192.168.0.0 255.255.0.0 192.168.10.1
ip route vrf Hub-1 150.10.0.2 255.255.255.255 Serial1/0.1
no ip http server
!
access-list 100 permit gre host 150.13.0.1 host 150.10.0.2
!
!
!
snmp-server community public RO
snmp-server manager
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password rtrconfig
login
!
!
end
sh ip route vrf Hub-1
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
2.0.0.0/30 is subnetted, 1 subnets
B 2.6.2.0 [200/0] via 210.0.0.3, 00:11:04
150.10.0.0/32 is subnetted, 1 subnets
S 150.10.0.2 is directly connected, Serial1/0.1
150.13.0.0/30 is subnetted, 1 subnets
C 150.13.0.0 is directly connected, Serial1/0.1
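
Added example (not part of the original post, and not Cisco tooling): a small Python check that flags the weak IPsec and management settings visible in the two configs above, and masks keys, passwords and community strings before a config is shared on a public list. The sample config, its placeholder secrets and the function names audit() and redact() are constructed for illustration.

```python
import re

# Constructed sample: the kinds of lines seen in the configs above, placeholder secrets.
SAMPLE = """\
no service password-encryption
enable password EXAMPLE-ENABLE
crypto isakmp policy 10
hash md5
crypto isakmp key EXAMPLE-PSK address 192.0.2.1
crypto ipsec transform-set DESMD5-HMAC esp-des esp-md5-hmac
ip http server
snmp-server community public RO
line vty 0 4
password EXAMPLE-VTY
"""

# (pattern, finding). Lines are stripped first: pasted configs often lose indentation.
FINDINGS = [
    (r"no service password-encryption$", "passwords are not even obfuscated"),
    (r"enable password \S", "enable password used instead of enable secret"),
    (r"hash md5$", "IKE policy hashes with MD5"),
    (r"crypto ipsec transform-set .*\besp-des\b", "ESP encryption is single DES"),
    (r"crypto ipsec transform-set .*\besp-md5-hmac\b", "ESP integrity is HMAC-MD5"),
    (r"ip http server$", "HTTP management server enabled"),
    (r"snmp-server community public\b", "default SNMP community string"),
]

# Secret-bearing commands: group 1 is kept, the value that follows is masked.
SECRETS = re.compile(
    r"^(crypto isakmp key |enable password |enable secret (?:level \d+ )?(?:\d )?"
    r"|password (?:\d )?|snmp-server community )\S+")

def audit(config):
    """Return (line_number, finding) for every weak setting found."""
    return [(n, finding)
            for n, raw in enumerate(config.splitlines(), 1)
            for pattern, finding in FINDINGS
            if re.match(pattern, raw.strip())]

def redact(config):
    """Mask keys, passwords and community strings before sharing a config."""
    return "\n".join(SECRETS.sub(r"\1<removed>", line.strip())
                     for line in config.splitlines())

if __name__ == "__main__":
    for n, finding in audit(SAMPLE):
        print(f"line {n}: {finding}")
    print(redact(SAMPLE))
```
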
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:46 EDT