[c-nsp] gre to ipsec inside the vrf (keepalives problem)

zarenks zarenks at aster.pl
Fri Oct 29 20:32:27 EDT 2004


Hi

My problem of course concerns the IPSec and security aspects; here is the
scenario I have.

This is a typical example of remote access to a VPN network with the IPSec over
GRE model.

At the CPE side I created 2 GRE tunnels (the same tunnel source with 2
different destinations) to two IPSec tunnel aggregators.

Both tunnel source and tunnel destination addresses are public ones, of
course.

At the CPE side I put both tunnel interfaces into a single VRF table (external
tunnel addresses are still in the global table).

Inside the VRF I configured static routes to loopbacks created on both
aggregators (those loopbacks in the lab environment pretend to be a customer's
server inside its VPN network).

At both aggregator sides I put the end of the GRE tunnels and the mentioned
loopbacks into one VRF (I mean one per aggregator).

And I provided correct (I think it is correct) static routing to the remote CPE
side.

And here my problem starts.

I nearly lost my hair over it, but everything works fine until I run GRE
keepalives!

Then it stops, and crypto debug indicates "... missconfig of crypto map.." or
something like that.

The first thing I did was disabling IPSec at both ends. It did not help.

After investigating how the GRE keepalive packet is constructed, I realized
that I have to (security policy is broken here) create at the VRF level a
route to the global routing table in order to show the VRF routing engine how
to send the keepalive back to the sender.

(The keepalive answer is already sent in the request. So the receiving side only
has to decapsulate it and send it back to the sender. The problem is that the
receiver side does not know the way to the remote end of the GRE, because it is
only in global.)

It helped 100%: GRE with or without keepalives works excellently.

I really do not think it is the way it should work, but it works!

No docs on the CCO about that problem.

Then I turned off the keepalives and put IPSec to work.

Perfect... until I ran the GRE keepalives.

It has been 2 days that I am fighting with that without results.

I see that the sender sends the keepalive packet, it arrives at the receiver
side, but it is not able to send it back.

I attach the config from the IPSec CPE and one (primary) aggregator for better
understanding.

I really could not find any tips on both CCO and even on the Internet.

I would be grateful for help.

Best regards

Sebastian
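An added illustration, not from the original post, of the routing point made above: a GRE keepalive carries its own reply pre-encapsulated inside the request, so after decapsulation the receiver must forward a packet addressed to the sender's tunnel source, which lives in the global table. The addresses, the VRF tables and the helper names below are all constructed for this example.

```python
import struct
import ipaddress

GRE_PROTO_IPV4 = 0x0800       # GRE protocol type for an IPv4 payload
GRE_PROTO_KEEPALIVE = 0x0000  # GRE header with protocol type 0 and no payload

def ipv4_header(src, dst, payload_len, proto=47):
    # Minimal IPv4 header: no options, checksum left at zero (a router fills it in).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def gre_header(proto):
    # Flags/version word is zero: no checksum, key or sequence number.
    return struct.pack("!HH", 0, proto)

def build_keepalive(tun_src, tun_dst):
    # Inner packet is the reply: addressed from the far end back to the sender,
    # carrying an empty GRE header (protocol 0). It is tunnelled like any other packet.
    inner = ipv4_header(tun_dst, tun_src, 4) + gre_header(GRE_PROTO_KEEPALIVE)
    return ipv4_header(tun_src, tun_dst, 4 + len(inner)) + gre_header(GRE_PROTO_IPV4) + inner

def decapsulate(packet):
    # Strip the outer IPv4 and GRE headers; what remains is the pre-built reply.
    outer_ihl = (packet[0] & 0x0F) * 4
    flags, proto = struct.unpack("!HH", packet[outer_ihl:outer_ihl + 4])
    assert flags == 0 and proto == GRE_PROTO_IPV4
    return packet[outer_ihl + 4:]

def ipv4_addrs(packet):
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))

def lookup(table, dst):
    # Longest-prefix match over a list of (prefix, next_hop) entries.
    best = None
    for prefix, nh in table:
        net = ipaddress.IPv4Network(prefix)
        if ipaddress.IPv4Address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def keepalive_reply_route(vrf_table, tun_src, tun_dst):
    # Where would the tunnel's VRF send the decapsulated reply?
    _, reply_dst = ipv4_addrs(decapsulate(build_keepalive(tun_src, tun_dst)))
    return lookup(vrf_table, reply_dst)

# Constructed addresses: CPE and aggregator tunnel endpoints are public, in the global table.
CPE, AGG = "198.51.100.10", "203.0.113.1"
VRF_ONLY = [("10.0.0.1/32", "Tunnel0"), ("10.1.0.0/16", "Tunnel0")]   # customer prefixes only
VRF_WITH_LEAK = VRF_ONLY + [("0.0.0.0/0", "global")]                  # default toward global
```

With only customer prefixes in the VRF the reply has no route and the keepalive is dropped at the receiver; the route pointing at the global table is what lets it go back out.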
