[c-nsp] gre to ipsec inside the vrf (keepalives problem)

Luan Nguyen luan.m.nguyen at gmail.com
Fri Oct 29 23:13:12 EDT 2004


What IOS are you running?
There is a bug in 12.3.11T where IPsec couldn't process GRE keepalives.

Luan



On Sat, 30 Oct 2004 02:32:27 +0200, zarenks <zarenks at aster.pl> wrote:
> Hi
> 
> My problem of course concerns the IPsec and security aspects; here is the
> scenario I have.
> 
> This is a typical example of remote access to a VPN network with the IPsec over
> GRE model.
> 
> At the CPE side I created 2 GRE tunnels (the same tunnel source with 2
> different destinations) to two IPsec tunnel aggregators.
> 
> Both tunnel source and tunnel destination addresses are public ones, of
> course.
> 
> At the CPE side I put both tunnel interfaces into a single VRF table (external
> tunnel addresses are still in the global table).
> 
> Inside the VRF I configured static routes to loopbacks created on both
> aggregators (those loopbacks in the lab environment pretend to be a customer's
> server inside its VPN network).
> 
> At both aggregator sides I put the end of the GRE tunnels and the mentioned
> loopbacks into one VRF (I mean one per aggregator).
> 
> And I provided correct (I think it is correct) static routing to the remote CPE
> side.
> 
> And here my problem starts.
> 
> I almost lost my hair, but everything works fine until I ran GRE keepalives
> !!!!
> 
> Then it stops, and crypto debug indicates "... misconfig of crypto map..",
> something like that.
> 
> The first thing I did was disabling IPsec at both ends. It did not help.
> 
> After investigating how the GRE keepalive packet is constructed, I realized
> that I have to /the security policy is broken here/ create at the VRF level a
> route to the global routing table in order to show the VRF routing engine how
> to send the keepalive back to the sender.
> 
> (The keepalive answer is already sent in the request. So the receiving side
> only has to decapsulate it and send it back to the sender. The problem is that
> the receiver side does not know the way to the remote end of the GRE tunnel,
> because it is only in the global table.)
> 
> It helped 100%: GRE with or without keepalives works excellently.
> 
> I really do not think it is the way it should work, but it works!!!
> 
> No docs on CCO about that problem.
> 
> Then I turned off the keepalives and put IPsec into work.
> 
> Perfect... until I ran the GRE keepalives.
> 
> It has been 2 days that I am fighting with that without results.
> 
> I see that the sender sends the keepalive packet, it arrives at the receiver
> side, but it is not able to send it back.
> 
> I attach the configs from the IPsec CPE and one (primary) aggregator for better
> understanding.
> 
> I really could not find any tips on either CCO or even on the Internet.
> 
> I would be grateful for help.
> 
> Best regards
> 
> Sebastian
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
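The keepalive mechanism Sebastian describes (the reply is pre-built inside the request, so the far end only decapsulates and forwards it) and the reason it dies inside a VRF can be reproduced in a short simulation. This is an added example, not code or configuration from either poster: it builds a Cisco-style GRE keepalive with struct, decapsulates it at the aggregator, and looks the inner packet up in a per-VRF route table, first with only the VPN-internal route and then with a route pointing into the global table (the IOS `ip route vrf ... global` form). The addresses are RFC 5737 documentation values, and the VRF name CUST, interface names and next hops are assumptions. Only the plain-GRE case is modelled; the failure under IPsec that the thread goes on to discuss is not.

```python
"""Cisco-style GRE keepalive vs. a VRF that has no route back to the sender.
Added example; constructed packets and addresses, not the thread's own configs."""
import ipaddress
import struct
from typing import Optional

IPPROTO_GRE = 47
GRE_PROTO_IP = 0x0800         # GRE payload is an IPv4 packet
GRE_PROTO_KEEPALIVE = 0x0000  # protocol type 0 marks the keepalive reply
IP_FMT = "!BBHHHBBH4s4s"      # minimal IPv4 header, no options


def ipv4_header(src: str, dst: str, payload_len: int, proto: int = IPPROTO_GRE) -> bytes:
    """IPv4 header with TTL 255 and checksum left zero (irrelevant for the lookup)."""
    return struct.pack(IP_FMT, 0x45, 0, 20 + payload_len, 0, 0, 255, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def gre_header(proto: int) -> bytes:
    """Base GRE header (RFC 2784): no C/K/S flags, version 0, protocol type."""
    return struct.pack("!HH", 0, proto)


def build_keepalive(tun_src: str, tun_dst: str) -> bytes:
    """Keepalive as the tunnel source sends it: the reply is already inside the request.
    inner: IP(src=tun_dst, dst=tun_src)/GRE(proto 0)
    outer: IP(src=tun_src, dst=tun_dst)/GRE(proto 0x0800)/inner"""
    inner = ipv4_header(tun_dst, tun_src, 4) + gre_header(GRE_PROTO_KEEPALIVE)
    return ipv4_header(tun_src, tun_dst, 4 + len(inner)) + gre_header(GRE_PROTO_IP) + inner


def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IP_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": pkt[ihl:total_len]}


def gre_decap(gre: bytes) -> tuple[int, bytes]:
    """Strip a GRE header, honouring the optional checksum/key/sequence fields."""
    flags, proto = struct.unpack("!HH", gre[:4])
    hdr_len = 4
    hdr_len += 4 if flags & 0x8000 else 0  # C: checksum + reserved1
    hdr_len += 4 if flags & 0x2000 else 0  # K: key
    hdr_len += 4 if flags & 0x1000 else 0  # S: sequence number
    return proto, gre[hdr_len:]


class RouteTable:
    """Longest-prefix-match table; a route may resolve its next hop in another table
    (the 'global' keyword of an IOS static route inside a VRF)."""

    def __init__(self, name: str):
        self.name = name
        self.routes: list[tuple[ipaddress.IPv4Network, str, str]] = []

    def add(self, prefix: str, next_hop: str, via_table: Optional[str] = None) -> None:
        self.routes.append((ipaddress.IPv4Network(prefix), next_hop, via_table or self.name))

    def lookup(self, dst: str) -> Optional[tuple[str, str]]:
        addr, best = ipaddress.IPv4Address(dst), None
        for net, nh, table in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh, table)
        return None if best is None else (best[1], best[2])


def aggregator_receive(pkt: bytes, vrf: RouteTable) -> tuple[str, str, bytes]:
    """Decapsulate on the tunnel endpoint that sits in the VRF; the inner packet is
    then routed in the VRF table, exactly where the keepalive reply gets stuck."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_GRE:
        return ("drop", "not GRE", b"")
    proto, inner = gre_decap(outer["payload"])
    if proto != GRE_PROTO_IP:
        return ("drop", f"unexpected GRE protocol 0x{proto:04x}", b"")
    dst = parse_ipv4(inner)["dst"]
    route = vrf.lookup(dst)
    if route is None:
        return ("drop", f"no route to {dst} in vrf {vrf.name}", b"")
    return ("forward", f"{dst} via {route[0]} (table {route[1]})", inner)


def sender_accepts(reply: bytes, tun_src: str, tun_dst: str) -> bool:
    """The sender counts a GRE protocol-0 packet from its tunnel destination as a reply."""
    ip = parse_ipv4(reply)
    if ip["proto"] != IPPROTO_GRE or ip["src"] != tun_dst or ip["dst"] != tun_src:
        return False
    return gre_decap(ip["payload"])[0] == GRE_PROTO_KEEPALIVE


# Constructed lab addresses (RFC 5737), assumptions for this example only.
CPE_PUBLIC = "198.51.100.10"  # CPE tunnel source, reachable in the global table
AGG_PUBLIC = "203.0.113.1"    # aggregator tunnel endpoint, global table
CUST_SERVER = "10.0.0.1"      # loopback standing in for the customer server, in the VRF


def run_scenario(leak_route_into_vrf: bool) -> tuple[str, str, bool]:
    """One keepalive round trip; returns (action, reason, sender_got_reply)."""
    vrf = RouteTable("CUST")
    vrf.add(f"{CUST_SERVER}/32", "Tunnel0")  # only the VPN-internal route
    if leak_route_into_vrf:
        # assumed equivalent of: ip route vrf CUST 198.51.100.0 255.255.255.0 203.0.113.254 global
        vrf.add("198.51.100.0/24", "203.0.113.254", via_table="global")
    action, reason, inner = aggregator_receive(build_keepalive(CPE_PUBLIC, AGG_PUBLIC), vrf)
    return action, reason, action == "forward" and sender_accepts(inner, CPE_PUBLIC, AGG_PUBLIC)


if __name__ == "__main__":
    for leak in (False, True):
        print("VRF with global route:" if leak else "VRF alone:", run_scenario(leak))
```

Running it prints a drop with "no route to 198.51.100.10 in vrf CUST" for the first case and a forward via the global next hop for the second, which is the same before/after behaviour Sebastian saw once he added the route into the VRF. The security point is the one he flagged himself: that route is a deliberate leak from the customer VRF to the global table, so it should be as narrow as the tunnel sources actually need, not a default.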