[c-nsp] ip local policy route and tunnels

Denis V. Schapov dschapov at dsi.ru
Mon May 29 23:52:28 EDT 2006


Hi,

look at CSCef95982, CSCef66719, CSCds24740 and a lot of other similar ones.

CSCef95982: GRE: Can't control which exit interface tunnel packets use

Release Notes
 
Symptom: GRE tunnel packets are getting dropped.

Condition: When configuring GRE tunnels where there are two output 
interfaces via two different ISPs _and_ packets going out each 
interface must use an address from that interface's subnet as the 
source. You can configure the GRE tunnel to have a tunnel source 
of one of the outbound interfaces, but the GRE packets with this 
tunnel source may go out either interface. The GRE packets going 
out the other interface (wrong source IP address) will get dropped 
by the ISP.

Workaround: You must configure the routing so that the tunnel destination 
address is only routed via the correct interface. You cannot use Policy Based 
Routing (PBR). This workaround may hamper configuring primary/backup 
redundancy types of configurations.

----
Denis V. Schapov
JSC "DSI"
Irkutsk, Russia
dschapov at dsi.ru
+7 3952 510506



----- Original Message ----- 
From: "Joe Maimon" <jmaimon at ttec.com>
To: <cisco-nsp at puck.nether.net>
Sent: Wednesday, May 24, 2006 9:15 AM
Subject: [c-nsp] ip local policy route and tunnels


> Anyone see any issues trying to run gre and or ipsec tunnels on a router 
> through different interfaces by using local policy routing?
> 
> I can get the tunnels up and ipsec sa are established, but tunnel 
> packets encapsulating payload traffic do not appear to be properly 
> policy routed.
> 
> In the past I have worked around this, but it is starting to get annoying.
> 
> (yes I have a tac case open)
> 
> Here is an example
> 
> crypto keyring spokes
>    pre-shared-key address 64.xx.xx.212 key <key>
> !
> crypto isakmp policy 1
>   hash md5
>   authentication pre-share
> !
> crypto isakmp policy 2
>   encr 3des
>   hash md5
>   authentication pre-share
>   group 2
> !
> crypto isakmp policy 3
>   encr 3des
>   authentication pre-share
>   group 2
> 
> !
> crypto ipsec transform-set stdenc.set ah-md5-hmac esp-3des esp-md5-hmac
>   mode transport
> crypto ipsec transform-set stdenc.noah.set esp-3des esp-md5-hmac
>   mode transport
> !
> crypto ipsec profile encrypted-inet-links
>   set security-association lifetime seconds 120
>   set transform-set stdenc.noah.set stdenc.set
>   set pfs group2
> !
> !
> interface Tunnel0
>   ip address 10.10.36.2 255.255.255.252
>   ip nat inside
>   ip virtual-reassembly
>   keepalive 10 3
>   tunnel source Dialer1
>   tunnel destination 64.xx.xx.212
> !
> interface Tunnel1
>   ip address 10.10.37.1 255.255.255.0
>   no ip redirects
>   ip mtu 1400
>   ip nat inside
>   ip nhrp authentication ulthef
>   ip nhrp map multicast dynamic
>   ip nhrp map multicast 64.xx.xx.212
>   ip nhrp map 10.10.37.2 64.xx.xx.212
>   ip nhrp map multicast 67.yy.yy.198
>   ip nhrp network-id 16770544
>   ip nhrp nhs 10.10.37.2
>   ip virtual-reassembly
>   ip tcp adjust-mss 1360
>   no ip split-horizon eigrp 4535
>   delay 1000
>   keepalive 10 3
>   tunnel source Serial0/2/0
>   tunnel mode gre multipoint
>   tunnel key 16770544
>   tunnel path-mtu-discovery
>   tunnel protection ipsec profile encrypted-inet-links
> !
> interface Serial0/2/0
>   ip address 67.yy.yy.198 255.255.255.252
>   no ip redirects
>   ip nat outside
>   ip virtual-reassembly
>   no ip mroute-cache
>   service-module t1 timeslots 1-12
> !
> interface Dialer1
>   ip address negotiated
>   ip nat outside
>   ip virtual-reassembly
>   encapsulation ppp
>   ip tcp adjust-mss 1452
>   dialer pool 1
>   dialer-group 1
>   no cdp enable
>   ppp authentication pap callin
>   ppp chap hostname user at domain
>   ppp chap password apassword
>   ppp pap sent-username user at domain password apassword
> !
> ip local policy route-map local-policy-route
> ip route 0.0.0.0 0.0.0.0 67.yy.yy.197
> !
> ip access-list extended pyyyy-exit
>   permit ip host 67.yy.yy.198 host 64.xx.xx.212
> !
> ip access-list extended chl-exit
>   !this is the static ip bound to the Dialer1 interface by the ISP
>   permit ip host 64.xx.xx.44 any
> !
> route-map local-policy-route permit 20
>   match ip address pyyyy-exit
>   set interface Serial0/2/0
>   set ip next-hop 67.yy.yy.197
> !
> route-map local-policy-route permit 30
>   match ip address cxxxx-exit
>   set interface Dialer1
>   set ip next-hop 69.xx.xx.226
> !
> route-map local-policy-route permit 200
> 
> 
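An added consistency check for the workaround in the release note quoted above (example code, not from the thread, Cisco, or any tool named in it): it parses an IOS-style config fragment, resolves each tunnel destination through the static routes only (PBR is skipped on purpose, because the bug note says it does not steer the router's own GRE packets), and reports tunnels whose destination would leave a different interface than the tunnel source, together with the host route that would correct it. The sample config is constructed with documentation-range addresses and modelled on the layout of the original post, where both tunnels point at the same hub address; the check flags that too, since a per-destination static route can satisfy only one of them.

```python
import ipaddress

# Constructed sample modelled on this thread's layout (two uplinks, two tunnels to one
# hub, one default route); documentation-range placeholders, not the poster's addresses.
SAMPLE_CONFIG = """\
interface Serial0/2/0
 ip address 198.51.100.198 255.255.255.252
interface Tunnel0
 tunnel source Dialer1
 tunnel destination 203.0.113.212
interface Tunnel1
 tunnel source Serial0/2/0
 tunnel destination 203.0.113.212
ip route 0.0.0.0 0.0.0.0 198.51.100.197
"""

def parse(cfg):
    """Connected subnet per interface, tunnels {name: {source, destination}}, static routes."""
    ifaces, tunnels, routes, cur = {}, {}, [], None
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[0] == "interface":
            cur = t[1]
        elif t[:2] == ["ip", "address"] and t[2] != "negotiated":
            ifaces[cur] = ipaddress.ip_interface(f"{t[2]}/{t[3]}").network
        elif t[0] == "tunnel" and t[1] in ("source", "destination"):
            tunnels.setdefault(cur, {})[t[1]] = t[2]
        elif t[:2] == ["ip", "route"]:
            routes.append((ipaddress.ip_network(f"{t[2]}/{t[3]}"), t[4]))
    return ifaces, tunnels, routes

def egress(dst, ifaces, routes):
    """Longest static match, then next hop -> connected interface; PBR is ignored on purpose."""
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen, default=None)
    if best is None or not best[1][0].isdigit():   # unreachable, or route names an interface
        return best and best[1]
    nh = ipaddress.ip_address(best[1])
    return next((i for i, n in ifaces.items() if nh in n), None)

def check(cfg):
    """Findings: tunnels leaving the wrong interface (with the host route to add), shared destinations."""
    ifaces, tunnels, routes = parse(cfg)
    findings, by_dest = [], {}
    for name, t in tunnels.items():
        dst = ipaddress.ip_address(t["destination"])
        by_dest.setdefault(dst, []).append(name)
        if (out := egress(dst, ifaces, routes)) != t["source"]:
            findings.append(f"{name}: {dst} exits via {out}, tunnel source is {t['source']}; "
                            f"add: ip route {dst} 255.255.255.255 {t['source']}")
    findings += [f"{d} is shared by {', '.join(n)}: one host route fixes only one tunnel"
                 for d, n in by_dest.items() if len(n) > 1]
    return findings
```

Running `check(SAMPLE_CONFIG)` reports Tunnel0 leaving Serial0/2/0 instead of Dialer1 and the shared hub address; appending the suggested host route moves the mismatch to Tunnel1, which is the primary/backup limitation the release note mentions.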


