[c-nsp] ip local policy route and tunnels

Joe Maimon jmaimon at ttec.com
Tue May 30 05:21:20 EDT 2006


Thank you.

Denis V. Schapov wrote:

> Hi,
> 
> look at CSCef95982, CSCef66719, CSCds24740 and a lot of other similar ones.
> 
> CSCef95982: GRE: Cant control which exit interface tunnel packets use
> 
> Release Notes
>  
> Symptom: GRE tunnel packets are getting dropped.
> 
> Condition: When configuring GRE tunnels where there are two output 
> interfaces via two different ISPs _and_ packets going out each 
> interface must use an address from that interface's subnet as the 
> source. You can configure the GRE tunnel to have a tunnel source 
> of one of the outbound interfaces, but the GRE packets with this 
> tunnel source may go out either interface. The GRE packets going 
> out the other interface (wrong source IP address) will get dropped 
> by the ISP.
> 
> Workaround: You must configure the routing so that the 
> tunnel destination address is only
> routed via the correct interface. You cannot use Policy Based
> Routing (PBR). This workaround may hamper configuring primary/backup
> redundancy types of configurations. 
> 
> ----
> Denis V. Schapov
> JSC "DSI"
> Irkutsk, Russia
> dschapov at dsi.ru
> +7 3952 510506
> 
> 
> 
> ----- Original Message ----- 
> From: "Joe Maimon" <jmaimon at ttec.com>
> To: <cisco-nsp at puck.nether.net>
> Sent: Wednesday, May 24, 2006 9:15 AM
> Subject: [c-nsp] ip local policy route and tunnels
> 
> 
> 
>>Anyone see any issues trying to run gre and or ipsec tunnels on a router 
>>through different interfaces by using local policy routing?
>>
>>I can get the tunnels up and ipsec sa are established, but tunnel 
>>packets encapsulating payload traffic do not appear to be properly 
>>policy routed.
>>
>>In the past I have worked around this, but it is starting to get annoying.
>>
>>(yes I have a tac case open)
>>
>>Here is an example
>>
>>crypto keyring spokes
>>   pre-shared-key address 64.xx.xx.212 key <key>
>>!
>>crypto isakmp policy 1
>>  hash md5
>>  authentication pre-share
>>!
>>crypto isakmp policy 2
>>  encr 3des
>>  hash md5
>>  authentication pre-share
>>  group 2
>>!
>>crypto isakmp policy 3
>>  encr 3des
>>  authentication pre-share
>>  group 2
>>
>>!
>>crypto ipsec transform-set stdenc.set ah-md5-hmac esp-3des esp-md5-hmac
>>  mode transport
>>crypto ipsec transform-set stdenc.noah.set esp-3des esp-md5-hmac
>>  mode transport
>>!
>>crypto ipsec profile encrypted-inet-links
>>  set security-association lifetime seconds 120
>>  set transform-set stdenc.noah.set stdenc.set
>>  set pfs group2
>>!
>>!
>>interface Tunnel0
>>  ip address 10.10.36.2 255.255.255.252
>>  ip nat inside
>>  ip virtual-reassembly
>>  keepalive 10 3
>>  tunnel source Dialer1
>>  tunnel destination 64.xx.xx.212
>>!
>>interface Tunnel1
>>  ip address 10.10.37.1 255.255.255.0
>>  no ip redirects
>>  ip mtu 1400
>>  ip nat inside
>>  ip nhrp authentication ulthef
>>  ip nhrp map multicast dynamic
>>  ip nhrp map multicast 64.xx.xx.212
>>  ip nhrp map 10.10.37.2 64.xx.xx.212
>>  ip nhrp map multicast 67.yy.yy.198
>>  ip nhrp network-id 16770544
>>  ip nhrp nhs 10.10.37.2
>>  ip virtual-reassembly
>>  ip tcp adjust-mss 1360
>>  no ip split-horizon eigrp 4535
>>  delay 1000
>>  keepalive 10 3
>>  tunnel source Serial0/2/0
>>  tunnel mode gre multipoint
>>  tunnel key 16770544
>>  tunnel path-mtu-discovery
>>  tunnel protection ipsec profile encrypted-inet-links
>>!
>>interface Serial0/2/0
>>  ip address 67.yy.yy.198 255.255.255.252
>>  no ip redirects
>>  ip nat outside
>>  ip virtual-reassembly
>>  no ip mroute-cache
>>  service-module t1 timeslots 1-12
>>!
>>interface Dialer1
>>  ip address negotiated
>>  ip nat outside
>>  ip virtual-reassembly
>>  encapsulation ppp
>>  ip tcp adjust-mss 1452
>>  dialer pool 1
>>  dialer-group 1
>>  no cdp enable
>>  ppp authentication pap callin
>>  ppp chap hostname user at domain
>>  ppp chap password apassword
>>  ppp pap sent-username user at domain password apassword
>>!
>>ip local policy route-map local-policy-route
>>ip route 0.0.0.0 0.0.0.0 67.yy.yy.197
>>!
>>ip access-list extended pyyyy-exit
>>  permit ip host 67.yy.yy.198 host 64.xx.xx.212
>>!
>>ip access-list extended chl-exit
>>  !this is the static ip bound to the Dialer1 interface by the ISP
>>  permit ip host 64.xx.xx.44 any
>>!
>>route-map local-policy-route permit 20
>>  match ip address pyyyy-exit
>>  set interface Serial0/2/0
>>  set ip next-hop 67.yy.yy.197
>>!
>>route-map local-policy-route permit 30
>>  match ip address cxxxx-exit
>>  set interface Dialer1
>>  set ip next-hop 69.xx.xx.226
>>!
>>route-map local-policy-route permit 200
>>
>>
>>_______________________________________________
>>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>https://puck.nether.net/mailman/listinfo/cisco-nsp
>>archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>>
> 
> 
> 


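As an added illustration of the workaround quoted above (this is not code from the thread or from Cisco), the following Python checker parses a constructed IOS config fragment modelled on the one in the original message and reports tunnels whose `tunnel source` interface is not the interface the routing table would pick to reach the tunnel destination (or an NHRP-mapped peer for mGRE), since those are the encapsulated packets that leave with the wrong source address and get dropped by the ISP. All addresses (RFC 5737 ranges), interface names and the fixed /32 on Dialer1 are assumptions.

```python
import ipaddress

# Constructed sample config (not the poster's). Dialer1 gets a fixed /32 because "ip address negotiated" cannot be resolved offline.
SAMPLE_CONFIG = """\
interface Tunnel0
 tunnel source Dialer1
 tunnel destination 203.0.113.212
interface Tunnel1
 tunnel source Serial0/2/0
 ip nhrp map 10.10.37.2 203.0.113.212
interface Serial0/2/0
 ip address 198.51.100.198 255.255.255.252
interface Dialer1
 ip address 192.0.2.44 255.255.255.255
ip route 0.0.0.0 0.0.0.0 198.51.100.197
"""

def parse_config(text):
    """Collect tunnel source/destinations, connected interface subnets and static routes."""
    tunnels, ifaces, routes, cur = {}, {}, [], None
    for raw in text.splitlines():
        w = raw.split() or [""]
        if w[0] == "interface":
            cur = w[1]
        elif w[:2] == ["tunnel", "source"]:
            tunnels.setdefault(cur, {"dests": []})["source"] = w[2]
        elif w[:2] == ["tunnel", "destination"]:
            tunnels.setdefault(cur, {"dests": []})["dests"].append(w[2])
        elif w[:3] == ["ip", "nhrp", "map"] and w[3] != "multicast":  # mGRE peer NBMA address
            tunnels.setdefault(cur, {"dests": []})["dests"].append(w[4])
        elif w[:2] == ["ip", "address"] and len(w) == 4:  # skips "ip address negotiated"
            ifaces[cur] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        elif w[:2] == ["ip", "route"]:
            routes.append((ipaddress.ip_network(f"{w[2]}/{w[3]}"), w[4]))
    return tunnels, ifaces, routes

def exit_interface(dest, ifaces, routes):
    """Longest-prefix match for dest, then resolve the next hop to a connected interface."""
    dest = ipaddress.ip_address(dest)
    best = max((r for r in routes if dest in r[0]), key=lambda r: r[0].prefixlen, default=None)
    if best and not best[1][0].isdigit():  # route points straight at an interface name
        return best[1]
    target = ipaddress.ip_address(best[1]) if best else dest
    return next((name for name, ipi in ifaces.items() if target in ipi.network), None)

def find_mismatches(text):
    """Tunnels whose source interface differs from the interface routing would actually use."""
    tunnels, ifaces, routes = parse_config(text)
    checked = [(n, t.get("source"), d, exit_interface(d, ifaces, routes))
               for n, t in tunnels.items() for d in t["dests"]]
    return {n: (src, d, via) for n, src, d, via in checked if via != src}
```

Appending the workaround host route `ip route 203.0.113.212 255.255.255.255 Dialer1` clears Tunnel0 but then flags Tunnel1, which is the primary/backup limitation the bug note describes: one peer address can only be routed out one interface.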