[c-nsp] Crypto map + traffic via "ip route vrf ... global"

Stig Johansen stig.johansen at ementor.no
Tue Jul 15 06:38:23 EDT 2008


Make sure the traffic enters the VRF correctly via an ISAKMP profile.
Check the following quickly hacked example:

This assumes the peers are directly connected on their outside interfaces
via a 192.0.2.0/24 network. If not, adjust the peer IPs and add a default
route in the global routing table. No routing *into* the VRFs is needed,
just outgoing routes so the destination network is routed out into the
global table, encrypted or not.

It also assumes 10.10.10.0/24 is behind the 7200 and 10.20.20.0/24 is
behind the ASA/other peer.

!
ip vrf A-vrf
 rd 1:1
!
crypto keyring A-keyring
 pre-shared-key address 192.0.2.2 key very-private-key
!
crypto isakmp policy 25
 encr 3des
 hash sha
 authentication pre-share
!
crypto isakmp profile A-profile
   vrf A-vrf
   keyring A-keyring
   match identity address 192.0.2.2 255.255.255.255
!
crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac
!
crypto map vamtest 25 ipsec-isakmp 
 set peer 192.0.2.2
 set transform-set 3dessha 
 set isakmp-profile A-profile
 match address A-acl
!
interface GigabitEthernet0/1
 description OUTSIDE interface
 ip address 192.0.2.1 255.255.255.0
 crypto map vamtest
!
interface GigabitEthernet0/2.2081
 description INSIDE VRF interface
 encapsulation dot1Q 2081
 ip vrf forwarding A-vrf
 ip address 172.16.10.1 255.255.255.0
!
ip route vrf A-vrf 10.10.10.0 255.255.255.0 172.16.10.2
ip route vrf A-vrf 10.20.20.0 255.255.255.0 GigabitEthernet0/1 192.0.2.2 global
!
ip access-list extended A-acl
 permit ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255


Regards,
Stig Meireles Johansen
Senior Consultant
______________________________
Ementor Norge AS, Brynsalleen 2, BOX 6472 Etterstad, N-0605 Oslo
Tel +47 22 09 50 00, Direct +47 24 09 96 94
stig.johansen at ementor.no
www.ementor.no


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev
Sent: 15 July 2008 02:46
To: cisco-nsp
Subject: [c-nsp] Crypto map + traffic via "ip route vrf ... global"

Hi,

I have a strange-ish problem. I've configured an IPSec tunnel between a
7206 NPE-G1 12.4(12) with SA-VAM2+ and an ASA 5550 7.2(4). For some
reason traffic only gets encrypted ASA->7200, not the other way.

The traffic that doesn't get encrypted comes from a VRF Lite
subinterface on the "back" of the 7200. This VRF has a static 0/0 route
with a global next hop, and the global table has a static route pointing
the other way.

Traffic can go from behind ASA to behind 7200 with no problems. Traffic
from behind the 7200 doesn't get encrypted for some reason, including
replies from ICMP echoes that came encrypted. And the 7200 doesn't
initiate a tunnel either.

Could it be because I can't make the crypto map work for the "ip route
vrf ... global" traffic? The configuration works fine when the host
behind the 7200 isn't in a VRF, but the 7200 being software based I
thought this wouldn't be a problem.

Configuration at the bottom, with Host X behind the 7200 and Host Y
behind the ASA. Host X is not directly connected to the 7200, but behind
another router. Traffic is routed with no problems, so it's only the
encryption that's missing. (The ASA complains about it in logs and I can
see it with tcpdump.)

The 7200 creates the IPSec SA, but only the "decaps" counter goes up:

vamtest#sh cry ips sa

interface: GigabitEthernet0/1
    Crypto map tag: vamtest, local addr [7200-outside]

   protected vrf: (none)
   local  ident (addr/mask/prot/port): ([Host X]/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): ([Host Y]/255.255.255.255/0/0)
   current_peer [ASA-outside] port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: [7200-outside], remote crypto endpt.: [ASA-outside]
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0xA9F53FD7(2851422167)
          
     inbound esp sas:
      spi: 0x4FC8A681(1338549889)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3002, flow_id: VAM2:2, crypto map: vamtest
        sa timing: remaining key lifetime (k/sec): (4511451/1957)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
          
     inbound ah sas:
          
     inbound pcp sas:
          
     outbound esp sas:
      spi: 0xA9F53FD7(2851422167)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3001, flow_id: VAM2:1, crypto map: vamtest
        sa timing: remaining key lifetime (k/sec): (4511454/1955)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
          
     outbound ah sas:
          
     outbound pcp sas:
          
vamtest#

Debug ("crypto ipsec" + "crypto isakmp" + "errors" for both) says
nothing at all for traffic coming from inside. It's just routed, as if
the crypto map didn't exist.

And now the configuration:

! *** 7200 ***
ip vrf A
 rd 64512:1
!
crypto isakmp policy 25
 encr 3des
 hash sha
 authentication pre-share
!
crypto isakmp key <bla> address [ASA-outside]
!
crypto ipsec transform-set sha-3des esp-3des esp-sha-hmac 
!
crypto map vamtest 25 ipsec-isakmp
 description SAVAM2test -> ASA Horsens
 set peer [ASA-outside]
 set transform-set sha-3des 
 match address SAVAM2test
!
interface GigabitEthernet0/1
 description Outside
 ip address [7200-outside]
 crypto map vamtest
!
interface GigabitEthernet0/2.2081
 description Inside, VRF
 encapsulation dot1Q 2081
 ip vrf forwarding A
 ip address [inside net]
 ip tcp adjust-mss 1355
!
ip route 0.0.0.0 0.0.0.0 [Outside next hop]
ip route [Host X] Gi0/2.2081 [Inside VRF next hop]
ip route vrf A [Host Y] [Outside next hop] global
!
ip access-list extended SAVAM2test
 permit ip host [Host X] host [Host Y]
!

! *** ASA ***
access-list SAVAM2test permit ip host [Host Y] host [Host X]
!
crypto map asaoutside_map 60 match address SAVAM2test
crypto map asaoutside_map 60 set peer [7200-outside]
crypto map asaoutside_map 60 set transform-set ESP-3DES-SHA
!
tunnel-group [7200-outside] type ipsec-l2l
tunnel-group [7200-outside] ipsec-attributes
 pre-shared-key <bla>
!
static (asainside,asaoutside) [Host Y] [Y int.] netmask 255.255.255.255
!


Thank you,
Peter
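As an added example (not from either poster), a small Python lint that applies the point of the reply to a config text: for every VRF that leaks into the global table with "ip route vrf ... global", it checks that a crypto map applied to an interface references an ISAKMP profile carrying that VRF. The two configs are constructed from the excerpts in this thread, with RFC 5737 sample addresses in place of the bracketed placeholders.

```python
# Constructed excerpt modelled on the original poster's 7200 config; the
# bracketed placeholders ([ASA-outside] etc.) are replaced with RFC 5737 samples.
BEFORE = """\
ip vrf A
crypto map vamtest 25 ipsec-isakmp
 set peer 192.0.2.2
 match address SAVAM2test
interface GigabitEthernet0/1
 crypto map vamtest
ip route vrf A 10.20.20.0 255.255.255.0 192.0.2.2 global
"""
# Same config plus the reply's fix: an ISAKMP profile carrying 'vrf A', referenced from the crypto map.
AFTER = BEFORE.replace(" set peer 192.0.2.2\n",
                       " set peer 192.0.2.2\n set isakmp-profile A-profile\n")
AFTER += "crypto isakmp profile A-profile\n   vrf A\n   keyring A-keyring\n"

def check_vrf_crypto_binding(config):
    """For each VRF with an 'ip route vrf X ... global' route, return None if
    an applied crypto map binds an ISAKMP profile to X, else the reason not."""
    leaking, prof_vrf, map_profs, applied, header = set(), {}, {}, set(), ""
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw[0].isspace():                    # new top-level stanza
            header = raw.strip()
            if header.startswith("ip route vrf ") and header.endswith(" global"):
                leaking.add(header.split()[3])
            continue
        kid = raw.split()                           # indented child line
        if header.startswith("crypto isakmp profile ") and kid[0] == "vrf":
            prof_vrf[header.split()[3]] = kid[1]
        elif header.startswith("crypto map ") and kid[:2] == ["set", "isakmp-profile"]:
            map_profs.setdefault(header.split()[2], set()).add(kid[2])
        elif header.startswith("interface ") and kid[:2] == ["crypto", "map"]:
            applied.add(kid[2])
    findings = {}
    for vrf in sorted(leaking):
        profs = {p for p, v in prof_vrf.items() if v == vrf}
        maps = {c for c, ps in map_profs.items() if ps & profs}
        if not profs:
            findings[vrf] = "no 'crypto isakmp profile' carries 'vrf %s'" % vrf
        elif not maps & applied:
            findings[vrf] = "no applied crypto map references a profile for VRF " + vrf
        else:
            findings[vrf] = None
    return findings

if __name__ == "__main__":
    print(check_vrf_crypto_binding(BEFORE))  # {'A': "no 'crypto isakmp profile' carries 'vrf A'"}
    print(check_vrf_crypto_binding(AFTER))   # {'A': None}
```

Run against a full "show running-config" dump the same way; a non-None finding for a VRF means its leaked traffic reaches the outside interface without a VRF-aware IKE binding and, as in the original post, is forwarded in the clear while only the decaps counters move.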

