[c-nsp] unable to route traffic over ipsec/gre tunnels - HELP!

false jctx09 at yahoo.com
Mon Jan 14 09:59:30 EST 2013


I have an issue where I can't get traffic to pass from HDQ to two branch offices over our ipsec/gre tunnels even though the tunnels appear to be UP. The HDQ is a 2811, branch 1 is a home office using an 871W and branch 2 runs a 2801 router.
I initially had HDQ working fine with the 871W (Branch-1), but when I configured Branch-2 (2801), they both broke. The tunnels appear to be up but traffic is not routing across them. The two 2801 routers run 12.4 (c2800nm-adventerprisek9-mz.124-24.T2.bin). These are GRE over IPsec tunnels. Currently traffic flows over an existing MPLS network that we are getting away from due to cost. As soon as I change the routes to point to the tunnels, it breaks. Traffic doesn't appear to pass through the tunnel. BTW, the tunnels do appear up and sessions established. I have attached my sanitized configs. Any assistance would be VERY, VERY much appreciated.


HDQ#sh crypto sess
Crypto session current status

Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 205.205.205.21 port 500
  IKE SA: local 204.204.204.66/500 remote 205.205.205.21/500 Active
  IPSEC FLOW: permit 47 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 4, origin: crypto map
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.2.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.41.0/255.255.255.0
        Active SAs: 0, origin: crypto map

Interface: FastEthernet0/1
Session status: UP-IDLE
Peer: 206.206.206.1 port 500
  IKE SA: local 204.204.204.66/500 remote 206.206.206.1/500 Active
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.3.0/255.255.255.0
        Active SAs: 0, origin: crypto map

HDQ#

HDQ#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src               state          conn-id status
204.204.204.66   206.206.206.1    QM_IDLE           1003 ACTIVE
205.205.205.21   204.204.204.66   QM_IDLE           1002 ACTIVE

IPv6 Crypto ISAKMP SA

HDQ#sh ip int br
Tunnel31                   172.16.31.33    YES NVRAM  up                    up  
Tunnel41                   172.16.31.41    YES NVRAM  up                    up  

Configs:
HDQ
aaa new-model
!
!
aaa authentication ppp default local
aaa authorization network vpnauth local 
!
!

!
!
username admin privilege 15 view root pass
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key secret address 205.205.205.21
crypto isakmp key secret address 206.206.206.1
crypto isakmp keepalive 10 5 periodic
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpn_set esp-3des esp-md5-hmac 
!
crypto map vpnmap 10 ipsec-isakmp 
 set peer 205.205.205.21
 set transform-set vpn_set 
 match address 141
crypto map vpnmap 31 ipsec-isakmp 
 set peer 206.206.206.1
 set transform-set vpn_set 
 match address 131
!
!
!
interface Tunnel31
 ip address 172.16.31.33 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 204.204.204.66
 tunnel destination 206.206.206.1
!
interface Tunnel41
 ip address 172.16.31.41 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 204.204.204.66
 tunnel destination 205.205.205.21
!
!
interface FastEthernet0/1
 ip address 204.204.204.66 255.255.255.0
 ip access-group 101 in
 no ip unreachables
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect ISP2-cbac out
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map vpnmap
!
interface FastEthernet1/0
 description ***To MPLS***
 switchport access vlan 10
 switchport voice vlan 1
 mls qos trust dscp
 auto qos voip trust 
 auto discovery qos 
 spanning-tree portfast
!

!
interface Virtual-Template1
 ip unnumbered Vlan1
 ip virtual-reassembly
 no peer default ip address
 ppp encrypt mppe auto passive
 ppp authentication pap chap ms-chap
!
!
interface Vlan10
 ip address 192.168.1.30 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 204.204.204.254
ip route 10.255.1.0 255.255.255.0 192.168.1.254
ip route 172.18.2.0 255.255.255.0 192.168.1.254
ip route 172.18.3.0 255.255.255.0 192.168.1.254
ip route 192.168.1.0 255.255.255.0 192.168.3.254
ip route 192.168.1.0 255.255.255.0 192.168.1.254
ip route 192.168.1.2 255.255.255.255 Service-Engine0/0
ip route 192.168.3.0 255.255.255.0 192.168.1.254
ip route 192.168.10.0 255.255.255.0 192.168.1.157
ip route 192.168.41.0 255.255.255.0 Tunnel41
!
ip nat inside source route-map nonat interface FastEthernet0/1 overload
ip nat inside source static 192.168.1.157 204.204.204.27
ip nat inside source static 192.168.1.31 204.204.204.67
!
logging 192.168.2.53
logging 192.168.2.28
access-list 20 permit 192.168.0.0 0.0.255.255
access-list 20 permit 172.18.0.0 0.0.255.255
access-list 101 permit udp host 205.205.205.21 any eq isakmp
access-list 101 permit udp host 205.205.205.21 eq isakmp any
access-list 101 permit esp host 205.205.205.21 any
access-list 101 permit udp host 205.205.205.22 any eq isakmp
access-list 101 permit udp host 205.205.205.22 eq isakmp any
access-list 101 permit esp host 205.205.205.22 any
access-list 101 permit tcp any host 204.204.204.27 eq 443
access-list 101 permit udp host 206.206.206.1 any eq isakmp
access-list 101 permit udp host 206.206.206.1 eq isakmp any
access-list 101 permit esp host 206.206.206.1 any
access-list 121 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 131 permit gre any any
access-list 131 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 141 permit gre any any
access-list 141 permit ip 192.168.1.0 0.0.0.255 192.168.41.0 0.0.0.255
access-list 141 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 175 deny   ip 192.168.1.0 0.0.0.255 192.168.41.0 0.0.0.255
access-list 175 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 175 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 175 deny   ip 192.168.1.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 175 permit ip 192.168.1.0 0.0.0.255 any
!
!
!
!
route-map nonat permit 41
 match ip address 175
!
!

Branch-1

Current configuration : 5625 bytes
!
version 12.3

!
username cisco privilege 15 
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local 
aaa session-id common
ip subnet-zero
ip cef
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key M1bius77 address 204.204.204.66
crypto isakmp keepalive 10 5 periodic
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpn_set esp-3des esp-md5-hmac 
!
crypto map xxx_To_yyy 41 ipsec-isakmp 
 set peer 204.204.204.66
 set transform-set vpn_set 
 match address 141
!
bridge irb
!
!
interface Tunnel41
 ip address 172.16.31.42 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 205.205.205.21
 tunnel destination 204.204.204.66
!
interface FastEthernet0
 no ip address
 no cdp enable
 spanning-tree portfast
!
interface FastEthernet1
 no ip address
 no cdp enable
 spanning-tree portfast
!
interface FastEthernet2
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
 no ip address
 no cdp enable
 spanning-tree portfast
!
interface FastEthernet4
 ip address dhcp client-id FastEthernet4
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 crypto map xxx_To_yyy
!
!
interface Vlan1
 description Internal NetHome Network
 no ip address
 ip nat inside
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 description Bridge to Internal Home Network
 ip address 192.168.41.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip classless
ip route 192.168.1.0 255.255.255.0 Tunnel41
!
ip nat inside source route-map nonat interface FastEthernet4 overload
ip nat inside source static tcp 192.168.41.51 3074 interface FastEthernet4 3074
ip nat inside source static udp 192.168.41.51 88 interface FastEthernet4 88
ip nat inside source static udp 192.168.41.51 3074 interface FastEthernet4 3074
!
logging trap debugging
logging 192.168.41.22
access-list 1 permit 192.168.41.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit udp host 204.204.204.66 any eq isakmp
access-list 101 permit udp host 204.204.204.66 eq isakmp any
access-list 101 permit esp host 204.204.204.66 any
access-list 101 permit icmp any any
access-list 101 permit udp any any eq bootpc
access-list 129 deny   ip 192.168.41.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 129 permit ip 192.168.41.0 0.0.0.255 any
access-list 141 permit gre any any
access-list 141 permit ip 192.168.41.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 175 deny   ip 192.168.41.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 175 permit ip 192.168.41.0 0.0.0.255 any

Branch-2

aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local 
!
!

username admin privilege 15 view root pass
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key secret address 204.204.204.66
crypto isakmp keepalive 10 5 periodic
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpn_set esp-3des esp-md5-hmac 
!
crypto map vpnmap 31 ipsec-isakmp 
 set peer 204.204.204.66
 set transform-set vpn_set 
 match address 131
!
interface Tunnel31
 ip address 172.16.31.34 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 206.206.206.1
 tunnel destination 204.204.204.66
!
interface FastEthernet0/1
 ip address 206.206.206.1 255.255.255.248
 ip access-group 101 in
 ip nat outside
 ip inspect ISP2-cbac out
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map vpnmap
!
!
interface Vlan10
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 50.79.142.6
ip route 172.18.1.0 255.255.255.0 192.168.3.254
ip route 172.18.2.0 255.255.255.0 192.168.3.254
ip route 172.18.3.2 255.255.255.255 Service-Engine0/0
ip route 192.168.1.0 255.255.255.0 192.168.3.254
ip route 192.168.2.0 255.255.255.0 192.168.3.254
ip route 192.168.10.0 255.255.255.0 192.168.3.254
!
ip nat inside source route-map nonat interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.3.10 5899 206.206.206.5 5899 extendable
!
access-list 20 permit x.x.x.x
access-list 20 permit 192.168.0.0 0.0.255.255
access-list 20 permit 172.18.0.0 0.0.255.255
access-list 101 permit udp any host 206.206.206.1 eq 5060
access-list 101 permit udp host 204.204.204.66 any eq isakmp
access-list 101 permit udp host 204.204.204.66 eq isakmp any
access-list 101 permit esp host 204.204.204.66 any
access-list 102 remark NAT ACL
access-list 102 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 102 deny   ip 192.168.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list 102 deny   ip 172.18.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list 102 deny   ip 172.18.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 192.168.3.0 0.0.0.255 any
access-list 102 permit ip 172.18.3.0 0.0.0.255 any
access-list 131 permit gre any any
access-list 131 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
route-map nonat permit 41
 match ip address 175
!
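Added example, not part of the original post and not the poster's config: a small Python simulation of how IOS walks a crypto map. Entries are evaluated in sequence-number order, and the first entry whose crypto ACL permits an outbound packet selects the peer it is encrypted to. The HDQ crypto map and ACLs 131/141 in the block are copied from the posted HDQ config; both ACLs open with "permit gre any any", and the "sh crypto sess" output earlier in the post lists the "permit 47 0.0.0.0/0.0.0.0" flow with active SAs only under peer 205.205.205.21. The "narrowed" ACL set is an assumption added here for contrast, keyed to each tunnel's own source and destination addresses, and does not come from the post.

```python
"""Simulate IOS crypto-map entry selection for an outbound packet.

Entries are walked in sequence-number order; the first entry whose
crypto ACL permits the packet decides the IPsec peer, so a broad ACE
in a low sequence can capture traffic meant for a later sequence.
"""
import ipaddress

# IP protocol numbers for the keywords used in the posted ACLs.
PROTO = {"ip": None, "gre": 47, "esp": 50, "udp": 17, "tcp": 6, "icmp": 1}


def _addr(tok):
    """Consume one ACL address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    # IPv4Network accepts a wildcard (hostmask) after the slash, but the
    # all-zero and all-one masks are ambiguous with a netmask, so handle
    # those two explicitly.
    if tok[1] == "0.0.0.0":
        return ipaddress.ip_network(tok[0]), tok[2:]
    if tok[1] == "255.255.255.255":
        return ipaddress.ip_network("0.0.0.0/0"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]


def parse_acls(text):
    """Return {acl_name: [(action, proto, src_net, dst_net), ...]}.

    Port qualifiers (eq, range) after the addresses are ignored.
    """
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        name, action, proto = tok[1], tok[2], PROTO[tok[3]]
        src, rest = _addr(tok[4:])
        dst, _ = _addr(rest)
        acls.setdefault(name, []).append((action, proto, src, dst))
    return acls


def _ace_matches(ace, proto, src, dst):
    _, aproto, asrc, adst = ace
    return (aproto is None or aproto == proto) and src in asrc and dst in adst


def select_peer(crypto_map, acls, proto, src, dst):
    """Peer of the first crypto map entry whose ACL permits the packet.

    A deny hit means 'not protected by this entry'; evaluation moves on
    to the next sequence.  Returns None if no entry matches (cleartext).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _seq, peer, acl_name in sorted(crypto_map):
        for ace in acls.get(acl_name, []):
            if _ace_matches(ace, proto, src, dst):
                if ace[0] == "permit":
                    return peer
                break
    return None


def shadowed(crypto_map, acls):
    """(later_seq, earlier_seq, proto) for every permit ACE of a later
    entry that is entirely covered by a permit ACE of an earlier entry."""
    found = []
    entries = sorted(crypto_map)
    for i, (seq, _, name) in enumerate(entries):
        for eseq, _, ename in entries[:i]:
            for ace in acls.get(name, []):
                for eace in acls.get(ename, []):
                    if (ace[0] == eace[0] == "permit"
                            and (eace[1] is None or eace[1] == ace[1])
                            and ace[2].subnet_of(eace[2])
                            and ace[3].subnet_of(eace[3])):
                        found.append((seq, eseq, ace[1]))
    return found


# HDQ crypto map as posted: (sequence, peer, crypto ACL number).
HDQ_MAP = [(10, "205.205.205.21", "141"), (31, "206.206.206.1", "131")]

# Crypto ACLs copied from the posted HDQ config.
HDQ_ACLS_AS_POSTED = """
access-list 131 permit gre any any
access-list 131 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 141 permit gre any any
access-list 141 permit ip 192.168.1.0 0.0.0.255 192.168.41.0 0.0.0.255
access-list 141 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

# Assumed alternative (NOT from the post): each entry matches only the
# GRE between its own tunnel endpoints, so neither can capture the other's.
HDQ_ACLS_NARROWED = """
access-list 131 permit gre host 204.204.204.66 host 206.206.206.1
access-list 141 permit gre host 204.204.204.66 host 205.205.205.21
"""

if __name__ == "__main__":
    for label, text in (("as posted", HDQ_ACLS_AS_POSTED),
                        ("narrowed", HDQ_ACLS_NARROWED)):
        acls = parse_acls(text)
        for dst in ("205.205.205.21", "206.206.206.1"):
            peer = select_peer(HDQ_MAP, acls, 47, "204.204.204.66", dst)
            print(f"{label:10} GRE -> {dst:16} encrypted to peer {peer}")
        print(f"{label:10} shadowed entries: {shadowed(HDQ_MAP, acls)}")
```

Run it as a script to see which peer the GRE toward each branch is encrypted to under both ACL sets. The parser only handles the address forms that appear in the posted configs (any, host, network plus wildcard) and ignores port qualifiers; it is meant for reasoning about the crypto ACLs above, not as a general IOS ACL parser.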

