[c-nsp] unable to route traffic over ipsec/gre tunnels - HELP!
Nick Hilliard
nick at foobar.org
Mon Jan 14 10:16:44 EST 2013
On 14/01/2013 14:59, false wrote:
> I initially had HDQ working fine with the 871W (Branch-1) but when I
> configured branch2 (2801), they both broke.
Can you ping the endpoints of each tunnel?
Nick
> The tunnels appear to be up
> but traffic is not routing across them. The two 2801 routers run 12.4
> (c2800nm-adventerprisek9-mz.124-24.T2.bin). These are gre over ipsec
> tunnels. Currently traffic flows over an existing MPLS network that we
> are getting away from due to cost. As soon as I change the routes to
> point to the Tunnels, it breaks. Traffic doesn't appear to pass through
> the tunnel. BTW, the tunnels do appear up and sessions established. I
> have attached my sanitized configs. Any assistance would be VERY, VERY
> much appreciated.
>
>
> HDQ#sh crypto sess
> Crypto session current status
>
> Interface: FastEthernet0/1
> Session status: UP-ACTIVE
> Peer: 205.205.205.21 port 500
> IKE SA: local 204.204.204.66/500 remote 205.205.205.21/500 Active
> IPSEC FLOW: permit 47 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
> Active SAs: 4, origin: crypto map
> IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.2.0/255.255.255.0
> Active SAs: 0, origin: crypto map
> IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.41.0/255.255.255.0
> Active SAs: 0, origin: crypto map
>
> Interface: FastEthernet0/1
> Session status: UP-IDLE
> Peer: 206.206.206.1 port 500
> IKE SA: local 204.204.204.66/500 remote 206.206.206.1/500 Active
> IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.3.0/255.255.255.0
> Active SAs: 0, origin: crypto map
>
> HDQ#
>
> HDQ#sh cry isa sa
> IPv4 Crypto ISAKMP SA
> dst src state conn-id status
> 204.204.204.66 206.206.206.1 QM_IDLE 1003 ACTIVE
> 205.205.205.21 204.204.204.66 QM_IDLE 1002 ACTIVE
>
> IPv6 Crypto ISAKMP SA
>
> sh ip int br:
> Tunnel31 172.16.31.33 YES NVRAM up up
> Tunnel41 172.16.31.41 YES NVRAM up up
>
> Configs:
> HDQ
> aaa new-model
> !
> !
> aaa authentication ppp default local
> aaa authorization network vpnauth local
> !
> !
>
> !
> !
> username admin privilege 15 view root pass
> !
> crypto isakmp policy 10
> encr 3des
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key secret address 205.205.205.21
> crypto isakmp key secret address 206.206.206.1
> crypto isakmp keepalive 10 5 periodic
> !
> crypto ipsec security-association lifetime seconds 86400
> !
> crypto ipsec transform-set vpn_set esp-3des esp-md5-hmac
> !
> crypto map vpnmap 10 ipsec-isakmp
> set peer 205.205.205.21
> set transform-set vpn_set
> match address 141
> crypto map vpnmap 31 ipsec-isakmp
> set peer 206.206.206.1
> set transform-set vpn_set
> match address 131
> !
> !
> !
> interface Tunnel31
> ip address 172.16.31.33 255.255.255.252
> ip mtu 1400
> ip tcp adjust-mss 1360
> tunnel source 204.204.204.66
> tunnel destination 206.206.206.1
> !
> interface Tunnel41
> ip address 172.16.31.41 255.255.255.252
> ip mtu 1400
> ip tcp adjust-mss 1360
> tunnel source 204.204.204.66
> tunnel destination 205.205.205.21
> !
> !
> interface FastEthernet0/1
> ip address 204.204.204.66 255.255.255.0
> ip access-group 101 in
> no ip unreachables
> ip flow ingress
> ip flow egress
> ip nat outside
> ip inspect ISP2-cbac out
> ip virtual-reassembly
> duplex auto
> speed auto
> crypto map vpnmap
> !
> interface FastEthernet1/0
> description ***To MPLS***
> switchport access vlan 10
> switchport voice vlan 1
> mls qos trust dscp
> auto qos voip trust
> auto discovery qos
> spanning-tree portfast
> !
>
> !
> interface Virtual-Template1
> ip unnumbered Vlan1
> ip virtual-reassembly
> no peer default ip address
> ppp encrypt mppe auto passive
> ppp authentication pap chap ms-chap
> !
> !
> interface Vlan10
> ip address 192.168.1.30 255.255.255.0
> ip nat inside
> ip virtual-reassembly
> !
> ip forward-protocol nd
> ip route 0.0.0.0 0.0.0.0 204.204.204.254
> ip route 10.255.1.0 255.255.255.0 192.168.1.254
> ip route 172.18.2.0 255.255.255.0 192.168.1.254
> ip route 172.18.3.0 255.255.255.0 192.168.1.254
> ip route 192.168.1.0 255.255.255.0 192.168.3.254
> ip route 192.168.1.0 255.255.255.0 192.168.1.254
> ip route 192.168.1.2 255.255.255.255 Service-Engine0/0
> ip route 192.168.3.0 255.255.255.0 192.168.1.254
> ip route 192.168.10.0 255.255.255.0 192.168.1.157
> ip route 192.168.41.0 255.255.255.0 Tunnel41
> !
> ip nat inside source route-map nonat interface FastEthernet0/1 overload
> ip nat inside source static 192.168.1.157 204.204.204.27
> ip nat inside source static 192.168.1.31 204.204.204.67
> !
> logging 192.168.2.53
> logging 192.168.2.28
> access-list 20 permit 192.168.0.0 0.0.255.255
> access-list 20 permit 172.18.0.0 0.0.255.255
> access-list 101 permit udp host 205.205.205.21 any eq isakmp
> access-list 101 permit udp host 205.205.205.21 eq isakmp any
> access-list 101 permit esp host 205.205.205.21 any
> access-list 101 permit udp host 205.205.205.22 any eq isakmp
> access-list 101 permit udp host 205.205.205.22 eq isakmp any
> access-list 101 permit esp host 205.205.205.22 any
> access-list 101 permit tcp any host 204.204.204.27 eq 443
> access-list 101 permit udp host 206.206.206.1 any eq isakmp
> access-list 101 permit udp host 206.206.206.1 eq isakmp any
> access-list 101 permit esp host 206.206.206.1 any
> access-list 121 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
> access-list 131 permit gre any any
> access-list 131 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
> access-list 141 permit gre any any
> access-list 141 permit ip 192.168.1.0 0.0.0.255 192.168.41.0 0.0.0.255
> access-list 141 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
> access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.41.0 0.0.0.255
> access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
> access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
> access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.60.0 0.0.0.255
> access-list 175 permit ip 192.168.1.0 0.0.0.255 any
> !
> !
> !
> !
> route-map nonat permit 41
> match ip address 175
> !
> !
>
> Branch-1
>
> Current configuration : 5625 bytes
> !
> version 12.3
>
> !
> username cisco privilege 15
> aaa new-model
> !
> !
> aaa authentication login default local
> aaa authorization exec default local
> aaa session-id common
> ip subnet-zero
> ip cef
> !
> crypto isakmp policy 10
> encr 3des
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key M1bius77 address 204.204.204.66
> crypto isakmp keepalive 10 5 periodic
> !
> crypto ipsec security-association lifetime seconds 86400
> !
> crypto ipsec transform-set vpn_set esp-3des esp-md5-hmac
> !
> crypto map xxx_To_yyy 41 ipsec-isakmp
> set peer 204.204.204.66
> set transform-set vpn_set
> match address 141
> !
> bridge irb
> !
> !
> interface Tunnel41
> ip address 172.16.31.42 255.255.255.252
> ip mtu 1400
> ip tcp adjust-mss 1360
> tunnel source 205.205.205.21
> tunnel destination 204.204.204.66
> !
> interface FastEthernet0
> no ip address
> no cdp enable
> spanning-tree portfast
> !
> interface FastEthernet1
> no ip address
> no cdp enable
> spanning-tree portfast
> !
> interface FastEthernet2
> no ip address
> spanning-tree portfast
> !
> interface FastEthernet3
> no ip address
> no cdp enable
> spanning-tree portfast
> !
> interface FastEthernet4
> ip address dhcp client-id FastEthernet4
> ip nat outside
> ip virtual-reassembly
> ip tcp adjust-mss 1452
> duplex auto
> speed auto
> crypto map xxx_To_yyy
> !
> !
> interface Vlan1
> description Internal NetHome Network
> no ip address
> ip nat inside
> ip virtual-reassembly
> bridge-group 1
> bridge-group 1 spanning-disabled
> !
> interface BVI1
> description Bridge to Internal Home Network
> ip address 192.168.41.1 255.255.255.0
> ip nat inside
> ip virtual-reassembly
> !
> ip classless
> ip route 192.168.1.0 255.255.255.0 Tunnel41
> !
> ip nat inside source route-map nonat interface FastEthernet4 overload
> ip nat inside source static tcp 192.168.41.51 3074 interface FastEthernet4 3074
> ip nat inside source static udp 192.168.41.51 88 interface FastEthernet4 88
> ip nat inside source static udp 192.168.41.51 3074 interface FastEthernet4 3074
> !
> logging trap debugging
> logging 192.168.41.22
> access-list 1 permit 192.168.41.0 0.0.0.255
> access-list 1 permit 192.168.1.0 0.0.0.255
> access-list 101 permit udp host 204.204.204.66 any eq isakmp
> access-list 101 permit udp host 204.204.204.66 eq isakmp any
> access-list 101 permit esp host 204.204.204.66 any
> access-list 101 permit icmp any any
> access-list 101 permit udp any any eq bootpc
> access-list 129 deny ip 192.168.41.0 0.0.0.255 192.168.1.0 0.0.0.255
> access-list 129 permit ip 192.168.41.0 0.0.0.255 any
> access-list 141 permit gre any any
> access-list 141 permit ip 192.168.41.0 0.0.0.255 192.168.1.0 0.0.0.255
> access-list 175 deny ip 192.168.41.0 0.0.0.255 192.168.1.0 0.0.0.255
> access-list 175 permit ip 192.168.41.0 0.0.0.255 any
>
> Branch-2
>
> aaa new-model
> !
> !
> aaa authentication login default local
> aaa authorization exec default local
> !
> !
>
> username admin privilege 15 view root pass
> !
> crypto isakmp policy 10
> encr 3des
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key secret address 204.204.204.66
> crypto isakmp keepalive 10 5 periodic
> !
> crypto ipsec security-association lifetime seconds 86400
> !
> crypto ipsec transform-set vpn_set esp-3des esp-md5-hmac
> !
> crypto map vpnmap 31 ipsec-isakmp
> set peer 204.204.204.66
> set transform-set vpn_set
> match address 131
> !
> interface Tunnel31
> ip address 172.16.31.34 255.255.255.252
> ip mtu 1400
> ip tcp adjust-mss 1360
> tunnel source 206.206.206.1
> tunnel destination 204.204.204.66
> !
> interface FastEthernet0/1
> ip address 206.206.206.1 255.255.255.248
> ip access-group 101 in
> ip nat outside
> ip inspect ISP2-cbac out
> ip virtual-reassembly
> duplex auto
> speed auto
> crypto map vpnmap
> !
> !
> interface Vlan10
> ip address 192.168.3.1 255.255.255.0
> ip nat inside
> ip virtual-reassembly
> !
> ip forward-protocol nd
> ip route 0.0.0.0 0.0.0.0 50.79.142.6
> ip route 172.18.1.0 255.255.255.0 192.168.3.254
> ip route 172.18.2.0 255.255.255.0 192.168.3.254
> ip route 172.18.3.2 255.255.255.255 Service-Engine0/0
> ip route 192.168.1.0 255.255.255.0 192.168.3.254
> ip route 192.168.2.0 255.255.255.0 192.168.3.254
> ip route 192.168.10.0 255.255.255.0 192.168.3.254
> !
> ip nat inside source route-map nonat interface FastEthernet0/1 overload
> ip nat inside source static tcp 192.168.3.10 5899 206.206.206.5 5899 extendable
> !
> access-list 20 permit x.x.x.x
> access-list 20 permit 192.168.0.0 0.0.255.255
> access-list 20 permit 172.18.0.0 0.0.255.255
> access-list 101 permit udp any host 206.206.206.1 eq 5060
> access-list 101 permit udp host 204.204.204.66 any eq isakmp
> access-list 101 permit udp host 204.204.204.66 eq isakmp any
> access-list 101 permit esp host 204.204.204.66 any
> access-list 102 remark NAT ACL
> access-list 102 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
> access-list 102 deny ip 192.168.0.0 0.0.255.255 172.18.0.0 0.0.255.255
> access-list 102 deny ip 172.18.0.0 0.0.255.255 172.18.0.0 0.0.255.255
> access-list 102 deny ip 172.18.0.0 0.0.255.255 192.168.0.0 0.0.255.255
> access-list 102 permit ip 192.168.3.0 0.0.0.255 any
> access-list 102 permit ip 172.18.3.0 0.0.0.255 any
> access-list 131 permit gre any any
> access-list 131 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
> !
> !
> !
> !
> route-map nonat permit 41
> match ip address 175
> !
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
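Added example, not part of the thread and not any Cisco tool: a small Python model of how IOS picks the IPsec peer for a packet once a crypto map is applied to an interface. Entries are evaluated in ascending sequence number and the first entry whose "match address" ACL permits the packet decides the peer; a packet that was routed into a Tunnel interface reaches the crypto map already GRE-encapsulated, i.e. as protocol 47 from the tunnel source to the tunnel destination, so only a GRE line of the crypto ACL can match it. The constructed AS_POSTED fragment copies the shape of the HDQ crypto section quoted above (entries 10 and 31 of vpnmap, ACLs 141 and 131 both opening with "permit gre any any", sanitized addresses as posted); HARDENED keeps the same entries but replaces those lines with one "permit gre host SRC host DST" per peer. Assumptions: the parser handles only the numbered-ACL and crypto-map lines used here, and a "deny" match in one entry is treated as falling through to the next entry.

```python
"""Model IOS crypto-map entry selection for GRE-over-IPsec (constructed example).
IOS walks a crypto map in ascending sequence order; the first entry whose
'match address' ACL permits the packet picks the IPsec peer.  Traffic routed
into a Tunnel interface arrives already GRE-encapsulated (proto 47, tunnel
source -> tunnel destination), so only a GRE line can ever match it."""
import ipaddress
import re
from typing import NamedTuple, Optional

PROTO_NUM = {"ip": None, "gre": 47, "tcp": 6, "udp": 17, "icmp": 1}


def _net(tokens):
    # Consume one ACL address term: 'any' | 'host A' | 'A WILDCARD'
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = ".".join(str(255 - int(o)) for o in tokens.pop(0).split("."))  # invert wildcard
    return ipaddress.ip_network(f"{t}/{mask}", strict=False)


class Ace(NamedTuple):
    action: str
    proto: Optional[int]  # None = any IP protocol ('permit ip ...')
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, proto, src, dst):
        return ((self.proto is None or self.proto == proto)
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst)

    def covers(self, other):
        # True when every flow `other` matches is also matched by this ACE
        return ((self.proto is None or self.proto == other.proto)
                and self.src.supernet_of(other.src) and self.dst.supernet_of(other.dst))


def parse_config(text):
    """Minimal parser: numbered ACLs and 'crypto map NAME SEQ ipsec-isakmp' blocks."""
    acls, maps, cur = {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"access-list (\d+) (permit|deny) (\w+) (.*)", line)
        if m:
            toks = m.group(4).split()
            acls.setdefault(m.group(1), []).append(
                Ace(m.group(2), PROTO_NUM[m.group(3)], _net(toks), _net(toks)))
            continue
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line)
        if m:
            cur = maps.setdefault(m.group(1), {}).setdefault(int(m.group(2)), {})
        elif cur is not None and line.startswith("set peer "):
            cur["peer"] = line.split()[-1]
        elif cur is not None and line.startswith("match address "):
            cur["acl"] = line.split()[-1]
    return acls, maps


def select_peer(acls, cmap, proto, src, dst):
    """First entry (by sequence) permitting the flow -> (seq, peer).  A deny or
    no match falls through to the next entry; None = would be sent in clear."""
    for seq in sorted(cmap):
        for ace in acls.get(cmap[seq].get("acl"), []):
            if ace.matches(proto, src, dst):
                if ace.action == "permit":
                    return seq, cmap[seq].get("peer")
                break
    return None


def shadowed_entries(acls, cmap):
    """(later_seq, earlier_seq) pairs where an earlier entry already permits
    everything a permit ACE of the later entry would, so that ACE is dead."""
    seqs, found = sorted(cmap), set()
    for i, later in enumerate(seqs):
        for ace in acls.get(cmap[later].get("acl"), []):
            for earlier in seqs[:i]:
                if ace.action == "permit" and any(
                        e.action == "permit" and e.covers(ace)
                        for e in acls.get(cmap[earlier].get("acl"), [])):
                    found.add((later, earlier))
    return sorted(found)


# Constructed to mirror the HDQ crypto section quoted in the thread: two
# entries, two peers, both crypto ACLs opening with 'permit gre any any'.
AS_POSTED = """
crypto map vpnmap 10 ipsec-isakmp
 set peer 205.205.205.21
 match address 141
crypto map vpnmap 31 ipsec-isakmp
 set peer 206.206.206.1
 match address 131
access-list 131 permit gre any any
access-list 131 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 141 permit gre any any
access-list 141 permit ip 192.168.1.0 0.0.0.255 192.168.41.0 0.0.0.255
"""
# Hardened form: same map entries, one GRE host pair per entry, LAN lines dropped.
HARDENED = AS_POSTED.split("access-list")[0] + """access-list 131 permit gre host 204.204.204.66 host 206.206.206.1
access-list 141 permit gre host 204.204.204.66 host 205.205.205.21
"""


def peer_for_tunnel(config, tunnel_src, tunnel_dst, map_name="vpnmap"):
    """Peer chosen for traffic leaving a GRE tunnel (proto 47, src -> dst)."""
    acls, maps = parse_config(config)
    return select_peer(acls, maps[map_name], 47, tunnel_src, tunnel_dst)
```

Running peer_for_tunnel(AS_POSTED, "204.204.204.66", "206.206.206.1") returns (10, "205.205.205.21"): with both ACLs starting "permit gre any any", every GRE packet, including Tunnel31's towards 206.206.206.1, matches entry 10 first and is bound to the 205.205.205.21 peer, and shadowed_entries reports the overlap as (31, 10). That is consistent with the "show crypto sess" output above, where the "permit 47 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0" flow with 4 active SAs sits under peer 205.205.205.21 and nothing is active under 206.206.206.1. With HARDENED the same call returns (31, "206.206.206.1"). The "permit ip 192.168.1.0 ... " lines in a crypto ACL only match packets that leave FastEthernet0/1 unencapsulated, so for traffic that is routed into the tunnels they are never consulted, which matches the "Active SAs: 0" shown for those flows.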