[c-nsp] unable to route traffic over ipsec/gre tunnels - HELP!
false
jctx09 at yahoo.com
Mon Jan 14 12:32:52 EST 2013
Nick,
Are you referring to the real public ip addresses? Or the Tunnel 172.16.x.x addresses?
Originally, the real public ip addresses could all ping each other but right now I cannot ping the public peers. I can't even ping anything on the internet from the 871W (Branch-1) and it doesn't even have an access-list applied or CBAC applied. The 2800s have the "ip inspect name ISP2-cbac icmp" command and I added an entry on the 101 acl (permit icmp any any). I am using CBAC for outbound traffic and the 101 acl for inbound. Users can browse the Internet but the router doesn't seem to be able to ping anything. Ping did work before all the vpn work.
Branch-1 (871W)
interface FastEthernet4
ip address dhcp client-id FastEthernet4
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1452
duplex auto
speed auto
crypto map xxx_To_yyy
end
ip nat inside source route-map nonat interface FastEthernet4 overload
ip nat inside source static tcp 192.168.41.51 3074 interface FastEthernet4 3074
ip nat inside source static udp 192.168.41.51 88 interface FastEthernet4 88
ip nat inside source static udp 192.168.41.51 3074 interface FastEthernet4 3074
--- On Mon, 1/14/13, Nick Hilliard <nick at foobar.org> wrote:
> From: Nick Hilliard <nick at foobar.org>
> Subject: Re: [c-nsp] unable to route traffic over ipsec/gre tunnels - HELP!
> To: cisco-nsp at puck.nether.net
> Date: Monday, January 14, 2013, 9:16 AM
> On 14/01/2013 14:59, false wrote:
> > I initially had HDQ working fine with the 871W
> (Branch-1) but when I
> > configured branch2 (2801), they both broke.
>
> Can you ping the endpoints of each tunnel?
>
> Nick
>
>
> The tunnels appear to be up
> > but traffic is not routing across them. The two 2801
> routers run 12.4
> > (c2800nm-adventerprisek9-mz.124-24.T2.bin). These are
> gre over ipsec
> > tunnels. Currently traffic flows over an exsting MPLS
> network that we
> > are getting away from due to cost. As soon as I change
> the routes to
> > point to the Tunnels, it breaks. Traffic doesn't appear
> to pass through
> > the tunnel. BTW, the tunnels do appear up and sessions
> established. I
> > have attached my sanitized configs. Any assistance
> would be VERY, VERY
> > much appreciated.
>
>
> >
> >
> > HDQ#sh crypto sess
> > Crypto session current status
> >
> > Interface: FastEthernet0/1
> > Session status: UP-ACTIVE
> > Peer: 205.205.205.21 port 500
> > IKE SA: local 204.204.204.66/500
> remote 205.205.205.21/500 Active
> > IPSEC FLOW: permit 47 0.0.0.0/0.0.0.0
> 0.0.0.0/0.0.0.0
> > Active SAs: 4,
> origin: crypto map
> > IPSEC FLOW: permit ip
> 192.168.1.0/255.255.255.0 192.168.2.0/255.255.255.0
> > Active SAs: 0,
> origin: crypto map
> > IPSEC FLOW: permit ip
> 192.168.1.0/255.255.255.0 192.168.41.0/255.255.255.0
> > Active SAs: 0,
> origin: crypto map
> >
> > Interface: FastEthernet0/1
> > Session status: UP-IDLE
> > Peer: 206.206.206.1 port 500
> > IKE SA: local 204.204.204.66/500
> remote 206.206.206.1/500 Active
> > IPSEC FLOW: permit ip
> 192.168.1.0/255.255.255.0 192.168.3.0/255.255.255.0
> > Active SAs: 0,
> origin: crypto map
> >
> > HDQ#
> >
> > HDQ#sh cry isa sa
> > IPv4 Crypto ISAKMP SA
> > dst
> src
> state
> conn-id status
> >
> 204.204.204.66 206.206.206..1 QM_IDLE
> 1003 ACTIVE
> >
> 205.205.205.21 204.204.204.66 QM_IDLE
> 1002 ACTIVE
> >
> > IPv6 Crypto ISAKMP SA
> >
> > sh ip int br:
> > Tunnel31
> 172.16.31.33
> YES NVRAM up
> up
> > Tunnel41
> 172.16.31.41
> YES NVRAM up
> up
> >
> > Configs:
> > HDQ
> > aaa new-model
> > !
> > !
> > aaa authentication ppp default local
> > aaa authorization network vpnauth local
> > !
> > !
> >
> > !
> > !
> > username admin privilege 15 view root pass
> > !
> > crypto isakmp policy 10
> > encr 3des
> > hash md5
> > authentication pre-share
> > group 2
> > crypto isakmp key secret address 205.205.205.21
> > crypto isakmp key secret address 206.206.206.1
> > crypto isakmp keepalive 10 5 periodic
> > !
> > crypto ipsec security-association lifetime seconds
> 86400
> > !
> > crypto ipsec transform-set vpn_set esp-3des
> esp-md5-hmac
> > !
> > crypto map vpnmap 10 ipsec-isakmp
> > set peer 205.205.205.21
> > set transform-set vpn_set
> > match address 141
> > crypto map vpnmap 31 ipsec-isakmp
> > set peer 206.206.206.1
> > set transform-set vpn_set
> > match address 131
> > !
> > !
> > !
> > interface Tunnel31
> > ip address 172.16.31.33 255.255.255.252
> > ip mtu 1400
> > ip tcp adjust-mss 1360
> > tunnel source 204.204.204.66
> > tunnel destination 206.206.206.1
> > !
> > interface Tunnel41
> > ip address 172.16.31.41 255.255.255.252
> > ip mtu 1400
> > ip tcp adjust-mss 1360
> > tunnel source 204.204.204.66
> > tunnel destination 205.205.205.21
> > !
> > !
> > interface FastEthernet0/1
> > ip address 204.204.204.66 255.255.255.0
> > ip access-group 101 in
> > no ip unreachables
> > ip flow ingress
> > ip flow egress
> > ip nat outside
> > ip inspect ISP2-cbac out
> > ip virtual-reassembly
> > duplex auto
> > speed auto
> > crypto map vpnmap
> > !
> > interface FastEthernet1/0
> > description ***To MPLS***
> > switchport access vlan 10
> > switchport voice vlan 1
> > mls qos trust dscp
> > auto qos voip trust
> > auto discovery qos
> > spanning-tree portfast
> > !
> >
> > !
> > interface Virtual-Template1
> > ip unnumbered Vlan1
> > ip virtual-reassembly
> > no peer default ip address
> > ppp encrypt mppe auto passive
> > ppp authentication pap chap ms-chap
> > !
> > !
> > interface Vlan10
> > ip address 192.168.1.30 255.255.255.0
> > ip nat inside
> > ip virtual-reassembly
> > !
> > ip forward-protocol nd
> > ip route 0.0.0.0 0.0.0.0 204.204.204.254
> > ip route 10.255.1.0 255.255.255.0 192.168.1.254
> > ip route 172.18.2.0 255.255.255.0 192.168.1.254
> > ip route 172.18.3.0 255.255.255.0 192.168.1.254
> > ip route 192.168.1.0 255.255.255.0 192.168.3.254
> > ip route 192.168.1.0 255.255.255.0 192.168.1.254
> > ip route 192.168.1.2 255.255.255.255 Service-Engine0/0
> > ip route 192.168.3.0 255.255.255.0 192.168.1.254
> > ip route 192.168.10.0 255.255.255.0 192.168.1.157
> > ip route 192.168.41.0 255.255.255.0 Tunnel41
> > !
> > ip nat inside source route-map nonat interface
> FastEthernet0/1 overload
> > ip nat inside source static 192.168.1.157
> 204.204.204.27
> > ip nat inside source static 192.168.1.31
> 204.204.204.67
> > !
> > logging 192.168.2.53
> > logging 192.168.2.28
> > access-list 20 permit 192.168.0.0 0.0.255.255
> > access-list 20 permit 172.18.0.0 0.0.255.255
> > access-list 101 permit udp host 205.205.205.21 any eq
> isakmp
> > access-list 101 permit udp host 205.205.205.21 eq
> isakmp any
> > access-list 101 permit esp host 205.205.205.21 any
> > access-list 101 permit udp host 205.205.205.22 any eq
> isakmp
> > access-list 101 permit udp host 205.205.205.22 eq
> isakmp any
> > access-list 101 permit esp host 205.205.205.22 any
> > access-list 101 permit tcp any host 204.204.204.27 eq
> 443
> > access-list 101 permit udp host 206.206.206.1 any eq
> isakmp
> > access-list 101 permit udp host 206.206.206.1 eq isakmp
> any
> > access-list 101 permit esp host 206.206.206.1 any
> > access-list 121 permit ip 192.168.1.0 0.0.0.255
> 192.168.2.0 0.0.0.255
> > access-list 131 permit gre any any
> > access-list 131 permit ip 192.168.1.0 0.0.0.255
> 192.168.3.0 0.0.0.255
> > access-list 141 permit gre any any
> > access-list 141 permit ip 192.168.1.0 0.0.0.255
> 192.168.41.0 0.0.0.255
> > access-list 141 permit ip 192.168.1.0 0.0.0.255
> 192.168.2.0 0.0.0.255
> > access-list 175 deny ip 192.168.1.0
> 0.0.0.255 192.168.41.0 0.0.0.255
> > access-list 175 deny ip 192.168.1.0
> 0.0.0.255 192.168.2.0 0.0.0.255
> > access-list 175 deny ip 192.168.1.0
> 0.0.0.255 192.168.3.0 0.0.0.255
> > access-list 175 deny ip 192.168.1.0
> 0.0.0.255 192.168.60.0 0.0.0.255
> > access-list 175 permit ip 192.168.1.0 0.0.0.255 any
> > !
> > !
> > !
> > !
> > route-map nonat permit 41
> > match ip address 175
> > !
> > !
> >
> > Branch-1
> >
> > Current configuration : 5625 bytes
> > !
> > version 12.3
> >
> > !
> > username cisco privilege 15
> > aaa new-model
> > !
> > !
> > aaa authentication login default local
> > aaa authorization exec default local
> > aaa session-id common
> > ip subnet-zero
> > ip cef
> > !
> > crypto isakmp policy 10
> > encr 3des
> > hash md5
> > authentication pre-share
> > group 2
> > crypto isakmp key M1bius77 address 204.204.204.66
> > crypto isakmp keepalive 10 5 periodic
> > !
> > crypto ipsec security-association lifetime seconds
> 86400
> > !
> > crypto ipsec transform-set vpn_set esp-3des
> esp-md5-hmac
> > !
> > crypto map xxx_To_yyy 41 ipsec-isakmp
> > set peer 204.204.204.66
> > set transform-set vpn_set
> > match address 141
> > !
> > bridge irb
> > !
> > !
> > interface Tunnel41
> > ip address 172.16.31.42 255.255.255.252
> > ip mtu 1400
> > ip tcp adjust-mss 1360
> > tunnel source 205.205.205.21
> > tunnel destination 204.204.204.66
> > !
> > interface FastEthernet0
> > no ip address
> > no cdp enable
> > spanning-tree portfast
> > !
> > interface FastEthernet1
> > no ip address
> > no cdp enable
> > spanning-tree portfast
> > !
> > interface FastEthernet2
> > no ip address
> > spanning-tree portfast
> > !
> > interface FastEthernet3
> > no ip address
> > no cdp enable
> > spanning-tree portfast
> > !
> > interface FastEthernet4
> > ip address dhcp client-id FastEthernet4
> > ip nat outside
> > ip virtual-reassembly
> > ip tcp adjust-mss 1452
> > duplex auto
> > speed auto
> > crypto map xxx_To_yyy
> > !
> > !
> > interface Vlan1
> > description Internal NetHome Network
> > no ip address
> > ip nat inside
> > ip virtual-reassembly
> > bridge-group 1
> > bridge-group 1 spanning-disabled
> > !
> > interface BVI1
> > description Bridge to Internal Home Network
> > ip address 192.168.41.1 255.255.255.0
> > ip nat inside
> > ip virtual-reassembly
> > !
> > ip classless
> > ip route 192.168.1.0 255.255.255.0 Tunnel41
> > !
> > ip nat inside source route-map nonat interface
> FastEthernet4 overload
> > ip nat inside source static tcp 192.168.41.51 3074
> interface FastEthernet4 3074
> > ip nat inside source static udp 192.168.41.51 88
> interface FastEthernet4 88
> > ip nat inside source static udp 192.168.41.51 3074
> interface FastEthernet4 3074
> > !
> > logging trap debugging
> > logging 192.168.41.22
> > access-list 1 permit 192.168.41.0 0.0.0.255
> > access-list 1 permit 192.168.1.0 0.0.0.255
> > access-list 101 permit udp host 204.204.204.66 any eq
> isakmp
> > access-list 101 permit udp host 204.204.204.66 eq
> isakmp any
> > access-list 101 permit esp host 204.204.204.66 any
> > access-list 101 permit icmp any any
> > access-list 101 permit udp any any eq bootpc
> > access-list 129 deny ip 192.168.41.0
> 0.0.0.255 192.168.1.0 0.0.0.255
> > access-list 129 permit ip 192.168.41.0 0.0.0.255 any
> > access-list 141 permit gre any any
> > access-list 141 permit ip 192.168.41.0 0.0.0.255
> 192.168.1.0 0.0.0.255
> > access-list 175 deny ip 192.168.41.0
> 0.0.0.255 192.168.1.0 0.0.0.255
> > access-list 175 permit ip 192.168.41.0 0.0.0.255 any
> >
> > Branch-2
> >
> > aaa new-model
> > !
> > !
> > aaa authentication login default local
> > aaa authorization exec default local
> > !
> > !
> >
> > username admin privilege 15 view root pass
> > !
> > crypto isakmp policy 10
> > encr 3des
> > hash md5
> > authentication pre-share
> > group 2
> > crypto isakmp key secret address 204.204.204.66
> > crypto isakmp keepalive 10 5 periodic
> > !
> > crypto ipsec security-association lifetime seconds
> 86400
> > !
> > crypto ipsec transform-set vpn_set esp-3des
> esp-md5-hmac
> > !
> > crypto map vpnmap 31 ipsec-isakmp
> > set peer 204.204.204.66
> > set transform-set vpn_set
> > match address 131
> > !
> > interface Tunnel31
> > ip address 172.16.31.34 255.255.255.252
> > ip mtu 1400
> > ip tcp adjust-mss 1360
> > tunnel source 5206.206.206.1
> > tunnel destination 204.204.204.66
> > !
> > interface FastEthernet0/1
> > ip address 206.206.206.1 255.255.255.248
> > ip access-group 101 in
> > ip nat outside
> > ip inspect ISP2-cbac out
> > ip virtual-reassembly
> > duplex auto
> > speed auto
> > crypto map vpnmap
> > !
> > !
> > interface Vlan10
> > ip address 192.168.3.1 255.255.255.0
> > ip nat inside
> > ip virtual-reassembly
> > !
> > ip forward-protocol nd
> > ip route 0.0.0.0 0.0.0.0 50.79.142.6
> > ip route 172.18.1.0 255.255.255.0 192.168.3.254
> > ip route 172.18.2.0 255.255.255.0 192.168.3.254
> > ip route 172.18.3.2 255.255.255.255 Service-Engine0/0
> > ip route 192.168.1.0 255.255.255.0 192.168.3.254
> > ip route 192.168.2.0 255.255.255.0 192.168.3.254
> > ip route 192.168.10.0 255.255.255.0 192.168.3.254
> > !
> > ip nat inside source route-map nonat interface
> FastEthernet0/1 overload
> > ip nat inside source static tcp 192.168.3.10 5899
> 206.206.206.5 5899 extendable
> > !
> > access-list 20 permit x.x.x.x
> > access-list 20 permit 192.168.0.0 0.0.255.255
> > access-list 20 permit 172.18.0.0 0.0.255.255
> > access-list 101 permit udp any host 206.206.206.1 eq
> 5060
> > access-list 101 permit udp host 204.204.204.66 any eq
> isakmp
> > access-list 101 permit udp host 204.204.204.66 eq
> isakmp any
> > access-list 101 permit esp host 204.204.204.66 any
> > access-list 102 remark NAT ACL
> > access-list 102 deny ip 192.168.0.0
> 0.0.255.255 192.168.0.0 0.0.255.255
> > access-list 102 deny ip 192.168.0.0
> 0.0.255.255 172.18.0.0 0.0.255.255
> > access-list 102 deny ip 172.18.0.0
> 0.0.255.255 172.18.0.0 0.0.255.255
> > access-list 102 deny ip 172.18.0.0
> 0.0.255.255 192.168.0.0 0.0.255.255
> > access-list 102 permit ip 192.168.3.0 0.0.0.255 any
> > access-list 102 permit ip 172.18.3.0 0.0.0.255 any
> > access-list 131 permit gre any any
> > access-list 131 permit ip 192.168.3.0 0.0.0.255
> 192.168.1.0 0.0.0.255
> > !
> > !
> > !
> > !
> > route-map nonat permit 41
> > match ip address 175
> > !
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
More information about the cisco-nsp
mailing list