[c-nsp] unable to route traffic over ipsec/gre tunnels - HELP!
false
jctx09 at yahoo.com
Mon Jan 14 13:38:57 EST 2013
Update. More data.
If I remove the crypto map for Branch-2 (vpnmap 31) then the tunnel for Branch-1 (crypto map 10) comes back up. It appears that having both crypto maps like below causes int fa0/1 to not be aware of what traffic to send down what tunnel. See example of problematic config below.
Problem:
crypto map vpnmap 10 ipsec-isakmp
set peer 205.205.205.21
set transform-set vpn_set
match address 141
crypto map vpnmap 31 ipsec-isakmp
set peer 206.206.206.1
set transform-set vpn_set
match address 131
I'm pretty sure I remember doing it this way several years ago. What changes need to be made to allow these multiple crypto maps and using just one crypto map tag on fa0/1 (isp interface)?
Thank you,
--- On Mon, 1/14/13, false <jctx09 at yahoo.com> wrote:
> From: false <jctx09 at yahoo.com>
> Subject: Re: [c-nsp] unable to route traffic over ipsec/gre tunnels - HELP!
> To: cisco-nsp at puck.nether.net, "Nick Hilliard" <nick at foobar.org>
> Date: Monday, January 14, 2013, 11:32 AM
> Nick,
>
> Are you referring to the real public ip addresses? Or the
> Tunnel 172.16.x.x addresses?
>
> Originally, the real public ip addresses could all ping each
> other but right now I cannot ping the public peers. I can't
> even ping anything on the internet from the 871W (Branch-1)
> and it doesn't even have an access-list applied or CBAC
> applied. The 2800s have the "ip inspect name ISP2-cbac icmp"
> command and I added an entry on the 101 acl (permit icmp any
> any). I am using CBAC for outbound traffic and the 101 acl
> for inbound. Users can browse the Internet but the router
> doesn't seem to be able to ping anything. Ping did work
> before all the vpn work.
>
> Branch-1 (871W)
> interface FastEthernet4
> ip address dhcp client-id FastEthernet4
> ip nat outside
> ip virtual-reassembly
> ip tcp adjust-mss 1452
> duplex auto
> speed auto
> crypto map xxx_To_yyy
> end
>
> ip nat inside source route-map nonat interface FastEthernet4 overload
> ip nat inside source static tcp 192.168.41.51 3074 interface FastEthernet4 3074
> ip nat inside source static udp 192.168.41.51 88 interface FastEthernet4 88
> ip nat inside source static udp 192.168.41.51 3074 interface FastEthernet4 3074
>
>
>
> --- On Mon, 1/14/13, Nick Hilliard <nick at foobar.org> wrote:
>
> > From: Nick Hilliard <nick at foobar.org>
> > Subject: Re: [c-nsp] unable to route traffic over ipsec/gre tunnels - HELP!
> > To: cisco-nsp at puck.nether.net
> > Date: Monday, January 14, 2013, 9:16 AM
> > On 14/01/2013 14:59, false wrote:
> > > I initially had HDQ working fine with the 871W
> > (Branch-1) but when I
> > > configured branch2 (2801), they both broke.
> >
> > Can you ping the endpoints of each tunnel?
> >
> > Nick
> >
> >
> > > The tunnels appear to be up but traffic is not routing across them. The two
> > > 2801 routers run 12.4 (c2800nm-adventerprisek9-mz.124-24.T2.bin). These are
> > > gre over ipsec tunnels. Currently traffic flows over an existing MPLS network
> > > that we are getting away from due to cost. As soon as I change the routes to
> > > point to the Tunnels, it breaks. Traffic doesn't appear to pass through the
> > > tunnel. BTW, the tunnels do appear up and sessions established. I have
> > > attached my sanitized configs. Any assistance would be VERY, VERY much
> > > appreciated.
> >
> >
> > >
> > >
> > > HDQ#sh crypto sess
> > > Crypto session current status
> > >
> > > Interface: FastEthernet0/1
> > > Session status: UP-ACTIVE
> > > Peer: 205.205.205.21 port 500
> > >   IKE SA: local 204.204.204.66/500 remote 205.205.205.21/500 Active
> > >   IPSEC FLOW: permit 47 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
> > >         Active SAs: 4, origin: crypto map
> > >   IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.2.0/255.255.255.0
> > >         Active SAs: 0, origin: crypto map
> > >   IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.41.0/255.255.255.0
> > >         Active SAs: 0, origin: crypto map
> > >
> > > Interface: FastEthernet0/1
> > > Session status: UP-IDLE
> > > Peer: 206.206.206.1 port 500
> > >   IKE SA: local 204.204.204.66/500 remote 206.206.206.1/500 Active
> > >   IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.3.0/255.255.255.0
> > >         Active SAs: 0, origin: crypto map
> > >
> > > HDQ#
> > >
> > > HDQ#sh cry isa sa
> > > IPv4 Crypto ISAKMP SA
> > > dst             src             state          conn-id status
> > > 204.204.204.66  206.206.206.1   QM_IDLE           1003 ACTIVE
> > > 205.205.205.21  204.204.204.66  QM_IDLE           1002 ACTIVE
> > >
> > > IPv6 Crypto ISAKMP SA
> > >
> > > sh ip int br:
> > > Tunnel31       172.16.31.33    YES NVRAM  up      up
> > > Tunnel41       172.16.31.41    YES NVRAM  up      up
> > >
> > > Configs:
> > > HDQ
> > > aaa new-model
> > > !
> > > !
> > > aaa authentication ppp default local
> > > aaa authorization network vpnauth local
> > > !
> > > !
> > >
> > > !
> > > !
> > > username admin privilege 15 view root pass
> > > !
> > > crypto isakmp policy 10
> > > encr 3des
> > > hash md5
> > > authentication pre-share
> > > group 2
> > > crypto isakmp key secret address 205.205.205.21
> > > crypto isakmp key secret address 206.206.206.1
> > > crypto isakmp keepalive 10 5 periodic
> > > !
> > > crypto ipsec security-association lifetime seconds 86400
> > > !
> > > crypto ipsec transform-set vpn_set esp-3des esp-md5-hmac
> > > !
> > > crypto map vpnmap 10 ipsec-isakmp
> > > set peer 205.205.205.21
> > > set transform-set vpn_set
> > > match address 141
> > > crypto map vpnmap 31 ipsec-isakmp
> > > set peer 206.206.206.1
> > > set transform-set vpn_set
> > > match address 131
> > > !
> > > !
> > > !
> > > interface Tunnel31
> > > ip address 172.16.31.33 255.255.255.252
> > > ip mtu 1400
> > > ip tcp adjust-mss 1360
> > > tunnel source 204.204.204.66
> > > tunnel destination 206.206.206.1
> > > !
> > > interface Tunnel41
> > > ip address 172.16.31.41 255.255.255.252
> > > ip mtu 1400
> > > ip tcp adjust-mss 1360
> > > tunnel source 204.204.204.66
> > > tunnel destination 205.205.205.21
> > > !
> > > !
> > > interface FastEthernet0/1
> > > ip address 204.204.204.66 255.255.255.0
> > > ip access-group 101 in
> > > no ip unreachables
> > > ip flow ingress
> > > ip flow egress
> > > ip nat outside
> > > ip inspect ISP2-cbac out
> > > ip virtual-reassembly
> > > duplex auto
> > > speed auto
> > > crypto map vpnmap
> > > !
> > > interface FastEthernet1/0
> > > description ***To MPLS***
> > > switchport access vlan 10
> > > switchport voice vlan 1
> > > mls qos trust dscp
> > > auto qos voip trust
> > > auto discovery qos
> > > spanning-tree portfast
> > > !
> > >
> > > !
> > > interface Virtual-Template1
> > > ip unnumbered Vlan1
> > > ip virtual-reassembly
> > > no peer default ip address
> > > ppp encrypt mppe auto passive
> > > ppp authentication pap chap ms-chap
> > > !
> > > !
> > > interface Vlan10
> > > ip address 192.168.1.30 255.255.255.0
> > > ip nat inside
> > > ip virtual-reassembly
> > > !
> > > ip forward-protocol nd
> > > ip route 0.0.0.0 0.0.0.0 204.204.204.254
> > > ip route 10.255.1.0 255.255.255.0 192.168.1.254
> > > ip route 172.18.2.0 255.255.255.0 192.168.1.254
> > > ip route 172.18.3.0 255.255.255.0 192.168.1.254
> > > ip route 192.168.1.0 255.255.255.0 192.168.3.254
> > > ip route 192.168.1.0 255.255.255.0 192.168.1.254
> > > ip route 192.168.1.2 255.255.255.255 Service-Engine0/0
> > > ip route 192.168.3.0 255.255.255.0 192.168.1.254
> > > ip route 192.168.10.0 255.255.255.0 192.168.1.157
> > > ip route 192.168.41.0 255.255.255.0 Tunnel41
> > > !
> > > ip nat inside source route-map nonat interface FastEthernet0/1 overload
> > > ip nat inside source static 192.168.1.157 204.204.204.27
> > > ip nat inside source static 192.168.1.31 204.204.204.67
> > > !
> > > logging 192.168.2.53
> > > logging 192.168.2.28
> > > access-list 20 permit 192.168.0.0 0.0.255.255
> > > access-list 20 permit 172.18.0.0 0.0.255.255
> > > access-list 101 permit udp host 205.205.205.21 any eq isakmp
> > > access-list 101 permit udp host 205.205.205.21 eq isakmp any
> > > access-list 101 permit esp host 205.205.205.21 any
> > > access-list 101 permit udp host 205.205.205.22 any eq isakmp
> > > access-list 101 permit udp host 205.205.205.22 eq isakmp any
> > > access-list 101 permit esp host 205.205.205.22 any
> > > access-list 101 permit tcp any host 204.204.204.27 eq 443
> > > access-list 101 permit udp host 206.206.206.1 any eq isakmp
> > > access-list 101 permit udp host 206.206.206.1 eq isakmp any
> > > access-list 101 permit esp host 206.206.206.1 any
> > > access-list 121 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
> > > access-list 131 permit gre any any
> > > access-list 131 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
> > > access-list 141 permit gre any any
> > > access-list 141 permit ip 192.168.1.0 0.0.0.255 192.168.41.0 0.0.0.255
> > > access-list 141 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
> > > access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.41.0 0.0.0.255
> > > access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
> > > access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
> > > access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.60.0 0.0.0.255
> > > access-list 175 permit ip 192.168.1.0 0.0.0.255 any
> > > !
> > > !
> > > !
> > > !
> > > route-map nonat permit 41
> > > match ip address 175
> > > !
> > > !
> > >
> > > Branch-1
> > >
> > > Current configuration : 5625 bytes
> > > !
> > > version 12.3
> > >
> > > !
> > > username cisco privilege 15
> > > aaa new-model
> > > !
> > > !
> > > aaa authentication login default local
> > > aaa authorization exec default local
> > > aaa session-id common
> > > ip subnet-zero
> > > ip cef
> > > !
> > > crypto isakmp policy 10
> > > encr 3des
> > > hash md5
> > > authentication pre-share
> > > group 2
> > > crypto isakmp key M1bius77 address 204.204.204.66
> > > crypto isakmp keepalive 10 5 periodic
> > > !
> > > crypto ipsec security-association lifetime seconds 86400
> > > !
> > > crypto ipsec transform-set vpn_set esp-3des esp-md5-hmac
> > > !
> > > crypto map xxx_To_yyy 41 ipsec-isakmp
> > > set peer 204.204.204.66
> > > set transform-set vpn_set
> > > match address 141
> > > !
> > > bridge irb
> > > !
> > > !
> > > interface Tunnel41
> > > ip address 172.16.31.42 255.255.255.252
> > > ip mtu 1400
> > > ip tcp adjust-mss 1360
> > > tunnel source 205.205.205.21
> > > tunnel destination 204.204.204.66
> > > !
> > > interface FastEthernet0
> > > no ip address
> > > no cdp enable
> > > spanning-tree portfast
> > > !
> > > interface FastEthernet1
> > > no ip address
> > > no cdp enable
> > > spanning-tree portfast
> > > !
> > > interface FastEthernet2
> > > no ip address
> > > spanning-tree portfast
> > > !
> > > interface FastEthernet3
> > > no ip address
> > > no cdp enable
> > > spanning-tree portfast
> > > !
> > > interface FastEthernet4
> > > ip address dhcp client-id FastEthernet4
> > > ip nat outside
> > > ip virtual-reassembly
> > > ip tcp adjust-mss 1452
> > > duplex auto
> > > speed auto
> > > crypto map xxx_To_yyy
> > > !
> > > !
> > > interface Vlan1
> > > description Internal NetHome Network
> > > no ip address
> > > ip nat inside
> > > ip virtual-reassembly
> > > bridge-group 1
> > > bridge-group 1 spanning-disabled
> > > !
> > > interface BVI1
> > > description Bridge to Internal Home Network
> > > ip address 192.168.41.1 255.255.255.0
> > > ip nat inside
> > > ip virtual-reassembly
> > > !
> > > ip classless
> > > ip route 192.168.1.0 255.255.255.0 Tunnel41
> > > !
> > > ip nat inside source route-map nonat interface FastEthernet4 overload
> > > ip nat inside source static tcp 192.168.41.51 3074 interface FastEthernet4 3074
> > > ip nat inside source static udp 192.168.41.51 88 interface FastEthernet4 88
> > > ip nat inside source static udp 192.168.41.51 3074 interface FastEthernet4 3074
> > > !
> > > logging trap debugging
> > > logging 192.168.41.22
> > > access-list 1 permit 192.168.41.0 0.0.0.255
> > > access-list 1 permit 192.168.1.0 0.0.0.255
> > > access-list 101 permit udp host 204.204.204.66 any eq isakmp
> > > access-list 101 permit udp host 204.204.204.66 eq isakmp any
> > > access-list 101 permit esp host 204.204.204.66 any
> > > access-list 101 permit icmp any any
> > > access-list 101 permit udp any any eq bootpc
> > > access-list 129 deny ip 192.168.41.0 0.0.0.255 192.168.1.0 0.0.0.255
> > > access-list 129 permit ip 192.168.41.0 0.0.0.255 any
> > > access-list 141 permit gre any any
> > > access-list 141 permit ip 192.168.41.0 0.0.0.255 192.168.1.0 0.0.0.255
> > > access-list 175 deny ip 192.168.41.0 0.0.0.255 192.168.1.0 0.0.0.255
> > > access-list 175 permit ip 192.168.41.0 0.0.0.255 any
> > >
> > > Branch-2
> > >
> > > aaa new-model
> > > !
> > > !
> > > aaa authentication login default local
> > > aaa authorization exec default local
> > > !
> > > !
> > >
> > > username admin privilege 15 view root pass
> > > !
> > > crypto isakmp policy 10
> > > encr 3des
> > > hash md5
> > > authentication pre-share
> > > group 2
> > > crypto isakmp key secret address 204.204.204.66
> > > crypto isakmp keepalive 10 5 periodic
> > > !
> > > crypto ipsec security-association lifetime seconds 86400
> > > !
> > > crypto ipsec transform-set vpn_set esp-3des esp-md5-hmac
> > > !
> > > crypto map vpnmap 31 ipsec-isakmp
> > > set peer 204.204.204.66
> > > set transform-set vpn_set
> > > match address 131
> > > !
> > > interface Tunnel31
> > > ip address 172.16.31.34 255.255.255.252
> > > ip mtu 1400
> > > ip tcp adjust-mss 1360
> > > tunnel source 206.206.206.1
> > > tunnel destination 204.204.204.66
> > > !
> > > interface FastEthernet0/1
> > > ip address 206.206.206.1 255.255.255.248
> > > ip access-group 101 in
> > > ip nat outside
> > > ip inspect ISP2-cbac out
> > > ip virtual-reassembly
> > > duplex auto
> > > speed auto
> > > crypto map vpnmap
> > > !
> > > !
> > > interface Vlan10
> > > ip address 192.168.3.1 255.255.255.0
> > > ip nat inside
> > > ip virtual-reassembly
> > > !
> > > ip forward-protocol nd
> > > ip route 0.0.0.0 0.0.0.0 50.79.142.6
> > > ip route 172.18.1.0 255.255.255.0 192.168.3.254
> > > ip route 172.18.2.0 255.255.255.0 192.168.3.254
> > > ip route 172.18.3.2 255.255.255.255 Service-Engine0/0
> > > ip route 192.168.1.0 255.255.255.0 192.168.3.254
> > > ip route 192.168.2.0 255.255.255.0 192.168.3.254
> > > ip route 192.168.10.0 255.255.255.0 192.168.3.254
> > > !
> > > ip nat inside source route-map nonat interface FastEthernet0/1 overload
> > > ip nat inside source static tcp 192.168.3.10 5899 206.206.206.5 5899 extendable
> > > !
> > > access-list 20 permit x.x.x.x
> > > access-list 20 permit 192.168.0.0 0.0.255.255
> > > access-list 20 permit 172.18.0.0 0.0.255.255
> > > access-list 101 permit udp any host 206.206.206.1 eq 5060
> > > access-list 101 permit udp host 204.204.204.66 any eq isakmp
> > > access-list 101 permit udp host 204.204.204.66 eq isakmp any
> > > access-list 101 permit esp host 204.204.204.66 any
> > > access-list 102 remark NAT ACL
> > > access-list 102 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
> > > access-list 102 deny ip 192.168.0.0 0.0.255.255 172.18.0.0 0.0.255.255
> > > access-list 102 deny ip 172.18.0.0 0.0.255.255 172.18.0.0 0.0.255.255
> > > access-list 102 deny ip 172.18.0.0 0.0.255.255 192.168.0.0 0.0.255.255
> > > access-list 102 permit ip 192.168.3.0 0.0.0.255 any
> > > access-list 102 permit ip 172.18.3.0 0.0.0.255 any
> > > access-list 131 permit gre any any
> > > access-list 131 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
> > > !
> > > !
> > > !
> > > !
> > > route-map nonat permit 41
> > > match ip address 175
> > > !
> > > _______________________________________________
> > > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > >
> >
>
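As an added example (not part of this thread or of any Cisco tool), a small Python checker that parses the crypto-map sequences and their match ACLs from the HDQ config quoted above and reports every ACE of a later sequence that an earlier sequence already matches: with both access-list 131 and access-list 141 starting with `permit gre any any`, every GRE packet, Tunnel31's included, hits seq 10 first, which is consistent with the `sh crypto sess` output showing the 47/any/any flow with 4 SAs only under peer 205.205.205.21. The sample config is constructed from the posted lines; nothing else is assumed.

```python
import re
from collections import defaultdict
from ipaddress import IPv4Network
# Constructed sample: the crypto-map entries and crypto ACLs posted for HDQ.
HDQ_CONFIG = """crypto map vpnmap 10 ipsec-isakmp
 set peer 205.205.205.21
 match address 141
crypto map vpnmap 31 ipsec-isakmp
 set peer 206.206.206.1
 match address 131
access-list 131 permit gre any any
access-list 131 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 141 permit gre any any
access-list 141 permit ip 192.168.1.0 0.0.0.255 192.168.41.0 0.0.0.255
"""

def parse_addr(toks):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (network, rest)."""
    if toks[0] == "any":
        return IPv4Network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return IPv4Network(toks[1] + "/32"), toks[2:]
    return IPv4Network((toks[0], toks[1])), toks[2:]  # ipaddress reads a wildcard as a hostmask

def parse(config):
    """Return {(map name, seq): acl number} and {acl number: [(proto, src, dst), ...]}."""
    maps, acls, cur = {}, defaultdict(list), None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            cur = (m[1], int(m[2]))
        elif cur and line.startswith("match address "):
            maps[cur] = line.split()[2]
        elif m := re.match(r"access-list (\d+) permit (\S+) (.*)", line):
            src, rest = parse_addr(m[3].split())
            acls[m[1]].append((m[2], src, parse_addr(rest)[0]))
    return maps, acls

def shadowed_entries(config):
    """(earlier seq, later seq, ACE) for each ACE of a later sequence that an earlier sequence of
    the same map already covers: IOS takes the first matching sequence, so that traffic always
    goes to the earlier peer and the later entry never brings up its own SA."""
    maps, acls = parse(config)
    entries = sorted(maps.items())  # [((map name, seq), acl number), ...] in sequence order
    out = []
    for i, ((name_a, seq_a), acl_a) in enumerate(entries):
        for (name_b, seq_b), acl_b in entries[i + 1:]:
            if name_b != name_a:
                continue
            for proto_b, s_b, d_b in acls[acl_b]:
                if any(p_a in (proto_b, "ip") and s_b.subnet_of(s_a) and d_b.subnet_of(d_a)
                       for p_a, s_a, d_a in acls[acl_a]):
                    out.append((seq_a, seq_b, f"{proto_b} {s_b} {d_b}"))
    return out
```

Re-running it with list 131 changed to `permit gre host 204.204.204.66 host 206.206.206.1` and list 141 to `permit gre host 204.204.204.66 host 205.205.205.21` (an assumed fix, not from the thread) returns no findings, since each sequence then matches only its own tunnel's GRE.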