I'm trying to get the setup below working: GRE over IPsec in the IVRF (KLIENT), sourced from an IP in the FVRF (INTERNET).
I know a similar problem has already been worked through here, but somehow it doesn't work for me.
With the current config the GRE keepalives do not initiate IPsec. After changing to tunnel vrf KLIENT, IPsec triggers immediately but the tunnel stays down; after adding keepalives on the other side, the local router does not forward them into VRF KLIENT and the tunnel still stays down.
Config and debug ip packet for keepalives enabled on the local router - IPsec does not come up.
Suggestions welcome.
ip vrf INTERNET
 rd 119:119
!
ip vrf KLIENT
 rd 3:3
!
crypto keyring KEYRING vrf INTERNET
 pre-shared-key address Y.Y.Y.Y key KEY
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp profile IKE-PROFILE
 vrf KLIENT
 keyring KEYRING
 match identity address Y.Y.Y.Y 255.255.255.255 INTERNET
 local-address GigabitEthernet0/1.119
!
!
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile IPSEC-PROFILE
 set transform-set ESP-AES256-SHA1
 set isakmp-profile IKE-PROFILE
!
crypto map CRYPTO-MAP 1 ipsec-isakmp
 set peer Y.Y.Y.Y
 set transform-set ESP-AES256-SHA1
 set isakmp-profile IKE-PROFILE
 match address CRYPTO-ACL
!
interface Tunnel1
 ip vrf forwarding KLIENT
 ip address 192.168.0.2 255.255.255.252
 keepalive 3 3
 tunnel source GigabitEthernet0/1.119
 tunnel destination Y.Y.Y.Y
 tunnel vrf INTERNET
!
interface Embedded-Service-Engine0/0
 no ip address
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.109
 encapsulation dot1Q 109
 ip address 172.31.109.9 255.255.255.0
!
interface GigabitEthernet0/1.119
 encapsulation dot1Q 119
 ip vrf forwarding INTERNET
 ip address X.X.X.X 255.255.255.240
 crypto map CRYPTO-MAP
!
interface GigabitEthernet0/1.2040
 encapsulation dot1Q 2040
 ip vrf forwarding KLIENT
 ip address 10.3.0.30 255.255.255.248
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip route vrf INTERNET Y.Y.Y.Y 255.255.255.255 Z.Z.Z.Z
ip route vrf KLIENT 10.0.0.12 255.255.255.255 Tunnel1
ip route vrf KLIENT Y.Y.Y.Y 255.255.255.255 GigabitEthernet0/1.119 Z.Z.Z.Z
!
ip access-list extended CRYPTO-ACL
 permit gre host X.X.X.X host Y.Y.Y.Y
!

FIBipv4-packet-proc: route packet from (local) src X.X.X.X dst Y.Y.Y.Y
FIBfwd-proc: packet routed by adj to GigabitEthernet0/1.119 Z.Z.Z.Z
FIBipv4-packet-proc: packet routing succeeded
IP: s=X.X.X.X (local), d=Y.Y.Y.Y (GigabitEthernet0/1.119), len 48, sending, proto=47
FIBipv4-packet-proc: route packet from (local) src X.X.X.X dst Y.Y.Y.Y
FIBfwd-proc: packet routed by adj to GigabitEthernet0/1.119 Z.Z.Z.Z
FIBipv4-packet-proc: packet routing succeeded
IP: s=X.X.X.X (local), d=Y.Y.Y.Y (GigabitEthernet0/1.119), len 48, sending, proto=47
IP: s=X.X.X.X (local), d=Y.Y.Y.Y (GigabitEthernet0/1.119), len 48, output feature, proto=47, IPSec output classification(35), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: s=X.X.X.X (local), d=Y.Y.Y.Y (GigabitEthernet0/1.119), len 48, output feature, proto=47, IPSec: to crypto engine(79), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: s=X.X.X.X (local), d=Y.Y.Y.Y (GigabitEthernet0/1.119), len 48, output feature, proto=47, Post-encryption output features(80), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: s=X.X.X.X (local), d=Y.Y.Y.Y (GigabitEthernet0/1.119), len 48, pre-encap feature, proto=47, IPSec Output Encap(1), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: s=X.X.X.X (local), d=Y.Y.Y.Y (GigabitEthernet0/1.119), len 48, pre-encap feature, proto=47, Crypto Engine(3), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
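The debug output above shows the GRE keepalives being handed to the crypto engine without IKE ever starting. As an added example (not part of the post), a small Python triage over such `debug ip packet` lines: it groups packets per (src, dst, proto) flow and reports, for each GRE flow, whether it reached the crypto engine and whether any UDP (IKE) packets from the same source to the peer appear in the capture. The sample lines are constructed after the post's output, and the check assumes IKE is sourced from the same address as the tunnel (as with local-address on the FVRF interface).

```python
import re
from collections import defaultdict

# Constructed sample, shaped after the poster's "debug ip packet" output.
SAMPLE_DEBUG = """\
IP: s=X.X.X.X (local), d=Y.Y.Y.Y (GigabitEthernet0/1.119), len 48, sending, proto=47
IP: s=X.X.X.X (local), d=Y.Y.Y.Y (GigabitEthernet0/1.119), len 48, output feature, proto=47, IPSec output classification(35), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: s=X.X.X.X (local), d=Y.Y.Y.Y (GigabitEthernet0/1.119), len 48, output feature, proto=47, IPSec: to crypto engine(79), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: s=X.X.X.X (local), d=Y.Y.Y.Y (GigabitEthernet0/1.119), len 48, pre-encap feature, proto=47, Crypto Engine(3), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
"""

# Matches "IP: s=A (if), d=B (if), len N, <stage>, proto=P[, <feature>(id)...]".
LINE_RE = re.compile(
    r"^IP: s=(?P<src>\S+) \([^)]*\), d=(?P<dst>\S+) \([^)]*\), "
    r"len \d+, (?P<stage>[^,]+), proto=(?P<proto>\d+)(?:, (?P<feature>[^(]+)\(\d+\))?"
)

def parse_debug(text):
    """Group debug ip packet lines by (src, dst, proto); collect features seen."""
    flows = defaultdict(lambda: {"features": set(), "count": 0})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # FIB lines and other noise are ignored
        f = flows[(m["src"], m["dst"], int(m["proto"]))]
        f["count"] += 1
        if m["feature"]:
            f["features"].add(m["feature"].strip())
    return dict(flows)

def triage(text):
    """For each GRE (proto 47) flow: did it hit the crypto engine, and did any
    UDP (proto 17, i.e. IKE) packets to the same peer appear in the capture?"""
    flows = parse_debug(text)
    verdicts = {}
    for (src, dst, proto), f in flows.items():
        if proto != 47:
            continue
        hit_crypto = "IPSec: to crypto engine" in f["features"]
        ike_seen = (src, dst, 17) in flows  # assumes IKE uses the tunnel source IP
        if not hit_crypto:
            verdicts[(src, dst)] = "gre-not-classified-by-crypto-map"
        elif ike_seen:
            verdicts[(src, dst)] = "ike-initiated"
        else:
            verdicts[(src, dst)] = "crypto-hit-but-no-ike-seen"
    return verdicts
```

Run it over a longer capture from `debug ip packet detail` to separate "the crypto map never matched the GRE packets" from "the packets matched but IKE was never sent", which are different problems to chase in the FVRF/IVRF split.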