GRE over IPsec crypto map + IVRF + FVRF

#1 Post by nowy »

Hello,

I'm trying to get the setup below working: GRE over IPsec in the IVRF (KLIENT), sourced from an IP in the FVRF (INTERNET).

I know a similar problem has already been discussed here, but somehow it doesn't work for me.

In the current config the GRE keepalives do not trigger IPsec. After changing to tunnel vrf KLIENT, IPsec triggers immediately but the tunnel stays down; after adding keepalives on the other side, the local router does not forward them into VRF KLIENT and the tunnel still stays down.

Config and debug ip packet for the keepalives enabled on the local router - IPsec does not come up.

Any suggestions appreciated.

Code:

ip vrf INTERNET
 rd 119:119
!
ip vrf KLIENT
 rd 3:3
!
crypto keyring KEYRING vrf INTERNET 
  pre-shared-key address Y.Y.Y.Y key KEY
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp profile IKE-PROFILE
   vrf KLIENT
   keyring KEYRING
   match identity address Y.Y.Y.Y 255.255.255.255 INTERNET
   local-address GigabitEthernet0/1.119
!
!
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac 
 mode transport
!
crypto ipsec profile IPSEC-PROFILE
 set transform-set ESP-AES256-SHA1 
 set isakmp-profile IKE-PROFILE
!
crypto map CRYPTO-MAP 1 ipsec-isakmp 
 set peer Y.Y.Y.Y
 set transform-set ESP-AES256-SHA1 
 set isakmp-profile IKE-PROFILE
 match address CRYPTO-ACL
!
interface Tunnel1
 ip vrf forwarding KLIENT
 ip address 192.168.0.2 255.255.255.252
 keepalive 3 3
 tunnel source GigabitEthernet0/1.119
 tunnel destination Y.Y.Y.Y
 tunnel vrf INTERNET
!
interface Embedded-Service-Engine0/0
 no ip address
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.109
 encapsulation dot1Q 109
 ip address 172.31.109.9 255.255.255.0
!
interface GigabitEthernet0/1.119
 encapsulation dot1Q 119
 ip vrf forwarding INTERNET
 ip address X.X.X.X 255.255.255.240
 crypto map CRYPTO-MAP
!
interface GigabitEthernet0/1.2040
 encapsulation dot1Q 2040
 ip vrf forwarding KLIENT
 ip address 10.3.0.30 255.255.255.248
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip route vrf INTERNET Y.Y.Y.Y 255.255.255.255 Z.Z.Z.Z
ip route vrf KLIENT 10.0.0.12 255.255.255.255 Tunnel1
ip route vrf KLIENT Y.Y.Y.Y 255.255.255.255 GigabitEthernet0/1.119 Z.Z.Z.Z
!
ip access-list extended CRYPTO-ACL
 permit gre host X.X.X.X host Y.Y.Y.Y
!

FIBipv4-packet-proc: route packet from (local) src X.X.X.X dst Y.Y.Y.Y
FIBfwd-proc: packet routed by adj to GigabitEthernet0/1.119 Z.Z.Z.Z
FIBipv4-packet-proc: packet routing succeeded
IP: s=X.X.X.X (local), d=Y.Y.Y.Y (GigabitEthernet0/1.119), len 48, sending, proto=47
FIBipv4-packet-proc: route packet from (local) src X.X.X.X dst Y.Y.Y.Y
FIBfwd-proc: packet routed by adj to GigabitEthernet0/1.119 Z.Z.Z.Z
FIBipv4-packet-proc: packet routing succeeded
IP: s=X.X.X.X (local), d=Y.Y.Y.Y (GigabitEthernet0/1.119), len 48, sending, proto=47
IP: s=X.X.X.X (local), d=Y.Y.Y.Y (GigabitEthernet0/1.119), len 48, output feature, proto=47, IPSec output classification(35), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: s=X.X.X.X (local), d=Y.Y.Y.Y (GigabitEthernet0/1.119), len 48, output feature, proto=47, IPSec: to crypto engine(79), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: s=X.X.X.X (local), d=Y.Y.Y.Y (GigabitEthernet0/1.119), len 48, output feature, proto=47, Post-encryption output features(80), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: s=X.X.X.X (local), d=Y.Y.Y.Y (GigabitEthernet0/1.119), len 48, pre-encap feature, proto=47, IPSec Output Encap(1), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: s=X.X.X.X (local), d=Y.Y.Y.Y (GigabitEthernet0/1.119), len 48, pre-encap feature, proto=47, Crypto Engine(3), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

#2 Post by drake »

Hi,
which IOS? I've run into various similar problems with keepalives on GRE running over IPsec...

Cheers! ;)
Never stop exploring :)

https://iverion.de

#3 Post by nowy »

15.2(4)M6

#4 Post by piotro »

Very quickly, without looking at your config/debugs - check whether it works better on 15.1M.
I recently went through L2TP/IPsec-in-VRF problems on 3900/2900 and in general it's a tragedy, bugs everywhere: a config that works without problems on IOS 12 works (though with problems) on 15.1M, but IPsec doesn't come up at all with the same config on 15.2M and 15.3M.

#5 Post by hubertzw »

Hi, the example you linked is about 'IPsec over GRE', while in the subject I see 'GRE over IPsec'. Which of these methods do you want to use, because I see both a crypto map and an ipsec profile?
If 'GRE over IPsec', then it should rather be without a crypto map on the interface and with 'tunnel protection' on tun1, am I wrong?

I also removed keepalive 3 3

Code:

loo0 [R6] gig0/0 ----- gig0/0 [R7] loo0
6.6.6.6   10.0.0.6       10.0.0.7    7.7.7.7
              tun1            tun1
          192.168.0.1   192.168.0.2


R6:

Code:


!
ip vrf INTERNET
!
ip vrf KLIENT
!
crypto keyring KEYRING vrf INTERNET
  pre-shared-key address 10.0.0.7 key KEY
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp profile IKE-PROFILE
   keyring KEYRING
   match identity address 10.0.0.7 255.255.255.255 INTERNET
   local-address GigabitEthernet0/0
!
!
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile IPSEC-PROFILE
 set transform-set ESP-AES256-SHA1
 set isakmp-profile IKE-PROFILE
!
interface Loopback0
 ip vrf forwarding KLIENT
 ip address 6.6.6.6 255.255.255.0
!
interface Tunnel1
 ip vrf forwarding KLIENT
 ip address 192.168.0.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 10.0.0.7
 tunnel vrf INTERNET
 tunnel protection ipsec profile IPSEC-PROFILE
!
interface GigabitEthernet0/0
 ip vrf forwarding INTERNET
 ip address 10.0.0.6 255.255.255.0
 media-type gbic
 speed 1000
 duplex full
 negotiation auto
!
ip route vrf INTERNET 192.168.0.2 255.255.255.255 GigabitEthernet0/0 10.0.0.7
ip route vrf KLIENT 0.0.0.0 0.0.0.0 Tunnel1
!
ip access-list extended CRYPTO-ACL
 permit gre host 10.0.0.6 host 10.0.0.7
!

R7:

Code:

ip vrf INTERNET
!
ip vrf KLIENT
crypto keyring KEYRING vrf INTERNET
  pre-shared-key address 10.0.0.6 key KEY
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp profile IKE-PROFILE
   keyring KEYRING
   match identity address 10.0.0.6 255.255.255.255 INTERNET
   local-address GigabitEthernet0/0
!
!
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile IPSEC-PROFILE
 set transform-set ESP-AES256-SHA1
 set isakmp-profile IKE-PROFILE
!
interface Loopback0
 ip vrf forwarding KLIENT
 ip address 7.7.7.7 255.255.255.0
!
interface Tunnel1
 ip vrf forwarding KLIENT
 ip address 192.168.0.2 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 10.0.0.6
 tunnel vrf INTERNET
 tunnel protection ipsec profile IPSEC-PROFILE
!
interface GigabitEthernet0/0
 ip vrf forwarding INTERNET
 ip address 10.0.0.7 255.255.255.0
 media-type gbic
 speed 1000
 duplex full
 negotiation auto
!
ip route vrf INTERNET 192.168.0.1 255.255.255.255 GigabitEthernet0/0 10.0.0.6
ip route vrf KLIENT 0.0.0.0 0.0.0.0 Tunnel1
!
ip access-list extended CRYPTO-ACL
 permit gre host 10.0.0.7 host 10.0.0.6
!
!

Code:

R6#ping vrf KLIENT 7.7.7.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/137/168 ms
R6#

Code:

R6#sh crypto ipsec sa

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 10.0.0.6

   protected vrf: KLIENT
   local  ident (addr/mask/prot/port): (10.0.0.6/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.0.0.7/255.255.255.255/47/0)
   current_peer 10.0.0.7 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10

Regards

#6 Post by nowy »

hubertzw wrote: Hi, the example you linked is about 'IPsec over GRE', while in the subject I see 'GRE over IPsec'. Which of these methods do you want to use, because I see both a crypto map and an ipsec profile?
If 'GRE over IPsec', then it should rather be without a crypto map on the interface and with 'tunnel protection' on tun1, am I wrong?
Upgraded the software to 15.1, it didn't help.

Thanks for the test. I'm testing GRE over IPsec. I set up IPsec the same way you did. IPsec comes up but no traffic enters the tunnel. I can't ping either the remote IP of the GRE tunnel or the remote network, strange.

I'm wondering about this static route in your config, what is its purpose?
ip route vrf INTERNET 192.168.0.2 255.255.255.255 GigabitEthernet0/0 10.0.0.7
Another thing: can you ping 192.168.0.2 from R6?

#7 Post by hubertzw »

Code:

R6#sh crypto ipsec sa

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 10.0.0.6

   protected vrf: KLIENT
   local  ident (addr/mask/prot/port): (10.0.0.6/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.0.0.7/255.255.255.255/47/0)
   current_peer 10.0.0.7 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
    #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.0.0.6, remote crypto endpt.: 10.0.0.7
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x20259C21(539335713)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x4F916E54(1334931028)

R6#ping vrf KLIENT 192.168.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/141/188 ms
R6#sh crypto ipsec sa

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 10.0.0.6

   protected vrf: KLIENT
   local  ident (addr/mask/prot/port): (10.0.0.6/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.0.0.7/255.255.255.255/47/0)
   current_peer 10.0.0.7 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20
    #pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.0.0.6, remote crypto endpt.: 10.0.0.7
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x20259C21(539335713)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x4F916E54(1334931028)


#8 Post by hubertzw »

I also removed that static route, it works without it too; I had tested a few variants earlier and left it in, but as you can see it's unnecessary:

Code:

R6#sh run | i route
ip route vrf KLIENT 0.0.0.0 0.0.0.0 Tunnel1
R6#ping vrf KLIENT 192.168.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 108/130/156 ms
R6#
Regards
Hubert

#9 Post by nowy »

The problem is probably rather that on the other side I have plain GRE over IPsec without VRFs, on a crypto map.
If I configure VTI on both sides it works without problems.
So I have to adapt the side with VRFs so that it works with a plain crypto map on the other side.

#10 Post by nowy »

OK, problem solved. It turned out that keepalive under the tunnel is not supported in this kind of setup.

Here are the working configs.

With a crypto map:

Code:

ip vrf INTERNET 
 rd 119:119 
! 
ip vrf KLIENT 
 rd 3:3 
! 
crypto keyring KEYRING vrf INTERNET 
  pre-shared-key address Y.Y.Y.Y key KEY 
! 
crypto isakmp policy 1 
 encr aes 256 
 authentication pre-share 
 group 5
!
crypto isakmp profile IKE-PROFILE 
   keyring KEYRING 
   match identity address Y.Y.Y.Y 255.255.255.255 INTERNET 
   local-address GigabitEthernet0/1.119 
!  
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac 
 mode transport 
! 
crypto map CRYPTO-MAP 1 ipsec-isakmp 
 set peer Y.Y.Y.Y 
 set transform-set ESP-AES256-SHA1 
 set isakmp-profile IKE-PROFILE 
 match address CRYPTO-ACL 
! 
interface Tunnel1 
 ip vrf forwarding KLIENT 
 ip address 192.168.0.2 255.255.255.252 
 tunnel source GigabitEthernet0/1.119 
 tunnel destination Y.Y.Y.Y 
 tunnel vrf INTERNET 
! 
interface Embedded-Service-Engine0/0 
 no ip address 
! 
interface GigabitEthernet0/0 
 no ip address 
 duplex auto 
 speed auto 
! 
interface GigabitEthernet0/1 
 no ip address 
 duplex auto 
 speed auto 
! 
interface GigabitEthernet0/1.109 
 encapsulation dot1Q 109 
 ip address 172.31.109.9 255.255.255.0 
! 
interface GigabitEthernet0/1.119 
 encapsulation dot1Q 119 
 ip vrf forwarding INTERNET 
 ip address X.X.X.X 255.255.255.240 
 crypto map CRYPTO-MAP 
! 
interface GigabitEthernet0/1.2040 
 encapsulation dot1Q 2040 
 ip vrf forwarding KLIENT 
 ip address 10.3.0.30 255.255.255.248 
! 
interface GigabitEthernet0/2 
 no ip address 
 shutdown 
 duplex auto 
 speed auto 
! 
ip route vrf INTERNET Y.Y.Y.Y 255.255.255.255 Z.Z.Z.Z 
ip route vrf KLIENT 10.0.0.12 255.255.255.255 Tunnel1 
ip route vrf KLIENT Y.Y.Y.Y 255.255.255.255 GigabitEthernet0/1.119 Z.Z.Z.Z 
! 
ip access-list extended CRYPTO-ACL 
 permit gre host X.X.X.X host Y.Y.Y.Y

And with VTI:

Code:

ip vrf INTERNET 
 rd 119:119 
! 
ip vrf KLIENT 
 rd 3:3 
! 
crypto keyring KEYRING vrf INTERNET 
  pre-shared-key address Y.Y.Y.Y key KEY 
! 
crypto isakmp policy 1 
 encr aes 256 
 authentication pre-share 
 group 5
!
crypto isakmp profile IKE-PROFILE 
   keyring KEYRING 
   match identity address Y.Y.Y.Y 255.255.255.255 INTERNET 
   local-address GigabitEthernet0/1.119 
!  
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac 
 mode transport 
! 
crypto ipsec profile IPSEC-PROFILE 
 set transform-set ESP-AES256-SHA1 
 set isakmp-profile IKE-PROFILE
! 
crypto map CRYPTO-MAP 1 ipsec-isakmp 
 set peer Y.Y.Y.Y 
 set transform-set ESP-AES256-SHA1 
 set isakmp-profile IKE-PROFILE 
 match address CRYPTO-ACL 
! 
interface Tunnel1 
 ip vrf forwarding KLIENT 
 ip address 192.168.0.2 255.255.255.252 
 tunnel source GigabitEthernet0/1.119 
 tunnel destination Y.Y.Y.Y
 tunnel vrf INTERNET
 tunnel protection ipsec profile IPSEC-PROFILE
! 
interface Embedded-Service-Engine0/0 
 no ip address 
! 
interface GigabitEthernet0/0 
 no ip address 
 duplex auto 
 speed auto 
! 
interface GigabitEthernet0/1 
 no ip address 
 duplex auto 
 speed auto 
! 
interface GigabitEthernet0/1.109 
 encapsulation dot1Q 109 
 ip address 172.31.109.9 255.255.255.0 
! 
interface GigabitEthernet0/1.119 
 encapsulation dot1Q 119 
 ip vrf forwarding INTERNET 
 ip address X.X.X.X 255.255.255.240 
! 
interface GigabitEthernet0/1.2040 
 encapsulation dot1Q 2040 
 ip vrf forwarding KLIENT 
 ip address 10.3.0.30 255.255.255.248 
! 
interface GigabitEthernet0/2 
 no ip address 
 shutdown 
 duplex auto 
 speed auto 
! 
ip route vrf INTERNET Y.Y.Y.Y 255.255.255.255 Z.Z.Z.Z 
ip route vrf KLIENT 10.0.0.12 255.255.255.255 Tunnel1 
ip route vrf KLIENT Y.Y.Y.Y 255.255.255.255 GigabitEthernet0/1.119 Z.Z.Z.Z 
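
The consistency rules this thread converges on (post #1's broken config, hubertzw's VTI lab in post #5, and the two working configs in post #10) can be checked mechanically. The Python script below is an added example, not code from the thread, its participants or Cisco: it parses an IOS running-config into blocks and flags the mismatches discussed above: a tunnel source interface that is not in the `tunnel vrf` (the FVRF), a keyring or `match identity` bound to a VRF other than the FVRF, `keepalive` under a crypto-map protected VRF tunnel (which post #10 reports as unsupported), an ISAKMP-profile `vrf` that pins an IVRF different from the FVRF when a crypto map protects the GRE packets (the working crypto-map config in post #10 drops that line), and a crypto ACL that does not select GRE between the two endpoints. The checks are drawn from the thread's outcome and are assumptions, not Cisco's documented support matrix; the sample configs are constructed from the thread's, with RFC 5737 placeholder addresses and a redacted key.

```python
"""Lint a Cisco IOS GRE-over-IPsec config for FVRF/IVRF consistency.
Added example, not code from the thread or from Cisco: the checks encode what the
thread converged on and are assumptions about this design, not a support matrix."""
import re

def parse_blocks(text):
    """Return {top-level command: [indented sub-commands]} for an IOS config."""
    blocks, header = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        if not line.startswith(" "):
            header = line
            blocks.setdefault(header, [])
        elif header is not None:
            blocks[header].append(line.strip())
    return blocks

def first(lines, prefix):
    """Arguments of the first sub-command starting with `prefix`, else None."""
    for line in lines:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return None

def lint(config):
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_blocks(config)
    # keyring name -> VRF it is bound to (None means the global table)
    keyring_vrf = {m.group(1): m.group(2) for m in
                   (re.match(r"crypto keyring (\S+)(?: vrf (\S+))?$", h) for h in blocks) if m}
    out = []
    for hdr, lines in blocks.items():
        if not hdr.startswith("interface Tunnel"):
            continue
        fvrf, src = first(lines, "tunnel vrf"), first(lines, "tunnel source")
        dst, prot = first(lines, "tunnel destination"), first(lines, "tunnel protection ipsec profile")
        src_lines = blocks.get(f"interface {src}", [])
        cmap, src_vrf = first(src_lines, "crypto map"), first(src_lines, "ip vrf forwarding")
        if src_vrf != fvrf:
            out.append(f"{hdr}: tunnel vrf is {fvrf} but source {src} is in VRF {src_vrf}")
        if cmap and first(lines, "keepalive") is not None:
            out.append(f"{hdr}: keepalive under a crypto-map protected VRF tunnel is not supported")
        # the ISAKMP profile is referenced by the crypto map or by the IPsec profile
        if cmap:
            map_lines = next((l for h, l in blocks.items() if h.startswith(f"crypto map {cmap} ")), [])
        else:
            map_lines = blocks.get(f"crypto ipsec profile {prot}", [])
        ike = blocks.get(f"crypto isakmp profile {first(map_lines, 'set isakmp-profile')}", [])
        kr = first(ike, "keyring")
        if kr and keyring_vrf.get(kr) != fvrf:
            out.append(f"{hdr}: keyring {kr} is bound to VRF {keyring_vrf.get(kr)}, FVRF is {fvrf}")
        ident = (first(ike, "match identity address") or "").split()
        if ident and (ident[2] if len(ident) > 2 else None) != fvrf:
            out.append(f"{hdr}: match identity is not scoped to FVRF {fvrf}")
        ivrf_pin = first(ike, "vrf")
        if cmap and ivrf_pin and ivrf_pin != fvrf:
            out.append(f"{hdr}: ISAKMP profile pins IVRF {ivrf_pin}, but the crypto map protects "
                       f"GRE packets routed in FVRF {fvrf}")
        if cmap:  # the crypto ACL must select GRE between the two tunnel endpoints
            acl = blocks.get(f"ip access-list extended {first(map_lines, 'match address')}", [])
            addr = first(src_lines, "ip address")
            src_ip = addr.split()[0] if addr else None
            if not any(l.startswith("permit gre") and f"host {src_ip} " in l and f"host {dst}" in l
                       for l in acl):
                out.append(f"{hdr}: crypto ACL does not permit gre host {src_ip} host {dst}")
    return out

# Constructed sample modelled on post #1's config (RFC 5737 addresses, key redacted).
BROKEN = """\
crypto keyring KEYRING vrf INTERNET
  pre-shared-key address 198.51.100.7 key REDACTED
crypto isakmp profile IKE-PROFILE
   vrf KLIENT
   keyring KEYRING
   match identity address 198.51.100.7 255.255.255.255 INTERNET
crypto ipsec profile IPSEC-PROFILE
 set isakmp-profile IKE-PROFILE
crypto map CRYPTO-MAP 1 ipsec-isakmp
 set isakmp-profile IKE-PROFILE
 match address CRYPTO-ACL
interface Tunnel1
 ip vrf forwarding KLIENT
 keepalive 3 3
 tunnel source GigabitEthernet0/1.119
 tunnel destination 198.51.100.7
 tunnel vrf INTERNET
interface GigabitEthernet0/1.119
 ip vrf forwarding INTERNET
 ip address 192.0.2.1 255.255.255.240
 crypto map CRYPTO-MAP
ip access-list extended CRYPTO-ACL
 permit gre host 192.0.2.1 host 198.51.100.7
"""
# Post #10's crypto-map fix: drop the IVRF pin and the keepalive.
FIXED = BROKEN.replace("   vrf KLIENT\n", "").replace(" keepalive 3 3\n", "")
# The VTI variant (posts #5 and #10): tunnel protection instead of a crypto map on the interface.
VTI = FIXED.replace(" crypto map CRYPTO-MAP\n", "").replace(
    " tunnel vrf INTERNET\n", " tunnel vrf INTERNET\n tunnel protection ipsec profile IPSEC-PROFILE\n")

if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED), ("VTI", VTI)):
        print(name, lint(cfg) or "OK")
```

Run against the three samples, `BROKEN` yields exactly the two findings the thread fixed (the `vrf KLIENT` IVRF pin and the `keepalive`), while `FIXED` and `VTI` pass clean; feeding it a real `show running-config` is a quick way to confirm that the FVRF is named consistently in the keyring, the `match identity` line and `tunnel vrf` before chasing the problem in `debug ip packet`.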
