Flex VPN Spoke-2-Spoke

martino76
CCIE
Posts: 883
Joined: 17 Dec 2010, 15:23
Location: Barczewo

#1 Post by martino76 »

Hello,

I'm testing Flex VPN spoke-to-spoke and I have a problem: traffic between the spokes still goes through the hub. In the logs I see that the Virtual-Access for spoke-to-spoke communication does not come up

spoke2# 
*Jul 21 10:44:07.028: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down

interface Virtual-Template1 type tunnel
 vrf forwarding LAN
 ip unnumbered Loopback0
 ip mtu 1340
 no ip next-hop-self eigrp 100
 no ip split-horizon eigrp 100
 ip nhrp network-id 1
 ip nhrp redirect
 ip summary-address eigrp 100 0.0.0.0 0.0.0.0
 ip tcp adjust-mss 1300
 tunnel source GigabitEthernet1
 tunnel path-mtu-discovery
 tunnel vrf INET
 tunnel protection ipsec profile IPSEC-IKEV2
end
spoke:

interface Tunnel1
 vrf forwarding LAN
 ip address negotiated
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 tunnel source GigabitEthernet1
 tunnel destination dynamic
 tunnel vrf INET
 tunnel protection ipsec profile IPSEC-IKEV2

interface Virtual-Template1 type tunnel
 ip unnumbered Tunnel1
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 tunnel protection ipsec profile IPSEC-IKEV2

IPsec comes up between the spoke and the hub without any problem, EIGRP comes up and I receive the default route from the hub

spoke2#sh ip route vrf LAN

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

D*    0.0.0.0/0 [90/27008000] via 192.168.1.1, 00:28:38, Tunnel1
      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C        172.16.1.3/32 is directly connected, Loopback100
C        172.16.2.0/24 is directly connected, Loopback1
L        172.16.2.1/32 is directly connected, Loopback1
      192.168.1.0/24 is variably subnetted, 3 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Tunnel1
S        192.168.1.1/32 is directly connected, Tunnel1
L        192.168.1.16/32 is directly connected, Tunnel1
If I ping between the two spokes I see that IPsec does not come up

spoke2#sh crypto session 
Crypto session current status

Interface: Tunnel1
Profile: IKEV2-PROFILE
Session status: UP-ACTIVE     
Peer: 150.1.1.2 port 500 
  Session ID: 9  
  IKEv2 SA: local 152.1.1.2/500 remote 150.1.1.2/500 Active 
  IPSEC FLOW: permit 47 host 152.1.1.2 host 150.1.1.2 
        Active SAs: 2, origin: crypto map

Interface: Virtual-Access1
Profile: IKEV2-PROFILE
Session status: DOWN-NEGOTIATING
Peer: 151.1.1.2 port 500 
  Session ID: 13  
  IKEv2 SA: local 152.1.1.2/500 remote 151.1.1.2/500 Inactive 
  IPSEC FLOW: permit 47 host 152.1.1.2 host 151.1.1.2 
        Active SAs: 0, origin: crypto map
Any ideas?

Regards,

konradrz
CCIE
Posts: 400
Joined: 23 Jan 2008, 14:21
Location: Singapore, SG

Re: Flex VPN Spoke-2-Spoke

#2 Post by konradrz »

Does it work without IPsec? (If so, it's probably the crypto isakmp policy/key.)

By the way, a long time ago there was this (not maintained) doc which said:
Migrating from Dynamic Multipoint VPN Phase 2 to Phase 3

(...) the removal of some of the restrictions on the routing protocols
required by Phase 2 (OSPF broadcast mode, non-split-tunneling)."

Following is the list of configuration changes that need to be done for
both hubs and spokes, and for the two main routing protocols: Enhanced
Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First
(OSPF), which will have to be applied in any of the migration
approaches...

To enable NHRP shortcut switching:

• All spokes need to have the commands ip nhrp shortcut and the ip nhrp redirect added to their tunnel interfaces. For the hubs use only ip nhrp redirect.

• For EIGRP, in the hub side only:

– Remove: no ip next-hop-self eigrp <as> from the hub tunnel configuration

– Leave: no ip split-horizon eigrp <as> in the hub tunnel configuration

– Add as needed: ip summary-address eigrp <as> <summary-of-spokes-subnets> 5

• For OSPF, for all hubs and spokes:

– Change from ip ospf network broadcast to ip ospf network point-multipoint.
so maybe try removing that one line from the hub?

martino76
CCIE
Posts: 883
Joined: 17 Dec 2010, 15:23
Location: Barczewo

Re: Flex VPN Spoke-2-Spoke

#3 Post by martino76 »

Hey Konrad, problem solved

konradrz
CCIE
Posts: 400
Joined: 23 Jan 2008, 14:21
Location: Singapore, SG

Re: Flex VPN Spoke-2-Spoke

#4 Post by konradrz »

Then, for posterity, write what was wrong :)

martino76
CCIE
Posts: 883
Joined: 17 Dec 2010, 15:23
Location: Barczewo

Re: Flex VPN Spoke-2-Spoke

#5 Post by martino76 »

For posterity: the tunnel interface mode must be

tunnel mode ipsec ipv4
because by default it is GRE.

Regards,

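The two things this thread settles on are easy to miss when eyeballing a spoke config: the spoke's tunnel and virtual-template stanzas need `tunnel mode ipsec ipv4` alongside `tunnel protection` (post #5, since IOS defaults to GRE), and spokes need both `ip nhrp shortcut` and `ip nhrp redirect` for NHRP shortcut switching (the doc quoted in post #2). Below is an added config-audit example, written for this thread and not code from the thread, from Cisco, or from any official tool; it assumes a deliberately simplified IOS stanza parser (not IOS's own parser), the finding strings are my own, and the sample configuration is constructed here to reproduce the spoke config from post #1 before the fix.

```python
"""Audit a FlexVPN spoke config for the two pitfalls raised in this thread.

Constructed example for this thread; the parser is a simplification of
IOS running-config syntax and the finding strings are this example's own.
"""
import re

TUNNEL_PREFIXES = ("Tunnel", "Virtual-Template")

# Findings reported by the audit (constants so callers can match on them).
MISSING_MODE = "tunnel protection configured but no 'tunnel mode ipsec ipv4' (IOS default is GRE)"
MISSING_SHORTCUT = "spoke tunnel lacks 'ip nhrp shortcut'"
MISSING_REDIRECT = "spoke tunnel lacks 'ip nhrp redirect'"

# Constructed sample: the spoke configuration posted in #1, before the fix.
SPOKE_CONFIG_BEFORE = """\
interface Tunnel1
 vrf forwarding LAN
 ip address negotiated
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 tunnel source GigabitEthernet1
 tunnel destination dynamic
 tunnel vrf INET
 tunnel protection ipsec profile IPSEC-IKEV2
!
interface Virtual-Template1 type tunnel
 ip unnumbered Tunnel1
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 tunnel protection ipsec profile IPSEC-IKEV2
!
"""

# Constructed sample: mode is set, but the spoke forgot 'ip nhrp shortcut'.
SPOKE_CONFIG_NO_SHORTCUT = """\
interface Virtual-Template1 type tunnel
 ip unnumbered Tunnel1
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-IKEV2
!
"""


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Map each 'interface <name>' stanza to its (stripped) sub-commands.

    A blank line, '!', 'end', or any unindented non-interface command
    closes the current stanza (simplified IOS stanza rules).
    """
    interfaces: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped in ("!", "end"):
            current = None
            continue
        m = re.match(r"^interface\s+(\S+)", stripped)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(stripped)
        else:
            current = None
    return interfaces


def audit_spoke(config: str) -> list[tuple[str, str]]:
    """Return (interface, finding) pairs for every Tunnel/Virtual-Template stanza."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if not name.startswith(TUNNEL_PREFIXES):
            continue
        has_protection = any(l.startswith("tunnel protection ipsec profile") for l in lines)
        if has_protection and "tunnel mode ipsec ipv4" not in lines:
            findings.append((name, MISSING_MODE))
        if not any(l.startswith("ip nhrp shortcut") for l in lines):
            findings.append((name, MISSING_SHORTCUT))
        if "ip nhrp redirect" not in lines:
            findings.append((name, MISSING_REDIRECT))
    return findings


def add_ipsec_tunnel_mode(config: str) -> str:
    """Insert 'tunnel mode ipsec ipv4' before 'tunnel protection' in flagged stanzas."""
    flagged = {name for name, f in audit_spoke(config) if f == MISSING_MODE}
    out, current = [], None
    for raw in config.splitlines():
        m = re.match(r"^\s*interface\s+(\S+)", raw)
        if m:
            current = m.group(1)
        elif not raw.startswith(" "):
            current = None
        if current in flagged and raw.strip().startswith("tunnel protection ipsec profile"):
            out.append(" tunnel mode ipsec ipv4")
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for iface, finding in audit_spoke(SPOKE_CONFIG_BEFORE):
        print(f"{iface}: {finding}")
    print(add_ipsec_tunnel_mode(SPOKE_CONFIG_BEFORE))
```

Run against the constructed "before" config it flags both Tunnel1 and Virtual-Template1 for the missing `tunnel mode ipsec ipv4`, and the rewritten config passes cleanly; the hub-side rules from the quoted doc (redirect only, `no ip next-hop-self eigrp` removed) are a separate check and are not modelled here.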