CCNP – GRE over IPSEC (part 2)

In this installment of the GRE over IPSec series, we will put together the IPSec and routing protocol portions of the config. First we need to put the ACLs in place that define the "interesting" traffic (the GRE packets between the two tunnel endpoints) to go over the IPSec tunnel.

! Main Router
!
access-list 150 permit gre host 14.36.88.6 host 14.38.88.10
!
! Remote Router R2
! Need to add a loopback to see an additional route from R2
!
interface Loopback0
ip address 192.168.10.1 255.255.255.0
!
access-list 120 permit gre host 14.38.88.10 host 14.36.88.6
!

The next step is to set up the ISAKMP policy, the pre-shared key, and the IPSec transform set.

! Main Router
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode transport

! Remote Router R2
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode transport

The next thing to set up is the crypto map, which ties the peer, the transform set, and the interesting-traffic ACL together.

! Main Router
!
crypto map vpn 20 ipsec-isakmp
set peer 14.38.88.10
set transform-set strong
match address 150

! Remote Router R2
!
crypto map vpn 10 ipsec-isakmp
set peer 14.36.88.6
set transform-set strong
match address 120

Now you will need to apply the crypto map.

! Main Router
!
interface tunnel0
crypto map vpn
!
interface fa0/1
crypto map vpn

! Remote Router R2
!
interface tunnel0
crypto map vpn
!
interface fa0/0
crypto map vpn

Router EIGRP Changes

! Main Router
!
router eigrp 60
network 192.168.0.0 0.0.255.255
auto-summary
no eigrp log-neighbor-changes

! Remote Router R2
!
router eigrp 60
network 192.168.0.0 0.0.255.255
auto-summary
no eigrp log-neighbor-changes

With everything working, this is what you should see on each router –

From Main –

Main#sh ip route
Codes: C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route

Gateway of last resort is 14.36.1.1 to network 0.0.0.0

D 192.168.10.0/24 [90/297372416] via 192.168.16.1, 00:04:20, Tunnel0
C 192.168.16.0/24 is directly connected, Tunnel0
14.0.0.0/16 is subnetted, 1 subnets
C 14.36.0.0 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 [1/0] via 14.36.1.1

From Remote R2 –

R2#sh ip route
Codes: C – connected, S – static, R – RIP, M – mobile, B – BGP
D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
ia – IS-IS inter area, * – candidate default, U – per-user static route
o – ODR, P – periodic downloaded static route

Gateway of last resort is 14.38.1.1 to network 0.0.0.0

C 192.168.10.0/24 is directly connected, Loopback0
C 192.168.16.0/24 is directly connected, Tunnel0
14.0.0.0/16 is subnetted, 1 subnets
C 14.38.0.0 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 14.38.1.1

Now that we have a functional two-router config using GRE and IPSec, it is time to walk through a few troubleshooting steps. The goal is to establish a baseline in this lab so that you can identify problems when you do this in the real world. The first thing to look at is the tunnel interface. To test that routes are being distributed, you can add a route using a loopback interface on one router and verify that it shows up on the other router (or routers, once we add more routers to this configuration in a later post). A sh int t0 will show us whether two-way traffic is present on the interface.

This is what the Tunnel 0 interface should look like on each of the routers –

R2#sh int t0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 192.168.16.1/24
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 14.38.88.10 (FastEthernet0/0), destination 14.36.88.6
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 00:00:03, output 00:00:02, output hang never
Last clearing of “show interface” counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 178
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
566 packets input, 47712 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
566 packets output, 47712 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out

What you are looking for here is that the packet input and output counters are incrementing.

You should also be familiar with how to check that EIGRP is working. From the Main router, you should see something like this –

Main#sh ip eigrp 60 neighbors
IP-EIGRP neighbors for process 60
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 192.168.16.1 Tu0 11 00:44:24 38 5000 0 6

Next, look at where the routes we see are coming from –

Main#sh ip eigrp 60 topology
IP-EIGRP Topology Table for AS(60)/ID(192.168.16.2)

Codes: P – Passive, A – Active, U – Update, Q – Query, R – Reply,
r – reply Status, s – sia Status

P 192.168.10.0/24, 1 successors, FD is 297372416
via 192.168.16.1 (297372416/128256), Tunnel0
P 192.168.5.0/24, 1 successors, FD is 128256
via Connected, Loopback0
P 192.168.16.0/24, 1 successors, FD is 297244416
via Connected, Tunnel0

For those who are not familiar with IPSec, there are a couple of commands that will serve you well when you need to see whether you have an IPSec issue. This first command will show you that the two-way tunnel has been properly negotiated –

Main#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
14.36.88.6 14.38.88.10 QM_IDLE 1002 0 ACTIVE

QM_IDLE is the main thing to look for here. That is a good indication that all is well.

This next command will show you whether two-way traffic is traversing the IPSec tunnel. The main thing to look for here is that the packet encaps/decaps counters are incrementing. If, for example, you only see the encaps (encapsulation) counter incrementing but not the decaps (decapsulation) counter, this indicates a problem in the IPSec configuration on either end or possibly a routing problem at the remote end.

Main#sh crypto ipsec sa

interface: Tunnel0
Crypto map tag: vpn, local addr 14.36.88.6

protected vrf: (none)
local ident (addr/mask/prot/port): (14.36.88.6/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (14.38.88.10/255.255.255.255/47/0)
current_peer 14.38.88.10 port 500
PERMIT, flags={}
#pkts encaps: 640, #pkts encrypt: 640, #pkts digest: 640
#pkts decaps: 641, #pkts decrypt: 641, #pkts verify: 641
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 14.36.88.6, remote crypto endpt.: 14.38.88.10
path mtu 1476, ip mtu 1476
current outbound spi: 0xB54848E5(3041413349)

inbound esp sas:
spi: 0x2AE499CE(719624654)
transform: esp-3des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 1, flow_id: 1, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4511186/681)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xB54848E5(3041413349)
transform: esp-3des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 2, flow_id: 2, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4511186/680)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

interface: FastEthernet0/1
Crypto map tag: vpn, local addr 14.36.88.6

protected vrf: (none)
local ident (addr/mask/prot/port): (14.36.88.6/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (14.38.88.10/255.255.255.255/47/0)
current_peer 14.38.88.10 port 500
PERMIT, flags={}
#pkts encaps: 642, #pkts encrypt: 642, #pkts digest: 642
#pkts decaps: 643, #pkts decrypt: 643, #pkts verify: 643
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 14.36.88.6, remote crypto endpt.: 14.38.88.10
path mtu 1476, ip mtu 1476
current outbound spi: 0xB54848E5(3041413349)

inbound esp sas:
spi: 0x2AE499CE(719624654)
transform: esp-3des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 1, flow_id: 1, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4511185/672)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xB54848E5(3041413349)
transform: esp-3des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 2, flow_id: 2, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4511185/671)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:
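As an added example that is not part of the original post, here is a small Python script that applies the encaps/decaps check described above to two samples of sh crypto ipsec sa output taken a few seconds apart. The sample text is constructed in the shape of the output shown above, with Tunnel0 deliberately set up as the failure case (encaps moving, decaps stuck).

```python
import re

# Constructed samples in the shape of the "show crypto ipsec sa" output above,
# cut down to the lines this check reads, taken a few seconds apart.
BEFORE = """\
interface: Tunnel0
    #pkts encaps: 640, #pkts encrypt: 640, #pkts digest: 640
    #pkts decaps: 641, #pkts decrypt: 641, #pkts verify: 641
interface: FastEthernet0/1
    #pkts encaps: 642, #pkts encrypt: 642, #pkts digest: 642
    #pkts decaps: 643, #pkts decrypt: 643, #pkts verify: 643
"""
# Second sample: Tunnel0 has encapsulated 60 more packets but decapsulated none.
AFTER = """\
interface: Tunnel0
    #pkts encaps: 700, #pkts encrypt: 700, #pkts digest: 700
    #pkts decaps: 641, #pkts decrypt: 641, #pkts verify: 641
interface: FastEthernet0/1
    #pkts encaps: 702, #pkts encrypt: 702, #pkts digest: 702
    #pkts decaps: 703, #pkts decrypt: 703, #pkts verify: 703
"""

IFACE_RE = re.compile(r"^interface:\s+(\S+)[ \t]*$", re.M)
COUNTER_RE = re.compile(r"#pkts (encaps|decaps):\s+(\d+)")

def parse_counters(output):
    """Return {interface: {"encaps": n, "decaps": n}} from the show output."""
    parts = IFACE_RE.split(output)  # [preamble, name1, body1, name2, body2, ...]
    return {name: {k: int(v) for k, v in COUNTER_RE.findall(body)}
            for name, body in zip(parts[1::2], parts[2::2])}

def diagnose(before, after):
    """Classify each interface's SA by how its counters moved between samples."""
    old, new = parse_counters(before), parse_counters(after)
    verdicts = {}
    for name, cur in new.items():
        prev = old.get(name, cur)
        sent = cur["encaps"] - prev["encaps"]
        received = cur["decaps"] - prev["decaps"]
        if sent > 0 and received > 0:
            verdicts[name] = "ok"           # two-way traffic, what the text expects
        elif sent > 0:
            verdicts[name] = "encaps-only"  # remote IPSec config or remote routing
        elif received > 0:
            verdicts[name] = "decaps-only"  # local crypto map/ACL or local route
        else:
            verdicts[name] = "idle"         # nothing hitting the SA at all
    return verdicts
```

Feed it two real captures from the router (for example via a script that runs the command twice with a short sleep) and any interface reported as encaps-only points you at the remote side, exactly as the paragraph above describes.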
