From: Max Bozeman (maxbozeman@excite.com)
Date: Wed Sep 06 2006 - 12:26:57 ART
I am trying to separate the provider-connected interface from the internal interfaces at a remote site using VRFs. That part is easy. I am also tunneling to connect back to the core site using GRE (tunnel interface in the default interface) over IPSEC (transport mode). It works great if I am only using GRE; but it stops working as soon as I add the IPSEC portion. The IPSEC SAs are established. The tunnel on the Remote router is showing up and up (I am using keepalives).
The tunnel on the core router is up and down. I am sending and receiving keepalives from the remote, and I am sending from the core. I am never receiving on the core. There is no issue with the router in between (this is all labbed using Ethernet interfaces) because I have done this with the routers back-to-back and have had the same issue. While I don't know why I am not seeing it now, earlier in a "debug tunnel" I was seeing: GRE/IP <something> classify 192.168.1.2->192.168.0.1: failed
Here is the layout: Remote<-->R2<-->Core
Here are the applicable configs:
Remote:
hostname Remote
!
ip vrf DSLLAB
 rd 200:1
!
no ip domain lookup
!
crypto keyring DSLKEYS vrf DSLLAB
 pre-shared-key address 192.168.0.1 key x1x2x3x4
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp profile DSLLAB
 vrf DSLLAB
 keyring DSLKEYS
 self-identity address
 match identity address 192.168.0.1 255.255.255.255 DSLLAB
 keepalive 60 retry 3
!
!
crypto ipsec transform-set transport-tset esp-3des esp-md5-hmac
 mode transport
!
crypto map DSLLAB 1 ipsec-isakmp
 set peer 192.168.0.1
 set transform-set transport-tset
 set isakmp-profile DSLLAB
 match address 110
!
!
!
interface Tunnel0
 bandwidth 512
 ip address 10.1.1.2 255.255.255.252
 ip mtu 1430
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 192.168.0.1
 tunnel vrf DSLLAB
!
interface FastEthernet0/0
 ip vrf forwarding DSLLAB
 ip address 192.168.1.2 255.255.255.252
 duplex auto
 speed auto
 crypto map DSLLAB
 no shut
!
interface FastEthernet0/1
 ip address 10.2.2.1 255.255.255.0
 duplex auto
 speed auto
 no shut
!
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route vrf DSLLAB 0.0.0.0 0.0.0.0 192.168.1.1
!
access-list 110 permit gre host 192.168.1.2 host 192.168.0.1
!
line con 0
 exec-timeout 0 0
R2:
hostname r2
!
interface FastEthernet0/0
 ip address 192.168.0.2 255.255.255.252
 duplex auto
 speed auto
 no shut
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.252
 duplex auto
 speed auto
 no shut
Core:
hostname Core
!
no ip domain lookup
!
crypto keyring DSLKEYS
 pre-shared-key address 192.168.1.2 key x1x2x3x4
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp profile DSLLAB
 keyring DSLKEYS
 self-identity address
 match identity address 192.168.1.2 255.255.255.252
 keepalive 60 retry 3
!
crypto ipsec transform-set transport-tset esp-3des esp-md5-hmac
 mode transport
!
crypto map DSLLAB 1 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set transport-tset
 set isakmp-profile DSLLAB
 match address 110
!
interface Tunnel0
 description GRE Tunnel
 bandwidth 512
 ip address 10.1.1.1 255.255.255.252
 ip mtu 1430
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 192.168.1.2
!
interface FastEthernet0/0
 description Direct ISP Access
 ip address 192.168.0.1 255.255.255.252
 no ip redirects
 duplex auto
 speed auto
 crypto map DSLLAB
 no shut
!
interface FastEthernet0/1
 ip address 10.3.3.1 255.255.255.0
 duplex auto
 speed auto
 no shut
!
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route 192.168.1.0 255.255.255.252 192.168.0.2
!
access-list 110 permit gre host 192.168.0.1 host 192.168.1.2
!
line con 0
 exec-timeout 0 0
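A check worth running on any crypto-map GRE-over-IPsec pair before reaching for debugs is to confirm that the two sides really are mirror images of each other: crypto ACLs reversed, each side's peer and tunnel destination equal to the other side's tunnel source address, the crypto map bound to the tunnel source interface, the same transform set and mode, and the same pre-shared key. The script below is an added example and is not part of the post or of anything its author configured; the embedded configs are trimmed copies of the Remote and Core configs above (constructed input), and `parse_ios`, `cross_check` and the `SUB` table are illustrative helper names that understand only the commands used here (the ISAKMP profile and VRF commands are deliberately ignored).

```python
"""Cross-check two Cisco IOS GRE-over-IPsec (crypto map) configs for the
asymmetries that most often leave one side of a tunnel dark: an un-mirrored
crypto ACL, a peer or tunnel destination that is not the other side's tunnel
source address, a crypto map on the wrong interface, or differing transform
sets / pre-shared keys. Constructed input: trimmed Remote and Core configs."""

REMOTE_CFG = """\
interface Tunnel0
 tunnel source FastEthernet0/0
 tunnel destination 192.168.0.1
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.252
 crypto map DSLLAB
crypto keyring DSLKEYS vrf DSLLAB
 pre-shared-key address 192.168.0.1 key x1x2x3x4
crypto ipsec transform-set transport-tset esp-3des esp-md5-hmac
 mode transport
crypto map DSLLAB 1 ipsec-isakmp
 set peer 192.168.0.1
 match address 110
access-list 110 permit gre host 192.168.1.2 host 192.168.0.1
"""

CORE_CFG = """\
interface Tunnel0
 tunnel source FastEthernet0/0
 tunnel destination 192.168.1.2
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.252
 crypto map DSLLAB
crypto keyring DSLKEYS
 pre-shared-key address 192.168.1.2 key x1x2x3x4
crypto ipsec transform-set transport-tset esp-3des esp-md5-hmac
 mode transport
crypto map DSLLAB 1 ipsec-isakmp
 set peer 192.168.1.2
 match address 110
access-list 110 permit gre host 192.168.0.1 host 192.168.1.2
"""

SUB = {"ip address": "ip", "tunnel source": "tsrc", "tunnel destination": "tdst",
       "set peer": "peer", "match address": "map_acl"}  # sub-command -> key on its block

def parse_ios(cfg):
    """Extract what must agree with the peer. An unindented line opens a new block."""
    c = {"ifaces": {}, "acls": {}, "tset": {}}
    block = None
    for raw in filter(str.strip, cfg.splitlines()):
        w = raw.split()
        if not raw.startswith(" "):
            block = None
            if w[0] == "interface":
                block = c["ifaces"].setdefault(w[1], {"name": w[1]})
            elif w[:2] in (["crypto", "map"], ["crypto", "keyring"]):
                block = c                          # 'set peer' and the PSK live at top level
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                c["tset"] = block = {"algos": tuple(w[4:]), "mode": "tunnel"}  # IOS default mode
            elif w[0] == "access-list":
                c["acls"].setdefault(w[1], []).append(tuple(w[2:]))
        elif block is not None:
            key = " ".join(w[:2])
            if key in SUB:
                block[SUB[key]] = w[2]
            elif key == "crypto map":              # crypto map applied under an interface
                c["map_iface"] = block["name"]
            elif key == "pre-shared-key address":  # pre-shared-key address A key K
                c["psk"] = (w[2], w[4])
            elif w[0] == "mode":
                block["mode"] = w[1]
    return c

def tunnel_if(c):
    return next(i for i in c["ifaces"].values() if "tdst" in i)

def cross_check(a, b, names=("A", "B")):
    """Return the inconsistencies between configs a and b; an empty list means they agree."""
    mirror = lambda e: e[:2] + (e[4], e[5], e[2], e[3])  # 'permit gre host A host B' -> B/A
    problems = []
    for x, y, xn, yn in ((a, b, *names), (b, a, *names[::-1])):
        tun = tunnel_if(x)
        y_local = y["ifaces"][tunnel_if(y)["tsrc"]]["ip"]  # other side's tunnel source address
        if tun["tdst"] != y_local:
            problems.append(f"{xn}: tunnel destination {tun['tdst']} is not {yn}'s tunnel source {y_local}")
        if x.get("peer") != y_local:
            problems.append(f"{xn}: crypto map peer {x.get('peer')} is not {yn}'s tunnel source {y_local}")
        if x.get("map_iface") != tun["tsrc"]:
            problems.append(f"{xn}: crypto map is on {x.get('map_iface')}, not on tunnel source {tun['tsrc']}")
        psk_addr = x.get("psk", (None, None))[0]
        if psk_addr != y_local:
            problems.append(f"{xn}: pre-shared key is bound to {psk_addr}, not to {yn}'s address {y_local}")
        for e in x["acls"].get(x.get("map_acl"), []):
            if mirror(e) not in y["acls"].get(y.get("map_acl"), []):
                problems.append(f"{xn}: crypto ACL entry '{' '.join(e)}' has no mirror image on {yn}")
    if a.get("psk", (None, None))[1] != b.get("psk", (None, None))[1]:
        problems.append("pre-shared keys differ")
    if a["tset"] != b["tset"]:
        problems.append(f"transform sets differ: {a['tset']} vs {b['tset']}")
    return problems

if __name__ == "__main__":
    print(cross_check(parse_ios(REMOTE_CFG), parse_ios(CORE_CFG), ("Remote", "Core")) or "no mismatch found")
```

Run as a script it prints the findings; with the configs as posted it reports no mismatch, which rules out the copy-paste errors it looks for (a crypto ACL written in the same direction on both ends, a peer that does not match the far side's tunnel source, a transform set left in tunnel mode on one side). Anything VRF-related (`tunnel vrf`, the keyring and ISAKMP profile `vrf` bindings) is outside its scope.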
This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:40 ART