Re: Crypto Across two catalyst 6509s

From: Segun Daini <segundaini_at_yahoo.com>
Date: Fri, 4 Dec 2009 00:58:27 -0800 (PST)

Hi,

I think the problem here is your routing.

You need to have a routing process for the tunnel interfaces and the networks to be encrypted, while you have a separate one for the SVIs (tunnel source/destinations).

Regards.

________________________________
From: olumayokun fowowe <olumayokun_at_gmail.com>
To: Iwan Hoogendoorn <iwan_at_ipexpert.com>
Cc: Dale Shaw <dale.shaw_at_gmail.com>; Cisco certification <ccielab_at_groupstudy.com>
Sent: Thu, December 3, 2009 4:20:50 PM
Subject: Re: Crypto Across two catalyst 6509s

Hello Iwan,

There is no NAT configuration on the switches at all. I cannot ping the
tunnel end points. A traceroute from one of the switches to an end device on
the other switch is successful but without showing the IP addresses of the
hops.

Mayokun

On Thu, Dec 3, 2009 at 1:41 PM, Iwan Hoogendoorn <iwan_at_ipexpert.com> wrote:

> hi,
>
> You don't have NAT on the interfaces?
> Also, when you do a traceroute, do you see that the traffic is trying to go
> into the tunnel?
> Can you also ping the tunnel endpoints?
>
> --
> Regards,
>
> Iwan Hoogendoorn
> CCIE #13084 (R&S / Security / SP)
> Sr. Support Engineer IPexpert, Inc.
> URL: http://www.IPexpert.com
>
>
>
> On Thu, Dec 3, 2009 at 1:24 PM, olumayokun fowowe <olumayokun_at_gmail.com> wrote:
> > Hello Dale,
> >
> > Find below the relevant portion of configs and hardware as requested:
> >
> >
> >
> > crypto isakmp policy 100
> >  hash md5
> >  authentication pre-share
> > crypto isakmp key ABCBCC02TUNNEL address 192.x.y.74
> > !
> > crypto ipsec transform-set BDQ1 esp-des esp-md5-hmac
> > !
> > crypto map ABC_IPsec 1 ipsec-isakmp
> >  set peer 192.x.y.74
> >  set security-association lifetime seconds 86400
> >  set transform-set BDQ1
> >  set pfs group1
> >  match address BHQ-IPSec
> > !
> > ip access-list extended BHQ-IPSec
> >  permit gre host 192.x.y.73 host 192.x.y.74
> > !
> > interface Tunnel1
> >  description TUNNEL CONNECTION TO BCC_IKEJA
> >  bandwidth 100000
> >  ip address 192.x.y.77 255.255.255.252
> >  ip mtu 1400
> >  load-interval 30
> >  tunnel source 192.x.y.73
> >  tunnel destination 192.x.y.74
> >  crypto map HQBCC_IPsec
> > !
> > interface GigabitEthernet4/22
> >  ip address 192.x.y.73 255.255.255.252
> >  crypto map ABC_IPsec
> > !
> > router eigrp 200
> >  net 192.x.0.0
> >  no auto-summary
> >
> > ===========================================================
> >
> >
> > CAT6509_EVEN#sh ver
> > Cisco Internetwork Operating System Software
> > IOS (tm) s72033_rp Software (s72033_rp-PK9SV-M), Version 12.2(18)SXD7b,
> > RELEASE SOFTWARE (fc1)
> > Technical Support: http://www.cisco.com/techsupport
> > Copyright (c) 1986-2006 by cisco Systems, Inc.
> > Compiled Fri 08-Dec-06 12:51 by ccai
> > Image text-base: 0x4002100C, data-base: 0x42320000
> >
> > ROM: System Bootstrap, Version 12.2(17r)S4, RELEASE SOFTWARE (fc1)
> > BOOTLDR: s72033_rp Software (s72033_rp-PK9SV-M), Version 12.2(18)SXD7b,
> > RELEASE SOFTWARE (fc1)
> >
> > CAT6509_EVEN uptime is 15 weeks, 3 days, 20 hours, 38 minutes
> > Time since CAT6509_EVEN switched to active is 15 weeks, 3 days, 20 hours, 37 minutes
> > System returned to ROM by reload at 04:52:28 PDT Mon Oct 22 2007 (SP by power-on)
> > System restarted at 16:18:16 gmt Sun Aug 16 2009
> > System image file is "sup-bootflash:s72033-pk9sv-mz.122-18.SXD7b.bin"
> >
> >
> > This product contains cryptographic features and is subject to United
> > States and local country laws governing import, export, transfer and
> > use. Delivery of Cisco cryptographic products does not imply
> > third-party authority to import, export, distribute or use encryption.
> > Importers, exporters, distributors and users are responsible for
> > compliance with U.S. and local country laws. By using this product you
> > agree to comply with applicable laws and regulations. If you are unable
> > to comply with U.S. and local laws, return this product immediately.
> >
> > A summary of U.S. laws governing Cisco cryptographic products may be found at:
> > http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
> >
> > If you require further assistance please contact us by sending email to
> > export_at_cisco.com.
> >
> > cisco WS-C6509-E (R7000) processor (revision 1.3) with 458720K/65536K bytes of memory.
> > Processor board ID SMG1119N2JD
> > SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
> > Last reset from s/w reset
> > X.25 software, Version 3.0.0.
> > Bridging software.
> > 6 Virtual Ethernet/IEEE 802.3 interface(s)
> > 90 Gigabit Ethernet/IEEE 802.3 interface(s)
> > 1917K bytes of non-volatile configuration memory.
> > 8192K bytes of packet buffer memory.
> >
> > 65536K bytes of Flash internal SIMM (Sector size 512K).
> > Configuration register is 0x2102
> >
> > ===========================================================
> >
> > CAT6509_EVEN#sh modul
> > Mod Ports Card Type                              Model              Serial No.
> > --- ----- -------------------------------------- ------------------ -----------
> >   1   24  CEF720 24 port 1000mb SFP              WS-X6724-SFP       SAD111505YB
> >   3    6  Firewall Module                        WS-SVC-FWM-1       SAD1118039C
> >   4   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAL1117MD4K
> >   5    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       SAL1020NNHA
> >   6    2  Supervisor Engine 720 (Hot)            WS-SUP720-3B       SAD111701C1
> >   8    8  Intrusion Detection System             WS-SVC-IDSM-2      SAD111403HD
> >
> > Mod MAC addresses                       Hw    Fw           Sw           Status
> > --- ---------------------------------- ------ ------------ ------------ -------
> >   1  001b.53bc.976c to 001b.53bc.9783   2.5   12.2(14r)S5  12.2(18)SXD7 Ok
> >   3  001a.a148.b9d2 to 001a.a148.b9d9   4.1   7.2(1)       2.3(4)       Ok
> >   4  001b.2a8d.73c0 to 001b.2a8d.73ef   2.5   12.2(14r)S5  12.2(18)SXD7 Ok
> >   5  0013.c43a.fb48 to 0013.c43a.fb4b   5.2   8.4(2)       12.2(18)SXD7 Ok
> >   6  000a.b818.bd50 to 000a.b818.bd53   5.3   8.4(2)       12.2(18)SXD7 Ok
> >   8  001b.539c.7850 to 001b.539c.7857   6.3   7.2(1)       5.0(2)       Ok
> >
> > Mod Sub-Module                  Model              Serial       Hw     Status
> > --- --------------------------- ------------------ ------------ ------- -------
> >   1 Centralized Forwarding Card WS-F6700-CFC       SAD111803XG  3.1    Ok
> >   4 Centralized Forwarding Card WS-F6700-CFC       SAD1118077G  3.1    Ok
> >   5 Policy Feature Card 3       WS-F6K-PFC3B       SAL1020NHC9  2.3    Ok
> >   5 MSFC3 Daughterboard         WS-SUP720          SAL1021NQN1  2.5    Ok
> >   6 Policy Feature Card 3       WS-F6K-PFC3B       SAD1116028L  2.3    Ok
> >   6 MSFC3 Daughterboard         WS-SUP720          SAD111705WV  2.6    Ok
> >   8 IDS 2 accelerator board     WS-SVC-IDSUPG      ADBG70701445 2.5    Ok
> >
> > Mod Online Diag Status
> > --- -------------------
> >   1 Pass
> >   3 Pass
> >   4 Pass
> >   5 Pass
> >   6 Pass
> >   8 Pass
> >
> >
> > On Thu, Dec 3, 2009 at 12:02 PM, Dale Shaw <dale.shaw_at_gmail.com> wrote:
> >
> >> Hi,
> >>
> >> On Thu, Dec 3, 2009 at 7:20 PM, olumayokun fowowe <olumayokun_at_gmail.com> wrote:
> >> >
> >> > I noticed something strange recently. I don't know if anybody can help
> >> > me with an explanation. The connection between the two Catalyst 6509
> >> > switches is routed and I have a number of SVIs on both switches (the SVIs
> >> > serve as gateway for a number of VLANs). I have a GRE over IPsec tunnel
> >> > across the routed interfaces of the Catalyst switches. Everything works
> >> > fine if traffic is passing over the routed interfaces and not the tunnels.
> >> > However, if I force the traffic to pass across the tunnel, the SVIs become
> >> > unreachable from both sides but the end devices are reachable. A show
> >> > command confirms that the traffic is being encrypted.
> >>
> >> Could it just be that the crypto processing is being performed by the
> >> RP, instead of in hardware (as it will be for forwarding of plain text
> >> traffic), and it's crippling the systems? It doesn't exactly match
> >> your symptoms, but it's one possible theory. You're not doing any
> >> bridging over the SVIs, are you?
> >>
> >> 1. post hardware configuration ("sh module")
> >> 2. post relevant portions of IOS configuration, and IOS version information
> >> 3. do what you can to help us to help you. we're not magicians.
> >>
> >> cheers,
> >> Dale
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html

Received on Fri Dec 04 2009 - 00:58:27 ART

This archive was generated by hypermail 2.2.0 : Sat Jan 02 2010 - 11:11:07 ART