IEOC CCIE Forums
Latest post 03-16-2017 5:50 AM by Pseudocyber. 1 replies.
  • 03-16-2017 5:35 AM

    VTI tunnel not passing traffic, but BGP works?

    I'm trying to pass traffic from router 1 to router 6 via VPN tunnel between routers 3 and 5, so that traffic flow "bypasses" R4.

    VPN tunnels are up, BGP routing looks good, learning routes and no recursive routing. Limiting BGP advertisements with prefix-lists.

    PROBLEM: I cannot ping 6.6.6.6 from R2, and vice versa. Routing looks fine, but traffic does not pass through VPN tunnel - "show crypto ipsec | i encap|decap" does not show encapsulations increasing during continuous ping.

    I have 6 routers in GNS3 all running 15.2. They're in a straight line, 1-2-3-4-5-6.

    Routers 3-4 are BGP peers.

    Routers 3-5 are IPSEC VPN tunnel endpoints with VTI. They're BGP peers inside the tunnel.

    Routers 1,2,3 are in an EIGRP AS, redistributing into/from BGP on router 3.

    R5 0/0 to R4, and R6 0/0 to R5.

    All routers have L0 1.1.1.1/32 on 1, 2.2.2.2 on 2 and so on. Between routers, 2nd octet is low router/high router, and 4th is router. So between routers 1 and 2 is 10.12.0.0/24 and R1 is .1 and R2 is .2 and so on.

    Router1

    R1#sib
    Interface              IP-Address      OK? Method Status                Protocol
    GigabitEthernet1/0     unassigned      YES NVRAM  up                    up
    GigabitEthernet1/0.1   10.0.0.1        YES NVRAM  up                    up
    GigabitEthernet1/0.12  10.12.0.1       YES manual up                    up
    Loopback0              1.1.1.1         YES manual up                    up
    R1#sir
    Gateway of last resort is not set

          1.0.0.0/32 is subnetted, 1 subnets
    C        1.1.1.1 is directly connected, Loopback0
          2.0.0.0/32 is subnetted, 1 subnets
    D        2.2.2.2 [90/130816] via 10.12.0.2, 01:44:53, GigabitEthernet1/0.12
          3.0.0.0/32 is subnetted, 1 subnets
    D        3.3.3.3 [90/131072] via 10.12.0.2, 01:43:36, GigabitEthernet1/0.12
          5.0.0.0/32 is subnetted, 1 subnets
    D EX     5.5.5.5 [170/3328] via 10.12.0.2, 01:22:30, GigabitEthernet1/0.12
          6.0.0.0/32 is subnetted, 1 subnets
    D EX     6.6.6.6 [170/3328] via 10.12.0.2, 01:22:56, GigabitEthernet1/0.12
          10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
    C        10.0.0.0/24 is directly connected, GigabitEthernet1/0.1
    L        10.0.0.1/32 is directly connected, GigabitEthernet1/0.1
    C        10.12.0.0/24 is directly connected, GigabitEthernet1/0.12
    L        10.12.0.1/32 is directly connected, GigabitEthernet1/0.12
    D        10.23.0.0/24 [90/3072] via 10.12.0.2, 01:44:21, GigabitEthernet1/0.12
    D EX     10.56.0.0/24
               [170/3328] via 10.12.0.2, 01:33:20, GigabitEthernet1/0.12
    R1#sh ip eigrp int
    EIGRP-IPv4 Interfaces for AS(250)
                                  Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
    Interface              Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
    Gi1/0.12                 1        0/0       0/0          59       0/0          240           0
    Lo0                      0        0/0       0/0           0       0/0            0           0
    R1#sh ip eigrp top
    P 5.5.5.5/32, 1 successors, FD is 3328, tag is 65000
            via 10.12.0.2 (3328/3072), GigabitEthernet1/0.12
    P 10.56.0.0/24, 1 successors, FD is 3328, tag is 65000
            via 10.12.0.2 (3328/3072), GigabitEthernet1/0.12
    P 2.2.2.2/32, 1 successors, FD is 130816
            via 10.12.0.2 (130816/128256), GigabitEthernet1/0.12
    P 6.6.6.6/32, 1 successors, FD is 3328, tag is 65000
            via 10.12.0.2 (3328/3072), GigabitEthernet1/0.12
    P 3.3.3.3/32, 1 successors, FD is 131072
            via 10.12.0.2 (131072/130816), GigabitEthernet1/0.12
    P 10.23.0.0/24, 1 successors, FD is 3072
            via 10.12.0.2 (3072/2816), GigabitEthernet1/0.12
    P 10.12.0.0/24, 1 successors, FD is 2816
            via Connected, GigabitEthernet1/0.12
    P 1.1.1.1/32, 1 successors, FD is 128256
            via Connected, Loopback0
    R1#sh run
    interface Loopback0
     ip address 1.1.1.1 255.255.255.255
    !
    interface GigabitEthernet1/0
     no ip address
     negotiation auto
    !
    interface GigabitEthernet1/0.1
     encapsulation dot1Q 1 native
     ip address 10.0.0.1 255.255.255.0
    !
    interface GigabitEthernet1/0.12
     encapsulation dot1Q 12
     ip address 10.12.0.1 255.255.255.0
    !
    router eigrp 250
     network 1.1.1.1 0.0.0.0
     network 10.12.0.0 0.0.0.255
    !
    R1#

    Router2

    R2#sh ip route
          1.0.0.0/32 is subnetted, 1 subnets
    D        1.1.1.1 [90/130816] via 10.12.0.1, 01:20:40, GigabitEthernet1/0.12
          2.0.0.0/32 is subnetted, 1 subnets
    C        2.2.2.2 is directly connected, Loopback0
          3.0.0.0/32 is subnetted, 1 subnets
    D        3.3.3.3 [90/130816] via 10.23.0.3, 01:19:11, GigabitEthernet1/0.23
          5.0.0.0/32 is subnetted, 1 subnets
    D EX     5.5.5.5 [170/3072] via 10.23.0.3, 00:58:01, GigabitEthernet1/0.23
          6.0.0.0/32 is subnetted, 1 subnets
    D EX     6.6.6.6 [170/3072] via 10.23.0.3, 00:58:28, GigabitEthernet1/0.23
          10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
    C        10.0.0.0/24 is directly connected, GigabitEthernet1/0.1
    L        10.0.0.2/32 is directly connected, GigabitEthernet1/0.1
    C        10.12.0.0/24 is directly connected, GigabitEthernet1/0.12
    L        10.12.0.2/32 is directly connected, GigabitEthernet1/0.12
    C        10.23.0.0/24 is directly connected, GigabitEthernet1/0.23
    L        10.23.0.2/32 is directly connected, GigabitEthernet1/0.23
    D EX     10.56.0.0/24
               [170/3072] via 10.23.0.3, 01:08:55, GigabitEthernet1/0.23
    R2#sib
    Interface              IP-Address      OK? Method Status                Protocol
    GigabitEthernet1/0     unassigned      YES NVRAM  up                    up
    GigabitEthernet1/0.1   10.0.0.2        YES NVRAM  up                    up
    GigabitEthernet1/0.12  10.12.0.2       YES manual up                    up
    GigabitEthernet1/0.23  10.23.0.2       YES manual up                    up
    Loopback0              2.2.2.2         YES manual up                    up

    Router3

    R3#sib
    Interface              IP-Address      OK? Method Status                Protocol
    GigabitEthernet1/0     unassigned      YES NVRAM  up                    up
    GigabitEthernet1/0.1   10.0.0.3        YES NVRAM  up                    up
    GigabitEthernet1/0.23  10.23.0.3       YES manual up                    up
    GigabitEthernet1/0.34  10.34.0.3       YES manual up                    up
    Loopback0              3.3.3.3         YES manual up                    up
    Tunnel0                192.168.35.3    YES manual up                    up
    R3#sh ip route
    Gateway of last resort is not set

          1.0.0.0/32 is subnetted, 1 subnets
    D        1.1.1.1 [90/131072] via 10.23.0.2, 01:28:41, GigabitEthernet1/0.23
          2.0.0.0/32 is subnetted, 1 subnets
    D        2.2.2.2 [90/130816] via 10.23.0.2, 01:28:41, GigabitEthernet1/0.23
          3.0.0.0/32 is subnetted, 1 subnets
    C        3.3.3.3 is directly connected, Loopback0
          5.0.0.0/32 is subnetted, 1 subnets
    B        5.5.5.5 [20/0] via 192.168.35.5, 01:03:42
          6.0.0.0/32 is subnetted, 1 subnets
    B        6.6.6.6 [20/0] via 192.168.35.5, 01:04:12
          10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
    C        10.0.0.0/24 is directly connected, GigabitEthernet1/0.1
    L        10.0.0.3/32 is directly connected, GigabitEthernet1/0.1
    D        10.12.0.0/24 [90/3072] via 10.23.0.2, 01:28:41, GigabitEthernet1/0.23
    C        10.23.0.0/24 is directly connected, GigabitEthernet1/0.23
    L        10.23.0.3/32 is directly connected, GigabitEthernet1/0.23
    C        10.34.0.0/24 is directly connected, GigabitEthernet1/0.34
    L        10.34.0.3/32 is directly connected, GigabitEthernet1/0.34
    B        10.45.0.0/24 [20/0] via 10.34.0.4, 01:49:09
    B        10.56.0.0/24 [20/0] via 192.168.35.5, 01:34:55
          192.168.35.0/24 is variably subnetted, 2 subnets, 2 masks
    C        192.168.35.0/24 is directly connected, Tunnel0
    L        192.168.35.3/32 is directly connected, Tunnel0
    R3#sh run
    Building configuration...

    hostname R3
    !
    ip tcp synwait-time 5
    !
    policy-map CSRPAR
     class class-default
      shape average 12800
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key xxxxxxxxxxx address 0.0.0.0
    crypto isakmp keepalive 10
    !
    crypto ipsec transform-set TSET1 esp-3des esp-sha-hmac
     mode tunnel
    !
    crypto ipsec profile VTI
     set transform-set TSET1
    !
    interface Loopback0
     ip address 3.3.3.3 255.255.255.255
    !
    interface Tunnel0
     ip address 192.168.35.3 255.255.255.0
     ip access-group LOG in
     ip access-group LOG out
     tunnel source 10.34.0.3
     tunnel mode ipsec ipv4
     tunnel destination 10.45.0.5
     tunnel protection ipsec profile VTI
    !
    interface GigabitEthernet1/0.1
     encapsulation dot1Q 1 native
     ip address 10.0.0.3 255.255.255.0
    !
    interface GigabitEthernet1/0.23
     encapsulation dot1Q 23
     ip address 10.23.0.3 255.255.255.0
     ip access-group LOG in
    !
    interface GigabitEthernet1/0.34
     encapsulation dot1Q 34
     ip address 10.34.0.3 255.255.255.0
    !
    router eigrp 250
     default-metric 1000000 1 255 1 1500
     network 3.3.3.3 0.0.0.0
     network 10.23.0.0 0.0.0.255
     redistribute bgp 18903 route-map RM_BGP->EIGRP
    !
    router bgp 18903
     bgp log-neighbor-changes
     network 10.34.0.0 mask 255.255.255.0
     redistribute eigrp 250 route-map RM_EIGRP->BGP
     neighbor 10.34.0.4 remote-as 7224
     neighbor 10.34.0.4 description AWS
     neighbor 10.34.0.4 soft-reconfiguration inbound
     neighbor 10.34.0.4 prefix-list PL-BGP-AWS-AD out
     neighbor 192.168.35.5 remote-as 65000
     neighbor 192.168.35.5 description CSR
     neighbor 192.168.35.5 soft-reconfiguration inbound
     neighbor 192.168.35.5 prefix-list PL-BGP-CSR-AD out
    !
    ip access-list extended LOG
     permit ip any any log
    !
    ip prefix-list PL-BGP-AWS-AD seq 5 permit 10.34.0.0/24
    !
    ip prefix-list PL-BGP-CSR-AD seq 5 permit 10.23.0.0/24
    ip prefix-list PL-BGP-CSR-AD seq 10 permit 10.12.0.0/24
    ip prefix-list PL-BGP-CSR-AD seq 15 permit 0.0.0.0/0 ge 32
    !
    ip prefix-list PL_BGP->EIGRP seq 5 permit 0.0.0.0/0 ge 32
    ip prefix-list PL_BGP->EIGRP seq 10 permit 10.56.0.0/24
    !
    ip prefix-list PL_EIGRP->BGP seq 5 permit 10.12.0.0/24
    ip prefix-list PL_EIGRP->BGP seq 10 permit 10.23.0.0/24
    ip prefix-list PL_EIGRP->BGP seq 15 permit 0.0.0.0/0 ge 32
    access-list 100 permit ip any host 6.6.6.6
    access-list 100 permit ip host 6.6.6.6 any
    !
    route-map RM_EIGRP->BGP permit 10
     match ip address prefix-list PL_EIGRP->BGP
    !
    route-map RM_BGP->EIGRP permit 10
     match ip address prefix-list PL_BGP->EIGRP
    !
    end

    R3#sh ip bgp sum
    Neighbor        V          AS MsgRcvd MsgSent  TblVer  InQ OutQ Up/Down  State/PfxRcd
    10.34.0.4       4        7224     119     131      11    0    0 01:50:45        1
    192.168.35.5    4       65000     116     116      11    0    0 01:36:34        3
    R3#sh ip bgp neigh 192.168.35.5 advertised-routes
        Network          Next Hop            Metric LocPrf Weight Path
    *>  1.1.1.1/32       10.23.0.2           131072         32768 ?
    *>  2.2.2.2/32       10.23.0.2           130816         32768 ?
    *>  3.3.3.3/32       0.0.0.0                  0         32768 ?
    *>  10.12.0.0/24     10.23.0.2             3072         32768 ?
    *>  10.23.0.0/24     0.0.0.0                  0         32768 ?

    Total number of prefixes 5
    R3#sh ip bgp neigh 192.168.35.5 received-routes
        Network          Next Hop            Metric LocPrf Weight Path
    *>  5.5.5.5/32       192.168.35.5             0             0 65000 i
    *>  6.6.6.6/32       192.168.35.5             0             0 65000 i
    *>  10.56.0.0/24     192.168.35.5             0             0 65000 i

    Total number of prefixes 3
    R3#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    10.34.0.3       10.45.0.5       QM_IDLE           1001 ACTIVE

    IPv6 Crypto ISAKMP SA

    R3#sh crypto ipsec sa

    interface: Tunnel0
        Crypto map tag: Tunnel0-head-0, local addr 10.34.0.3

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
       remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
       current_peer 10.45.0.5 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 356, #pkts encrypt: 356, #pkts digest: 356
        #pkts decaps: 314, #pkts decrypt: 314, #pkts verify: 314
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 10.34.0.3, remote crypto endpt.: 10.45.0.5
         path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1/0.34
         current outbound spi: 0x462B5D66(1177247078)
         PFS (Y/N): N, DH group: none

         inbound esp sas:
          spi: 0x8DA34CDE(2376289502)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 3, flow_id: 3, sibling_flags 80004040, crypto map: Tunnel0-head-0
            sa timing: remaining key lifetime (k/sec): (4279385/475)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE(ACTIVE)

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0x462B5D66(1177247078)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 4, flow_id: 4, sibling_flags 80004040, crypto map: Tunnel0-head-0
            sa timing: remaining key lifetime (k/sec): (4279383/475)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE(ACTIVE)

         outbound ah sas:

         outbound pcp sas:
    R3#sh cyrpto ses
              ^
    % Invalid input detected at '^' marker.

    R3#sh crypto ses
    Crypto session current status

    Interface: Tunnel0
    Session status: UP-ACTIVE
    Peer: 10.45.0.5 port 500
      IKEv1 SA: local 10.34.0.3/500 remote 10.45.0.5/500 Active
      IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
            Active SAs: 2, origin: crypto map

    Router4

    R4#sib
    Interface              IP-Address      OK? Method Status                Protocol
    GigabitEthernet1/0     unassigned      YES NVRAM  up                    up
    GigabitEthernet1/0.1   10.0.0.4        YES NVRAM  up                    up
    GigabitEthernet1/0.34  10.34.0.4       YES manual up                    up
    GigabitEthernet1/0.45  10.45.0.4       YES manual up                    up
    Loopback0              4.4.4.4         YES manual up                    up
    R4#sh ip bgp sum
    Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    10.34.0.3       4        18903     141     128        3    0    0 01:51:29        1
    R4#sh ip bgp
         Network          Next Hop            Metric LocPrf Weight Path
     r>  10.34.0.0/24     10.34.0.3                0             0 18903 i
     *>  10.45.0.0/24     0.0.0.0                  0         32768 i
    R4#sh ip route
    Gateway of last resort is not set

          4.0.0.0/32 is subnetted, 1 subnets
    C        4.4.4.4 is directly connected, Loopback0
          10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
    C        10.0.0.0/24 is directly connected, GigabitEthernet1/0.1
    L        10.0.0.4/32 is directly connected, GigabitEthernet1/0.1
    C        10.34.0.0/24 is directly connected, GigabitEthernet1/0.34
    L        10.34.0.4/32 is directly connected, GigabitEthernet1/0.34
    C        10.45.0.0/24 is directly connected, GigabitEthernet1/0.45
    L        10.45.0.4/32 is directly connected, GigabitEthernet1/0.45
    R4#sh run
    Building configuration...

    policy-map FOO
     class class-default

    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key VPNKEY1 address 0.0.0.0
    crypto isakmp keepalive 10
    !
    crypto ipsec transform-set TSET esp-3des esp-sha-hmac
     mode tunnel
    !
    crypto ipsec profile VTI
     set transform-set TSET
    !
    interface Loopback0
     ip address 4.4.4.4 255.255.255.255
    !
    interface GigabitEthernet1/0
     no ip address
     negotiation auto
    !
    interface GigabitEthernet1/0.1
     encapsulation dot1Q 1 native
     ip address 10.0.0.4 255.255.255.0
    !
    interface GigabitEthernet1/0.34
     encapsulation dot1Q 34
     ip address 10.34.0.4 255.255.255.0
    !
    interface GigabitEthernet1/0.45
     encapsulation dot1Q 45
     ip address 10.45.0.4 255.255.255.0
    !
    router bgp 7224
     bgp log-neighbor-changes
     network 10.45.0.0 mask 255.255.255.0
     neighbor 10.34.0.3 remote-as 18903
     neighbor 10.34.0.3 description LENDINGTREE
     neighbor 10.34.0.3 soft-reconfiguration inbound
    !
    ip prefix-list PL_CSR_VPN_ADVERTISE seq 5 permit 4.4.4.4/32
    ip prefix-list PL_CSR_VPN_ADVERTISE seq 10 permit 172.18.0.0/16 le 32
    !
    R4#

    Router5

    R5#sib
    Interface              IP-Address      OK? Method Status                Protocol
    GigabitEthernet1/0     unassigned      YES NVRAM  up                    up
    GigabitEthernet1/0.1   10.0.0.5        YES NVRAM  up                    up
    GigabitEthernet1/0.45  10.45.0.5       YES manual up                    up
    GigabitEthernet1/0.56  10.56.0.5       YES manual up                    up
    Loopback0              5.5.5.5         YES manual up                    up
    Tunnel0                192.168.35.5    YES manual up                    up
    R5#sir
    Gateway of last resort is 10.45.0.4 to network 0.0.0.0

    S*    0.0.0.0/0 [1/0] via 10.45.0.4
          1.0.0.0/32 is subnetted, 1 subnets
    B        1.1.1.1 [20/131072] via 192.168.35.3, 01:36:48
          2.0.0.0/32 is subnetted, 1 subnets
    B        2.2.2.2 [20/130816] via 192.168.35.3, 01:36:48
          3.0.0.0/32 is subnetted, 1 subnets
    B        3.3.3.3 [20/0] via 192.168.35.3, 01:36:48
          5.0.0.0/32 is subnetted, 1 subnets
    C        5.5.5.5 is directly connected, Loopback0
          6.0.0.0/32 is subnetted, 1 subnets
    S        6.6.6.6 [1/0] via 10.56.0.6
          10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
    C        10.0.0.0/24 is directly connected, GigabitEthernet1/0.1
    L        10.0.0.5/32 is directly connected, GigabitEthernet1/0.1
    B        10.12.0.0/24 [20/3072] via 192.168.35.3, 01:36:48
    B        10.23.0.0/24 [20/0] via 192.168.35.3, 01:39:00
    C        10.45.0.0/24 is directly connected, GigabitEthernet1/0.45
    L        10.45.0.5/32 is directly connected, GigabitEthernet1/0.45
    C        10.56.0.0/24 is directly connected, GigabitEthernet1/0.56
    L        10.56.0.5/32 is directly connected, GigabitEthernet1/0.56
          192.168.35.0/24 is variably subnetted, 2 subnets, 2 masks
    C        192.168.35.0/24 is directly connected, Tunnel0
    L        192.168.35.5/32 is directly connected, Tunnel0
    R5#sh ip bgp sum
    Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    192.168.35.3    4        18903     131     131        9    0    0 01:49:12        5
    R5#sh ip bgp
         Network          Next Hop            Metric LocPrf Weight Path
     *>  1.1.1.1/32       192.168.35.3        131072             0 18903 ?
     *>  2.2.2.2/32       192.168.35.3        130816             0 18903 ?
     *>  3.3.3.3/32       192.168.35.3             0             0 18903 ?
     *>  5.5.5.5/32       0.0.0.0                  0         32768 i
     *>  6.6.6.6/32       10.56.0.6                0         32768 i
     *>  10.12.0.0/24     192.168.35.3          3072             0 18903 ?
     *>  10.23.0.0/24     192.168.35.3             0             0 18903 ?
     *>  10.56.0.0/24     0.0.0.0                  0         32768 i
    R5#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    10.34.0.3       10.45.0.5       QM_IDLE           1001 ACTIVE

    IPv6 Crypto ISAKMP SA

    R5#sh crypto ipsec sa

    interface: Tunnel0
        Crypto map tag: Tunnel0-head-0, local addr 10.45.0.5

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
       remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
       current_peer 10.34.0.3 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 330, #pkts encrypt: 330, #pkts digest: 330
        #pkts decaps: 372, #pkts decrypt: 372, #pkts verify: 372
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 10.45.0.5, remote crypto endpt.: 10.34.0.3
         path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1/0.45
         current outbound spi: 0xB2DEB323(3000939299)
         PFS (Y/N): N, DH group: none

         inbound esp sas:
          spi: 0x15CAFC09(365624329)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 5, flow_id: 5, sibling_flags 80000040, crypto map: Tunnel0-head-0
            sa timing: remaining key lifetime (k/sec): (4358339/3561)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE(ACTIVE)

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0xB2DEB323(3000939299)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 6, flow_id: 6, sibling_flags 80000040, crypto map: Tunnel0-head-0
            sa timing: remaining key lifetime (k/sec): (4358339/3561)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE(ACTIVE)

         outbound ah sas:

         outbound pcp sas:
    R5#sh crypto ses
    Crypto session current status

    Interface: Tunnel0
    Session status: UP-ACTIVE
    Peer: 10.34.0.3 port 500
      IKEv1 SA: local 10.45.0.5/500 remote 10.34.0.3/500 Active
      IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
            Active SAs: 2, origin: crypto map

    R5#sh run
    Building configuration...

    !
    policy-map CSRPAR
     class class-default
      shape average 12800
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key xxxxxxxxxxxxxx address 0.0.0.0
    crypto isakmp keepalive 10
    !
    crypto ipsec transform-set TSET1 esp-3des esp-sha-hmac
     mode tunnel
    !
    crypto ipsec profile VTI
     set transform-set TSET1
    !
    interface Loopback0
     ip address 5.5.5.5 255.255.255.255
    !
    interface Tunnel0
     ip address 192.168.35.5 255.255.255.0
     ip access-group LOG in
     ip access-group LOG out
     tunnel source 10.45.0.5
     tunnel mode ipsec ipv4
     tunnel destination 10.34.0.3
     tunnel protection ipsec profile VTI
    !
    interface GigabitEthernet1/0
     no ip address
     negotiation auto
    !
    interface GigabitEthernet1/0.1
     encapsulation dot1Q 1 native
     ip address 10.0.0.5 255.255.255.0
    !
    interface GigabitEthernet1/0.45
     encapsulation dot1Q 45
     ip address 10.45.0.5 255.255.255.0
    !
    interface GigabitEthernet1/0.56
     encapsulation dot1Q 56
     ip address 10.56.0.5 255.255.255.0
    !
    router bgp 65000
     bgp log-neighbor-changes
     network 5.5.5.5 mask 255.255.255.255
     network 6.6.6.6 mask 255.255.255.255
     network 10.56.0.0 mask 255.255.255.0
     neighbor 192.168.35.3 remote-as 18903
     neighbor 192.168.35.3 description xx_VPN
     neighbor 192.168.35.3 soft-reconfiguration inbound
     neighbor 192.168.35.3 prefix-list PL-BGP-xx-AD out
    !
    ip route 0.0.0.0 0.0.0.0 10.45.0.4 name DEFAULT
    ip route 6.6.6.6 255.255.255.255 10.56.0.6
    !
    ip access-list extended LOG
     permit ip any any
    !
    ip prefix-list PL-BGP-XX-AD seq 5 permit 10.56.0.0/24
    ip prefix-list PL-BGP-XX-AD seq 10 permit 0.0.0.0/0 ge 32
    access-list 100 permit ip any host 6.6.6.6
    access-list 100 permit ip host 6.6.6.6 any
    !

    Router6

    term len 0
    R6#sib
    Interface              IP-Address      OK? Method Status                Protocol
    GigabitEthernet1/0     unassigned      YES NVRAM  up                    up
    GigabitEthernet1/0.1   10.0.0.6        YES NVRAM  up                    up
    GigabitEthernet1/0.56  10.56.0.6       YES manual up                    up
    Loopback0              6.6.6.6         YES manual up                    up
    R6#sir
    Gateway of last resort is 10.56.0.5 to network 0.0.0.0

    S*    0.0.0.0/0 [1/0] via 10.56.0.5
          6.0.0.0/32 is subnetted, 1 subnets
    C        6.6.6.6 is directly connected, Loopback0
          10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
    C        10.0.0.0/24 is directly connected, GigabitEthernet1/0.1
    L        10.0.0.6/32 is directly connected, GigabitEthernet1/0.1
    C        10.56.0.0/24 is directly connected, GigabitEthernet1/0.56
    L        10.56.0.6/32 is directly connected, GigabitEthernet1/0.56
    R6#sh ip proto
    *** IP Routing is NSF aware ***

    R6#
    interface Loopback0
     ip address 6.6.6.6 255.255.255.255
    !
    interface GigabitEthernet1/0
     no ip address
     negotiation auto
    !
    interface GigabitEthernet1/0.1
     encapsulation dot1Q 1 native
     ip address 10.0.0.6 255.255.255.0
    !
    interface GigabitEthernet1/0.56
     encapsulation dot1Q 56
     ip address 10.56.0.6 255.255.255.0
    !
    ip route 0.0.0.0 0.0.0.0 10.56.0.5
    !
    R6#

    CCNA, CCNP, CCIE Candidate R&S May '14 and a bunch of "other" certs.

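As an added illustration that is not part of the post above, the evaluator below models Cisco `ip prefix-list` semantics (first match wins, implicit deny, `ge`/`le` length bounds) and applies R3's `PL-BGP-CSR-AD` list to the prefixes in R3's BGP table; it reproduces the five prefixes shown in the `advertised-routes` output and makes explicit that `0.0.0.0/0 ge 32` admits any /32 host route, not just the three loopbacks. The list of candidate prefixes is an assumption taken from R3's routing and BGP output.

```python
# Added example (not from the thread): evaluate Cisco-style "ip prefix-list"
# entries against candidate prefixes to show which of R3's BGP prefixes pass
# the outbound list PL-BGP-CSR-AD toward R5 (192.168.35.5).
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One "ip prefix-list NAME seq N permit|deny A.B.C.D/L [ge X] [le Y]" line.
ENTRY_RE = re.compile(
    r"ip prefix-list (?P<name>\S+) seq (?P<seq>\d+) (?P<action>permit|deny) "
    r"(?P<net>\d+\.\d+\.\d+\.\d+)/(?P<len>\d+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?"
)


@dataclass
class Entry:
    seq: int
    action: str
    network: ipaddress.IPv4Network
    ge: Optional[int]
    le: Optional[int]

    def matches(self, prefix: ipaddress.IPv4Network) -> bool:
        # Rule 1: the candidate's first `network.prefixlen` bits must equal the
        # entry's network, i.e. the candidate lies inside it.
        if not prefix.subnet_of(self.network):
            return False
        # Rule 2: the candidate's mask length must satisfy ge/le. Without either
        # keyword the length has to equal the entry's own length; "ge 32" with no
        # "le" means exactly /32, and on 0.0.0.0/0 that is *every* host route.
        low = self.ge if self.ge is not None else self.network.prefixlen
        if self.le is not None:
            high = self.le
        else:
            high = 32 if self.ge is not None else self.network.prefixlen
        return low <= prefix.prefixlen <= high


def parse_prefix_list(config: str, name: str) -> List[Entry]:
    """Collect the entries of one named prefix-list from running-config text."""
    entries = []
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m and m["name"] == name:
            entries.append(Entry(
                seq=int(m["seq"]),
                action=m["action"],
                network=ipaddress.ip_network(f"{m['net']}/{m['len']}", strict=False),
                ge=int(m["ge"]) if m["ge"] else None,
                le=int(m["le"]) if m["le"] else None,
            ))
    return sorted(entries, key=lambda e: e.seq)


def evaluate(entries: List[Entry], prefix: str) -> Tuple[str, Optional[int]]:
    """First matching entry wins; an unmatched prefix hits the implicit deny."""
    candidate = ipaddress.ip_network(prefix)
    for e in entries:
        if e.matches(candidate):
            return e.action, e.seq
    return "deny", None


# R3's outbound list toward the CSR peer, copied from the post's running-config.
R3_CONFIG = """
ip prefix-list PL-BGP-CSR-AD seq 5 permit 10.23.0.0/24
ip prefix-list PL-BGP-CSR-AD seq 10 permit 10.12.0.0/24
ip prefix-list PL-BGP-CSR-AD seq 15 permit 0.0.0.0/0 ge 32
"""

# Assumed candidate set: prefixes R3 holds in BGP from sources other than R5
# (redistributed EIGRP routes, its own "network" statement, and R4's route).
R3_BGP_PREFIXES = ["1.1.1.1/32", "2.2.2.2/32", "3.3.3.3/32", "10.12.0.0/24",
                   "10.23.0.0/24", "10.34.0.0/24", "10.45.0.0/24"]


def advertised_to_csr() -> List[str]:
    """Prefixes PL-BGP-CSR-AD lets through; compare with the post's
    'sh ip bgp neigh 192.168.35.5 advertised-routes' (Total number of prefixes 5)."""
    entries = parse_prefix_list(R3_CONFIG, "PL-BGP-CSR-AD")
    return [p for p in R3_BGP_PREFIXES if evaluate(entries, p)[0] == "permit"]


if __name__ == "__main__":
    entries = parse_prefix_list(R3_CONFIG, "PL-BGP-CSR-AD")
    for p in R3_BGP_PREFIXES:
        action, seq = evaluate(entries, p)
        where = f"seq {seq}" if seq is not None else "implicit deny"
        print(f"{p:16} {action:6} ({where})")
```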
  • 03-16-2017 5:50 AM In reply to

    Re: VTI tunnel not passing traffic, but BGP works?

    I changed the tunnel to GRE, and routing works fine between routers 1 and 6.

    R3#conf t
    R3(config-if)#no tunnel mode ipsec ipv4
    R3(config-if)#tu mode gre ip
    *Mar 16 08:27:20.491: %CRYPTO-6-ISAKMP_MANUAL_DELETE: IKE SA manually deleted. Do 'clear crypto sa peer 10.45.0.5' to manually clear IPSec SA's covered by this IKE SA.
    R3(config-if)#clear crypto sa peer 10.45.0.5

    R5#conf t
    R5(config)#int tu0
    R5(config-if)#tunnel mode gre ip
    R5(config-if)#exit
    R5(config)#exit
    R5#clear crypto sa peer 10.34.0.3

    R6#ping 1.1.1.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 84/100/112 ms
    R6#

    R1#ping 6.6.6.6
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 100/108/128 ms
    R1#

    CCNA, CCNP, CCIE Candidate R&S May '14 and a bunch of "other" certs.

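The diagnostic both posts rely on is whether the `#pkts encaps` / `#pkts decaps` counters in `show crypto ipsec sa` move while a ping crosses the tunnel. As an added example that is not from the thread, the script below parses two such captures taken around a 5-packet ping and classifies the SA as forwarding, one-way, or not encapsulating; the "before" capture is trimmed from R3's output in the first post, and both "after" captures are constructed.

```python
# Added example (not from the thread): diff two captures of
# "show crypto ipsec sa" taken just before and just after a ping, and report
# whether the #pkts encaps/decaps counters moved for each peer.
import re
from typing import Dict

PEER_RE = re.compile(r"current_peer (\S+) port \d+")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_sa_counters(output: str) -> Dict[str, Dict[str, int]]:
    """Return {peer: {"encaps": n, "decaps": n}} from one capture of the command."""
    peers: Dict[str, Dict[str, int]] = {}
    current = None
    for line in output.splitlines():
        m = PEER_RE.search(line)
        if m:
            current = m.group(1)
            peers.setdefault(current, {})
            continue
        m = COUNTER_RE.search(line)
        if m and current is not None:
            peers[current][m.group(1)] = int(m.group(2))
    return peers


def tunnel_verdict(before: str, after: str, sent: int = 5) -> Dict[str, str]:
    """Classify each peer by how its counters changed across a `sent`-packet ping.

    BGP keepalives and IKE keepalives also tick these counters (the tunnel in the
    post carried 356 encaps with no transit traffic at all), so the two captures
    must bracket the ping tightly or slow protocol chatter looks like forwarding.
    """
    b, a = parse_sa_counters(before), parse_sa_counters(after)
    verdicts = {}
    for peer, cur in a.items():
        prev = b.get(peer, {"encaps": 0, "decaps": 0})
        d_enc = cur.get("encaps", 0) - prev.get("encaps", 0)
        d_dec = cur.get("decaps", 0) - prev.get("decaps", 0)
        if d_enc < sent:
            # Echoes never reached the SA: routing, CEF adjacency or the tunnel
            # interface itself is not handing transit packets to IPsec.
            verdicts[peer] = "not encapsulating: transit traffic never reaches the SA"
        elif d_dec < sent:
            verdicts[peer] = "one-way: echoes encrypted out, no replies decrypted"
        else:
            verdicts[peer] = "forwarding"
    return verdicts


# Counters from R3's capture in the post, trimmed to the lines the parser needs.
R3_BEFORE = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.34.0.3
   current_peer 10.45.0.5 port 500
    #pkts encaps: 356, #pkts encrypt: 356, #pkts digest: 356
    #pkts decaps: 314, #pkts decrypt: 314, #pkts verify: 314
"""

# Constructed follow-up capture reproducing the reported symptom: a 5-packet
# ping was sent through the VTI, yet the counters did not move.
R3_AFTER_STUCK = R3_BEFORE

# Constructed follow-up capture for the healthy case: 5 echoes out, 5 replies in.
R3_AFTER_OK = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.34.0.3
   current_peer 10.45.0.5 port 500
    #pkts encaps: 361, #pkts encrypt: 361, #pkts digest: 361
    #pkts decaps: 319, #pkts decrypt: 319, #pkts verify: 319
"""


if __name__ == "__main__":
    print("stuck  :", tunnel_verdict(R3_BEFORE, R3_AFTER_STUCK))
    print("healthy:", tunnel_verdict(R3_BEFORE, R3_AFTER_OK))
```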