
IPSEC VTI won't route
Hi everyone,
Just trying to lab a simple IPSEC VTI tunnel in GNS3. The tunnel is up, but it just won't route. In an attempt to simplify, I even took out simple EIGRP and put in static routing, and it still won't route across the tunnel. I can't figure it out. Please help.
I have the source and destination interfaces on a point-to-point Ethernet connection between routers 2 and 3: 23.0.0.0/24 with .2 on one side and .3 on the other. The tunnel interfaces are 69.69.69.0/24 with .2 and .3.
R2#
R2#sh run | s ip route|isakmp|ipsec|interface
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
mode tunnel
crypto ipsec profile CRYPTO
description VPN_SITE_TO_SITE
set transform-set TSET
set pfs group2
interface Tunnel1
description VPN_TO_PKX
ip address 69.69.69.2 255.255.255.0
tunnel source 23.0.0.2
tunnel mode ipsec ipv4
tunnel destination 23.0.0.3
tunnel bandwidth transmit 25000
tunnel bandwidth receive 25000
tunnel protection ipsec profile CRYPTO
interface FastEthernet0/0
ip address 23.0.0.2 255.255.255.0
speed auto
duplex auto
interface FastEthernet0/1
ip address 10.0.0.2 255.255.255.0
speed auto
duplex auto
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
ip route 10.0.0.0 255.255.0.0 10.0.0.1 name INSIDE
ip route 10.1.0.0 255.255.0.0 69.69.69.3 name TUNNEL
alias exec sir show ip route
R2#
R2#
R2#sh crypto ses
R2#sh crypto session
Crypto session current status
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 23.0.0.3 port 500
IKEv1 SA: local 23.0.0.2/500 remote 23.0.0.3/500 Active
IKEv1 SA: local 23.0.0.2/500 remote 23.0.0.3/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
23.0.0.2        23.0.0.3        QM_IDLE           1001 ACTIVE
23.0.0.3        23.0.0.2        QM_IDLE           1002 ACTIVE
IPv6 Crypto ISAKMP SA
R2#sh crypto ipsec sa
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 23.0.0.2
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 23.0.0.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1484, #pkts encrypt: 1484, #pkts digest: 1484
#pkts decaps: 1333, #pkts decrypt: 1333, #pkts verify: 1333
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 23.0.0.2, remote crypto endpt.: 23.0.0.3
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x7B5CB5EE(2069673454)
PFS (Y/N): Y, DH group: group2
inbound esp sas:
spi: 0xFAFF5987(4211038599)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 9, flow_id: 9, sibling_flags 80000040, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4300118/2524)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x7B5CB5EE(2069673454)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 10, flow_id: 10, sibling_flags 80000040, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4300115/2524)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
R2#
R2#
R2#sh ip int brief | ex unas
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            23.0.0.2        YES manual up                    up
FastEthernet0/1            10.0.0.2        YES manual up                    up
Tunnel1                    69.69.69.2      YES manual up                    up
R2#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type  Interface
Internet  10.0.0.1               127  ca01.43fc.0008  ARPA  FastEthernet0/1
Internet  10.0.0.2                 -  ca02.44ac.0006  ARPA  FastEthernet0/1
Internet  23.0.0.2                 -  ca02.44ac.0008  ARPA  FastEthernet0/0
Internet  23.0.0.3               138  ca03.435c.0008  ARPA  FastEthernet0/0
R2#
R2#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
S 10.0.0.0/16 [1/0] via 10.0.0.1
C 10.0.0.0/24 is directly connected, FastEthernet0/1
L 10.0.0.2/32 is directly connected, FastEthernet0/1
S 10.1.0.0/16 [1/0] via 69.69.69.3
23.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 23.0.0.0/24 is directly connected, FastEthernet0/0
L 23.0.0.2/32 is directly connected, FastEthernet0/0
69.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 69.69.69.0/24 is directly connected, Tunnel1
L 69.69.69.2/32 is directly connected, Tunnel1
R2#
R2#sh ip cef
Prefix Next Hop Interface
0.0.0.0/0 no route
0.0.0.0/8 drop
0.0.0.0/32 receive
10.0.0.0/16 10.0.0.1 FastEthernet0/1
10.0.0.0/24 attached FastEthernet0/1
10.0.0.0/32 receive FastEthernet0/1
10.0.0.1/32 attached FastEthernet0/1
10.0.0.2/32 receive FastEthernet0/1
10.0.0.255/32 receive FastEthernet0/1
10.1.0.0/16 69.69.69.3 Tunnel1
23.0.0.0/24 attached FastEthernet0/0
23.0.0.0/32 receive FastEthernet0/0
23.0.0.2/32 receive FastEthernet0/0
23.0.0.3/32 attached FastEthernet0/0
23.0.0.255/32 receive FastEthernet0/0
69.69.69.0/24 attached Tunnel1
69.69.69.0/32 receive Tunnel1
69.69.69.2/32 receive Tunnel1
69.69.69.3/32 69.69.69.3 Tunnel1
69.69.69.255/32 receive Tunnel1
127.0.0.0/8 drop
224.0.0.0/4 drop
224.0.0.0/24 receive
240.0.0.0/4 drop
255.255.255.255/32 receive
R2#
========================================================================
R3#
R3#sh run | s ip route|isakmp|ipsec|interface
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set TSET esp-3des esp-md5-hmac
mode tunnel
crypto ipsec profile CRYPTO
description VPN_SITE_TO_SITE
set transform-set TSET
set pfs group2
interface Tunnel1
description VPN_TO_PKX
ip address 69.69.69.3 255.255.255.0
tunnel source 23.0.0.3
tunnel mode ipsec ipv4
tunnel destination 23.0.0.2
tunnel bandwidth transmit 25000
tunnel bandwidth receive 25000
tunnel protection ipsec profile CRYPTO
interface FastEthernet0/0
ip address 23.0.0.3 255.255.255.0
speed auto
duplex auto
interface FastEthernet0/1
ip address 10.1.1.3 255.255.255.0
speed auto
duplex auto
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
ip route 10.0.0.0 255.255.0.0 69.69.69.2 name TUNNEL
ip route 10.1.0.0 255.255.0.0 10.1.1.4 name INSIDE
alias exec sir show ip route
R3#
R3#
R3#sh ip int brief | ex unas
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            23.0.0.3        YES manual up                    up
FastEthernet0/1            10.1.1.3        YES manual up                    up
Tunnel1                    69.69.69.3      YES manual up                    up
R3#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type  Interface
Internet  10.1.1.3                 -  ca03.435c.0006  ARPA  FastEthernet0/1
Internet  10.1.1.4               112  ca04.49c8.0008  ARPA  FastEthernet0/1
Internet  23.0.0.2               139  ca02.44ac.0008  ARPA  FastEthernet0/0
Internet  23.0.0.3                 -  ca03.435c.0008  ARPA  FastEthernet0/0
R3#
R3#sh ip cef
Prefix Next Hop Interface
0.0.0.0/0 no route
0.0.0.0/8 drop
0.0.0.0/32 receive
10.0.0.0/16 69.69.69.2 Tunnel1
10.1.0.0/16 10.1.1.4 FastEthernet0/1
10.1.1.0/24 attached FastEthernet0/1
10.1.1.0/32 receive FastEthernet0/1
10.1.1.3/32 receive FastEthernet0/1
10.1.1.4/32 attached FastEthernet0/1
10.1.1.255/32 receive FastEthernet0/1
23.0.0.0/24 attached FastEthernet0/0
23.0.0.0/32 receive FastEthernet0/0
23.0.0.2/32 attached FastEthernet0/0
23.0.0.3/32 receive FastEthernet0/0
23.0.0.255/32 receive FastEthernet0/0
69.69.69.0/24 attached Tunnel1
69.69.69.0/32 receive Tunnel1
69.69.69.2/32 69.69.69.2 Tunnel1
69.69.69.3/32 receive Tunnel1
69.69.69.255/32 receive Tunnel1
127.0.0.0/8 drop
224.0.0.0/4 drop
224.0.0.0/24 receive
240.0.0.0/4 drop
255.255.255.255/32 receive
R3#
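Two checks a practitioner would run against the output above before touching the crypto config, as an added example (editor's code, not the poster's): first, parse the `show crypto ipsec sa` counters and SPIs to see whether packets are actually crossing the SA, and second, replay the posted static and connected routes through a longest-prefix match to confirm where each router forwards inside-to-inside traffic and that the `tunnel destination` of each VTI is reached over a physical interface rather than the tunnel itself (recursive routing, which makes a VTI flap). The sample SA text and the route lists are constructed from the numbers posted for R2 and R3; the test addresses 10.1.5.5 and 10.0.5.5 are arbitrary hosts chosen to fall inside the /16 static routes. Note that the posted encaps/decaps counts are non-zero in both directions, so something has already crossed the tunnel both ways; run `clear crypto sa counters` before a test ping so the numbers reflect that traffic alone. Separately, the IKE/IPsec policy shown (3DES, MD5-HMAC, DH group 2, a wildcard pre-shared key of `cisco`) is acceptable in a GNS3 lab but all of it is deprecated for production; Cisco's Next Generation Encryption guidance points at AES with SHA-2 and DH group 14 or ECDH groups instead.

```python
import re
import ipaddress

# Constructed sample: the counter and SPI lines from the `show crypto ipsec sa`
# output posted for R2, trimmed to what the parser needs.
R2_IPSEC_SA = """\
interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 23.0.0.2
    #pkts encaps: 1484, #pkts encrypt: 1484, #pkts digest: 1484
    #pkts decaps: 1333, #pkts decrypt: 1333, #pkts verify: 1333
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0xFAFF5987(4211038599)
     outbound esp sas:
      spi: 0x7B5CB5EE(2069673454)
"""

# Constructed from the static and connected routes posted for each router:
# (prefix, next hop or None for directly connected, outgoing interface).
R2_ROUTES = [
    ("10.0.0.0/16", "10.0.0.1", "FastEthernet0/1"),
    ("10.0.0.0/24", None, "FastEthernet0/1"),
    ("10.1.0.0/16", "69.69.69.3", "Tunnel1"),
    ("23.0.0.0/24", None, "FastEthernet0/0"),
    ("69.69.69.0/24", None, "Tunnel1"),
]
R3_ROUTES = [
    ("10.0.0.0/16", "69.69.69.2", "Tunnel1"),
    ("10.1.0.0/16", "10.1.1.4", "FastEthernet0/1"),
    ("10.1.1.0/24", None, "FastEthernet0/1"),
    ("23.0.0.0/24", None, "FastEthernet0/0"),
    ("69.69.69.0/24", None, "Tunnel1"),
]
TABLES = {"R2": R2_ROUTES, "R3": R3_ROUTES}
# Tunnel next hops mapped to the router that owns them, so trace() can hop.
PEERS = {"69.69.69.3": "R3", "69.69.69.2": "R2"}

def parse_ipsec_sa(text):
    """Extract encaps/decaps counters, error counters and ESP SPIs from
    IOS `show crypto ipsec sa` output."""
    counters = {k: int(v) for k, v in re.findall(r"#pkts (encaps|decaps): (\d+)", text)}
    errors = {k: int(v) for k, v in re.findall(r"#(send|recv) errors (\d+)", text)}
    spis = re.findall(r"(inbound|outbound) esp sas:\s*spi: (0x[0-9A-Fa-f]+)", text)
    return {
        "encaps": counters.get("encaps", 0),
        "decaps": counters.get("decaps", 0),
        "send_errors": errors.get("send", 0),
        "recv_errors": errors.get("recv", 0),
        "spi": dict(spis),
    }

def tunnel_verdict(stats):
    """Classify the IPsec layer from its counters: traffic both ways with no
    errors means the SA carries packets; a one-sided count points at routing
    on the silent side."""
    if stats["send_errors"] or stats["recv_errors"]:
        return "errors"
    if stats["encaps"] and stats["decaps"]:
        return "bidirectional"
    if stats["encaps"]:
        return "outbound-only"
    if stats["decaps"]:
        return "inbound-only"
    return "idle"

def lookup(routes, dst):
    """Longest-prefix match over a route list, the same choice the posted
    RIB and CEF tables make."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop, ifc in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop, ifc)
    return None if best is None else (str(best[0]), best[1], best[2])

def transport_path_ok(routes, tunnel_dest, tunnel_ifc="Tunnel1"):
    """True when the VTI's `tunnel destination` is reached over a
    non-tunnel interface, i.e. no recursive routing through the VTI."""
    hit = lookup(routes, tunnel_dest)
    return hit is not None and hit[2] != tunnel_ifc

def trace(start, dst, max_hops=4):
    """Follow the forwarding decision router by router across tunnel hops,
    stopping when the next hop is an inside router this model does not hold."""
    path, router = [], start
    for _ in range(max_hops):
        hit = lookup(TABLES[router], dst)
        if hit is None:
            path.append((router, None, None, None))
            break
        path.append((router,) + hit)
        if hit[1] not in PEERS:
            break
        router = PEERS[hit[1]]
    return path
```

`trace("R2", "10.1.5.5")` walks R2 -> Tunnel1 -> R3 -> 10.1.1.4, and `trace("R3", "10.0.5.5")` walks the reverse to 10.0.0.1; both directions resolve cleanly on the posted tables, and both `transport_path_ok` checks pass because 23.0.0.0/24 is connected on FastEthernet0/0, so the model says the two VTI endpoints are consistent and the next place to look is the routers behind them (10.0.0.1 and 10.1.1.4), whose tables the post does not include.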
Comments
On Jun 9, 2015, at 03:17, Pseudocyber <[email protected]> wrote: