VTI tunnel not passing traffic, but BGP works?

I'm trying to pass traffic from router 1 to router 6 via a VPN tunnel between routers 3 and 5, so that the traffic flow "bypasses" R4.

VPN tunnels are up, BGP routing looks good, learning routes and no recursive routing. Limiting BGP advertisements with prefix-lists.

PROBLEM: I cannot ping 6.6.6.6 from R2, and vice versa. Routing looks fine, but traffic does not pass through the VPN tunnel - "show crypto ipsec | i encap|decap" does not show encapsulations increasing during a continuous ping.

I have 6 routers in GNS3 all running 15.2. They're in a straight line, 1-2-3-4-5-6.

Routers 3-4 are BGP peers.

Routers 3-5 are IPSEC VPN tunnel endpoints with VTI. They're BGP peers inside the tunnel.

Routers 1, 2, 3 are in an EIGRP AS, redistributing into/from BGP on router 3.

R5 has a 0/0 to R4, and R6 has a 0/0 to R5.

All routers have L0 1.1.1.1/32 on 1, 2.2.2.2 on 2 and so on. Between routers, the 2nd octet is low router/high router, and the 4th is the router. So between routers 1 and 2 is 10.12.0.0/24, and R1 is .1 and R2 is .2 and so on.

Router1

R1#
R1#sib
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1/0     unassigned      YES NVRAM  up                    up
GigabitEthernet1/0.1   10.0.0.1        YES NVRAM  up                    up
GigabitEthernet1/0.12  10.12.0.1       YES manual up                    up
Loopback0              1.1.1.1         YES manual up                    up
R1#sir

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
C        1.1.1.1 is directly connected, Loopback0
      2.0.0.0/32 is subnetted, 1 subnets
D        2.2.2.2 [90/130816] via 10.12.0.2, 01:44:53, GigabitEthernet1/0.12
      3.0.0.0/32 is subnetted, 1 subnets
D        3.3.3.3 [90/131072] via 10.12.0.2, 01:43:36, GigabitEthernet1/0.12
      5.0.0.0/32 is subnetted, 1 subnets
D EX     5.5.5.5 [170/3328] via 10.12.0.2, 01:22:30, GigabitEthernet1/0.12
      6.0.0.0/32 is subnetted, 1 subnets
D EX     6.6.6.6 [170/3328] via 10.12.0.2, 01:22:56, GigabitEthernet1/0.12
      10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C        10.0.0.0/24 is directly connected, GigabitEthernet1/0.1
L        10.0.0.1/32 is directly connected, GigabitEthernet1/0.1
C        10.12.0.0/24 is directly connected, GigabitEthernet1/0.12
L        10.12.0.1/32 is directly connected, GigabitEthernet1/0.12
D        10.23.0.0/24 [90/3072] via 10.12.0.2, 01:44:21, GigabitEthernet1/0.12
D EX     10.56.0.0/24
           [170/3328] via 10.12.0.2, 01:33:20, GigabitEthernet1/0.12
R1#
R1#sh ip eigrp int
EIGRP-IPv4 Interfaces for AS(250)
                              Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface              Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Gi1/0.12                 1        0/0       0/0          59       0/0          240           0
Lo0                      0        0/0       0/0           0       0/0            0           0
R1#sh ip eigrp top

P 5.5.5.5/32, 1 successors, FD is 3328, tag is 65000
        via 10.12.0.2 (3328/3072), GigabitEthernet1/0.12
P 10.56.0.0/24, 1 successors, FD is 3328, tag is 65000
        via 10.12.0.2 (3328/3072), GigabitEthernet1/0.12
P 2.2.2.2/32, 1 successors, FD is 130816
        via 10.12.0.2 (130816/128256), GigabitEthernet1/0.12
P 6.6.6.6/32, 1 successors, FD is 3328, tag is 65000
        via 10.12.0.2 (3328/3072), GigabitEthernet1/0.12
P 3.3.3.3/32, 1 successors, FD is 131072
        via 10.12.0.2 (131072/130816), GigabitEthernet1/0.12
P 10.23.0.0/24, 1 successors, FD is 3072
        via 10.12.0.2 (3072/2816), GigabitEthernet1/0.12
P 10.12.0.0/24, 1 successors, FD is 2816
        via Connected, GigabitEthernet1/0.12
P 1.1.1.1/32, 1 successors, FD is 128256
        via Connected, Loopback0

R1#
R1#sh run
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
!
interface GigabitEthernet1/0
 no ip address
 negotiation auto
!
interface GigabitEthernet1/0.1
 encapsulation dot1Q 1 native
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet1/0.12
 encapsulation dot1Q 12
 ip address 10.12.0.1 255.255.255.0
!
!
router eigrp 250
 network 1.1.1.1 0.0.0.0
 network 10.12.0.0 0.0.0.255
!
R1#

Router2:

R2#sh ip route

      1.0.0.0/32 is subnetted, 1 subnets
D        1.1.1.1 [90/130816] via 10.12.0.1, 01:20:40, GigabitEthernet1/0.12
      2.0.0.0/32 is subnetted, 1 subnets
C        2.2.2.2 is directly connected, Loopback0
      3.0.0.0/32 is subnetted, 1 subnets
D        3.3.3.3 [90/130816] via 10.23.0.3, 01:19:11, GigabitEthernet1/0.23
      5.0.0.0/32 is subnetted, 1 subnets
D EX     5.5.5.5 [170/3072] via 10.23.0.3, 00:58:01, GigabitEthernet1/0.23
      6.0.0.0/32 is subnetted, 1 subnets
D EX     6.6.6.6 [170/3072] via 10.23.0.3, 00:58:28, GigabitEthernet1/0.23
      10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
C        10.0.0.0/24 is directly connected, GigabitEthernet1/0.1
L        10.0.0.2/32 is directly connected, GigabitEthernet1/0.1
C        10.12.0.0/24 is directly connected, GigabitEthernet1/0.12
L        10.12.0.2/32 is directly connected, GigabitEthernet1/0.12
C        10.23.0.0/24 is directly connected, GigabitEthernet1/0.23
L        10.23.0.2/32 is directly connected, GigabitEthernet1/0.23
D EX     10.56.0.0/24
           [170/3072] via 10.23.0.3, 01:08:55, GigabitEthernet1/0.23

R2#sib
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1/0     unassigned      YES NVRAM  up                    up
GigabitEthernet1/0.1   10.0.0.2        YES NVRAM  up                    up
GigabitEthernet1/0.12  10.12.0.2       YES manual up                    up
GigabitEthernet1/0.23  10.23.0.2       YES manual up                    up
Loopback0              2.2.2.2         YES manual up                    up

Router3

R3#
R3#sib
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1/0     unassigned      YES NVRAM  up                    up
GigabitEthernet1/0.1   10.0.0.3        YES NVRAM  up                    up
GigabitEthernet1/0.23  10.23.0.3       YES manual up                    up
GigabitEthernet1/0.34  10.34.0.3       YES manual up                    up
Loopback0              3.3.3.3         YES manual up                    up
Tunnel0                192.168.35.3    YES manual up                    up
R3#
R3#sh ip route
Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D        1.1.1.1 [90/131072] via 10.23.0.2, 01:28:41, GigabitEthernet1/0.23
      2.0.0.0/32 is subnetted, 1 subnets
D        2.2.2.2 [90/130816] via 10.23.0.2, 01:28:41, GigabitEthernet1/0.23
      3.0.0.0/32 is subnetted, 1 subnets
C        3.3.3.3 is directly connected, Loopback0
      5.0.0.0/32 is subnetted, 1 subnets
B        5.5.5.5 [20/0] via 192.168.35.5, 01:03:42
      6.0.0.0/32 is subnetted, 1 subnets
B        6.6.6.6 [20/0] via 192.168.35.5, 01:04:12
      10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
C        10.0.0.0/24 is directly connected, GigabitEthernet1/0.1
L        10.0.0.3/32 is directly connected, GigabitEthernet1/0.1
D        10.12.0.0/24 [90/3072] via 10.23.0.2, 01:28:41, GigabitEthernet1/0.23
C        10.23.0.0/24 is directly connected, GigabitEthernet1/0.23
L        10.23.0.3/32 is directly connected, GigabitEthernet1/0.23
C        10.34.0.0/24 is directly connected, GigabitEthernet1/0.34
L        10.34.0.3/32 is directly connected, GigabitEthernet1/0.34
B        10.45.0.0/24 [20/0] via 10.34.0.4, 01:49:09
B        10.56.0.0/24 [20/0] via 192.168.35.5, 01:34:55
      192.168.35.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.35.0/24 is directly connected, Tunnel0
L        192.168.35.3/32 is directly connected, Tunnel0
R3#
R3#sh run
Building configuration...

hostname R3
!
!
ip tcp synwait-time 5
!
policy-map CSRPAR
 class class-default
  shape average 12800
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxxx address 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TSET1 esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VTI
 set transform-set TSET1
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
 ip address 192.168.35.3 255.255.255.0
 ip access-group LOG in
 ip access-group LOG out
 tunnel source 10.34.0.3
 tunnel mode ipsec ipv4
 tunnel destination 10.45.0.5
 tunnel protection ipsec profile VTI
!
interface GigabitEthernet1/0.1
 encapsulation dot1Q 1 native
 ip address 10.0.0.3 255.255.255.0
!
interface GigabitEthernet1/0.23
 encapsulation dot1Q 23
 ip address 10.23.0.3 255.255.255.0
 ip access-group LOG in
!
interface GigabitEthernet1/0.34
 encapsulation dot1Q 34
 ip address 10.34.0.3 255.255.255.0
!
!
router eigrp 250
 default-metric 1000000 1 255 1 1500
 network 3.3.3.3 0.0.0.0
 network 10.23.0.0 0.0.0.255
 redistribute bgp 18903 route-map RM_BGP->EIGRP
!
router bgp 18903
 bgp log-neighbor-changes
 network 10.34.0.0 mask 255.255.255.0
 redistribute eigrp 250 route-map RM_EIGRP->BGP
 neighbor 10.34.0.4 remote-as 7224
 neighbor 10.34.0.4 description AWS
 neighbor 10.34.0.4 soft-reconfiguration inbound
 neighbor 10.34.0.4 prefix-list PL-BGP-AWS-AD out
 neighbor 192.168.35.5 remote-as 65000
 neighbor 192.168.35.5 description CSR
 neighbor 192.168.35.5 soft-reconfiguration inbound
 neighbor 192.168.35.5 prefix-list PL-BGP-CSR-AD out
!
ip access-list extended LOG
 permit ip any any log
!
!
ip prefix-list PL-BGP-AWS-AD seq 5 permit 10.34.0.0/24
!
ip prefix-list PL-BGP-CSR-AD seq 5 permit 10.23.0.0/24
ip prefix-list PL-BGP-CSR-AD seq 10 permit 10.12.0.0/24
ip prefix-list PL-BGP-CSR-AD seq 15 permit 0.0.0.0/0 ge 32
!
ip prefix-list PL_BGP->EIGRP seq 5 permit 0.0.0.0/0 ge 32
ip prefix-list PL_BGP->EIGRP seq 10 permit 10.56.0.0/24
!
ip prefix-list PL_EIGRP->BGP seq 5 permit 10.12.0.0/24
ip prefix-list PL_EIGRP->BGP seq 10 permit 10.23.0.0/24
ip prefix-list PL_EIGRP->BGP seq 15 permit 0.0.0.0/0 ge 32
access-list 100 permit ip any host 6.6.6.6
access-list 100 permit ip host 6.6.6.6 any
!
route-map RM_EIGRP->BGP permit 10
 match ip address prefix-list PL_EIGRP->BGP
!
route-map RM_BGP->EIGRP permit 10
 match ip address prefix-list PL_BGP->EIGRP
!
!
end

R3#
R3#sh ip bgp sum

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.34.0.4       4         7224     119     131       11    0    0 01:50:45        1
192.168.35.5    4        65000     116     116       11    0    0 01:36:34        3
R3#
R3#sh ip bgp neigh 192.168.35.5 advertised-routes

     Network          Next Hop            Metric LocPrf Weight Path
 *>  1.1.1.1/32       10.23.0.2           131072         32768 ?
 *>  2.2.2.2/32       10.23.0.2           130816         32768 ?
 *>  3.3.3.3/32       0.0.0.0                  0         32768 ?
 *>  10.12.0.0/24     10.23.0.2             3072         32768 ?
 *>  10.23.0.0/24     0.0.0.0                  0         32768 ?

Total number of prefixes 5
R3#sh ip bgp neigh 192.168.35.5 received-r

     Network          Next Hop            Metric LocPrf Weight Path
 *>  5.5.5.5/32       192.168.35.5             0             0 65000 i
 *>  6.6.6.6/32       192.168.35.5             0             0 65000 i
 *>  10.56.0.0/24     192.168.35.5             0             0 65000 i

Total number of prefixes 3
R3#
R3#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.34.0.3       10.45.0.5       QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

R3#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.34.0.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 10.45.0.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 356, #pkts encrypt: 356, #pkts digest: 356
    #pkts decaps: 314, #pkts decrypt: 314, #pkts verify: 314
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.34.0.3, remote crypto endpt.: 10.45.0.5
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1/0.34
     current outbound spi: 0x462B5D66(1177247078)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x8DA34CDE(2376289502)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: 3, sibling_flags 80004040, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4279385/475)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x462B5D66(1177247078)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: 4, sibling_flags 80004040, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4279383/475)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
R3#
R3#sh cyrpto ses
      ^
% Invalid input detected at '^' marker.

R3#sh crypto ses
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.45.0.5 port 500
  IKEv1 SA: local 10.34.0.3/500 remote 10.45.0.5/500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map

Router4

sib
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1/0     unassigned      YES NVRAM  up                    up
GigabitEthernet1/0.1   10.0.0.4        YES NVRAM  up                    up
GigabitEthernet1/0.34  10.34.0.4       YES manual up                    up
GigabitEthernet1/0.45  10.45.0.4       YES manual up                    up
Loopback0              4.4.4.4         YES manual up                    up
R4#
R4#sh ip bgp sum

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.34.0.3       4        18903     141     128        3    0    0 01:51:29        1
R4#
R4#sh ip bgp

     Network          Next Hop            Metric LocPrf Weight Path
 r>  10.34.0.0/24     10.34.0.3                0             0 18903 i
 *>  10.45.0.0/24     0.0.0.0                  0         32768 i
R4#
R4#sh ip route

Gateway of last resort is not set

      4.0.0.0/32 is subnetted, 1 subnets
C        4.4.4.4 is directly connected, Loopback0
      10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C        10.0.0.0/24 is directly connected, GigabitEthernet1/0.1
L        10.0.0.4/32 is directly connected, GigabitEthernet1/0.1
C        10.34.0.0/24 is directly connected, GigabitEthernet1/0.34
L        10.34.0.4/32 is directly connected, GigabitEthernet1/0.34
C        10.45.0.0/24 is directly connected, GigabitEthernet1/0.45
L        10.45.0.4/32 is directly connected, GigabitEthernet1/0.45
R4#
R4#sh run
Building configuration...

policy-map FOO
 class class-default

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key VPNKEY1 address 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VTI
 set transform-set TSET
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface GigabitEthernet1/0
 no ip address
 negotiation auto
!
interface GigabitEthernet1/0.1
 encapsulation dot1Q 1 native
 ip address 10.0.0.4 255.255.255.0
!
interface GigabitEthernet1/0.34
 encapsulation dot1Q 34
 ip address 10.34.0.4 255.255.255.0
!
interface GigabitEthernet1/0.45
 encapsulation dot1Q 45
 ip address 10.45.0.4 255.255.255.0
!
!
router bgp 7224
 bgp log-neighbor-changes
 network 10.45.0.0 mask 255.255.255.0
 neighbor 10.34.0.3 remote-as 18903
 neighbor 10.34.0.3 description LENDINGTREE
 neighbor 10.34.0.3 soft-reconfiguration inbound
!
ip prefix-list PL_CSR_VPN_ADVERTISE seq 5 permit 4.4.4.4/32
ip prefix-list PL_CSR_VPN_ADVERTISE seq 10 permit 172.18.0.0/16 le 32
!
R4#

Router5

R5#
R5#sib
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1/0     unassigned      YES NVRAM  up                    up
GigabitEthernet1/0.1   10.0.0.5        YES NVRAM  up                    up
GigabitEthernet1/0.45  10.45.0.5       YES manual up                    up
GigabitEthernet1/0.56  10.56.0.5       YES manual up                    up
Loopback0              5.5.5.5         YES manual up                    up
Tunnel0                192.168.35.5    YES manual up                    up
R5#
R5#sir

Gateway of last resort is 10.45.0.4 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.45.0.4
      1.0.0.0/32 is subnetted, 1 subnets
B        1.1.1.1 [20/131072] via 192.168.35.3, 01:36:48
      2.0.0.0/32 is subnetted, 1 subnets
B        2.2.2.2 [20/130816] via 192.168.35.3, 01:36:48
      3.0.0.0/32 is subnetted, 1 subnets
B        3.3.3.3 [20/0] via 192.168.35.3, 01:36:48
      5.0.0.0/32 is subnetted, 1 subnets
C        5.5.5.5 is directly connected, Loopback0
      6.0.0.0/32 is subnetted, 1 subnets
S        6.6.6.6 [1/0] via 10.56.0.6
      10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
C        10.0.0.0/24 is directly connected, GigabitEthernet1/0.1
L        10.0.0.5/32 is directly connected, GigabitEthernet1/0.1
B        10.12.0.0/24 [20/3072] via 192.168.35.3, 01:36:48
B        10.23.0.0/24 [20/0] via 192.168.35.3, 01:39:00
C        10.45.0.0/24 is directly connected, GigabitEthernet1/0.45
L        10.45.0.5/32 is directly connected, GigabitEthernet1/0.45
C        10.56.0.0/24 is directly connected, GigabitEthernet1/0.56
L        10.56.0.5/32 is directly connected, GigabitEthernet1/0.56
      192.168.35.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.35.0/24 is directly connected, Tunnel0
L        192.168.35.5/32 is directly connected, Tunnel0
R5#
R5#sh ip bgp sum
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.35.3    4        18903     131     131        9    0    0 01:49:12        5
R5#
R5#sh ip bgp

     Network          Next Hop            Metric LocPrf Weight Path
 *>  1.1.1.1/32       192.168.35.3        131072             0 18903 ?
 *>  2.2.2.2/32       192.168.35.3        130816             0 18903 ?
 *>  3.3.3.3/32       192.168.35.3             0             0 18903 ?
 *>  5.5.5.5/32       0.0.0.0                  0         32768 i
 *>  6.6.6.6/32       10.56.0.6                0         32768 i
 *>  10.12.0.0/24     192.168.35.3          3072             0 18903 ?
 *>  10.23.0.0/24     192.168.35.3             0             0 18903 ?
 *>  10.56.0.0/24     0.0.0.0                  0         32768 i
R5#
R5#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.34.0.3       10.45.0.5       QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

R5#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.45.0.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 10.34.0.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 330, #pkts encrypt: 330, #pkts digest: 330
    #pkts decaps: 372, #pkts decrypt: 372, #pkts verify: 372
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.45.0.5, remote crypto endpt.: 10.34.0.3
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1/0.45
     current outbound spi: 0xB2DEB323(3000939299)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x15CAFC09(365624329)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 5, flow_id: 5, sibling_flags 80000040, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4358339/3561)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB2DEB323(3000939299)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 6, flow_id: 6, sibling_flags 80000040, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4358339/3561)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
R5#
R5#sh crypto ses
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.34.0.3 port 500
  IKEv1 SA: local 10.45.0.5/500 remote 10.34.0.3/500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map

R5#
R5#sh run
Building configuration...

!
policy-map CSRPAR
 class class-default
  shape average 12800
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxxxxxx address 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TSET1 esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VTI
 set transform-set TSET1
!
!
interface Loopback0
 ip address 5.5.5.5 255.255.255.255
!
interface Tunnel0
 ip address 192.168.35.5 255.255.255.0
 ip access-group LOG in
 ip access-group LOG out
 tunnel source 10.45.0.5
 tunnel mode ipsec ipv4
 tunnel destination 10.34.0.3
 tunnel protection ipsec profile VTI
!
interface GigabitEthernet1/0
 no ip address
 negotiation auto
!
interface GigabitEthernet1/0.1
 encapsulation dot1Q 1 native
 ip address 10.0.0.5 255.255.255.0
!
interface GigabitEthernet1/0.45
 encapsulation dot1Q 45
 ip address 10.45.0.5 255.255.255.0
!
interface GigabitEthernet1/0.56
 encapsulation dot1Q 56
 ip address 10.56.0.5 255.255.255.0
!
router bgp 65000
 bgp log-neighbor-changes
 network 5.5.5.5 mask 255.255.255.255
 network 6.6.6.6 mask 255.255.255.255
 network 10.56.0.0 mask 255.255.255.0
 neighbor 192.168.35.3 remote-as 18903
 neighbor 192.168.35.3 description xx_VPN
 neighbor 192.168.35.3 soft-reconfiguration inbound
 neighbor 192.168.35.3 prefix-list PL-BGP-xx-AD out
!
ip route 0.0.0.0 0.0.0.0 10.45.0.4 name DEFAULT
ip route 6.6.6.6 255.255.255.255 10.56.0.6
!
ip access-list extended LOG
 permit ip any any
!
!
ip prefix-list PL-BGP-XX-AD seq 5 permit 10.56.0.0/24
ip prefix-list PL-BGP-XX-AD seq 10 permit 0.0.0.0/0 ge 32
access-list 100 permit ip any host 6.6.6.6
access-list 100 permit ip host 6.6.6.6 any
!

ROUTER6
term len 0

R6#sib
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1/0     unassigned      YES NVRAM  up                    up
GigabitEthernet1/0.1   10.0.0.6        YES NVRAM  up                    up
GigabitEthernet1/0.56  10.56.0.6       YES manual up                    up
Loopback0              6.6.6.6         YES manual up                    up
R6#
R6#sir

Gateway of last resort is 10.56.0.5 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.56.0.5
      6.0.0.0/32 is subnetted, 1 subnets
C        6.6.6.6 is directly connected, Loopback0
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.0.0.0/24 is directly connected, GigabitEthernet1/0.1
L        10.0.0.6/32 is directly connected, GigabitEthernet1/0.1
C        10.56.0.0/24 is directly connected, GigabitEthernet1/0.56
L        10.56.0.6/32 is directly connected, GigabitEthernet1/0.56
R6#
R6#sh ip proto
*** IP Routing is NSF aware ***

R6#
interface Loopback0
 ip address 6.6.6.6 255.255.255.255
!
interface GigabitEthernet1/0
 no ip address
 negotiation auto
!
interface GigabitEthernet1/0.1
 encapsulation dot1Q 1 native
 ip address 10.0.0.6 255.255.255.0
!
interface GigabitEthernet1/0.56
 encapsulation dot1Q 56
 ip address 10.56.0.6 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.56.0.5
!
!

R6#
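The check the post describes (watching encaps/decaps on the VTI during a continuous ping) as a script, added here as an example and not part of the original post or its configs: it diffs two `show crypto ipsec sa` snapshots and first confirms from `show ip route` that the destination's next hop really is the tunnel peer, so a counter that does not move is separated from a plain routing problem. All function names are mine; the route lines and "before" counters are R3's from the post, and the "after" counters are invented to show each outcome.

```python
"""Added check for the symptom in the post: does a continuous ping move the VTI's
IPsec counters?  Diffs two `show crypto ipsec sa` snapshots and first confirms
that `show ip route` sends the destination to the tunnel peer at all."""
import re
from typing import Dict, Optional, Tuple

IFACE_RE = re.compile(r"^interface:\s+(\S+)", re.M)
ENCAPS_RE = re.compile(r"#pkts encaps:\s+(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s+(\d+)")
ERR_RE = re.compile(r"#send errors\s+(\d+),\s+#recv errors\s+(\d+)")

def parse_ipsec_counters(text: str) -> Dict[str, Dict[str, int]]:
    """{interface: {encaps, decaps, send_err, recv_err}} from `show crypto ipsec sa`."""
    out: Dict[str, Dict[str, int]] = {}
    parts = IFACE_RE.split(text)  # [preamble, iface, body, iface, body, ...]
    for name, body in zip(parts[1::2], parts[2::2]):
        enc, dec, err = ENCAPS_RE.search(body), DECAPS_RE.search(body), ERR_RE.search(body)
        out[name] = {"encaps": int(enc.group(1)) if enc else 0,
                     "decaps": int(dec.group(1)) if dec else 0,
                     "send_err": int(err.group(1)) if err else 0,
                     "recv_err": int(err.group(2)) if err else 0}
    return out

def next_hop_for(routes: str, dest: str) -> Optional[str]:
    """Next hop on the `show ip route` line for `dest` (host or prefix), or None."""
    pat = r"(?<![\d.])" + re.escape(dest) + r"(?:/\d+)?\s+\[\d+/\d+\]\s+via\s+(\d+\.\d+\.\d+\.\d+)"
    m = re.search(pat, routes)
    return m.group(1) if m else None

def diagnose(before: str, after: str, routes: str, dest: str,
             tunnel: str, peer: str, pings_sent: int) -> Tuple[str, str]:
    """Classify a continuous-ping test as (status, detail).

    BGP keepalives over the VTI move the counters by a packet or two on their
    own, so deltas are compared with the number of echoes sent, not with zero."""
    nh = next_hop_for(routes, dest)
    if nh != peer:
        return "routing", f"{dest} next hop is {nh}, not tunnel peer {peer}"
    b = parse_ipsec_counters(before).get(tunnel)
    a = parse_ipsec_counters(after).get(tunnel)
    if b is None or a is None:
        return "no-sa", f"no IPsec SA listed under {tunnel}"
    d_enc, d_dec = a["encaps"] - b["encaps"], a["decaps"] - b["decaps"]
    d_err = (a["send_err"] + a["recv_err"]) - (b["send_err"] + b["recv_err"])
    if d_err:
        return "errors", f"{d_err} new send/recv errors on {tunnel}"
    if d_enc < pings_sent:
        return "not-encapsulated", (f"route points at {peer} but only {d_enc} encaps for "
                                    f"{pings_sent} echoes: dropped before the tunnel")
    if d_dec < pings_sent:
        return "one-way", f"{d_enc} encaps but only {d_dec} decaps: replies not returning"
    return "ok", f"{d_enc} encaps / {d_dec} decaps on {tunnel}"

# Constructed samples: the route lines and 'before' counters are R3's from the
# post; the 'after' counters are invented to show each outcome.
R3_ROUTES = """
B        6.6.6.6 [20/0] via 192.168.35.5, 01:04:12
B        10.45.0.0/24 [20/0] via 10.34.0.4, 01:49:09
"""

def _snap(enc: int, dec: int) -> str:
    return (f"interface: Tunnel0\n    Crypto map tag: Tunnel0-head-0, local addr 10.34.0.3\n"
            f"    #pkts encaps: {enc}, #pkts encrypt: {enc}, #pkts digest: {enc}\n"
            f"    #pkts decaps: {dec}, #pkts decrypt: {dec}, #pkts verify: {dec}\n"
            f"    #send errors 0, #recv errors 0\n")

R3_BEFORE = _snap(356, 314)
R3_AFTER_STALLED = _snap(357, 315)  # one BGP keepalive each way: the symptom in the post
R3_AFTER_ONEWAY = _snap(368, 315)   # echoes encrypted, nothing decrypted: far-side return path
R3_AFTER_FLOWING = _snap(368, 326)  # what a working VTI looks like after 10 echoes

if __name__ == "__main__":
    for label, snap in (("stalled", R3_AFTER_STALLED), ("one-way", R3_AFTER_ONEWAY),
                        ("flowing", R3_AFTER_FLOWING)):
        print(label, diagnose(R3_BEFORE, snap, R3_ROUTES, "6.6.6.6", "Tunnel0", "192.168.35.5", 10))
```

Run it against real captures by pasting the two `show crypto ipsec sa` outputs and the local `show ip route` into the three strings; the "stalled" case is exactly what the post reports on R3.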

Comments

  • I changed the tunnel to GRE, and routing works fine between routers 1 and 6.

    R3#conf t
    R3(config-if)#no tunnel mode ipsec ipv4
    R3(config-if)#tu mode gre ip
    *Mar 16 08:27:20.491: %CRYPTO-6-ISAKMP_MANUAL_DELETE: IKE SA manually deleted. Do 'clear crypto sa peer 10.45.0.5' to manually clear IPSec SA's covered by this IKE SA.
    R3(config-if)#clear crypto sa peer 10.45.0.5

    R5#conf t
    R5(config)#int tu0
    R5(config-if)#tunnel mode gre ip
    R5(config-if)#exit
    R5(config)#exit
    R5#
    R5#clear crypto sa peer 10.34.0.3

    R6#ping 1.1.1.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 84/100/112 ms
    R6#

    R1#ping 6.6.6.6
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 100/108/128 ms
    R1
