Tuesday, February 2, 2010

GRE over IPsec between two routers

Here's a simple lab to set up a LAN-to-LAN GRE over IPsec tunnel between two Cisco routers, R1 and R3, with R2 in between acting as the untrusted transit network. The "LANs" we'll be connecting are loopback interfaces, and the GRE tunnel itself terminates on a second pair of loopbacks. Here's our topology, as far as the configuration below tells it: R1's FastEthernet1/0 sits on 12.12.12.0/24 with R2 at 12.12.12.2, and R3 is reached through R2 at 23.23.23.3.
For this lab we'll be running EIGRP on routers 1 and 3 with AS 13. The GRE tunnel will be established between two loopbacks on R1 and R3, with addresses 1.1.1.1 and 3.3.3.3.
We'll create one more loopback on each of R1 and R3 to simulate the local networks routed via GRE; their addresses will be 11.11.11.0/24 on R1 and 33.33.33.0/24 on R3.


If we wanted to use the GRE tunnel without IPsec, R2 would need routes to the loopbacks (1.1.1.1 and 3.3.3.3) that terminate it. We won't add those, so the GRE tunnel only works once the IPsec tunnel is established: the encrypted packets carry an outer IP header between the crypto peers' physical addresses, which R2 can route, whereas a bare GRE packet from 1.1.1.1 to 3.3.3.3 is unroutable for R2 and gets dropped. That is a useful fail-closed property: if the crypto map is ever removed or fails to match, the tunnel traffic cannot be forwarded across R2 in cleartext.



Here's a breakdown of the tasks we have to do in order to accomplish this:
1-Create the loopbacks and get basic connectivity
2-Create the GRE tunnel
3-Set up EIGRP
4-Define the ISAKMP policy and pre-shared key
5-Define the IPsec transform set
6-Create an ACL for our "interesting" traffic
7-Create a crypto map
8-Apply the crypto map to an interface
9-Test!

1-Basic connectivity
R1 and R3 should each have a default route with next hop on R2. Don't create any routes on R2; it will only know its directly connected networks. From R1 you should be able to ping 23.23.23.3 but not 3.3.3.3.


2-GRE tunnel
R1(config)#interface tunnel 1
R1(config-if)#ip address 13.13.13.1 255.255.255.0
R1(config-if)#tunnel source loopback 0
R1(config-if)#tunnel destination 3.3.3.3


3-EIGRP
R1(config)#router eigrp 13
R1(config-router)#network 1.1.1.0 0.0.0.255
R1(config-router)#network 13.13.13.0 0.0.0.255
R1(config-router)#network 11.11.11.0 0.0.0.255


4-ISAKMP
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption des
R1(config-isakmp)#lifetime 3600
R1(config-isakmp)#group 2
R1(config-isakmp)#hash md5
!
R1(config)#crypto isakmp key 0 key address 23.23.23.3


5-IPsec
R1(config)#crypto ipsec transform-set SET esp-3des ah-sha-hmac
R1(cfg-crypto-trans)#mode tunnel
Tunnel mode is the default, and it is also the only mode that can work here: the GRE packets run between the loopbacks (1.1.1.1 and 3.3.3.3) while the IPsec peers are the physical interfaces, and IOS only uses transport mode when the protected traffic's endpoints are the crypto peers themselves. In tunnel mode the outer IP header is built from the peer addresses, which is what lets R2 route the encrypted packets.


6-ACL
R1(config)#ip access-list extended 103
R1(config-ext-nacl)#10 permit gre host 1.1.1.1 host 3.3.3.3
Only GRE between the two tunnel endpoints needs to be "interesting" traffic: the EIGRP hellos and everything the 11.11.11.0/24 and 33.33.33.0/24 networks send to each other is already inside that GRE flow, so this one line covers it all. R3's ACL is the mirror image (host 3.3.3.3 to host 1.1.1.1).


7-Crypto map
R1(config)#crypto map MAP 10 ipsec-isakmp
R1(config-crypto-map)#set transform-set SET
R1(config-crypto-map)#set peer 23.23.23.3
R1(config-crypto-map)#match address 103


8-Apply the crypto map to the interface
R1(config)#int fa1/0
R1(config-if)#crypto map MAP
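Before testing, a caveat on steps 4 and 5. The algorithms used above (DES and MD5 in the ISAKMP policy, Diffie-Hellman group 2, 3DES in the transform set, and a three-character pre-shared key) are fine for a lab but sit on the "avoid" list in Cisco's own Next Generation Encryption guidance, with the SHA-1 HMAC as "legacy". For anything real you would use aes 256, sha256 and group 14 in the ISAKMP policy, esp-aes 256 esp-sha256-hmac in the transform set, and a long random pre-shared key (or certificates). The Python below is an added example, not part of the original post or any Cisco tool: a small audit script that scans IOS crypto configuration text for those weak settings, run over the lab configuration and over a hardened variant I constructed for comparison (the hardened values, the placeholder key and the 16-character minimum key length are my assumptions).

```python
import re
from typing import Dict, List, Optional

# Classification roughly following Cisco's Next Generation Encryption guidance:
# "avoid" = broken or too short to trust, "legacy" = SHA-1 based, tolerated
# but not for new deployments.
AVOID = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac", "esp-null"}
LEGACY = {"sha", "esp-sha-hmac", "ah-sha-hmac"}
WEAK_DH_GROUPS = {"1", "2", "5"}
MIN_PSK_LEN = 16  # assumed policy threshold for this example, not an IOS limit


def classify(token: str) -> Optional[str]:
    """Severity for one algorithm keyword, or None if it is acceptable."""
    if token in AVOID:
        return "avoid"
    if token in LEGACY:
        return "legacy"
    return None


def audit_crypto_config(config: str) -> List[Dict[str, str]]:
    """Scan IOS crypto configuration text (running-config form) for weak settings.

    Understands `crypto isakmp policy N` blocks, `crypto isakmp key` lines and
    `crypto ipsec transform-set` lines; everything else is ignored.
    """
    findings: List[Dict[str, str]] = []
    context: Optional[str] = None

    def add(where: str, setting: str, severity: str) -> None:
        findings.append({"where": where, "setting": setting, "severity": severity})

    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            context = f"isakmp policy {m.group(1)}"
            continue
        m = re.match(r"crypto ipsec transform-set (\S+)\s+(.+)$", line)
        if m:
            context = f"transform-set {m.group(1)}"
            for token in m.group(2).split():
                sev = classify(token)
                if sev:
                    add(context, token, sev)
            continue
        # `crypto isakmp key [0|6] <secret> address <peer>`: type 6 is stored
        # encrypted, so its printed length says nothing about the real key.
        m = re.match(r"crypto isakmp key (?:([06])\s+)?(\S+) address", line)
        if m:
            context = None
            key_type, secret = m.group(1), m.group(2)
            if key_type != "6" and len(secret) < MIN_PSK_LEN:
                add("isakmp key", f"pre-shared key of {len(secret)} characters", "avoid")
            continue
        if context and context.startswith("isakmp policy"):
            parts = line.split()
            if len(parts) < 2:
                continue
            keyword, value = parts[0], parts[1]
            if keyword in ("encryption", "hash"):
                sev = classify(value)
                if sev:
                    add(context, value, sev)
            elif keyword == "group" and value in WEAK_DH_GROUPS:
                add(context, f"group {value}", "avoid")
    return findings


# Constructed from the lab configuration on this page, in running-config form.
LAB_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption des
 lifetime 3600
 group 2
 hash md5
!
crypto isakmp key 0 key address 23.23.23.3
!
crypto ipsec transform-set SET esp-3des ah-sha-hmac
 mode tunnel
"""

# Hardened variant constructed for comparison (assumed values, not from the
# post); the pre-shared key is a placeholder, use a long random one in practice.
HARDENED_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 lifetime 3600
 group 14
 hash sha256
!
crypto isakmp key 0 ThisIsALongRandomPreSharedKey address 23.23.23.3
!
crypto ipsec transform-set SET esp-aes 256 esp-sha256-hmac
 mode tunnel
"""

if __name__ == "__main__":
    for name, cfg in (("lab", LAB_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_crypto_config(cfg)
        print(f"{name}: {len(results)} finding(s)")
        for f in results:
            print(f"  [{f['severity']}] {f['where']}: {f['setting']}")
```

Run against the lab configuration it reports six findings (DES, group 2, MD5, the short key, 3DES, and the SHA-1 AH transform as legacy); the hardened variant reports none. The script only looks at the three command families the lab uses, so treat it as a starting point rather than a full IOS crypto linter.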


9-Test the configuration!
Once the crypto map is applied on both routers you should see an EIGRP adjacency form over the tunnel. All good so far, but after a few seconds the Tunnel interface starts flapping:
*Feb  2 15:32:29.163: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 13: Neighbor 13.13.13.3 (Tunnel1) is up: new adjacency
*Feb  2 15:32:38.023: %TUN-5-RECURDOWN: Tunnel1 temporarily disabled due to recursive routing
*Feb  2 15:32:39.023: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
*Feb  2 15:32:39.063: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 13: Neighbor 13.13.13.3 (Tunnel1) is down: interface down
*Feb  2 15:33:39.023: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
*Feb  2 15:33:41.699: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 13: Neighbor 13.13.13.3 (Tunnel1) is up: new adjacency
*Feb  2 15:33:48.023: %TUN-5-RECURDOWN: Tunnel1 temporarily disabled due to recursive routing
*Feb  2 15:33:49.023: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
*Feb  2 15:33:49.063: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 13: Neighbor 13.13.13.3 (Tunnel1) is down: interface down

This behaviour is caused by EIGRP: because the tunnel loopbacks (1.1.1.0/24 on R1, 3.3.3.0/24 on R3) are in the routing process, each router advertises its own tunnel endpoint network across the tunnel. R1 learns 3.3.3.0/24 with next hop 13.13.13.3 on Tunnel1, so the tunnel destination is now reachable through the tunnel itself, and whenever the router tries to send a packet to the tunnel termination on the other router this happens:
1-The packet is queued in the output queue of the tunnel interface.
2-The tunnel interface adds a GRE header to the packet and queues the packet to the transport protocol destined to the destination address of the tunnel interface.
3-IP looks up the route to the destination address and learns that it is through the tunnel interface, which returns the packet to Step 1 above; hence, there is a recursive routing loop.
(taken from http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094690.shtml)
In this configuration there are two ways to solve this. One is to take the loopbacks that terminate the tunnel out of the EIGRP process, so 3.3.3.0/24 is never learned over the tunnel and 3.3.3.3 falls back to the default route via R2. The other is to add a more specific static route for the tunnel destination pointing out the interface where the crypto map is applied, so GRE packets to the peer always leave via FastEthernet1/0 and hit the crypto map. We'll add it in:
R1(config)#ip route 3.3.3.3 255.255.255.255 FastEthernet 1/0
R3 needs the mirror image of this route (a /32 for 1.1.1.1 out its own crypto-mapped interface), since it learns 1.1.1.0/24 over the tunnel in exactly the same way. With both in place the recursive routing should stop and you should get a stable tunnel. R1's routing table should look something like this:
Gateway of last resort is 12.12.12.2 to network 0.0.0.0

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
     33.0.0.0/24 is subnetted, 1 subnets
D       33.33.33.0 [90/297372416] via 13.13.13.3, 00:02:43, Tunnel1
     3.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S       3.3.3.3/32 is directly connected, FastEthernet1/0
D       3.3.3.0/24 [90/297372416] via 13.13.13.3, 00:02:43, Tunnel1
     11.0.0.0/24 is subnetted, 1 subnets
C       11.11.11.0 is directly connected, Loopback1
     12.0.0.0/24 is subnetted, 1 subnets
C       12.12.12.0 is directly connected, FastEthernet1/0
     13.0.0.0/24 is subnetted, 1 subnets
C       13.13.13.0 is directly connected, Tunnel1
S*   0.0.0.0/0 [1/0] via 12.12.12.2
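To make the recursion concrete, here is an added example (not from the original post) in Python that reproduces the forwarding lookup: a longest-prefix match over R1's routing table, transcribed from the output above, first without the 3.3.3.3/32 static route, then with it, and then with the alternative fix of leaving the tunnel loopbacks out of EIGRP. It checks whether the tunnel destination would be forwarded into the tunnel interface itself, which is the condition behind the %TUN-5-RECURDOWN messages. The route entries and interface names are transcribed from the table; the next-hop-only default route is resolved recursively, as IOS does for a static route that names only a next hop.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Route:
    prefix: str                 # as printed by `show ip route`, e.g. "3.3.3.0/24"
    interface: Optional[str]    # egress interface, None when only a next hop is known
    next_hop: Optional[str] = None

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.prefix, strict=False)


def longest_match(routes: List[Route], dst: str) -> Optional[Route]:
    """Most specific route covering dst, or None if there is no route at all."""
    addr = ipaddress.ip_address(dst)
    covering = [r for r in routes if addr in r.network]
    return max(covering, key=lambda r: r.network.prefixlen, default=None)


def egress_interface(routes: List[Route], dst: str, max_depth: int = 8) -> Optional[str]:
    """Resolve dst to an egress interface.

    A route that names only a next hop (the S* default here) is resolved by
    looking up the next hop in turn; a next-hop loop or a missing route gives None.
    """
    target, seen = dst, set()  # type: str, Set[str]
    for _ in range(max_depth):
        route = longest_match(routes, target)
        if route is None:
            return None                  # no route: the packet is dropped
        if route.interface is not None:
            return route.interface
        if route.next_hop in seen:
            return None                  # next hop resolves back to itself
        seen.add(route.next_hop)
        target = route.next_hop
    return None


def tunnel_is_recursive(routes: List[Route], tunnel_if: str, tunnel_dst: str) -> bool:
    """True when the tunnel destination would be sent into the tunnel itself."""
    return egress_interface(routes, tunnel_dst) == tunnel_if


# R1's table before the fix, transcribed from the output above minus the
# 3.3.3.3/32 static. D = learned from R3 over EIGRP, so reached via Tunnel1.
R1_BEFORE = [
    Route("1.1.1.0/24", "Loopback0"),
    Route("11.11.11.0/24", "Loopback1"),
    Route("12.12.12.0/24", "FastEthernet1/0"),
    Route("13.13.13.0/24", "Tunnel1"),
    Route("3.3.3.0/24", "Tunnel1", "13.13.13.3"),     # D: R3's tunnel loopback
    Route("33.33.33.0/24", "Tunnel1", "13.13.13.3"),  # D: R3's local network
    Route("0.0.0.0/0", None, "12.12.12.2"),           # S*: next hop only
]

# Fix 1 from the text: a /32 for the tunnel destination out the crypto-mapped interface.
R1_STATIC_FIX = R1_BEFORE + [Route("3.3.3.3/32", "FastEthernet1/0")]

# Fix 2 from the text: loopback0 left out of EIGRP on both routers, so
# 3.3.3.0/24 is never learned over the tunnel.
R1_NO_ADVERTISE = [r for r in R1_BEFORE if r.prefix != "3.3.3.0/24"]

if __name__ == "__main__":
    cases = (("before", R1_BEFORE), ("static /32", R1_STATIC_FIX), ("no advertise", R1_NO_ADVERTISE))
    for label, table in cases:
        print(f"{label:>13}: 3.3.3.3 -> {egress_interface(table, '3.3.3.3')}, "
              f"recursive={tunnel_is_recursive(table, 'Tunnel1', '3.3.3.3')}")
```

Before the fix, 3.3.3.3 matches the EIGRP-learned 3.3.3.0/24 and resolves to Tunnel1, which is the loop. With the /32 static the longer prefix wins and the lookup lands on FastEthernet1/0; with the loopbacks out of EIGRP the only match is the default, whose next hop 12.12.12.2 resolves to FastEthernet1/0 as well. The 33.33.33.0/24 network still resolves to Tunnel1 in both fixed tables, which is what we want.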

And we're done: the 11.11.11.0/24 and 33.33.33.0/24 networks are now reachable through the encrypted tunnel. To confirm the traffic really is being protected rather than just routed, check `show crypto isakmp sa` (the peer should be in state QM_IDLE) and `show crypto ipsec sa` on R1: the encaps and decaps counters should climb as you ping between the two local networks.
