VTI tunnels vs InterVLAN
Hi everyone!
We have 2 Cisco routers - 3925 (office A) and 2921 (office B). There is VTI tunneling (with 3DES encryption), EIGRP dynamic routing (main and reserve optic channels) and one default VLAN #2. It's a working model which is used between the two offices.
Now I have a task to add VLAN #3 in Office B, which is used in Office A and routed to a firewall. VLAN #3 must be routed bypassing the VTI tunnel. As I understand it, I should use the InterVLAN feature on both routers. But it doesn't work. :(
Here are configs:
Office A (3925):
interface GigabitEthernet0/0
 no ip address
interface GigabitEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.100.181 255.255.255.0
interface GigabitEthernet0/0.3
 encapsulation dot1Q 3
 ip address 192.168.150.10 255.255.255.0
interface GigabitEthernet0/1
 no ip address
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address 10.48.101.178 255.255.255.0
interface GigabitEthernet0/1.3
 encapsulation dot1Q 3
 ip address 10.48.103.178 255.255.255.0
router eigrp 100
 network 192.168.100.0 0.0.0.255
 network 192.168.104.0 0.0.0.255
 network 192.168.201.176 0.0.0.255
 network 192.168.202.176 0.0.0.255
ip route 0.0.0.0 0.0.0.0 192.168.100.180
ip route 10.48.103.0 255.255.255.0 GigabitEthernet0/1.3
ip route 192.168.150.0 255.255.255.0 192.168.100.2
Office B (2921):
interface GigabitEthernet0/0
 no ip address
interface GigabitEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.104.1 255.255.255.0
interface GigabitEthernet0/0.3
 description MOWDT Vlan 3
 encapsulation dot1Q 3
 ip address 192.168.150.11 255.255.255.0
interface GigabitEthernet0/1
 no ip address
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address 10.48.101.179 255.255.255.0
interface GigabitEthernet0/1.3
 encapsulation dot1Q 3
 ip address 10.48.103.179 255.255.255.0
router eigrp 100
 network 192.168.100.0 0.0.0.255
 network 192.168.104.0 0.0.0.255
 network 192.168.201.176 0.0.0.255
 network 192.168.202.176 0.0.0.255
ip route 0.0.0.0 0.0.0.0 192.168.100.180
ip route 10.48.103.0 255.255.255.0 GigabitEthernet0/1.3
ip route 192.168.150.0 255.255.255.0 GigabitEthernet0/1.3
Could you please assist with where the problem is?
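As an added check (my code, not part of the thread), the following Python parses the Office B config exactly as posted and reports the three things a practitioner would look at first: subinterfaces whose subnet no EIGRP network statement covers, static routes for a prefix that is already directly connected (the connected route has administrative distance 0 and always wins, so such a static never takes effect), and static next hops that are on no connected subnet and therefore depend on a recursive lookup. The config text is copied from the post above; Office A can be checked the same way by pasting its lines in.

```python
"""Static sanity checks over the Office B config posted above.
Added example, not from the thread; it only reads text, it does not touch a router."""
import ipaddress
import re

# Subinterface, EIGRP and static-route lines copied from the Office B (2921) post.
# In practice feed it the output of "show running-config".
OFFICE_B = """
interface GigabitEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.104.1 255.255.255.0
interface GigabitEthernet0/0.3
 encapsulation dot1Q 3
 ip address 192.168.150.11 255.255.255.0
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address 10.48.101.179 255.255.255.0
interface GigabitEthernet0/1.3
 encapsulation dot1Q 3
 ip address 10.48.103.179 255.255.255.0
router eigrp 100
 network 192.168.100.0 0.0.0.255
 network 192.168.104.0 0.0.0.255
 network 192.168.201.176 0.0.0.255
 network 192.168.202.176 0.0.0.255
ip route 0.0.0.0 0.0.0.0 192.168.100.180
ip route 10.48.103.0 255.255.255.0 GigabitEthernet0/1.3
ip route 192.168.150.0 255.255.255.0 GigabitEthernet0/1.3
"""

def parse_ios(text):
    """Pull out interface addresses, EIGRP network statements and static routes."""
    cfg = {"interfaces": {}, "eigrp": [], "statics": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):          # a top-level command ends any sub-mode
            section = None
        if m := re.match(r"interface (\S+)$", line):
            section = ("if", m.group(1))
        elif re.match(r"router eigrp \d+$", line):
            section = ("eigrp",)
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
            prefix = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            cfg["statics"].append((prefix, m.group(3)))
        elif section and section[0] == "if" and (m := re.match(r"ip address (\S+) (\S+)", line)):
            cfg["interfaces"][section[1]] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif section and section[0] == "eigrp" and (m := re.match(r"network (\S+)(?: (\S+))?$", line)):
            cfg["eigrp"].append((ipaddress.ip_address(m.group(1)), m.group(2)))
    return cfg

def eigrp_covers(address, net, wildcard):
    """EIGRP 'network A W' matches an interface whose address equals A in every bit W leaves 0."""
    if wildcard is None:                      # no wildcard given: classful network
        first = int(net) >> 24
        wild = 0x00FFFFFF if first < 128 else 0x0000FFFF if first < 192 else 0x000000FF
    else:
        wild = int(ipaddress.ip_address(wildcard))
    mask = 0xFFFFFFFF & ~wild
    return int(address) & mask == int(net) & mask

def unadvertised_interfaces(cfg):
    """Interfaces whose address no EIGRP network statement covers (not in EIGRP at all)."""
    return sorted(name for name, addr in cfg["interfaces"].items()
                  if not any(eigrp_covers(addr.ip, n, w) for n, w in cfg["eigrp"]))

def statics_on_connected_prefixes(cfg):
    """Static routes for a prefix that is directly connected somewhere: the connected
    route (AD 0) wins, so the static never takes effect. Returns (prefix, via, owner)."""
    return [(str(p), via, name) for p, via in cfg["statics"]
            for name, addr in cfg["interfaces"].items() if p == addr.network]

def statics_needing_recursion(cfg):
    """Static next hops that sit on no connected subnet and so depend on another route."""
    out = []
    for p, via in cfg["statics"]:
        try:
            nh = ipaddress.ip_address(via)
        except ValueError:                   # exit-interface form, nothing to resolve
            continue
        if not any(nh in a.network for a in cfg["interfaces"].values()):
            out.append((str(p), via))
    return out

if __name__ == "__main__":
    cfg = parse_ios(OFFICE_B)
    print("not in EIGRP          :", unadvertised_interfaces(cfg))
    print("static on connected   :", statics_on_connected_prefixes(cfg))
    print("static needs recursion:", statics_needing_recursion(cfg))
```

On the posted Office B lines this reports that only Gi0/0.2 is advertised by EIGRP, that the static for 192.168.150.0/24 points out Gi0/1.3 while that prefix is connected on Gi0/0.3, and that the default route's next hop 192.168.100.180 is not on any of the router's own subnets. Whether any of these is the cause of the problem is for the thread to decide; the script only makes the facts visible.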
These two lines do the same thing: in one the value is defined explicitly and in the other it is set for auto-discovery. However, when it comes to a tunnel interface, all you need is to set the MTU size to 1400.
one: ip tcp adjust-mss 1300
two: tunnel path-mtu-discovery
Now an additional command, which you need to disable split horizon on EIGRP ("x" is your process ID); you need this for spoke-to-spoke communication to pass via the hub:
no ip split-horizon eigrp x
"If I disable these features won't I have problems with fragmentation?"
That is taken care of by setting the MTU size to 1400.
Now set "ip tcp adjust-mss 1380" on your physical interfaces facing toward your internal switch.
Have you tried it?
thanks
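The MTU and MSS numbers in the reply above come from the ESP tunnel-mode packet budget, and it helps to see where they come from rather than copy them. The following is an added calculation (my code, not from the thread) that derives, from the ESP packet layout in RFC 4303, the largest inner packet that still fits a 1500-byte outer MTU and the matching "ip tcp adjust-mss" value, for 3DES-CBC and AES-CBC with HMAC-SHA1-96, with and without NAT-T. It assumes CBC ciphers and a 12-byte ICV; nothing here is a Cisco default.

```python
"""ESP tunnel-mode size budget for an IPsec VTI.
Added example, not from the thread; values follow the ESP packet format in RFC 4303."""

IP_HDR = 20        # outer IPv4 header added in tunnel mode
UDP_HDR = 8        # only when NAT-T wraps ESP in UDP/4500
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
TCP_IP_HDRS = 40   # inner IPv4 + TCP headers without options; MSS is the payload after these

CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}   # (IV length, cipher block size)
ICV = {"sha1": 12, "md5": 12, "sha256": 16}           # truncated HMAC lengths

def esp_packet_len(inner_len, cipher="3des-cbc", integ="sha1", nat_t=False):
    """Outer packet length produced for an inner IP packet of inner_len bytes."""
    iv, block = CIPHERS[cipher]
    body = inner_len + ESP_TRAILER
    pad = (-body) % block                 # CBC pads payload + trailer up to the block size
    return IP_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv + body + pad + ICV[integ]

def max_inner_len(outer_mtu=1500, cipher="3des-cbc", integ="sha1", nat_t=False):
    """Largest inner packet whose encrypted form still fits outer_mtu without fragmentation."""
    n = outer_mtu
    while esp_packet_len(n, cipher, integ, nat_t) > outer_mtu:
        n -= 1
    return n

def tcp_mss_for(outer_mtu=1500, **kw):
    """'ip tcp adjust-mss' value that keeps every TCP segment inside that inner size."""
    return max_inner_len(outer_mtu, **kw) - TCP_IP_HDRS

def mss_for_tunnel_ip_mtu(tunnel_ip_mtu):
    """When the tunnel's 'ip mtu' is set by hand, the MSS is simply that minus 40."""
    return tunnel_ip_mtu - TCP_IP_HDRS

if __name__ == "__main__":
    for cipher in CIPHERS:
        for nat_t in (False, True):
            print(f"{cipher:8s} nat-t={str(nat_t):5s} max inner {max_inner_len(1500, cipher, nat_t=nat_t)}"
                  f"  adjust-mss {tcp_mss_for(1500, cipher=cipher, nat_t=nat_t)}")
    print("ip mtu 1400 on the tunnel ->", mss_for_tunnel_ip_mtu(1400))
```

For 3DES/SHA1 over a 1500-byte path the exact limits are 1446 inner bytes and an MSS of 1406; for AES-CBC/SHA1 they are 1438 and 1398, which is the adjust-mss value the tunnels in the OSPF thread further down this page use. The 1400/1360 pair suggested above is a round number with headroom below all of these, which is why it works regardless of cipher or NAT-T.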
Similar Messages
-
Is it possible to create a VTI tunnel from my 877 router to my ASA
Hi all
I would like to know, is it possible to create a VTI tunnel from my 877 router to my ASA, rather than creating a crypto map on the router?
cheers
Carl
Yes you can.
Forgot to add that it is possible when configuring EzVPN, where the 877 is a remote client and the ASA the server.
Sent from Cisco Technical Support iPhone App -
Hi all,
I have configured VTI tunnel interfaces (tunnel mode ipsec ipv4) and OSPF on that interfaces.
VTI is encrypting all data traffic. But what about OSPF traffic?
Is OSPF traffic encrypted also or I need to configure OSPF authentication?
Thanks
OSPF exchange is already encrypted inside of the tunnel, so you don't have to use OSPF authentication. OSPF uses the tunnel IP addresses for communication, and traffic flow between those two addresses is possible only through the secure tunnel.
-
Hi all,
We have VTI tunnels between Cisco (3825 and 878) and Juniper (SRX3600).
Sometimes the tunnel goes down and I have to manually shut down and no shut down the tunnel interface to bring it up.
This is logs from Cisco:
%%crypto-4-recvd_pkt_inv_spi: decaps: rec'd ipsec packet has invalid spi for destaddr=X.Y.100.200, prot=50, spi=0xc5d07a33(3318774323), srcaddr=X.Y.100.100
%%crypto-4-ikmp_no_sa: ike message from X.Y.100.100 has no sa and is not an initialization offer
X.Y.100.100 is Juniper SRX3600
X.Y.100.200 is Cisco 3825
But I see these logs more often than the tunnel goes down!
So what is the problem?
Thanks
Hello,
this should help #crypto isakmp invalid-spi-recovery
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080bf6100.shtml
Best Regards
Please rate all helpful posts and close solved questions -
Hi All,
I need to connect some routers to an ASA using IPsec tunnels. The goal is to get NetFlow traffic from the routers to a collector behind an ASA using IPsec tunnels.
Recently I found out that (locally originated) NetFlow isn't properly encrypted when sent through an IPsec tunnel (http://www.plixer.com/blog/network-traffic-analysis/sending-netflow-over-ipsec-tunnels/). The workaround seems to be using Flexible NetFlow (which my collector doesn't support) or using a real tunnel interface on the router.
This implies I need to use:
- IPSec/GRE
- EzVPN with DVTI
- SVTI...?
Since GRE is not supported on the ASA and I want the tunnel to be always active, implementing static VTI tunnels might be a good idea. So I would like to use something like this on the router.
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source x.x.x.x
 tunnel destination y.y.y.y
 tunnel mode ipsec ipv4
My question is, does anybody know if you can build an IPsec tunnel between an ASA and a router using an SVTI interface on the router? A code sample for the ASA and the router would be more than welcome.
Regards
Hi Hielke,
If you want to match the SAs proposed by the router when using SVTI, which are any-to-any, you will do this on the ASA using a crypto map access-list as follows:
access-list crypto VPN permit ip any any
Then all traffic leaving the interface where the crypto map is applied will be subject to encryption, which is not practical in most cases. You may use a different interface (on the ASA) for this tunnel with the SVTI, as it will use any/any and that traffic is different from the one leaving the outside interface.
So, as Marcin said, this will not scale for you.
HTH
Mohammad. -
VTI Tunnel Bandwidth Statements
What is the proper way to set bandwidth statements on VTI/GRE tunnels over an MPLS network when different locations have different bandwidth capacities?
For example:
Location 1 - DS3 - 44mbps
Location 2 - DS1 - 1.5mbps
Would I put 'bandwidth 1500' on both ends of the tunnel, or would I put 'bandwidth 44000' on the DS3 side and 'bandwidth 1500' on the DS1?
Hi Peter,
To my knowledge, the bandwidth statement will not restrict the volume of traffic. Instead it is just a parameter used for control plane calculations. If you really want to restrict the volume of traffic flowing over these interfaces, you may have to think of shaping it.
HTH,
Nagendra -
Virtual Tunnel Interface (VTI) Hub Router Configuration
When configuring multiple VTI tunnels on a hub router, is it recommended that each tunnel use a unique transform set and IPsec profile, or can they all share the same configuration?
Example:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ******** address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
crypto ipsec profile VTI
 set transform-set TSET
Thanks.
Hi,
The IPsec profile can be shared.
You could also create multiple transform sets, reference each from its own IPsec profile and then apply that profile to a specific VTI.
Sent from Cisco Technical Support iPhone App -
OSPF with ipsec VTI interface goes down before dead timer.
I have a strange issue: OSPF will initially start working, hellos are exchanged both ways, but then after about 3 to 6 hellos one of the sides stops getting them and the IPsec VTI tunnel drops on router A even before the dead timer reaches 0. Is this default behavior? When OSPF runs over a VTI interface and it doesn't receive hellos, does it drop the tunnel?
I'm at a loss as to what is going on, since it looks like only one neighbor, router A, stops receiving hellos for a brief period of time. This VTI tunnel is going over another provider's FW and they have assured me the tunnel destination/source IPs are wide open; they also sent me the ACL and I can verify this. The weird thing is that if I enable EIGRP it works great with no issues. On router B I am using the same source/ip unnumbered interface on multiple VTI tunnels to other destinations, but I don't think this should cause any issues. I have never had an issue like this, and from what I can tell router A just stops briefly getting hellos after 3 to 6 initial hellos and drops the protocol on the VTI interface. If I set the dead timer on router A long enough, it will stop receiving hellos but stay up, and then after a while you get "LOADING to FULL" as the hellos start coming in again. Again, the tunnel goes over a Cisco 800 which I have no control over, and a potential FW before that, but I saw the ACL and the IP is being allowed. I was thinking this could be a trolling issue on the FW, but it doesn't explain why EIGRP works. FYI, I was having a recursive routing issue before, but I have since fixed that and the issue still continues.
******** It turns out that I was using the same source IP on multiple tunnels. IPsec would get confused with packets coming in and would deliver packets to the wrong tunnel interface. This was solved by using the key command with a different key number on each set of tunnels, together with the shared profile command:
"If more than one mGRE tunnel is configured on a router that use the same tunnel source address, the shared keyword must be added to the tunnel protection command on all such tunnel interfaces. Each mGRE tunnel interface still requires a unique tunnel key, NHRP network-ID, and IP subnet address. This is common on a branch router when a dual DMVPN cloud topology is deployed. "
Router A:
router ospf 1
 router-id 10.213.22.2
 passive-interface default
 network x.x.97.26 0.0.0.0 area 0
interface Tunnel1
 ip unnumbered GigabitEthernet0/1
 ip virtual-reassembly in
 ip tcp adjust-mss 1398
 ip ospf network point-to-point
 load-interval 30
 tunnel source GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel destination x.x.173.109
 tunnel path-mtu-discovery
 tunnel protection ipsec profile VTI-to-NB
Router B:
router ospf 1
 router-id 172.17.2.6
 priority 1
 redistribute static subnets route-map Lan-static-RM
 passive-interface default
 no passive-interface Tunnel1
 no passive-interface Tunnel4
 no passive-interface Tunnel5
 network x.x.173.109 0.0.0.0 area 0
 network 172.17.2.6 0.0.0.0 area 0
 network 192.168.1.47 0.0.0.0 area 0
interface Tunnel4
 ip unnumbered GigabitEthernet0/2
 ip virtual-reassembly in
 ip tcp adjust-mss 1398
 ip ospf network point-to-point
 load-interval 30
 tunnel source GigabitEthernet0/2
 tunnel mode ipsec ipv4
 tunnel destination x.x.97.26
 tunnel path-mtu-discovery
 tunnel protection ipsec profile VTI_NB_to_dorrance_prv
end
thanks P
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
I haven't studied your config, but I can tell you I have a production environment using OSPF across VTI (and GRE, and GRE/IPsec, and DMVPN) tunnels without issue, i.e. OSPF can be okay with VTI tunnels. -
SRX Using DHCP on UNTRUST (BRANCH)-- Connected to Static VTI Cisco Router (HQ)
Good morning gentlemen, I need some advice. I am primarily a Cisco IOS chap, but have recently been delving into some JunOS action.
I cannot find an example on the Juniper Forums/Documentation or the Cisco Forums/Documentation to my specific Issue.
Firstly, I am not interested in policy-based VPNs. I do not know if it is possible to use a DHCP-assigned public address on a remote device with a "static VTI" when using IKE identities. However, as phase one is up, I think the issue is more to do with phase 2 proposals when not explicitly defining a tunnel destination.
In the scenario I am trying to sort now, I have an SRX-100 device, that gets its public address from a DHCP server.
I have back at the HQ, a cisco router.
The Cisco router has various VTI tunnels out to other branch devices, which are smaller Cisco routers. These VTI tunnels are working fine; note they are all using static public IPs.
I have my phase 1 up fine (from both sides' perspective) and am sending a local-identity hostname instead of defining a destination address on the tunnel on the Cisco side.
JUNIPER
Index State Initiator cookie Responder cookie Mode Remote Address
5048723 UP 41ee08a4a0fde661 517176fea0f23989 Aggressive 4.4.4.4
CISCO
IPv4 Crypto ISAKMP SA
dst src state conn-id status
4.4.4.4 1.1.1.1 QM_IDLE 1110 ACTIVE NICK-SRX-ISAKMP-PROFILE
A working VTI tunnel has an SA of (Cisco perspective):
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
I have tried sending this as the proxy-id on the Juniper to no avail.
The error is still :
*Jun 6 10:20:07.244: ISAKMP:(1110):atts are acceptable.
IPSec policy invalidated proposal with error 64
*Jun 6 10:20:07.244: ISAKMP:(1110): phase 2 SA policy not acceptable!
The IPSEC transform-Set attributes are accepted though,
transform 0, ESP_3DES
*Jun 6 10:20:07.244: ISAKMP: attributes in transform:
*Jun 6 10:20:07.244: ISAKMP: authenticator is HMAC-SHA
*Jun 6 10:20:07.244: ISAKMP: SA life type in seconds
*Jun 6 10:20:07.244: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
*Jun 6 10:20:07.244: ISAKMP: SA life type in kilobytes
*Jun 6 10:20:07.244: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jun 6 10:20:07.244: ISAKMP: encaps is 1 (Tunnel)
*Jun 6 10:20:07.244: ISAKMP:(1110):atts are acceptable.
So it is something to do with the SA/proxy IDs being sent.
here is the Juniper Config:
[edit security ike]
proposal IKE-SHA-AES128-DH2 {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 86400;
}
policy IKE-POLICY-HQ {
    mode aggressive;
    proposals IKE-SHA-AES128-DH2;
    pre-shared-key ascii-text "secretkey";
}
gateway IKE-GATEWAY {
    ike-policy IKE-POLICY-HQ;
    address 4.4.4.4;
    local-identity hostname knuckles.net;
    external-interface fe-0/0/0.0;
}
[edit security ipsec]
proposal HQ-IPSEC-PROPOSAL {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
    lifetime-kilobytes 4608000;
}
policy HQ-IPSEC-POLICY {
    proposals HQ-IPSEC-PROPOSAL;
}
vpn ROUTE-BASED-VPN-TO-HQ {
    bind-interface st0.0;
    ike {
        gateway IKE-GATEWAY;
        ipsec-policy HQ-IPSEC-POLICY;
    }
    establish-tunnels immediately;
}
[edit interfaces]
st0 {
    unit 0 {
        family inet {
            address 10.1.1.2/30;
        }
    }
}
CISCO SIDE:
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
crypto keyring NICK-SRX
 pre-shared-key hostname knuckles.net key secretkey
crypto isakmp profile NICK-SRX-ISAKMP-PROFILE
 keyring default
 keyring NICK-SRX
 match identity host knuckles.net
 initiate mode aggressive
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec profile NICK-SRX-IPSEC-PROFILE
 set transform-set ESP-3DES-SHA
 set isakmp-profile NICK-SRX-ISAKMP-PROFILE
interface Tunnel1
 description HQ to NC-SRX
 ip address 10.1.1.1 255.255.255.252
 tunnel source 4.4.4.4
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile NICK-SRX-IPSEC-PROFILE
FYI, if I use the provider-given DHCP address on the Cisco tunnel config as a destination, the tunnel comes up immediately... So I'm thinking this may be a limitation of static VTI. I have not tested the IKE identity on a remote Cisco router also using VTI yet.
e.g.
interface Tunnel1
 description HQ to NC-SRX
 ip address 10.1.1.1 255.255.255.252
 tunnel source 4.4.4.4
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile NICK-SRX-IPSEC-PROFILE
So I guess my question is: is this possible using a static VTI?
What does this command do? Does it turn on dynamic VTI (all that virtual-template business), or just tell the tunnel to expect an IKE identity?
tunnel destination dynamic
Does dynamic VTI work with different vendors, and if so, how can you control what VRF is assigned to the tunnels? In the future I will need multiple VRFs for each branch device, some using DHCP public addresses.
The VTI design guide does not mention IKE identity for branch sites without using dynamic VTI.
I would like to avoid using the whole EasyVPN / dynamic VTI business, as I need to use multiple VRFs on the endpoints.
Perhaps this fellow has cracked it - is this the only way???
https://supportforums.cisco.com/document/58076/dynamic-ip-dynamic-ip-ipsec-vpn-tunnel -
Mixed Config: VTI and classic ipsec
Is there an issue with running these together on the same router?
I'm just trying to get a migration plan together to move to VTI.
Cisco IPsec VTIs are a new tool that customers can use to configure IPsec-based VPNs between site-to-site devices. IPsec VTI tunnels provide a designated pathway across a shared WAN and encapsulate traffic with new packet headers, which helps to ensure delivery to specific destinations. The network is private because traffic can enter a tunnel only at an endpoint. In addition, IPsec provides true confidentiality (as does encryption) and can carry encrypted traffic.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_white_paper0900aecd8029d629.shtml -
I have 5 routers (soon to be 6) with tunnels (all VTI) between them.
I also have a basic OSPF setup running here (previously it was RIP), and all networks can talk to each other; however, there is one routing issue where it takes a longer path to the remote network.
The Configs:
R1:
interface Tunnel0
 description tunnel to detroit office
 ip address 172.28.40.1 255.255.255.0
 ip ospf network broadcast
 ip ospf mtu-ignore
 tunnel source xx
 tunnel destination xxx
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
interface Tunnel1
 description tunnel to San Diego Office
 ip address 172.28.42.1 255.255.255.0
 ip ospf network broadcast
 ip ospf mtu-ignore
 tunnel source xxx
 tunnel destination xxx
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
interface Tunnel2
 description tunnel to Detroit DC
 ip address 172.28.43.1 255.255.255.0
 ip ospf network broadcast
 ip ospf mtu-ignore
 tunnel source xxx
 tunnel destination xx
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
interface Tunnel3
 description tunnel to detroit office - standby
 ip address 172.28.51.1 255.255.255.0
 ip ospf network broadcast
 ip ospf mtu-ignore
 tunnel source GigabitEthernet0/0
 tunnel destination xxx
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
router ospf 42
 log-adjacency-changes
 network 10.87.1.0 0.0.0.255 area 0
 network 172.28.40.0 0.0.0.255 area 0
 network 172.28.42.0 0.0.0.255 area 0
 network 172.28.43.0 0.0.0.255 area 0
 network 172.28.51.0 0.0.0.255 area 0
cerberus#sh ip route ospf
172.28.0.0/24 is subnetted, 7 subnets
O 172.28.49.0 [110/2000] via 172.28.42.2, 05:47:06, Tunnel1
O 172.28.50.0 [110/2000] via 172.28.42.2, 05:47:06, Tunnel1
O 172.28.41.0 [110/2000] via 172.28.42.2, 05:47:06, Tunnel1
[110/2000] via 172.28.40.2, 05:47:06, Tunnel0
10.0.0.0/24 is subnetted, 2 subnets
O 10.87.2.0 [110/2001] via 172.28.42.2, 05:47:06, Tunnel1
O 192.168.1.0/24 [110/1001] via 172.28.42.2, 05:47:06, Tunnel1
O 192.168.2.0/24 [110/1001] via 172.28.40.2, 05:47:06, Tunnel0
cerberus#
As you can see, for 10.87.2.x it is going through the 192 network, when it has a direct tunnel through Tunnel2.
R2:
interface Tunnel0
 description tunnel to AIS San Diego
 ip address 172.28.42.2 255.255.255.0
 ip ospf network broadcast
 ip ospf mtu-ignore
 tunnel source GigabitEthernet0
 tunnel mode ipsec ipv4
 tunnel destination xxx
 tunnel protection ipsec profile VTI
interface Tunnel1
 description tunnel to detroit office
 ip address 172.28.41.1 255.255.255.0
 ip ospf network broadcast
 ip ospf mtu-ignore
 tunnel source GigabitEthernet0
 tunnel mode ipsec ipv4
 tunnel destination xxx
 tunnel protection ipsec profile VTI
interface Tunnel2
 description tunnel to Detroit Data Center
 ip address 172.28.49.1 255.255.255.0
 ip ospf network broadcast
 ip ospf mtu-ignore
 tunnel source GigabitEthernet0
 tunnel mode ipsec ipv4
 tunnel destination xxx
 tunnel protection ipsec profile VTI
interface Tunnel3
 description tunnel to Detroit t1 router
 ip address 172.28.50.1 255.255.255.0
 ip ospf network broadcast
 ip ospf mtu-ignore
 tunnel source GigabitEthernet0
 tunnel mode ipsec ipv4
 tunnel destination xxx
 tunnel protection ipsec profile VTI
router ospf 42
 log-adjacency-changes
 network 172.28.41.0 0.0.0.255 area 0
 network 172.28.42.0 0.0.0.255 area 0
 network 172.28.49.0 0.0.0.255 area 0
 network 172.28.50.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
#sh ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 24.43.240.137 to network 0.0.0.0
10.0.0.0/24 is subnetted, 2 subnets
O 10.87.1.0 [110/1001] via 172.28.42.1, 03:55:51, Tunnel0
O 10.87.2.0 [110/1001] via 172.28.49.2, 03:55:51, Tunnel2
172.28.0.0/16 is variably subnetted, 11 subnets, 2 masks
O 172.28.40.0/24 [110/2000] via 172.28.42.1, 03:55:51, Tunnel0
[110/2000] via 172.28.41.2, 03:55:51, Tunnel1
O 172.28.43.0/24 [110/2000] via 172.28.49.2, 03:55:51, Tunnel2
[110/2000] via 172.28.42.1, 03:55:51, Tunnel0
O 172.28.51.0/24 [110/2000] via 172.28.50.2, 03:55:51, Tunnel3
[110/2000] via 172.28.42.1, 03:55:51, Tunnel0
O 192.168.2.0/24 [110/1001] via 172.28.50.2, 03:55:51, Tunnel3
[110/1001] via 172.28.41.2, 03:55:51, Tunnel1
R2 is the router that R1 ends up using when connecting to 10.87.2.x.
Any advice on, one, how to fix this, and two, the general setup would be wonderful. I am new to OSPF and feel like I could have done a better job here (maybe using an area per site).
R2 is the router R1 is using to get to the destination that Tunnel 1 on R1 is connected to.
Tunnel 1 on R3 is a VTI tunnel to Tunnel 3 on R1.
R1 is currently using tunnel 1 on R1 to hop to R2 and then uses tunnel 2 to get to R3
If that makes sense..
Here is the config for R3
interface Tunnel1
 description tunnel to AIS San Diego
 ip address 172.28.43.2 255.255.255.0
 ip ospf mtu-ignore
 tunnel source xxx
 tunnel destination xxx
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
interface Tunnel2
 description tunnel to San Diego Main Office
 ip address 172.28.49.2 255.255.255.0
 ip ospf network broadcast
 ip ospf mtu-ignore
 tunnel source xxx
 tunnel destination xxx
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
router ospf 42
 log-adjacency-changes
 network 10.87.2.0 0.0.0.255 area 0
 network 172.28.43.0 0.0.0.255 area 0
 network 172.28.49.0 0.0.0.255 area 0
sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 199.16.189.209 to network 0.0.0.0
172.28.0.0/24 is subnetted, 7 subnets
C 172.28.49.0 is directly connected, Tunnel2
O 172.28.50.0 [110/2000] via 172.28.49.1, 02:32:05, Tunnel2
O 172.28.51.0 [110/3000] via 172.28.49.1, 02:32:05, Tunnel2
O 172.28.40.0 [110/3000] via 172.28.49.1, 02:32:05, Tunnel2
O 172.28.41.0 [110/2000] via 172.28.49.1, 02:32:05, Tunnel2
O 172.28.42.0 [110/2000] via 172.28.49.1, 02:32:05, Tunnel2
C 172.28.43.0 is directly connected, Tunnel1
10.0.0.0/24 is subnetted, 2 subnets
O 10.87.1.0 [110/2001] via 172.28.49.1, 02:32:05, Tunnel2
C 10.87.2.0 is directly connected, GigabitEthernet0/1
199.16.189.0/28 is subnetted, 1 subnets
C 199.16.189.208 is directly connected, GigabitEthernet0/0
O 192.168.1.0/24 [110/1001] via 172.28.49.1, 02:32:05, Tunnel2
O 192.168.2.0/24 [110/2001] via 172.28.49.1, 02:32:05, Tunnel2 -
IPSec VPN with VTI behind DSL router
Hi All,
Is it possible to use a VTI tunnel interface on a router when the outside interface has a private IP address and is connected to a DSL modem with a static public IP address; in other words, the router sits behind the DSL modem?
Router gi0/1 --> DSL Modem --> Internet --> to HQ (Firewall with static IP)
Outside 192.168.1.2 WAN static public IP
LAN 192.168.1.1
Interface config:
interface GigabitEthernet0/1
 ip vrf forwarding Internet-VRF
 ip address 192.168.1.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
end
Tunnel config:
crypto isakmp policy 282
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
 hash sha
crypto isakmp key 0 PSK address xxx.xxx.xxx.xxx
crypto ipsec transform-set aes256-sha esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile VPN
 set transform-set aes256-sha
 set pfs group2
interface Tunnel1
 ip vrf forwarding Internet-VRF
 ip address 172.27.82.254 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 tunnel source Gi0/1
 tunnel mode ipsec ipv4
 tunnel destination xxx.xxx.xxx.xxx
 tunnel protection ipsec profile VPN
I have been digging into the Cisco documentation but have found no answer.
Thanks in advance.
Both the remote and the hub router will detect the existence of a NAT device in between, which causes both routers to switch over from UDP port 500 to UDP port 4500 to exchange IKE messages. From your log I suspect there is no switch-over taking place (both are using UDP 500), so I suggest you validate whether both routers support the NAT-T feature by checking if they are listening on UDP port 4500.
-
I have a pair of 3945E routers I use as redundant VPN head-ends in our data center, and numerous 2901s and one 2951 used as spoke routers. Each of the spokes is connected to the 3945s over VTI tunnels three and four. We regularly see replay errors occur, but this morning it got disruptive enough on one of the tunnels on the 2951 that we experienced 80 to 90 percent packet loss across that one tunnel. This caused an outage which I was only able to rectify by shutting down the tunnel interface on each router and bringing them back up, thus resetting the SA.
I'm needing to understand how to reduce or completely eliminate the replay errors. I've read something about increasing the replay window size, but don't have a clue where to start. What is the best way to fix this without disabling replay checking? Or, since the VPN head-ends and spoke routers only have static routes established across the Internet to each other, is replay checking even necessary or desired?
Thanks in advance!
Paul Wishart
Adam,
I don't have a resolution yet, so I opened a TAC case last Saturday. I'll keep you posted on this forum. -
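Two of the threads above describe the same first step of ESP inbound processing from different angles: the SRX/Cisco thread logs packets whose SPI matches no security association (the %CRYPTO-4-RECVD_PKT_INV_SPI message), and this thread asks what the anti-replay window does and why a larger one might help. The following is an added example (my code, not from either thread) that does both steps the way RFC 4303 describes them: look up the SA by SPI, then run the sliding anti-replay window over the sequence number. The packets, SPIs and arrival order are constructed; the arrival order includes one packet delayed by more than 64 places and one duplicate, so the difference between a 64- and a 128-packet window is visible.

```python
"""ESP inbound processing: SPI lookup plus the RFC 4303 anti-replay window.
Added example, not from the threads; packets, SPIs and arrival order are constructed."""
import struct
from collections import Counter

class InboundSA:
    """Anti-replay state for one inbound SA: highest seq seen and a bitmap of the window."""
    def __init__(self, spi, window=64):
        self.spi, self.window = spi, window
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set <=> sequence number (top - i) was received

    def check(self, seq):
        if seq == 0:
            return "invalid"                      # seq 0 is never sent on an anti-replay SA
        if seq > self.top:                        # newer than anything seen: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.top = seq
            return "ok"
        diff = self.top - seq
        if diff >= self.window:
            return "stale"                        # fell off the left edge of the window
        if (self.bitmap >> diff) & 1:
            return "replay"                       # already received once
        self.bitmap |= 1 << diff
        return "ok"

def esp(spi, seq, payload=b"\x00" * 16):
    """Constructed ESP packet: SPI, sequence number, then the (would-be encrypted) payload."""
    return struct.pack("!II", spi, seq) + payload

def receive(sadb, pkt):
    """What a VTI endpoint does first: find the SA by SPI, then run anti-replay."""
    spi, seq = struct.unpack("!II", pkt[:8])
    sa = sadb.get(spi)
    if sa is None:
        return "invalid-spi"     # the %CRYPTO-4-RECVD_PKT_INV_SPI case from the earlier thread
    return sa.check(seq)

KNOWN_SPI, UNKNOWN_SPI = 0x10000001, 0x20000002   # constructed values

# Constructed arrival order: 1..100 with packet 10 delayed until after 100, then 50 again.
ORDER = [s for s in range(1, 101) if s != 10] + [10, 50]

def run(order, window):
    """Feed the arrival order through one SA, then one packet for an SA we never negotiated."""
    sadb = {KNOWN_SPI: InboundSA(KNOWN_SPI, window)}
    results = Counter(receive(sadb, esp(KNOWN_SPI, s)) for s in order)
    results[receive(sadb, esp(UNKNOWN_SPI, 1))] += 1
    return results

if __name__ == "__main__":
    for w in (64, 128):
        print(f"window {w:4d}: {dict(run(ORDER, w))}")
```

With a 64-packet window the delayed packet 10 arrives 90 positions behind the newest one and is dropped as stale, which is what a replay counter on a tunnel that reorders packets (load-balanced paths, QoS queues, a busy crypto engine) looks like; with a 128-packet window it is accepted, while the genuine duplicate of 50 is still rejected either way. Widening the window therefore trades a little memory for tolerance of reordering without weakening replay protection; the invalid-SPI case is independent of the window and simply means the sender is using an SA this side no longer has.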
Which encryption method is the best way to secure the data transfer?
Hi ,
I want to configure encryption between two Cisco WAN routers (3845 & 3825).
We use a 50 Mb leased line connection and transfer the data over it. I also configured QoS to limit the data transfer rate to 20 Mb on the same pipe and it's working fine. We also use the same pipe for trading purposes. That's why I limit data (copy) transfer between the two hosts to 20 Mb.
Which encryption method should I use to secure the data transfer?
Please kindly advise.
Thanks,
I would recommend AES256.
I would also recommend a VTI tunnel vs. GRE/IPSec. However, both, depending on your IOS, should support AES256.
Encryption will demand more from your routers. I think the 3845 should be able to support 20 Mbps encrypted, not as sure about the 3825. (BTW, if you have 50 Mbps LL, why are you limited transfer rate to 20 Mbps?)
Also BTW, there's much involved in setting up encrypted tunnels for optimal performance. Also see: http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html -
Could someone please point me towards a document which fully explains the pros and cons of VTI against GRE?
There was an Ask the Expert conversation about VTI.
Check this answer from Sunil Cherukuri, Cisco VPN expert:
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.1ddaee26/3#selected_message
M.
Hope that helps; rate if it does.