877 ipsec VTI transitive

Discussion in 'Cisco' started by Daniel-G, Mar 22, 2009.

  1. Daniel-G

    Daniel-G Guest

    Hello all,

    I just set up a tunnel between 2 877 routers using IPSEC VTI and it's
    working fine
    http://www.cisco.com/en/US/docs/ios...ts_Configuration_Guide_Chapter.html#wp1027265

    I have this configuration:

    CORP-PIX <--ipsec--> RTR-A <---ipsec VTI---> RTR-B
    Corporate            Site A                  Site B
    10.1.0.0/16          10.2.0.0/22             10.2.4.0/22

    On RTR-A I use a classical crypto map to connect to the corporate lans

    I have the following configurations to manage routing
    RTR-A ACL for tunnel to corporate PIX
    permit 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
    (and the ACL matches on the pix too)

    ======================
    Config RTR-A tunnel to RTR-B

    crypto ipsec profile VtunnelIP
    set transform-set ESP-3DES-SHA
    !
    interface Tunnel0
    ip address 172.31.35.1 255.255.255.248
    ip policy route-map ROUTING-POLICY
    tunnel source <public IP of RTR-A>
    tunnel destination <public IP of RTR-B>
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile VtunnelIP
    !
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip route 10.2.4.0 255.255.252.0 172.31.35.2
    ======================
    Config RTR-B tunnel to RTR-A

    crypto ipsec profile VtunnelIP
    set transform-set ESP-3DES-SHA
    !
    interface Tunnel0
    ip address 172.31.35.2 255.255.255.248
    tunnel source 80.172.25.116
    tunnel destination 80.172.48.127
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile VtunnelIP
    !
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip route 10.1.0.0 255.255.0.0 172.31.35.1
    ip route 10.2.0.0 255.255.252.0 172.31.35.1

    On RTR-A the route to 10.1.0.0/16 is given by the crypto map

    ======================
    A traceroute yields:
    Received on RTR-B
    trace to 10.1.0.83
    1 *
    172.31.35.1 32 msec *
    2
    *Mar 5 02:20:17.046: ICMP: time exceeded rcvd from 172.31.35.1 * * *

    Sent by RTR-A
    Mar 22 20:05:54.078: ICMP: time exceeded (time to live) sent to 10.2.4.1
    (dest was 10.1.0.83)

    I made such a config with an 877 but for VPN clients passing through a
    virtual interface, and the VPN client can go everywhere there is a tunnel
    opened to the corporate domain

    Does anybody have an idea of what I'm missing?

    Thanks in advance

    Daniel
     
    Daniel-G, Mar 22, 2009
    #1

  2. Daniel-G

    Daniel-G Guest

    Finally, I answer myself.

    I started doing a standard ipsec connection and removed [I thought]
    everything, but the ipflow stayed active and kept having precedence.
    After disconnecting all tunnels and cleaning the config it started
    working fine.
    I added a bit of eigrp to distribute routes and now it works perfectly.
     
    Daniel-G, Mar 24, 2009
    #2
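    A static model of the forwarding decision RTR-A makes in the design posted above, added here as an example and not taken from the thread or from Cisco: it resolves the posted static routes recursively and then applies the crypto-map ACL on Dialer0, which shows why that ACL has to cover 10.2.0.0/16 and not only site A's /22 for spoke traffic to be encrypted towards the PIX. The helper names and the narrower counter-example ACL are this example's own, and it does not model the stale IPsec flow that turned out to be the real cause.

```python
# Added model of RTR-A's forwarding decision from the thread above; not IOS code
# and not from the original posts. Standard-library ipaddress only. Interface
# names and the posted ACL come from the thread; helper names are this example's.
import ipaddress

def net(text):
    # Accepts "10.2.0.0/22" or the IOS wildcard form "10.2.0.0/0.0.3.255" (hostmask).
    return ipaddress.ip_network(text, strict=False)

def acl_matches(acl, src, dst):
    """acl: list of (src_net, dst_net) permit entries, as in 'permit A wcA B wcB'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in acl)

def egress_interface(routes, connected, dst, depth=0):
    """Longest-prefix match with recursive next-hop resolution (static routes only)."""
    d = ipaddress.ip_address(dst)
    hits = [r for r in routes + connected if d in r[0]]
    if not hits or depth > 8:          # no route, or a next-hop recursion loop
        return None
    _network, via = max(hits, key=lambda r: r[0].prefixlen)
    if via.startswith(("Dialer", "Tunnel")):
        return via                     # via is an interface: done
    return egress_interface(routes, connected, via, depth + 1)  # via is a next-hop IP

# RTR-A as posted: default route to Dialer0, spoke LAN via the VTI peer address.
RTR_A_ROUTES = [(net("0.0.0.0/0"), "Dialer0"), (net("10.2.4.0/22"), "172.31.35.2")]
RTR_A_CONNECTED = [(net("172.31.35.0/29"), "Tunnel0")]
# Crypto-map ACL on Dialer0 as posted: permit 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
CRYPTO_ACL_POSTED = [(net("10.2.0.0/0.0.255.255"), net("10.1.0.0/0.0.255.255"))]
# Constructed counter-example: an ACL that only covers site A's own LAN (10.2.0.0/22).
CRYPTO_ACL_SITE_A_ONLY = [(net("10.2.0.0/0.0.3.255"), net("10.1.0.0/0.0.255.255"))]

def forward(src, dst, crypto_acl):
    """Where RTR-A sends the packet, and whether the crypto map protects it."""
    egress = egress_interface(RTR_A_ROUTES, RTR_A_CONNECTED, dst)
    if egress == "Dialer0":
        return "Dialer0/ipsec" if acl_matches(crypto_acl, src, dst) else "Dialer0/clear"
    return egress

if __name__ == "__main__":
    for acl in (CRYPTO_ACL_POSTED, CRYPTO_ACL_SITE_A_ONLY):
        # Spoke -> corporate, then the corporate reply back to the spoke.
        print(forward("10.2.4.1", "10.1.0.83", acl), forward("10.1.0.83", "10.2.4.1", acl))
```

    With the posted ACL the spoke-to-corporate packet leaves Dialer0 encrypted and the reply is routed back into Tunnel0; with the narrower ACL the same packet would leave Dialer0 unprotected.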
