7 Replies Latest reply: Jan 14, 2019 6:59 AM by Juergen Ilse CCNA R&S

    CCNP Route Lab Chap7: GRE over IPsec

    Tony

      This problem is straight from the CCNP Route Lab Guide and it's literally been keeping me up at night. I followed the lab guide word for word, but when I get to the part where I ping a host, it's supposed to trigger the IPsec VPN tunnel, but it's not working. I did some debugging and I see that the ACL is not matching for some reason.

      The NAT translations aren't supposed to translate anything from the 192.168.1.0 to the 10.10.0.0 network, as designed. The IPsec should trigger via ACL if there's traffic from 192.168.0.0 to 10.10.0.0.

      When I do Branch# ping 10.10.1.1 source 192.168.1.1

      The IPsec tunnel won't come up. What am I missing here? This is one of many issues I encountered with the official lab guide >:(

      Thanks for your help

      [Attachment: Chap 7 Topology.PNG]

      ---------------------------------------------------------------------

      Branch Router

      Branch#show run
      Building configuration...

      Current configuration : 2048 bytes
      !
      version 12.4
      service timestamps debug datetime msec
      service timestamps log datetime msec
      no service password-encryption
      !
      hostname Branch
      !
      boot-start-marker
      boot-end-marker
      !
      !
      no aaa new-model
      !
      resource policy
      !
      memory-size iomem 5
      no ip icmp rate-limit unreachable
      ip cef
      ip tcp synwait-time 5
      !
      !
      !
      !
      no ip domain lookup
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      crypto isakmp policy 1
      encr aes
      authentication pre-share
      group 2
      crypto isakmp key cisco123 address 209.165.200.226
      !
      !
      crypto ipsec transform-set VPN esp-3des esp-sha-hmac
      !
      crypto map IPSECMAP 10 ipsec-isakmp
      set peer 209.165.200.226
      set transform-set VPN
      match address VPNACL
      !
      !
      !
      !
      interface Loopback1
      description Branch LAN
      ip address 192.168.1.1 255.255.255.0
      ip nat inside
      ip virtual-reassembly
      !
      interface FastEthernet0/0
      no ip address
      shutdown
      duplex auto
      speed auto
      !
      interface Serial0/0/1
      description Connection to ISP
      bandwidth 64
      ip address 209.165.200.242 255.255.255.248
      ip nat outside
      ip virtual-reassembly
      clock rate 2000000
      crypto map IPSECMAP
      !
      interface FastEthernet0/1
      no ip address
      shutdown
      duplex auto
      speed auto
      !
      interface Serial0/1
      no ip address
      shutdown
      clock rate 2000000
      !
      ip route 0.0.0.0 0.0.0.0 209.165.200.241
      !
      !
      no ip http server
      no ip http secure-server
      ip nat pool BRANCH-NAT-POOL 209.165.200.249 209.165.200.254 prefix-length 29
      ip nat inside source list BRANCH-NAT-ACL pool BRANCH-NAT-POOL
      !
      ip access-list extended BRANCH-NAT-ACL
      remark Do not translate Local LAN to HQ LAN addresses
      deny   ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.255.255
      remark Translate Local LAN to all other Internet destinations
      permit ip 192.168.1.0 0.0.0.255 any
      ip access-list extended VPNACL
      remark Branch to HQ traffic to trigger VPN
      permit ip 192.168.1.0 0.0.0.25 10.10.0.0 0.0.255.255
      !
      no cdp log mismatch duplex
      !
      !
      !
      !
      control-plane
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      line con 0
      exec-timeout 0 0
      privilege level 15
      logging synchronous
      line aux 0
      exec-timeout 0 0
      privilege level 15
      logging synchronous
      line vty 0 4
      login
      !
      !
      end

      Branch#
      ------------------------------------------------------------------------------------------------------

      HQ Router

      HQ#show run
      Building configuration...

      Current configuration : 2365 bytes
      !
      version 12.4
      service timestamps debug datetime msec
      service timestamps log datetime msec
      no service password-encryption
      !
      hostname HQ
      !
      boot-start-marker
      boot-end-marker
      !
      !
      no aaa new-model
      !
      resource policy
      !
      memory-size iomem 5
      no ip icmp rate-limit unreachable
      ip cef
      ip tcp synwait-time 5
      !
      !
      !
      !
      no ip domain lookup
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      crypto isakmp policy 1
      encr aes
      authentication pre-share
      group 2
      crypto isakmp key cisco123 address 209.165.200.242
      !
      !
      crypto ipsec transform-set VPN esp-3des esp-sha-hmac
      !
      crypto map IPSECMAP 10 ipsec-isakmp
      set peer 209.165.200.242
      set transform-set VPN
      match address VPNACL
      !
      !
      !
      !
      interface Loopback0
      description HQ email server address
      ip address 10.10.20.238 255.255.255.0
      ip nat inside
      ip virtual-reassembly
      !
      interface Loopback1
      description Headquarters LAN
      ip address 10.10.10.1 255.255.255.0
      ip nat inside
      ip virtual-reassembly
      !
      interface FastEthernet0/0
      no ip address
      shutdown
      duplex auto
      speed auto
      !
      interface Serial0/0/1
      description Connection to ISP
      bandwidth 64
      ip address 209.165.200.226 255.255.255.248
      ip nat outside
      ip virtual-reassembly
      clock rate 64000
      crypto map IPSECMAP
      !
      interface FastEthernet0/1
      no ip address
      shutdown
      duplex auto
      speed auto
      !
      interface Serial0/1
      no ip address
      shutdown
      clock rate 2000000
      !
      ip route 0.0.0.0 0.0.0.0 209.165.200.225
      !
      !
      no ip http server
      no ip http secure-server
      ip nat pool BRANCH-NAT-POOL 209.165.200.249 209.165.200.254 prefix-length 29
      ip nat pool HQ-NAT-POOL 209.165.200.233 209.165.200.237 prefix-length 29
      ip nat inside source list BRANCH-NAT-ACL pool BRANCH-NAT-POOL
      ip nat inside source list HQ-NAT-ACL pool HQ-NAT-POOL
      ip nat inside source static 10.10.20.238 209.165.200.238
      !
      ip access-list extended HQ-NAT-ACL
      remark Do not translate HQ LAN to Branch LAN addresses
      deny   ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255
      remark Translate Local LAN to all other Internet destinations
      permit ip 10.10.0.0 0.0.255.255 any
      ip access-list extended VPNACL
      remark HQ to Branch traffic to trigger VPN
      permit ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255
      !
      no cdp log mismatch duplex
      !
      !
      !
      !
      control-plane
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      line con 0
      exec-timeout 0 0
      privilege level 15
      logging synchronous
      line aux 0
      exec-timeout 0 0
      privilege level 15
      logging synchronous
      line vty 0 4
      login
      !
      !
      end
      HQ#
      -----------------------------------------------------------

      ISP Router

      ISP#show run
      Building configuration...

      Current configuration : 1351 bytes
      !
      version 12.4
      service timestamps debug datetime msec
      service timestamps log datetime msec
      no service password-encryption
      !
      hostname ISP
      !
      boot-start-marker
      boot-end-marker
      !
      !
      no aaa new-model
      !
      resource policy
      !
      memory-size iomem 5
      no ip icmp rate-limit unreachable
      ip cef
      ip tcp synwait-time 5
      !
      !
      !
      !
      no ip domain lookup
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      interface Loopback1
      description Simulating the Internet
      ip address 209.165.202.129 255.255.255.240
      !
      interface FastEthernet0/0
      no ip address
      shutdown
      duplex auto
      speed auto
      !
      interface Serial0/0/0
      description Connection to Branch
      bandwidth 64
      ip address 209.165.200.241 255.255.255.248
      clock rate 64000
      !
      interface FastEthernet0/1
      no ip address
      shutdown
      duplex auto
      speed auto
      !
      interface Serial0/0/1
      description Connection to HQ
      bandwidth 64
      ip address 209.165.200.225 255.255.255.248
      clock rate 2000000
      !
      ip route 209.165.200.232 255.255.255.248 209.165.200.226
      ip route 209.165.200.248 255.255.255.248 209.165.200.241
      ip route 209.165.200.248 255.255.255.248 209.165.200.242
      !
      !
      no ip http server
      no ip http secure-server
      !
      no cdp log mismatch duplex
      !
      !
      !
      !
      control-plane
      !
      !
      !
      !
      !
      !
      !
      !
      !
      !
      line con 0
      exec-timeout 0 0
      privilege level 15
      logging synchronous
      line aux 0
      exec-timeout 0 0
      privilege level 15
      logging synchronous
      line vty 0 4
      login
      !
      !
      end

      ISP#

        • 1. Re: CCNP Route Lab Chap7: GRE over IPsec
          Juergen Ilse CCNA R&S

          If you want to run GRE over VPN, I'm missing something here. You need a tunnel interface for the GRE connection, and you have to secure the traffic between the tunnel endpoint addresses with IPsec, not the traffic that should be tunneled through GRE. You have configured an IPsec tunnel, but not an IPsec-secured GRE tunnel. The reason why your tunnel does not come up is a typo in the configuration of the branch router. You wrote:

          ip access-list extended VPNACL
          remark Branch to HQ traffic to trigger VPN
          permit ip 192.168.1.0 0.0.0.25 10.10.0.0 0.0.255.255

          But the last line of this snippet should read:

          permit ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.255.255

          If the crypto ACLs don't match on both sides, the tunnel won't come up, because they don't find an IPsec policy that is acceptable for both sides.

          • 2. Re: CCNP Route Lab Chap7: GRE over IPsec
            Mustafa

            My suggestion:

            1. Try your GRE tunnel without IPsec. Because IPsec relies on GRE, GRE should work first.

            2. Create an ACL like this:

                access-list 100 deny   ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.255.255
                access-list 100 permit ip 192.168.1.0 0.0.0.255 any

               Create a route-map:

                route-map NONAT permit 10
                  match ip address 100

               Add NAT:

                ip nat inside source route-map NONAT pool BRANCH-NAT-POOL

            3. And as Juergen wrote, there is a mistake in the ACL "permit ip 192.168.1.0 0.0.0.25 10.10.0.0 0.0.255.255".

            • 3. Re: CCNP Route Lab Chap7: GRE over IPsec
              Juergen Ilse CCNA R&S

              Mustafa wrote:

              My suggestion:

              1. Try your GRE tunnel without IPsec. Because IPsec relies on GRE, GRE should work first.

              2. Create an ACL like this:

                  access-list 100 deny   ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.255.255
                  access-list 100 permit ip 192.168.1.0 0.0.0.255 any

                 Create a route-map:

                  route-map NONAT permit 10
                    match ip address 100

                 Add NAT:

                  ip nat inside source route-map NONAT pool BRANCH-NAT-POOL

              3. And as Juergen wrote, there is a mistake in the ACL "permit ip 192.168.1.0 0.0.0.25 10.10.0.0 0.0.255.255".

              Wouldn't it also be a (maybe simpler) solution to just configure the GRE tunnel interface as "nat inside" on both sides? Then you don't need to configure a NAT exemption for the tunnel traffic ... But thanks for the example of NAT configuration with a route-map, I never used it this way before.

              • 4. Re: CCNP Route Lab Chap7: GRE over IPsec
                Tony

                Juergen,

                Thank you! That fixed it. It also gave me the idea to add both ACL entries to the other router. Now both routers have the entry:

                ip access-list extended VPNACL
                remark HQ to Branch traffic to trigger VPN
                permit ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255
                remark HQ to Branch traffic to trigger VPN
                permit ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.255.255

                • 5. Re: CCNP Route Lab Chap7: GRE over IPsec
                  Juergen Ilse CCNA R&S

                  The VPN ACLs do not need to have exactly the same entries. They have to match in the sense that, for every entry in the ACL on one side, there has to be a matching entry with exchanged source and destination in the ACL on the other side. The VPN ACL has to match the outgoing traffic through the VPN tunnel. So if you have:

                  ip access-list extended VPNACL
                  remark HQ to Branch traffic to trigger VPN
                  permit ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255

                  on one side, you need to have:

                  ip access-list extended VPNACL
                  remark HQ to Branch traffic to trigger VPN
                  permit ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.255.255

                  on the other side. There is no need to have both permit entries on both sides. And you should know that it would not work if you have "non-matching entries" on both sides that only cover similar traffic:

                  ip access-list extended VPNACL
                  remark HQ to Branch traffic to trigger VPN
                  permit ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255

                  on one side and:

                  ip access-list extended VPNACL
                  remark HQ to Branch traffic to trigger VPN
                  permit ip 192.168.1.0 0.0.0.127 10.10.0.0 0.0.255.255
                  permit ip 192.168.1.0 0.0.128.127 10.10.0.0 0.0.255.255

                  would not let the tunnel come up. Both ACLs match similar traffic, but one side has one permit rule that has no match on the other side, and the other side has two permit rules without a corresponding rule. So don't try something like that. The rules have to match exactly (except that you will have exchanged source and destination on the other side).

                  But back to the topic of this thread: what you have configured is not GRE over IPsec, it is a pure IPsec tunnel, which has nothing to do with GRE.
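As an added example (not from the lab guide and not any poster's own code), the following Python audit applies the two rules this thread turns on: the mirror rule for crypto ACLs from reply 5 (every permit on one peer needs the exact reversed permit on the other, and merely similar coverage fails), and the NAT-exemption design from the original post (the NAT ACL must deny Branch-to-HQ traffic before any permit, or the source is translated and never matches VPNACL). It also rejects the non-contiguous wildcard 0.0.0.25 that caused the original failure, which IOS itself accepts silently. The sample ACLs are constructed from the configs posted above; the function names are my own.

```python
import ipaddress


def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into an IPv4Network.

    A usable wildcard is a run of one-bits at the low end (0.0.0.255, 0.0.255.255,
    0.0.0.127). IOS accepts anything else too, which is how a typo such as 0.0.0.25
    silently matches a few scattered hosts instead of a subnet; reject it here."""
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:  # w+1 is a power of two only for contiguous low-order ones
        raise ValueError(f"non-contiguous wildcard {addr} {wildcard}")
    return ipaddress.IPv4Network((a & ~w & 0xFFFFFFFF, 32 - w.bit_length()))


def _endpoint(tokens, i):
    """Parse one ACL endpoint (any | host A | A W) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text):
    """Parse 'permit|deny ip SRC DST' lines of an extended ACL into
    (action, src_network, dst_network) tuples; header and remark lines are skipped."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] not in ("permit", "deny") or t[1] != "ip":
            continue
        src, i = _endpoint(t, 2)
        dst, _ = _endpoint(t, i)
        entries.append((t[0], src, dst))
    return entries


def crypto_acl_mirror_errors(local_acl, remote_acl):
    """Mirror rule: each permit (src, dst) on one peer needs the exact permit
    (dst, src) on the other peer; similar but differently split coverage fails."""
    local = {(s, d) for a, s, d in parse_acl(local_acl) if a == "permit"}
    remote = {(s, d) for a, s, d in parse_acl(remote_acl) if a == "permit"}
    errors = [f"local permit {s} -> {d} has no mirror on the remote peer"
              for s, d in sorted(local, key=str) if (d, s) not in remote]
    errors += [f"remote permit {s} -> {d} has no mirror on the local peer"
               for s, d in sorted(remote, key=str) if (d, s) not in local]
    return errors


def nat_exemption_errors(crypto_acl, nat_acl):
    """NAT runs before the crypto map on an inside-to-outside path, so every flow
    the crypto ACL permits must hit a deny in the NAT ACL first (first match wins);
    otherwise the source is translated to a pool address and never matches VPNACL."""
    errors = []
    nat_entries = parse_acl(nat_acl)
    for action, src, dst in parse_acl(crypto_acl):
        if action != "permit":
            continue
        for nat_action, nsrc, ndst in nat_entries:
            if not (src.overlaps(nsrc) and dst.overlaps(ndst)):
                continue
            if src.subnet_of(nsrc) and dst.subnet_of(ndst):
                if nat_action == "permit":
                    errors.append(f"{src} -> {dst} would be translated by NAT entry "
                                  f"permit {nsrc} -> {ndst}; add a deny for it first")
            else:
                errors.append(f"{src} -> {dst} is only partly covered by NAT entry "
                              f"{nat_action} {nsrc} -> {ndst}; split the entry")
            break  # first matching NAT entry decides for this flow
    return errors


def audit(local_crypto, remote_crypto, local_nat):
    """Run both checks for one peer. Returns a list of findings; empty means consistent."""
    try:
        return (crypto_acl_mirror_errors(local_crypto, remote_crypto)
                + nat_exemption_errors(local_crypto, local_nat))
    except ValueError as exc:
        return [f"unparseable ACL entry: {exc}"]


# Constructed sample ACLs, copied from the configs posted in this thread.
BRANCH_VPNACL_TYPO = """ip access-list extended VPNACL
 remark Branch to HQ traffic to trigger VPN
 permit ip 192.168.1.0 0.0.0.25 10.10.0.0 0.0.255.255
"""
BRANCH_VPNACL_FIXED = BRANCH_VPNACL_TYPO.replace("0.0.0.25 ", "0.0.0.255 ")
HQ_VPNACL = """ip access-list extended VPNACL
 remark HQ to Branch traffic to trigger VPN
 permit ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255
"""
BRANCH_NAT_ACL = """ip access-list extended BRANCH-NAT-ACL
 remark Do not translate Local LAN to HQ LAN addresses
 deny   ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.255.255
 remark Translate Local LAN to all other Internet destinations
 permit ip 192.168.1.0 0.0.0.255 any
"""

if __name__ == "__main__":
    for label, acl in (("as posted", BRANCH_VPNACL_TYPO), ("corrected", BRANCH_VPNACL_FIXED)):
        print(label, "->", audit(acl, HQ_VPNACL, BRANCH_NAT_ACL) or "OK")
```

Run against the Branch ACL as posted, the audit stops at the wildcard 0.0.0.25; with 0.0.0.255 both checks pass. Feeding it the split /25 pair from the reply above against HQ's single /24 entry reports three unmirrored permits, which is exactly the case the reply says will not bring the tunnel up. The NAT check is deliberately conservative: a crypto entry that only partly overlaps a NAT entry is reported rather than guessed at, since per-packet first-match behaviour cannot be summarised by one verdict for the whole entry.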

                  • 6. Re: CCNP Route Lab Chap7: GRE over IPsec
                    Tony

                    Juergen,

                    I know I have not created GRE over IPsec. I'm following the lab guide, but I got stuck when the IPsec tunnel didn't come up. It's working now and I've finished the chapter. Thanks for your help

                    • 7. Re: CCNP Route Lab Chap7: GRE over IPsec
                      Juergen Ilse CCNA R&S

                      To configure GRE over IPsec, you may configure the IPsec part with a crypto map bound to the egress interface of the traffic, or you may protect the traffic by applying an IPsec profile to the tunnel interface. If you use a crypto map, your ACL needs only to match the traffic between the tunnel endpoints of the GRE tunnel, not the traffic that has to be tunneled through the GRE tunnel. If you use an IPsec profile applied to the tunnel interface, you need no crypto ACL at all.