15 Replies, latest reply: Mar 11, 2012 7:53 AM by MIKIS

DVTI and Routing Protocol

Dec 17, 2011 12:11 AM

Dr. RDX 271 posts since
May 25, 2009

In a lab it says to configure DVTI (hardware client) and then the routes of the inside network should come in using EIGRP. I am able to make the connection work, but EIGRP doesn't seem to work. Below is my config.

R3 (SERVER)


Rack1R3#sh run
Building configuration...

Current configuration : 2475 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Rack1R3
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
aaa new-model
!
aaa authentication login default local
aaa authorization network default local
!
aaa session-id common
memory-size iomem 5
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
username cisco password 0 cisco
archive
 log config
  hidekeys
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group IT
 key CISCO
 pool default
 acl 101
!
crypto isakmp client configuration group EZVPN
 key cisco
 pool default
 acl 101
crypto isakmp profile vpn
   match identity group EZVPN
   client authentication list default
   isakmp authorization list default
   client configuration address respond
   client configuration group EZVPN
   virtual-template 100
!
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
!
crypto ipsec profile vpn
 set transform-set vpn
 set isakmp-profile vpn
!
crypto dynamic-map vpn 10
 set transform-set vpn
 reverse-route
!
ip tcp synwait-time 5
!
interface Loopback0
 ip address 150.1.3.3 255.255.255.0
!
interface Loopback44
 ip address 20.0.0.33 255.255.255.0
!
interface FastEthernet0/0
 ip address 136.1.123.3 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 136.1.23.3 255.255.255.0
 clock rate 64000
!
interface FastEthernet0/1
 ip address 136.1.100.3 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Virtual-Template100 type tunnel
 ip unnumbered FastEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vpn
!
router eigrp 100
 network 20.0.0.0
 network 136.1.100.3 0.0.0.0
 no auto-summary
!
router rip
 version 2
 redistribute static
 network 136.1.0.0
 network 150.1.0.0
 no auto-summary
!
ip local pool default 20.0.0.1 20.0.0.254
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip access-list extended VPN
 permit ip 136.1.100.0 0.0.0.255 any
 permit ip 10.0.0.0 0.0.0.255 any
!
ip radius source-interface Loopback0
!
radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key CISCO
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
line vty 0 4
 password cisco
!
end


R1 (CLIENT)

Rack1R1#sh run
Building configuration...

Current configuration : 1301 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Rack1R1
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
crypto ipsec client ezvpn EZVPN
 connect manual
 group EZVPN key cisco
 mode client
 peer 136.1.100.3
 acl 1
 xauth userid mode http-intercept
!
ip tcp synwait-time 5
!
interface Loopback0
 ip address 150.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 136.1.121.1 255.255.255.0
 duplex auto
 speed auto
 crypto ipsec client ezvpn EZVPN
!
interface FastEthernet0/1
 ip address 136.1.11.1 255.255.255.0
 duplex auto
 speed auto
 crypto ipsec client ezvpn EZVPN inside
!
router eigrp 100
 network 20.0.0.0
 network 150.1.0.0
 auto-summary
!
router rip
 version 2
 network 136.1.0.0
 network 150.1.0.0
 no auto-summary
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
access-list 1 permit 150.1.3.3 log
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
line vty 0 4
 password cisco
 login
!
end

 

Result of R3's routing table:

Rack1R3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     136.1.0.0/24 is subnetted, 5 subnets
R       136.1.11.0 [120/2] via 136.1.123.12, 00:00:02, FastEthernet0/0
C       136.1.23.0 is directly connected, Serial0/0
C       136.1.100.0 is directly connected, FastEthernet0/1
R       136.1.121.0 [120/1] via 136.1.123.12, 00:00:02, FastEthernet0/0
C       136.1.123.0 is directly connected, FastEthernet0/0
     20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       20.0.0.0/24 is directly connected, Loopback44
S       20.0.0.1/32 [1/0] via 0.0.0.0, Virtual-Access2
     10.0.0.0/24 is subnetted, 1 subnets
R       10.0.0.0 [120/1] via 136.1.23.2, 00:00:14, Serial0/0
     150.1.0.0/24 is subnetted, 2 subnets
C       150.1.3.0 is directly connected, Loopback0
R       150.1.1.0 [120/2] via 136.1.123.12, 00:00:02, FastEthernet0/0

 

The client is assigned IP address 20.0.0.1/32 and I have added it into the EIGRP process. The solution in the workbook says to make a loopback on the server with the same IP address scheme and add it to the EIGRP process. One thing to note is that EIGRP will only work on directly connected interfaces (directly or using tunnels). Now, since the client end has 20.0.0.1 and the server end edge interface was 136.1.x.x, how can advertising 20.x.x.x work?

Please let me know how I can make this work using a dynamic routing protocol.

Note: This is linked to INE Workbook Vol 1 task 3.23

  • Bhupendra 19 posts since
    Jan 17, 2011
    1. Dec 17, 2011 2:48 PM (in response to Dr. RDX)
    Re: DVTI and Routing Protocol

    Hi Dr,

     

    I couldn't notice much except your VTI on the server.

    Change the IP scheme to 'ip unnumbered lo44' and it must work, because as far as I remember an EZVPN server using DVTI and a traditional remote client work pretty well with each other.

     

    HTH

    Bhupi

  • Yevgeniy 63 posts since
    Mar 22, 2011
    2. Dec 17, 2011 8:58 PM (in response to Dr. RDX)
    Re: DVTI and Routing Protocol

    Try debugging EIGRP update events on the remote router and see if it receives any updates. Same for the other side.

  • Yevgeniy 63 posts since
    Mar 22, 2011
    4. Dec 18, 2011 3:43 AM (in response to Dr. RDX)
    Re: DVTI and Routing Protocol

    Do you mean that EIGRP updates are not propagated via the tunnel interface?

    Try to set unicast updates on the client and see if they are received by the EZVPN server.

  • Bhupendra 19 posts since
    Jan 17, 2011
    5. Dec 18, 2011 3:54 AM (in response to Dr. RDX)
    Re: DVTI and Routing Protocol

    Hi Dr.,

     

    I'd like to know more about the routing tables on the server end.

    How is it that you're getting a static route for the allocated address, though you haven't mentioned any reverse-route in the assigned IPsec profile, and are you using this dynamic map somewhere else?

    And have you tried using no auto-summary under EIGRP, just in case that makes things troublesome?

    It'll be great if you can share your current config and routing tables.

     

    Regards

  • Bhupendra 19 posts since
    Jan 17, 2011
    8. Dec 18, 2011 5:49 AM (in response to Dr. RDX)
    Re: DVTI and Routing Protocol

    Hi Dr

     

    Thanks for the prompt response.

    If the client uses DVTI, its IP address shows up as the remote ident in the head-end IPsec SA.

    I'd like to remind you that if you're using a legacy remote client with this server, route injection won't work.

    Check this compatibility table: http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_easy_vpn_rem_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1291721

    Plus, there is a typo in your config, as your crypto map attaches to the FastEthernet while you're advertising the serial into your eigrp 1.

     

    hth

  • Paul Stewart  -  CCIE Security, CCSI 6,952 posts since
    Jul 18, 2008
    10. Dec 18, 2011 6:47 AM (in response to Dr. RDX)
    Re: DVTI and Routing Protocol

    I'm struggling to wrap my mind around the need for a routing protocol here. If using the EZVPN hardware client, the client will tunnel everything except the tunnel itself back to the EZVPN server. Alternatively, it can receive a split-tunnel ACL. The EZVPN server receives the remote network as a static route if using NEM and Reverse Route Injection. So if this is a sophisticated solution requiring additional nodes at the remote side, the client can always redistribute a default route. The head end can always redistribute what is learned via RRI. So even if this was used as a backup to a WAN, it would work without running EIGRP over DVTI (I've seen this work well over SVTI, but have not experimented nor felt the need to on DVTI). The only argument I could see for requiring EIGRP in an EZVPN environment is if you had multiple client devices backing each other up. I'm sure I'm missing something and there may be some use case and documented strategy for doing it. I've just not run across it.

  • You need to tweak the configuration to make the routing protocol work.

    Your server's and client's virtual-access interface IP addresses will not be in the same subnet, and hence EIGRP will not work across the VTI. As per your 2nd configuration, the server's VTI will have the IP address 136.1.100.3 and the client's VTI will have an IP address in the subnet of 5.5.5.1-5.5.5.10 (pool address).

    Now you see that both VTIs' IP addresses are in different subnets, and hence EIGRP doesn't work.

    Let's fix it; do the following:

    Server side configuration
    ==================

    1. On the server, configure a loopback interface with IP address 5.5.5.254/24.
    2. Unnumber the server VTI to this loopback interface.
    3. Configure the pool to 5.5.5.1 - 5.5.5.253.
    4. Configure "network 5.5.5.0 0.0.0.255" under EIGRP.

    On client
    =======

    Configure "network 5.5.5.0 0.0.0.255" under EIGRP.

    Disable auto-summary for EIGRP on both client and server.

    Now both the server's and the client's VTI will be in the same 5.5.5.0/24 subnet, and network 5.5.5.0 0.0.0.255 establishes the EIGRP relationship.

    This fixes your issue.

     

     

    With regards

    Kings

  • Bhupendra 19 posts since
    Jan 17, 2011

    Hi Kings,

     

    I guess you skipped a point in his config: he's not even using that pool, so the only way his tunnel came up can be due to the client being in NEM.

    Aside to Dr.:

    if you switch the remote to client mode, the solution provided by Kings must be more than sufficient.

     

  • 14. Dec 18, 2011 8:25 PM (in response to Bhupendra)
    Re: DVTI and Routing Protocol

    His first config was in client mode.

    Anyway, for NEM also the same logic should be used. Both VTIs should be unnumbered to interfaces that are in the same subnet.

    Check out the "sh crypto ipsec sa" output: the local address and current peer are in different subnets, and hence EIGRP is not going to run.

     

     

    Rack1R3#show crypto ipsec sa

    interface: Virtual-Access2
        Crypto map tag: Virtual-Access2-head-0, local addr 136.1.123.3

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
       remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
       current_peer 136.1.121.1 port 500

     

     

    To fix it, unnumber the client's and server's VTIs to interfaces whose IP addresses are in the same subnet and configure "network X.X.X.X" for that network.

    If the outgoing interfaces are not directly connected, then create loopback interfaces on the server and client in the same subnet and unnumber the VTIs to those loopback interfaces.

    Then run EIGRP over that subnet (the loopback interfaces' IP subnet) using network X.X.X.X.

    Remember to have the loopback interfaces' IP addresses reachable, either using static routes or through the IGP.

     

    With regards

    Kings
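Kings' two replies above give the fix as a procedure. What follows is an added example, written for this page and taken neither from the thread nor from the INE workbook, that applies those steps to the original poster's own addressing: R3 already has Loopback44 at 20.0.0.33/24, so the Virtual-Template is unnumbered to it and the pool is kept inside 20.0.0.0/24 (Kings used 5.5.5.0/24; the subnet is arbitrary). Two things the thread's prose does not spell out are built in. First, the addresses in the `show crypto ipsec sa` output (136.1.123.3 and 136.1.121.1) are the outer IKE/IPsec endpoints and never need to share a subnet; what EIGRP checks is the address on the VTI against the source of the hello arriving inside the tunnel. Second, the client needs its own VTI for EIGRP to have an interface at all, which is the `virtual-interface` form of the Easy VPN remote rather than the legacy client (Bhupendra's point). The pool name, ACL name, `virtual-interface 1` / `Virtual-Template1` numbering, the pool range and the split-tunnel list are assumptions, as is the behaviour that the remote places the pushed pool address on its virtual-access interface. The 3DES/MD5/pre-shared-key settings are carried over only because the lab uses them; they are not a production choice.

```cisco
! ===== R3 (Easy VPN server, DVTI) =====
! Added example, not the thread's config. Only the parts that change
! or that the EIGRP adjacency depends on are shown.
!
crypto isakmp policy 10
 encr 3des                  ! kept from the lab; weak by today's standards
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group EZVPN
 key cisco
 pool EZVPN_POOL            ! assumed pool name
 acl SPLIT                  ! assumed split-tunnel list (defined below)
!
crypto isakmp profile vpn
 match identity group EZVPN
 client authentication list default
 isakmp authorization list default
 client configuration address respond
 virtual-template 100
!
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
crypto ipsec profile vpn
 set transform-set vpn
 set isakmp-profile vpn
!
interface Loopback44
 ip address 20.0.0.33 255.255.255.0
!
! Step 2: the VTI borrows the loopback address, so every cloned
! Virtual-Access sits in 20.0.0.0/24, the same subnet as the pool.
interface Virtual-Template100 type tunnel
 ip unnumbered Loopback44
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vpn
!
! Step 3: the pool stays inside that subnet and excludes .33 (the loopback).
ip local pool EZVPN_POOL 20.0.0.1 20.0.0.32
!
! Assumed split-tunnel list: what the client sends through the tunnel.
ip access-list extended SPLIT
 permit ip 20.0.0.0 0.0.0.255 any
 permit ip 136.1.100.0 0.0.0.255 any
!
! Step 4: EIGRP on the tunnel subnet; auto-summary off at both ends.
router eigrp 100
 network 20.0.0.0 0.0.0.255
 network 136.1.100.3 0.0.0.0
 no auto-summary
!
! ===== R1 (Easy VPN hardware client) =====
! virtual-interface gives the client a tunnel interface of its own;
! the legacy client without it has nothing for EIGRP to run on.
crypto ipsec client ezvpn EZVPN
 connect manual
 group EZVPN key cisco
 mode client
 peer 136.1.100.3
 virtual-interface 1        ! assumed numbering, binds Virtual-Template1
 xauth userid mode http-intercept
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
!
interface FastEthernet0/0
 ip address 136.1.121.1 255.255.255.0
 crypto ipsec client ezvpn EZVPN
!
interface FastEthernet0/1
 ip address 136.1.11.1 255.255.255.0
 crypto ipsec client ezvpn EZVPN inside
!
! The pushed pool address (20.0.0.x/32) lands on the client's
! virtual-access interface, so this network statement covers it.
router eigrp 100
 network 20.0.0.0 0.0.0.255
 network 150.1.0.0
 no auto-summary
```

After `crypto ipsec client ezvpn connect` on R1, `show crypto ipsec client ezvpn` should report the assigned 20.0.0.x address, and `show ip eigrp neighbors` on both routers should list the peer on a Virtual-Access interface; if R3's neighbor table stays empty, `debug ip eigrp` (Yevgeniy's suggestion) will show whether hellos are arriving over the tunnel or are being dropped for a subnet mismatch. In practice EIGRP forms the adjacency over `ip unnumbered` interfaces even though the client holds a /32, which is also how hub-and-spoke VTI designs with unnumbered loopbacks work. Note that in client mode the client's inside LAN (136.1.11.0/24) is PAT'd behind the assigned address, so what EIGRP carries from R1 is its own routed prefixes such as Loopback0; advertising the inside LAN unchanged is what network-extension mode is for, and the same unnumbered-VTI logic applies there.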
