15 Replies Latest reply: Mar 11, 2012 7:53 AM by MIKIS

    DVTI and Routing Protocol

    Dr. RDX

      In a lab it says to configure DVTI (hardware client) and then the routes of the inside network should come via EIGRP. I am able to make the connection work but EIGRP doesn't seem to work. Below is my config.

       

      R3 ( SERVER )

       

      Rack1R3#sh run

      Building configuration...

       

      Current configuration : 2475 bytes

      !

      version 12.4

      service timestamps debug datetime msec

      service timestamps log datetime msec

      no service password-encryption

      !

      hostname Rack1R3

      !

      boot-start-marker

      boot-end-marker

      !

      enable password cisco

      !

      aaa new-model

      !

      !

      aaa authentication login default local

      aaa authorization network default local

      !

      aaa session-id common

      memory-size iomem 5

      ip cef

      !

      !

      no ip domain lookup

      !

      multilink bundle-name authenticated

      !


      !

      username cisco password 0 cisco

      archive

      log config

        hidekeys

      !

      crypto isakmp policy 10

      encr 3des

      hash md5

      authentication pre-share

      group 2

      !

      crypto isakmp client configuration group IT

      key CISCO

      pool default

      acl 101

      !

      crypto isakmp client configuration group EZVPN

      key cisco

      pool default

      acl 101

      crypto isakmp profile vpn

         match identity group EZVPN

         client authentication list default

         isakmp authorization list default

         client configuration address respond

         client configuration group EZVPN

         virtual-template 100

      !

      !

      crypto ipsec transform-set vpn esp-3des esp-md5-hmac

      !

      crypto ipsec profile vpn

      set transform-set vpn

      set isakmp-profile vpn

      !

      !

      crypto dynamic-map vpn 10

      set transform-set vpn

      reverse-route

      !


      !

      ip tcp synwait-time 5

      !

      !

      interface Loopback0

      ip address 150.1.3.3 255.255.255.0

      !

      interface Loopback44

      ip address 20.0.0.33 255.255.255.0

      !

      interface FastEthernet0/0

      ip address 136.1.123.3 255.255.255.0

      duplex auto

      speed auto

      !

      interface Serial0/0

      ip address 136.1.23.3 255.255.255.0

      clock rate 64000

      !

      interface FastEthernet0/1

      ip address 136.1.100.3 255.255.255.0

      duplex auto

      speed auto

      !

      interface Serial0/1

      no ip address

      shutdown

      clock rate 2000000

      !

      interface Virtual-Template100 type tunnel

      ip unnumbered FastEthernet0/1

      tunnel mode ipsec ipv4

      tunnel protection ipsec profile vpn

      !

      router eigrp 100

      network 20.0.0.0

      network 136.1.100.3 0.0.0.0

      no auto-summary

      !

      router rip

      version 2

      redistribute static

      network 136.1.0.0

      network 150.1.0.0

      no auto-summary

      !

      ip local pool default 20.0.0.1 20.0.0.254

      ip forward-protocol nd

      !

      !

      ip http server

      no ip http secure-server

      !

      ip access-list extended VPN

      permit ip 136.1.100.0 0.0.0.255 any

      permit ip 10.0.0.0 0.0.0.255 any

      !

      ip radius source-interface Loopback0

      !


      radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key CISCO

      !

      control-plane

      !

      !

      line con 0

      exec-timeout 0 0

      privilege level 15

      logging synchronous

      line aux 0

      exec-timeout 0 0

      privilege level 15

      line vty 0 4

      password cisco

      !

      !

      end


      R1 ( CLIENT )

       

      Rack1R1#sh run

      Building configuration...

       

       

      Current configuration : 1301 bytes

      !

      version 12.4

      service timestamps debug datetime msec

      service timestamps log datetime msec

      no service password-encryption

      !

      hostname Rack1R1

      !

      boot-start-marker

      boot-end-marker

      !

      enable password cisco

      !

      no aaa new-model

      memory-size iomem 5

      ip cef

      !

      !

      no ip domain lookup

      !        

      multilink bundle-name authenticated

      !

      archive

      log config

        hidekeys

      !

      !

      crypto ipsec client ezvpn EZVPN

      connect manual

      group EZVPN key cisco

      mode client

      peer 136.1.100.3

      acl 1

      xauth userid mode http-intercept

      !        

      !

      ip tcp synwait-time 5

      !

      !

      !

      interface Loopback0

      ip address 150.1.1.1 255.255.255.0

      !

      interface FastEthernet0/0

      ip address 136.1.121.1 255.255.255.0

      duplex auto

      speed auto

      crypto ipsec client ezvpn EZVPN

      !

      interface FastEthernet0/1

      ip address 136.1.11.1 255.255.255.0

      duplex auto

      speed auto

      crypto ipsec client ezvpn EZVPN inside

      !

      router eigrp 100

      network 20.0.0.0

      network 150.1.0.0

      auto-summary

      !

      router rip

      version 2

      network 136.1.0.0

      network 150.1.0.0

      no auto-summary

      !

      ip forward-protocol nd

      !

      !

      ip http server

      no ip http secure-server

      !

      access-list 1 permit 150.1.3.3 log

      !

      !

      control-plane

      !        

      !

      line con 0

      exec-timeout 0 0

      privilege level 15

      logging synchronous

      line aux 0

      exec-timeout 0 0

      privilege level 15

      line vty 0 4

      password cisco

      login

      !

      end

       

      Result of R3 Routing table

      Rack1R3#sh ip route

      Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

             D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

             N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

             E1 - OSPF external type 1, E2 - OSPF external type 2

             i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

             ia - IS-IS inter area, * - candidate default, U - per-user static route

             o - ODR, P - periodic downloaded static route

      Gateway of last resort is not set

           136.1.0.0/24 is subnetted, 5 subnets

      R       136.1.11.0 [120/2] via 136.1.123.12, 00:00:02, FastEthernet0/0

      C       136.1.23.0 is directly connected, Serial0/0

      C       136.1.100.0 is directly connected, FastEthernet0/1

      R       136.1.121.0 [120/1] via 136.1.123.12, 00:00:02, FastEthernet0/0

      C       136.1.123.0 is directly connected, FastEthernet0/0

           20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

      C       20.0.0.0/24 is directly connected, Loopback44

      S       20.0.0.1/32 [1/0] via 0.0.0.0, Virtual-Access2

           10.0.0.0/24 is subnetted, 1 subnets

      R       10.0.0.0 [120/1] via 136.1.23.2, 00:00:14, Serial0/0

           150.1.0.0/24 is subnetted, 2 subnets

      C       150.1.3.0 is directly connected, Loopback0

      R       150.1.1.0 [120/2] via 136.1.123.12, 00:00:02, FastEthernet0/0

       

      The client is assigned IP address 20.0.0.1/32 and I have added it into the EIGRP process. The solution in the workbook says to make a loopback on the server with the same IP address scheme and add it to the EIGRP process. One thing to note is that EIGRP will only work on directly connected interfaces (directly or using tunnels). Now, since the client end has 20.0.0.1 and the server end edge interface was 136.1.x.x, how can advertising 20.x.x.x work?

       

      Please let me know how I can make this work using a dynamic routing protocol.

       

       

      Note: This is linked to INE Workbook Vol 1 task 3.23

        • 1. Re: DVTI and Routing Protocol
          Bhupendra

          Hi Dr,

           

          I couldn't notice much except your VTI on the server.

          Change the IP scheme to 'ip unnumbered lo44' and it must work, because as far as I remember an EZVPN server using DVTI and a traditional remote client work pretty well with each other.

           

          HTH

          Bhupi

          • 2. Re: DVTI and Routing Protocol
            Yevgeniy

            Try debugging EIGRP update events on the remote router and see if it receives any update. Same for the other side.

            • 3. Re: DVTI and Routing Protocol
              Dr. RDX

              I tried that and there seem to be no debugs.

               

              @Bhupendra: I tried changing the head-end interface to the loopback one and dialed the VPN to that interface; still EIGRP or any other routing protocol over DVTI doesn't seem to work.

               

              The router emulated is a 3725, and today I tested the same with a 3745.

              • 4. Re: DVTI and Routing Protocol
                Yevgeniy

                Do you mean that EIGRP updates are not propagated via the Tunnel interface?

                Try to set unicast updates on the client and see if they are received by the EZVPN server.

                • 5. Re: DVTI and Routing Protocol
                  Bhupendra

                  Hi Dr.,

                   

                  I'd like to know more about the routing tables on the server end.

                  How is it that you're getting a static route for the allocated address though you haven't mentioned any reverse-route in the assigned IPsec profile, and are you using this dynamic map somewhere else?

                  And have you tried using no auto-summary under EIGRP, just in case that makes things troublesome?

                   

                  It'll be great if you can share your current config and routing tables.

                   

                  Regards

                  • 6. Re: DVTI and Routing Protocol
                    Dr. RDX

                    Will test it and let you know... will reply in a few hours.

                    • 7. Re: DVTI and Routing Protocol
                      Dr. RDX

                      I had to redo this again so there might be some changes to the configs. As far as the static route goes, it gets injected by itself using DVTI; I don't think we need the reverse-route command. The client is configured using Network Extension mode this time; following is the config of the head-end device along with the IP route table. No EIGRP debugs seem to show when I connect the VPN successfully. There was a mistake earlier where a crypto map was also applied because I was testing classic EzVPN as well, so I might have forgotten to remove that when letting you guys know about it.

                       

                      Rack1R3#sh run       

                      Building configuration...

                       

                       

                      Current configuration : 2603 bytes

                      !

                      version 12.4

                      service timestamps debug datetime msec

                      service timestamps log datetime msec

                      no service password-encryption

                      !

                      hostname Rack1R3

                      !

                      boot-start-marker

                      boot-end-marker

                      !

                      enable password cisco

                      !

                      aaa new-model

                      !

                      !

                      aaa authentication login default local

                      aaa authorization network default local

                      !

                      !

                      aaa session-id common

                      memory-size iomem 5

                      ip cef

                      !

                      !

                      !

                      !

                      no ip domain lookup

                      !

                      multilink bundle-name authenticated

                      !

                      !

                      !

                      !

                      !

                      username cisco password 0 cisco

                      archive

                      log config

                        hidekeys

                      !

                      !

                      crypto isakmp policy 1

                      group 2

                      !

                      crypto isakmp policy 3

                      encr 3des

                      hash md5

                      authentication pre-share

                      group 2

                      !

                      crypto isakmp client configuration group cisco

                      key cisco

                      dns 10.2.2.2 10.2.2.3

                      wins 10.6.6.6

                      domain cisco.com

                      pool green

                      acl 199

                      !

                      crypto isakmp client configuration group IT

                      key CISCO

                      pool default

                      acl 101

                      !

                      crypto isakmp client configuration group EZVPN

                      key cisco

                      pool default

                      acl 101

                      crypto isakmp profile vpn

                         match identity group EZVPN

                         isakmp authorization list default

                         client configuration address respond

                         client configuration group EZVPN

                         virtual-template 100

                      !

                      !

                      crypto ipsec transform-set dessha esp-des esp-sha-hmac

                      crypto ipsec transform-set vpn esp-3des esp-md5-hmac

                      !

                      crypto ipsec profile vpn

                      set transform-set vpn

                      set isakmp-profile vpn

                      !

                      !

                      crypto dynamic-map mode 1

                      set transform-set dessha

                      !

                      !

                      crypto map mode isakmp authorization list default

                      crypto map mode client configuration address respond

                      crypto map mode 1 ipsec-isakmp dynamic mode

                      !        

                      !

                      !

                      ip tcp synwait-time 5

                      !

                      !

                      !

                      interface Loopback0

                      ip address 150.1.3.3 255.255.255.0

                      !

                      interface FastEthernet0/0

                      ip address 136.1.123.3 255.255.255.0

                      duplex auto

                      speed auto

                      !

                      interface Serial0/0

                      ip address 136.1.23.3 255.255.255.0

                      clock rate 64000

                      !

                      interface FastEthernet0/1

                      ip address 136.1.100.3 255.255.255.0

                      duplex auto

                      speed auto

                      !        

                      interface Serial0/1

                      no ip address

                      shutdown

                      clock rate 2000000

                      !

                      interface Virtual-Template100 type tunnel

                      ip unnumbered FastEthernet0/0

                      tunnel mode ipsec ipv4

                      tunnel protection ipsec profile vpn

                      !

                      router eigrp 1

                      network 136.1.23.3 0.0.0.0

                      network 150.1.3.3 0.0.0.0

                      no auto-summary

                      !

                      router rip

                      version 2

                      network 136.1.0.0

                      network 150.1.0.0

                      no auto-summary

                      !

                      ip local pool green 5.5.5.1 5.5.5.10

                      ip forward-protocol nd

                      !

                      !

                      no ip http server

                      no ip http secure-server

                      !

                      !

                      !

                      !

                      radius-server host 136.1.100.100 auth-port 1645 acct-port 1646

                      radius-server key CISCO

                      !

                      control-plane

                      !

                      !

                      line con 0

                      exec-timeout 0 0

                      privilege level 15

                      logging synchronous

                      line aux 0

                      exec-timeout 0 0

                      privilege level 15

                      line vty 0 4

                      password cisco

                      !

                      !

                      end

                       

                       

                      Rack1R3#

                      Rack1R3#sh ip route

                      Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

                             D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

                             N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

                             E1 - OSPF external type 1, E2 - OSPF external type 2

                             i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

                             ia - IS-IS inter area, * - candidate default, U - per-user static route

                             o - ODR, P - periodic downloaded static route

                       

                       

                      Gateway of last resort is not set

                       

                       

                           136.1.0.0/24 is subnetted, 5 subnets

                      S       136.1.11.0 [1/0] via 0.0.0.0, Virtual-Access2

                      C       136.1.23.0 is directly connected, Serial0/0

                      C       136.1.100.0 is directly connected, FastEthernet0/1

                      R       136.1.121.0 [120/1] via 136.1.123.12, 00:00:17, FastEthernet0/0

                      C       136.1.123.0 is directly connected, FastEthernet0/0

                           10.0.0.0/24 is subnetted, 1 subnets

                      R       10.0.0.0 [120/1] via 136.1.23.2, 00:00:10, Serial0/0

                           150.1.0.0/24 is subnetted, 2 subnets

                      C       150.1.3.0 is directly connected, Loopback0

                      R       150.1.1.0 [120/2] via 136.1.123.12, 00:00:17, FastEthernet0/0


                      Rack1R3#show crypto ipsec client ezvpn

                      Easy VPN Remote Phase: 6

                      Rack1R3#show crypto ipsec sa          

                       

                       

                      interface: Virtual-Access2

                          Crypto map tag: Virtual-Access2-head-0, local addr 136.1.123.3

                       

                       

                         protected vrf: (none)

                         local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

                         remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

                         current_peer 136.1.121.1 port 500

                           PERMIT, flags={origin_is_acl,}

                          #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10

                          #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1

                          #pkts compressed: 0, #pkts decompressed: 0

                          #pkts not compressed: 0, #pkts compr. failed: 0

                          #pkts not decompressed: 0, #pkts decompress failed: 0

                          #send errors 1, #recv errors 0

                       

                       

                           local crypto endpt.: 136.1.123.3, remote crypto endpt.: 136.1.121.1

                           path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

                           current outbound spi: 0x958AEE18(2508910104)

                       

                       

                           inbound esp sas:

                            spi: 0xB765EF0F(3076910863)

                              transform: esp-3des esp-md5-hmac ,

                              in use settings ={Tunnel, }

                              conn id: 7, flow_id: 7, crypto map: Virtual-Access2-head-0

                              sa timing: remaining key lifetime (k/sec): (4433730/3304)

                              IV size: 8 bytes

                              replay detection support: Y

                              Status: ACTIVE

                       

                       

                           inbound ah sas:

                       

                       

                           inbound pcp sas:

                       

                       

                           outbound esp sas:

                            spi: 0x958AEE18(2508910104)

                              transform: esp-3des esp-md5-hmac ,

                              in use settings ={Tunnel, }

                              conn id: 8, flow_id: 8, crypto map: Virtual-Access2-head-0

                              sa timing: remaining key lifetime (k/sec): (4433728/3304)

                              IV size: 8 bytes

                              replay detection support: Y

                              Status: ACTIVE

                       

                       

                           outbound ah sas:

                       

                       

                           outbound pcp sas:

                      • 8. Re: DVTI and Routing Protocol
                        Bhupendra

                        Hi Dr

                         

                        Thanks for the prompt response.

                        If the client uses DVTI, its IP address shows up as Remote Ident in the head-end IPsec SA.

                        I'd like to remind you that if you're using a legacy remote client with this server, route injection won't work.

                        Check this compatibility table : http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_easy_vpn_rem_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1291721

                         

                        Plus, there is a typo in your config, as your crypto map attaches to the FastEthernet while you're advertising Serial into your EIGRP 1.

                         

                        hth

                        • 9. Re: DVTI and Routing Protocol
                          Dr. RDX

                          Keeping in mind that I have DVTI terminated on a virtual interface (unnumbered to Fa0/0), which interface should I advertise in the EIGRP process? If I advertise the outside physical one it goes into a recursive routing loop. The logic is the same as DMVPN etc., where we can't advertise the outside real address over the tunnel.

                           

                          Also, which interface should I advertise on the client?

                          • 10. Re: DVTI and Routing Protocol
                            Paul Stewart  -  CCIE Security

                            I'm struggling to wrap my mind around the need for a routing protocol here.  If using the EZVPN hardware client, the client will tunnel everything except the tunnel itself back to the EZVPN server.  Alternatively, it can receive a split-tunnel ACL.  The EZVPN server receives the remote network as a static route if using NEM and Reverse Route Injection.  So if this is a sophisticated solution requiring additional nodes at the remote side, the client can always redistribute a default route.  The head end can always redistribute what is learned via RRI.  So even if this was used as a backup to a WAN, it would work without running EIGRP over DVTI (I've seen this work well over SVTI, but have not experimented nor felt the need to on DVTI).  The only argument I could see for requiring EIGRP in an EZVPN environment is if you had multiple client devices backing each other up.  I'm sure I'm missing something and there may be some use case and documented strategy for doing it.  I've just not run across it.
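                            As an added illustration of the RRI-plus-redistribution approach described in the reply above (this is example configuration, not from the original posts or the INE workbook): the head end hands the static route that the DVTI injects for the NEM client's inside network to EIGRP on its LAN side, and the client hands its tunnel default route to routers behind it. No IGP runs across the tunnel. Assumptions: EIGRP AS 1 on both sides, the addresses from the thread (136.1.11.0/24 behind the client, 136.1.23.3 and 150.1.3.3 on the head end, 136.1.123.3 as the peer, as in the second posted config), an IOS EzVPN remote using virtual-interface so that its default route points at a virtual-access interface, and the seed-metric and prefix-list values.

```ios
! ---- Head end (Rack1R3), added example ----
! The DVTI already installs "S 136.1.11.0/24 via Virtual-Access2" for a NEM client
! (visible in the posted "sh ip route"); "reverse-route" is listed to make the
! injection explicit. Assumed profile name "vpn" matches the posted config.
crypto ipsec profile vpn
 set transform-set vpn
 set isakmp-profile vpn
 reverse-route
!
! Only the LAN-side interfaces are in EIGRP; the outside interface (Fa0/0,
! 136.1.123.0/24) is deliberately absent so nothing learned over the tunnel can
! replace the route to the peer (the recursive-routing problem from this thread).
router eigrp 1
 network 136.1.23.3 0.0.0.0
 network 150.1.3.3 0.0.0.0
 no auto-summary
 ! Static-to-EIGRP redistribution needs a seed metric (or "default-metric");
 ! bandwidth/delay/reliability/load/MTU values here are assumptions.
 redistribute static metric 10000 100 255 1 1500 route-map VPN-CLIENTS-ONLY
!
! Leak only the RRI prefix(es), never every static the head end carries.
ip prefix-list VPN-CLIENTS seq 5 permit 136.1.11.0/24
route-map VPN-CLIENTS-ONLY permit 10
 match ip address prefix-list VPN-CLIENTS
!
! ---- Client (Rack1R1), added example ----
! NEM over a client-side VTI. With no split-tunnel ACL pushed by the server the
! remote installs a default route toward Virtual-Access; that is what gets
! redistributed to routers behind Fa0/1. Outside interface stays out of EIGRP.
crypto ipsec client ezvpn EZVPN
 connect auto
 group EZVPN key cisco
 mode network-extension
 peer 136.1.123.3
 virtual-interface 1
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
!
interface FastEthernet0/0
 crypto ipsec client ezvpn EZVPN
!
interface FastEthernet0/1
 crypto ipsec client ezvpn EZVPN inside
!
router eigrp 1
 network 136.1.11.1 0.0.0.0
 no auto-summary
 redistribute static metric 10000 100 255 1 1500 route-map DEFAULT-ONLY
!
ip prefix-list DEFAULT seq 5 permit 0.0.0.0/0
route-map DEFAULT-ONLY permit 10
 match ip address prefix-list DEFAULT
```

                            Check it with "show ip route static" on both routers before looking at EIGRP: if the RRI route (head end) or the tunnel default (client) is not there, the redistribution has nothing to carry. The route-maps are the important part for security: without them, "redistribute static" would also leak any management or null routes configured on the box into the IGP.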

                            • 11. Re: DVTI and Routing Protocol
                              Kingsley - CCSP/CCIP/ CCNP/CCIE Security

                              You need to tweak the configuration to make the routing protocol to work.

                               

                              Your Server's and Client's Virtual-Access interface IP addresses will not be in the same subnet and hence EIGRP will not work across the VTI. As per your 2nd configuration, the Server's VTI will have the IP address of 136.1.100.3 and the client's VTI will have an IP address in the subnet 5.5.5.1-5.5.5.10 (pool address).

                               

                              Now you see that both VTI's IP address are in different subnet and hence EIGRP doesn't work.

                               

                              Let's fix it, do the following:

                               

                              Server side configuration

                              ==================

                               

                              1. On the server, configure a loopback interface with IP address 5.5.5.254/24.
                              2. Unnumber the Server VTI to this loopback interface.
                              3. Configure the pool to 5.5.5.1 - 5.5.5.253.
                              4. Configure "network 5.5.5.0 0.0.0.255" under EIGRP.

                               

                              On client

                              =======

                               

                              Configure "network 5.5.5.0 0.0.0.255" under EIGRP.

                               

                               

                              Disable auto-summary for EIGRP on both client and server.

                               

                               

                              Now both Server's and Client's VTI will be in the same 5.5.5.0/24 subnet and network 5.5.5.0 0.0.0.255 establishes EIGRP relationship.

                               

                               

                              This fixes your issue.

                               

                               

                              With regards

                              Kings

                              • 12. Re: DVTI and Routing Protocol
                                Dr. RDX

                                I got it and was able to get EIGRP up and running.

                                 

                                THANKS EVERYONE

                                • 13. Re: DVTI and Routing Protocol
                                  Bhupendra

                                  Hi Kings,

                                   

                                  I guess you skipped a point in his config: he's not even using that pool, so the only way his tunnel came up can be due to the client being in NEM.

                                   

                                  Aside to Dr.:

                                  if you switch the remote to client mode, the solution provided by Kings must be more than sufficient.

                                   

                                   

                                  • 14. Re: DVTI and Routing Protocol
                                    Kingsley - CCSP/CCIP/ CCNP/CCIE Security

                                    His first config was in client mode.

                                     

                                    Anyway, for NEM also, the same logic should be used. Both VTIs should be unnumbered to interfaces that are in the same subnet.

                                     

                                    Check out the "sh crypto ipsec sa" output: the local address and current peer are in different subnets and hence EIGRP is not going to run.

                                     

                                     

                                    Rack1R3#show crypto ipsec sa          

                                     

                                     

                                    interface: Virtual-Access2

                                        Crypto map tag: Virtual-Access2-head-0, local addr 136.1.123.3

                                     

                                     

                                       protected vrf: (none)

                                       local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

                                       remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

                                       current_peer 136.1.121.1 port 500

                                     

                                     

                                    To fix it, unnumber the client's and server's VTIs to interfaces whose IP addresses are in the same subnet and configure "network X.X.X.X" for that network.

                                     

                                    If the outgoing interfaces are not directly connected, then create loopback interfaces on the server and client in the same subnet and unnumber the VTIs to those loopback interfaces.

                                     

                                    Then run EIGRP over that subnet (the loopback interfaces' IP subnet) using network X.X.X.X.

                                     

                                    Remember to have the loopback interface's IP address reachable, either by using static routes or through the IGP.

                                     

                                    With regards

                                    Kings
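                                    The recipe from replies #11 and #14, written out as one added example (this is illustrative configuration, not from the original posts or the workbook): both VTIs borrow their address from a loopback in one shared subnet, so each router sees the other's EIGRP hello as coming from its own subnet and forms the adjacency over the virtual-access interface. Assumptions: Loopback5 as the interface name on both routers, 5.5.5.0/24 as the shared VTI subnet, EIGRP AS 1, NEM with the IOS EzVPN remote's virtual-interface so the client has a VTI to unnumber, 136.1.123.3 as the peer address (as in the second posted config), and Fa0/1 (136.1.11.0/24) as the client's inside network.

```ios
! ---- Head end (Rack1R3), added example ----
! The DVTI borrows its address from Loopback5, which is in the same /24 as the
! client-side loopback below. EIGRP discards hellos from a source that is not on
! the receiving interface's subnet, which is why 136.1.123.x vs 5.5.5.x never paired.
interface Loopback5
 ip address 5.5.5.254 255.255.255.0
!
interface Virtual-Template100 type tunnel
 ip unnumbered Loopback5
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vpn
!
! Client-mode variant (reply #11): keep the pool inside the same subnet as the
! loopback so the assigned address lands in 5.5.5.0/24:
!   ip local pool green 5.5.5.1 5.5.5.253
!
router eigrp 1
 ! 5.5.5.0/24 forms the adjacency; 136.1.23.3 is an inside network to advertise.
 network 5.5.5.0 0.0.0.255
 network 136.1.23.3 0.0.0.0
 ! The outside interface (Fa0/0, 136.1.123.0/24) is intentionally absent: a route
 ! to the peer learned through the tunnel is the recursive-routing loop from reply #9.
 no auto-summary
!
! ---- Client (Rack1R1), added example ----
interface Loopback5
 ip address 5.5.5.1 255.255.255.0
!
crypto ipsec client ezvpn EZVPN
 connect auto
 group EZVPN key cisco
 mode network-extension
 peer 136.1.123.3
 virtual-interface 1
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback5
 tunnel mode ipsec ipv4
!
interface FastEthernet0/0
 crypto ipsec client ezvpn EZVPN
!
interface FastEthernet0/1
 crypto ipsec client ezvpn EZVPN inside
!
router eigrp 1
 network 5.5.5.0 0.0.0.255
 network 136.1.11.1 0.0.0.0
 no auto-summary
!
! Expected on the head end once the SA is up (interface number may differ):
!   show ip eigrp neighbors   -> 5.5.5.1 on Virtual-Access2
!   show ip route             -> networks behind R1 learned as "D ... via 5.5.5.1, Virtual-Access2"
```

                                    Two things to expect when verifying. First, the head end still holds the RRI static for 136.1.11.0/24 (AD 1) that the DVTI injects for a NEM client, so that prefix keeps showing as "S" rather than "D"; EIGRP (AD 90) only adds value for networks behind the client that NEM does not announce, which is what the lab is after. Second, the DVTI's traffic selectors are 0.0.0.0/0 on both sides (as the posted "sh crypto ipsec sa" shows), so the 224.0.0.10 hellos are carried inside the SA without any extra ACL entry; if the neighbor never appears, check the subnet match with "show ip interface Virtual-Access2" on both ends before anything else.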
