Cisco IPSec VPN using VTI Interface

paamaran
Posts: 4
Joined: Mon Apr 03, 2017 3:20 pm

Cisco IPSec VPN using VTI Interface

Post by paamaran » Sat May 13, 2017 7:55 pm

Hi All,

I am trying to set up a Cisco IPSec VPN using VTI interfaces.

I followed the link below for reference:

http://www.cisco.com/en/US/docs/ios/12_ ... #wp1063136

I did everything as per the instructions. Of course I have changed the IP scheme to my own.

The tunnel is showing UP. But I am able to do an end-to-end ping from the hosts.

Can anybody help me out with what mistake I am making?

My Environment:

EVE-NG
Mac OS X El Capitan
All the Routers are Cisco 7206 VXR ADV ENTERPRISE IMAGE

I have attached the Topology and config files of the two Routers and Tunnel Status etc

I am happy to provide more input if need be

I have tried attaching the config files, but I am not able to do so. The forum does not allow uploading .txt or .log files, so I am pasting the config here.

// VXR1 Config Details //

VXR1#show run
Building configuration...

Current configuration : 1490 bytes
!
! Last configuration change at 20:59:15 UTC Sat May 13 2017
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname VXR1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key Cisco12345 address 0.0.0.0
!
!
crypto ipsec transform-set T1 esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile P1
set transform-set T1
!
!
!
!
!
!
!
interface Tunnel0
ip address 10.10.10.1 255.255.255.0
tunnel source 100.1.1.1
tunnel mode ipsec ipv4
tunnel destination 200.1.1.1
tunnel protection ipsec profile P1
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex full
!
interface FastEthernet1/0
ip address 100.1.1.1 255.255.255.0
duplex full
!
interface FastEthernet2/0
no ip address
shutdown
duplex full
!
interface FastEthernet3/0
no ip address
shutdown
duplex full
!
interface FastEthernet4/0
no ip address
shutdown
duplex full
!
interface FastEthernet5/0
no ip address
shutdown
duplex full
!
interface FastEthernet6/0
no ip address
shutdown
duplex full
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 100.1.1.2
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
end

VXR1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is 100.1.1.2 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 100.1.1.2
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/24 is directly connected, Tunnel0
L 10.10.10.1/32 is directly connected, Tunnel0
100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 100.1.1.0/24 is directly connected, FastEthernet1/0
L 100.1.1.1/32 is directly connected, FastEthernet1/0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, FastEthernet0/0
L 192.168.1.1/32 is directly connected, FastEthernet0/0
S 192.168.2.0/24 is directly connected, Tunnel0
VXR1#show int tun
VXR1#show int tunnel 0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 10.10.10.1/24
MTU 17886 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 100.1.1.1, destination 200.1.1.1
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Tunnel transport MTU 1446 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "P1")
Last input never, output never, output hang never
Last clearing of "show interface" counters 00:24:01
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
VXR1#
VXR1#show crypto session
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 200.1.1.1 port 500
IKEv1 SA: local 100.1.1.1/500 remote 200.1.1.1/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map

VXR1#
VXR1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
100.1.1.1 200.1.1.1 QM_IDLE 1002 ACTIVE

IPv6 Crypto ISAKMP SA

VXR1#
VXR1#show crypto ipsec sa

interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 100.1.1.1

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 200.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 100.1.1.1, remote crypto endpt.: 200.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
current outbound spi: 0x6ABCA84D(1790748749)
PFS (Y/N): N, DH group: none


VPCS Ping & Trace Results

VPCS> ping 200.1.1.1

84 bytes from 200.1.1.1 icmp_seq=1 ttl=254 time=101.035 ms
84 bytes from 200.1.1.1 icmp_seq=2 ttl=254 time=62.694 ms
84 bytes from 200.1.1.1 icmp_seq=3 ttl=254 time=44.362 ms
84 bytes from 200.1.1.1 icmp_seq=4 ttl=254 time=43.343 ms
84 bytes from 200.1.1.1 icmp_seq=5 ttl=254 time=59.422 ms

VPCS> ping 192.168.2.10

192.168.2.10 icmp_seq=1 timeout
192.168.2.10 icmp_seq=2 timeout
192.168.2.10 icmp_seq=3 timeout
192.168.2.10 icmp_seq=4 timeout
192.168.2.10 icmp_seq=5 timeout

VPCS> trace 192.168.2.10
trace to 192.168.2.10, 8 hops max, press Ctrl+C to stop
1 192.168.1.1 2.321 ms 10.235 ms 9.657 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *

VPCS>

// VXR6 Config Details //

VXR6#show run
Building configuration...

Current configuration : 1490 bytes
!
! Last configuration change at 21:03:17 UTC Sat May 13 2017
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname VXR6
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key Cisco12345 address 0.0.0.0
!
!
crypto ipsec transform-set T1 esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile P1
set transform-set T1
!
!
!
!
!
!
!
interface Tunnel0
ip address 10.10.10.2 255.255.255.0
tunnel source 200.1.1.1
tunnel mode ipsec ipv4
tunnel destination 100.1.1.1
tunnel protection ipsec profile P1
!
interface FastEthernet0/0
ip address 192.168.2.1 255.255.255.0
duplex full
!
interface FastEthernet1/0
ip address 200.1.1.1 255.255.255.0
duplex full
!
interface FastEthernet2/0
no ip address
shutdown
duplex full
!
interface FastEthernet3/0
no ip address
shutdown
duplex full
!
interface FastEthernet4/0
no ip address
shutdown
duplex full
!
interface FastEthernet5/0
no ip address
shutdown
duplex full
!
interface FastEthernet6/0
no ip address
shutdown
duplex full
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 200.1.1.2
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
end

VXR6#
VXR6#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is 200.1.1.2 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 200.1.1.2
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/24 is directly connected, Tunnel0
L 10.10.10.2/32 is directly connected, Tunnel0
S 192.168.1.0/24 is directly connected, Tunnel0
192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.2.0/24 is directly connected, FastEthernet0/0
L 192.168.2.1/32 is directly connected, FastEthernet0/0
200.1.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 200.1.1.0/24 is directly connected, FastEthernet1/0
L 200.1.1.1/32 is directly connected, FastEthernet1/0
VXR6#show int tu
VXR6#show int tunnel 0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 10.10.10.2/24
MTU 17886 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 200.1.1.1, destination 100.1.1.1
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Tunnel transport MTU 1446 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "P1")
Last input never, output never, output hang never
Last clearing of "show interface" counters 00:29:41
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
VXR6#show cr
VXR6#show crypto se
VXR6#show crypto session
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 100.1.1.1 port 500
IKEv1 SA: local 200.1.1.1/500 remote 100.1.1.1/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map

VXR6#show cr
VXR6#show crypto sa
VXR6#show crypto is
VXR6#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
100.1.1.1 200.1.1.1 QM_IDLE 1004 ACTIVE

IPv6 Crypto ISAKMP SA

VXR6#show cr
VXR6#show crypto ipsec sa

interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 200.1.1.1

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 100.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 200.1.1.1, remote crypto endpt.: 100.1.1.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1/0
current outbound spi: 0xAE4D3824(2924296228)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x6ABCA84D(1790748749)

VXR6#

VPCS> trace 192.168.1.10
trace to 192.168.1.10, 8 hops max, press Ctrl+C to stop
1 192.168.2.1 7.036 ms 9.320 ms 10.027 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *

VPCS>

Kindly Help

Thanks

PAM
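As an added example (the editor's own code, not the poster's or EVE-NG's), the script below reads the kind of output pasted above and pulls out the two things a reviewer would check first: whether the crypto configuration carries settings that are weak by today's standards, and whether the `show crypto ipsec sa` counters show that traffic is actually entering the tunnel. The embedded config and SA excerpts are constructed from the VXR1 output in the post (leading spaces dropped, as the forum did); the block parser therefore does not rely on indentation. The judgement that 3DES, DH group 2, a pre-shared key bound to `0.0.0.0` and a profile without `set pfs` are weak settings is the editor's, and the "idle" diagnosis simply encodes what the post's counters show: both IKE and IPsec SAs are active while `#pkts encaps`/`decaps` stay at zero, so the fault lies before the crypto (routing or encapsulation), not in key negotiation.

```python
import re

# Constructed excerpt of the VXR1 running-config pasted in the post (forum stripped indentation).
RUNNING_CONFIG = """\
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key Cisco12345 address 0.0.0.0
!
crypto ipsec transform-set T1 esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile P1
set transform-set T1
!
interface Tunnel0
ip address 10.10.10.1 255.255.255.0
tunnel source 100.1.1.1
tunnel mode ipsec ipv4
tunnel destination 200.1.1.1
tunnel protection ipsec profile P1
"""

# Constructed excerpt of VXR1's "show crypto ipsec sa" from the post.
IPSEC_SA = """\
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 100.1.1.1
current_peer 200.1.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors 0
PFS (Y/N): N, DH group: none
"""

# Commands that open a new block in IOS config; everything else is a child line.
TOP_LEVEL = ("crypto ", "interface ", "ip route ", "hostname ")


def parse_blocks(config):
    """Group config lines into (header, [children]) without relying on indentation."""
    blocks = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith(TOP_LEVEL):
            blocks.append((line, []))
        elif blocks:
            blocks[-1][1].append(line)
    return blocks


def audit_crypto_config(config):
    """Return (finding_id, offending_line, note) tuples; the PSK itself is redacted."""
    findings = []
    for header, children in parse_blocks(config):
        if header.startswith("crypto isakmp policy"):
            if "encr 3des" in children:
                findings.append(("isakmp-3des", header, "IKE uses 3DES; prefer AES"))
            if "group 2" in children:
                findings.append(("isakmp-dh-group-2", header, "1024-bit DH; prefer group 14 or stronger"))
        elif header.startswith("crypto isakmp key"):
            parts = header.split()  # crypto isakmp key <key> address <peer> [mask]
            shown = header.replace(parts[3], "<redacted>")
            if "address" in parts and parts[parts.index("address") + 1] == "0.0.0.0":
                findings.append(("wildcard-psk", shown, "PSK bound to 0.0.0.0: bind it to the peer address"))
        elif header.startswith("crypto ipsec transform-set"):
            if "esp-3des" in header.split():
                findings.append(("ipsec-3des", header, "ESP uses 3DES; prefer esp-aes 256"))
        elif header.startswith("crypto ipsec profile"):
            if not any(c.startswith("set pfs") for c in children):
                findings.append(("no-pfs", header, "no 'set pfs': IPsec keys derive only from the IKE SA"))
    return findings


COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt): (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors (\d+)")


def parse_sa_counters(show_output):
    """Extract packet counters, error counters and the peer from 'show crypto ipsec sa'."""
    counters = {name: int(val) for name, val in COUNTER_RE.findall(show_output)}
    counters.update({f"{name}_errors": int(val) for name, val in ERROR_RE.findall(show_output)})
    peer = re.search(r"current_peer (\S+) port (\d+)", show_output)
    counters["peer"] = peer.group(1) if peer else None
    return counters


def diagnose(counters):
    """Classify the SA: 'idle' (nothing entered the tunnel), 'one-way', or 'ok'."""
    encaps, decaps = counters.get("encaps", 0), counters.get("decaps", 0)
    if encaps == 0 and decaps == 0:
        return "idle"      # SAs up, but no packet was ever routed into the tunnel
    if encaps == 0 or decaps == 0:
        return "one-way"   # traffic flows in one direction only
    return "ok"


if __name__ == "__main__":
    for fid, line, note in audit_crypto_config(RUNNING_CONFIG):
        print(f"[{fid}] {line}: {note}")
    sa = parse_sa_counters(IPSEC_SA)
    print(f"peer {sa['peer']}: encaps={sa['encaps']} decaps={sa['decaps']} -> {diagnose(sa)}")
```

Run it against a real capture by replacing the two constructed strings with the text of `show run` and `show crypto ipsec sa`. An "idle" result with both SAs ACTIVE, as in this thread, means the next place to look is the routing table and tunnel encapsulation, which matches the traceroute above dying at the first hop.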

Uldis (UD)
Posts: 5067
Joined: Wed Mar 15, 2017 4:44 pm
Location: London

Re: Cisco IPSec VPN using VTI Interface

Post by Uldis (UD) » Sat May 13, 2017 9:06 pm

My advice: do the lab export with all your configs, then it will be easier to load it in our EVEs and test what you have missed in there :)

UD

paamaran
Posts: 4
Joined: Mon Apr 03, 2017 3:20 pm

Re: Cisco IPSec VPN using VTI Interface

Post by paamaran » Sun May 14, 2017 5:04 pm

Hi,

Attached the LAB Export

Thank you

PAM

Uldis (UD)
Posts: 5067
Joined: Wed Mar 15, 2017 4:44 pm
Location: London

Re: Cisco IPSec VPN using VTI Interface

Post by Uldis (UD) » Mon May 15, 2017 10:32 am

change tunnel encapsulation to:

tunnel mode ipip

paamaran
Posts: 4
Joined: Mon Apr 03, 2017 3:20 pm

Re: Cisco IPSec VPN using VTI Interface

Post by paamaran » Tue May 16, 2017 6:45 am

Hi,

Can you explain a bit why the tunnel mode has to be changed to ipip? I will try changing the mode and check. Meanwhile, I just wanted to know.

Thank you

PAM
