
Site-to-Site VPN - Dynamic Virtual Tunnel Interface (DVTI) 1


cflcrosland

IS-IT--Management
Apr 3, 2012
The Problem
Hi,

I am trying to create a site-to-site VPN using Dynamic VTI interfaces.

I have followed the guides here
The reason I want to use a Dynamic VTI on the router "MAIN-SITE" is because router "REMOTE" has a dynamic WAN IP that changes daily.

I have managed to configure and set up a site-to-site connection using static VTIs on both ends, and my config is below.

When I create the dynamic tunnel, the connection comes up between the sites but I cannot pass any traffic. I think it is as simple as a routing issue; for testing purposes I only want static routes (no routing protocols).

Can someone help me adapt the working static VTI configs below to enable DVTIs? I think the bulk of the changes need to be made on the router "MAIN-SITE".

Main Site Config
MAIN-SITE#sh run
Building configuration...

Current configuration : 1379 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MAIN-SITE
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxx
!
no aaa new-model
ip cef
!
!
!
!
ip name-server 8.8.4.4
ip name-server 8.8.8.8
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxx address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
set transform-set TSET
!
!
!
!
!
interface Tunnel0
ip address 192.168.10.1 255.255.255.0
tunnel source 92.237.119.115
tunnel destination 92.22.178.247
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
!
interface Ethernet0/0
ip address 92.237.119.115 255.255.255.248
ip mtu 1460
half-duplex
!
interface FastEthernet0/0
ip address 192.168.75.1 255.255.255.0
speed auto
!
interface Serial1/0
no ip address
shutdown
!
ip route 0.0.0.0 0.0.0.0 92.237.119.113
ip route 10.0.0.0 255.0.0.0 192.168.10.2
!
no ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 30 0
password XXXXXX
login
transport input telnet
line vty 5 15
exec-timeout 30 0
password XXXXX
login
transport input telnet
!
end

Remote Site Config
REMOTE#sh run
Building configuration...

Current configuration : 1843 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname REMOTE
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1
ip dhcp excluded-address 10.0.0.2
!
ip dhcp pool KILN
network 10.0.0.0 255.0.0.0
default-router 10.0.0.1
dns-server 8.8.4.4
!
!
ip name-server 8.8.4.4
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXXXXX address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
set transform-set TSET
!
!
!
!
interface Tunnel0
ip address 192.168.10.2 255.255.255.0
tunnel source Dialer1
tunnel destination 92.237.119.115
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
!
interface Ethernet0/0
no ip address
half-duplex
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0/0
ip address 10.0.0.1 255.0.0.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
speed 100
full-duplex
!
interface Serial1/0
no ip address
shutdown
!
interface Dialer1
ip address negotiated previous
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname XXX
ppp chap password 0 XXXXXX
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.75.0 255.255.255.0 192.168.10.1
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer1 overload
!
access-list 1 permit 10.0.0.0 0.255.255.255
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
end
 
Have you tried specifying the tunnel interfaces as the exit points for the routes? Are you planning on using a routing protocol or any multicast traffic across the tunnel? If not, have you considered just using a policy-based VPN with a dynamic crypto map on the central site and a static crypto map on the remote site? Just trying to get a feel for where you're at.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
We currently use dynamic crypto maps but we have to define a lot of route maps etc. to get the traffic to go where we want it. Yes, we intend to run a routing protocol etc. And I also want to do it because it can be done!

The configs above work and the static VTIs work; I can use the Tunnel0 interface as the next hop and that works also. When using the DVTI setup there are no tunnel interfaces created, only virtual-access interfaces.

This is the example config from the NIL webpage and I have adapted it for my MAIN-SITE router:

MAIN-SITE#sh run
Building configuration...

Current configuration : 1445 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MAIN-SITE
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxx
!
no aaa new-model
ip cef
!
!
!
!
ip name-server 8.8.4.4
ip name-server 8.8.8.8
!
!
!
!
!
!
crypto keyring WPSK
pre-shared-key address 0.0.0.0 0.0.0.0 key xxxxxxxx
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp profile DVTI
keyring WPSK
match identity address 0.0.0.0
virtual-template 1
!
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
set transform-set TS
!
!
!
!
interface Loopback0
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/0
ip address 92.237.119.115 255.255.255.248
ip mtu 1460
half-duplex
!
interface FastEthernet0/0
ip address 192.168.75.1 255.255.255.0
speed auto
no keepalive
!
interface Serial1/0
no ip address
shutdown
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
!
ip route 0.0.0.0 0.0.0.0 92.237.119.113
ip route 10.0.0.0 255.0.0.0 192.168.10.2
!
no ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 30 0
password xxxxxxxxx
login
transport input telnet
line vty 5 15
exec-timeout 30 0
password xxxxxxx
login
transport input telnet
!
end

Connection is coming up on both ends

MAIN-SITE#sh crypto session det
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: Virtual-Access2
Session status: UP-ACTIVE
Peer: 92.22.141.205 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 92.22.141.205
Desc: (none)
IKE SA: local 92.237.119.115/500 remote 92.22.141.205/500 Active
Capabilities:(none) connid:9 lifetime:23:53:05
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 87 drop 0 life (KB/Sec) 4507358/3187
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4507368/3187

REMOTE Site

REMOTE#sh crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 92.237.119.115 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 92.237.119.115
Desc: (none)
IKE SA: local 92.22.141.205/500 remote 92.237.119.115/500 Active
Capabilities:D connid:1 lifetime:23:52:01
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4566938/3122
Outbound: #pkts enc'ed 100 drop 0 life (KB/Sec) 4566926/3122


What am I missing to get traffic flowing from the main site to the remote site? Looking at the session data above, it looks like the remote site is sending some traffic and it is being received on the main site, as packets are being enc'ed and dec'ed, but only one way!

I think it's something to do with the loopback interface and how it borrows the IP in the virtual template, and also how to correctly set up the routing!

Any ideas, anyone?
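
The one-way counters in the two 'show crypto session detail' outputs above are the whole diagnosis: MAIN-SITE decrypts 87 packets and encrypts 0, REMOTE encrypts 100 and decrypts 0, so the SA is fine and MAIN-SITE is simply never routing anything into its Virtual-Access interface. Below is a small parser that reads both outputs and states that conclusion mechanically. It is an added example written for this page, not code from either poster; the sample text is the two outputs from the thread copied verbatim, and the "hint" wording is my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two 'show crypto session detail' outputs posted in
# this thread, copied as they appear (the forum stripped IOS's indentation).
MAIN_SITE_OUTPUT = """\
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: Virtual-Access2
Session status: UP-ACTIVE
Peer: 92.22.141.205 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 92.22.141.205
Desc: (none)
IKE SA: local 92.237.119.115/500 remote 92.22.141.205/500 Active
Capabilities:(none) connid:9 lifetime:23:53:05
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 87 drop 0 life (KB/Sec) 4507358/3187
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4507368/3187
"""

REMOTE_OUTPUT = """\
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 92.237.119.115 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 92.237.119.115
Desc: (none)
IKE SA: local 92.22.141.205/500 remote 92.237.119.115/500 Active
Capabilities:D connid:1 lifetime:23:52:01
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4566938/3122
Outbound: #pkts enc'ed 100 drop 0 life (KB/Sec) 4566926/3122
"""


@dataclass
class CryptoSession:
    interface: str
    peer: str
    status: str
    decrypted: int   # packets this side received and decrypted
    encrypted: int   # packets this side sent and encrypted


def parse_crypto_session(text):
    """Parse every 'Interface:' section of 'show crypto session detail'."""
    sessions = []
    # Each session starts at a line beginning with "Interface:"; the text
    # before the first one is the command banner and is dropped.
    for part in re.split(r"(?m)^Interface:\s+", text)[1:]:
        def grab(pattern, conv=str):
            m = re.search(pattern, part, re.M)
            return conv(m.group(1)) if m else None
        sessions.append(CryptoSession(
            interface=part.split(None, 1)[0],
            peer=grab(r"Peer:\s+(\S+)"),
            status=grab(r"Session status:\s+(\S+)"),
            decrypted=grab(r"#pkts dec'ed\s+(\d+)", int) or 0,
            encrypted=grab(r"#pkts enc'ed\s+(\d+)", int) or 0,
        ))
    return sessions


def traffic_direction(local, remote):
    """Classify one tunnel from the counters seen at both of its ends."""
    if local.status != "UP-ACTIVE" or remote.status != "UP-ACTIVE":
        return "session-down"
    local_sends, remote_sends = local.encrypted > 0, remote.encrypted > 0
    if local_sends and remote_sends:
        return "bidirectional"
    if remote_sends:
        return "local-receives-only"
    if local_sends:
        return "local-sends-only"
    return "no-traffic"


def diagnose(local_text, remote_text):
    """Return the direction plus a plain-language hint for the local router."""
    local = parse_crypto_session(local_text)[0]
    remote = parse_crypto_session(remote_text)[0]
    direction = traffic_direction(local, remote)
    hints = {
        "session-down": "the IKE/IPsec session is not up; routing is not the problem yet",
        "bidirectional": "traffic flows both ways; if hosts still cannot talk, look beyond the tunnel",
        "local-receives-only": (f"local side decrypts on {local.interface} but never encrypts: "
                                "nothing is being routed into that interface toward the remote networks"),
        "local-sends-only": (f"remote side decrypts on {remote.interface} but never encrypts: "
                             "check the remote router's routes back toward the local networks"),
        "no-traffic": "both SAs are up but neither side routes anything into the tunnel",
    }
    return {"direction": direction, "local": local, "remote": remote, "hint": hints[direction]}


if __name__ == "__main__":
    result = diagnose(MAIN_SITE_OUTPUT, REMOTE_OUTPUT)
    print(result["direction"], "-", result["hint"])
```

Run it with MAIN-SITE as the local side and it reports "local-receives-only" against Virtual-Access2, which is exactly the state the post above describes: the remote end is sending, the hub is receiving, and the hub's own static route toward 10.0.0.0/8 never lands in the virtual-access interface.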
 
Well, I guess the problem is that you can't actually specify a next-hop for a virtual-tunnel interface. Enable EIGRP for the VT and the Tunnel interfaces and see if the neighborship is formed. Remove your static routes.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Yes, you're right. I happened to just try setting up RIPv2 to see what would happen and hey presto, I could ping both ends (I also changed the loopback addresses). I guess what I found confusing is how RIP or any routing protocol can communicate with the other end if I can't? I know they use multicast...

Below are the working configs if anyone is interested!

MAIN-SITE#sh run
Building configuration...

Current configuration : 1527 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MAIN-SITE
!
boot-start-marker
boot-end-marker
!
enable secret 5 xx
!
no aaa new-model
ip cef
!
!
!
!
ip name-server 8.8.4.4
ip name-server 8.8.8.8
!
!
!
!
!
!
crypto keyring WPSK
pre-shared-key address 0.0.0.0 0.0.0.0 key TESTTEST
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 10 periodic
crypto isakmp profile DVTI
keyring WPSK
match identity address 0.0.0.0
virtual-template 1
!
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
set transform-set TS
!
!
!
!
interface Loopback0
ip address 192.168.10.1 255.255.255.255
!
interface Ethernet0/0
ip address 92.237.119.115 255.255.255.248
ip mtu 1460
half-duplex
!
interface FastEthernet0/0
ip address 192.168.75.1 255.255.255.0
speed auto
no keepalive
!
interface Serial1/0
no ip address
shutdown
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
!
router rip
version 2
network 192.168.10.0
network 192.168.75.0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 92.237.119.113
!
no ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 30 0
password xxx
login
transport input telnet
line vty 5 15
exec-timeout 30 0
password xxx
login
transport input telnet
!
end


REMOTE#sh run
Building configuration...

Current configuration : 4210 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname REMOTE
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxx
!
no aaa new-model
ip cef
!
!
ip inspect name FIREWALL-INSP cuseeme
ip inspect name FIREWALL-INSP ftp
ip inspect name FIREWALL-INSP h323
ip inspect name FIREWALL-INSP icmp
ip inspect name FIREWALL-INSP netshow
ip inspect name FIREWALL-INSP rcmd
ip inspect name FIREWALL-INSP realaudio
ip inspect name FIREWALL-INSP rtsp
ip inspect name FIREWALL-INSP sqlnet
ip inspect name FIREWALL-INSP streamworks
ip inspect name FIREWALL-INSP tftp
ip inspect name FIREWALL-INSP tcp
ip inspect name FIREWALL-INSP udp
ip inspect name FIREWALL-INSP vdolive
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1
ip dhcp excluded-address 10.0.0.2
ip dhcp excluded-address 172.16.1.1
ip dhcp excluded-address 172.16.1.2
ip dhcp excluded-address 172.16.5.1
!
ip dhcp pool KILN
network 10.0.0.0 255.0.0.0
default-router 10.0.0.1
dns-server 8.8.4.4
!
ip dhcp pool WORK
network 172.16.1.0 255.255.255.0
default-router 172.16.1.1
dns-server 8.8.4.4
!
ip dhcp pool TALKTALK
network 172.16.5.0 255.255.255.0
default-router 172.16.5.1
dns-server 8.8.4.4
!
!
ip name-server 8.8.4.4
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key TESTTEST address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
set transform-set TSET
!
!
!
!
interface Loopback0
description IP ADDRESS FOR TUNNEL0
ip address 192.168.10.2 255.255.255.255
!
interface Tunnel0
description CONNECTION TO MAIN_SITE ROUTER
ip unnumbered Loopback0
tunnel source Dialer1
tunnel destination 92.237.119.115
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
!
interface Ethernet0/0
description PPPOE WAN INTERFACE - CONNECTED TO DIALER1
no ip address
half-duplex
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0/0
no ip address
ip virtual-reassembly
ip tcp adjust-mss 1452
speed 100
full-duplex
!
interface FastEthernet0/0.1
description LAN 1
encapsulation dot1Q 1 native
ip address 10.0.0.1 255.0.0.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface FastEthernet0/0.172
description LAN 2
encapsulation dot1Q 172
ip address 172.16.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface FastEthernet0/0.500
description LAN 3
encapsulation dot1Q 500
ip address 172.16.5.1 255.255.255.0
ip access-group ACL_BLOCK_UNTRUSTED in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Serial1/0
no ip address
shutdown
!
interface Dialer1
ip address negotiated previous
ip access-group WAN_IN in
ip mtu 1492
ip inspect FIREWALL-INSP out
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxx
ppp chap password xxx
!
router rip
version 2
network 10.0.0.0
network 172.16.0.0
network 192.168.10.0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer1 overload
!
ip access-list extended ACL_BLOCK_UNTRUSTED
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
ip access-list extended WAN_IN
permit udp any eq domain any
permit tcp 92.237.119.112 0.0.0.7 any eq telnet
permit icmp any any echo-reply
permit udp host 92.237.119.115 any eq isakmp
permit esp host 92.237.119.115 any
deny ip any any
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 172.16.1.0 0.0.0.255
access-list 1 permit 172.16.5.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
exec-timeout 30 0
password xxx
login
transport input telnet
line vty 5 15
exec-timeout 30 0
password xxx
login
transport input telnet
!
ntp server 128.138.188.172
end
 
It just has to do with the fact that you can't specify a virtual-template as an exit interface like you can with a tunnel. The fact that the routing protocol traffic is multicast really has no bearing on whether or not the tunnel comes up and traffic can pass. Once the IPsec SAs are established and the routing protocol is enabled for the interface, the respective routing protocols take care of the rest. One of the major points of using SVTI/DVTI is to support the multicast traffic.

Anyway, glad you got it sorted.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
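
The point above is checkable from the running-config alone: on a DVTI hub, a static route whose next hop is only reachable through the loopback that the virtual-template borrows (or through nothing at all) can never be tied to a Virtual-Access interface, so the route is dead until a routing protocol runs over the template. The checker below parses an IOS config into blocks and flags that pattern, and while it is reading the config it also reports three things a reviewer would raise about the configs posted in this thread: the wildcard pre-shared key (address 0.0.0.0 0.0.0.0 accepts any IKE peer that knows the key, which is what a dynamic-IP spoke needs but means the key is the only thing authenticating peers), 3DES as the IKE cipher, and Telnet on the vty lines. This is an added example written for this page, not code from the posters or from Cisco; the sample is the non-working MAIN-SITE config from the thread trimmed to the relevant sections and re-indented, and the finding codes are my own names.

```python
import ipaddress
import re

# Constructed sample: the non-working MAIN-SITE config posted in this thread,
# trimmed to the relevant sections and re-indented (IOS indents sub-commands
# with one space; the forum post lost that indentation).
SAMPLE_CONFIG = """\
crypto keyring WPSK
 pre-shared-key address 0.0.0.0 0.0.0.0 key xxxxxxxx
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile DVTI
 keyring WPSK
 match identity address 0.0.0.0
 virtual-template 1
!
interface Loopback0
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/0
 ip address 92.237.119.115 255.255.255.248
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
ip route 0.0.0.0 0.0.0.0 92.237.119.113
ip route 10.0.0.0 255.0.0.0 192.168.10.2
!
line vty 0 4
 transport input telnet
"""


def parse_ios(text):
    """Split an IOS running-config into (header, [sub-commands]) blocks."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def interface_networks(blocks):
    """Map interface name -> connected network taken from 'ip address A M'."""
    nets = {}
    for header, subs in blocks:
        if header.startswith("interface "):
            for s in subs:
                m = re.match(r"ip address (\S+) (\S+)$", s)
                if m:
                    iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
                    nets[header.split()[1]] = iface.network
    return nets


def lint(text):
    """Return a list of (code, detail) findings for the config text."""
    blocks = parse_ios(text)
    nets = interface_networks(blocks)
    has_dvti = any(h.startswith("interface Virtual-Template") for h, _ in blocks)
    findings = []
    for header, subs in blocks:
        # Static route whose next hop is reachable only via a loopback (or via
        # nothing): on a DVTI hub it never enters the Virtual-Access interface,
        # which is the routing problem this thread ran into.
        m = re.match(r"ip route (\S+) (\S+) (\d+\.\d+\.\d+\.\d+)$", header)
        if m and has_dvti:
            nh = ipaddress.ip_address(m.group(3))
            via = [name for name, net in nets.items() if nh in net]
            if not via or all(name.startswith("Loopback") for name in via):
                findings.append(("STATIC_ROUTE_VIA_DVTI", header))
        # Wildcard pre-shared key: any IKE peer that knows the key is accepted.
        if re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0", header):
            findings.append(("WILDCARD_PSK", header))
        for s in subs:
            if s.startswith("pre-shared-key address 0.0.0.0 0.0.0.0"):
                findings.append(("WILDCARD_PSK", f"{header}: {s}"))
            if header.startswith("crypto isakmp policy") and s in ("encr 3des", "encr des"):
                findings.append(("WEAK_IKE_CIPHER", f"{header}: {s}"))
            if header.startswith("line vty") and s.startswith("transport input") and "telnet" in s:
                findings.append(("TELNET_VTY", f"{header}: {s}"))
    return findings


if __name__ == "__main__":
    for code, detail in lint(SAMPLE_CONFIG):
        print(f"{code:24} {detail}")
```

Against the sample, the default route via 92.237.119.113 passes because that next hop sits on Ethernet0/0's connected /29, while the 10.0.0.0/8 route via 192.168.10.2 is flagged because 192.168.10.2 is only "connected" through Loopback0. The same check keeps flagging it if the loopback is changed to a /32 (the next hop then matches no interface at all), which is why the working configs later in the thread drop that static route in favour of RIPv2.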
 