Anmelka, posted 1 October 2008

Hello,

after visiting the forum regularly for quite a while, it is time for my first post. I am currently testing DMVPN phase 3 on several 3725 routers (IOS c3725-advipservicesk9-mz.124-15.T7.bin). I have everything running so far, but unfortunately only with static routes. Since the whole thing will end up with around 80 spokes, I would have to create around 80 static routes on each hub. That should not be necessary (hopefully). Because of the design I cannot use a default route on the hub and spoke routers. So my idea was to use an "ip local policy". The config is below.

ip local policy route-map DMVPN
access-list 123 permit ip host 123.123.123.1 any
route-map DMVPN permit 10
 match ip address 123
 set ip next-hop 123.123.123.2

My problem when using the ip local policy is that crypto is established, but no EIGRP adjacencies.

--------
EU-HUB(config)#do sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel1, Type:Spoke, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1   123.123.123.1     172.26.170.1  NHRP 00:08:15     S

EU-HUB(config)#
EU-HUB(config)#
EU-HUB(config)#do sh crypto isakm sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
123.123.123.1   123.123.123.5   QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

EU-HUB(config)#
EU-HUB(config)#do sh crypto ipsec sa

interface: Tunnel1
    Crypto map tag: DMVPN1-head-1, local addr 123.123.123.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (123.123.123.5/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (123.123.123.1/255.255.255.255/47/0)
   current_peer 123.123.123.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 652, #pkts encrypt: 652, #pkts digest: 652
    #pkts decaps: 342, #pkts decrypt: 342, #pkts verify: 342
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 6, #recv errors 0

     local crypto endpt.: 123.123.123.5, remote crypto endpt.: 123.123.123.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x6753A659(1733535321)

     inbound esp sas:
      spi: 0x549C5B13(1419533075)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 1, flow_id: SW:1, crypto map: DMVPN1-head-1
        sa timing: remaining key lifetime (k/sec): (4561584/1793)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x6753A659(1733535321)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2, flow_id: SW:2, crypto map: DMVPN1-head-1
        sa timing: remaining key lifetime (k/sec): (4561545/1793)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
Anmelka (original poster), posted 1 October 2008

interface: Tunnel2
    Crypto map tag: DMVPN1-head-1, local addr 123.123.123.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (123.123.123.5/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (123.123.123.1/255.255.255.255/47/0)
   current_peer 123.123.123.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 652, #pkts encrypt: 652, #pkts digest: 652
    #pkts decaps: 342, #pkts decrypt: 342, #pkts verify: 342
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 6, #recv errors 0

     local crypto endpt.: 123.123.123.5, remote crypto endpt.: 123.123.123.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x6753A659(1733535321)

     inbound esp sas:
      spi: 0x549C5B13(1419533075)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 1, flow_id: SW:1, crypto map: DMVPN1-head-1
        sa timing: remaining key lifetime (k/sec): (4561584/1792)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x6753A659(1733535321)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2, flow_id: SW:2, crypto map: DMVPN1-head-1
        sa timing: remaining key lifetime (k/sec): (4561545/1792)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

EU-HUB(config)#
EU-HUB(config)#
EU-HUB(config)#do sh ip eigrp neigh
IP-EIGRP neighbors for process 999
EU-HUB(config)#
---------

Hellos are sent, but they never arrive.
Anmelka (original poster), posted 1 October 2008

If I add a static route on the hub and the spoke, the EIGRP adjacencies come up immediately. See:

--
EU-HUB(config)#do sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel1, Type:Spoke, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1   123.123.123.1     172.26.170.1    UP 00:00:50     S

Tunnel2, Type:Hub, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1   123.123.123.1     172.26.180.1    UP    never     D

EU-HUB(config)#
EU-HUB(config)#
EU-HUB(config)#
EU-HUB(config)#do sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
123.123.123.1   123.123.123.5   QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

EU-HUB(config)#
EU-HUB(config)#
EU-HUB(config)#do sh crypto ipsec sa

interface: Tunnel1
    Crypto map tag: DMVPN1-head-1, local addr 123.123.123.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (123.123.123.5/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (123.123.123.1/255.255.255.255/47/0)
   current_peer 123.123.123.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 221, #pkts encrypt: 221, #pkts digest: 221
    #pkts decaps: 87, #pkts decrypt: 87, #pkts verify: 87
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 6, #recv errors 0

     local crypto endpt.: 123.123.123.5, remote crypto endpt.: 123.123.123.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x6753A659(1733535321)

     inbound esp sas:
      spi: 0x549C5B13(1419533075)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 1, flow_id: SW:1, crypto map: DMVPN1-head-1
        sa timing: remaining key lifetime (k/sec): (4561615/2882)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x6753A659(1733535321)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2, flow_id: SW:2, crypto map: DMVPN1-head-1
        sa timing: remaining key lifetime (k/sec): (4561599/2882)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
Anmelka (original poster), posted 1 October 2008

interface: Tunnel2
    Crypto map tag: DMVPN1-head-1, local addr 123.123.123.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (123.123.123.5/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (123.123.123.1/255.255.255.255/47/0)
   current_peer 123.123.123.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 222, #pkts encrypt: 222, #pkts digest: 222
    #pkts decaps: 87, #pkts decrypt: 87, #pkts verify: 87
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 6, #recv errors 0

     local crypto endpt.: 123.123.123.5, remote crypto endpt.: 123.123.123.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x6753A659(1733535321)

     inbound esp sas:
      spi: 0x549C5B13(1419533075)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 1, flow_id: SW:1, crypto map: DMVPN1-head-1
        sa timing: remaining key lifetime (k/sec): (4561615/2881)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x6753A659(1733535321)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 2, flow_id: SW:2, crypto map: DMVPN1-head-1
        sa timing: remaining key lifetime (k/sec): (4561599/2881)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

EU-HUB(config)#
EU-HUB(config)#do sh ip eigrp neigh
IP-EIGRP neighbors for process 999
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   172.26.170.1            Tu1               12 00:07:54  465  2790  0  3
0   172.26.180.1            Tu2               10 00:08:05  388  2328  0  6
EU-HUB(config)
-----

So: if I try the whole thing without static routes and without crypto (i.e. with ip local policy), the EIGRP adjacencies work. When using crypto and a static route, the EIGRP adjacencies work.

In the combination of crypto and ip local policy (without static routes), the EIGRP adjacencies do not work. Somehow it must be the combination of crypto, ip local policy and EIGRP. But I cannot figure it out.

By the way, I have a similar problem with ntp and ip local policy. Only with static routes do the routers connect to the ntp server; without static routes they do not. As if the ip local policy were not working.

Thanks for your help.

Regards
Anmelka

P.S.: Sorry for the German-English mix. Sometimes I just cannot think of the German words.
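The diagnostic the poster performs by hand above is comparing the NHRP peer state in "show dmvpn" between the failing run (State NHRP) and the working run (State UP). The following is an added example, not code from the thread: a small parser for the "show dmvpn" peer table that flags peers which never reached UP, fed with sample output constructed from the listings above.

```python
import re

# Constructed sample output, modelled on the thread's "show dmvpn" listings:
# the failing case (peer stuck in NHRP state) and the working case (UP).
SHOW_DMVPN_FAILING = """\
Tunnel1, Type:Spoke, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1   123.123.123.1     172.26.170.1  NHRP 00:08:15     S
"""

SHOW_DMVPN_WORKING = """\
Tunnel1, Type:Spoke, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1   123.123.123.1     172.26.170.1    UP 00:00:50     S
Tunnel2, Type:Hub, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1   123.123.123.1     172.26.180.1    UP    never     D
"""

# One tunnel header line, followed by one or more peer entry rows.
TUNNEL_RE = re.compile(r"^(Tunnel\d+), Type:(\w+), NHRP Peers:(\d+)")
PEER_RE = re.compile(
    r"^\s*(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\w+)\s+(\S+)\s+(\S+)\s*$"
)


def parse_show_dmvpn(text):
    """Return one dict per NHRP peer entry, tagged with the tunnel it belongs to."""
    peers = []
    tunnel, ttype = None, None
    for line in text.splitlines():
        m = TUNNEL_RE.match(line)
        if m:
            tunnel, ttype = m.group(1), m.group(2)
            continue
        m = PEER_RE.match(line)
        if m and tunnel:  # header and dashed separator rows do not match PEER_RE
            peers.append({"tunnel": tunnel, "type": ttype, "nbma": m.group(2),
                          "tunnel_ip": m.group(3), "state": m.group(4),
                          "updown": m.group(5), "attrb": m.group(6)})
    return peers


def stuck_peers(text):
    """Peers whose NHRP registration never reached UP; no routing adjacency can form over them."""
    return [p for p in parse_show_dmvpn(text) if p["state"] != "UP"]
```

Running stuck_peers over the output of each test run makes the NHRP-versus-UP difference visible at a glance before looking at the crypto counters.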
Otaku19, posted 1 October 2008

It would be much easier with the config.
Anmelka (original poster), posted 2 October 2008

Hello, here are the 2 configs. 2 hubs without static routes.

US-HUB:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname US-HUB
!
boot-start-marker
boot-end-marker
!
logging buffered 64000
!
no aaa new-model
memory-size iomem 5
clock timezone EST -5
clock summer-time EDT recurring
ip cef
!
!
no ip domain lookup
ip domain name login
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint RootCA
 enrollment url http://123.123.123.30:80
 revocation-check crl
!
!
crypto pki certificate chain RootCA
 certificate 0A nvram:RootCA#A.cer
 certificate ca 01 nvram:RootCA#3CA.cer
!
!
archive
 log config
  hidekeys
!
!
crypto isakmp policy 20
 encr 3des
 group 2
 lifetime 14400
crypto isakmp keepalive 10 3
!
!
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
 mode transport
crypto ipsec fragmentation after-encryption
!
crypto ipsec profile DMVPN1
 set transform-set 3DES
!
!
interface Loopback0
 ip address 172.29.254.254 255.255.255.255
!
interface Tunnel1
 description DMVPN Cloud 1 - US
 bandwidth 1024
 ip address 172.26.170.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 120
 ip nhrp redirect
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 999
 ip summary-address eigrp 999 172.29.0.0 255.255.0.0 5
 ip summary-address eigrp 999 172.26.0.0 255.255.0.0 5
 delay 50000
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile DMVPN1 shared
!
interface Tunnel2
 description DMVPN Cloud 2 - US HUB Spoke to DMVPN2
 bandwidth 1024
 ip address 172.26.180.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test2
 ip nhrp map multicast dynamic
 ip nhrp map multicast 123.123.123.5
 ip nhrp map 172.26.180.2 123.123.123.5
 ip nhrp network-id 200000
 ip nhrp holdtime 120
 ip nhrp nhs 172.26.180.2
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 delay 100000
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 200000
 tunnel protection ipsec profile DMVPN1 shared
!
interface Tunnel100
 description Hub Link
 ip address 10.1.1.1 255.255.255.0
 no ip redirects
 ip nhrp authentication test
 ip nhrp map multicast 123.123.234.2
 ip nhrp map 10.1.1.2 123.123.234.2
 ip nhrp network-id 100000
 ip nhrp redirect
 shutdown
 tunnel source FastEthernet1/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile DMVPN1
!
interface FastEthernet0/0
 description Internet Connection
 ip address 123.123.123.1 255.255.255.252
 ip policy route-map DMVPN
 speed 100
 full-duplex
!
interface FastEthernet0/1
 description LAN
 ip address 172.26.123.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 description :Hub link
 ip address 123.123.234.1 255.255.255.0
 duplex auto
 speed 100
!
router eigrp 999
 redistribute static
 network 10.1.1.0 0.0.0.255
 network 172.26.123.0 0.0.0.255
 network 172.26.170.0 0.0.0.255
 network 172.26.180.0 0.0.0.255
 no auto-summary
!
ip local policy route-map DMVPN
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
access-list 100 permit icmp any any
access-list 123 permit ip host 123.123.123.1 any
!
!
route-map DMVPN permit 10
 match ip address 123
 set ip next-hop 123.123.123.2
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 login
!
ntp clock-period 17179652
ntp server 123.123.123.30
!
end
Anmelka (original poster), posted 2 October 2008

and EU-HUB:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname EU-HUB
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
clock timezone CET 1
clock summer-time CEST recurring
ip cef
!
!
ip domain name login
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint RootCA
 enrollment url http://123.123.123.30:80
 revocation-check crl
!
!
crypto pki certificate chain RootCA
 certificate 0B nvram:RootCA#B.cer
 certificate ca 01 nvram:RootCA#3CA.cer
!
!
archive
 log config
  hidekeys
!
!
crypto isakmp policy 20
 encr 3des
 group 2
 lifetime 14400
crypto isakmp keepalive 10 3
!
!
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
 mode transport
crypto ipsec fragmentation after-encryption
!
crypto ipsec profile DMVPN1
 set transform-set 3DES
!
!
interface Tunnel1
 description DMVPN Cloud 1 - EU Hub spoke to dmvpn1
 bandwidth 1024
 ip address 172.26.170.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp map 172.26.170.1 123.123.123.1
 ip nhrp map multicast 123.123.123.1
 ip nhrp network-id 100000
 ip nhrp holdtime 120
 ip nhrp nhs 172.26.170.1
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 delay 100000
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile DMVPN1 shared
!
interface Tunnel2
 description DMVPN Cloud 2 - EU
 bandwidth 1024
 ip address 172.26.180.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test2
 ip nhrp map multicast dynamic
 ip nhrp network-id 200000
 ip nhrp holdtime 120
 ip nhrp redirect
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 999
 ip summary-address eigrp 999 172.29.0.0 255.255.0.0 5
 ip summary-address eigrp 999 172.26.0.0 255.255.0.0 5
 delay 50000
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 200000
 tunnel protection ipsec profile DMVPN1 shared
!
interface Tunnel100
 description Hub Link
 ip address 10.1.1.2 255.255.255.0
 no ip redirects
 ip nhrp authentication test
 ip nhrp map multicast 123.123.234.1
 ip nhrp map 10.1.1.1 123.123.234.1
 ip nhrp network-id 100000
 ip nhrp redirect
 shutdown
 tunnel source FastEthernet1/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile DMVPN1
!
interface FastEthernet0/0
 description LAN
 ip address 123.123.123.5 255.255.255.252
 ip policy route-map DMVPN
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 172.29.123.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 description Test
 ip address 123.123.234.2 255.255.255.0
 speed 100
 full-duplex
!
router eigrp 999
 redistribute static
 network 10.1.1.0 0.0.0.255
 network 172.26.170.0 0.0.0.255
 network 172.26.180.0 0.0.0.255
 no auto-summary
!
ip local policy route-map DMVPN
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
access-list 100 permit icmp any any
access-list 123 permit ip host 123.123.123.5 any
!
!
!
route-map DMVPN permit 10
 match ip address 123
 set ip next-hop 123.123.123.6
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 login
!
ntp clock-period 17179713
ntp server 123.123.123.30
!
end

Thanks