Introduction
Normal IP Security (IPSec) configurations cannot transfer routing protocols, such as Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF), or non-IP traffic, such as Internetwork Packet Exchange (IPX) and AppleTalk. This document illustrates how to route between different networks that use a routing protocol and non-IP traffic with IPSec. This example uses generic routing encapsulation (GRE) in order to accomplish routing between the different networks.
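To make the point concrete, here is an added Python model (not Cisco's code, not part of the original document) of why the PIXes never select a bare OSPF hello or an IPX frame for IPsec, while the same payload wrapped in GRE between the routers does. It assumes Lion's crypto ACL matches the 192.168.4.0/24 to 192.168.3.0/24 proxy identities seen in the debug output below; the router addresses 192.168.4.10 (Rodney) and 192.168.3.10 (House) are constructed because the page does not show them.

```python
"""GRE-over-IPsec selection model (added example; assumptions noted inline)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

GRE, OSPF = 47, 89  # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    ethertype: str                         # "IPv4" or "IPX"; a crypto ACL only sees IPv4
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[int] = None
    payload: Optional["Packet"] = None


# Constructed samples: an OSPF hello sent out Rodney's Tunnel0 (10.1.1.2) and an IPX frame.
OSPF_HELLO = Packet("IPv4", "10.1.1.2", "224.0.0.5", OSPF)
IPX_FRAME = Packet("IPX")

# Assumed Lion crypto ACL, built from the proxy identities in the debug:
# permit ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0
CRYPTO_ACL = (ip_network("192.168.4.0/24"), ip_network("192.168.3.0/24"))

# Constructed tunnel endpoints (the page does not show the router LAN addresses).
RODNEY_E0_1, HOUSE_FA0_1 = "192.168.4.10", "192.168.3.10"


def gre_encapsulate(inner: Packet, tunnel_src: str, tunnel_dst: str) -> Packet:
    """What the Tunnel0 interface does: wrap any payload, IP or not, in IP/GRE."""
    return Packet("IPv4", tunnel_src, tunnel_dst, GRE, payload=inner)


def matches_crypto_acl(pkt: Packet, acl=CRYPTO_ACL) -> bool:
    """Does the PIX select this packet for IPsec? Only unicast IPv4 inside the proxy IDs."""
    if pkt.ethertype != "IPv4":
        return False                       # IPX/AppleTalk: no IP header to match at all
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if dst.is_multicast:
        return False                       # 224.0.0.5 never falls inside a unicast proxy ID
    return src in acl[0] and dst in acl[1]


def protected_through_tunnel(pkt: Packet) -> bool:
    """Full path from Rodney: GRE encapsulation on Tunnel0, then Lion's crypto ACL check."""
    return matches_crypto_acl(gre_encapsulate(pkt, RODNEY_E0_1, HOUSE_FA0_1))
```

The same check explains the MTU caveat in the requirements: the GRE header and then the ESP header are both added to every routing-protocol packet before it leaves the PIX.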
Refer to Configuring IPsec Router-to-Router Hub and Spoke with Communication Between the Spokes for information on how to configure a hub and spoke IPSec design between three routers.
Refer to Configuring Router-to-Router IPSec (Pre-shared Keys) on GRE Tunnel with IOS Firewall and NAT for information on how to configure the basic Cisco IOS® Firewall configuration on a GRE tunnel with Network Address Translation (NAT).
Refer to PIX/ASA 7.x and later : VPN/IPsec with OSPF Configuration Example for more information on how to configure for a VPN/IPsec with Open Shortest Path First (OSPF) on Cisco PIX Security Appliance Software Version 7.x or Cisco Adaptive Security Appliance (ASA).
Prerequisites
Requirements
Ensure that you meet these requirements before you attempt this configuration:
- Make sure that the tunnel works before you apply the crypto maps.
- Refer to Adjusting IP MTU, TCP MSS, and PMTUD on Windows and Sun Systems for information about possible Maximum Transmission Unit (MTU) issues.
Components Used
The information in this document is based on these software and hardware versions:
- Cisco 3600 that runs Cisco IOS Software Release 12.4(8)
- Cisco 2600 that runs Cisco IOS Software Release 12.4(8)
- PIX Firewall Software Release 6.3(5)
- PIX Firewall Software Release 6.3(5)
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Configure
In this section, you are presented with the information used to configure the features described in this document.
Note: Use the Command Lookup Tool (registered customers only) to find more information on the commands used in this document.
Network Diagram
This document uses this network setup:
Note: The IP addressing schemes used in this configuration are not legally routable on the Internet. These are RFC 1918 addresses which have been used in a lab environment.
Configurations
This document uses these configurations.
PIX Lion
PIX Version 6.3(5)
PIX Tiger
PIX Version 6.3(5)
Router Rodney
version 12.4
Router House
version 12.4
Verify
There is currently no verification procedure available for this configuration.
Troubleshoot
This section provides information you can use to troubleshoot your configuration.
Refer to Troubleshooting the PIX to Pass Data Traffic on an Established IPSec Tunnel for additional information on troubleshooting a PIX and IPSec tunnel.
Troubleshooting Commands
The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.
Note: Refer to Important Information on Debug Commands before you use debug commands.
PIX IPSec Good Debug
- show crypto isakmp sa—Shows the Internet Security Association Management Protocol (ISAKMP) Security Association (SA) built between peers.
Lion#show crypto isakmp sa
Total : 1
Embryonic : 0
dst src state pending created
10.64.10.15 10.64.10.16 QM_IDLE 0 1
Tiger#show crypto isakmp sa
Total SAs : 1
Embryonic : 0
dst src state pending created
10.64.10.15 10.64.10.16 QM_IDLE 0 1
- show crypto engine connection active—Shows each Phase 2 SA built and the amount of traffic sent.
Lion#show crypto engine connection active
Crypto Engine Connection Map:
size = 8, free = 6, used = 2, active = 2
Tiger#show crypto engine connection active
Crypto Engine Connection Map:
size = 8, free = 6, used = 2, active = 2
- show debug—Displays the debug output.
Lion#show debug
debug crypto ipsec
debug crypto isakmp
debug crypto engine
crypto_isakmp_process_block: src 10.64.10.15, dest 10.64.10.16
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR#
crypto_isakmp_process_block: src 10.64.10.15, dest 10.64.10.16
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 10.64.10.15, dest 10.64.10.16
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1220019031:48b80357IPSEC(key.
IPSEC(spi_response): getting spi 0xa67177c5(2792454085) for SA
from 10.64.10.15 to 10.64.10.16 for prot 3
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 10.64.10.15, dest 10.64.10.16
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1220019031
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part,
(key eng. msg.) dest= 10.64.10.15, src= 10.64.10.16,
dest_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
src_proxy= 192.168.4.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
ISAKMP (0): processing NONCE payload. message ID = 1220019031
ISAKMP (0): processing ID payload. message ID = 1220019031
ISAKMP (0): processing ID payload. message ID = 1220019031map_alloc_entry: allo2
map_alloc_entry: allocating entry 1
ISAKMP (0): Creating IPSec SAs
inbound SA from 10.64.10.15 to 10.64.10.16 (proxy 192.168.3)
has spi 2792454085 and conn_id 2 and flags 4
lifetime of 28800 seconds
lifetime of 4608000 kilobytes
outbound SA from 10.64.10.16 to 10.64.10.15 (proxy 192.168.)
has spi 285493108 and conn_id 1 and flags 4
lifetime of 28800 seconds
lifetime of 4608000 kilobytesIPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
(key eng. msg.) dest= 10.64.10.16, src= 10.64.10.15,
dest_proxy= 192.168.4.0/255.255.255.0/0/0 (type=4),
src_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 28800s and 4608000kb,
spi= 0xa67177c5(2792454085), conn_id= 2, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
(key eng. msg.) src= 10.64.10.16, dest= 10.64.10.15,
src_proxy= 192.168.4.0/255.255.255.0/0/0 (type=4),
dest_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 28800s and 4608000kb,
spi= 0x11044774(285493108), conn_id= 1, keysize= 0, flags= 0x4
return status is IKMP_NO_ERROR
Router GRE Passing Routing and Ping
- show ip route—Displays IP routing table entries.
rodney#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 192.168.4.1 to network 0.0.0.0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, Tunnel0
10.0.0.0/24 is subnetted, 1 subnets
C 10.20.20.0 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 1 subnets
C 10.22.22.0 is directly connected, Loopback1
C 192.168.4.0/24 is directly connected, Ethernet0/1
10.0.0.0/24 is subnetted, 1 subnets
S 10.10.10.0 is directly connected, Tunnel0
10.0.0.0/32 is subnetted, 1 subnets
O 10.11.11.11 [110/11112] via 10.1.1.1, 03:34:01, Tunnel0
S* 0.0.0.0/0 [1/0] via 192.168.4.1
rodney#
rodney#ping 10.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.11.11.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
house#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 192.168.3.1 to network 0.0.0.0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, Tunnel0
10.0.0.0/24 is subnetted, 1 subnets
S 10.20.20.0 is directly connected, Tunnel0
10.0.0.0/32 is subnetted, 1 subnets
O 10.22.22.22 [110/11112] via 10.1.1.2, 03:33:39, Tunnel0
10.0.0.0/24 is subnetted, 1 subnets
C 10.10.10.0 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 1 subnets
C 10.11.11.0 is directly connected, Loopback1
C 192.168.3.0/24 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 [1/0] via 192.168.3.1
house#ping 10.22.22.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.22.22.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms