IP/GRE Packet
Router A sends a keepalive, via the tunnel interface, to router B. Router B decapsulates the packet (strips the outer header) and sends the resulting packet back to router A.
However, if VRFs are used, the keepalive arrives inside the VRF, and the peer somehow has to get the decapsulated reply back into the global routing table. The obvious approach of simply routing it to a global destination may work for certain border cases, but IOS then sends the GRE reply packet in the clear over the wire instead of through the IPsec tunnel.
The most generic solution I've found so far is to configure a secondary tunnel interface that interconnects the VRF and the global routing table, and to add a route inside the VRF that points the keepalive destination at that tunnel interface.
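The following is an added example, not code from the page or from Cisco: a small Python model of the keepalive round trip described above (router A wraps a B-to-A GRE packet inside an A-to-B GRE packet; B strips the outer headers and is left with a packet addressed back to A) together with a longest-prefix lookup that shows why the reply is dropped when decapsulation happens inside the VRF, and how the helper-tunnel static route fixes it. The addresses, the tiny route tables and the `Tunnel0`/`Tunnel10` next hops are assumptions modelled on the configuration below.

```python
"""GRE keepalive round trip and the VRF routing problem, as a constructed model.

Added example, not IOS code. Addresses and route tables are assumptions
modelled on the page's configuration.
"""
import ipaddress
import struct

IPPROTO_GRE = 47
GRE_PROTO_IPV4 = 0x0800   # GRE protocol type for an IPv4 payload
GRE_PROTO_NONE = 0x0000   # Cisco keepalive: inner GRE header carries no payload


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header whose payload is GRE."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 255,
                      IPPROTO_GRE, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def gre_header(proto: int) -> bytes:
    """RFC 2784 GRE header with no optional fields."""
    return struct.pack("!HH", 0, proto)


def build_keepalive(sender: str, peer: str) -> bytes:
    """Keepalive as router A sends it: outer A->B GRE wrapping a B->A GRE packet."""
    inner = ipv4_header(peer, sender, 4) + gre_header(GRE_PROTO_NONE)
    return ipv4_header(sender, peer, 4 + len(inner)) + gre_header(GRE_PROTO_IPV4) + inner


def parse_ipv4(pkt: bytes) -> dict:
    """Parse one IPv4 header, verifying its checksum, and return src/dst/proto/payload."""
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if _checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 checksum")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": pkt[ihl:total]}


def decapsulate(pkt: bytes) -> bytes:
    """What router B does on receipt: strip the outer IP and GRE headers."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("not GRE")
    _flags, proto = struct.unpack("!HH", outer["payload"][:4])
    if proto != GRE_PROTO_IPV4:
        raise ValueError("GRE payload is not IPv4")
    return outer["payload"][4:]


def lookup(table: dict, dst: str):
    """Longest-prefix match over {prefix: next_hop}; None when nothing matches."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for prefix, next_hop in table.items():
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def keepalive_reply_next_hop(sender: str, peer: str, vrf_table: dict):
    """Decapsulate inside the VRF (Tunnel0 is 'ip vrf forwarding vpn') and
    return the reply packet plus where that VRF would forward it."""
    reply = parse_ipv4(decapsulate(build_keepalive(sender, peer)))
    return reply, lookup(vrf_table, reply["dst"])


# Constructed route tables for router B's VRF "vpn", modelled on the page's config.
VRF_WITHOUT_HELPER = {"172.16.0.0/30": "Tunnel0"}   # only the tunnel subnet EIGRP knows
VRF_WITH_HELPER = {"172.16.0.0/30": "Tunnel0",
                   "10.0.0.1/32": "Tunnel10"}       # ip route vrf vpn 10.0.0.1 ... Tunnel10

if __name__ == "__main__":
    for name, table in (("without helper", VRF_WITHOUT_HELPER), ("with helper", VRF_WITH_HELPER)):
        reply, next_hop = keepalive_reply_next_hop("10.0.0.1", "10.0.0.2", table)
        print(f"{name}: reply {reply['src']} -> {reply['dst']} forwarded via {next_hop}")
```

Without the helper route the VRF has no path to router A's global loopback, so the decapsulated reply is dropped and the keepalive never returns; with the `/32` pointing at the helper tunnel the VRF hands the reply to an interface that lives in the global table, where the crypto map on the uplink can pick it up.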
GRE Router 0

!
version 12.4
!
hostname gre0
!
ip cef
!
ip vrf vpn
 rd 1:100
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key test address 2.0.0.1 no-xauth
!
crypto ipsec transform-set DES-MD5 esp-des esp-md5-hmac
!
crypto map CRYPTOMAP 10 ipsec-isakmp
 set peer 2.0.0.1
 set transform-set DES-MD5
 match address cryptoacl
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface Tunnel0
 ip vrf forwarding vpn
 ip address 172.16.0.1 255.255.255.252
 keepalive 5 3
 tunnel source Loopback0
 tunnel destination 10.0.0.2
!
interface Tunnel10
 description helper tunnel to forward keepalives to global vrf
 ip unnumbered Loopback0
 tunnel source Loopback0
 tunnel destination 10.0.0.1
!
interface FastEthernet0
 description internet uplink
 ip address 1.0.0.1 255.255.255.0
 crypto map CRYPTOMAP
!
router eigrp 100
 address-family ipv4 vrf vpn
  network 172.16.0.0
  no auto-summary
  autonomous-system 100
  eigrp router-id 172.16.0.1
 exit-address-family
!
! If the EIGRP tunnel flaps for no apparent reason, try adding:
! ip route 172.16.0.0 255.255.255.252 Tunnel0
! Some IOS versions seem to leak EIGRP packets to the global VRF.
!
ip route 0.0.0.0 0.0.0.0 1.0.0.254
ip route vrf vpn 10.0.0.2 255.255.255.255 Tunnel10
!
ip access-list extended cryptoacl
 permit ip host 10.0.0.1 host 10.0.0.2
!

GRE Router 1

!
version 12.4
!
hostname gre1
!
ip cef
!
ip vrf vpn
 rd 1:100
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key test address 1.0.0.1 no-xauth
!
crypto ipsec transform-set DES-MD5 esp-des esp-md5-hmac
!
crypto map CRYPTOMAP 10 ipsec-isakmp
 set peer 1.0.0.1
 set transform-set DES-MD5
 match address cryptoacl
!
interface Loopback0
 ip address 10.0.0.2 255.255.255.255
!
interface Tunnel0
 ip vrf forwarding vpn
 ip address 172.16.0.2 255.255.255.252
 keepalive 5 3
 tunnel source Loopback0
 tunnel destination 10.0.0.1
!
interface Tunnel10
 description helper tunnel to forward keepalives to global vrf
 ip unnumbered Loopback0
 tunnel source Loopback0
 tunnel destination 10.0.0.2
!
interface FastEthernet0
 description internet uplink
 ip address 2.0.0.1 255.255.255.0
 crypto map CRYPTOMAP
!
router eigrp 100
 address-family ipv4 vrf vpn
  network 172.16.0.0
  no auto-summary
  autonomous-system 100
  eigrp router-id 172.16.0.2
 exit-address-family
!
! If the EIGRP tunnel flaps for no apparent reason, try adding:
! ip route 172.16.0.0 255.255.255.252 Tunnel0
! Some IOS versions seem to leak EIGRP packets to the global VRF.
!
ip route 0.0.0.0 0.0.0.0 2.0.0.254
ip route vrf vpn 10.0.0.1 255.255.255.255 Tunnel10
!
ip access-list extended cryptoacl
 permit ip host 10.0.0.2 host 10.0.0.1
!