http://www.pro-bono-publico.de/misc/vrf-aware-gre-tunnel-keepalives/

VRF-aware GRE Tunnel Keepalives

The Problem

One of the major annoyances with Cisco's GRE tunnels is that keepalives don't work if the tunnel interface is in a VRF. The keepalive packets are sent inside the VRF, and while it's entirely possible to route them to the global VRF, IOS won't send them through an IPSec tunnel.

The Workaround

First, revisit how a GRE keepalive from router A to router B is actually constructed:

  Outer IP/GRE packet    From: Router A   To: Router B
    Inner IP/GRE packet  From: Router B   To: Router A

Router A sends a keepalive, via the tunnel interface, to router B. Router B decapsulates the packet (strips the outer header) and sends the resulting packet back to router A.
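To make the two-layer construction above concrete, here is an added example (not from the original article) that builds such a keepalive byte by byte and then performs the decapsulation step router B does. The IPv4 and GRE header layout is real; the inner GRE protocol-type value of 0 (nothing follows it) is an assumption made for this constructed packet.

```python
import struct
from socket import inet_aton, inet_ntoa

GRE_PROTO = 47            # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol-type value for an IPv4 payload


def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int, proto: int = GRE_PROTO) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, inet_aton(src), inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_header(protocol_type: int) -> bytes:
    """Plain 4-byte GRE header: no checksum/key/sequence flags, version 0."""
    return struct.pack("!HH", 0, protocol_type)


def build_keepalive(router_a: str, router_b: str) -> bytes:
    """Keepalive as sent by router A: an outer IP/GRE packet A->B that wraps
    an inner IP/GRE packet B->A carrying no payload at all (assumed GRE
    protocol type 0 on the inner header, since nothing follows it)."""
    inner = ipv4_header(router_b, router_a, 4) + gre_header(0)
    return ipv4_header(router_a, router_b, 4 + len(inner)) + gre_header(ETHERTYPE_IPV4) + inner


def decapsulate(pkt: bytes) -> bytes:
    """What router B does with a GRE packet received on its tunnel interface:
    strip the outer IPv4 and GRE headers and forward whatever is left."""
    if pkt[9] != GRE_PROTO:
        raise ValueError("outer packet is not GRE")
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl + 4:]


def addresses(pkt: bytes) -> tuple:
    """(source, destination) of an IPv4 packet."""
    return inet_ntoa(pkt[12:16]), inet_ntoa(pkt[16:20])
```

After decapsulation the remaining packet is addressed from router B's tunnel source to router A's, which is exactly the packet that ends up in the VRF when the tunnel interface is VRF-bound.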

However, if VRFs are used, the keepalive is sent inside the VRF, so the decapsulated reply ends up in the VRF as well, and the peer has to get it back to the global VRF ... somehow. The obvious approach of simply routing it to a global destination may work for certain border cases, but IOS then sends the GRE reply packet unprotected over the wire instead of through the IPSec tunnel.

The most generic solution I've found so far is to configure a secondary tunnel interface that interconnects the VRF and the global routing table, and to add a route inside the VRF that points the keepalive destinations at that helper tunnel interface.

An Example

Here's a sample configuration for a VRF-EIGRP-GRE-IPSec setup. The lines that actually make GRE keepalives for VRF tunnels work are the Tunnel10 helper interface and the static route in VRF vpn that points the peer's tunnel source at Tunnel10:

GRE Router 0 (gre0)
!
version 12.4
!
hostname gre0
!
ip cef
!
ip vrf vpn
 rd 1:100
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key test address 2.0.0.1 no-xauth
!
crypto ipsec transform-set DES-MD5 esp-des esp-md5-hmac
!
crypto map CRYPTOMAP 10 ipsec-isakmp
 set peer 2.0.0.1
 set transform-set DES-MD5
 match address cryptoacl
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface Tunnel0
 ip vrf forwarding vpn
 ip address 172.16.0.1 255.255.255.252
 keepalive 5 3
 tunnel source Loopback0
 tunnel destination 10.0.0.2
!
interface Tunnel10
 description helper tunnel to forward keepalives to global vrf
 ip unnumbered Loopback0
 tunnel source Loopback0
 tunnel destination 10.0.0.1
!
interface FastEthernet0
 description internet uplink
 ip address 1.0.0.1 255.255.255.0
 crypto map CRYPTOMAP
!
router eigrp 100
 address-family ipv4 vrf vpn
  network 172.16.0.0
  no auto-summary
  autonomous-system 100
  eigrp router-id 172.16.0.1
 exit-address-family
!
! If the EIGRP tunnel flaps for no apparent reason, try adding:
! ip route 172.16.0.0 255.255.255.252 Tunnel0
! Some IOS versions seem to leak EIGRP packets to the global VRF.
!
ip route 0.0.0.0 0.0.0.0 1.0.0.254
ip route vrf vpn 10.0.0.2 255.255.255.255 Tunnel10
!
ip access-list extended cryptoacl
 permit ip host 10.0.0.1 host 10.0.0.2
!

GRE Router 1 (gre1)

!
version 12.4
!
hostname gre1
!
ip cef
!
ip vrf vpn
 rd 1:100
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key test address 1.0.0.1 no-xauth
!
crypto ipsec transform-set DES-MD5 esp-des esp-md5-hmac
!
crypto map CRYPTOMAP 10 ipsec-isakmp
 set peer 1.0.0.1
 set transform-set DES-MD5
 match address cryptoacl
!
interface Loopback0
 ip address 10.0.0.2 255.255.255.255
!
interface Tunnel0
 ip vrf forwarding vpn
 ip address 172.16.0.2 255.255.255.252
 keepalive 5 3
 tunnel source Loopback0
 tunnel destination 10.0.0.1
!
interface Tunnel10
 description helper tunnel to forward keepalives to global vrf
 ip unnumbered Loopback0
 tunnel source Loopback0
 tunnel destination 10.0.0.2
!
interface FastEthernet0
 description internet uplink
 ip address 2.0.0.1 255.255.255.0
 crypto map CRYPTOMAP
!
router eigrp 100
 address-family ipv4 vrf vpn
  network 172.16.0.0
  no auto-summary
  autonomous-system 100
  eigrp router-id 172.16.0.2
 exit-address-family
!
! If the EIGRP tunnel flaps for no apparent reason, try adding:
! ip route 172.16.0.0 255.255.255.252 Tunnel0
! Some IOS versions seem to leak EIGRP packets to the global VRF.
!
ip route 0.0.0.0 0.0.0.0 2.0.0.254
ip route vrf vpn 10.0.0.1 255.255.255.255 Tunnel10
!
ip access-list extended cryptoacl
 permit ip host 10.0.0.2 host 10.0.0.1
!
