Hello everyone,
Today I will share with you how to deal with a network problem when traffic goes through a DSVPN tunnel.
Network Topology
Figure 1-1 Network problem when traffic goes through DSVPN tunnel
Fault Description
The customer cannot ping from one side (101.1.1.1) to the other side (202.1.1.1).
Configuration Files
- AR1
#
pki realm default
enrollment self-signed
#
ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm 3des
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm sha1
prf hmac-sha2-256
#
ike peer p1 v1
pre-shared-key cipher %^%#1"4j#17n2'.c\"3q3#g4NGy|1\9Rj%Y{5Y)r$o>$%^%#
ike-proposal 1
#
ipsec profile profile1
ike-peer p1
proposal 1
#
interface GigabitEthernet0/0/0
ip address 10.220.7.39 255.255.254.0
#
interface GigabitEthernet0/0/2
ip address 192.168.1.2 255.255.255.0
#
interface LoopBack0
ip address 101.1.1.1 255.255.255.0
#
interface Tunnel0/0/0
ip address 111.1.1.1 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet0/0/2
ipsec profile profile1
nhrp entry multicast dynamic
#
ip route-static 0.0.0.0 0.0.0.0 10.220.6.1
ip route-static 172.168.1.0 255.255.255.0 192.168.1.1
ip route-static 202.1.1.0 255.255.255.0 Tunnel0/0/0
#
- AR2
#
pki realm default
enrollment self-signed
#
ipsec proposal 1
esp authentication-algorithm sha2-256
esp encryption-algorithm 3des
#
ike proposal 1
encryption-algorithm des-cbc
dh group2
authentication-algorithm sha1
prf hmac-sha2-256
#
ike peer p1 v1
pre-shared-key cipher %^%#Xb=f+J<Up&;zprO9<Ik5s6EOIQoPDV~{U)*.bw:J%^%#
ike-proposal 1
#
ipsec profile profile1
ike-peer p1
proposal 1
#
interface Vlanif999
description MANAGEMENT-DO-NOT-TOUCH
ip address 192.168.80.3 255.255.224.0
#
interface GigabitEthernet0/0/0
ip address 172.16.1.6 255.255.255.252
#
interface GigabitEthernet0/0/1
ip address 172.168.1.2 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 10.220.7.40 255.255.254.0
#
interface LoopBack0
ip address 172.16.3.3 255.255.255.255
#
interface LoopBack1
ip address 172.16.113.1 255.255.255.255
#
interface LoopBack3
ip address 202.1.1.1 255.255.255.0
#
interface Tunnel0/0/0
ip address 111.1.1.2 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet0/0/1
ipsec profile profile1
nhrp entry 111.1.1.1 192.168.1.2
#
bgp 65502
peer 172.16.1.5 as-number 65501
peer 172.16.1.14 as-number 65502
#
ipv4-family unicast
undo synchronization
preference 5 255 255
network 172.16.3.3 255.255.255.255
network 172.16.3.5 255.255.255.255
network 172.16.3.6 255.255.255.255
network 172.16.3.7 255.255.255.255
network 172.16.3.8 255.255.255.255
network 172.16.3.9 255.255.255.255
network 172.16.3.10 255.255.255.255
network 172.16.3.11 255.255.255.255
network 172.16.3.12 255.255.255.255
network 172.16.3.13 255.255.255.255
network 172.16.5.0 255.255.255.0
network 172.16.6.0 255.255.255.0
network 172.16.7.0 255.255.255.0
network 172.16.8.0 255.255.255.0
network 172.16.10.0 255.255.255.0
network 172.16.12.0 255.255.255.0
network 172.16.13.0 255.255.255.0
network 172.16.113.1 255.255.255.255
peer 172.16.1.5 enable
peer 172.16.1.14 enable
#
ospf 10 router-id 172.16.3.3
import-route bgp type 1
area 0.0.0.0
network 172.16.1.12 0.0.0.3
network 172.16.1.16 0.0.0.3
network 172.16.3.3 0.0.0.0
#
ftp server enable
#
ip route-static 0.0.0.0 0.0.0.0 10.220.6.1
ip route-static 101.1.1.0 255.255.255.0 111.1.1.1
ip route-static 172.1.0.0 255.255.0.0 192.168.64.1 description MANAGEMENT-DO-NOT-TOUCH
ip route-static 192.168.1.0 255.255.255.0 172.168.1.1
ip route-static 192.168.10.0 255.255.255.0 192.168.64.1 description MANAGEMENT-DO-NOT-TOUCH
#
Troubleshooting Location
Step 1 Analyze the configuration; it shows that the scenario is DSVPN over IPsec.
Run the display ike sa command in any view on AR2 to check the IPsec tunnel first. In the output below the SA sits in phase 1 with no RD (READY) flag, so the IPsec tunnel is not established:
<R2U21-AR3200> display ike sa
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase
--------------------------------------------------------------------
390 0.0.0.2 0 1
Number of IKE SA : 1
--------------------------------------------------------------------
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
Step 2 If the IPsec tunnel is not established, check and correct the IKE/IPsec parameters until negotiation succeeds. In the configuration above the IKE proposals differ: AR1 uses encryption-algorithm 3des-cbc while AR2 uses des-cbc. After the parameters match, display ike sa shows both a phase 1 and a phase 2 SA with the RD flag:
<R2U25-AR3200> display ike sa
IKE SA information :
Conn-ID Peer VPN Flag(s) Phase
--------------------------------------------------------------------
540 172.168.1.2 0 RD 2
539 172.168.1.2 0 RD 1
Number of IKE SA : 2
--------------------------------------------------------------------
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
M--ACTIVE S--STANDBY A--ALONE NEG--NEGOTIATING
Step 3 Check whether the DSVPN tunnel is OK (the NHRP peer relationship between hub and spoke).
Step 4 Check the configuration: on the spoke, one command is wrong. After correcting it, DSVPN comes up.
Step 5 Test again once the DSVPN over IPsec tunnel is up. If the ping still fails, check the routes. For a DSVPN tunnel the static route's next hop must be a specific IP address, not the tunnel interface, because the mGRE tunnel is multipoint and the router needs the peer's tunnel address to resolve the NBMA address through NHRP. In the configuration above, AR1's route "ip route-static 202.1.1.0 255.255.255.0 Tunnel0/0/0" uses the interface as next hop, whereas the matching route on AR2 already points at the peer tunnel address 111.1.1.1; the AR1 route should point at 111.1.1.2 in the same way.
Solution:
- Check the IPsec tunnel.
- Check NHRP after the IPsec tunnel is up. If NHRP is not normal, check the DSVPN parameters.
- Check the route after NHRP is OK.
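The two configuration checks from the steps above (matching IKE proposals, and static routes over the DSVPN tunnel using an IP next hop) can be automated. This is an added example, not part of the original post or Huawei's tooling; it parses trimmed copies of the AR1 and AR2 configs shown above, and the VRP block layout it assumes is the "#"-separated one used in those files.

```python
import re
# Constructed sample: trimmed copies of the AR1 and AR2 configs from the post.
AR1_CONF = """\
ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2
#
interface Tunnel0/0/0
 tunnel-protocol gre p2mp
#
ip route-static 202.1.1.0 255.255.255.0 Tunnel0/0/0
"""
AR2_CONF = """\
ike proposal 1
 encryption-algorithm des-cbc
 dh group2
#
interface Tunnel0/0/0
 tunnel-protocol gre p2mp
#
ip route-static 101.1.1.0 255.255.255.0 111.1.1.1
"""

def blocks(conf):
    """Split a VRP config into '#'-delimited blocks of stripped, non-empty lines."""
    return [[l.strip() for l in b.splitlines() if l.strip()]
            for b in conf.split("#") if b.strip()]

def ike_proposal(conf):
    """Return {parameter: value} for the first 'ike proposal' block."""
    for b in blocks(conf):
        if b[0].startswith("ike proposal"):
            return dict(line.split(None, 1) for line in b[1:])
    return {}

def ike_mismatches(conf_a, conf_b):
    """IKE proposal parameters that differ between the two peers (the Step 2 check)."""
    a, b = ike_proposal(conf_a), ike_proposal(conf_b)
    return {k: (a.get(k), b.get(k)) for k in a.keys() | b.keys() if a.get(k) != b.get(k)}

def mgre_tunnels(conf):
    """Names of tunnel interfaces running 'gre p2mp', i.e. the DSVPN tunnels."""
    return {b[0].split()[1] for b in blocks(conf)
            if b[0].startswith("interface Tunnel") and "tunnel-protocol gre p2mp" in b}

def bad_dsvpn_routes(conf):
    """Static routes whose next hop is a DSVPN tunnel interface, not an IP (the Step 5 check)."""
    tunnels = mgre_tunnels(conf)
    return [l.strip() for l in conf.splitlines()
            if (m := re.match(r"ip route-static \S+ \S+ (\S+)", l.strip())) and m.group(1) in tunnels]
```

Running ike_mismatches(AR1_CONF, AR2_CONF) reports the 3des-cbc/des-cbc difference, and bad_dsvpn_routes(AR1_CONF) flags the route to 202.1.1.0 that uses Tunnel0/0/0 as its next hop.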
Root Cause
The DSVPN over IPsec tunnel could not be established because the IKE/IPsec parameters did not match on the two peers.
After the tunnel was established, traffic still could not be forwarded because of an incorrect route (an interface next hop instead of the peer's tunnel IP address).
That is all I want to share with you! Thank you!