Monday, April 27, 2020

VTI Site-to-Site VPN help needed!

Greetings everyone,

I am having some problems with setting up the VTI configs between my two routers (R1 and R3).

IPsec phases 1 and 2 come up and everything works like a charm.

However, the whole reason we use VTI is so that we can have separate policies for encrypted and unencrypted traffic.

So my problem is:

I wrote the following policies (one for the VTI interface and one for the physical interface):

R3:
conf t
!
! Policy applied to the VTI: match every packet and mark it precedence 2
class-map match-all VTI-CLASS
 match any
exit
policy-map VTI-MAP
 class VTI-CLASS
  set precedence 2
 exit
interface tunnel1
 service-policy output VTI-MAP
exit
!
! Policy applied to the physical interface: match every packet and mark it precedence 4
class-map match-all Physical-CLASS
 match any
exit
policy-map Physical-MAP
 class Physical-CLASS
  set precedence 4
 exit
interface ethernet1/0
 service-policy output Physical-MAP
exit
!

---------------------------------------------------------------------

I have done a packet capture in Wireshark and I see that all traffic leaving the router (R3) has the QoS value "Precedence 4".

But packets going through the VTI tunnel interface also have "precedence 4" QoS markings (they are supposed to have "precedence 2" markings).

As soon as I enter:
interface ethernet1/0
 no service-policy output Physical-MAP
exit
!

So basically, after removing the physical policy, traffic going through the VTI tunnel instantly turns into "precedence 2" marked QoS values.

But for some reason, if both policies are applied, the physical interface policy simply overwrites the VTI tunnel policy.

--------------------------

Just to buy some time I will also post my IPsec config as well (which is mirrored on both routers):

R1:

conf t
!
! Loopback used as the unnumbered address of the tunnel interface
interface loopback0
 ip address 1.1.1.1 255.255.255.255
exit
!
! IKEv1 phase 1: AES-256, DH group 14, pre-shared key
crypto isakmp policy 5
 encryption aes 256
 authentication pre-share
 group 14
exit
! Wildcard peer address: this pre-shared key is accepted from any peer
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
! Phase 2 transform set and the profile that the VTI uses for tunnel protection
crypto ipsec transform-set P2P-SET esp-aes 256 esp-sha-hmac
 mode tunnel
exit
crypto ipsec profile P2P-PROFILE
 set transform-set P2P-SET
exit
!
! The VTI: IPsec as the tunnel mode, protected by the profile above
interface tunnel1
 ip unnumbered loopback0
 tunnel source ethernet 1/0
 tunnel destination 35.0.0.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile P2P-PROFILE
exit

-------------------------------------------------------------

Might this be a bug with my GNS3 IOU images? Or with Wireshark?

Or is this working as intended and I screwed up something?

Thanks for the answer in advance.
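The following is an added example (not part of the post above, and not Cisco code) that models, in Python, the path of one packet leaving R3 through tunnel1 and ethernet1/0: the service-policy on tunnel1 marks the cleartext packet, IPsec tunnel-mode encapsulation then builds a new outer IPv4 header whose ToS byte is copied from the inner header (the IPsec default), and the service-policy on ethernet1/0 runs after encryption and rewrites the outer header, which is the only header a capture on ethernet1/0 can read. The inner packet keeps its own marking and is what R1 sees after decryption. Everything not in the post is an assumption of the example: R3's loopback 3.3.3.3, R1's physical address 35.0.0.1, the ESP SPI, and the fact that no actual encryption is performed (the inner packet rides as opaque bytes behind a constructed 8-byte SPI/sequence header).

```python
"""Model of where 'set precedence' lands on a VTI-protected packet (added example)."""
import socket
import struct

ESP_PROTO = 50
# Assumed addresses: R3's loopback and R1's physical address are made up for this
# example; 35.0.0.3 and 1.1.1.1 are the ones that appear in the post.
R3_LOOPBACK, R1_LOOPBACK = "3.3.3.3", "1.1.1.1"
R3_PHYSICAL, R1_PHYSICAL = "35.0.0.3", "35.0.0.1"


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, precedence: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header; IP precedence is the top 3 bits of the ToS byte."""
    tos = (precedence & 0x7) << 5
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fields a capture tool would show for an IPv4 header."""
    ver_ihl, tos, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0xF) * 4
    if ver_ihl >> 4 != 4 or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("not a valid IPv4 header")
    return {"precedence": tos >> 5, "dscp": tos >> 2, "proto": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "payload": packet[ihl:total_len]}


def set_precedence(packet: bytes, precedence: int) -> bytes:
    """What a 'set precedence N' action does: rewrite ToS bits 7..5 and fix the checksum."""
    ihl = (packet[0] & 0xF) * 4
    hdr = bytearray(packet[:ihl])
    hdr[1] = (hdr[1] & 0x1F) | ((precedence & 0x7) << 5)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def esp_tunnel_encapsulate(inner: bytes, spi: int = 0x1000, seq: int = 1) -> bytes:
    """ESP tunnel mode without the crypto: new outer IPv4 header, ToS copied from the inner one."""
    esp = struct.pack("!II", spi, seq) + inner  # constructed: no encryption, no ICV
    return build_ipv4(R3_PHYSICAL, R1_PHYSICAL, ESP_PROTO, esp,
                      precedence=parse_ipv4(inner)["precedence"])


def esp_tunnel_decapsulate(outer: bytes) -> bytes:
    """Strip the outer header and the 8-byte SPI/sequence to recover the inner packet."""
    return parse_ipv4(outer)["payload"][8:]


def r3_egress(cleartext: bytes, vti_precedence: int = 2, physical_precedence=None) -> bytes:
    """Order of operations on R3 for a packet routed into tunnel1."""
    marked = set_precedence(cleartext, vti_precedence)      # service-policy output on tunnel1
    outer = esp_tunnel_encapsulate(marked)                  # tunnel protection (ESP tunnel mode)
    if physical_precedence is not None:                     # service-policy output on ethernet1/0,
        outer = set_precedence(outer, physical_precedence)  # post-encryption: sees only the outer header
    return outer


def capture_view(outer: bytes) -> dict:
    """What a capture on ethernet1/0 shows, next to what R1 sees after decryption."""
    return {"outer_precedence": parse_ipv4(outer)["precedence"],
            "inner_precedence": parse_ipv4(esp_tunnel_decapsulate(outer))["precedence"]}


if __name__ == "__main__":
    pkt = build_ipv4(R3_LOOPBACK, R1_LOOPBACK, 1, b"constructed ICMP echo payload")
    print("both policies applied:  ", capture_view(r3_egress(pkt, 2, 4)))
    print("physical policy removed:", capture_view(r3_egress(pkt, 2, None)))
```

With both policies applied the outer header carries precedence 4 and the inner header precedence 2, which matches the capture described in the post: a sniffer on ethernet1/0 only decodes the outer, encrypted packet. Removing the physical policy leaves the copied precedence 2 on the outer header. To check what the VTI policy actually did, look at the decrypted packet on the far side (or at a capture on R1's loopback-facing side) rather than at the ESP packet on the wire.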


