Friday, October 23, 2020

Cisco ASA & Router - GRE over IPSec

Hello my networking fellows,

I need some experts to look over my topology and configuration because I am exhausted of not being able to find the problem.

So I'm trying to configure GRE over IPSec. IPSec is configured on the ASA (which works fine) and the GRE tunnel terminates on the router behind it. The tunnel is up/up but there is no traffic going through it. Wireshark captures show that GRE packets arrive at the ASA on the inside interface but don't leave on the outside interface.

I permit all traffic from the inside as well as from the outside.

We have following Topology: https://imgur.com/a/VDSjb3B

ASA1

interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet0/1.1
 vlan 10
 nameif inside
 security-level 80
 ip address 10.0.10.1 255.255.255.0
!
object network REMOTE
 subnet 10.0.20.0 255.255.255.0
object network LOCAL
 subnet 10.0.10.0 255.255.255.0
!
access-list LAN1-LAN2 extended permit gre any any
access-list LAN1-LAN2 extended permit ip 10.0.10.0 255.255.255.0 10.0.20.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.0.10.0 255.255.255.0
access-list OUTSIDE_access_in extended permit gre any any
access-list OUTSIDE_access_in extended permit ip any any
access-list inside_access_in_1 extended permit gre any any
access-list inside_access_in_1 extended permit ip any any
access-group OUTSIDE_access_in in interface OUTSIDE
access-group inside_access_in_1 in interface inside
!
route OUTSIDE 0.0.0.0 0.0.0.0 10.0.1.2 1
route mgmt 20.0.30.0 255.255.255.0 20.0.20.1 1
!
crypto ipsec ikev1 transform-set TSET esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map CMAP 10 match address LAN1-LAN2
crypto map CMAP 10 set peer 10.0.2.1
crypto map CMAP 10 set ikev1 transform-set TSET
crypto map CMAP 10 set security-association lifetime seconds 3600
crypto map CMAP 10 set trustpoint MY_CA
crypto map CMAP interface OUTSIDE
crypto isakmp identity address
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 10
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 3600

Switch3

interface Loopback0
 ip address 128.0.0.1 255.255.255.255        #SW4 Lo0 - 128.0.1.1/32
!
interface Tunnel0
 ip address 100.0.0.1 255.255.255.0          #SW4 - 100.0.0.2
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf 1 area 0
 tunnel source Loopback0
 tunnel destination 128.0.1.1                #SW4 - 128.0.0.1
!
interface GigabitEthernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan10
 ip address 10.0.10.2 255.255.255.0          #SW4 - 10.0.20.2
!
router ospf 1
 network 128.0.0.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 10.0.10.1           #SW4 - NH 10.0.20.1

Switch3#show ip rout
Gateway of last resort is 10.0.10.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.0.10.1
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.10.0/24 is directly connected, Vlan10
L        10.0.10.2/32 is directly connected, Vlan10
      100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        100.0.0.0/24 is directly connected, Tunnel0
L        100.0.0.1/32 is directly connected, Tunnel0
      128.0.0.0/32 is subnetted, 1 subnets
C        128.0.0.1 is directly connected, Loopback0
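An ASA-side verification sequence for the symptom above (GRE seen on inside, nothing on OUTSIDE), added here as an example and not part of the original post. It uses only the addresses from the configuration above: the GRE endpoints 128.0.0.1 and 128.0.1.1, the ASA OUTSIDE address 10.0.1.1 and the IPsec peer 10.0.2.1. The capture names ESP and DROPS are arbitrary, and the rawip keyword of packet-tracer is assumed to be available on the ASA release in use.

```cisco
! 1. Confirm phase 1 and phase 2 are actually established with 10.0.2.1,
!    and read the local/remote identities the phase 2 SA was built for.
!    The GRE packet (128.0.0.1 -> 128.0.1.1, IP protocol 47) must fall
!    inside those identities, or it will never be encrypted.
show crypto ikev1 sa
show crypto ipsec sa peer 10.0.2.1

! 2. Replay the exact GRE packet the router sends through the ASA's
!    packet path. The trace lists every phase (ACL, route lookup, NAT,
!    VPN encrypt) and names the phase that drops it.
packet-tracer input inside rawip 128.0.0.1 47 128.0.1.1 detailed

! 3. Capture what leaves OUTSIDE toward the peer, and separately capture
!    everything the ASA drops on the fast path, then look for the GRE
!    destination in the drop capture.
capture ESP interface OUTSIDE match ip host 10.0.1.1 host 10.0.2.1
capture DROPS type asp-drop all
show capture ESP
show capture DROPS | include 128.0.1.1

! Clean up the captures when done.
no capture ESP
no capture DROPS
```

Read the outputs in that order: if step 1 shows no phase 2 SA whose identities cover protocol 47 between the two loopbacks, the crypto ACL LAN1-LAN2 (or its mirror on the peer) is the thing to revisit; if step 2 ends with a drop, the named phase is the cause; if step 2 says ALLOW but step 3 shows no ESP toward 10.0.2.1 and the DROPS capture contains packets for 128.0.1.1, the drop reason in that capture is the next thing to chase.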

