Tuesday, April 20, 2021

AWS to Data Center LISP Troubleshooting Help

Back Story

We had this thing up at some point, but the senior manager in charge left the company and took both the AWS account with him and wiped the configuration for the router in the data center, because he owned the license and he was the one paying the AWS bill. Now another senior network guy is in charge of the project but gets laid off. He wipes the router in the data center (something about the license), and now a third senior network guy is in charge. He put in his two weeks’ notice yesterday, and now I’m the sucker in charge and also the junior-most member of the entire team.

The problem

I have OSPF along with an IPsec tunnel to transport LISP securely (per what little documentation was left and the example on AWS). The subnet is extended between the data center and AWS. I can see the host at each site (AWS and data center), but I can’t ping them unless I use the source option, “ping 10.10.15.101 source tunnel 2”, and the hosts can’t ping each other.

Everything was configured mostly following this guide here.

The local router (C2900) and the AWS router are different models.

Local Router Config (Redacted)

crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 5
crypto isakmp key 6 secrekey address 22.255.255.22
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC
 set transform-set TS
!
interface Loopback1
 ip address 11.11.11.11 255.255.255.255
!
interface Tunnel2
 ip address 30.0.0.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 22.255.255.22
 tunnel protection ipsec profile IPSEC
!
interface LISP0
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 10.0.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 10.0.15.2 255.255.255.0
 duplex auto
 speed auto
 lisp mobility ISA nbr-proxy-reply requests 3
!
router lisp
 locator-set dmz
  11.11.11.11 priority 1 weight 100
  exit
 !
 eid-table default instance-id 0
  dynamic-eid ISA
   database-mapping 10.0.15.0/24 locator-set dmz
   map-notify-group 239.0.0.1
   exit
  !
  exit
 !
 site site1
  authentication-key 6 secrekey
  eid-prefix 10.0.0.0/16 accept-more-specifics
  exit
 !
 ipv4 map-server
 ipv4 map-resolver
 ipv4 itr map-resolver 11.11.11.11
 ipv4 itr
 ipv4 etr map-server 11.11.11.11 key 6 secrekey
 ipv4 etr
 exit
!
router ospf 11
 network 11.11.11.11 0.0.0.0 area 11
 network 30.0.0.1 0.0.0.0 area 11
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.0.2.200
ip ssh version 2
!
ip access-list extended VPN
 permit ip 10.10.15.0 0.0.0.255 192.168.15.0 0.0.0.255 log
!
control-plane
!
line con 0
 exec-timeout 60 0
 logging synchronous
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 180 0
 logging synchronous
 login local
 transport input ssh
line vty 5 15
 exec-timeout 180 0
 logging synchronous
 login local
 transport input ssh

AWS Router Config (redacted)

crypto isakmp policy 1
 encryption aes 256
 hash sha256
 authentication pre-share
 group 5
crypto isakmp key 6 secrekey address 44.255.255.44
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC
 set transform-set TS
 responder-only
!
interface Loopback1
 ip address 33.33.33.33 255.255.255.255
!
interface Tunnel2
 ip address 30.0.0.2 255.255.255.0
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 44.255.255.44
 tunnel protection ipsec profile IPSEC
!
interface LISP0
!
interface VirtualPortGroup0
 vrf forwarding GS
 ip address 192.168.135.10 255.255.255.0
 ip nat inside
 no mop enabled
 no mop sysid
!
interface GigabitEthernet1
 ip address dhcp
 ip nat outside
 negotiation auto
 no mop enabled
 no mop sysid
!
interface GigabitEthernet2
 ip address 10.10.15.192 255.255.255.0
 negotiation auto
 lisp mobility ISA nbr-proxy-reply requests 3
 no mop enabled
 no mop sysid
!
router lisp
 locator-set aws
  33.33.33.33 priority 1 weight 100
  exit-locator-set
 !
 service ipv4
  itr map-resolver 11.11.11.11
  itr
  etr map-server 11.11.11.11 key 6 gGGZDfQTTfHUF^aADFMENKQDReEAAB
  etr
  exit-service-ipv4
 !
 instance-id 0
  dynamic-eid ISA
   database-mapping 10.10.15.0/24 locator-set aws
   map-notify-group 239.0.0.1
   exit-dynamic-eid
  !
  service ipv4
   eid-table default
   exit-service-ipv4
  !
  exit-instance-id
 !
 exit-router-lisp
!
router ospf 11
 network 30.0.0.2 0.0.0.0 area 11
 network 33.33.33.33 0.0.0.0 area 11
!
iox
ip forward-protocol nd
ip tcp window-size 8192
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list GS_NAT_ACL interface GigabitEthernet1 vrf GS overload
ip ssh rsa keypair-name ssh-key
ip ssh version 2
!
ip access-list standard GS_NAT_ACL
 10 permit 192.168.135.10 0.0.0.255
!
ip access-list extended ISAVPN
 10 permit ip 10.10.15.0 0.0.0.255 10.10.15.0 0.0.0.255 log
!
control-plane
!
line con 0
 stopbits 1
line vty 0 4
 login local
 transport input ssh
line vty 5 20
 login local
 transport input ssh
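An added consistency check (example code written for this post, not from the post or from any vendor tool) that pulls the few LISP and OSPF lines that matter out of the two configs above and tests whether each ETR's registered prefix sits under a map-server site eid-prefix and whether the map-server address is advertised in OSPF. Run over the excerpts as they appear above, it reports that the AWS side's 10.10.15.0/24 database-mapping is not within the map-server's site prefix 10.0.0.0/16, while the data-center side's 10.0.15.0/24 is. The config excerpts are constructed from the two configs shown, and the checker only understands the `database-mapping`, `eid-prefix`, `etr map-server` and `network ... 0.0.0.0 area` lines.

```python
# Added example, not from the post: cross-check the LISP lines of the two configs
# above. Each ETR database-mapping prefix must fall under a map-server site
# eid-prefix (accept-more-specifics allows that) and the map-server must be in OSPF.
import ipaddress
import re
# Constructed excerpts: only the lines the checker looks at.
DC_CONFIG = """
router lisp
 eid-table default instance-id 0
  dynamic-eid ISA
   database-mapping 10.0.15.0/24 locator-set dmz
 site site1
  eid-prefix 10.0.0.0/16 accept-more-specifics
 ipv4 etr map-server 11.11.11.11 key 6 secrekey
router ospf 11
 network 11.11.11.11 0.0.0.0 area 11
"""
AWS_CONFIG = """
router lisp
 service ipv4
  etr map-server 11.11.11.11 key 6 secrekey
 instance-id 0
  dynamic-eid ISA
   database-mapping 10.10.15.0/24 locator-set aws
"""

def registered_prefixes(config):
    """Prefixes this router's ETR will put in its Map-Register."""
    return [ipaddress.ip_network(p) for p in re.findall(r"database-mapping (\S+)", config)]
def site_prefixes(config):
    """(prefix, accept_more_specifics) pairs the map-server will accept."""
    return [(ipaddress.ip_network(p), bool(flag))
            for p, flag in re.findall(r"eid-prefix (\S+)( accept-more-specifics)?", config)]
def covered(p, sites):
    """True if the map-server would accept a registration for prefix p."""
    return any(p == s or (m and p.version == s.version and p.subnet_of(s)) for s, m in sites)

def check(ms_config, etr_configs):
    """Return human-readable findings; an empty list means the configs agree."""
    sites = site_prefixes(ms_config)
    advertised = set(re.findall(r"network (\S+) 0\.0\.0\.0 area", ms_config))
    findings = []
    for name, cfg in etr_configs.items():
        for p in registered_prefixes(cfg):
            if not covered(p, sites):
                findings.append(f"{name}: {p} not covered by any map-server site eid-prefix")
        for ms in re.findall(r"etr map-server (\S+)", cfg):
            if ms not in advertised:
                findings.append(f"{name}: map-server {ms} not advertised in OSPF")
    return findings
```

Calling `check(DC_CONFIG, {"dc": DC_CONFIG, "aws": AWS_CONFIG})` returns the single finding for the AWS prefix; the same functions can be pointed at the full running-configs, since the regexes ignore everything else.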


