Multiple tunnels over the same interface.

Problem: when I tried to bring up two GRE tunnels over the same physical interface (with the same tunnel source and the same tunnel destination), only one of the two came up.

On the Cisco forum I found several similar cases; the one that came closest said:

“I am attempting to create two GRE tunnels, both tunnels have the same source and destination. No problem creating the first tunnel but creating the second I get the error\warning
Warning: Using same source IP for more than one IP/GRE tunnels may cause software switching packets for tunnels using this address. If possible, use a unique tunnel source for Interface Tunnelxxx” (source)

Among the proposed solutions, the two best are:
-Change the tunnel source and destination to use loopback interfaces.
-Use "tunnel key"

Topology:

Initial configuration:

R1:
!
hostname R1
!
no ip domain lookup
!
interface Ethernet1/0
 ip address 10.22.26.1 255.255.255.224
!
interface Ethernet1/1
 ip address 10.22.8.1 255.255.255.0
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0
!
line con 0
 logging synchronous
!
R2:
!
hostname R2
!
no ip domain lookup
!
interface Ethernet1/0
 ip address  10.22.26.2 255.255.255.224
!
interface Ethernet1/1
 ip address 10.22.9.1 255.255.255.0
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0
!
line con 0
 logging synchronous
!

Initial verification:

R1#sh ip route
Gateway of last resort is not set
      10.22.0.0/16 is variably subnetted, 5 subnets, 4 masks
C        10.22.8.0/24 is directly connected, Ethernet1/1
L        10.22.8.1/32 is directly connected, Ethernet1/1
O        10.22.9.0/24 [110/20] via 10.22.26.2, 01:14:24, Ethernet1/0
C        10.22.26.0/27 is directly connected, Ethernet1/0
L        10.22.26.1/32 is directly connected, Ethernet1/0

Configuration of the first tunnel:

Added on R1:
!
interface Tunnel100
 ip address 10.22.26.130 255.255.255.252
 ip ospf cost 10
 keepalive 10 3
 tunnel source Ethernet1/0
 tunnel destination 10.22.26.2
!

Added on R2:
!
interface Tunnel100
 ip address 10.22.26.129 255.255.255.252
 ip ospf cost 10
 keepalive 10 3
 tunnel source Ethernet1/0
 tunnel destination 10.22.26.1
!

Verification:

*Jun 26 11:22:56.227: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel100, changed state to up
*Jun 26 11:22:56.771: %SYS-5-CONFIG_I: Configured from console by console
R1#
*Jun 26 11:23:35.263: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel100, changed state to down
R1#
*Jun 26 11:28:05.275: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel100, changed state to up
*Jun 26 11:28:05.603: %OSPF-5-ADJCHG: Process 1, Nbr 10.22.26.2 on Tunnel100 from LOADING to FULL, Loading Done

R1#sh ip route
Gateway of last resort is not set
      10.22.0.0/16 is variably subnetted, 7 subnets, 4 masks
C        10.22.8.0/24 is directly connected, Ethernet1/1
L        10.22.8.1/32 is directly connected, Ethernet1/1
O        10.22.9.0/24 [110/20] via 10.22.26.129, 00:00:43, Tunnel100
                                     [110/20] via 10.22.26.2, 01:39:08, Ethernet1/0
C        10.22.26.0/27 is directly connected, Ethernet1/0
L        10.22.26.1/32 is directly connected, Ethernet1/0
C        10.22.26.128/30 is directly connected, Tunnel100
L        10.22.26.130/32 is directly connected, Tunnel100
R1#sh ip ospf interface brief
Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
Tu100        1     0               10.22.26.130/30   10    P2P   1/1
Et1/1        1     0               10.22.8.1/24      10    DR    0/0
Et1/0        1     0               10.22.26.1/27     10    DR    1/1

Configuration of the second tunnel:

Added on R1:
!
interface Tunnel101
 ip address 10.22.26.134 255.255.255.252
 ip ospf cost 10
 keepalive 10 3
 tunnel source Ethernet1/0
 tunnel destination 10.22.26.2
!

Added on R2:
!
interface Tunnel101
 ip address 10.22.26.133 255.255.255.252
 ip ospf cost 10
 keepalive 10 3
 tunnel source Ethernet1/0
 tunnel destination 10.22.26.1
!

Verification of the problem:

*Jun 26 11:46:54.531: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel101, changed state to up
R1(config-if)#
*Jun 26 11:47:03.651: %OSPF-5-ADJCHG: Process 1, Nbr 10.22.26.2 on Tunnel101 from LOADING to FULL, Loading Done
R1(config-if)#^Z
*Jun 26 11:47:10.523: %SYS-5-CONFIG_I: Configured from console by console
R1#
*Jun 26 11:47:25.275: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel100, changed state to down
*Jun 26 11:47:25.303: %OSPF-5-ADJCHG: Process 1, Nbr 10.22.26.2 on Tunnel100 from FULL to DOWN, Neighbor Down: Interface down or detached

While one comes up, the other goes down.
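The flap shown in the log above can be caught before deployment by inspecting the configuration: two GRE tunnels that share the same tunnel source, tunnel destination and key (or both lack a key) produce identical encapsulation, so the router can only keep one of them active. The following Python script is an added example, not code from the post or from Cisco; it parses the post's Tunnel100/Tunnel101 configuration (embedded here as constructed sample text) and reports any such collision, and then shows the same check passing once each tunnel carries a distinct key.

```python
import re
from collections import defaultdict

# Constructed sample: R1's two tunnels as configured in the post, before any fix.
BROKEN_CONFIG = """\
interface Tunnel100
 ip address 10.22.26.130 255.255.255.252
 keepalive 10 3
 tunnel source Ethernet1/0
 tunnel destination 10.22.26.2
!
interface Tunnel101
 ip address 10.22.26.134 255.255.255.252
 keepalive 10 3
 tunnel source Ethernet1/0
 tunnel destination 10.22.26.2
!
"""

# Constructed sample: the same two tunnels with a unique "tunnel key" each.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "tunnel destination 10.22.26.2\n!\ninterface Tunnel101",
    "tunnel destination 10.22.26.2\n tunnel key 2\n!\ninterface Tunnel101",
).replace(
    "tunnel destination 10.22.26.2\n!\n",
    "tunnel destination 10.22.26.2\n tunnel key 3\n!\n",
)


def parse_tunnels(config):
    """Return {name: {"source", "destination", "key"}} for every Tunnel interface.

    Only the three parameters that decide GRE demultiplexing are collected;
    a missing "tunnel key" is recorded as None.
    """
    tunnels = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"interface (Tunnel\d+)\s*$", line)
        if m:
            current = m.group(1)
            tunnels[current] = {"source": None, "destination": None, "key": None}
            continue
        stripped = line.strip()
        # "!" or another interface stanza ends the current tunnel block.
        if stripped == "!" or stripped.startswith("interface "):
            current = None
            continue
        if current is None:
            continue
        m = re.match(r"tunnel (source|destination|key) (\S+)$", stripped)
        if m:
            tunnels[current][m.group(1)] = m.group(2)
    return tunnels


def find_collisions(tunnels):
    """Group tunnels by (source, destination, key); any group with more than
    one member is a collision: those tunnels cannot all be up at once."""
    groups = defaultdict(list)
    for name, t in tunnels.items():
        groups[(t["source"], t["destination"], t["key"])].append(name)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


if __name__ == "__main__":
    for label, cfg in (("before", BROKEN_CONFIG), ("after", FIXED_CONFIG)):
        print(label, find_collisions(parse_tunnels(cfg)))
```

Note that the check treats two tunnels with the same key as a collision too: the key only helps when it differs per tunnel on the same source/destination pair.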

1st solution: Change the tunnel source and destination to use loopback interfaces.

R1 (configuration changes):
!
hostname R1
!
no ip domain lookup
!
interface Loopback0
 ip address 10.22.26.240 255.255.255.255
!
interface Loopback1
 ip address 10.22.26.241 255.255.255.255
!
interface Tunnel100
 ip address 10.22.26.130 255.255.255.252
 ip ospf cost 10
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 10.22.26.242
!
interface Tunnel101
 ip address 10.22.26.134 255.255.255.252
 ip ospf cost 10
 keepalive 10 3
 tunnel source Loopback1
 tunnel destination 10.22.26.243
!
interface Ethernet1/0
 ip address 10.22.26.1 255.255.255.224
!
interface Ethernet1/1
 ip address 10.22.8.1 255.255.255.0
!
router ospf 1
 network 10.22.8.0 0.0.0.255 area 0
 network 10.22.26.0 0.0.0.31 area 0
 network 10.22.26.128 0.0.0.3 area 0
 network 10.22.26.132 0.0.0.3 area 0
!
ip route 10.22.26.242 255.255.255.255 10.22.26.2
ip route 10.22.26.243 255.255.255.255 10.22.26.2
!
line con 0
 logging synchronous
!
R2 (configuration changes):
!
hostname R2
!
no ip domain lookup
!
interface Loopback0
 ip address 10.22.26.242 255.255.255.255
!
interface Loopback1
 ip address 10.22.26.243 255.255.255.255
!
interface Tunnel100
 ip address 10.22.26.129 255.255.255.252
 ip ospf cost 10
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 10.22.26.240
!
interface Tunnel101
 ip address 172.22.26.133 255.255.255.252
 ip ospf cost 10
 keepalive 10 3
 tunnel source Loopback1
 tunnel destination 172.22.26.241
!
interface Ethernet1/0
 ip address 172.22.26.2 255.255.255.224
!
interface Ethernet1/1
 ip address 172.22.9.1 255.255.255.0
!
router ospf 1
 network 172.22.9.0 0.0.0.255 area 0
 network 172.22.26.0 0.0.0.31 area 0
 network 172.22.26.128 0.0.0.3 area 0
 network 172.22.26.132 0.0.0.3 area 0
!
ip route 172.22.26.240 255.255.255.255 172.22.26.1
ip route 172.22.26.241 255.255.255.255 172.22.26.1
!
line con 0
 logging synchronous
!

Verification:

R1#sh ip route
Gateway of last resort is not set
      172.22.0.0/16 is variably subnetted, 13 subnets, 4 masks
C        172.22.8.0/24 is directly connected, Ethernet1/1
L        172.22.8.1/32 is directly connected, Ethernet1/1
O        172.22.9.0/24 [110/20] via 172.22.26.133, 00:04:04, Tunnel101
                                     [110/20] via 172.22.26.129, 00:05:27, Tunnel100
                                     [110/20] via 172.22.26.2, 00:10:19, Ethernet1/0
C        172.22.26.0/27 is directly connected, Ethernet1/0
L        172.22.26.1/32 is directly connected, Ethernet1/0
C        172.22.26.128/30 is directly connected, Tunnel100
L        172.22.26.130/32 is directly connected, Tunnel100
C        172.22.26.132/30 is directly connected, Tunnel101
L        172.22.26.134/32 is directly connected, Tunnel101
C        172.22.26.240/32 is directly connected, Loopback0
C        172.22.26.241/32 is directly connected, Loopback1
S        172.22.26.242/32 [1/0] via 172.22.26.2
S        172.22.26.243/32 [1/0] via 172.22.26.2
R1#sh ip ospf interface brief
Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
Tu101        1     0               172.22.26.134/30   10    P2P   1/1
Tu100        1     0               172.22.26.130/30   10    P2P   1/1
Et1/0        1     0               172.22.26.1/27     10    DR    1/1
Et1/1        1     0               172.22.8.1/24      10    DR    0/0

It works!

2nd solution: Use "tunnel key"

tunnel key: To enable an ID key for a tunnel interface, use the tunnel key command in interface configuration mode. To remove the ID key, use the no form of this command. (source)

This document describes the IPsec secured GRE based VPN demultiplexing problem statement. When two or more IPsec SAs are used to protect GRE encapsulated VPN network between the same pair of edge router, the current GRE based VPN does not support the edge router to demultiplex data for different IPsec SA. GRE key provides one solution to demultiplex the VPNs secured by IPsec. (source)
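To see why the key resolves the ambiguity, look at the GRE header itself: without the K bit, every packet between R1 and R2 carries the same outer source, destination and IP protocol 47, so the receiving router has no field on which to tell Tunnel100 traffic from Tunnel101 traffic; with the RFC 2890 key present, the tuple (source, destination, key) is unique per tunnel. The following Python script is an added example, not code from the post or from Cisco IOS; it builds and parses GRE headers with the optional key and sequence fields and models the demultiplexing table a receiver must keep. The GreDemux class, the tunnel names and the sample payload are assumptions for illustration.

```python
import struct

GRE_PROTO_IPV4 = 0x0800
FLAG_C = 0x8000  # checksum present (RFC 2784)
FLAG_K = 0x2000  # key present (RFC 2890)
FLAG_S = 0x1000  # sequence number present (RFC 2890)


def build_gre(payload, key=None, seq=None):
    """Encapsulate payload in a GRE header; optional fields follow the
    RFC 2890 order (checksum, key, sequence). No checksum is emitted."""
    flags = 0
    optional = b""
    if key is not None:
        flags |= FLAG_K
        optional += struct.pack("!I", key)
    if seq is not None:
        flags |= FLAG_S
        optional += struct.pack("!I", seq)
    return struct.pack("!HH", flags, GRE_PROTO_IPV4) + optional + payload


def parse_gre(packet):
    """Return (key, seq, payload). key/seq are None when their flag is clear.
    Raises ValueError on a truncated header or unknown version."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, _proto = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    offset = 4
    key = seq = None
    if flags & FLAG_C:
        offset += 4  # checksum + reserved1; not verified in this model
    if flags & FLAG_K:
        if len(packet) < offset + 4:
            raise ValueError("truncated GRE key")
        key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & FLAG_S:
        if len(packet) < offset + 4:
            raise ValueError("truncated GRE sequence")
        seq = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if len(packet) < offset:
        raise ValueError("truncated GRE header")
    return key, seq, packet[offset:]


class GreDemux:
    """Hypothetical receiver: maps (outer src, outer dst, key) to a tunnel.
    Registering a second tunnel on an already-used tuple is refused, which
    is the situation the post's log shows on the real router."""

    def __init__(self):
        self.table = {}

    def register(self, src, dst, key, name):
        tup = (src, dst, key)
        if tup in self.table:
            raise ValueError(f"{name} collides with {self.table[tup]}: "
                             "same source, destination and key")
        self.table[tup] = name
        return name

    def dispatch(self, src, dst, packet):
        """Return (tunnel name or None, inner payload) for a received packet."""
        key, _seq, payload = parse_gre(packet)
        return self.table.get((src, dst, key)), payload


def demo():
    """Register two keyed tunnels between R1 and R2 and dispatch one packet each."""
    demux = GreDemux()
    demux.register("172.22.26.1", "172.22.26.2", 2, "Tunnel100")
    demux.register("172.22.26.1", "172.22.26.2", 3, "Tunnel101")
    inner = b"\x45" + b"\x00" * 19  # constructed stand-in for an inner IPv4 header
    hits = []
    for key in (2, 3):
        name, _ = demux.dispatch("172.22.26.1", "172.22.26.2", build_gre(inner, key=key))
        hits.append(name)
    return hits


if __name__ == "__main__":
    print(demo())
```

In the unkeyed case both tunnels would register with key None and the second registration fails, which is exactly the ambiguity the post's log shows; note also that the key is a plaintext demultiplexing label, not an authenticator, which is why the quoted text pairs it with IPsec rather than relying on it alone.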

R1 (configuration changes):
!
hostname R1
!
no ip domain lookup
!
interface Tunnel100
 ip address 172.22.26.130 255.255.255.252
 ip ospf cost 10
 keepalive 10 3
 tunnel source Ethernet1/0
 tunnel destination 172.22.26.2
 tunnel key 2
!
interface Tunnel101
 ip address 172.22.26.134 255.255.255.252
 ip ospf cost 10
 keepalive 10 3
 tunnel source Ethernet1/0
 tunnel destination 172.22.26.2
 tunnel key 3
!
interface Ethernet1/0
 ip address 172.22.26.1 255.255.255.224
!
interface Ethernet1/1
 ip address 172.22.8.1 255.255.255.0
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0
!
line con 0
 logging synchronous
!
R2 (configuration changes):
!
hostname R2
!
no ip domain lookup
!
interface Tunnel100
 ip address 172.22.26.129 255.255.255.252
 ip ospf cost 10
 keepalive 10 3
 tunnel source Ethernet1/0
 tunnel destination 172.22.26.1
 tunnel key 2
!
interface Tunnel101
 ip address 172.22.26.133 255.255.255.252
 ip ospf cost 10
 keepalive 10 3
 tunnel source Ethernet1/0
 tunnel destination 172.22.26.1
 tunnel key 3
!
interface Ethernet1/0
 ip address 172.22.26.2 255.255.255.224
!
interface Ethernet1/1
 ip address 172.22.9.1 255.255.255.0
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0
!
line con 0
 logging synchronous
!

Verification:

R1#sh ip route
Gateway of last resort is not set
      172.22.0.0/16 is variably subnetted, 9 subnets, 4 masks
C        172.22.8.0/24 is directly connected, Ethernet1/1
L        172.22.8.1/32 is directly connected, Ethernet1/1
O        172.22.9.0/24 [110/20] via 172.22.26.133, 00:03:58, Tunnel101
                                     [110/20] via 172.22.26.129, 00:03:00, Tunnel100
                                     [110/20] via 172.22.26.2, 00:28:49, Ethernet1/0
C        172.22.26.0/27 is directly connected, Ethernet1/0
L        172.22.26.1/32 is directly connected, Ethernet1/0
C        172.22.26.128/30 is directly connected, Tunnel100
L        172.22.26.130/32 is directly connected, Tunnel100
C        172.22.26.132/30 is directly connected, Tunnel101
L        172.22.26.134/32 is directly connected, Tunnel101
R1#sh ip ospf interface brief
Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
Tu101        1     0               172.22.26.134/30   10    P2P   1/1
Tu100        1     0               172.22.26.130/30   10    P2P   1/1
Et1/0        1     0               172.22.26.1/27     10    DR    1/1
Et1/1        1     0               172.22.8.1/24      10    DR    0/0

3rd solution:

Create subinterfaces on the physical interface.
I am not going to test it, but it works!

tunnel key seems to be the best option!!!
