Hello, I'm upgrading a router autoconfiguration program to support tunnels and I have some problems with configuring the GRE over IPSec tunnel over the BGP protocol. The program automatically deploys iBGP and OSPF as internal protocols and eBGP as external. My sample test network looks like this:
[Attachment: Test network (Screenshot_1.jpg)]
The 3 routers on the left belong to ASN 1 and the 3 on the right to ASN 2. The routers in the middle (3 and 5) use eBGP to connect the ASNs.
The configuration file for tunnel router 1 (and the same for 6) is:
Code:
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key VAULT address 1.0.0.11
!
!
crypto ipsec transform-set MYTRANS esp-aes esp-sha-hmac
!
crypto ipsec profile PROTECT
set transform-set MYTRANS
!
!
interface Loopback0
description Loopback
ip address 1.0.0.1 255.255.255.255
!
interface f0/0
description 1 to 3
ip address 10.0.0.5 255.255.255.252
ip ospf cost 1
duplex auto
speed auto
no shutdown
!
interface f1/0
description 1 to 2
ip address 10.0.0.1 255.255.255.252
ip ospf cost 1
duplex auto
speed auto
no shutdown
!
interface tunnel16
description tunnel to 6
ip address 10.0.0.9 255.255.255.252
tunnel source loopback 0
tunnel destination 1.0.0.11
tunnel mode ipsec ipv4
tunnel protection ipsec profile PROTECT
!
!
router ospf 1
! Loopback
network 1.0.0.1 0.0.0.0 area 0
log-adjacency-changes
passive-interface Loopback0
network 10.0.0.4 0.0.0.3 area 0
network 10.0.0.0 0.0.0.3 area 0
!
!
router bgp 1
bgp router-id 1.0.0.1
no synchronization
network 1.0.0.1 mask 255.255.255.255
! ibgp
! ibgp peers
!
neighbor 1.0.0.2 remote-as 1
neighbor 1.0.0.2 description iBGP peer 3
neighbor 1.0.0.2 update-source Loopback0
!
neighbor 1.0.0.3 remote-as 1
neighbor 1.0.0.3 description iBGP peer 2
neighbor 1.0.0.3 update-source Loopback0
The routers in the middle use additional eBGP configurations:
Code:
interface Loopback0
description Loopback
ip address 1.0.0.2 255.255.255.255
!
interface f0/0
description 3 to 1
ip address 10.0.0.6 255.255.255.252
ip ospf cost 1
duplex auto
speed auto
no shutdown
!
interface f1/0
description 3 to 2
ip address 10.0.0.14 255.255.255.252
ip ospf cost 1
duplex auto
speed auto
no shutdown
!
interface f2/0
description 3 to 5
ip address 10.0.128.1 255.255.255.252
duplex auto
speed auto
no shutdown
!
!
router ospf 1
! Loopback
network 1.0.0.2 0.0.0.0 area 0
log-adjacency-changes
passive-interface Loopback0
network 10.0.0.4 0.0.0.3 area 0
network 10.0.0.12 0.0.0.3 area 0
!
!
router bgp 1
bgp router-id 1.0.0.2
no synchronization
network 1.0.0.2 mask 255.255.255.255
! ibgp
! ibgp peers
!
neighbor 1.0.0.1 remote-as 1
neighbor 1.0.0.1 description iBGP peer 1
neighbor 1.0.0.1 update-source Loopback0
neighbor 1.0.0.1 next-hop-self
!
neighbor 1.0.0.3 remote-as 1
neighbor 1.0.0.3 description iBGP peer 2
neighbor 1.0.0.3 update-source Loopback0
neighbor 1.0.0.3 next-hop-self
!
! ebgp
!
neighbor 10.0.128.2 remote-as 2
neighbor 10.0.128.2 description eBGP to 5
neighbor 10.0.128.2 send-community
neighbor 10.0.128.2 next-hop-self
While I can ping from router 1 to the tunnel interface across (10.0.0.10), I can't ping from loopback to loopback, although I can see them in the IP BGP tables. That means that if a router was attached to router 1 it cannot use the tunnel to deliver traffic to the other side of the tunnel. My question is: is there any way to configure the tunnel routers so that they can send any traffic across the tunnel using BGP? Please consider that the program works mostly with loopbacks (using a pool so all loopbacks are different) as it doesn't "know" any network routes when it's executed, so it can't just ip route to a physical interface across because it doesn't know that interface. Thanks.
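A small configuration check, added here as an example and not part of the original post or of the autoconfiguration program it describes: it parses the router 1 configuration above (re-typed inline with only the interface and OSPF sections, indentation stripped as posted) and lists the interfaces whose address is matched by no "network" statement under "router ospf", which is a quick way to see which subnets the IGP is not being told about.

```python
import ipaddress
import re

# Constructed excerpt of the router 1 configuration from the post (interfaces and OSPF only).
ROUTER1_CONFIG = """\
interface Loopback0
ip address 1.0.0.1 255.255.255.255
!
interface f0/0
ip address 10.0.0.5 255.255.255.252
!
interface f1/0
ip address 10.0.0.1 255.255.255.252
!
interface tunnel16
ip address 10.0.0.9 255.255.255.252
tunnel source loopback 0
tunnel destination 1.0.0.11
!
router ospf 1
network 1.0.0.1 0.0.0.0 area 0
network 10.0.0.4 0.0.0.3 area 0
network 10.0.0.0 0.0.0.3 area 0
"""

IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+)$")
NETWORK_RE = re.compile(r"^network (\S+) (\S+) area \d+$")

def parse_config(config):
    """Return ({interface: IPv4Interface}, [(network, wildcard)] as ints) from IOS text."""
    interfaces, ospf_networks, section = {}, [], None
    for line in config.splitlines():
        line = line.strip()  # sections are tracked by keywords, so indentation is optional
        if line.startswith("interface "):
            section = line.split(None, 1)[1]
        elif line.startswith("router ospf"):
            section = "ospf"
        elif line == "!" or line.startswith("router "):
            section = None
        elif section == "ospf" and (m := NETWORK_RE.match(line)):
            ospf_networks.append(tuple(int(ipaddress.IPv4Address(g)) for g in m.groups()))
        elif section is not None and (m := IP_ADDR_RE.match(line)):
            interfaces[section] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return interfaces, ospf_networks

def ospf_uncovered_interfaces(config):
    """Interfaces whose address matches no network statement (equal on every bit where the wildcard is 0)."""
    interfaces, ospf_networks = parse_config(config)
    covered = lambda ip: any((int(ip) & ~w) == (n & ~w) for n, w in ospf_networks)
    return [name for name, iface in interfaces.items() if not covered(iface.ip)]
```

Run against the router 3 configuration the same function reports f2/0, the eBGP link that is deliberately kept out of OSPF, so the output is a list to review rather than a list of errors.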