Converting crypto map to unnumbered VTI

I'm trying to convert a crypto map VPN to an ip unnumbered VTI. The crypto map has been working for months. The VTI... not so much. Here are the applicable config entries.

### original config
!
crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key xxxxxxxx address 10.1.1.10
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto map CRYPTO 50 ipsec-isakmp
 set peer 10.1.1.10
 set transform-set 3DES-SHA
 set pfs group2
 match address VPN1
!
ip access-list extended VPN1
 permit ip host 172.16.16.10 host 10.5.5.1
 permit ip host 172.16.16.10 host 10.5.5.4

I only removed the crypto map and added the following.

### New Config
crypto ipsec profile V1
 set security-association lifetime seconds 28800
 set transform-set 3DES-SHA
 set pfs group2
!
interface Tunnel0
 ip unnumbered FastEthernet0/0
 ip nat outside
 ip virtual-reassembly
 tunnel source 172.16.8.1
 tunnel destination 10.1.1.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile V1

I keep getting this ISAKMP error now.

ISAKMP:(0:54:HW:2):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 10.1.1.10)

Any help would be greatly appreciated. Also... I have no idea what is running on the other end (it's a partner network), but I suspect it's a crypto map on IOS.

Thank you!

MikeG

Reply to
Mike Gauthier

Mike,

Hi.

Before you go any further I would recommend that you find out what you are connecting to.

Using VTIs is different from using static crypto maps. On a VTI you do not define (AFAIK) a crypto ACL. Using a VTI is like saying permit ip any any in a crypto ACL.

On the remote end, if they are running e.g. a PIX or router with a standard crypto map, there will be a crypto ACL which you should be mirroring. I suspect this is not the case though.

Any reason why you wanted to use a VTI ?

Regards

Darren

Reply to
Darren Green

You may want to compare debug isakmp from working and non-working setups:

  1. post show version and show interface tu 0
  2. return to original config
  3. capture debug isakmp sa
  4. configure IPSEC profile with crypto map
  5. capture debug isakmp sa with this setup
  6. config new config with VTI setup
  7. capture debug isakmp sa with this setup

In main mode, there will be an exchange of 6 IKE packets.

The VTI tunnel interface will not come up until the SAs are built (i.e. it will be in up - down state).

Reply to
Merv

Actually, not knowing what's on the other end is part of the exercise. My employer has thought it a good idea to offer VPN connectivity to our clients. Clients can mean a large corporation and a proper networking team, but mostly it means a small to medium sized business with limited network skills. Then... there can also be a language barrier as we're a global company.

I understand what you mean about not having a crypto ACL on a VTI. There is a permit ip any any (you'll see it if you do a show crypto session), but you can apply an ACL to the tunnel interface to simulate one. This is how I suspect one would mirror the crypto ACL.

I want to use a VTI for monitoring purposes. Since it is an interface, it can be monitored (both state and bandwidth). I'm trying to make what could turn into a large number of VPNs much easier for our support team to support. With a VTI, we can show support a green or red light per VPN tunnel. We can't really do that with a crypto map (that I'm aware of).

Thanks for the reply BTW. Appreciate it Farren.

Regards,

MikeG

Reply to
Mike Gauthier

--
Router#sho ver
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: formatting link
(c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

qsv-cvpnc1 uptime is 3 days, 15 hours, 28 minutes
System returned to ROM by reload at 00:39:57 UTC Thu Nov 8 2007
System image file is "flash:c2800nm-advipservicesk9-mz.124-12.bin"

This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
formatting link

If you require further assistance please contact us by sending email to snipped-for-privacy@cisco.com.

Cisco 2811 (revision 53.50) with 249856K/12288K bytes of memory.
Processor board ID FTX1048A3RX
2 FastEthernet interfaces
2 Serial interfaces
2 Virtual Private Network (VPN) Modules
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

Reply to
Mike Gauthier

BTW, IOS 12.4(12) has been yanked by Cisco.

You should upgrade to a newer maintenance version of 12.4

Reply to
Merv

. . .I've done just this.

I did that, but the only error I was seeing was

=========================================

Mike, it looks like your reply got clipped.

Did you see any issues in the output of debug isakmp sa for the original config ?

Reply to
Merv

Weird. My post did get clipped.

The only error I saw from my debug isakmp was the following.

ISAKMP:(0:54:HW:2):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 10.1.1.10)

I'd get QM_IDLE for a second and then that error. I see nothing in Phase 1. No send errors, no encrypt/decrypt errors. Nothing.

Got your email BTW. Thank you.

MikeG

Reply to
Mike Gauthier

Mike,

  1. Upgrade IOS software to a supported maintenance release

  2. test IPSEC profile using crypto map command on the FastEthernet interface:

crypto map V1TEST 10 ipsec-isakmp profile V1

Reply to
Merv

Also try disabling aggressive mode to see if it makes any difference:

crypto isakmp aggressive-mode disable

Reply to
Merv

Mike,

Take a look at this VTI config example:

formatting link

It shows the tunnel interface CONFIGURED with ip nat inside and the physical outside interface with ip nat outside.

Reply to
Merv

I've grabbed some spare 3825s that were destined for a data center upgrade in Europe. I built a small lab network today and will be testing several different aspects of VTIs, crypto maps, and NAT tomorrow.

Thank you for your help Merv. Quite helpful, unfortunately, nothing seemed to help. Do you think PFS could have anything to do with it? This particular VPN uses it. Ah... I'll save for the playground tomorrow.

Thanks again.

MikeG

Reply to
Mike Gauthier

Mike,

Please post your results as the Cisco docs are pretty thin when it comes to VTI especially in the presence of NAT.

Merv

Reply to
Merv

Most definitely will. Hope to have something to post by the end of the day (unless more fires erupt... seems to always happen when I *WANT* to do a particular thing).

MikeG

Reply to
Mike Gauthier

It's been one fire after another this week (down lines in the Philippines, AC out in our lab, etc.). Hopefully I'll get to play around on Friday.

MikeG

Reply to
Mike Gauthier

I was finally able to devote some time to this! YAY!

Here is my bottom line: monitoring VPN status on IOS routers pretty much sucks.

I cannot convert my crypto maps to static VTIs because the crypto ACL cannot be modified. Usually this would not be a big deal, but I do not control the other end of the tunnel. Because of the static VTI's inherent "permit ip any any" encryption domain, this is not an option.

I tried to use dynamic VTIs, but the encryption domain is a problem with this as well. With a DVTI, one can have *ONLY* a single line crypto ACL. Again, a problem because I do not control the other end of the tunnel.

It really looks to me like it's best if I stick with the crypto map tunnels. They are definitely the most flexible and are pretty much guaranteed to work with whatever may be on the other end (given it does proper IPSEC).

So... my new problem. My lab router is running 12.4(17) (c3825-advipservicek9-mz.124-17.bin). I have a working crypto map VPN running. I make the VPN go up. I make the VPN go down (clear crypto session). What happened to the %CRYPTO-5-SESSION_STATUS log messages? They used to show up (I set crazy debugging, but they're gone). I guess this no longer applies?

formatting link
How can I monitor these tunnels now without the log entries?

Thanks again for the help Merv. If anyone can shed some light on this, I'd really appreciate it.

MikeG

Reply to
Mike Gauthier

After speaking with TAC and them doing a little research, it turns out that the CRYPTO-5-SESSION_STATUS log messages must be turned on. According to TAC, this doesn't appear to be documented anywhere. Huh... interesting.

conf t
crypto logging session
end

Mike

Reply to
Mike Gauthier
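Once `crypto logging session` is on, the %CRYPTO-5-SESSION_STATUS messages are what the thread's green/red-light-per-tunnel idea can be built from. The following is an added example, not code from the thread or from Cisco: it parses those syslog lines into a last-known state per peer and reports any expected peer that never came UP as red. The message layout and the sample log lines are assumed/constructed here, so adjust STATUS_RE to match the exact text your IOS release emits.

```python
import re
from collections import OrderedDict

# Assumed layout of the IOS %CRYPTO-5-SESSION_STATUS message; tolerant of the
# "UP ." spacing some releases emit before the period.
STATUS_RE = re.compile(
    r"%CRYPTO-5-SESSION_STATUS: Crypto tunnel is (?P<state>UP|DOWN)\s*\.\s*"
    r"Peer (?P<peer>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
)

# Constructed sample syslog lines (not taken from the thread).
SAMPLE_LOG = """\
Nov  9 14:02:11.123: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 10.1.1.10:500 Id: 10.1.1.10
Nov  9 14:02:40.456: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 10.2.2.20:500 Id: 10.2.2.20
Nov  9 15:10:05.789: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 10.1.1.10:500 Id: 10.1.1.10
Nov  9 15:10:06.000: %SYS-5-CONFIG_I: Configured from console by vty0
"""


def parse_session_events(log_text):
    """Yield (peer, state) tuples in log order, skipping unrelated lines."""
    for line in log_text.splitlines():
        m = STATUS_RE.search(line)
        if m:
            yield m.group("peer"), m.group("state")


def tunnel_status(log_text, expected_peers=()):
    """Return {peer: 'green' | 'red'} based on the last event seen per peer.

    Peers listed in expected_peers that never logged an UP event stay red, so a
    tunnel that silently never came up is not mistaken for a healthy one.
    """
    status = OrderedDict((p, "red") for p in expected_peers)
    for peer, state in parse_session_events(log_text):
        status[peer] = "green" if state == "UP" else "red"
    return dict(status)


if __name__ == "__main__":
    expected = ("10.1.1.10", "10.2.2.20", "10.3.3.30")  # constructed peer list
    for peer, light in tunnel_status(SAMPLE_LOG, expected).items():
        print(f"{peer:<15} {light}")
```

Feed it the router's syslog stream (or a file collected by your syslog server) instead of SAMPLE_LOG; the expected-peer list is what turns "no message yet" into a red light rather than silence.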
