
ipsec ospf router and 2 sites. 1 site works perfect, other identical ospf not

Hi Community,

I am trying to set up in my lab a router with 2 IPsec point-to-point sites with OSPF. The end points have dynamic IPs; I found a nice tutorial on how to achieve that, and for 1 site it works. The other one is identical, except for the router-id, RSA key and IPs. I compared the configs etc. etc., but I think I am getting config blind. Can someone push me in the right direction? Even if I disconnect site 1, site 2 still doesn't want to do any OSPF.

 

Thank you

 

PS. Sorry, somehow my configs lost their tabs (indentation).

 

Router config

firewall {
all-ping enable
broadcast-ping disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address 93.157.xxx.xxx/24
description Internet
duplex auto
speed auto
}
ethernet eth1 {
address 192.168.155.155/20
description Local
duplex auto
speed auto
}
ethernet eth2 {
address 10.0.0.1/24
description "Local 2"
duplex auto
speed auto
}
ethernet eth3 {
duplex auto
speed auto
}
ethernet eth4 {
duplex auto
speed auto
}
ethernet eth5 {
duplex auto
speed auto
}
ethernet eth6 {
duplex auto
speed auto
}
ethernet eth7 {
duplex auto
speed auto
}
loopback lo {
address 192.168.254.1/32
}
tunnel tun002 {
address 172.16.0.1/30
description "Kantoor"
encapsulation gre
ip {
ospf {
dead-interval 40
hello-interval 10
network point-to-point
priority 1
retransmit-interval 5
transmit-delay 1
}
}
local-ip 192.168.254.1
multicast disable
remote-ip 192.168.254.2
ttl 255
}
tunnel tun003 {
address 172.16.0.5/30
description "klant 1"
encapsulation gre
ip {
ospf {
dead-interval 40
hello-interval 10
network point-to-point
priority 1
retransmit-interval 5
transmit-delay 1
}
}
local-ip 192.168.254.1
multicast disable
remote-ip 192.168.254.3
ttl 255
}
}
protocols {
ospf {
area 0 {
network 172.16.0.0/30
network 192.168.144.0/20
network 172.16.0.4/30
}
parameters {
abr-type cisco
router-id 255.255.255.255
}
redistribute {
kernel {
metric 2
metric-type 2
}
static {
metric 2
metric-type 2
}
}
}
static {
table 1 {
}
}
}
service {
dns {
forwarding {
cache-size 150
listen-on eth1
listen-on eth2
}
}
gui {
https-port 443
}
nat {
rule 5010 {
description "masquerade for WAN"
outbound-interface eth0
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
}
system {
gateway-address 93.157.xxx.xxx
host-name ubnt
login {
user Mike {
authentication {
encrypted-password ****************
plaintext-password ****************
}
full-name "Mike"
level admin
}
user backupuser {
authentication {
encrypted-password ****************
plaintext-password ****************
}
full-name Backupuser
level admin
}
}
name-server 93.157.xxx.xxx
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
offload {
ipsec enable
ipv4 {
forwarding enable
gre enable
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
traffic-analysis {
dpi disable
export disable
}
}
vpn {
ipsec {
esp-group esp-tunnel {
compression disable
lifetime 3600
mode tunnel
pfs enable
proposal 1 {
encryption aes256
hash sha1
}
}
ike-group ike-tunnel {
dead-peer-detection {
action restart
interval 15
timeout 60
}
key-exchange ikev1
lifetime 28800
proposal 1 {
dh-group 2
encryption aes256
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
site-to-site {
peer @tun002 {
authentication {
id @HUBROUTER-TO-tun002
mode rsa
rsa-key-name tun002_KEY
}
connection-type respond
default-esp-group esp-tunnel
description "Kantoor"
ike-group ike-tunnel
local-address 93.157.xxx.xxx
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
local {
prefix 192.168.254.1/32
}
remote {
prefix 192.168.254.2/32
}
}
}
peer @tun003 {
authentication {
id @HUBROUTER-TO-tun003
mode rsa
rsa-key-name tun003_KEY
}
connection-type respond
default-esp-group esp-tunnel
description "Klant 1"
ike-group ike-tunnel
local-address 93.157.xxx.xxx
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
local {
prefix 192.168.254.1/32
}
remote {
prefix 192.168.254.3/32
}
}
}
}
}
rsa-keys {
local-key {
file /config/ipsec.d/rsa-keys/localhost.key
}
rsa-key-name tun002_KEY {
rsa-key ****************
}
rsa-key-name tun003_KEY {
rsa-key ****************
}
}
}

Site 1 config (working)

interfaces {
ethernet eth0 {
address 192.168.0.250/24
address 10.0.5.250/24
duplex auto
speed auto
}
ethernet eth1 {
address 10.0.5.1/24
duplex auto
speed auto
}
ethernet eth2 {
duplex auto
speed auto
}
ethernet eth3 {
duplex auto
speed auto
}
ethernet eth4 {
duplex auto
speed auto
}
loopback lo {
address 192.168.254.2/32
}
switch switch0 {
mtu 1500
}
tunnel tun002 {
address 172.16.0.2/30
description "Kantoor"
encapsulation gre
ip {
ospf {
dead-interval 40
hello-interval 10
network point-to-point
priority 1
retransmit-interval 5
transmit-delay 1
}
}
local-ip 192.168.254.2
multicast disable
remote-ip 192.168.254.1
ttl 255
}
}
protocols {
ospf {
area 0 {
area-type {
normal
}
network 10.0.5.0/24
network 172.16.0.0/30
}
log-adjacency-changes {
}
parameters {
abr-type cisco
router-id 1.1.1.25
}
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name local {
authoritative disable
subnet 10.0.5.0/24 {
default-router 10.0.5.1
lease 86400
start 10.0.5.150 {
stop 10.0.5.199
}
}
}
use-dnsmasq disable
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
ssh {
port 22
protocol-version v2
}
}
system {
gateway-address 192.168.0.1
host-name ubnt
login {
user ubnt {
authentication {
encrypted-password ****************
plaintext-password ****************
}
full-name ""
level admin
}
}
name-server 8.8.8.8
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
offload {
hwnat disable
ipsec enable
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
}
vpn {
ipsec {
auto-firewall-nat-exclude disable
esp-group esp-tunnel {
compression disable
lifetime 3600
mode tunnel
pfs enable
proposal 1 {
encryption aes256
hash sha1
}
}
ike-group ike-tunnel {
dead-peer-detection {
action restart
interval 15
timeout 60
}
ikev2-reauth no
key-exchange ikev1
lifetime 28800
proposal 1 {
dh-group 2
encryption aes256
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
site-to-site {
peer 93.157.xxx.xxx {
authentication {
id @tun002
mode rsa
remote-id @HUBROUTER-TO-tun002
rsa-key-name HUB_KEY
}
connection-type initiate
default-esp-group esp-tunnel
ike-group ike-tunnel
ikev2-reauth inherit
local-address any
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
local {
prefix 192.168.254.2/32
}
remote {
prefix 192.168.254.1/32
}
}
}
}
}
rsa-keys {
local-key {
file /config/ipsec.d/rsa-keys/localhost.key
}
rsa-key-name HUB_KEY {
rsa-key ****************
}
}
}

Site 2 config (not working)

interfaces {
ethernet eth0 {
address 192.168.0.251/24
address 10.0.6.250/24
duplex auto
speed auto
}
ethernet eth1 {
address 10.0.6.1/24
duplex auto
speed auto
}
ethernet eth2 {
duplex auto
speed auto
}
ethernet eth3 {
duplex auto
speed auto
}
ethernet eth4 {
duplex auto
speed auto
}
loopback lo {
address 192.168.254.3/32
}
switch switch0 {
mtu 1500
}
tunnel tun003 {
address 172.16.0.6/30
description "klant 1"
encapsulation gre
ip {
ospf {
dead-interval 40
hello-interval 10
network point-to-point
priority 1
retransmit-interval 5
transmit-delay 1
}
}
local-ip 192.168.254.3
multicast disable
remote-ip 192.168.254.1
ttl 255
}
}
protocols {
ospf {
area 0 {
area-type {
normal
}
network 10.0.6.0/24
network 172.16.0.4/30
}
log-adjacency-changes {
}
parameters {
abr-type cisco
router-id 1.1.1.3
}
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name local {
authoritative disable
subnet 10.0.6.0/24 {
default-router 10.0.6.1
lease 86400
start 10.0.6.150 {
stop 10.0.6.199
}
}
}
use-dnsmasq disable
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
ssh {
port 22
protocol-version v2
}
}
system {
gateway-address 192.168.0.1
host-name ubnt
login {
user ubnt {
authentication {
encrypted-password ****************
plaintext-password ****************
}
full-name ""
level admin
}
}
name-server 8.8.8.8
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
offload {
hwnat disable
ipsec enable
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
}
vpn {
ipsec {
auto-firewall-nat-exclude disable
esp-group esp-tunnel {
compression disable
lifetime 3600
mode tunnel
pfs enable
proposal 1 {
encryption aes256
hash sha1
}
}
ike-group ike-tunnel {
dead-peer-detection {
action restart
interval 15
timeout 60
}
ikev2-reauth no
key-exchange ikev1
lifetime 28800
proposal 1 {
dh-group 2
encryption aes256
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
site-to-site {
peer 93.157.xxx.xxx {
authentication {
id @tun003
mode rsa
remote-id @HUBROUTER-TO-tun003
rsa-key-name HUB_KEY
}
connection-type initiate
default-esp-group esp-tunnel
ike-group ike-tunnel
ikev2-reauth inherit
local-address any
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
local {
prefix 192.168.254.3/32
}
remote {
prefix 192.168.254.1/32
}
}
}
}
}
rsa-keys {
local-key {
file /config/ipsec.d/rsa-keys/localhost.key
}
rsa-key-name HUB_KEY {
rsa-key ****************
}
}
}

 


Re: ipsec ospf router and 2 sites. 1 site works perfect, other identical ospf not

1st question: Is the VPN up?

Try pinging from 192.168.254.1 to .2 and .3


Re: ipsec ospf router and 2 sites. 1 site works perfect, other identical ospf not

Yes, the VPN is up.

 

 

Pinging those internal IPs isn't working, and that doesn't have to.

 

I see one thing (marked red in the original post: the `out` counter of peer-tun003-tunnel-1 below shows 0 bytes, 0 packets)

 

Mike@ubnt:~$ show vpn ipsec sa
peer-tun002-tunnel-1: #3, ESTABLISHED, IKEv1, 10286808bd703047:56c13aba44be79a7
  local  'HUBROUTER-TO-tun002' @ 93.157.xxx.xxx
  remote 'tun002' @ 92.111.xxx.xxx
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 9174s ago
  peer-tun002-tunnel-1: #2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 1128 ago
    in  c7977704,  23676 bytes,   191 packets,     4s ago
    out cf190af8,  19518 bytes,   191 packets,     4s ago
    local  192.168.254.1/32
    remote 192.168.254.2/32
peer-tun003-tunnel-1: #2, ESTABLISHED, IKEv1, d135598bac6e4eb7:0c50b0e3605c7a48
  local  'HUBROUTER-TO-tun003' @ 93.157.xxx.xxx
  remote 'tun003' @ 92.111.xxx.xxx
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 10352s ago
  peer-tun003-tunnel-1: #1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 2076 ago
    in  c4610b91,  33540 bytes,   341 packets
    out c8cab57c,      0 bytes,     0 packets
    local  192.168.254.1/32
    remote 192.168.254.3/32

ip route (router)

show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       > - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S    *> 0.0.0.0/0 [1/0] via 93.157.xxx.xxx, eth0
O    *> 10.0.5.0/24 [110/11] via 172.16.0.2, tun002, 02:35:53
C    *> 93.157.6.0/24 is directly connected, eth0
C    *> 127.0.0.0/8 is directly connected, lo
C    *> 172.16.0.0/30 is directly connected, tun002
C    *> 172.16.0.4/30 is directly connected, tun003
C    *> 192.168.144.0/20 is directly connected, eth1
C    *> 192.168.254.1/32 is directly connected, lo

ip route site 1 (working)

ubnt@ubnt:~$ show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       > - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S    *> 0.0.0.0/0 [1/0] via 192.168.0.1, eth0
C    *> 10.0.5.0/24 is directly connected, eth0
C    *> 127.0.0.0/8 is directly connected, lo
C    *> 172.16.0.0/30 is directly connected, tun002
O    *> 172.16.0.4/30 [110/20] via 172.16.0.1, tun002, 02:36:49
C    *> 192.168.0.0/24 is directly connected, eth0
O    *> 192.168.144.0/20 [110/20] via 172.16.0.1, tun002, 02:36:49
C    *> 192.168.254.2/32 is directly connected, lo

ip route site 2 (not working)

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       > - selected route, * - FIB route, p - stale info
IP Route Table for VRF "default"
S    *> 0.0.0.0/0 [1/0] via 192.168.0.1, eth0
C    *> 10.0.6.0/24 is directly connected, eth0
C    *> 127.0.0.0/8 is directly connected, lo
C    *> 172.16.0.4/30 is directly connected, tun003
C    *> 192.168.0.0/24 is directly connected, eth0
C    *> 192.168.254.3/32 is directly connected, lo

show ip ospf (router)

Mike@ubnt:~$ show ip ospf
 Routing Process "ospf 0" with ID 255.255.255.255
 Process uptime is 13 hours 25 minutes
 Process bound to VRF default
 Conforms to RFC2328, and RFC1583 Compatibility flag is disabled
 Supports only single TOS(TOS0) routes
 Supports opaque LSA
 Supports Graceful Restart
 This router is an ASBR (injecting external routing information)
 SPF schedule delay initial 0 secs 500 msecs
 SPF schedule delay min 0 secs 500 msecs
 SPF schedule delay max 50 secs 0 msecs
 Refresh timer 10 secs
 Number of incomming current DD exchange neighbors 0/64
 Number of outgoing current DD exchange neighbors 0/64
 Initial LSA throttle delay 0 secs 0 msecs
 Minimum hold time for LSA throttle 5 secs 0 msecs
 Maximum wait time for LSA throttle 5 secs 0 msecs
 Minimum LSA arrival 1 secs 0 msecs
 Number of external LSA 0. Checksum 0x000000
 Number of opaque AS LSA 0. Checksum 0x000000
 Number of non-default external LSA 0
 External LSA database is unlimited.
 Number of LSA originated 15
 Number of LSA received 86
 Number of areas attached to this router: 1
    Area 0.0.0.0 (BACKBONE)
        Number of interfaces in this area is 3(3)
        Number of fully adjacent neighbors in this area is 1
        Area has no authentication
        SPF algorithm last executed 02:37:56.370 ago
        SPF algorithm executed 8 times
        Number of LSA 6. Checksum 0x03a5ca

show ip ospf site 1 (working)

 Routing Process "ospf 0" with ID 1.1.1.25
 Process uptime is 2 hours 39 minutes
 Process bound to VRF default
 Conforms to RFC2328, and RFC1583 Compatibility flag is disabled
 Supports only single TOS(TOS0) routes
 Supports opaque LSA
 Supports Graceful Restart
 SPF schedule delay initial 0 secs 500 msecs
 SPF schedule delay min 0 secs 500 msecs
 SPF schedule delay max 50 secs 0 msecs
 Refresh timer 10 secs
 Number of incomming current DD exchange neighbors 0/64
 Number of outgoing current DD exchange neighbors 0/64
 Initial LSA throttle delay 0 secs 0 msecs
 Minimum hold time for LSA throttle 5 secs 0 msecs
 Maximum wait time for LSA throttle 5 secs 0 msecs
 Minimum LSA arrival 1 secs 0 msecs
 Number of external LSA 0. Checksum 0x000000
 Number of opaque AS LSA 0. Checksum 0x000000
 Number of non-default external LSA 0
 External LSA database is unlimited.
 Number of LSA originated 3
 Number of LSA received 19
 Number of areas attached to this router: 1
    Area 0.0.0.0 (BACKBONE)
        Number of interfaces in this area is 2(3)
        Number of fully adjacent neighbors in this area is 1
        Area has no authentication
        SPF algorithm last executed 02:38:46.722 ago
        SPF algorithm executed 4 times
        Number of LSA 6. Checksum 0x03a5ca

show ip ospf site 2 (not working)

 Routing Process "ospf 0" with ID 1.1.1.3
 Process uptime is 3 hours 6 minutes
 Process bound to VRF default
 Conforms to RFC2328, and RFC1583 Compatibility flag is disabled
 Supports only single TOS(TOS0) routes
 Supports opaque LSA
 Supports Graceful Restart
 SPF schedule delay initial 0 secs 500 msecs
 SPF schedule delay min 0 secs 500 msecs
 SPF schedule delay max 50 secs 0 msecs
 Refresh timer 10 secs
 Number of incomming current DD exchange neighbors 0/64
 Number of outgoing current DD exchange neighbors 0/64
 Initial LSA throttle delay 0 secs 0 msecs
 Minimum hold time for LSA throttle 5 secs 0 msecs
 Maximum wait time for LSA throttle 5 secs 0 msecs
 Minimum LSA arrival 1 secs 0 msecs
 Number of external LSA 0. Checksum 0x000000
 Number of opaque AS LSA 0. Checksum 0x000000
 Number of non-default external LSA 0
 External LSA database is unlimited.
 Number of LSA originated 1
 Number of LSA received 0
 Number of areas attached to this router: 1
    Area 0.0.0.0 (BACKBONE)
        Number of interfaces in this area is 2(3)
        Number of fully adjacent neighbors in this area is 0
        Area has no authentication
        SPF algorithm last executed 03:05:59.628 ago
        SPF algorithm executed 2 times
        Number of LSA 1. Checksum 0x00b183

Pinging the tunnel networks from the router

 

The site 3 (tun003, 172.16.0.6) end point is not responding

 

Mike@ubnt:~$ ping 172.16.0.1
PING 172.16.0.1 (172.16.0.1) 56(84) bytes of data.
64 bytes from 172.16.0.1: icmp_req=1 ttl=64 time=0.110 ms
^C
--- 172.16.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.110/0.110/0.110/0.000 ms

Mike@ubnt:~$ ping 172.16.0.2
PING 172.16.0.2 (172.16.0.2) 56(84) bytes of data.
64 bytes from 172.16.0.2: icmp_req=1 ttl=64 time=20.7 ms
^C
--- 172.16.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 20.788/20.788/20.788/0.000 ms

Mike@ubnt:~$ ping 172.16.0.5
PING 172.16.0.5 (172.16.0.5) 56(84) bytes of data.
64 bytes from 172.16.0.5: icmp_req=1 ttl=64 time=0.110 ms
^C
--- 172.16.0.5 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.110/0.110/0.110/0.000 ms


Mike@ubnt:~$ ping 172.16.0.6
PING 172.16.0.6 (172.16.0.6) 56(84) bytes of data.
^C
--- 172.16.0.6 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3004ms

 


Re: ipsec ospf router and 2 sites. 1 site works perfect, other identical ospf not

root@ubnt:~# /bin/ping 192.168.254.2 -I tun002
PING 192.168.254.2 (192.168.254.2) from 172.16.0.1 tun002: 56(84) bytes of data.
64 bytes from 192.168.254.2: icmp_req=1 ttl=64 time=21.5 ms
64 bytes from 192.168.254.2: icmp_req=2 ttl=64 time=18.1 ms

 

root@ubnt:~# /bin/ping 192.168.254.3 -I tun003
PING 192.168.254.3 (192.168.254.3) from 172.16.0.5 tun003: 56(84) bytes of data.
^C
--- 192.168.254.3 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms


Re: ipsec ospf router and 2 sites. 1 site works perfect, other identical ospf not

@Mikeynl wrote:

 

 

Pinging those internal IPs isn't working, and that doesn't have to.

It should work; the GRE tunnel requires connectivity between 192.168.254.1 and 192.168.254.3.

For ping to work, specify lo as the source interface.

 


Re: ipsec ospf router and 2 sites. 1 site works perfect, other identical ospf not

OK, any idea why the 2nd isn't working?

Re: ipsec ospf router and 2 sites. 1 site works perfect, other identical ospf not

If I specify lo, neither is pingable. But site-to-site 1 is working.

Re: ipsec ospf router and 2 sites. 1 site works perfect, other identical ospf not

Some troubleshooting commands:

 

show vpn ipsec sa

Will show the tunnels and the encrypted/decrypted packet counts.

 

sudo swanctl --log

Will show the live IPsec log.

 

tcpdump on the GRE interface will show the packets on the GRE tunnel.

 

Worth trying:

Instead of using the lo interface, you could try using a LAN interface IP instead; adjust the tunnel accordingly.

 

Give each peer its own IKE and ESP group (the settings can be identical).

 

Can both branches use the same rsa-key?


Re: ipsec ospf router and 2 sites. 1 site works perfect, other identical ospf not

Fixed !

 

Somehow, it ended up in the NAT table: the translation below shows the GRE traffic from 192.168.254.3 being source-NATed (snat) to the WAN address. Absolutely no CLUE why....

 

 

Mike@ubnt:~$ show nat translations
Pre-NAT              Post-NAT             Type  Prot  Timeout
192.168.254.3        93.157.xxx.xxx         snat  gre   24
Mike@ubnt:~$ show conntrack table ipv4 source 192.168.254.3
TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED,
                 FW - FIN WAIT, CW - CLOSE WAIT, LA - LAST ACK,
                 TW - TIME WAIT, CL - CLOSE, LI - LISTEN

CONN ID    Source                 Destination            Protocol         TIMEOUT
2380358576 192.168.254.3          192.168.254.4          gre [47]         24
Mike@ubnt:~$ delete conntrack table ipv4 conn-id 2380358576
Deleting the following conntrack table entries:

CONN ID    Source                 Destination            Protocol
2380358576 192.168.254.3          192.168.254.4          gre [47]
Mike@ubnt:~$ show nat translations
Pre-NAT              Post-NAT             Type  Prot  Timeout
Mike@ubnt:~$ show vpn ipsec sa
peer-tun002-tunnel-1: #2, ESTABLISHED, IKEv1, c792a1721f56b23f:97a98b3fbf45754e
  local  'HUBROUTER-TO-tun002' @ 93.157.xxx.xxx
  remote 'tun002' @ 92.111.xxx.xxx
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 643s ago
  peer-tun002-tunnel-1: #2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 643 ago
    in  c8b24a8e,   6632 bytes,    71 packets,     4s ago
    out c574f877,   7140 bytes,    74 packets,     5s ago
    local  192.168.254.1/32
    remote 192.168.254.2/32
peer-tun003-tunnel-2: #1, ESTABLISHED, IKEv1, 52c1c568a1ed5b0c:308296a9bc1f7811
  local  'HUBROUTER-TO-tun003' @ 93.157.xxx.xxx
  remote 'tun003' @ 92.111.xxx.xxx
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 646s ago
  peer-tun003-tunnel-2: #1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 645 ago
    in  c7bb9d20,   7420 bytes,    78 packets,    10s ago
    out c681fd16,   5676 bytes,    55 packets,     3s ago
    local  192.168.254.3/32
    remote 192.168.254.4/32

As you can see (in red in the original post: the `out` line of peer-tun003-tunnel-2), the out counter of tunnel 3 is now increasing.