Recursive routing caused by GRE over IPsec


Today I ran into an interesting problem: recursive routing. GRE over IPsec was configured, yet the tunnel interface kept going down and coming back up:

*Mar  4 15:08:34.435: %OSPF-5-ADJCHG: Process 10, Nbr 4.4.4.4 on Tunnel0 from LOADING to FULL, Loading Done

*Mar  4 15:08:42.003: %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing
*Mar  4 15:08:43.003: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Mar  4 15:08:43.015: %OSPF-5-ADJCHG: Process 10, Nbr 4.4.4.4 on Tunnel0 from FULL to DOWN, Neighbor Down: Interface down or detached

I had not seen this in earlier experiments. The key phrase in the log is "recursive routing". Let's look at the topology.

 

[Topology diagram (image no longer embedded): http://www.bkjia.com/uploads/allimg/131227/0U0125F1-0.png]

Requirements:

1. Use GRE over IPsec.
2. All pings must succeed.
3. R2 runs no routing protocol; it stands in for the network cloud.

Basic configuration:

R1:

interface Loopback0
 ip address 1.1.1.1 255.255.255.255
interface Loopback1
 ip address 2.2.2.2 255.255.255.255
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 keepalive 10 3
 tunnel source Ethernet1/0
 tunnel destination 193.1.1.3
interface Ethernet1/0
 ip address 192.1.1.1 255.255.255.0
 ip access-group permiter in
 crypto map mymap
! The Ethernet1/0 stanza was missing from the original listing. Its address is
! inferred from the routing table further down (192.1.1.0/24 directly connected,
! Ethernet1/0); applying the crypto map and the permiter ACL there is what the
! rest of the configuration requires and mirrors R3.

router ospf 10
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 0
 network 2.2.2.2 0.0.0.0 area 0
 network 172.16.1.0 0.0.0.255 area 0
 network 192.1.1.0 0.0.0.255 area 0

crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 193.1.1.3
crypto ipsec transform-set rt3 esp-des esp-md5-hmac
 mode transport
crypto map mymap 10 ipsec-isakmp
 set peer 193.1.1.3
 set transform-set rt3
 match address rt3

ip access-list extended permiter
 permit esp host 193.1.1.3 host 192.1.1.1
 permit gre host 193.1.1.3 host 192.1.1.1
 permit udp host 193.1.1.3 host 192.1.1.1
 permit ip host 3.3.3.3 host 1.1.1.1
 permit ip host 3.3.3.3 host 2.2.2.2
 permit ip host 4.4.4.4 host 2.2.2.2
 permit ip host 4.4.4.4 host 1.1.1.1
 permit udp host 193.1.1.3 host 192.1.1.1 eq isakmp
ip access-list extended rt3
 permit gre host 192.1.1.1 host 193.1.1.3

ip route 0.0.0.0 0.0.0.0 192.1.1.2

R3:

crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 192.1.1.1
crypto ipsec transform-set rt1 esp-des esp-md5-hmac
 mode transport
crypto map mymap 10 ipsec-isakmp
 set peer 192.1.1.1
 set transform-set rt1
 match address rt1

interface Loopback0
 ip address 3.3.3.3 255.255.255.0
interface Loopback1
 ip address 4.4.4.4 255.255.255.255
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 keepalive 10 3
 tunnel source Ethernet1/1
 tunnel destination 192.1.1.1

interface Ethernet1/1
 ip address 193.1.1.3 255.255.255.0
 ip access-group permiter in
 crypto map mymap
! "crypto map mymap" was not in the original listing; without it the crypto map
! is never applied to the GRE packets leaving Ethernet1/1.

router ospf 10
 log-adjacency-changes
 network 3.3.3.3 0.0.0.0 area 1
 network 4.4.4.4 0.0.0.0 area 1
 network 172.16.1.0 0.0.0.255 area 0
 network 193.1.1.0 0.0.0.255 area 1

ip access-list extended permiter
 permit esp host 192.1.1.1 host 193.1.1.3
 permit gre host 192.1.1.1 host 193.1.1.3
 permit udp host 192.1.1.1 host 193.1.1.3 eq isakmp
 permit ip host 1.1.1.1 host 3.3.3.3
 permit ip host 1.1.1.1 host 4.4.4.4
 permit ip host 2.2.2.2 host 4.4.4.4
 permit ip host 2.2.2.2 host 3.3.3.3
ip access-list extended rt1
 permit gre host 193.1.1.3 host 192.1.1.1

ip route 0.0.0.0 0.0.0.0 193.1.1.2

Two things to change before using this outside a lab. The transform set esp-des esp-md5-hmac is single DES with a 56-bit key and HMAC-MD5, and the ISAKMP policy sets no encryption or hash, so it falls back to the IOS defaults (DES); use AES and SHA-2 for both, for example esp-aes 256 esp-sha256-hmac. And in R1's permiter ACL the bare "permit udp host 193.1.1.3 host 192.1.1.1" admits all UDP from the peer and makes the later "eq isakmp" entry unreachable; keep only the isakmp entry, as R3 does.
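The root cause is already visible in the configurations: each router puts both its tunnel interface and its tunnel-source subnet into OSPF, so it will advertise its own transport subnet to the peer across the tunnel. The following Python script is an added example, not part of the original post. It parses condensed copies of the R1 and R3 configurations above (R1's Ethernet1/0 address is taken from the routing table shown later in the post) and flags exactly that combination before the tunnel is ever brought up.

```python
import ipaddress

# Condensed copies of the R1 and R3 configurations from this post. R1's
# Ethernet1/0 address is inferred from the post's routing table.
R1_CONFIG = """\
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 tunnel source Ethernet1/0
 tunnel destination 193.1.1.3
interface Ethernet1/0
 ip address 192.1.1.1 255.255.255.0
router ospf 10
 network 1.1.1.1 0.0.0.0 area 0
 network 172.16.1.0 0.0.0.255 area 0
 network 192.1.1.0 0.0.0.255 area 0
ip route 0.0.0.0 0.0.0.0 192.1.1.2
"""

R3_CONFIG = """\
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 tunnel source Ethernet1/1
 tunnel destination 192.1.1.1
interface Ethernet1/1
 ip address 193.1.1.3 255.255.255.0
router ospf 10
 network 3.3.3.3 0.0.0.0 area 1
 network 172.16.1.0 0.0.0.255 area 0
 network 193.1.1.0 0.0.0.255 area 1
ip route 0.0.0.0 0.0.0.0 193.1.1.2
"""


def wildcard_to_network(address, wildcard):
    """OSPF 'network A W area N' -> ip_network. Done by hand because ipaddress
    would read a 0.0.0.0 wildcard as a /0 netmask instead of a /32 host."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{address}/{prefixlen}", strict=False)


def parse_ios(config):
    """Return (interfaces, ospf_networks); interfaces maps name -> {ip, source, dest}."""
    interfaces, networks, cur = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            interfaces[cur] = {}
        elif line.startswith("router "):
            cur = None
        elif cur is not None and line.startswith("ip address "):
            addr, mask = line.split()[2:4]
            interfaces[cur]["ip"] = ipaddress.ip_interface(f"{addr}/{mask}")
        elif cur is not None and line.startswith("tunnel source "):
            interfaces[cur]["source"] = line.split()[2]
        elif cur is not None and line.startswith("tunnel destination "):
            interfaces[cur]["dest"] = ipaddress.ip_address(line.split()[2])
        elif cur is None and line.startswith("network "):
            net, wild = line.split()[1:3]
            networks.append(wildcard_to_network(net, wild))
    return interfaces, networks


def source_address(interfaces, tunnel):
    """Underlay address of a tunnel; 'tunnel source' may name an interface or an IP."""
    src = tunnel.get("source")
    if src in interfaces:
        return interfaces[src].get("ip")
    try:
        wanted = ipaddress.ip_address(src)
    except ValueError:
        return None
    for data in interfaces.values():
        if "ip" in data and data["ip"].ip == wanted:
            return data["ip"]
    return None


def transport_leaks(config):
    """Flag every tunnel whose own address AND underlay source subnet are both
    matched by OSPF network statements: that router advertises its transport
    subnet across the tunnel, so the peer learns its tunnel destination through
    the tunnel itself, which is the condition behind %TUN-5-RECURDOWN."""
    interfaces, networks = parse_ios(config)

    def covered(ip):
        return any(ip in net for net in networks)

    findings = []
    for name, data in interfaces.items():
        if "dest" not in data or "ip" not in data:
            continue
        src_ip = source_address(interfaces, data)
        if src_ip is not None and covered(data["ip"].ip) and covered(src_ip.ip):
            findings.append((name, str(src_ip.network)))
    return findings


if __name__ == "__main__":
    for label, cfg in (("R1", R1_CONFIG), ("R3", R3_CONFIG)):
        print(label, transport_leaks(cfg))
```

The lint does not know whether the peer has a host route that would mask the problem; it only reports that this router will advertise its transport subnet across the tunnel, which is what should be prevented in the first place (drop the transport subnet from the OSPF network statements and the finding disappears).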

At first everything looks fine and all the routes are there (note that this capture already contains the 193.1.1.3/32 static discussed below; the entry to watch is the OSPF inter-area route for 193.1.1.0/24 via Tunnel0):

Center# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.1.1.2 to network 0.0.0.0

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback1
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/11112] via 172.16.1.2, 00:30:59, Tunnel0
     4.0.0.0/32 is subnetted, 1 subnets
O IA    4.4.4.4 [110/11112] via 172.16.1.2, 00:30:59, Tunnel0
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Tunnel0
     193.1.1.0/24 is variably subnetted, 2 subnets, 2 masks
O IA    193.1.1.0/24 [110/11121] via 172.16.1.2, 00:30:59, Tunnel0
S       193.1.1.3/32 [1/0] via 192.1.1.2
C    192.1.1.0/24 is directly connected, Ethernet1/0
S*   0.0.0.0/0 [1/0] via 192.1.1.2

But the trouble starts almost immediately:

*Mar  4 15:08:34.435: %OSPF-5-ADJCHG: Process 10, Nbr 4.4.4.4 on Tunnel0 from LOADING to FULL, Loading Done

*Mar  4 15:08:42.003: %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing
*Mar  4 15:08:43.003: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Mar  4 15:08:43.015: %OSPF-5-ADJCHG: Process 10, Nbr 4.4.4.4 on Tunnel0 from FULL to DOWN, Neighbor Down: Interface down or detached

After that the OSPF-learned routes are gone from the routing table and only the connected routes remain.
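Because the symptom is a tunnel that flaps on a timer, it is worth catching from syslog instead of waiting for users to notice. The following Python is an added example, not from the original post: it parses IOS syslog lines like the ones above, counts %TUN-5-RECURDOWN events and down/up/down cycles per tunnel, and raises an alert when two or more RECURDOWNs fall inside a ten-minute window. The first four lines of the sample log are the ones shown in the post; the rest are constructed to complete one cycle and add an unrelated message.

```python
import re
from datetime import datetime, timedelta

# Shape of the IOS syslog lines quoted in the post, e.g.
# "*Mar  4 15:08:42.003: %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing"
LINE_RE = re.compile(
    r"^\*?\s*(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\.\d+:\s+"
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+):\s+(?P<text>.*)$"
)
RECURDOWN_RE = re.compile(r"^(?P<iface>\S+) temporarily disabled due to recursive routing")
UPDOWN_RE = re.compile(r"Interface (?P<iface>[^,]+), changed state to (?P<state>up|down)")

# Constructed sample: lines 1-4 are from the post, the rest complete one flap
# cycle (tunnel comes back, OSPF re-forms, RECURDOWN again) plus unrelated noise.
SAMPLE_LOG = """\
*Mar  4 15:08:34.435: %OSPF-5-ADJCHG: Process 10, Nbr 4.4.4.4 on Tunnel0 from LOADING to FULL, Loading Done
*Mar  4 15:08:42.003: %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing
*Mar  4 15:08:43.003: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Mar  4 15:08:43.015: %OSPF-5-ADJCHG: Process 10, Nbr 4.4.4.4 on Tunnel0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar  4 15:09:43.011: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Mar  4 15:09:51.420: %OSPF-5-ADJCHG: Process 10, Nbr 4.4.4.4 on Tunnel0 from LOADING to FULL, Loading Done
*Mar  4 15:09:59.004: %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing
*Mar  4 15:10:00.004: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Mar  4 15:10:05.100: %SYS-5-CONFIG_I: Configured from console by console
"""


def parse_line(line):
    """Return (timestamp, mnemonic, text) or None for a line that is not IOS syslog."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
    return ts, m["mnemonic"], m["text"]


def detect_recursive_flaps(log_text, window=timedelta(minutes=10), threshold=2):
    """Per tunnel interface: total RECURDOWNs, the largest number of them inside
    one `window`, the number of down->up->down cycles, and an alert flag."""
    recurdowns, transitions = {}, {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, mnemonic, text = parsed
        if mnemonic == "TUN-5-RECURDOWN":
            m = RECURDOWN_RE.match(text)
            if m:
                recurdowns.setdefault(m["iface"], []).append(ts)
        elif mnemonic == "LINEPROTO-5-UPDOWN":
            m = UPDOWN_RE.search(text)
            if m:
                transitions.setdefault(m["iface"], []).append((ts, m["state"]))

    report = {}
    for iface in set(recurdowns) | set(transitions):
        stamps = sorted(recurdowns.get(iface, []))
        burst, start = 0, 0  # sliding window over RECURDOWN timestamps
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            burst = max(burst, end - start + 1)
        states = [state for _, state in sorted(transitions.get(iface, []))]
        flaps = sum(1 for i in range(2, len(states)) if states[i - 2:i + 1] == ["down", "up", "down"])
        report[iface] = {"recurdown": len(stamps), "burst": burst, "flaps": flaps,
                         "alert": burst >= threshold}
    return report


if __name__ == "__main__":
    for iface, stats in detect_recursive_flaps(SAMPLE_LOG).items():
        print(iface, stats)
```

A single RECURDOWN can be a transient during convergence; the window and threshold are what separate that from the steady flap described in this post, so tune them to the hold-down you observe on your platform.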

Let's analyze the problem.

Take a packet from 1.1.1.1 to 3.3.3.3.

First lookup: 3.3.3.3 matches O IA 3.3.3.3 [110/11112] via 172.16.1.2, Tunnel0, so the packet is handed to Tunnel0 and GRE-encapsulated with an outer header from 192.1.1.1 to 193.1.1.3. That outer packet has to be routed in turn, and it is supposed to leave through Ethernet1/0 toward 192.1.1.2.

As long as the only match for 193.1.1.3 is the default route, that works: the GRE packet goes out Ethernet1/0, the crypto map encrypts it, and the tunnel comes up. But once OSPF converges across the tunnel, R1 learns R3's own transport subnet through the tunnel, O IA 193.1.1.0/24 via 172.16.1.2, Tunnel0, and a /24 beats the /0 default. The second lookup for the tunnel destination now points back into Tunnel0: the router would have to encapsulate the already encapsulated packet again, without end. IOS detects this, logs TUN-5-RECURDOWN and shuts the tunnel; the OSPF routes are withdrawn, 193.1.1.3 is again reachable through the default route, the tunnel comes back up, OSPF re-learns 193.1.1.0/24, and the cycle repeats. IPsec is not the cause: the crypto map sits on the physical interface and only sees packets that have already been routed out of it. The fix is to give the tunnel destination a route that is more specific than anything OSPF can hand back over the tunnel, pointing at the physical next hop:

R1: ip route 193.1.1.3 255.255.255.255 192.1.1.2

R3: ip route 192.1.1.1 255.255.255.255 193.1.1.2

Use the host mask: the route is for the single tunnel endpoint, and a /32 is more specific than the /24 learned through the tunnel, so it wins regardless of administrative distance. The cleaner alternative is to stop advertising the transport subnets into OSPF at all (remove "network 192.1.1.0 0.0.0.255 area 0" on R1 and "network 193.1.1.0 0.0.0.255 area 1" on R3), so that the underlay is only ever reachable through the default route.

This matches what the official Cisco documentation says about recursive routing:

Now, observe the routing table after the tunnel interface goes up, shown below.

R1# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 172.16.15.2 to network 0.0.0.0

     172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
D       172.16.25.0/24 [90/297756416] via 192.168.1.3, 00:00:00, Tunnel0
C       172.16.15.2/32 is directly connected, Serial0
C       172.16.15.0/24 is directly connected, Serial0
     10.0.0.0/24 is subnetted, 2 subnets
D       10.3.3.0 [90/297372416] via 192.168.1.3, 00:00:00, Tunnel0
C       10.1.1.0 is directly connected, Loopback0
C    192.168.1.0/24 is directly connected, Tunnel0
S*   0.0.0.0/0 [1/0] via 172.16.15.2

In this case, when the router receives a packet destined for 10.3.3.0/24, it routes it to Tunnel0 and hands it to GRE for encapsulation. The tunnel on R1 is configured as:

interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 tunnel source Loopback0
 tunnel destination 10.3.3.3

To forward the encapsulated packet the router now looks up the tunnel destination 10.3.3.3, and the best match is again D 10.3.3.0 [90/297372416] via 192.168.1.3, 00:00:00, Tunnel0: the packet is sent back into the tunnel it just left and can never be forwarded. That is the recursive routing error.

Solution: R1(config)# ip route 10.3.3.3 255.255.255.255 serial 0
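To make the two lookups concrete for both the topology in this post and the Cisco example, here is an added Python model, not IOS code and not from the original post, of a longest-prefix-match RIB with IOS-style resolution of next-hop-only statics. It resolves the tunnel destination the way the forwarding path must after GRE encapsulation, reports "recursive" when that lookup lands on the tunnel itself, and shows the /32 host route curing it in both cases. The route tables are transcribed from the two show ip route outputs above; the forward() helper for the 1.1.1.1 to 3.3.3.3 case is this example's own way of chaining the inner and outer lookups, not a description of IOS internals.

```python
import ipaddress


class Rib:
    """Minimal IPv4 RIB: longest prefix wins, then lowest administrative distance.
    A route with out_if set is fully resolved; one with only a next hop is a
    recursive static that needs a further lookup, as on IOS."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, next_hop=None, out_if=None, distance=0):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, out_if, distance))

    def lookup(self, address):
        ip = ipaddress.ip_address(address)
        best = None
        for route in self.routes:
            net, _nh, _if, ad = route
            if ip in net and (best is None or (net.prefixlen, -ad) > (best[0].prefixlen, -best[3])):
                best = route
        return best


def resolve(rib, address, forbid_if=None, max_depth=8):
    """Resolve an address to an egress interface. Returns (state, egress, path):
    "up" with the interface, "recursive" if the lookup lands on forbid_if (the
    tunnel doing the encapsulating), or "unroutable"."""
    path, target = [], address
    for _ in range(max_depth):
        hit = rib.lookup(target)
        if hit is None:
            return "unroutable", None, path
        net, next_hop, out_if, _ad = hit
        path.append(str(net))
        if out_if is not None and out_if == forbid_if:
            return "recursive", out_if, path
        if out_if is not None:
            return "up", out_if, path
        target = next_hop  # next-hop-only static: resolve the next hop itself
    return "unroutable", None, path


def resolve_tunnel(rib, tunnel_if, tunnel_dest):
    """Where does the GRE outer packet go? This is the check behind %TUN-5-RECURDOWN."""
    return resolve(rib, tunnel_dest, forbid_if=tunnel_if)


def forward(rib, dst, tunnels):
    """Data packet: inner lookup, then the outer lookup if the inner route points
    into a GRE tunnel. `tunnels` maps tunnel interface -> tunnel destination."""
    state, egress, path = resolve(rib, dst)
    if state != "up" or egress not in tunnels:
        return state, egress, path
    state, egress, outer = resolve_tunnel(rib, egress, tunnels[egress])
    return state, egress, path + outer


def r1_rib(ospf_converged, host_route):
    """R1's table from this post, before/after OSPF converges over the tunnel,
    with or without 'ip route 193.1.1.3 255.255.255.255 192.1.1.2'."""
    rib = Rib()
    rib.add("1.1.1.1/32", out_if="Loopback0")
    rib.add("2.2.2.2/32", out_if="Loopback1")
    rib.add("172.16.1.0/24", out_if="Tunnel0")
    rib.add("192.1.1.0/24", out_if="Ethernet1/0")
    rib.add("0.0.0.0/0", next_hop="192.1.1.2", distance=1)
    if ospf_converged:
        rib.add("3.3.3.3/32", "172.16.1.2", "Tunnel0", 110)
        rib.add("4.4.4.4/32", "172.16.1.2", "Tunnel0", 110)
        rib.add("193.1.1.0/24", "172.16.1.2", "Tunnel0", 110)  # R3's transport subnet, learned via the tunnel
    if host_route:
        rib.add("193.1.1.3/32", next_hop="192.1.1.2", distance=1)
    return rib


def cisco_doc_rib(host_route):
    """R1's table from the Cisco example: EIGRP learns 10.3.3.0/24 through
    Tunnel0, and the tunnel destination 10.3.3.3 sits inside that prefix."""
    rib = Rib()
    rib.add("10.1.1.0/24", out_if="Loopback0")
    rib.add("172.16.15.0/24", out_if="Serial0")
    rib.add("192.168.1.0/24", out_if="Tunnel0")
    rib.add("0.0.0.0/0", next_hop="172.16.15.2", distance=1)
    rib.add("172.16.25.0/24", "192.168.1.3", "Tunnel0", 90)
    rib.add("10.3.3.0/24", "192.168.1.3", "Tunnel0", 90)
    if host_route:
        rib.add("10.3.3.3/32", out_if="Serial0", distance=1)  # ip route 10.3.3.3 255.255.255.255 serial 0
    return rib


if __name__ == "__main__":
    for label, rib in (("R1 before OSPF", r1_rib(False, False)),
                       ("R1 after OSPF", r1_rib(True, False)),
                       ("R1 with /32 static", r1_rib(True, True))):
        print(label, resolve_tunnel(rib, "Tunnel0", "193.1.1.3"))
    print("1.1.1.1 -> 3.3.3.3:", forward(r1_rib(True, True), "3.3.3.3", {"Tunnel0": "193.1.1.3"}))
    for fixed in (False, True):
        print("Cisco example, fixed =", fixed, resolve_tunnel(cisco_doc_rib(fixed), "Tunnel0", "10.3.3.3"))
```

The path returned for the fixed case, 3.3.3.3/32 then 193.1.1.3/32 then 192.1.1.0/24, is the pair of lookups the text walks through: the inner route selects the tunnel, the host route selects the physical next hop, and the connected route finally yields Ethernet1/0.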

This article is from the "cisco network" blog. For more information, contact the author!
