IPSec GRE Tunnel Encryption over MPLS VPN

Hi,

I’ve set up a simulated core SP network with CSR1KVs, and at the customer edge I want to have an encrypted GRE tunnel end to end, from CE1-Richmond to CE1-Maine for example.
I have the gre tunnel up and active, I source the same loopback interface I use for ebgp peering with my PE routers as the source for the tunnel. I can ping end to end no issue, but I’m not seeing any encrypted packets in the crypto show command output.
I’m patently missing something here :slight_smile:

Configs and outputs are below from CE1 and CE2:

CE1-Richmond#show crypto ipsec sa 

interface: Loopback0
    Crypto map tag: MYMAP, local addr 7.7.7.7

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
   current_peer 11.11.11.11 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 7.7.7.7, remote crypto endpt.: 11.11.11.11
     plaintext mtu 1514, path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none
CE1-Richmond#show running-config | section ipsec
crypto ipsec transform-set TRANS esp-aes 256 esp-sha-hmac 
 mode tunnel
crypto map MYMAP 10 ipsec-isakmp 
 set peer 11.11.11.11
 set transform-set TRANS 
 match address 100
CE1-Richmond#show running-config interface lo0
Building configuration...

Current configuration : 81 bytes
!
interface Loopback0
 ip address 7.7.7.7 255.255.255.255
 crypto map MYMAP
end
CE1-Richmond#show ip access-lists 
Extended IP access list 100
    10 permit gre any any

CE1-Maine:

CE1-Maine#show crypto ipsec sa 

interface: Loopback0
    Crypto map tag: MYMAP, local addr 11.11.11.11

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
   current_peer 7.7.7.7 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 11.11.11.11, remote crypto endpt.: 7.7.7.7
     plaintext mtu 1514, path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none
CE1-Maine#show running-config | section ipsec
crypto ipsec transform-set TRANS esp-aes 256 esp-sha-hmac 
 mode tunnel
crypto map MYMAP 10 ipsec-isakmp 
 set peer 7.7.7.7
 set transform-set TRANS 
 match address 100
CE1-Maine#
interface Loopback0
 ip address 11.11.11.11 255.255.255.255
 crypto map MYMAP
end

CE1-Maine#debug crypto ipsec shows nothing, and I can ping end to end

CE1-Maine#show running-config | section bgp
router bgp 1
 bgp log-neighbor-changes
 network 11.11.11.11 mask 255.255.255.255
 neighbor 60.60.60.1 remote-as 234

Thanks
-Shane

Hi Shane,

Try moving your crypto map command from the loopback interface to outside (WAN) physical interface. It won’t work on the loopback interfaces :slight_smile:

Rene

Thanks Rene, I’ll use the physical interface and give it a go :). But if it’s a routable IP (and apologies if this is not a correct question), why can’t it be used as a source and destination for the tunnel?

-Shane

Hello Shane

The loopback is used by the crypto map for the router to identify itself to IPSec peers and for the SA (it is used as the local address for IPSEC (and IKE) traffic originating from or destined to the interface). It cannot be used for routing traffic. The interfaces the crypto map is applied to should take care of that.

I hope this has been helpful!

Laz
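Putting Rene's and Laz's advice into a configuration, as an added example that is not from the thread: CE1-Maine with the crypto map moved from Loopback0 to the WAN interface, while the GRE tunnel keeps Loopback0 as its source. The interface name GigabitEthernet1, the CE-side WAN address 60.60.60.2, the Tunnel0 addressing, and the IKE policy and pre-shared key are assumptions; the loopback, peer, transform set and crypto map names come from the thread, and the ACL is narrowed from `permit gre any any` to the two loopbacks so only this peer's GRE traffic is selected.

```cisco
! CE1-Maine: IKEv1 policy and key are assumptions (not shown in the thread)
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 7.7.7.7
!
crypto ipsec transform-set TRANS esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 7.7.7.7
 set transform-set TRANS
 match address 100
!
! Select only the GRE traffic between the two tunnel loopbacks
access-list 100 permit gre host 11.11.11.11 host 7.7.7.7
!
interface Loopback0
 ip address 11.11.11.11 255.255.255.255
 ! no "crypto map MYMAP" here: the loopback never forwards the GRE packets
!
interface Tunnel0
 ! assumed tunnel addressing; the source stays on the loopback
 ip address 10.0.0.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 7.7.7.7
!
interface GigabitEthernet1
 ! assumed WAN interface and CE-side address towards PE 60.60.60.1
 description WAN to PE
 ip address 60.60.60.2 255.255.255.0
 crypto map MYMAP
```

CE1-Richmond mirrors this with 7.7.7.7 and 11.11.11.11 swapped; after the change, `show crypto ipsec sa` should show the `#pkts encaps`/`#pkts decaps` counters climbing with each end-to-end ping instead of staying at 0.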
