
Recursive routing caused by GRE over IPsec

Today in the lab I ran into an interesting topic: recursive routing. GRE over IPsec was configured and working, yet the tunnel interface kept going down and coming back up:

*Mar  4 15:08:34.435: %OSPF-5-ADJCHG: Process 10, Nbr 4.4.4.4 on Tunnel0 from LOADING to FULL, Loading Done

*Mar  4 15:08:42.003: %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing

*Mar  4 15:08:43.003: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down

*Mar  4 15:08:43.015: %OSPF-5-ADJCHG: Process 10, Nbr 4.4.4.4 on Tunnel0 from FULL to DOWN, Neighbor Down: Interface down or detached

I had done this lab before without hitting this, so at first I was puzzled, but on a closer look "due to recursive routing" is the key phrase.

Before getting into recursive routing, let's look at the topology.

[Topology diagram: http://blog.51cto.com/attachment/201103/152425983.png]

Requirements:
1. Use GRE over IPsec.
2. Everything must be able to ping everything.
3. r2 runs no routing protocol; it just plays the role of a network cloud.

Simple enough, so let's configure it.

r1:
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
interface Loopback1
 ip address 2.2.2.2 255.255.255.255
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 keepalive 10 3
 tunnel source Ethernet1/0
 tunnel destination 193.1.1.3
! The Ethernet1/0 stanza was missing from the original paste. The address follows
! from the routing table below (192.1.1.0/24 connected on Ethernet1/0); the crypto
! map and the inbound ACL defined further down only take effect once applied here,
! and the access-group mirrors what r3 does on Ethernet1/1.
interface Ethernet1/0
 ip address 192.1.1.1 255.255.255.0
 ip access-group permiter in
 crypto map mymap
router ospf 10
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 0
 network 2.2.2.2 0.0.0.0 area 0
 network 172.16.1.0 0.0.0.255 area 0
! This advertises r1's own transport subnet to r3 through the tunnel; see the
! analysis below for why that is the seed of the recursive-routing problem.
 network 192.1.1.0 0.0.0.255 area 0
crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 193.1.1.3
! esp-des, esp-md5-hmac and DH group 2 are the lab settings from the original
! post and are far too weak for production use; prefer AES-GCM and a modern group.
crypto ipsec transform-set rt3 esp-des esp-md5-hmac
 mode transport
crypto map mymap 10 ipsec-isakmp
 set peer 193.1.1.3
 set transform-set rt3
 match address rt3
ip access-list extended permiter
 permit esp host 193.1.1.3 host 192.1.1.1
 permit gre host 193.1.1.3 host 192.1.1.1
! The unqualified udp permit makes the "eq isakmp" entry below redundant; only
! UDP/500 is needed for IKE here, so the narrower line is the one to keep.
 permit udp host 193.1.1.3 host 192.1.1.1
 permit ip host 3.3.3.3 host 1.1.1.1
 permit ip host 3.3.3.3 host 2.2.2.2
 permit ip host 4.4.4.4 host 2.2.2.2
 permit ip host 4.4.4.4 host 1.1.1.1
 permit udp host 193.1.1.3 host 192.1.1.1 eq isakmp
ip access-list extended rt3
 permit gre host 192.1.1.1 host 193.1.1.3
ip route 0.0.0.0 0.0.0.0 192.1.1.2

r3 configuration (the original paste of r3 lost several stanza headers and lines; the ones marked as assumed are reconstructed to mirror r1, which they must match for IKE and OSPF to come up at all):
crypto isakmp policy 10
! authentication pre-share / group 2 assumed to mirror r1's policy
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 192.1.1.1
crypto ipsec transform-set rt1 esp-des esp-md5-hmac
! mode transport assumed to mirror r1
 mode transport
! the crypto map name was lost in the paste; "mymap" is assumed
crypto map mymap 10 ipsec-isakmp
 set peer 192.1.1.1
 set transform-set rt1
 match address rt1
interface Loopback0
! /24 mask as in the post; OSPF still advertises a loopback as a /32 host route,
! which is what r1's routing table shows
 ip address 3.3.3.3 255.255.255.0
interface Loopback1
 ip address 4.4.4.4 255.255.255.255
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 tunnel source Ethernet1/1
 tunnel destination 192.1.1.1
interface Ethernet1/1
 ip address 193.1.1.3 255.255.255.0
 ip access-group permiter in
! crypto map must be applied here for IPsec to protect the GRE traffic (not in the paste)
 crypto map mymap
router ospf 10
! Not in the paste, but required: the adjacency forms on Tunnel0 and r1 sees r3's
! prefixes as O IA, so r3 must put the tunnel subnet in area 0 and act as ABR.
 network 172.16.1.0 0.0.0.255 area 0
 network 3.3.3.3 0.0.0.0 area 1
 network 4.4.4.4 0.0.0.0 area 1
! r3's own transport subnet, advertised to r1 through the tunnel (see the analysis below)
 network 193.1.1.0 0.0.0.255 area 1
ip access-list extended permiter
 permit esp host 192.1.1.1 host 193.1.1.3
 permit udp host 192.1.1.1 host 193.1.1.3 eq isakmp
 permit ip host 1.1.1.1 host 3.3.3.3
 permit ip host 1.1.1.1 host 4.4.4.4
 permit ip host 2.2.2.2 host 4.4.4.4
 permit ip host 2.2.2.2 host 3.3.3.3
! r1's list also permits gre from the peer; on IOS releases that re-check decrypted
! packets against the inbound ACL, r3 needs the matching entry as well
ip access-list extended rt1
 permit gre host 193.1.1.3 host 192.1.1.1
ip route 0.0.0.0 0.0.0.0 193.1.1.2

And it works: the pings succeed and the routes come up.

center#show ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.1.1.2 to network 0.0.0.0

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback1
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/11112] via 172.16.1.2, 00:30:59, Tunnel0
     4.0.0.0/32 is subnetted, 1 subnets
O IA    4.4.4.4 [110/11112] via 172.16.1.2, 00:30:59, Tunnel0
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Tunnel0
     193.1.1.0/24 is variably subnetted, 2 subnets, 2 masks
O IA    193.1.1.0/24 [110/11121] via 172.16.1.2, 00:30:59, Tunnel0
S       193.1.1.3/32 [1/0] via 192.1.1.2
C    192.1.1.0/24 is directly connected, Ethernet1/0
S*   0.0.0.0/0 [1/0] via 192.1.1.2

But before long the trouble starts: the same sequence of messages shown at the top of this post, the OSPF neighbour reaching FULL, then %TUN-5-RECURDOWN, then the line protocol on Tunnel0 going down and the adjacency being torn down.

Even the routing table does not come back; only the directly connected routes remain.

Let's analyse the problem.

Suppose 1.1.1.1 sends a packet to 3.3.3.3. The lookup for 3.3.3.3 hits O IA 3.3.3.3 [110/11112] via 172.16.1.2, 00:30:59, Tunnel0, so the packet is sent into Tunnel0 and GRE-encapsulated: it gets a new outer IP header whose destination is the tunnel endpoint, 193.1.1.3. The router now has to look up 193.1.1.3 to find the physical exit. While the host route S 193.1.1.3/32 [1/0] via 192.1.1.2 is present that lookup lands on Ethernet1/0 and everything works.

Nothing in the configuration above creates that /32, though, and once it is absent the most specific route for 193.1.1.3 is O IA 193.1.1.0/24 [110/11121] via 172.16.1.2, Tunnel0: r3 advertises its own transport subnet into OSPF and r1 learns it through the tunnel. The encapsulated packet is therefore sent back into Tunnel0, encapsulated again, and never leaves the box. The default route alone cannot help, because the /24 learned through the tunnel is a longer match. IOS detects that the tunnel destination resolves through the tunnel itself and shuts the interface with %TUN-5-RECURDOWN; the routes learned over the tunnel vanish, the default route wins again, the tunnel comes back, the OSPF routes return, and the cycle repeats. That is the flapping seen in the log.

The fix is not another default route (r1 already has one) but a static host route for the tunnel destination, pointing at the physical next hop, so that the /32 always beats the /24 learned through the tunnel:

on r1: ip route 193.1.1.3 255.255.255.255 192.1.1.2
on r3: ip route 192.1.1.1 255.255.255.255 193.1.1.2

(The original post wrote these with a 255.255.255.0 mask, which IOS rejects as an inconsistent address and mask.) The symmetric route is needed on r3 because r1 likewise advertises 192.1.1.0/24 into OSPF, so r3 would otherwise resolve its own tunnel destination through Tunnel0 in exactly the same way. The cleaner alternative is to stop advertising the transport subnets into OSPF at all (remove network 192.1.1.0 0.0.0.255 area 0 on r1 and network 193.1.1.0 0.0.0.255 area 1 on r3): a tunnel endpoint must never become reachable only through the tunnel it terminates.

The Cisco documentation describes the same failure like this:

Now, observe the routing table after the tunnel interface goes up, shown below.

R1# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 172.16.15.2 to network 0.0.0.0

     172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
D       172.16.25.0/24 [90/297756416] via 192.168.1.3, 00:00:00, Tunnel0
C       172.16.15.2/32 is directly connected, Serial0
C       172.16.15.0/24 is directly connected, Serial0
     10.0.0.0/24 is subnetted, 2 subnets
D       10.3.3.0 [90/297372416] via 192.168.1.3, 00:00:00, Tunnel0
C       10.1.1.0 is directly connected, Loopback0
C    192.168.1.0/24 is directly connected, Tunnel0
S*   0.0.0.0/0 [1/0] via 172.16.15.2

At this point, if the router receives a packet for the 10.3.3.0 network, it routes it to Tunnel0, queues it there, and GRE-encapsulates it. On R1:

interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 tunnel source Loopback0
 tunnel destination 10.3.3.3

To forward the encapsulated packet the router now looks up the tunnel destination 10.3.3.3, and again finds D 10.3.3.0 [90/297372416] via 192.168.1.3, 00:00:00, Tunnel0.

The packet can never be routed out, so a recursive routing error is raised.

The fix is R1(config)# ip route 10.3.3.3 255.255.255.255 serial 0: a host route for the tunnel endpoint that points at the physical interface and therefore wins the longest match against the /24 learned through the tunnel.
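The lookup chain described in both the analysis above and the Cisco example can be replayed offline. The following Python model is an added example for this post, not IOS code and not part of the original article: it implements longest-prefix matching over a small routing table, restarts the lookup for the tunnel destination whenever a route exits a tunnel interface, and flags the case IOS reports as %TUN-5-RECURDOWN. The two tables are copied from the `show ip route` output on this page (the loopback host routes of r1 are left out because they play no part in resolving the endpoint); the interface-based encoding of routes and the `without` helper are the example's own conventions.

```python
"""Longest-prefix-match forwarding with GRE re-encapsulation, modelled in Python.

Added example for this article (not IOS code). It replays the lookups a router
performs for a packet entering Tunnel0 and flags the case IOS logs as
%TUN-5-RECURDOWN: the tunnel destination itself resolving through the tunnel.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# (prefix, next hop or None when directly connected, egress interface, route source)
Route = Tuple[str, Optional[str], str, str]

# r1's table, taken from the post's first `show ip route` (loopback host routes
# omitted; they play no part in resolving the tunnel endpoint).
R1_TABLE: List[Route] = [
    ("0.0.0.0/0",     "192.1.1.2",  "Ethernet1/0", "S*"),
    ("192.1.1.0/24",  None,         "Ethernet1/0", "C"),
    ("172.16.1.0/24", None,         "Tunnel0",     "C"),
    ("3.3.3.3/32",    "172.16.1.2", "Tunnel0",     "O IA"),
    ("193.1.1.0/24",  "172.16.1.2", "Tunnel0",     "O IA"),  # r3's transport subnet, learned over the tunnel
    ("193.1.1.3/32",  "192.1.1.2",  "Ethernet1/0", "S"),     # host route to the tunnel endpoint
]
R1_TUNNELS: Dict[str, str] = {"Tunnel0": "193.1.1.3"}  # `tunnel destination` per tunnel interface

# R1 from the Cisco document quoted above: 10.3.3.0/24 is learned by EIGRP
# through Tunnel0, and 10.3.3.3 is that tunnel's destination.
DOC_TABLE: List[Route] = [
    ("0.0.0.0/0",      "172.16.15.2", "Serial0",   "S*"),
    ("172.16.15.0/24", None,          "Serial0",   "C"),
    ("172.16.25.0/24", "192.168.1.3", "Tunnel0",   "D"),
    ("10.3.3.0/24",    "192.168.1.3", "Tunnel0",   "D"),
    ("10.1.1.0/24",    None,          "Loopback0", "C"),
    ("192.168.1.0/24", None,          "Tunnel0",   "C"),
]
DOC_TUNNELS: Dict[str, str] = {"Tunnel0": "10.3.3.3"}


def longest_match(table: List[Route], dst: str) -> Optional[Route]:
    """Most specific route covering dst, or None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for route in table:
        net = ipaddress.ip_network(route[0])
        if addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def resolve(table: List[Route], tunnels: Dict[str, str], dst: str,
            max_hops: int = 8) -> Tuple[str, List[str]]:
    """Replay the forwarding decision for dst.

    Whenever the chosen route exits a tunnel interface the packet gets an
    outer header and the lookup restarts for that tunnel's destination.
    Returns (outcome, lookup trail); outcome is the physical egress
    interface, "recursive" when a tunnel's destination resolves back
    through the same tunnel, or "unroutable".
    """
    trail: List[str] = []
    entered: set = set()
    for _ in range(max_hops):
        route = longest_match(table, dst)
        if route is None:
            return "unroutable", trail
        prefix, nexthop, iface, source = route
        trail.append(f"{dst} -> {source} {prefix} via {nexthop or 'connected'}, {iface}")
        if iface not in tunnels:
            return iface, trail          # physical interface: the packet leaves the box
        if iface in entered:
            return "recursive", trail    # the tunnel endpoint routes back into the tunnel
        entered.add(iface)
        dst = tunnels[iface]             # outer header: now look up the tunnel endpoint
    return "unroutable", trail


def without(table: List[Route], prefix: str) -> List[Route]:
    """Copy of table with every route for prefix removed."""
    return [r for r in table if r[0] != prefix]


if __name__ == "__main__":
    # Working state: the /32 host route wins over the /24 learned through the tunnel.
    print(resolve(R1_TABLE, R1_TUNNELS, "3.3.3.3"))
    # Host route gone: 193.1.1.3 now matches 193.1.1.0/24 via Tunnel0 -> recursive.
    broken = without(R1_TABLE, "193.1.1.3/32")
    print(resolve(broken, R1_TUNNELS, "3.3.3.3"))
    # Fix 1: static host route for the tunnel destination via the physical next hop.
    print(resolve(broken + [("193.1.1.3/32", "192.1.1.2", "Ethernet1/0", "S")], R1_TUNNELS, "3.3.3.3"))
    # Fix 2: do not learn the peer's transport subnet through the tunnel at all.
    print(resolve(without(broken, "193.1.1.0/24"), R1_TUNNELS, "3.3.3.3"))
    # Cisco's example and its fix, ip route 10.3.3.3 255.255.255.255 serial 0.
    print(resolve(DOC_TABLE, DOC_TUNNELS, "10.3.3.1"))
    print(resolve(DOC_TABLE + [("10.3.3.3/32", None, "Serial0", "S")], DOC_TUNNELS, "10.3.3.1"))
```

Running it prints the lookup trail for each scenario; the trail for the broken table is two lines long, the inner lookup that chose Tunnel0 and the outer lookup for 193.1.1.3 that chose Tunnel0 again, which is exactly the condition IOS refuses to forward.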

This article is reproduced from the 51CTO blog of q狼的誘惑, original link: http://blog.51cto.com/liangrui/506565; please contact the original author before republishing.
