After a beer or two and some time at the whiteboard I came up with a solution that used a series of VTIs and routing to control traffic flow. Everything looked plausible, so it was time to lab out a proof of concept. After fiddling with the routing a little I was able to ping loopback interfaces between routers A and C (R1 and R3 in the configs below) and verified complete traversal by checking the tunnel statistics and the IPsec packet encaps and decaps. Success!
Had a lot of fun doing this one; I had never had to work with nested tunnels before, so it was a great experience.
Here is how it looked on the whiteboard.
And now for the router configs.
-------------R1------------
Router(config)#do show run
Building configuration...
Current configuration : 1779 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
crypto isakmp key cisco address 10.10.50.2
!
!
crypto ipsec transform-set vpntransform esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile vti-profile
set transform-set vpntransform
!
!
!
!
!
interface Loopback0
ip address 192.168.4.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.50.1 255.255.255.252
tunnel source FastEthernet0/0
tunnel destination 10.10.50.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile vti-profile
!
interface Tunnel1
ip address 172.16.51.1 255.255.255.252
tunnel source Tunnel0
tunnel destination 172.16.50.2
!
interface Tunnel2
ip address 172.16.52.1 255.255.255.252
tunnel source Tunnel1
tunnel destination 10.10.60.2
!
interface FastEthernet0/0
ip address 10.10.50.1 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 10.10.60.0 255.255.255.252 Tunnel1
ip route 192.168.6.0 255.255.255.0 Tunnel2
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
line vty 0 4
exec-timeout 0 0
privilege level 15
logging synchronous
no login
line vty 5 15
exec-timeout 0 0
privilege level 15
logging synchronous
no login
!
!
end
-------------R2------------
Router(config)#do show run
Building configuration...
Current configuration : 1549 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
crypto isakmp key cisco address 10.10.50.1
!
!
crypto ipsec transform-set vpntransform esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile vti-profile
set transform-set vpntransform
!
!
!
!
!
interface Loopback0
ip address 192.168.5.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.50.2 255.255.255.252
tunnel source FastEthernet0/0
tunnel destination 10.10.50.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile vti-profile
!
interface Tunnel1
ip address 172.16.51.2 255.255.255.252
tunnel source Tunnel0
tunnel destination 172.16.50.1
!
interface FastEthernet0/0
ip address 10.10.50.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.10.60.1 255.255.255.252
duplex auto
speed auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
line vty 0 4
exec-timeout 0 0
privilege level 15
logging synchronous
no login
line vty 5 15
exec-timeout 0 0
privilege level 15
logging synchronous
no login
!
!
end
-------------R3------------
Router(config-if)#do show run
Building configuration...
Current configuration : 1177 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.6.1 255.255.255.0
!
interface Tunnel2
ip address 172.16.52.2 255.255.255.252
tunnel source FastEthernet0/1
tunnel destination 172.16.51.1
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.10.60.2 255.255.255.252
duplex auto
speed auto
!
ip forward-protocol nd
ip route 172.16.51.0 255.255.255.252 10.10.60.1
ip route 192.168.4.0 255.255.255.0 Tunnel2
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
line vty 0 4
exec-timeout 0 0
privilege level 15
logging synchronous
no login
line vty 5 15
exec-timeout 0 0
privilege level 15
logging synchronous
no login
!
!
end
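To show exactly what the traversal verified above looks like packet by packet, here is an added Python model of the lab (example code, not part of the original post and not IOS). The interface addresses, tunnel sources and destinations, and static routes are copied from the three show run outputs above; the names R1/R2/R3, the wire map between the FastEthernet interfaces and the forwarding logic itself are assumptions of the example. It resolves each tunnel's source interface recursively the way IOS does, pushes one header per tunnel, and walks a packet from 192.168.4.1 to 192.168.6.1 and back. Two things fall out that the configs alone do not make obvious: the encapsulation order on R1 (ESP outermost, then GRE over Tunnel0, then GRE for Tunnel2), and the fact that on the R2-R3 link the Tunnel2 traffic rides as plain GRE, since only Tunnel0 between R1 and R2 carries IPsec protection.

```python
import ipaddress
from typing import List, Tuple

Header = Tuple[str, str, str]  # (encapsulation, outer source IP, outer destination IP)

# Constructed model: addresses, tunnels and static routes come from the show run
# outputs; R1/R2/R3 names, the LINKS wire map and the forwarding code are assumptions.
# Tunnel entry = (source interface, tunnel destination, encapsulation pushed).
ROUTERS = {
    "R1": {
        "interfaces": {"Loopback0": "192.168.4.1/24", "FastEthernet0/0": "10.10.50.1/30",
                       "Tunnel0": "172.16.50.1/30", "Tunnel1": "172.16.51.1/30",
                       "Tunnel2": "172.16.52.1/30"},
        "tunnels": {"Tunnel0": ("FastEthernet0/0", "10.10.50.2", "ESP"),  # IPsec VTI
                    "Tunnel1": ("Tunnel0", "172.16.50.2", "GRE"),         # GRE over the VTI
                    "Tunnel2": ("Tunnel1", "10.10.60.2", "GRE")},         # GRE over Tunnel1
        "static": {"10.10.60.0/30": "Tunnel1", "192.168.6.0/24": "Tunnel2"},
    },
    "R2": {
        "interfaces": {"Loopback0": "192.168.5.1/24", "FastEthernet0/0": "10.10.50.2/30",
                       "FastEthernet0/1": "10.10.60.1/30", "Tunnel0": "172.16.50.2/30",
                       "Tunnel1": "172.16.51.2/30"},
        "tunnels": {"Tunnel0": ("FastEthernet0/0", "10.10.50.1", "ESP"),
                    "Tunnel1": ("Tunnel0", "172.16.50.1", "GRE")},
        "static": {},
    },
    "R3": {
        "interfaces": {"Loopback0": "192.168.6.1/24", "FastEthernet0/1": "10.10.60.2/30",
                       "Tunnel2": "172.16.52.2/30"},
        "tunnels": {"Tunnel2": ("FastEthernet0/1", "172.16.51.1", "GRE")},
        "static": {"172.16.51.0/30": "10.10.60.1", "192.168.4.0/24": "Tunnel2"},
    },
}
# Assumed physical wires: the router at the far end of each FastEthernet interface.
LINKS = {("R1", "FastEthernet0/0"): "R2", ("R2", "FastEthernet0/0"): "R1",
         ("R2", "FastEthernet0/1"): "R3", ("R3", "FastEthernet0/1"): "R2"}

def if_ip(router: str, ifname: str) -> str:
    return str(ipaddress.ip_interface(ROUTERS[router]["interfaces"][ifname]).ip)

def local_addresses(router: str) -> set:
    return {if_ip(router, i) for i in ROUTERS[router]["interfaces"]}

def route(router: str, dst: str) -> str:
    """Longest-prefix match over connected and static routes; a static route whose
    target is a next-hop IP is resolved recursively to an interface, as IOS does."""
    dst_ip = ipaddress.ip_address(dst)
    candidates = [(ipaddress.ip_interface(a).network, i)
                  for i, a in ROUTERS[router]["interfaces"].items()]
    candidates += [(ipaddress.ip_network(p), t) for p, t in ROUTERS[router]["static"].items()]
    matches = [(n.prefixlen, t) for n, t in candidates if dst_ip in n]
    if not matches:
        raise LookupError(f"{router}: no route to {dst}")
    target = max(matches)[1]
    return target if target in ROUTERS[router]["interfaces"] else route(router, target)

def egress(router: str, dst: str) -> Tuple[str, List[Header]]:
    """Follow tunnel source interfaces until a physical interface is reached and
    return it with the headers pushed, outermost first. A tunnel whose destination
    routes back through itself is the recursive-routing condition IOS flags."""
    headers: List[Header] = []
    seen = set()
    ifname = route(router, dst)
    while ifname in ROUTERS[router]["tunnels"]:
        if ifname in seen:
            raise RuntimeError(f"{router}: recursive routing through {ifname}")
        seen.add(ifname)
        src_if, tun_dst, proto = ROUTERS[router]["tunnels"][ifname]
        headers.insert(0, (proto, if_ip(router, src_if), tun_dst))
        ifname = route(router, tun_dst)  # where the encapsulated packet goes next
    return ifname, headers

def terminates(router: str, header: Header) -> bool:
    """True if a tunnel here decapsulates this outer header: the tunnel's source
    address must equal the header's destination and its configured destination
    the header's source (which is why R3's Tunnel2 points at 172.16.51.1)."""
    proto, src, dst = header
    return any(p == proto and if_ip(router, s) == dst and d == src
               for s, d, p in ROUTERS[router]["tunnels"].values())

def trace(router: str, src: str, dst: str) -> List[Tuple[str, str, List[Header]]]:
    """Forward one packet hop by hop; returns (router, egress interface, headers
    on the wire outermost first) for every link crossed until local delivery."""
    path = []
    stack: List[Header] = [("IP", src, dst)]
    while True:
        while len(stack) > 1 and terminates(router, stack[0]):
            stack.pop(0)                       # tunnel decapsulation
        if stack[0][2] in local_addresses(router):
            return path                        # delivered to a local interface
        ifname, pushed = egress(router, stack[0][2])
        stack = pushed + stack
        path.append((router, ifname, list(stack)))
        router = LINKS[(router, ifname)]

def encrypted_on_wire(headers: List[Header]) -> bool:
    return headers[0][0] == "ESP"

if __name__ == "__main__":
    for rtr, iface, hdrs in trace("R1", "192.168.4.1", "192.168.6.1"):
        print(rtr, iface, "encrypted" if encrypted_on_wire(hdrs) else "CLEARTEXT", hdrs)
```

Running it prints the R1 egress on FastEthernet0/0 as ESP/GRE/GRE/IP and the R2 egress on FastEthernet0/1 as GRE/IP in the clear, which is the hop to keep in mind if the R2-R3 link is ever anything other than a trusted lab wire. Swapping one of R1's static routes so a tunnel resolves through itself makes `egress` raise instead of looping, mirroring the recursive-routing shutdown IOS performs.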