Today in a lab I ran into an interesting topic: recursive routing. GRE over IPsec was configured, yet the tunnel interface kept flapping down:

*Mar 4 15:08:34.435: %OSPF-5-ADJCHG: Process 10, Nbr 4.4.4.4 on Tunnel0 from LOADING to FULL, Loading Done
*Mar 4 15:08:42.003: %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing
*Mar 4 15:08:43.003: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Mar 4 15:08:43.015: %OSPF-5-ADJCHG: Process 10, Nbr 4.4.4.4 on Tunnel0 from FULL to DOWN, Neighbor Down: Interface down or detached

I had done this lab before without hitting the problem and was stumped for a moment, but on a closer look "due to recursive routing" is the key phrase. Before getting into recursive routing, let's look at the topology diagram.
Requirements:
1. Use GRE over IPsec.
2. Every address must be able to ping every other address.
3. r2 must not run any routing protocol; it simply acts as the network cloud.

Simple enough, so let's start configuring.
r1 configuration:

interface Loopback0
 ip address 1.1.1.1 255.255.255.255
interface Loopback1
 ip address 2.2.2.2 255.255.255.255
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 keepalive 10 3
 tunnel source Ethernet1/0
 tunnel destination 193.1.1.3
router ospf 10
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 0
 network 2.2.2.2 0.0.0.0 area 0
 network 172.16.1.0 0.0.0.255 area 0
 network 192.1.1.0 0.0.0.255 area 0
crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 193.1.1.3
crypto ipsec transform-set rt3 esp-des esp-md5-hmac
 mode transport
crypto map mymap 10 ipsec-isakmp
 set peer 193.1.1.3
 set transform-set rt3
 match address rt3
ip access-list extended permiter
 permit esp host 193.1.1.3 host 192.1.1.1
 permit gre host 193.1.1.3 host 192.1.1.1
 permit udp host 193.1.1.3 host 192.1.1.1
 permit ip host 3.3.3.3 host 1.1.1.1
 permit ip host 3.3.3.3 host 2.2.2.2
 permit ip host 4.4.4.4 host 2.2.2.2
 permit ip host 4.4.4.4 host 1.1.1.1
 permit udp host 193.1.1.3 host 192.1.1.1 eq isakmp
ip access-list extended rt3
 permit gre host 192.1.1.1 host 193.1.1.3
ip route 0.0.0.0 0.0.0.0 192.1.1.2
r3 configuration:

crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 192.1.1.1
crypto ipsec transform-set rt1 esp-des esp-md5-hmac
 mode transport
crypto map mymap 10 ipsec-isakmp
 set peer 192.1.1.1
 set transform-set rt1
 match address rt1
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
interface Loopback1
 ip address 4.4.4.4 255.255.255.255
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 keepalive 10 3
 tunnel source Ethernet1/1
 tunnel destination 192.1.1.1
interface Ethernet1/1
 ip address 193.1.1.3 255.255.255.0
 ip access-group permiter in
router ospf 10
 log-adjacency-changes
 network 3.3.3.3 0.0.0.0 area 1
 network 4.4.4.4 0.0.0.0 area 1
 network 172.16.1.0 0.0.0.255 area 0
 network 193.1.1.0 0.0.0.255 area 1
ip access-list extended permiter
 permit esp host 192.1.1.1 host 193.1.1.3
 permit gre host 192.1.1.1 host 193.1.1.3
 permit udp host 192.1.1.1 host 193.1.1.3 eq isakmp
 permit ip host 1.1.1.1 host 3.3.3.3
 permit ip host 1.1.1.1 host 4.4.4.4
 permit ip host 2.2.2.2 host 4.4.4.4
 permit ip host 2.2.2.2 host 3.3.3.3
ip access-list extended rt1
 permit gre host 193.1.1.3 host 192.1.1.1
ip route 0.0.0.0 0.0.0.0 193.1.1.2
Well, it works: the pings succeed and the routes come up.

center#show ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.1.1.2 to network 0.0.0.0

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback1
     3.0.0.0/32 is subnetted, 1 subnets
O IA    3.3.3.3 [110/11112] via 172.16.1.2, 00:30:59, Tunnel0
     4.0.0.0/32 is subnetted, 1 subnets
O IA    4.4.4.4 [110/11112] via 172.16.1.2, 00:30:59, Tunnel0
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Tunnel0
     193.1.1.0/24 is variably subnetted, 2 subnets, 2 masks
O IA    193.1.1.0/24 [110/11121] via 172.16.1.2, 00:30:59, Tunnel0
S       193.1.1.3/32 [1/0] via 192.1.1.2
C    192.1.1.0/24 is directly connected, Ethernet1/0
S*   0.0.0.0/0 [1/0] via 192.1.1.2

But before long, trouble arrived:
*Mar 4 15:08:34.435: %OSPF-5-ADJCHG: Process 10, Nbr 4.4.4.4 on Tunnel0 from LOADING to FULL, Loading Done
*Mar 4 15:08:42.003: %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing
*Mar 4 15:08:43.003: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Mar 4 15:08:43.015: %OSPF-5-ADJCHG: Process 10, Nbr 4.4.4.4 on Tunnel0 from FULL to DOWN, Neighbor Down: Interface down or detached

Now the routing table will not even come up any more; only the directly connected routes remain.
Let's analyze the problem.

Suppose 1.1.1.1 sends traffic to 3.3.3.3. The traffic is first GRE-encapsulated and handed to the tunnel interface, because the route says

O IA    3.3.3.3 [110/11112] via 172.16.1.2, 00:30:59, Tunnel0

The encapsulated packet now carries an outer IP header addressed to the tunnel destination 193.1.1.3, and that packet should leave through e1/0. Because we configured only a default route, the problem appears: 193.1.1.0/24 is also learned by OSPF through Tunnel0 (the O IA entry in the table above) and is more specific than the default, so the lookup for the tunnel destination lands back on Tunnel0. The packet is encrypted, decrypted and re-encapsulated over and over but never gets out: the router knows the path yet never reaches the destination! No wonder they say a router is a dumb thing: it only sweeps the snow in front of its own door and ignores the frost on everyone else's roof. The cure is a more specific static route for the tunnel destination via the physical next hop (the S 193.1.1.3/32 entry shown in the table above):

On r1:
ip route 193.1.1.3 255.255.255.255 192.1.1.2

On r3:
ip route 192.1.1.1 255.255.255.255 193.1.1.2
Cisco's official documentation describes it like this:

Now, observe the routing table after the tunnel interface goes up, shown below.

R1# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 172.16.15.2 to network 0.0.0.0

     172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
D       172.16.25.0/24 [90/297756416] via 192.168.1.3, 00:00:00, Tunnel0
C       172.16.15.2/32 is directly connected, Serial0
C       172.16.15.0/24 is directly connected, Serial0
     10.0.0.0/24 is subnetted, 2 subnets
D       10.3.3.0 [90/297372416] via 192.168.1.3, 00:00:00, Tunnel0
C       10.1.1.0 is directly connected, Loopback0
C    192.168.1.0/24 is directly connected, Tunnel0
S*   0.0.0.0/0 [1/0] via 172.16.15.2

Now, if the router receives a packet destined for the 10.3.3.0 network, it routes the packet to Tunnel0, queues it, and GRE-encapsulates it. On R1:

interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 tunnel source Loopback0
 tunnel destination 10.3.3.3

The router then looks up the route to 10.3.3.3 and once again finds

D 10.3.3.0 [90/297372416] via 192.168.1.3, 00:00:00, Tunnel0

so the packet can never be routed out at all. That is the recursive routing error. The fix is:

R1(config)# ip route 10.3.3.3 255.255.255.255 serial 0
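To make the lookup concrete, here is an added Python model of the check the router performs (example code written for this post, not code from the original article or from Cisco): it resolves the tunnel destination by longest-prefix match, follows "via" next hops recursively the way IOS resolves a static route that names no interface, and flags the case where the result is the tunnel itself. The Route and RoutingTable classes are assumptions of the example, and the four tables are constructed from the two routing tables shown above: r1's table from this post, before and after the host route via the physical next hop, and R1's table from the Cisco document, before and after the host route pointing at Serial0.

```python
"""Model of the route lookup IOS performs for a GRE tunnel destination and the
check behind %TUN-5-RECURDOWN. Added example for this post, not code from the
original article or from Cisco; the Route/RoutingTable classes and the sample
tables below are constructed to mirror the routing tables shown in the post."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network               # destination prefix
    code: str                         # IOS route code (C, S, O IA, D ...), informational
    next_hop: Optional[IPv4Address]   # None for a directly connected route
    interface: Optional[str]          # outgoing interface, None if only a next hop is known


def route(prefix: str, code: str, via: Optional[str] = None,
          interface: Optional[str] = None) -> Route:
    """Build a Route from the strings one would read off 'show ip route'."""
    return Route(IPv4Network(prefix), code,
                 None if via is None else IPv4Address(via), interface)


class RoutingTable:
    def __init__(self, routes: List[Route]) -> None:
        self.routes = list(routes)

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match for dst (the tables here have no equal-length ties)."""
        addr = IPv4Address(dst)
        matches = [r for r in self.routes if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def egress(self, dst: str, max_depth: int = 8) -> Optional[str]:
        """Resolve dst to an outgoing interface. A route that names only a next hop
        ('via 192.1.1.2') is looked up again, as IOS does for such static routes."""
        target = dst
        for _ in range(max_depth):
            r = self.lookup(target)
            if r is None:
                return None                     # no route at all
            if r.interface is not None:
                return r.interface              # resolved to an interface
            target = str(r.next_hop)            # recurse on the next hop
        return None                             # gave up: unresolvable chain


def tunnel_check(table: RoutingTable, tunnel_if: str, tunnel_dst: str) -> str:
    """The test the router applies: the tunnel destination must not be reached
    through the tunnel itself. Returns the egress interface, 'recursive' or 'no route'."""
    out = table.egress(tunnel_dst)
    if out is None:
        return "no route"
    if out == tunnel_if:
        return "recursive"
    return out


# r1's table from the post while the tunnel is up: 193.1.1.0/24 is learned by
# OSPF through Tunnel0, so it beats the default route for the tunnel destination.
R1_BROKEN = RoutingTable([
    route("192.1.1.0/24", "C", interface="Ethernet1/0"),
    route("172.16.1.0/24", "C", interface="Tunnel0"),
    route("193.1.1.0/24", "O IA", via="172.16.1.2", interface="Tunnel0"),
    route("0.0.0.0/0", "S*", via="192.1.1.2"),
])
# The post's fix: a host route for the tunnel destination via the physical next hop.
R1_FIXED = RoutingTable(R1_BROKEN.routes + [route("193.1.1.3/32", "S", via="192.1.1.2")])

# The Cisco document's R1: tunnel destination 10.3.3.3 is learned by EIGRP over Tunnel0.
DOC_BROKEN = RoutingTable([
    route("172.16.25.0/24", "D", via="192.168.1.3", interface="Tunnel0"),
    route("172.16.15.2/32", "C", interface="Serial0"),
    route("172.16.15.0/24", "C", interface="Serial0"),
    route("10.3.3.0/24", "D", via="192.168.1.3", interface="Tunnel0"),
    route("10.1.1.0/24", "C", interface="Loopback0"),
    route("192.168.1.0/24", "C", interface="Tunnel0"),
    route("0.0.0.0/0", "S*", via="172.16.15.2"),
])
# The document's fix: ip route 10.3.3.3 255.255.255.255 serial 0
DOC_FIXED = RoutingTable(DOC_BROKEN.routes + [route("10.3.3.3/32", "S", interface="Serial0")])


if __name__ == "__main__":
    for name, table, dst in (("r1 before fix", R1_BROKEN, "193.1.1.3"),
                             ("r1 after fix", R1_FIXED, "193.1.1.3"),
                             ("Cisco doc before fix", DOC_BROKEN, "10.3.3.3"),
                             ("Cisco doc after fix", DOC_FIXED, "10.3.3.3")):
        print(f"{name}: tunnel destination {dst} -> {tunnel_check(table, 'Tunnel0', dst)}")
```

Running it reports "recursive" for both broken tables and the physical egress interface (Ethernet1/0 and Serial0) for both fixed ones. The model also shows why the fix must be a host route: any prefix for the tunnel endpoint that is shorter than the one the IGP advertises over the tunnel would lose the longest-prefix match and leave the loop in place.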
This article is reposted from q狼的诱惑's blog on 51CTO; original link: http://blog.51cto.com/liangrui/506565. To reprint it, please contact the original author.