Any known issue with VPN and MetroEthernet?

ggalteroo · ‎03-08-2007

Hello, guys. After updating from 12.2(37) -GD- on 7200 to a 12.3(22) only peers on Frame relay links are able to terminate IPSec tunnels to this 7200. The routers connected to the metroE cannot. If we go back and boot with the 12.2(37) the problem disappears. The configuration is the same. Any suggestions? We are authenticating using RSA and we have 2600s and 2800s as spokes.

Thanks in advance!

ggilbert · ‎03-12-2007

Hello,

Did you get this resolved?

If not, can you send me the exact code you tried to upgrade to and the code you are running

Eg: c7200.......

Thanks

Gilbert

ggalteroo · ‎03-12-2007

Hello

I didn't.

Here are the images and the results.

c2600-ik8s-mz.122-6.bin (spoke a -testing-)

c7200-ik8s-mz.122-37.bin (hub a)

This is what we had for some time and it worked fine.

c7200-ik9s-mz.123-22.bin

This is the upgrade we have installed after a crash and the one that causes the problem.

Last, we upgraded the testing spoke.

c2600-ik8s-mz.122-40.bin (spoke a)

c7200-ik9s-mz.123-22.bin (hub a)

With the last upgrade running, the following tests were made:

- DIfferent transforms-sets with many proposals.

- PFS grupo2 on and off.

- IKE with PSK.

I hope this helps and thanks a lot!

Guido

ggalteroo · ‎03-14-2007

Hello

I have new date that might help us all to figure this out.

- We tested MTU and though we verified 1500 bytes, we set it to a value of 1300 just to make sure. Extended ping confirmed the new setting.

- We changed to PSK instead of RSA-Sig.

- And here I have attached a partial output from a "debug crypto isakmp".

I hope this helps and thanks again!

Guido

Danilo Dy · ‎03-16-2007

The error is NOTIFY PROPOSAL_NOT_CHOSEN. This means that the transform sets or access list

do not match on the peers.

Check the configuration on both peers and verify that they match. Check the access list in either side and make sure that they are symmetric (or mirror of the other side)

ggalteroo · ‎03-16-2007

Medan

Thanks for your reply.

My mistake not to post the tests we've run and the items checked. One of the elements we first looked into was the ACL on both sides and they match (mirrored). The thing is, with the very same config, we boot with 12.3(xx) and the issue arises. With 12.2(xx) and without touching the configuration, the problem goes away.

This is what we tried so far with 12.3(22)

on the hub router.

- Different transforms-sets Des and 3des.

- Crypto ACLs ok.

- Upgrade spoke to 12.2(40).

- PFS grupo 2.

- Without PFS and IKE PSK.

- 1500 bytes MTU checked but set it to 1300 for testing porposes.

Note: Tens of other routers (same platforms and IOS release) terminate their tunnels over frame relay links without problem. 20 routers (over metro) out of 120 have this problem.

Thanks a lot!