GRE tunnel down, IPsec is up

Unanswered Question
Apr 20th, 2008
Hi. I have the following configuration: R1 (GRE/IPsec) --> PIX (IPsec) - R2 (GRE).

On my side there is only R1. I've attached the R1 configuration. IPsec is up but GRE is not. I cannot ping the loopback interfaces. Keepalive is fine, and when I debug the tunnel, it sends keepalives. Can anyone help me?



ardian.sinani Tue, 04/22/2008 - 07:49
sho cry ipse sa pee y.y.y.y

interface: FastEthernet0/0
    Crypto map tag: credins, local addr z.z.z.z

   protected vrf: (none)
   local ident (addr/mask/prot/port): (192.168.5.23/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.5.22/255.255.255.255/0/0)
   current_peer y.y.y.y port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 11009, #pkts encrypt: 11009, #pkts digest: 11009
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: z.z.z.z, remote crypto endpt.: y.y.y.y
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x33BC72B3(867988147)

     inbound esp sas:
      spi: 0xE53E1082(3846049922)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 93, flow_id: 93, crypto map: credins
        sa timing: remaining key lifetime (k/sec): (4598391/1770)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x33BC72B3(867988147)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 94, flow_id: 94, crypto map: credins
        sa timing: remaining key lifetime (k/sec): (4598369/1763)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Tunnel1
    Crypto map tag: credins, local addr 192.168.5.23

   protected vrf: (none)
   local ident (addr/mask/prot/port): (192.168.5.23/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.5.22/255.255.255.255/0/0)
   current_peer y.y.y.y port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.5.23, remote crypto endpt.: y.y.y.y
     path mtu 1476, ip mtu 1476, ip mtu idb Tunnel1
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:


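The counters in the output above carry the whole diagnosis: on FastEthernet0/0 the router has encapsulated 11009 packets toward y.y.y.y and decapsulated none, and the copy of the crypto map on Tunnel1 has never negotiated an SA (outbound SPI 0x0). The script below is an added example, not part of the original thread, that parses `show crypto ipsec sa` text into per-interface records, classifies each SA as bidirectional, one-way, idle or absent, and checks whether a peer's crypto ACL (the PIX line posted later in the thread) is the mirror image of the local/remote identities. The sample text is a trimmed copy of the poster's output; the counter values are theirs, the field names are standard IOS, and everything else (function and class names) is my own.

```python
"""Classify IPsec SAs from `show crypto ipsec sa` output.

Added example, not from the original thread. SAMPLE is a trimmed copy of
the output posted in the thread; the counters are the poster's values.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

SAMPLE = """\
interface: FastEthernet0/0
    Crypto map tag: credins, local addr z.z.z.z
   local ident (addr/mask/prot/port): (192.168.5.23/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.5.22/255.255.255.255/0/0)
   current_peer y.y.y.y port 500
    #pkts encaps: 11009, #pkts encrypt: 11009, #pkts digest: 11009
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 1, #recv errors 0
     current outbound spi: 0x33BC72B3(867988147)
interface: Tunnel1
    Crypto map tag: credins, local addr 192.168.5.23
   local ident (addr/mask/prot/port): (192.168.5.23/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.5.22/255.255.255.255/0/0)
   current_peer y.y.y.y port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)
"""


@dataclass
class SaEntry:
    """One 'interface:' block of the show output (hypothetical record type)."""
    interface: str
    local_ident: str = ""
    remote_ident: str = ""
    peer: str = ""
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    outbound_spi: int = 0


def parse_crypto_ipsec_sa(text: str) -> list[SaEntry]:
    """Split the output into SaEntry records, one per 'interface:' block."""
    entries: list[SaEntry] = []
    cur: Optional[SaEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface:\s+(\S+)", line):
            cur = SaEntry(interface=m.group(1))
            entries.append(cur)
        elif cur is None:
            continue  # ignore anything before the first interface block
        elif m := re.match(r"local ident.*:\s*\((\S+)\)", line):
            cur.local_ident = m.group(1)
        elif m := re.match(r"remote ident.*:\s*\((\S+)\)", line):
            cur.remote_ident = m.group(1)
        elif m := re.match(r"current_peer (\S+)", line):
            cur.peer = m.group(1)
        elif m := re.match(r"#pkts encaps: (\d+)", line):
            cur.encaps = int(m.group(1))
        elif m := re.match(r"#pkts decaps: (\d+)", line):
            cur.decaps = int(m.group(1))
        elif m := re.match(r"#send errors (\d+)", line):
            cur.send_errors = int(m.group(1))
        elif m := re.match(r"current outbound spi: (0x[0-9A-Fa-f]+)", line):
            cur.outbound_spi = int(m.group(1), 16)
    return entries


def diagnose(e: SaEntry) -> str:
    """Name the traffic state of one SA from its counters and SPI."""
    if e.outbound_spi == 0 and e.encaps == 0 and e.decaps == 0:
        return "no-sa"          # crypto map present, nothing ever negotiated
    if e.encaps > 0 and e.decaps == 0:
        return "one-way"        # we encrypt; nothing comes back from the peer
    if e.encaps == 0 and e.decaps > 0:
        return "one-way-inbound"
    if e.encaps == 0 and e.decaps == 0:
        return "idle"           # SA exists but no interesting traffic yet
    return "bidirectional"


def ident_host(ident: str) -> Optional[str]:
    """'a.b.c.d/255.255.255.255/0/0' -> 'a.b.c.d'; None if not a /32 host."""
    addr, mask, *_ = ident.split("/")
    return addr if mask == "255.255.255.255" else None


def peer_acl_mirrors(e: SaEntry, peer_acl_line: str) -> bool:
    """True if the peer's host-to-host crypto ACL mirrors our identities."""
    m = re.match(r"access-list \S+ permit ip host (\S+) host (\S+)", peer_acl_line)
    if not m:
        return False
    return (m.group(1), m.group(2)) == (ident_host(e.remote_ident), ident_host(e.local_ident))


if __name__ == "__main__":
    for entry in parse_crypto_ipsec_sa(SAMPLE):
        print(f"{entry.interface}: {diagnose(entry)} "
              f"(encaps={entry.encaps}, decaps={entry.decaps}, peer={entry.peer})")
```

Run against the posted output it reports FastEthernet0/0 as one-way and Tunnel1 as no-sa. A one-way SA with a mirrored peer ACL points away from the crypto ACLs and at the return path: either the far router never sends GRE toward 192.168.5.23, or the PIX never selects that traffic for encryption (routing or NAT on the far side), which is exactly the information the other replies ask the remote party for.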
ardian.sinani Tue, 04/22/2008 - 07:55
Unfortunately no. But they say that they have 35 clients and they've run the configurations properly. I've seen a lot of configurations with GRE/IPsec and all were like this one (which I've configured). I don't know what else to do. Let's say that now I'm a little confused. In fact I suspect their configuration. Maybe they missed something.

In all honesty, without the other half the problem will be difficult to solve. Here's the thing: the VPN is established, so 30% of the config is OK. The ACLs in the remote device (ASA) that indicate interesting traffic are needed, the crypto map/match list is required, and so is the no-NAT ACL. And of course, the tunnel/loopback and static routes related to this are needed from their router.


I am sure if you asked for a "sanitised" config, i.e. only the config that relates to this VPN/GRE tunnel from the ASA and router, they might have no objections.

ardian.sinani Tue, 04/22/2008 - 08:09
Unfortunately they can't give me the schema of the connection between their router and PIX. I have only some data on the GRE and IPsec parts of their configuration. Here it is:

Router:

interface Loopback17
 ip address 192.168.5.22 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow

interface Tunnel17
 ip unnumbered Loopback17
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 keepalive 10 3
 tunnel source Loopback17
 tunnel destination 192.168.5.23

I don't know anything about their internal routes.

Pix:

crypto ipsec transform-set zzzzzz esp-aes-256 esp-sha-hmac
crypto map transacty-map 46 ipsec-isakmp
crypto map transacty-map 46 match address zzzzz
crypto map transacty-map 46 set peer zzzzz
crypto map transacty-map 46 set transform-set zzzzzz
crypto map transacty-map 46 set security-association lifetime seconds 3600 kilobytes 4608000
access-list zzzzzz permit ip host 192.168.5.22 host 192.168.5.23
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400


Something else. Did you see my router configuration attached? Did I miss something? I don't know if I must add any routing.

The config is missing key information:


1) The no-nat ACL in the PIX

2) The static routes in the PIX: your tunnel IP should be pointing outside, so the PIX knows to encrypt it.

3) The static routes in the router: your tunnel IP should be pointing to the PIX.


And of course, if they could provide a vital piece of information, the "show crypto ipsec sa peer x.x.x.x" from the PIX, this would reveal a great deal.

ardian.sinani Tue, 04/22/2008 - 08:25
I have only the router on my side. The PIX and the other router terminating the GRE are on their property. At this moment they aren't available. On my router, should the IP address of their loopback for GRE be routed to my external gateway or to their external IP address, which is y.y.y.y?
