VPN LAN-LAN IPSEC & GRE TUNNEL

Feb 2nd, 2009

Dear Friends,


I am trying to set up a VPN LAN-to-LAN tunnel between our branch office and Head Office. First I will explain my existing setup: we have a 512k leased line between these offices, and this acts as the primary link with OSPF as the routing protocol. Now our management wants a backup for this 512k LL. So I planned to build a LAN-to-LAN GRE over IPsec tunnel through the Internet for backup. We have an Internet leased line in the Head Office and ADSL in our branch office, which comes through an Internet router and terminates on a Cisco PIX at both ends. We achieved Phase 1 ISAKMP, but Phase II IPsec is still down. When we check the PIX logs, we can see only encrypted traffic at one end's PIX and only decrypted traffic at the other end's PIX; it is not happening vice versa. Even OSPF is showing INIT at one end's router, and the other end is showing nothing. Please find attached the configuration and logs of this scenario. Kindly analyse this problem and give us feedback.


Thanks in advance


celiocarreto Tue, 02/03/2009 - 00:08

Hi,


You do not have a problem with Phase 2. It's something else.

It seems that packets from site B to site A are not encrypted (put in the tunnel). Do you have an access-list applied on the inside interface of PIX B?


Regards, Celio

parthibanp Tue, 02/03/2009 - 00:23

Hi,


Thanks a lot for your quick response.


No, we don't have any access-list applied on the inside interface of PIX B. Since this interface has security level 100, we did not put any access-list on it.


Do you want me to paste the PIX configs?


Thanks in advance


parthibanp Tue, 02/03/2009 - 03:04

Hi,


Please find the sh ipsec debug messages from the B-end PIX below:


IPSEC(key_engine_delete_sas): delete all SAs shared with 217.17.X.X
IPSEC(key_engine): got a queue event...
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 217.17.X.X
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 217.17.X.X
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 77.69.X.X, src= 217.17.X.X,
    dest_proxy= 10.10.13.9/255.255.255.255/0/0 (type=1),
    src_proxy= 10.10.13.1/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x8f461dcf(2403737039) for SA
    from 217.17.X.X to 77.69.X.X for prot 3
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
  (key eng. msg.) dest= 77.69.X.X, src= 217.17.X.X,
    dest_proxy= 10.10.13.9/0.0.0.0/0/0 (type=1),
    src_proxy= 10.10.13.1/0.0.0.0/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 28800s and 4608000kb,

IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 77.69.X.X, src= 217.17.X.X,
    dest_proxy= 10.10.13.9/255.255.255.255/0/0 (type=1),
    src_proxy= 10.10.13.1/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xbaab8d0a(3131804938) for SA
    from 217.17.X.X to 77.69.X.X for prot 3
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
  (key eng. msg.) dest= 77.69.X.X, src= 217.17.X.X,
    dest_proxy= 10.10.13.9/0.0.0.0/0/0 (type=1),
    src_proxy= 10.10.13.1/0.0.0.0/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 28800s and 4608000kb,
    spi= 0xbaab8d0a(3131804938), conn_id= 3, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
  (key eng. msg.) src= 77.69.X.X, dest= 217.17.X.X,
    src_proxy= 10.10.13.9/0.0.0.0/0/0 (type=1),
    dest_proxy= 10.10.13.1/0.0.0.0/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 28800s and 4608000kb,
    spi= 0xa87f66ad(2826921645), conn_id= 4, keysize= 0, flags= 0x4


Thanks for your time. Please check.
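Added example, not part of the thread: a small Python parser that reads the PIX "debug crypto ipsec" output pasted above and reports which Phase 2 SAs were actually installed, in which direction, and with which traffic selectors. It supports Celio's reading that Phase 2 is not the problem: the log shows an inbound SA (conn_id 3) and an outbound SA (conn_id 4) both installed, covering only host 10.10.13.1 to host 10.10.13.9. The embedded sample is a condensed copy of the posted lines (the poster masked the public addresses as X.X). It is assumed that the debug came from the PIX whose public address is 77.69.X.X, since the spi_response lines request SPIs for SAs terminating there; pass a different address as local_peer if that assumption is wrong.

```python
import re
from collections import defaultdict

# Constructed sample: a condensed copy of the debug lines the poster pasted
# from the B-end PIX (public addresses masked as X.X by the poster).
SAMPLE_DEBUG = """\
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 217.17.X.X
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 77.69.X.X, src= 217.17.X.X,
dest_proxy= 10.10.13.9/255.255.255.255/0/0 (type=1),
src_proxy= 10.10.13.1/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xbaab8d0a(3131804938) for SA
from 217.17.X.X to 77.69.X.X for prot 3
IPSEC(initialize_sas): ,
(key eng. msg.) dest= 77.69.X.X, src= 217.17.X.X,
dest_proxy= 10.10.13.9/0.0.0.0/0/0 (type=1),
src_proxy= 10.10.13.1/0.0.0.0/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 28800s and 4608000kb,
spi= 0xbaab8d0a(3131804938), conn_id= 3, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
(key eng. msg.) src= 77.69.X.X, dest= 217.17.X.X,
src_proxy= 10.10.13.9/0.0.0.0/0/0 (type=1),
dest_proxy= 10.10.13.1/0.0.0.0/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 28800s and 4608000kb,
spi= 0xa87f66ad(2826921645), conn_id= 4, keysize= 0, flags= 0x4
"""

# "key= value," pairs as the PIX key engine prints them
FIELD_RE = re.compile(r"(\w+)=\s*([^,]+?)\s*(?:,|$)")
EVENT_RE = re.compile(r"^IPSEC\((\w+)\)")
RECORD_EVENTS = {"initialize_sas", "validate_proposal_request"}


def parse_ipsec_debug(text):
    """Count IPSEC(...) events and collect the key=value records that follow
    initialize_sas / validate_proposal_request lines."""
    events = defaultdict(int)
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if m:
            kind = m.group(1)
            events[kind] += 1
            current = {"kind": kind} if kind in RECORD_EVENTS else None
            if current is not None:
                records.append(current)
            continue
        if current is not None:
            for key, value in FIELD_RE.findall(line):
                current[key] = value
    return dict(events), records


def installed_sas(records):
    """Return the ESP SAs that received a real SPI, keyed by (src, dest) peer.
    Proposal records carry spi= 0x0 and are negotiation only."""
    sas = {}
    for r in records:
        if r["kind"] != "initialize_sas":
            continue
        spi = r["spi"].split("(")[0]  # "0xbaab8d0a(3131804938)" -> "0xbaab8d0a"
        if int(spi, 16) == 0:
            continue
        sas[(r["src"], r["dest"])] = {
            "spi": spi,
            "conn_id": int(r["conn_id"]),
            "transform": r["transform"],
            "lifetime": r["lifedur"],
            # selector hosts: first field of "10.10.13.9/0.0.0.0/0/0"
            "selector": (r["src_proxy"].split("/")[0], r["dest_proxy"].split("/")[0]),
        }
    return sas


def diagnose(text, local_peer):
    """Report whether both Phase 2 directions are installed on the PIX whose
    public address is local_peer, and what traffic the outbound SA will carry."""
    events, records = parse_ipsec_debug(text)
    sas = installed_sas(records)
    inbound = [sa for (src, dst), sa in sas.items() if dst == local_peer]
    outbound = [sa for (src, dst), sa in sas.items() if src == local_peer]
    report = {
        "delete_events": events.get("key_engine_delete_sas", 0),
        "phase2_complete": bool(inbound and outbound),
        "findings": [],
    }
    if report["phase2_complete"]:
        report["findings"].append(
            "Phase 2 is up: inbound and outbound ESP SAs are installed, so a "
            "one-way encrypt/decrypt count points at traffic selection on the "
            "sending side (routing, crypto ACL, interface ACLs), not at IKE.")
        for sa in outbound:
            report["findings"].append(
                "Outbound SA carries only packets from host {} to host {}; "
                "anything else never enters the tunnel.".format(*sa["selector"]))
    else:
        missing = [n for n, v in (("inbound", inbound), ("outbound", outbound)) if not v]
        report["findings"].append("Phase 2 incomplete: no {} SA installed.".format(" or ".join(missing)))
    if report["delete_events"]:
        report["findings"].append(
            "{} SA delete events seen; repeated deletes mean the peers keep "
            "tearing the SAs down and renegotiating.".format(report["delete_events"]))
    return report


if __name__ == "__main__":
    for line in diagnose(SAMPLE_DEBUG, "77.69.X.X")["findings"]:
        print("-", line)
```

The practical use is to run the parser over a longer debug capture than the one pasted here: if both directions keep showing up with non-zero SPIs and matching selectors, the negotiation is healthy and the missing "encrypt" counter on one side has to be explained by what that side's crypto map never sees, such as GRE packets that are not sourced from and destined to exactly the two selector hosts.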

parthibanp Tue, 02/03/2009 - 07:28

Hi,


Please check what's wrong in our configs and kindly get back.


Thanks
