IPSEC between 2821 physical interface and 1812 subint dot1Q and in a vrf

Unanswered Question
Mar 11th, 2009

Can this be done? I wasn't sure if it's possible to encrypt on a sub-interface that then adds a dot1Q header. We are running VRF lite on our CEs connected to an MPLS core. Only one VRF on the trunk needs encryption. Many thanks

Ivan Martinon Wed, 03/11/2009 - 09:28

If I am not wrong, this should work as long as this subinterface has an IP address that the remote can get to; as long as this is reachable, pingable and routeable in your environment, there should not be a problem.

websterc Wed, 03/11/2009 - 09:50

Thanks, I have added some config / output.

Terminating router, just in one MPLS VRF:

crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key XXXXXX address 10.81.3.146
!
!
crypto ipsec transform-set GCSX esp-3des esp-md5-hmac
!
crypto map GCSX-vpn 1 ipsec-isakmp
 set peer 10.81.3.146
 set transform-set GCSX
 match address GCSX
!

ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

ping 10.81.3.146
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.81.3.146, timeout is 2 seconds:
!!!!!

ping 1.1.1.1 source loopback0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
.....
Success rate is 0 percent (0/5)

EAG-GB-MA-GCSX-2821-1#sho crypto session
Crypto session current status

Interface: GigabitEthernet0/0
Session status: DOWN-NEGOTIATING
Peer: 10.81.3.146 port 500
  IKE SA: local 10.81.3.150/500 remote 10.81.3.146/500 Inactive
  IPSEC FLOW: permit ip host 2.2.2.2 host 1.1.1.1
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit 1 host 2.2.2.2 host 1.1.1.1
        Active SAs: 0, origin: crypto map

===================================================================

Remote end:

ip vrf GCSX
 rd XXX:1
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key XXXXX address 10.81.3.150
!
!
crypto ipsec transform-set GCSX esp-3des esp-md5-hmac
!
crypto map GCSX-vpn 1 ipsec-isakmp
 set peer 10.81.3.150
 set transform-set GCSX
 match address GCSX
!
interface FastEthernet0.450
 encapsulation dot1Q 450
 ip vrf forwarding GCSX
 ip address 10.81.3.146 255.255.255.252
 crypto map GCSX-vpn
!

ping vrf GCSX 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
!

sho crypto sess
Crypto session current status

Interface: FastEthernet0.450
Session status: DOWN-NEGOTIATING
Peer: 10.81.3.150 port 500
  IKE SA: local 10.81.3.146/500 remote 10.81.3.150/500 Inactive
  IPSEC FLOW: permit ip host 1.1.1.1 host 2.2.2.2
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit 1 host 1.1.1.1 host 2.2.2.2
        Active SAs: 0, origin: crypto map
!

ping vrf GCSX 2.2.2.2 source loopback10 fails.

Loopback 10 is in VRF GCSX, IP 1.1.1.1.

Ivan Martinon Wed, 03/11/2009 - 09:52

Please get the output of:

show crypto isakmp sa
show crypto ipsec sa
debug crypto isakmp

Try to ping again with a source ping and get those.

websterc Thu, 03/12/2009 - 02:14

Hi, thanks for looking at this. Here is the output. Once the session has been torn down, on re-establishment we get the following error:

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.81.3.146.....

sho crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.81.3.146     10.81.3.150     MM_NO_STATE          0    0 ACTIVE

IPv6 Crypto ISAKMP SA

#sho crypto ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: GCSX-vpn, local addr 10.81.3.150

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   current_peer 10.81.3.146 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 8, #recv errors 0

     local crypto endpt.: 10.81.3.150, remote crypto endpt.: 10.81.3.146
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/1/0)
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/1/0)
   current_peer 10.81.3.146 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 50, #recv errors 0

     local crypto endpt.: 10.81.3.150, remote crypto endpt.: 10.81.3.146
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Ivan Martinon Thu, 03/12/2009 - 20:31

I see the message, yet that is just a message displayed in the log. Can you get the actual debug I asked you for? As far as this log goes, it seems the identification exchange fails.

websterc Fri, 03/13/2009 - 02:02

Hi, I added the debug as an attachment, not sure where it went though!! I'll paste it in in chunks.

*Mar 12 08:52:18.321: ISAKMP:(0): SA request profile is (NULL)
*Mar 12 08:52:18.321: ISAKMP: Created a peer struct for 10.81.3.146, peer port 500
*Mar 12 08:52:18.321: ISAKMP: New peer created peer = 0x4760B8C0 peer_handle = 0x8000000E
*Mar 12 08:52:18.321: ISAKMP: Locking peer struct 0x4760B8C0, refcount 1 for isakmp_initiator
*Mar 12 08:52:18.325: ISAKMP: local port 500, remote port 500
*Mar 12 08:52:18.325: ISAKMP: set new node 0 to QM_IDLE
*Mar 12 08:52:18.325: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 47A36AFC
*Mar 12 08:52:18.325: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar 12 08:52:18.325: ISAKMP:(0):found peer pre-shared key matching 10.81.3.146
*Mar 12 08:52:18.325: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Mar 12 08:52:18.325: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar 12 08:52:18.325: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar 12 08:52:18.325: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Mar 12 08:52:18.325: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 12 08:52:18.325: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

websterc Fri, 03/13/2009 - 02:03

*Mar 12 08:52:18.325: ISAKMP:(0): beginning Main Mode exchange
*Mar 12 08:52:18.325: ISAKMP:(0): sending packet to 10.81.3.146 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 12 08:52:18.325: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 12 08:52:18.329: ISAKMP (0:0): received packet from 10.81.3.146 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 12 08:52:18.329: ISAKMP:(0):Notify has no hash. Rejected.
*Mar 12 08:52:18.329: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
*Mar 12 08:52:18.329: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 12 08:52:18.329: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1
*Mar 12 08:52:18.329: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.81.3.146.....

Success rate is 0 percent (0/5)

websterc Fri, 03/13/2009 - 02:03

*Mar 12 08:52:28.325: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 12 08:52:28.325: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 12 08:52:28.325: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 12 08:52:28.325: ISAKMP:(0): sending packet to 10.81.3.146 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 12 08:52:28.325: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 12 08:52:38.325: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 12 08:52:38.325: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar 12 08:52:38.325: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 12 08:52:38.325: ISAKMP:(0): sending packet to 10.81.3.146 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 12 08:52:38.325: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 12 08:52:48.321: ISAKMP: set new node 0 to QM_IDLE
*Mar 12 08:52:48.321: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.81.3.150, remote 10.81.3.146)
*Mar 12 08:52:48.321: ISAKMP: Error while processing SA request: Failed to initialize SA
*Mar 12 08:52:48.321: ISAKMP: Error while processing KMI message 0, error 2.
*Mar 12 08:52:48.325: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 12 08:52:48.325: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Mar 12 08:52:48.325: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 12 08:52:48.325: ISAKMP:(0): sending packet to 10.81.3.146 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 12 08:52:48.325: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 12 08:52:51.669: ISAKMP:(0):purging node 521064155
*Mar 12 08:52:51.669: ISAKMP:(0):purging node -802388080
*Mar 12 08:52:58.325: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 12 08:52:58.325: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Mar 12 08:52:58.325: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 12 08:52:58.325: ISAKMP:(0): sending packet to 10.81.3.146 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 12 08:52:58.325: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 12 08:53:01.669: ISAKMP:(0):purging SA., sa=469FFD7C, delme=469FFD7C
*Mar 12 08:53:08.325: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 12 08:53:08.325: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar 12 08:53:08.325: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 12 08:53:08.325: ISAKMP:(0): sending packet to 10.81.3.146 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 12 08:53:08.325: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 12 08:53:18.325: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 12 08:53:18.325: ISAKMP:(0):peer does not do paranoid keepalives.
*Mar 12 08:53:18.325: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.81.3.146)
*Mar 12 08:53:18.325: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.81.3.146)
*Mar 12 08:53:18.325: ISAKMP: Unlocking peer struct 0x4760B8C0 for isadb_mark_sa_deleted(), count 0
*Mar 12 08:53:18.325: ISAKMP: Deleting peer node by peer_reap for 10.81.3.146: 4760B8C0
*Mar 12 08:53:18.325: ISAKMP:(0):deleting node -989294726 error FALSE reason "IKE deleted"
*Mar 12 08:53:18.325: ISAKMP:(0):deleting node 1109265098 error FALSE reason "IKE deleted"
*Mar 12 08:53:18.325: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 12 08:53:18.325: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA

Ivan Martinon Fri, 03/13/2009 - 08:25

Yep, something's missing in the phase 1 setup on the remote end somehow:

*Mar 12 08:52:18.329: ISAKMP (0:0): received packet from 10.81.3.146 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 12 08:52:18.329: ISAKMP:(0):Notify has no hash. Rejected

Can you post both complete configs?
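The debug chunks above are read the way Ivan reads them: the initiator moves to IKE_I_MM1, the peer answers the first main-mode packet with an informational notify that carries no HASH payload (which the initiator must discard, since nothing is authenticated yet), and the SA then dies after five phase 1 retransmissions. The following script is an added example, not part of the thread and not Cisco tooling; it condenses those posted `debug crypto isakmp` lines into a constructed sample, tracks the main-mode state transitions, and reports how far phase 1 got and why it was torn down. It assumes only the message formats visible in the thread.

```python
import re

# Constructed sample input: a condensed copy of the initiator-side
# "debug crypto isakmp" lines posted in the thread above (timestamps,
# states and peer address as posted; repeated "sending packet" lines omitted).
SAMPLE_DEBUG = """\
*Mar 12 08:52:18.325: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 12 08:52:18.325: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Mar 12 08:52:18.325: ISAKMP:(0): sending packet to 10.81.3.146 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 12 08:52:18.329: ISAKMP (0:0): received packet from 10.81.3.146 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 12 08:52:18.329: ISAKMP:(0):Notify has no hash. Rejected.
*Mar 12 08:52:18.329: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1
*Mar 12 08:52:18.329: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.81.3.146.....
*Mar 12 08:52:28.325: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 12 08:52:38.325: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar 12 08:52:48.325: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Mar 12 08:52:58.325: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Mar 12 08:53:08.325: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar 12 08:53:18.325: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.81.3.146)
*Mar 12 08:53:18.325: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
"""

# IKEv1 main-mode states an IOS initiator walks through, in order; the list
# index is used as a progress rank (IKE_DEST_SA is teardown, not progress).
MM_ORDER = ["IKE_READY", "IKE_I_MM1", "IKE_I_MM2", "IKE_I_MM3",
            "IKE_I_MM4", "IKE_I_MM5", "IKE_I_MM6", "IKE_P1_COMPLETE"]

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
RETRANS_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
NOHASH_RE = re.compile(r"Notify has no hash\. Rejected")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)"')
PEER_RE = re.compile(r"received packet from (\d{1,3}(?:\.\d{1,3}){3})")


def analyze_isakmp_debug(text):
    """Summarise one IKEv1 main-mode attempt from 'debug crypto isakmp' output."""
    transitions = []
    retransmits = 0
    nohash = 0
    delete_reason = None
    peer = None
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            transitions.append((m.group(1), m.group(2)))
        m = RETRANS_RE.search(line)
        if m:
            retransmits = max(retransmits, int(m.group(1)))
        if NOHASH_RE.search(line):
            nohash += 1
        m = DELETE_RE.search(line)
        if m and delete_reason is None:
            delete_reason = m.group(1)  # keep the first teardown reason
        m = PEER_RE.search(line)
        if m and peer is None:
            peer = m.group(1)

    # Furthest main-mode state seen in any transition, ranked by MM_ORDER.
    reached = [s for old, new in transitions for s in (old, new) if s in MM_ORDER]
    furthest = max(reached, key=MM_ORDER.index) if reached else None
    completed = furthest == "IKE_P1_COMPLETE"

    if completed:
        diagnosis = "phase 1 completed"
    elif furthest == "IKE_I_MM1":
        diagnosis = ("phase 1 stalled at MM1: the peer never answered the first "
                     "main-mode packet with a usable MM2")
        if nohash:
            diagnosis += ("; it replied with an unauthenticated informational notify, "
                          "which the initiator discards, so the rejection reason is "
                          "only visible in the responder's own ISAKMP debug")
    elif furthest:
        diagnosis = f"phase 1 stalled after {furthest}"
    else:
        diagnosis = "no main-mode state transitions found"

    return {
        "peer": peer,
        "transitions": transitions,
        "furthest_state": furthest,
        "phase1_completed": completed,
        "retransmit_attempts": retransmits,
        "unhashed_notify_rejected": nohash,
        "delete_reason": delete_reason,
        "diagnosis": diagnosis,
    }


if __name__ == "__main__":
    for key, value in analyze_isakmp_debug(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

Running it on the sample reports the peer 10.81.3.146, a furthest state of IKE_I_MM1, five retransmit attempts, one rejected unhashed notify and the "Death by retransmission P1" teardown. The same function applied to a healthy capture (one that reaches IKE_P1_COMPLETE) reports phase 1 as completed, which is what makes it usable as a quick check before reading through a full debug by hand.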
