03-11-2009 07:57 AM - edited 02-21-2020 04:10 PM
Can this be done? I wasn't sure if it's possible to encrypt on a sub-interface that then adds a dot1Q header. We are running VRF lite on our CEs connected to an MPLS core. Only one VRF on the trunk needs encryption. Many thanks.
03-11-2009 09:28 AM
If I am not wrong, this should work as long as this subinterface has an IP address that the remote can get to. As long as this is reachable, pingable and routable in your environment, there should not be a problem.
03-11-2009 09:50 AM
Thanks, I have added some config / output.
Terminating router, just in one MPLS VRF:
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key XXXXXX address 10.81.3.146
!
!
crypto ipsec transform-set GCSX esp-3des esp-md5-hmac
!
crypto map GCSX-vpn 1 ipsec-isakmp
set peer 10.81.3.146
set transform-set GCSX
match address GCSX
!
ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
ping 10.81.3.146
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.81.3.146, timeout is 2 seconds:
!!!!!
ping 1.1.1.1 source loopback0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
.....
Success rate is 0 percent (0/5)
EAG-GB-MA-GCSX-2821-1#sho crypto session
Crypto session current status
Interface: GigabitEthernet0/0
Session status: DOWN-NEGOTIATING
Peer: 10.81.3.146 port 500
IKE SA: local 10.81.3.150/500 remote 10.81.3.146/500 Inactive
IPSEC FLOW: permit ip host 2.2.2.2 host 1.1.1.1
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit 1 host 2.2.2.2 host 1.1.1.1
Active SAs: 0, origin: crypto map
===================================================================
remote end
ip vrf GCSX
rd XXX:1
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key XXXXX address 10.81.3.150
!
!
crypto ipsec transform-set GCSX esp-3des esp-md5-hmac
!
crypto map GCSX-vpn 1 ipsec-isakmp
set peer 10.81.3.150
set transform-set GCSX
match address GCSX
!
interface FastEthernet0.450
encapsulation dot1Q 450
ip vrf forwarding GCSX
ip address 10.81.3.146 255.255.255.252
crypto map GCSX-vpn
!
ping vrf GCSX 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
!
sho crypto sess
Crypto session current status
Interface: FastEthernet0.450
Session status: DOWN-NEGOTIATING
Peer: 10.81.3.150 port 500
IKE SA: local 10.81.3.146/500 remote 10.81.3.150/500 Inactive
IPSEC FLOW: permit ip host 1.1.1.1 host 2.2.2.2
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit 1 host 1.1.1.1 host 2.2.2.2
Active SAs: 0, origin: crypto map
!
ping vrf GCSX 2.2.2.2 source loopback10 fails.
Loopback 10 is in VRF GCSX, IP 1.1.1.1.
03-11-2009 09:52 AM
Please get the output of:
show crypto isakmp sa
show crypto ipsec sa
debug crypto isakmp
Try to ping again with a source ping and get those.
03-12-2009 02:14 AM
Hi, thanks for looking at this. Here is the output. Once the session has been torn down, on re-establishment we get the following error:
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.81.3.146.....
sho crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
10.81.3.146 10.81.3.150 MM_NO_STATE 0 0 ACTIVE
IPv6 Crypto ISAKMP SA
#sho crypto ipsec sa
interface: GigabitEthernet0/0
Crypto map tag: GCSX-vpn, local addr 10.81.3.150
protected vrf: (none)
local ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
current_peer 10.81.3.146 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 8, #recv errors 0
local crypto endpt.: 10.81.3.150, remote crypto endpt.: 10.81.3.146
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/1/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/1/0)
current_peer 10.81.3.146 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 50, #recv errors 0
local crypto endpt.: 10.81.3.150, remote crypto endpt.: 10.81.3.146
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
03-12-2009 08:31 PM
I see the message, yet that is just a message displayed in the log. Can you get the actual debug I asked you for? As far as this log goes, it seems the identification exchange fails.
03-13-2009 02:02 AM
Hi, I added the debug as an attachment, not sure where it went though!! I'll paste it in in chunks.
*Mar 12 08:52:18.321: ISAKMP:(0): SA request profile is (NULL)
*Mar 12 08:52:18.321: ISAKMP: Created a peer struct for 10.81.3.146, peer port 500
*Mar 12 08:52:18.321: ISAKMP: New peer created peer = 0x4760B8C0 peer_handle = 0x8000000E
*Mar 12 08:52:18.321: ISAKMP: Locking peer struct 0x4760B8C0, refcount 1 for isakmp_initiator
*Mar 12 08:52:18.325: ISAKMP: local port 500, remote port 500
*Mar 12 08:52:18.325: ISAKMP: set new node 0 to QM_IDLE
*Mar 12 08:52:18.325: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 47A36AFC
*Mar 12 08:52:18.325: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar 12 08:52:18.325: ISAKMP:(0):found peer pre-shared key matching 10.81.3.146
*Mar 12 08:52:18.325: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Mar 12 08:52:18.325: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar 12 08:52:18.325: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar 12 08:52:18.325: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Mar 12 08:52:18.325: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 12 08:52:18.325: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
03-13-2009 02:03 AM
*Mar 12 08:52:18.325: ISAKMP:(0): beginning Main Mode exchange
*Mar 12 08:52:18.325: ISAKMP:(0): sending packet to 10.81.3.146 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 12 08:52:18.325: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 12 08:52:18.329: ISAKMP (0:0): received packet from 10.81.3.146 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 12 08:52:18.329: ISAKMP:(0):Notify has no hash. Rejected.
*Mar 12 08:52:18.329: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
*Mar 12 08:52:18.329: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 12 08:52:18.329: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1
*Mar 12 08:52:18.329: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.81.3.146.....
Success rate is 0 percent (0/5)
03-13-2009 02:03 AM
*Mar 12 08:52:28.325: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 12 08:52:28.325: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 12 08:52:28.325: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 12 08:52:28.325: ISAKMP:(0): sending packet to 10.81.3.146 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 12 08:52:28.325: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 12 08:52:38.325: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 12 08:52:38.325: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar 12 08:52:38.325: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 12 08:52:38.325: ISAKMP:(0): sending packet to 10.81.3.146 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 12 08:52:38.325: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 12 08:52:48.321: ISAKMP: set new node 0 to QM_IDLE
*Mar 12 08:52:48.321: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.81.3.150, remote 10.81.3.146)
*Mar 12 08:52:48.321: ISAKMP: Error while processing SA request: Failed to initialize SA
*Mar 12 08:52:48.321: ISAKMP: Error while processing KMI message 0, error 2.
*Mar 12 08:52:48.325: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 12 08:52:48.325: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Mar 12 08:52:48.325: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 12 08:52:48.325: ISAKMP:(0): sending packet to 10.81.3.146 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 12 08:52:48.325: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 12 08:52:51.669: ISAKMP:(0):purging node 521064155
*Mar 12 08:52:51.669: ISAKMP:(0):purging node -802388080
*Mar 12 08:52:58.325: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 12 08:52:58.325: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Mar 12 08:52:58.325: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 12 08:52:58.325: ISAKMP:(0): sending packet to 10.81.3.146 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 12 08:52:58.325: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 12 08:53:01.669: ISAKMP:(0):purging SA., sa=469FFD7C, delme=469FFD7C
*Mar 12 08:53:08.325: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 12 08:53:08.325: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar 12 08:53:08.325: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 12 08:53:08.325: ISAKMP:(0): sending packet to 10.81.3.146 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 12 08:53:08.325: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 12 08:53:18.325: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 12 08:53:18.325: ISAKMP:(0):peer does not do paranoid keepalives.
*Mar 12 08:53:18.325: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.81.3.146)
*Mar 12 08:53:18.325: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.81.3.146)
*Mar 12 08:53:18.325: ISAKMP: Unlocking peer struct 0x4760B8C0 for isadb_mark_sa_deleted(), count 0
*Mar 12 08:53:18.325: ISAKMP: Deleting peer node by peer_reap for 10.81.3.146: 4760B8C0
*Mar 12 08:53:18.325: ISAKMP:(0):deleting node -989294726 error FALSE reason "IKE deleted"
*Mar 12 08:53:18.325: ISAKMP:(0):deleting node 1109265098 error FALSE reason "IKE deleted"
*Mar 12 08:53:18.325: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 12 08:53:18.325: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
03-13-2009 08:25 AM
Yep, something's missing on the phase 1 setup on the remote end somehow:
*Mar 12 08:52:18.329: ISAKMP (0:0): received packet from 10.81.3.146 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 12 08:52:18.329: ISAKMP:(0):Notify has no hash. Rejected
Can you post both complete configs?
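Added example, not from the thread: a small Python triage script run over a constructed excerpt modelled on the `debug crypto isakmp` output above. It pulls out the IKE state transitions, the retransmit counter, the rejected unhashed Notify and the final SA delete reason, so the point where phase 1 stalls is visible without reading every line; the regexes and verdict strings are my own assumptions about the debug format.

```python
import re

# Constructed excerpt modelled on the thread's debug output (not the full capture).
SAMPLE_DEBUG = """\
*Mar 12 08:52:18.325: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Mar 12 08:52:18.325: ISAKMP:(0): sending packet to 10.81.3.146 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 12 08:52:18.329: ISAKMP:(0):Notify has no hash. Rejected.
*Mar 12 08:52:18.329: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1
*Mar 12 08:52:28.325: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 12 08:52:38.325: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar 12 08:53:18.325: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.81.3.146)
*Mar 12 08:53:18.325: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
"""

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
RETRANS_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)" .*\(peer ([\d.]+)\)')
# States that mean main mode never got past the first initiator message.
EARLY_STATES = {"IKE_READY", "IKE_I_MM1", "IKE_DEST_SA"}

def triage_isakmp(debug_text):
    """Summarise a phase 1 debug: states reached, retransmits, rejected notifies, delete reason."""
    s = {"states": [], "retransmits": 0, "max_retransmits": 0,
         "rejected_notify": 0, "delete_reason": None, "peer": None, "verdict": None}
    for line in debug_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            for st in m.groups():
                if st not in s["states"]:
                    s["states"].append(st)
        m = RETRANS_RE.search(line)
        if m:  # keep the highest attempt number seen
            s["retransmits"] = max(s["retransmits"], int(m.group(1)))
            s["max_retransmits"] = int(m.group(2))
        if "Notify has no hash. Rejected" in line:
            s["rejected_notify"] += 1
        m = DELETE_RE.search(line)
        if m:
            s["delete_reason"], s["peer"] = m.group(1), m.group(2)
    stalled = bool(s["states"]) and set(s["states"]) <= EARLY_STATES
    if stalled and s["rejected_notify"]:
        s["verdict"] = "phase 1 stalled at IKE_I_MM1: peer answered MM1 with an unhashed Notify that was rejected"
    elif s["delete_reason"]:
        s["verdict"] = "phase 1 failed: " + s["delete_reason"]
    else:
        s["verdict"] = "no phase 1 failure detected"
    return s

if __name__ == "__main__":
    for k, v in triage_isakmp(SAMPLE_DEBUG).items():
        print(f"{k}: {v}")
```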
03-16-2009 05:51 AM