My IPSEC tunnel failed to go up

chris.lau
Level 1

Hello,

I have 2 routers, R1 (head end) and R2 (remote) connected via the public cloud.

The config is as specified in the document attached.

The link latency is about 1500ms. However, I have the following issue.

My issue is R1 and R2 fail to ping each other.

When R2 sends traffic via the tunnel, it can be seen by my firewall at the headend site. However, the return traffic back to R2 has also been seen by my firewall.

I enabled IP accounting on the tunnel interface on the R1 router; it showed that the traffic is being put into the tunnel.

However, I also enabled IP accounting on the R2 router, but I did not see any output traffic.

It seems to me that the traffic sent to the tunnel went missing in the cloud.

From the firewall, I noticed that the return traffic sent by the R1 router is GRE traffic instead of ESP...

Can I know why? I can't ping the tunnel ip and also the ipsec peer IP.

Can I know why?

1 Reply

Richard Burts
Hall of Fame

It would seem that the first and most important problem is whether you can ping the peer address. You need to fix that first. After that there are some configuration issues to address. I have looked and note these issues which should be fixed:

- Both routers use exactly the same address in the crypto isakmp key statement:

crypto isakmp key QuU2d

They cannot both point to 144.199.1.6 (which seems to be the outbound interface on R2).

- In their crypto map they both set exactly the same address as the address of the peer:

set peer 144.199.1.6

That cannot be correct.

- On R1 the tunnel source is loopback0, but you do not show the configuration of that interface. The crypto access list on R1 shows two source addresses, 144.199.1.1 and 144.199.4.1. One of them is not valid, but we cannot tell which. The crypto access list on R2 implies that the valid address is probably 144.199.1.1.

- But the R1 tunnel configuration specifies 144.199.1.1 as the tunnel destination.

- The crypto access list on R1 has multiple statements, while the crypto access list on R2 has only a single line. The crypto access lists should be inverse mirrors of each other, and mismatches in access list construction will frequently produce errors in the operation of the VPN.

- Both routers put the crypto map on both the tunnel interface and on a physical interface. Unless you are running pretty old code, the crypto map should be on only the outbound physical interface.

Correct these issues and the VPN may work. If it does not work then post updated/corrected configs and we will look for additional issues.

HTH

Rick

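The mismatches Rick lists (both sides keying and peering on the same address, crypto ACLs that are not mirror images, the crypto map applied on the tunnel interface, a tunnel destination that does not match the peer) are all things that can be caught by reading the two configs side by side before bringing the tunnel up. The script below is an added example, not code from the thread or from Cisco: it parses a simplified IOS-style config for the handful of statements that matter here and reports every mismatch between the two ends. The sample configs are constructed with `build_config`; the addresses 144.199.1.1 and 144.199.1.6 come from the thread, but the assignment of 144.199.1.1 to R1's GigabitEthernet0/0, the interface names and the `QuU2d` key are assumptions made for the sample.

```python
"""Consistency checks for a GRE-over-IPsec pair (added example with constructed configs)."""
import re


def parse_config(text):
    """Extract the IPsec-relevant parts of a simplified IOS-style config.

    Only what the checks need is parsed: the isakmp key address, crypto map
    'set peer' / 'match address', extended ACL host-to-host permits, and the
    per-interface 'ip address', 'tunnel destination' and 'crypto map' lines.
    """
    cfg = {"key_peer": None, "peers": set(), "match_acl": None, "acls": {}, "ifaces": {}}
    section = None  # (kind, name) of the indented block currently being read
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):  # unindented line starts a new top-level statement
            section = None
            if m := re.match(r"crypto isakmp key \S+ address (\S+)", raw):
                cfg["key_peer"] = m.group(1)
            elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", raw):
                section = ("map", m.group(1))
            elif m := re.match(r"ip access-list extended (\S+)", raw):
                section = ("acl", m.group(1))
                cfg["acls"][m.group(1)] = set()
            elif m := re.match(r"interface (\S+)", raw):
                section = ("iface", m.group(1))
                cfg["ifaces"][m.group(1)] = {"ip": None, "tunnel_dest": None, "crypto_map": False}
            continue
        if section is None:
            continue
        kind, name = section
        body = raw.strip()
        if kind == "map":
            if m := re.match(r"set peer (\S+)", body):
                cfg["peers"].add(m.group(1))
            elif m := re.match(r"match address (\S+)", body):
                cfg["match_acl"] = m.group(1)
        elif kind == "acl":
            if m := re.match(r"permit \S+ host (\S+) host (\S+)", body):
                cfg["acls"][name].add((m.group(1), m.group(2)))
        elif kind == "iface":
            iface = cfg["ifaces"][name]
            if m := re.match(r"ip address (\S+)", body):
                iface["ip"] = m.group(1)
            elif m := re.match(r"tunnel destination (\S+)", body):
                iface["tunnel_dest"] = m.group(1)
            elif body.startswith("crypto map "):
                iface["crypto_map"] = True
    return cfg


def outbound_ip(cfg):
    """Address of the physical (non-Tunnel) interface that carries the crypto map."""
    for name, iface in cfg["ifaces"].items():
        if iface["crypto_map"] and not name.startswith("Tunnel") and iface["ip"]:
            return iface["ip"]
    return None


def check_pair(r1, r2):
    """Return a list of findings describing mismatches between the two ends."""
    findings = []
    far_of = {"R1": outbound_ip(r2), "R2": outbound_ip(r1)}
    for label, me in (("R1", r1), ("R2", r2)):
        far = far_of[label]
        if far is None:
            findings.append(f"{label}: far side has no crypto map on a physical interface")
            continue
        if me["peers"] != {far}:
            findings.append(f"{label}: set peer {sorted(me['peers'])} must be the far side's outbound address {far}")
        if me["key_peer"] != far:
            findings.append(f"{label}: isakmp key address {me['key_peer']} must be {far}")
        for name, iface in me["ifaces"].items():
            if iface["crypto_map"] and name.startswith("Tunnel"):
                findings.append(f"{label}: crypto map on {name}; keep it only on the outbound physical interface")
            if iface["tunnel_dest"] and iface["tunnel_dest"] != far:
                findings.append(f"{label}: tunnel destination {iface['tunnel_dest']} on {name} does not match peer {far}")
    acl1 = r1["acls"].get(r1["match_acl"], set())
    acl2 = r2["acls"].get(r2["match_acl"], set())
    if {(dst, src) for src, dst in acl1} != acl2:  # R2's ACL must be R1's with src/dst swapped
        findings.append(f"crypto ACLs are not mirror images: R1 {sorted(acl1)} vs R2 {sorted(acl2)}")
    return findings


def build_config(key_addr, peer, acl_entries, my_ip, tunnel_dest, map_on_tunnel):
    """Render a minimal IOS-style config for one router (constructed sample input)."""
    lines = [
        f"crypto isakmp key QuU2d address {key_addr}",
        "crypto map CM 10 ipsec-isakmp", f" set peer {peer}", " match address VPN",
        "ip access-list extended VPN",
        *[f" permit gre host {s} host {d}" for s, d in acl_entries],
        "interface Tunnel0", " tunnel source GigabitEthernet0/0", f" tunnel destination {tunnel_dest}",
        *([" crypto map CM"] if map_on_tunnel else []),
        "interface GigabitEthernet0/0", f" ip address {my_ip} 255.255.255.0", " crypto map CM",
    ]
    return "\n".join(lines) + "\n"


HEADEND, REMOTE = "144.199.1.1", "144.199.1.6"  # addresses from the thread; roles are assumed
# Pair reproducing the mistakes called out in the reply (constructed).
R1_BAD = build_config(REMOTE, REMOTE, [(HEADEND, REMOTE), ("144.199.4.1", REMOTE)], HEADEND, HEADEND, True)
R2_BAD = build_config(REMOTE, REMOTE, [(REMOTE, HEADEND)], REMOTE, HEADEND, True)
# Corrected pair: each side keys and peers on the other's outbound address, ACLs mirror, map only on Gi0/0.
R1_OK = build_config(REMOTE, REMOTE, [(HEADEND, REMOTE)], HEADEND, REMOTE, False)
R2_OK = build_config(HEADEND, HEADEND, [(REMOTE, HEADEND)], REMOTE, HEADEND, False)

if __name__ == "__main__":
    for title, (a, b) in (("broken", (R1_BAD, R2_BAD)), ("corrected", (R1_OK, R2_OK))):
        print(title, check_pair(parse_config(a), parse_config(b)) or ["no findings"])
```

Run against the constructed broken pair the checker reports six findings, one for each point in the reply plus the tunnel-destination mismatch on R1; the corrected pair produces none. The parser deliberately understands only the statements the checks need, so anything else in a real config is ignored rather than misread.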