cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3507
Views
0
Helpful
11
Replies

Tunnel GRE over IPSec can not pass traffic through it

ochalmers
Level 1
Level 1

    I'm trying to configure a tunnel GRE over IPSec between to sites, we are using cisco router 7613 SUP720 (IOS: s72033-advipservicesk9_wan-mz.122-18.SXF15a.bin) and router 3845 (IOS:c3845-advsecurityk9-mz.124-25c.bin), we are facing problems when we use the tunnel   because the traffic is not passing through it. the configuration was working when we were using two cisco routers 3845 (IOS:c3845-advsecurityk9-mz.124-25c.bin) but for some reason it is not working anymore when I paste the configuration on the new router 7613.

Headquarter

crypto isakmp policy 10
encr aes
authentication pre-share
group 5
crypto isakmp key T3ST001 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set IPSec_PLC esp-aes esp-sha-hmac
mode transport
!
crypto map PLC-CUM 10 ipsec-isakmp
set peer 167.134.216.89
set transform-set IPSec_PLC
match address 100
!
!
!
interface Tunnel1
bandwidth 1984
ip address 167.134.216.94 255.255.255.252
ip mtu 1476
load-interval 30
tunnel source Serial0/1/0:0
tunnel destination 167.134.216.89

interface Serial0/1/0:0
ip address 167.134.216.90 255.255.255.252
crypto map PLC-CUM

access-list 100 permit gre host 167.134.216.90 host 167.134.216.8

router eigrp 100
network 167.134.216.92 0.0.0.3

Branch

crypto isakmp policy 10
encr aes
authentication pre-share
group 5
crypto isakmp key T3ST001 address 0.0.0.0 0.0.0.0
!        
!        
crypto ipsec transform-set IPSec_PLC esp-aes esp-sha-hmac
mode transport
!        
crypto map PLC-CUM 10 ipsec-isakmp
set peer 167.134.216.90
set transform-set IPSec_PLC
match address 100

interface Tunnel1
bandwidth 1984
ip address 167.134.216.93 255.255.255.252
ip mtu 1476
load-interval 30
tunnel source Serial1/0/0:1
tunnel destination 167.134.216.90

interface Serial1/0/0:1
bandwidth 1984
ip address 167.134.216.89 255.255.255.252
ip access-group 101 in
load-interval 30
no fair-queue
crypto map PLC-CUM

access-list 100 permit gre host 167.134.216.89 host 167.134.216.90

er-7600#sh crypto isakmp sa
dst             src             state          conn-id slot
167.134.216.89  167.134.216.90  QM_IDLE              3    0

er-3845#sh crypto isakmp sa
dst             src             state          conn-id slot status
167.134.216.89  167.134.216.90  QM_IDLE              3    0 ACTIVE


er-3845#sh crypto engine connections active

  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
   3 Serial0/1/0:0        167.134.216.90  set    HMAC_SHA+AES_CBC          0        0
3001 Serial0/1/0:0        167.134.216.90  set    AES+SHA                   0        0
3002 Serial0/1/0:0        167.134.216.90  set    AES+SHA                  61        0

er-7600#sh crypto engine connections active

ID Interface       IP-Address      State  Algorithm           Encrypt  Decrypt
   3 Serial1/0/0:1   167.134.216.89  set    HMAC_SHA+AES_CBC          0        0
2000 Serial1/0/0:1   167.134.216.89  set    HMAC_SHA+AES_CBC          0       66
2001 Serial1/0/0:1   167.134.216.89  set    HMAC_SHA+AES_CBC          0        0

i got this error on the er-3845:   %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, and this one on the er-7600 IPSEC(epa_des_crypt): decrypted packet failed SA identity check

Please help, it is so frustrating...

Thanks in advance

Oscar

2 Accepted Solutions

Accepted Solutions

Here's a document from cisco , clearly mentioning to have a crypto map on both physical as well tunnel interface.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml

Hope it helps

manish

View solution in original post

Does your 7600 series router have IPSec SPA hardware ? as per cisco the 7600 series router do not support software based ipsec encryption and need some ipsec card on them ?

thanks

Manish


http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml#errorVPNTunnel

View solution in original post

11 Replies 11

manish arora
Level 6
Level 6

Try applying the crypto map on the tunnel interfaces also on both the routers.

thanks

manish

Hi manish

I followed your suggestion but it did not work...

Thanks

michael.leblanc
Level 4
Level 4

Oscar:

On the headquarters configuration your crypto map and tunnel destination are 167.134.216.89 (89), but your ACL says 167.134.216.8 (8).

Looks like you need to correct the ACL.

Perhaps that was just a typo. Now that I have reviewed the show command output (which I should have done before responding).

Best Regards,

Mike

Hi Michael, on my router is ok ( .89) when I paste the configuration, I did it wrong.

Best Regards

Hi Oscar ,

did you try using the crypto map statement on the tunnel interface as well on both routers. also reduce the mtu size on the tunnel interface to 1350, both sides. if still doesnt work , please port :-

1> debug crypto isakmp

2> debug crypto ipsec    

3> debug crypto engine

thanks

manish

crypto map on tunnel interface is not advised

you will need to use tunnel protection on tunnel interface

just to clarify when you put 7200 in network you removed the 3800 out of network right?

also clear the tunnels on both routers using clear cry sa for this peer and try to establish the tunnel again

Here's a document from cisco , clearly mentioning to have a crypto map on both physical as well tunnel interface.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml

Hope it helps

manish

Hi Jathaval

     I removed the 3845 out the network when i put the 7600 in the network, and i also clear the tunnels on both routers using clear crypto isakmp sa,

     what do you mean with use tunnel protection on the tunnel interface?  could you please explain me?

Thanks

Oscar

Hi Manish

I set up the mtu to 1350 on both sides, for what i observed the traffic passed for a 40 seconds then it went down, i think it might be a problem with the mtu but for some reason on the 7600 router, the show crypto ipsec sa shows me a different mtu. I append the output of the commands that you asked for it.

Thanks

Does your 7600 series router have IPSec SPA hardware ? as per cisco the 7600 series router do not support software based ipsec encryption and need some ipsec card on them ?

thanks

Manish


http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml#errorVPNTunnel

hi

firstly as requested please attach show cry ips sa

in the debug that you have attached i see that for some reason i see 2 diff spi in the debug for outbound sa


if we look at sh cry ips sa it will be clear as to what spi it is actually using

also please note clear crypto isa sa will only clear phase 1 in routers

you will need to do clear cry sa or the best is clear cry sess

i believe this should resolve the issue

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: