Issue with VPN/IPSEC/Gre/Life

Aug 22nd, 2010

Hello. I am wondering if anyone can be of any assistance. I am trying to set up point-to-point tunnels, but they are not coming up entirely. I am wondering if anyone notices anything obvious that I am missing. Any assistance would be GREATLY appreciated.


version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service compress-config
!
hostname DataCenter-3825
!
boot-start-marker
boot-end-marker
!
! card type command needed for slot/vwic-slot 0/0
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 64000 notifications
logging rate-limit 10 except critical
!
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
!
no ip source-route
ip cef
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name kljhlh.local
vlan ifdescr detail
!
multilink bundle-name authenticated
!
!
voice-card 0
no dspfarm
!

!
crypto pki trustpoint TP-self-signed-330666185
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-330666185
revocation-check none
rsakeypair TP-self-signed-330666185
!
!
crypto pki certificate chain TP-self-signed-330666185
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key abcdefg123 address <OUTSIDE IP OF PEER>
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set TUN-3DES-SHA esp-3des esp-sha-hmac
!
crypto map RMTIPSEC 100 ipsec-isakmp
  set peer <OUTSIDE IP OF PEER>
set security-association lifetime seconds 28800
set transform-set TUN-3DES-SHA
match address GRE2peer

!
!
!
!
no spanning-tree vlan 3
no spanning-tree vlan 4
no spanning-tree vlan 5
no spanning-tree vlan 6
no spanning-tree vlan 150
archive
log config
  hidekeys
!
!
ip tcp selective-ack
ip tcp path-mtu-discovery
ip ssh time-out 60
ip ssh authentication-retries 2
bridge irb
!
!
!
!
interface Loopback100
ip address 10.254.1.1 255.255.255.255
no ip redirects
no ip proxy-arp
ip route-cache flow
!
!
interface Tunnel33
description Tunnel to 847 Market/Akron Elem.
bandwidth 2048
ip address 10.254.253.29 255.255.255.252
no ip redirects
no ip proxy-arp
ip mtu 1338
ip hello-interval eigrp 10000 20
ip hold-time eigrp 10000 60
ip route-cache flow
ip tcp adjust-mss 1200
cdp enable
tunnel source Vlan2
tunnel destination <OUTSIDE IP OF PEER>
!
!
interface Null0
no ip unreachables
!
interface GigabitEthernet0/0
description ** Data Center Network Interface **
ip address 10.0.0.1 255.255.0.0
no ip redirects
no ip proxy-arp
duplex full
speed 100
media-type rj45
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip proxy-arp
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet1/0
ip address 192.168.50.1 255.255.255.0
!
interface FastEthernet2/15
switchport access vlan 2
no cdp enable
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 10.33.0.11 255.255.255.0
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1200
no mop enabled
crypto map RMTIPSEC
crypto ipsec df-bit clear
!
interface Vlan102
no ip address
shutdown
!
interface Vlan118
no ip address
shutdown
!
!
router eigrp 10000
passive-interface Vlan2
passive-interface Vlan3
passive-interface Vlan4
passive-interface Vlan5
passive-interface Vlan6
network 10.0.0.0
network 192.168.50.0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 10.0.0.2
ip route <OUTSIDE IP OF PEER> 255.255.255.0 10.33.0.1
!
!
ip http server
ip http secure-server
ip http max-connections 2
ip nat inside source list LIST1 interface Vlan2 overload
!
ip access-list extended GRE2847MARKET
permit gre host 10.33.0.11 host 24.123.34.11
ip access-list extended LIST1
permit tcp 10.1.38.0 0.0.0.255 gt 1024 any eq smtp
permit tcp 10.1.38.0 0.0.0.255 gt 1023 any eq pop3
!

Show crypto sessions yields:

Interface: Vlan2
Session status: DOWN
Peer: 24.123.34.11 port 500
  IPSEC FLOW: permit 47 host 10.33.0.11 host <OUTSIDE IP OF PEER>
        Active SAs: 0, origin: crypto map

Interface: Vlan2
Session status: UP-IDLE
Peer: <OUTSIDE IP OF PEER> port 4500
  IKE SA: local 10.33.0.11/4500 remote 24.123.34.11/4500 Active
  IKE SA: local 10.33.0.11/4500 remote 24.123.34.11/4500 Active
  IKE SA: local 10.33.0.11/4500 remote 24.123.34.11/4500 Inactive
  IKE SA: local 10.33.0.11/4500 remote 24.123.34.11/4500 Inactive
  IKE SA: local 10.33.0.11/4500 remote 24.123.34.11/4500 Active
  IKE SA: local 10.33.0.11/4500 remote 24.123.34.11/4500 Inactive
  IKE SA: local 10.33.0.11/4500 remote 24.123.34.11/4500 Inactive

And on the opposite end of the tunnel:

interface Tunnel0
bandwidth 2048
ip address 10.254.253.30 255.255.255.252
no ip redirects
no ip proxy-arp
ip mtu 1338
ip hello-interval eigrp 10000 20
ip hold-time eigrp 10000 60
ip route-cache flow
ip tcp adjust-mss 1200
cdp enable
tunnel source FastEthernet0/0
tunnel destination <OUTSIDE IP OF DESTINATION>
end

Thank you for any help!

Jitendriya Athavale Sun, 08/22/2010 - 23:10

hey wesley,

could you please provide us more information like what is the crypto acl, what is the nat acl

if possible please paste the entire config (you can mask the pub ip's)

also please mention in which phase this is failing

you can give the command

show crypto isa sa

the general idea is as follows

crypto acl should be exact mirror image

crypto acl will be from tunnel source to tunnel destination

peer would be public ip

here is an example config

http://tools.cisco.com/squish/E4A02

if this is a new setup I would first get gre up and then look into crypto
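As an added example that is not from the original post or from Cisco, the following Python script turns the three rules in this reply (the crypto acl exists, it runs from tunnel source to tunnel destination with "set peer" equal to that destination, and the far side is its exact mirror image) into checks over pasted IOS stanzas. The hub and spoke configs inside it are constructed to resemble the posted one, with RFC 5737 documentation addresses instead of the poster's; the visible mismatch between "match address GRE2peer" in the crypto map and the ACL actually defined as GRE2847MARKET is reproduced so the check has something to flag. Function and variable names are the example's own.

```python
"""Consistency checks for a GRE-over-IPsec crypto map (added example, not
from the original post or from Cisco). Rules, taken from the reply above:
  1. 'match address' in the crypto map must name an ACL that exists;
  2. that ACL must permit GRE from the tunnel source address to the
     tunnel destination, and 'set peer' must equal the destination;
  3. the far side's crypto ACL must be the exact mirror image.
All addresses below are constructed (RFC 5737 documentation ranges)."""
import re

# Stanzas we care about; child lines follow until '!' or the next header.
BLOCK_START = re.compile(r"^(interface \S+|crypto map \S+ \d+|ip access-list extended \S+)")

def parse_ios(text):
    """Return {header: [child lines]}; works whether or not the paste kept indentation."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None
            continue
        m = BLOCK_START.match(line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks

def interface_ip(blocks, ifname):
    """Primary IPv4 address configured on an interface, or None."""
    for line in blocks.get(f"interface {ifname}", []):
        m = re.match(r"ip address (\S+) \S+", line)
        if m:
            return m.group(1)
    return None

def tunnel_endpoints(blocks):
    """{tunnel name: (source address, destination address)}."""
    result = {}
    for header, lines in blocks.items():
        if header.startswith("interface Tunnel"):
            src = dst = None
            for line in lines:
                if line.startswith("tunnel source "):
                    val = line.split()[2]  # an interface name or a literal address
                    src = val if val[0].isdigit() else interface_ip(blocks, val)
                elif line.startswith("tunnel destination "):
                    dst = line.split()[2]
            result[header.split()[1]] = (src, dst)
    return result

def gre_entries(blocks, acl):
    """(src, dst) host pairs an extended ACL permits for protocol GRE."""
    lines = blocks.get(f"ip access-list extended {acl}", [])
    matches = (re.match(r"permit gre host (\S+) host (\S+)", l) for l in lines)
    return [m.groups() for m in matches if m]

def crypto_map_entries(blocks):
    """[(header, peer, acl)] for every 'crypto map NAME SEQ' stanza."""
    entries = []
    for header, lines in blocks.items():
        if header.startswith("crypto map "):
            peer = acl = None
            for line in lines:
                if line.startswith("set peer "):
                    peer = line.split()[2]
                elif line.startswith("match address "):
                    acl = line.split()[2]
            entries.append((header, peer, acl))
    return entries

def check_side(blocks):
    """Rules 1 and 2 for one router; returns a list of findings, empty when consistent."""
    findings, entries = [], crypto_map_entries(blocks)
    for header, _, acl in entries:
        if f"ip access-list extended {acl}" not in blocks:
            findings.append(f"{header}: 'match address {acl}' names an ACL that is not defined")
    for tun, (src, dst) in tunnel_endpoints(blocks).items():
        matching = [e for e in entries if e[1] == dst]
        if not matching:
            findings.append(f"{tun}: no crypto map entry has 'set peer {dst}'")
        for _, _, acl in matching:
            if (src, dst) not in gre_entries(blocks, acl):
                findings.append(f"{tun}: {acl} lacks 'permit gre host {src} host {dst}'")
    return findings

def check_mirror(local, remote, local_acl, remote_acl):
    """Rule 3: every local (src, dst) pair must appear on the far side as (dst, src)."""
    expected = sorted((d, s) for s, d in gre_entries(local, local_acl))
    return expected == sorted(gre_entries(remote, remote_acl))

# Constructed hub config modelled on the post: the map's 'match address'
# names GRE2peer, but the ACL that is actually defined is GRE2847MARKET.
HUB_CFG = """\
interface Vlan2
 ip address 192.0.2.11 255.255.255.0
!
interface Tunnel33
 tunnel source Vlan2
 tunnel destination 203.0.113.5
!
crypto map RMTIPSEC 100 ipsec-isakmp
 set peer 203.0.113.5
 match address GRE2peer
!
ip access-list extended GRE2847MARKET
 permit gre host 192.0.2.11 host 203.0.113.5
"""
HUB_CFG_FIXED = HUB_CFG.replace("match address GRE2peer", "match address GRE2847MARKET")

# Constructed spoke config: the mirror image of the hub.
SPOKE_CFG = """\
interface FastEthernet0/0
 ip address 203.0.113.5 255.255.255.0
!
interface Tunnel0
 tunnel source FastEthernet0/0
 tunnel destination 192.0.2.11
!
crypto map RMTIPSEC 100 ipsec-isakmp
 set peer 192.0.2.11
 match address GRE2HUB
!
ip access-list extended GRE2HUB
 permit gre host 203.0.113.5 host 192.0.2.11
"""

if __name__ == "__main__":
    for name, cfg in (("hub", HUB_CFG), ("hub (fixed)", HUB_CFG_FIXED), ("spoke", SPOKE_CFG)):
        print(name, check_side(parse_ios(cfg)) or "OK")
    print("mirror:", check_mirror(parse_ios(HUB_CFG_FIXED), parse_ios(SPOKE_CFG),
                                  "GRE2847MARKET", "GRE2HUB"))
```

Run as a script it reports two findings for the hub as posted (the undefined ACL, and consequently no GRE permit from 10.33.0.11-equivalent source to the peer), none once the map references the existing ACL, and confirms the spoke ACL mirrors it. Whether the GRE2peer/GRE2847MARKET difference is a paste artifact or the live configuration, "show crypto map" on the router shows which ACL the map really references.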

praprama Mon, 08/23/2010 - 00:02

Hi,

Please paste the output of "show crypto map". Also, please run "debug crypto isakmp" and paste it. We can see at which phase the tunnel is failing. Also, I see you have "passive-interface Vlan2" entered in the eigrp process. That might cause problems when the tunnel finally comes up as no neighborship will be formed with any device on the Vlan2 interface. Try disabling that as well to see if it makes any difference.

Regards,

Prapanch
