12-14-2011 08:04 AM
This seems straightforward, but I haven't had any luck yet. On c7600s72033-adventerprisek9-mz.122-33.SRC3.bin with a 2 Gbps IPsec SPA (SPA-IPSEC-2G).
I want to terminate the tunnel onto a public IP on a loopback interface in the global routing table. From there, the interesting traffic is actually in a VRF on two separate VLANs. This is being done with crypto maps as the customer is using an ASA. Right now the crypto map is on the VLANs, the crypto engine slot inside command is on them, and the outside command is on the loopback.
crypto engine mode vrf
!
crypto keyring Test
  pre-shared-key address "peer IP" key "password string"
  pre-shared-key address "peer IP" key "password string"
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp profile Test
 vrf Test
 keyring Test
 match identity address "public IP" 255.255.255.255
!
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
!
crypto map IPSEC local-address Loopback1
crypto map IPSEC 10 ipsec-isakmp
 set peer "public IP"
 set transform-set 3DES-MD5
 set isakmp-profile Test
 match address ACL
!
interface Loopback1
 ip address "public IP" 255.255.255.255
 crypto engine slot 7/0 outside
!
interface Vlan2
 ip vrf forwarding Test
 ip address "private IP" 255.255.255.248
 crypto map IPSEC
 crypto engine slot 7/0 inside
That is my config; I have rebooted after putting in the "crypto engine mode vrf" command. Below is the debug. I have sanitized the IPs since this is for a customer.
11:48:18: ISAKMP (0): received packet from "public IP" dport 500 sport 500 Global (N) NEW SA
11:48:18: ISAKMP: Created a peer struct for "public IP", peer port 500
11:48:18: ISAKMP: New peer created peer = 0x5B1C95AC peer_handle = 0x800008C0
11:48:18: ISAKMP: Locking peer struct 0x5B1C95AC, refcount 1 for crypto_isakmp_process_block
11:48:18: ISAKMP: local port 500, remote port 500
11:48:18: ISAKMP: Unable to allocate IKE SA
11:48:18: ISAKMP: Unlocking peer struct 0x5B1C95AC for isadb_unlock_peer_delete_sa(), count 0
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine SPA-IPSEC-2G[7/0] details: state = Active
Capability :
IPSEC: DES, 3DES, AES, RSA
IKE-Session : 0 active, 16383 max, 0 failed
DH : 0 active, 9999 max, 0 failed
IPSec-Session : 0 active, 65534 max, 0 failed
Does anyone have any ideas why it is throwing that error?
12-14-2011 08:25 AM
Have a look at the example - it's almost exactly what you're looking for.
Loopback is NOT the correct interface to apply crypto engine outside to.
"outside" identifies the interface where encrypted packets are going out and coming in through (this is where we will do the TCAM entry to redirect traffic to the SPA module) - it's the first L3 interface - usually an SVI.
crypto map testtag local-address Vlan3 <--- need to change this to your loopback.
You should not apply any crypto features to the loopback - although we do allow crypto to be sourced from the loopback via local-address.
HTH,
M.
(edit: sorry, didn't pay close attention to your current config; the major thing you need to change is to apply crypto engine outside to the first L3 interface in the global VRF).
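A corrected layout following the answer above, written as an added example rather than config from the original thread: the crypto engine outside statement moves off Loopback1 onto the first Layer 3 interface in the global table facing the peer (assumed here to be interface Vlan3, the name used in the referenced example; its address is a placeholder), the loopback keeps only its address and remains the crypto map's local-address, and the VRF-facing VLAN keeps the crypto map and the inside statement. Keyring, ISAKMP policy, profile and transform set are as in the original post and are not repeated.

```cisco
! Added example: corrected placement of the crypto engine statements
! (interface Vlan3, its address and the ACL name are assumed; the rest
! follows the names used in the original post)
crypto engine mode vrf
!
crypto map IPSEC local-address Loopback1
crypto map IPSEC 10 ipsec-isakmp
 set peer "public IP"
 set transform-set 3DES-MD5
 set isakmp-profile Test
 match address ACL
!
! Loopback: tunnel source address only, no crypto engine statement here
interface Loopback1
 ip address "public IP" 255.255.255.255
!
! First L3 interface in the global table towards the peer (name assumed):
! this is where the SPA intercepts encrypted packets in both directions
interface Vlan3
 ip address "global-table IP" 255.255.255.252
 crypto engine slot 7/0 outside
!
! VRF-facing interface carrying the interesting traffic; repeat the same
! three statements on the second VRF VLAN
interface Vlan2
 ip vrf forwarding Test
 ip address "private IP" 255.255.255.248
 crypto map IPSEC
 crypto engine slot 7/0 inside
```

With the outside statement on Vlan3, the peer's IKE packets reach the SPA on the interface that carries them, so the "Unable to allocate IKE SA" debug should disappear; `show crypto isakmp sa` reaching QM_IDLE for the peer is the check that negotiation now completes. The 3DES/MD5 suite is kept only to match the original post; a new deployment would pick AES and SHA-2 for the policy and transform set.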
12-14-2011 08:33 AM
OK, moved it to our physical outside interfaces and it is negotiating. Thanks for the tip Marcin.