GRE over IPSEC tunnel won't ping after tunnel protection

mladendraganovic · ‎04-17-2014

Hi guys,

I'm in dire need of your help!!!

I'm trying to do a site-to-site VPN on two remote routers(Cisco 1941 ISR and Cisco 2800) and I can't get the tunnel to ping on the other side.

I did a

crypto isakmp policy 1

encryption aes 128

hash sha

authentication pre-share

group 2 (DH)

on both routers with same setup(checked it 15 times),

did the tranformset with esp-aes esp-sha-hmac,

crypto ipsec profile and tied it with the above transformset

Tunnel interfaces are up and running and UNTIL I apply tunnel protection ipsec profile PROFILE_NAME.......THE PING GOES FINE(INTERFACES AND WORKSTATIONS so NAT works fine)!!!

As soon as I encrypt the tunnel I CAN NOT PING anything!!!

When I do sh crypto session it shows STATUS: NEGOTIATING, when i do sh crypto isakmp sa it shows MM_NO_STATE so clearly peers can't agree on tunnel protection, right?

I really don't know what else to do, I've looked all over this site(and various others)!

Is port 500 blocked on my routers, how to check that? Does ISP block 500 or 4500 ports?

Please help.....THANK YOU

Poonam Garg · ‎04-17-2014

Reduce the mtu size to 1400 on your tunnel interface as ipsec encapsulation add additional 52 bytes overhead. Recommended MTU is 1400 on tunnel interface when using gre over ipsec.

HTH

"Please rate useful posts"

mladendraganovic · ‎04-17-2014

Hi Poonam,

I already did that ip mtu 1400 and ip tcp adjust-mss 1360

When i do sh control-plane host open-ports it says:

R1#sh control-plane host open-ports
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:23 *:0 Telnet LISTEN
tcp *:23 192.168.1.33:1631 Telnet ESTABLIS
tcp *:80 *:0 HTTP CORE LISTEN
tcp *:80 *:0 HTTP CORE LISTEN
tcp *:862 *:0 IPPM Server Process LISTEN
udp *:4500 *:0 ISAKMP LISTEN
udp *:1967 *:0 RTR control LISTEN
udp *:1975 *:0 IPC LISTEN
udp *:500 *:0 ISAKMP LISTEN

and on R2:

R2#sh control-plane host open-ports
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:22 *:0 SSH-Server LISTEN
tcp *:23 *:0 Telnet LISTEN
tcp *:22 95.156.165.173:29318 SSH-Server ESTABLIS
udp *:67 *:0 DHCPD Receive LISTEN
udp *:2887 *:0 DDP LISTEN

It seems that R2 is not listening on ports 500 or 4500, is one-click lockdown in place here(this my remote router)???

Thanks

syed kazim abbas · ‎04-21-2014

Hi,

@mladendraganovic

Its the game of routing and ACLs, so plz write your ACL for nat and for IPSEC as well as routing table.

Regards,

syed

mladendraganovic · ‎04-24-2014

Hi skmkazim552,

sorry for the late reply, didn't get an email.

R2 ip route:

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is X.X.X.X to network 0.0.0.0

C    192.168.240.0/24 is directly connected, Loopback0
     81.0.0.0/30 is subnetted, 1 subnets
C       X.X.X.X is directly connected, FastEthernet0/1 ---- ISP /30 LAN
C    192.168.10.0/24 is directly connected, FastEthernet0/0.10
     172.16.0.0/30 is subnetted, 1 subnets
C       172.16.0.0 is directly connected, Tunnel0
C    192.168.4.0/24 is directly connected, FastEthernet0/0.4
C    192.168.21.0/24 is directly connected, FastEthernet0/0.21
     10.0.0.0/24 is subnetted, 2 subnets
C       10.10.10.0 is directly connected, FastEthernet0/0.2
C       10.10.12.0 is directly connected, FastEthernet0/0.101
C    192.168.23.0/24 is directly connected, FastEthernet0/0.23
C    192.168.22.0/24 is directly connected, FastEthernet0/0.22
S    192.168.1.0/24 is directly connected, Tunnel0
C    192.168.100.0/24 is directly connected, FastEthernet0/0.100
S*   0.0.0.0/0 [1/0] via X.X.X.X   ---- next hop ISP

R2 ACL:

Extended IP access list IPSEC_IN
    10 permit udp any eq isakmp any
    15 permit udp any eq 47 any
    20 permit ip any any (1296007 matches)
Extended IP access list IPSEC_OUT
    10 permit udp any eq isakmp any
    20 permit udp any eq 47 any
    30 permit ip any any (141223 matches)
Extended IP access list NAT_ACL
    10 deny ip 192.168.21.0 0.0.0.255 192.168.1.0 0.0.0.255 (14 matches)
    20 deny ip 192.168.22.0 0.0.0.255 192.168.1.0 0.0.0.255
    30 deny ip 192.168.23.0 0.0.0.255 192.168.1.0 0.0.0.255 (2 matches)
    40 permit ip 192.168.4.0 0.0.0.255 any (13880 matches)
    50 permit ip 192.168.10.0 0.0.0.255 any
    60 permit ip 10.10.10.0 0.0.0.255 any (4121843 matches)
    70 permit ip 192.168.21.0 0.0.0.255 any (263435 matches)
    80 permit ip 192.168.22.0 0.0.0.255 any (7711 matches)
    90 permit ip 192.168.23.0 0.0.0.255 any (27149 matches)
Extended IP access list sl_def_acl
    10 deny tcp any any eq telnet log (70 matches)
    20 deny tcp any any eq www log
    30 deny tcp any any eq 22 log (4706 matches)
    40 permit tcp any any eq 22 log

IPSEC_IN/OUT is applied only on Tunnel interface facing IN/OUT

192.168.1.0 is the remote LAN!

R1 ip route:

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is X.X.X.X to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via X.X.X.X
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.0.0/30 is directly connected, Tunnel0
L        172.16.0.2/32 is directly connected, Tunnel0
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Vlan1
L        192.168.1.1/32 is directly connected, Vlan1
S     192.168.21.0/24 is directly connected, Tunnel0
      X.X.X.X/24 is variably subnetted, 2 subnets, 2 masks ----- ISP LAN
C        X.X.X.X/30 is directly connected, GigabitEthernet0/0 ----- ISP LAN
L        X.X.X.X/32 is directly connected, GigabitEthernet0/0 ----- ISP LAN

R1 ACL:

Extended IP access list NAT_ACL
    10 deny ip 192.168.1.0 0.0.0.255 192.168.21.0 0.0.0.255
    20 deny ip 192.168.1.0 0.0.0.255 192.168.22.0 0.0.0.255
    30 deny ip 192.168.1.0 0.0.0.255 192.168.23.0 0.0.0.255
    40 permit ip 192.168.1.0 0.0.0.255 any (823729 matches)

No other ACL is applied on R1!!!

I'm only trying to ping 192.168.21.0 LAN and a static route is in place for that LAN on both routers

I can ping when there is no tunnel protection in place....as soon as I protect the tunnel it fails, all parameters of the encryption is supported and equal on both sides

Tnx for the help

syed kazim abbas · ‎04-24-2014

Hi,

you are missing a ACL for vpn interested traffic

Ip Access-list extended VPNTRAFFIC

Permit gre host x.x.x.x host y.y.y.y

x = your tunnel source

y = your tunnel destination

Crypto ipsec transform-set IPSECCRITERIA esp-3des esp-sha-hmac

Mode transport

Crypto map IPSECPOLICY 1 ipsec-isakmp

Match address VPNTRAFFIC

Set transform-set IPSECCRITERIA

Set peer x.x.x.x

Another thing you should do: in nat ACL

Extended IP access list NAT_ACL
X 10 deny ip 192.168.21.0 0.0.0.255 192.168.1.0 0.0.0.255 (14 matches)
X 20 deny ip 192.168.22.0 0.0.0.255 192.168.1.0 0.0.0.255
X 30 deny ip 192.168.23.0 0.0.0.255 192.168.1.0 0.0.0.255 (2 matches)

remove above acl and put this ACL

Extended ip access-list NAT_ACL

10 deny gre any any

20 permit a.b.c.d

30 permit x.x.y.z (or permit ip any any)

Thirdly, your ACL show me that you hav three sub nets that want to go to 192.168.1.0

so you have to put static route for each one pointing to tunnel 0

if u don,t solve the problem then post the config of both routers.

Regards,

syed

"Don,t forget to rate me if post helpful"

David_Che · ‎04-24-2014

The ISAKMP (IKEv1) service is not up as you suspected. so firstly please check ISAKMP service is down on router R2.

You can remove IPsec related config and restart the router R2 and try. after all, you should observe UDP 500/4500 is listening.

mladendraganovic · ‎04-24-2014

Tnx David,

Update:

I've deleted the IPSEC lists and made a new one with

permit esp any any

permit gre any any

permit udp any eq 500 4500 any

permit ip any any

and I've applied it on tunnel interfaces in both directions(nothng happened), then I also applied it on physical interfaces facing IN(guess that by default traffic facing OUT is allowed).....after sh crypto session ---> tunnel interface i DOWN_NEGOTIATING but physical interface is UP-IDLE(guessing thats my ssh connection on R2) but tunnels are still down.

Could ISP be the issue???

mladendraganovic · ‎09-18-2014

It was the case of pointing the tunnel to a right IP address, something so fundamental(basically a tipo)

So.....after creating a policy with all the same paramaters, transformset, ipsec protect policy for encrypting the tunnel and tunnel interfaces on wich you apply the tunnel protection....ALL IS WORKING

MARK AS ANSWERED

Thanks everyone for your help!