Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

GRE over IPSEC tunnel won't ping after tunnel protection

Hi guys,

 

I'm in dire need of your help!!!

I'm trying to do a site-to-site VPN on two remote routers(Cisco 1941 ISR and Cisco 2800) and I can't get the tunnel to ping on the other side.

I did a 

             crypto isakmp policy 1

               encryption aes 128

               hash sha

               authentication pre-share

               group 2 (DH)

on both routers with same setup(checked it 15 times),

did the tranformset with esp-aes esp-sha-hmac, 

crypto ipsec profile and tied it with the above transformset

Tunnel interfaces are up and running and UNTIL I apply tunnel protection ipsec profile PROFILE_NAME.......THE PING GOES FINE(INTERFACES AND WORKSTATIONS so NAT works fine)!!!

As soon as I encrypt the tunnel I CAN NOT PING anything!!!

When I do sh crypto session it shows STATUS: NEGOTIATING, when i do sh crypto isakmp sa it shows MM_NO_STATE so clearly peers can't agree on tunnel protection, right?

 

I really don't know what else to do, I've looked all over this site(and various others)!

Is port 500 blocked on my routers, how to check that? Does ISP block 500 or 4500 ports?

Please help.....THANK YOU

 

8 REPLIES
Silver

Reduce the mtu size to 1400

Reduce the mtu size to 1400 on your tunnel interface as ipsec encapsulation add additional 52 bytes overhead. Recommended MTU is 1400 on tunnel interface when using gre over ipsec.

HTH

"Please rate useful posts"
 

New Member

Hi Poonam, I already did that

Hi Poonam,

 

I already did that ip mtu 1400 and ip tcp adjust-mss 1360

When i do sh control-plane host open-ports  it says:

 

R1#sh control-plane host open-ports
Active internet connections (servers and established)
Prot               Local Address             Foreign Address                  Service    State
 tcp                        *:23                         *:0                   Telnet   LISTEN
 tcp                        *:23           192.168.1.33:1631                   Telnet ESTABLIS
 tcp                        *:80                         *:0                HTTP CORE   LISTEN
 tcp                        *:80                         *:0                HTTP CORE   LISTEN
 tcp                       *:862                         *:0      IPPM Server Process   LISTEN
 udp                      *:4500                         *:0                   ISAKMP   LISTEN
 udp                      *:1967                         *:0              RTR control   LISTEN
 udp                      *:1975                         *:0                      IPC   LISTEN
 udp                       *:500                         *:0                   ISAKMP   LISTEN

and on R2:

 

R2#sh control-plane host open-ports
Active internet connections (servers and established)
Prot        Local Address      Foreign Address                  Service    State
 tcp                 *:22                  *:0               SSH-Server   LISTEN
 tcp                 *:23                  *:0                   Telnet   LISTEN
 tcp                 *:22 95.156.165.173:29318               SSH-Server ESTABLIS
 udp                 *:67                  *:0            DHCPD Receive   LISTEN
 udp               *:2887                  *:0                      DDP   LISTEN

 

It seems that R2 is not listening on ports 500 or 4500, is one-click lockdown in place here(this my remote router)???

 

Thanks

 

 

Hi,@mladendraganovic Its the

Hi,

@mladendraganovic

 

Its the game of routing and ACLs, so plz write your ACL for nat and for IPSEC as well as routing table.

 

Regards,

syed

New Member

Hi skmkazim552, sorry for the

Hi skmkazim552,

 

sorry for the late reply, didn't get an email.

R2 ip route:

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is X.X.X.X to network 0.0.0.0

C    192.168.240.0/24 is directly connected, Loopback0
     81.0.0.0/30 is subnetted, 1 subnets
C       X.X.X.X is directly connected, FastEthernet0/1  ---- ISP /30 LAN
C    192.168.10.0/24 is directly connected, FastEthernet0/0.10
     172.16.0.0/30 is subnetted, 1 subnets
C       172.16.0.0 is directly connected, Tunnel0
C    192.168.4.0/24 is directly connected, FastEthernet0/0.4
C    192.168.21.0/24 is directly connected, FastEthernet0/0.21
     10.0.0.0/24 is subnetted, 2 subnets
C       10.10.10.0 is directly connected, FastEthernet0/0.2
C       10.10.12.0 is directly connected, FastEthernet0/0.101
C    192.168.23.0/24 is directly connected, FastEthernet0/0.23
C    192.168.22.0/24 is directly connected, FastEthernet0/0.22
S    192.168.1.0/24 is directly connected, Tunnel0
C    192.168.100.0/24 is directly connected, FastEthernet0/0.100
S*   0.0.0.0/0 [1/0] via X.X.X.X   ---- next hop ISP

 

R2 ACL:

 

Extended IP access list IPSEC_IN
    10 permit udp any eq isakmp any
    15 permit udp any eq 47 any
    20 permit ip any any (1296007 matches)
Extended IP access list IPSEC_OUT
    10 permit udp any eq isakmp any
    20 permit udp any eq 47 any
    30 permit ip any any (141223 matches)
Extended IP access list NAT_ACL
    10 deny ip 192.168.21.0 0.0.0.255 192.168.1.0 0.0.0.255 (14 matches)
    20 deny ip 192.168.22.0 0.0.0.255 192.168.1.0 0.0.0.255
    30 deny ip 192.168.23.0 0.0.0.255 192.168.1.0 0.0.0.255 (2 matches)
    40 permit ip 192.168.4.0 0.0.0.255 any (13880 matches)
    50 permit ip 192.168.10.0 0.0.0.255 any
    60 permit ip 10.10.10.0 0.0.0.255 any (4121843 matches)
    70 permit ip 192.168.21.0 0.0.0.255 any (263435 matches)
    80 permit ip 192.168.22.0 0.0.0.255 any (7711 matches)
    90 permit ip 192.168.23.0 0.0.0.255 any (27149 matches)
Extended IP access list sl_def_acl
    10 deny tcp any any eq telnet log (70 matches)
    20 deny tcp any any eq www log
    30 deny tcp any any eq 22 log (4706 matches)
    40 permit tcp any any eq 22 log

 

IPSEC_IN/OUT is applied only on Tunnel interface facing IN/OUT

192.168.1.0 is the remote LAN!

 

R1 ip route:

 

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is X.X.X.X to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via X.X.X.X
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.0.0/30 is directly connected, Tunnel0
L        172.16.0.2/32 is directly connected, Tunnel0
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Vlan1
L        192.168.1.1/32 is directly connected, Vlan1
S     192.168.21.0/24 is directly connected, Tunnel0
      X.X.X.X/24 is variably subnetted, 2 subnets, 2 masks ----- ISP LAN
C        X.X.X.X/30 is directly connected, GigabitEthernet0/0 ----- ISP LAN
L        X.X.X.X/32 is directly connected, GigabitEthernet0/0 ----- ISP LAN

R1 ACL:

 

Extended IP access list NAT_ACL
    10 deny ip 192.168.1.0 0.0.0.255 192.168.21.0 0.0.0.255
    20 deny ip 192.168.1.0 0.0.0.255 192.168.22.0 0.0.0.255
    30 deny ip 192.168.1.0 0.0.0.255 192.168.23.0 0.0.0.255
    40 permit ip 192.168.1.0 0.0.0.255 any (823729 matches)

 

No other ACL is applied on R1!!!

I'm only trying to ping 192.168.21.0 LAN and a static route is in place for that LAN on both routers

I can ping when there is no tunnel protection in place....as soon as I protect the tunnel it fails, all parameters of the encryption is supported and equal on both sides

Tnx for the help

 

 

Hi,you are missing a ACL for

Hi,

you are missing a ACL for vpn interested traffic

 

Ip Access-list extended VPNTRAFFIC

               Permit gre host x.x.x.x host y.y.y.y  

x = your tunnel source

y = your tunnel destination

 

Crypto ipsec transform-set IPSECCRITERIA esp-3des esp-sha-hmac

               Mode  transport

Crypto map IPSECPOLICY   1    ipsec-isakmp

               Match address VPNTRAFFIC

               Set transform-set IPSECCRITERIA

               Set peer x.x.x.x

Another thing you should do: in nat ACL

Extended IP access list NAT_ACL
    X  10 deny ip 192.168.21.0 0.0.0.255 192.168.1.0 0.0.0.255 (14 matches)
    X  20 deny ip 192.168.22.0 0.0.0.255 192.168.1.0 0.0.0.255
    X  30 deny ip 192.168.23.0 0.0.0.255 192.168.1.0 0.0.0.255 (2 matches)

remove above acl and put this ACL

Extended ip  access-list NAT_ACL

      10 deny gre any any

       20 permit a.b.c.d

       30 permit  x.x.y.z  (or permit ip any any)

Thirdly, your ACL show me that you hav three sub nets that want to go to 192.168.1.0

so you have to put static route for each one pointing to tunnel 0

if u don,t solve the problem then post the config of both routers.

Regards,

syed

 

"Don,t forget to rate me if post helpful"

 

 

 

 

 

 

New Member

The ISAKMP (IKEv1) service is

The ISAKMP (IKEv1) service is not up as you suspected. so firstly  please check ISAKMP service is down on router R2. 

You can remove IPsec related config and restart the router R2 and try. after all, you should observe UDP 500/4500 is listening.

 

New Member

Tnx David, Update:I've

Tnx David,

 

Update:

I've deleted the IPSEC lists and made a new one with

permit esp any any

permit gre any any

permit udp any eq 500 4500 any

permit ip any any

 

and I've applied it on tunnel interfaces in both directions(nothng happened), then I also applied it on physical interfaces facing IN(guess that by default traffic facing OUT is allowed).....after sh crypto session ---> tunnel interface i DOWN_NEGOTIATING but physical interface is UP-IDLE(guessing thats my ssh connection on R2)  but tunnels are still down.

 

Could ISP be the issue???

New Member

It was the case of pointing

It was the case of pointing the tunnel to a right IP address, something so fundamental(basically a tipo)

So.....after creating a policy with all the same paramaters, transformset, ipsec protect policy for encrypting the tunnel and tunnel interfaces on wich you apply the tunnel protection....ALL IS WORKING

 

MARK AS ANSWERED

Thanks everyone for your help!

716
Views
20
Helpful
8
Replies