07-23-2012 08:53 AM - edited 02-21-2020 06:13 PM
Hello, I have a radio link to a branch, but the provider's link is untrusted, so I configured a GRE tunnel + IPsec, but I am receiving these logs in my router.
%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
The topology is:
Router 1 C3825 IOS 12.4(25f) Fa0/2/2 -------- link radio -------------------- Router 2 C3825 IOS 15.1(4)M4 Gi0/1
I receive the logs in the Router 1 only.
The configurations are:
Router 1:
crypto isakmp policy 1
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key Andina12 address 172.20.127.114
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set TS esp-aes esp-md5-hmac
!
crypto ipsec profile protege-gre
set security-association lifetime seconds 86400
set transform-set TS
interface Tunnel0
description Tunnel GRE IPSec a Vibora
bandwidth 2000
ip address 172.20.127.117 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source 172.20.127.113
tunnel destination 172.20.127.114
tunnel protection ipsec profile protege-gre
interface FastEthernet0/2/2
description RadioEnlace a Vibora
switchport access vlan 74
bandwidth 2000
no cdp enable
interface Vlan74
bandwidth 2000
ip address 172.20.127.113 255.255.255.252
router eigrp 1
network 172.20.127.116 0.0.0.3
Router 2:
crypto isakmp policy 1
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key Andina12 address 172.20.127.113
!
!
crypto ipsec transform-set TS esp-aes esp-md5-hmac
!
crypto ipsec profile protege-gre
set security-association lifetime seconds 86400
set transform-set TS
interface Tunnel0
description Tunnel GRE IPSec a SCZ
bandwidth 2000
ip address 172.20.127.118 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source 172.20.127.114
tunnel destination 172.20.127.113
tunnel protection ipsec profile protege-gre
interface GigabitEthernet0/1
description Radio Enlace a SCZ
bandwidth 2000
ip address 172.20.127.114 255.255.255.252
duplex auto
speed auto
media-type rj45
no cdp enable
router eigrp 1
network 172.20.127.116 0.0.0.3
Thanks for the help.
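The log message in the question is the receiver's ESP anti-replay check rejecting a packet. As an added example, not part of the original thread or any Cisco code, the following Python simulates the sliding-window check described in RFC 4303 (Appendix A) so you can see which sequence-number patterns are accepted and which produce a "replay check failed" decision. It assumes a 64-packet window (a commonly used default; the size is an assumption here), and every sequence number in the trace is constructed for illustration.

```python
"""Added example: ESP anti-replay sliding window (RFC 4303, Appendix A).

Not code from the original thread. The window size of 64 and the packet
traces below are constructed assumptions for illustration only.
"""

from typing import List, Tuple

WINDOW_SIZE = 64  # assumed receiver window size (constructed for this example)


class AntiReplayWindow:
    """Receiver-side state for one inbound IPsec SA.

    `highest` is the largest sequence number accepted so far; bit i of
    `bitmap` is set when sequence number (highest - i) has been accepted.
    """

    def __init__(self, size: int = WINDOW_SIZE):
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def check_and_update(self, seq: int) -> Tuple[bool, str]:
        """Return (accepted, reason) for an ESP sequence number.

        The state is updated only when the packet is accepted, mirroring a
        receiver that verifies integrity before it advances the window.
        """
        if seq == 0:
            return False, "sequence number 0 is never valid"

        if seq > self.highest:
            # Packet is newer than anything seen: slide the window forward.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1  # everything previously seen falls out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True, "accepted (advances window)"

        diff = self.highest - seq
        if diff >= self.size:
            # Too old: a delayed or replayed packet from before the window.
            return False, "replay check failed: older than window"
        if self.bitmap & (1 << diff):
            # Already accepted once: a duplicate or an actual replay.
            return False, "replay check failed: duplicate"

        # Late but still inside the window and not yet seen: reordering, not replay.
        self.bitmap |= 1 << diff
        return True, "accepted (late but within window)"


def replay_trace(seqs: List[int], size: int = WINDOW_SIZE) -> List[Tuple[int, bool, str]]:
    """Run a sequence of ESP sequence numbers through one window."""
    window = AntiReplayWindow(size)
    results = []
    for seq in seqs:
        accepted, reason = window.check_and_update(seq)
        results.append((seq, accepted, reason))
    return results


def count_replay_failures(seqs: List[int], size: int = WINDOW_SIZE) -> int:
    """Number of packets the receiver would log as replay check failures."""
    return sum(1 for _, accepted, _ in replay_trace(seqs, size) if not accepted)


if __name__ == "__main__":
    # Constructed trace: mild reordering (5 before 4), one duplicate (4 twice),
    # a jump to 70, then two packets that are now older than the window.
    SAMPLE_TRACE = [1, 2, 3, 5, 4, 4, 70, 3, 6, 7]
    for seq, accepted, reason in replay_trace(SAMPLE_TRACE):
        print(f"seq={seq:3d} {'OK  ' if accepted else 'DROP'} {reason}")
    print("replay failures:", count_replay_failures(SAMPLE_TRACE))
```

Two points the trace makes for a defender reading these logs: packets that arrive out of order but inside the window are accepted, so a small amount of reordering on a radio link is harmless, while packets delayed or duplicated past the window edge are dropped and logged even when nobody is attacking. The check itself only runs when the ESP transform includes an integrity algorithm (here `esp-md5-hmac`); an ESP transform without integrity has no verified sequence number to check against, so the log line cannot appear but the protection is gone as well. On IOS, `show crypto ipsec sa` reports whether replay detection is enabled for each SA, which is the first thing to confirm before tuning anything.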
07-23-2012 09:09 AM
Change the crypto ipsec mode to transport mode. By default it's tunnel mode.
crypto ipsec transform-set TS esp-aes esp-md5-hmac
mode transport
07-23-2012 11:55 AM
Thanks for the response. I read in another post that the problem could be the "transform-set esp-md5-hmac" method of authentication. I don't know what the problem is, because I only receive the log in Router 1.
07-23-2012 04:06 PM
I put the transform-set in transport mode, but the log continues appearing. Can I put the following transform-set?
crypto ipsec transform-set TS esp-aes
mode transport
Thanks
07-23-2012 06:47 PM
Yes, you can have just that configured:
crypto ipsec transform-set TS esp-aes
mode transport
Remember to change it on both routers.
07-24-2012 12:10 PM
I made the configuration that you said, Jennifer, and didn't see the logs again.
Thanks for the help.