Issue with tunnel GRE IPSec

Hello, I have a radio link to a branch, but the provider's link is untrusted, so I configured a GRE + IPsec tunnel, but I am receiving these logs on my router:

%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed

The topology is:

Router 1 C3825 IOS 12.4(25f) Fa0/2/2 -------- link radio -------------------- Router 2 C3825 IOS 15.1(4)M4 Gi0/1

I receive the logs on Router 1 only.

The configurations are:

Router 1:

crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key Andina12 address 172.20.127.114
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set TS esp-aes esp-md5-hmac
!
crypto ipsec profile protege-gre
 set security-association lifetime seconds 86400
 set transform-set TS
interface Tunnel0
 description Tunnel GRE IPSec a Vibora
 bandwidth 2000
 ip address 172.20.127.117 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 172.20.127.113
 tunnel destination 172.20.127.114
 tunnel protection ipsec profile protege-gre
interface FastEthernet0/2/2
 description RadioEnlace a Vibora
 switchport access vlan 74
 bandwidth 2000
 no cdp enable
interface Vlan74
 bandwidth 2000
 ip address 172.20.127.113 255.255.255.252
router eigrp 1
 network 172.20.127.116 0.0.0.3

Router 2:

crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key Andina12 address 172.20.127.113
!
!
crypto ipsec transform-set TS esp-aes esp-md5-hmac
!
crypto ipsec profile protege-gre
 set security-association lifetime seconds 86400
 set transform-set TS
interface Tunnel0
 description Tunnel GRE IPSec a SCZ
 bandwidth 2000
 ip address 172.20.127.118 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 172.20.127.114
 tunnel destination 172.20.127.113
 tunnel protection ipsec profile protege-gre
interface GigabitEthernet0/1
 description Radio Enlace a SCZ
 bandwidth 2000
 ip address 172.20.127.114 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
router eigrp 1
 network 172.20.127.116 0.0.0.3

Thanks for the help.
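To make the logged condition concrete, here is an added Python simulation of the ESP anti-replay sliding window in the style of RFC 4303 Appendix A; it is not code from this thread or from Cisco, and it assumes a 64-packet window and a constructed packet arrival order.

```python
# Sliding-window anti-replay check in the style of RFC 4303 Appendix A.
# Added illustration for this thread; not Cisco code. Assumes a 64-packet
# window (an assumed default here) and 32-bit ESP sequence numbers.

WINDOW_SIZE = 64  # assumed window size; routers let you tune it per SA


class ReplayWindow:
    """Tracks the highest sequence number seen and a bitmap of received ones."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence (highest - i) already received

    def check(self, seq):
        """Return True if the packet is accepted, False if the replay check
        fails (duplicate, or older than the left edge of the window)."""
        if seq == 0:
            return False   # ESP sequence numbers start at 1
        if seq > self.highest:
            shift = seq - self.highest
            # slide the window forward; bits past the left edge are dropped
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False   # too old: outside the window
        if self.bitmap & (1 << diff):
            return False   # duplicate inside the window
        self.bitmap |= 1 << diff
        return True


def audit(seqs, size=WINDOW_SIZE):
    """Replay a list of received sequence numbers and return the ones that
    would have produced a replay-check failure on the receiver."""
    win = ReplayWindow(size)
    return [s for s in seqs if not win.check(s)]


# Constructed arrival order over a reordering link: a small reorder (5 after 7)
# is tolerated, while a duplicate (7 again) and a packet delayed past the
# window (3 arriving after 200) are rejected.
SAMPLE = [1, 2, 4, 3, 6, 7, 5, 7, 100, 200, 3, 201]

if __name__ == "__main__":
    print("replay check failed for seq:", audit(SAMPLE))
```

A packet that arrives out of order but still inside the window is accepted; only duplicates and packets older than the window produce the replay failure, which is why a link that reorders or delays traffic heavily shows this log without any actual replay attack.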


5 Replies

Jennifer Halim, Cisco Employee

Change the crypto ipsec mode to transport mode. By default it's tunnel mode.

crypto ipsec transform-set TS esp-aes esp-md5-hmac
 mode transport

Thanks for the response. I read in another post that the problem could be the "transform-set esp-md5-hmac" method of authentication. I don't know what the problem is because I only receive the log on Router 1.

I put the transform-set in transport mode, but the log continues appearing. Can I use the following transform-set?

crypto ipsec transform-set TS esp-aes
 mode transport

Thanks

Yes, you can have just that configured:

crypto ipsec transform-set TS esp-aes
 mode transport

Remember to change it on both routers.

I made the configuration that you suggested, Jennifer, and didn't see the logs again.

Thanks for the help.
