
VIP Purple

GRE Tunnel is not working

I have created two tunnels between 2 remote locations:

One of them is working pretty well, but not the other:

Here are the logs:

Jul  5 05:49:47.844: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Jul  5 05:49:47.844: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

Jul  5 05:49:47.844: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

Jul  5 05:49:47.844: ISAKMP:(0): sending packet to 186.226.214.10 my_port 500 peer_port 500 (I) MM_NO_STATE

Jul  5 05:49:47.844: ISAKMP:(0):Sending an IKE IPv4 Packet.

Jul  5 05:49:57.660: ISAKMP:(0):purging node -1742526512

Jul  5 05:49:57.660: ISAKMP:(0):purging node -955876125

Jul  5 05:49:57.844: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Jul  5 05:49:57.844: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

Jul  5 05:49:57.844: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

Jul  5 05:49:57.844: ISAKMP:(0): sending packet to 186.226.214.10 my_port 500 peer_port 500 (I) MM_NO_STATE

Jul  5 05:49:57.844: ISAKMP:(0):Sending an IKE IPv4 Packet.

Jul  5 05:50:07.660: ISAKMP:(0):purging SA., sa=280BABE0, delme=280BABE0

Jul  5 05:50:07.844: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Jul  5 05:50:07.844: ISAKMP:(0):peer does not do paranoid keepalives.

Jul  5 05:50:07.844: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 186.226.214.10)

Jul  5 05:50:07.844: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 186.226.214.10)

Jul  5 05:50:07.844: ISAKMP: Unlocking peer struct 0x3085CCF0 for isadb_mark_sa_deleted(), count 0

Jul  5 05:50:07.844: ISAKMP: Deleting peer node by peer_reap for 186.226.214.10: 3085CCF0

Jul  5 05:50:07.844: ISAKMP:(0):deleting node 601382680 error FALSE reason "IKE deleted"

Jul  5 05:50:07.844: ISAKMP:(0):deleting node -2075971693 error FALSE reason "IKE deleted"

Jul  5 05:50:07.844: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

Jul  5 05:50:07.844: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

Jul  5 05:50:12.288: ISAKMP:(0): SA request profile is (NULL)

Jul  5 05:50:12.288: ISAKMP: Created a peer struct for 186.226.214.10, peer port 500

Jul  5 05:50:12.288: ISAKMP: New peer created peer = 0x3085CCF0 peer_handle = 0x8000057B

Jul  5 05:50:12.288: ISAKMP: Locking peer struct 0x3085CCF0, refcount 1 for isakmp_initiator

Jul  5 05:50:12.288: ISAKMP: local port 500, remote port 500

Jul  5 05:50:12.288: ISAKMP: set new node 0 to QM_IDLE

Jul  5 05:50:12.288: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 29128FD0

Jul  5 05:50:12.288: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

Jul  5 05:50:12.288: ISAKMP:(0):found peer pre-shared key matching 186.226.214.10

Jul  5 05:50:12.288: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

Jul  5 05:50:12.288: ISAKMP:(0): constructed NAT-T vendor-07 ID

Jul  5 05:50:12.288: ISAKMP:(0): constructed NAT-T vendor-03 ID

Jul  5 05:50:12.288: ISAKMP:(0): constructed NAT-T vendor-02 ID

Jul  5 05:50:12.288: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

Jul  5 05:50:12.288: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

Jul  5 05:50:12.288: ISAKMP:(0): beginning Main Mode exchange

Jul  5 05:50:12.288: ISAKMP:(0): sending packet to 186.226.214.10 my_port 500 peer_port 500 (I) MM_NO_STATE

Jul  5 05:50:12.288: ISAKMP:(0):Sending an IKE IPv4 Packet.

Jul  5 05:50:22.288: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Jul  5 05:50:22.288: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

Jul  5 05:50:22.288: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

Jul  5 05:50:22.288: ISAKMP:(0): sending packet to 186.226.214.10 my_port 500 peer_port 500 (I) MM_NO_STATE

Jul  5 05:50:22.288: ISAKMP:(0):Sending an IKE IPv4 Packet.

Jul  5 05:50:32.288: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Jul  5 05:50:32.288: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

Jul  5 05:50:32.288: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

Jul  5 05:50:32.288: ISAKMP:(0): sending packet to 186.226.214.10 my_port 500 peer_port 500 (I) MM_NO_STATE

Jul  5 05:50:32.288: ISAKMP:(0):Sending an IKE IPv4 Packet.

Jul  5 05:50:42.288: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Jul  5 05:50:42.288: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

Jul  5 05:50:42.288: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

Jul  5 05:50:42.288: ISAKMP:(0): sending packet to 186.226.214.10 my_port 500 peer_port 500 (I) MM_NO_STATE

Jul  5 05:50:42.288: ISAKMP:(0):Sending an IKE IPv4 Packet.

Jul  5 05:50:42.288: ISAKMP: set new node 0 to QM_IDLE

Jul  5 05:50:42.288: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 200.168.205.109, remote 186.226.214.10)

Jul  5 05:50:42.288: ISAKMP: Error while processing SA request: Failed to initialize SA

Jul  5 05:50:42.288: ISAKMP: Error while processing KMI message 0, error 2.

Jul  5 05:50:52.288: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Jul  5 05:50:52.288: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

Jul  5 05:50:52.288: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

Jul  5 05:50:52.288: ISAKMP:(0): sending packet to 186.226.214.10 my_port 500 peer_port 500 (I) MM_NO_STATE

Jul  5 05:50:52.288: ISAKMP:(0):Sending an IKE IPv4 Packet.

Jul  5 05:50:57.844: ISAKMP:(0):purging node 601382680

Jul  5 05:50:57.844: ISAKMP:(0):purging node -2075971693

Jul  5 05:51:02.288: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Jul  5 05:51:02.288: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

Jul  5 05:51:02.288: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

Jul  5 05:51:02.288: ISAKMP:(0): sending packet to 186.226.214.10 my_port 500 peer_port 500 (I) MM_NO_STATE

Jul  5 05:51:02.288: ISAKMP:(0):Sending an IKE IPv4 Packet.

Jul  5 05:51:07.844: ISAKMP:(0):purging SA., sa=290F5018, delme=290F5018

Jul  5 05:51:12.288: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Jul  5 05:51:12.288: ISAKMP:(0):peer does not do paranoid keepalives.

Jul  5 05:51:12.288: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 186.226.214.10)

Jul  5 05:51:12.288: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 186.226.214.10)

Jul  5 05:51:12.288: ISAKMP: Unlocking peer struct 0x3085CCF0 for isadb_mark_sa_deleted(), count 0

Jul  5 05:51:12.288: ISAKMP: Deleting peer node by peer_reap for 186.226.214.10: 3085CCF0

Jul  5 05:51:12.288: ISAKMP:(0):deleting node -128482521 error FALSE reason "IKE deleted"

Jul  5 05:51:12.288: ISAKMP:(0):deleting node -893189840 error FALSE reason "IKE deleted"

Jul  5 05:51:12.288: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

Jul  5 05:51:12.288: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

Jul  5 05:51:13.500: ISAKMP:(0): SA request profile is (NULL)

Jul  5 05:51:13.500: ISAKMP: Created a peer struct for 186.226.214.10, peer port 500

Jul  5 05:51:13.500: ISAKMP: New peer created peer = 0x3085CCF0 peer_handle = 0x8000057D

Jul  5 05:51:13.500: ISAKMP: Locking peer struct 0x3085CCF0, refcount 1 for isakmp_initiator

Jul  5 05:51:13.500: ISAKMP: local port 500, remote port 500

Jul  5 05:51:13.500: ISAKMP: set new node 0 to QM_IDLE

Jul  5 05:51:13.500: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 280BABE0

Jul  5 05:51:13.500: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

Jul  5 05:51:13.500: ISAKMP:(0):found peer pre-shared key matching 186.226.214.10

Jul  5 05:51:13.500: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

Jul  5 05:51:13.500: ISAKMP:(0): constructed NAT-T vendor-07 ID

Jul  5 05:51:13.500: ISAKMP:(0): constructed NAT-T vendor-03 ID

Jul  5 05:51:13.500: ISAKMP:(0): constructed NAT-T vendor-02 ID

Jul  5 05:51:13.500: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

Jul  5 05:51:13.500: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

Jul  5 05:51:13.500: ISAKMP:(0): beginning Main Mode exchange

Jul  5 05:51:13.500: ISAKMP:(0): sending packet to 186.226.214.10 my_port 500 peer_port 500 (I) MM_NO_STATE

Jul  5 05:51:13.500: ISAKMP:(0):Sending an IKE IPv4 Packet.

Jul  5 05:51:23.500: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Jul  5 05:51:23.500: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

Jul  5 05:51:23.500: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

Jul  5 05:51:23.500: ISAKMP:(0): sending packet to 186.226.214.10 my_port 500 peer_port 500 (I) MM_NO_STATE

Jul  5 05:51:23.500: ISAKMP:(0):Sending an IKE IPv4 Packet.

Regards

4 REPLIES
Hall of Fame Super Gold

GRE Tunnel is not working

Could you post the config of both sides? As well as a diagram?

VIP Purple

Re: GRE Tunnel is not working

Here is the config for VPN4:

ATRCVPN4#sh run

Building configuration...

Current configuration : 6109 bytes

!

! Last configuration change at 08:12:25 MEST Fri Jul 5 2013 by gcmaint

! NVRAM config last updated at 08:04:27 MEST Fri Jul 5 2013 by gcmaint

! NVRAM config last updated at 08:04:27 MEST Fri Jul 5 2013 by gcmaint

version 15.1

service timestamps debug datetime msec

service timestamps log datetime localtime

service password-encryption

!

hostname ATRCVPN4

!

boot-start-marker

boot-end-marker

!

!

no logging console

no logging monitor

enable secret 5 $1$eIME$cUCWwN2HgWJkM.03CMlov/

!

no aaa new-model

!

clock timezone MET 1 0

clock summer-time MEST recurring last Sun Mar 2:00 last Sun Oct 3:00

!

no ipv6 cef

ip source-route

ip cef

!

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 10.89.41.1 10.89.41.10

ip dhcp excluded-address 10.89.41.150 10.89.41.254

!

ip dhcp pool LAN_IP_ADDR

network 10.89.41.0 255.255.255.0

dns-server 10.89.21.1

default-router 10.89.41.254

domain-name user.grammer.world

netbios-name-server 10.89.21.1

lease 3

!

!

no ip domain lookup

ip domain name user.grammer.world

!

multilink bundle-name authenticated

!

crypto pki token default removal timeout 0

!

!

license udi pid CISCO1941/K9 sn FTX163880R3

!

!

vtp mode transparent

username gcmaint privilege 15 secret 5 $1$FB3I$knnXXtNWU.6mCBtocq2/i.

username hobmaint privilege 15 secret 5 $1$QEoK$n9NSi772vbI8jvvFGmjFO.

username adminmc secret 5 $1$nTvr$YP8Fup/14THKOt4wxy97m0

username grammerwart password 7 120E0405061E0203392F2D293F3030

!

redundancy

!

!

!

!

vlan 41

name Data_VLAN41

!

ip tftp source-interface Vlan41

ip ssh version 2

!

!

crypto isakmp policy 20

encr aes 256

authentication pre-share

crypto isakmp key realXtunnel89 address 200.168.205.109 no-xauth

!

!

crypto ipsec transform-set ts_ati_aes esp-aes esp-sha-hmac

mode transport

!

crypto ipsec profile vpn_profile_ati_aes

set transform-set ts_ati_aes

!

!

!

!

!

!

interface Loopback0

description *** IP 10.89.0.4 ***

ip address 10.89.0.4 255.255.255.255

!

interface Tunnel8941

description *** Tunnel ATRCVPN4 JdF > ATRCVPN3 Ati ***

ip address 172.23.89.2 255.255.255.252

ip mtu 1300

ip tcp adjust-mss 1260

tunnel source 186.226.214.10

tunnel destination 200.168.205.109

tunnel protection ipsec profile vpn_profile_ati_aes

!

interface Tunnel28941

description *** Tunnel ATRCVPN4 JdF > ATRCVPN3 Ati ***

bandwidth 2000

ip address 172.24.89.2 255.255.255.252

ip mtu 1300

ip tcp adjust-mss 1260

tunnel source 189.17.58.210

tunnel destination 200.168.205.109

tunnel protection ipsec profile vpn_profile_ati_aes

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

description *** WAN Embratel JdF ***

ip address 189.17.58.210 255.255.255.240

ip access-group internet in

no ip redirects

no ip unreachables

no ip proxy-arp

duplex full

speed 100

!

interface GigabitEthernet0/1

description *** WAN Rede Turbo JdF ***

ip address 186.226.214.10 255.255.255.248

ip access-group internet in

no ip redirects

no ip unreachables

no ip proxy-arp

duplex full

speed 100

!

interface FastEthernet0/0/0

description *** LAN Interface 10.89.41.254 ***

switchport mode trunk

no ip address

duplex full

speed 100

!

interface FastEthernet0/0/1

no ip address

shutdown

!

interface FastEthernet0/0/2

no ip address

shutdown

!

interface FastEthernet0/0/3

no ip address

shutdown

!

interface Vlan1

description *** Management VLAN ***

no ip address

!

interface Vlan41

description *** Transfer core to ATRCVPN4 ***

ip address 10.89.41.254 255.255.255.0

!

!

router eigrp 1

network 10.89.0.0 0.0.255.255

network 172.23.89.0 0.0.0.3

network 172.24.89.0 0.0.0.3

passive-interface Loopback0

!

ip forward-protocol nd

no ip forward-protocol udp netbios-ns

no ip forward-protocol udp netbios-dgm

!

no ip http server

no ip http secure-server

!

ip route 0.0.0.0 0.0.0.0 172.24.89.1

ip route 62.153.226.20 255.255.255.255 189.17.58.209

ip route 62.153.226.20 255.255.255.255 186.226.214.9

ip route 200.168.205.109 255.255.255.255 189.17.58.209 name JdF_Tu28941

ip route 200.168.205.109 255.255.255.255 186.226.214.9 name JdF_Tu8941

ip route 212.185.199.2 255.255.255.255 189.17.58.209

ip route 212.185.199.2 255.255.255.255 186.226.214.9

!

ip access-list extended internet

permit gre any any

permit esp any any

permit udp any eq isakmp any eq isakmp

permit tcp host 62.153.226.20 any eq 22

permit tcp host 212.185.199.2 any eq 22

permit icmp host 62.153.226.20 host 200.168.205.109 echo

permit icmp host 62.153.226.20 host 200.168.205.109 traceroute

permit icmp host 62.153.226.20 host 189.17.58.210 echo

permit icmp host 212.185.199.2 host 189.17.58.210 echo

permit icmp host 62.153.226.20 host 189.17.58.210 traceroute

permit icmp host 212.185.199.2 host 189.17.58.210 traceroute

permit icmp host 195.243.205.104 host 189.17.58.210 echo

permit icmp host 212.185.41.196 host 189.17.58.210 echo

permit icmp host 195.243.205.104 host 189.17.58.210 traceroute

permit icmp host 212.185.41.196 host 189.17.58.210 traceroute

permit tcp host 62.153.226.20 any eq telnet

permit tcp host 212.185.199.2 any eq telnet

permit icmp host 62.153.226.20 host 186.226.214.9 echo

permit icmp host 62.153.226.20 host 186.226.214.9 traceroute

permit ip any any

permit udp host 200.168.205.109 host 186.226.214.10 eq isakmp

!

!

!

------------------------------------------------------------------------

VPN 3:

hostname ATRCVPN3

!

boot-start-marker

boot-end-marker

!

!

logging buffered 51200 warnings

no logging console

enable secret 5 $1$Kf8c$j3C1CThj3M28UhksMcz5D0

!

no aaa new-model

!

!

no ipv6 cef

ip source-route

ip cef

!

!

!

!

!

no ip domain lookup

ip domain name grammer

!

multilink bundle-name authenticated

!

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-4106650042

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-4106650042

revocation-check none

rsakeypair TP-self-signed-4106650042

!

!

crypto pki certificate chain TP-self-signed-4106650042

certificate self-signed 01

        quit

license udi pid CISCO1941/K9 sn FTX163880R5

!

!

username hobmaint privilege 15 secret 5 $1$Hqq5$NlHHePwZvaKyBjK4IFvRW1

username adminmc secret 5 $1$XO2F$M0RwdJrKVrSuUoqbOjR1o0

username wobvw privilege 3 secret 5 $1$0pi0$RPVpLjzQtLzIxS.wpK394.

username gcmaint privilege 15 secret 5 $1$FJS2$AyQ2qzj1YInPUQCnJmwK0.

!

redundancy

!

!

!

!

ip tftp source-interface Vlan1

!

!

crypto isakmp policy 20

encr aes 256

authentication pre-share

crypto isakmp key realXtunnel89 address 189.17.58.210 no-xauth

crypto isakmp key realXtunnel89 address 186.226.214.10 no-xauth

!

!

crypto ipsec transform-set ts_ati_aes esp-aes esp-sha-hmac

mode transport

!

crypto ipsec profile vpn_profile_ati_aes

set transform-set ts_ati_aes

!

!

!

!

!

!

interface Loopback0

description *** IP 10.89.0.3 ***

ip address 10.89.0.3 255.255.255.255

!

interface Tunnel8941

description *** Tunnel ATRCVPN3 Ati > ATRCVPN4 JdF ***

ip address 172.23.89.1 255.255.255.252

ip mtu 1300

ip tcp adjust-mss 1260

tunnel source 200.168.205.109

tunnel destination 186.226.214.10

tunnel protection ipsec profile vpn_profile_ati_aes

!

interface Tunnel28941

description *** Tunnel ATRCVPN3 Ati > ATRCVPN4 JdF ***

bandwidth 2000

ip address 172.24.89.1 255.255.255.252

ip mtu 1300

ip tcp adjust-mss 1260

tunnel source 200.168.205.109

tunnel destination 189.17.58.210

tunnel protection ipsec profile vpn_profile_ati_aes

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

description *** Site to Site Net (Internet) ***

ip address 200.168.205.109 255.255.255.240

ip access-group internet in

no ip redirects

no ip unreachables

no ip proxy-arp

duplex auto

speed auto

no cdp enable

!

interface GigabitEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet0/0/0

description *** LAN Interface 10.89.8.254 ***

switchport mode trunk

no ip address

duplex full

speed 100

!

interface FastEthernet0/0/1

no ip address

!

interface FastEthernet0/0/2

no ip address

!

interface FastEthernet0/0/3

no ip address

!

interface Vlan1

description *** Management VLAN ***

no ip address

!

interface Vlan8

description *** Transfer core to ATRCVPN3 ***

ip address 10.89.8.254 255.255.255.0

!

!

router eigrp 1

network 10.89.0.0 0.0.255.255

network 172.23.89.0 0.0.0.3

network 172.24.89.0 0.0.0.3

passive-interface Loopback0

!

ip local policy route-map local_out

ip forward-protocol nd

no ip forward-protocol udp netbios-ns

no ip forward-protocol udp netbios-dgm

!

no ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip route 0.0.0.0 0.0.0.0 10.89.8.1

ip route 10.89.41.0 255.255.255.0 172.24.89.2

ip route 62.153.226.20 255.255.255.255 200.168.205.105

ip route 186.226.214.10 255.255.255.255 200.168.205.105 name JdF_Tu8941

ip route 189.17.58.210 255.255.255.255 200.168.205.105 name JdF_Tu28941

ip route 212.185.41.200 255.255.255.255 62.153.226.17

!

ip access-list extended internet

permit gre any any

permit esp any any

permit udp any eq isakmp any eq isakmp

permit tcp host 62.153.226.20 any eq 22

permit tcp host 212.185.199.2 any eq 22

permit icmp host 62.153.226.20 host 200.168.205.109 echo

permit icmp host 195.243.205.104 host 200.168.205.109 echo

permit icmp host 212.185.41.196 host 200.168.205.109 echo

permit icmp host 62.153.226.20 host 200.168.205.109 traceroute

permit icmp host 195.243.205.104 host 200.168.205.109 traceroute

permit icmp host 212.185.41.196 host 200.168.205.109 traceroute

permit ip any any

permit udp host 186.226.214.10 host 200.168.205.109 eq isakmp

!

Here is the layout:

Hall of Fame Super Gold

GRE Tunnel is not working

If you have an ISP providing the link, your "tunnel destination" should be your ISP's interface.

Normally, I would set the Loopback IP address as my "tunnel source".

VIP Purple

GRE Tunnel is not working

I have the tunnel destination: IP from the ISP interface.

I have never used a loopback interface for tunnels.

Here are my debug logs:

Jul  5 05:41:22.373: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80

Jul  5 05:41:22.373: ISAKMP:(0):atts are acceptable. Next payload is 0

Jul  5 05:41:22.373: ISAKMP:(0):Acceptable atts:actual life: 0

Jul  5 05:41:22.373: ISAKMP:(0):Acceptable atts:life: 0

Jul  5 05:41:22.373: ISAKMP:(0):Fill atts in sa vpi_length:4

Jul  5 05:41:22.373: ISAKMP:(0):Fill atts in sa life_in_seconds:86400

Jul  5 05:41:22.373: ISAKMP:(0):Returning Actual lifetime: 86400

Jul  5 05:41:22.373: ISAKMP:(0)::Started lifetime timer: 86400.

Jul  5 05:41:22.373: ISAKMP:(0): processing vendor id payload

Jul  5 05:41:22.373: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

Jul  5 05:41:22.373: ISAKMP (0): vendor ID is NAT-T RFC 3947

Jul  5 05:41:22.373: ISAKMP:(0): processing vendor id payload

Jul  5 05:41:22.373: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch

Jul  5 05:41:22.373: ISAKMP (0): vendor ID is NAT-T v7

Jul  5 05:41:22.373: ISAKMP:(0): processing vendor id payload

Jul  5 05:41:22.373: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

Jul  5 05:41:22.373: ISAKMP:(0): vendor ID is NAT-T v3

Jul  5 05:41:22.373: ISAKMP:(0): processing vendor id payload

Jul  5 05:41:22.373: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

Jul  5 05:41:22.373: ISAKMP:(0): vendor ID is NAT-T v2

Jul  5 05:41:22.373: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Jul  5 05:41:22.373: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

Jul  5 05:41:22.373: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

Jul  5 05:41:22.373: ISAKMP:(0): sending packet to 200.168.205.109 my_port 500 peer_port 500 (R) MM_SA_SETUP

Jul  5 05:41:22.373: ISAKMP:(0):Sending an IKE IPv4 Packet.

Jul  5 05:41:22.373: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Jul  5 05:41:22.373: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

Jul  5 05:41:22.837: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Jul  5 05:41:22.837: ISAKMP:(0):peer does not do paranoid keepalives.

Jul  5 05:41:22.837: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 200.168.205.109)

Jul  5 05:41:22.837: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 200.168.205.109)

Jul  5 05:41:22.837: ISAKMP: Unlocking peer struct 0x291AF64C for isadb_mark_sa_deleted(), count 0

Jul  5 05:41:22.837: ISAKMP: Deleting peer node by peer_reap for 200.168.205.109: 291AF64C

Jul  5 05:41:22.837: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

Jul  5 05:41:22.837: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_DEST_SA

Jul  5 05:41:24.973: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Jul  5 05:41:24.973: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

Jul  5 05:41:24.973: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

Jul  5 05:41:24.973: ISAKMP:(0): sending packet to 200.168.205.109 my_port 500 peer_port 500 (I) MM_NO_STATE

Jul  5 05:41:24.973: ISAKMP:(0):Sending an IKE IPv4 Packet.

Jul  5 05:41:32.369: ISAKMP (0): received packet from 200.168.205.109 dport 500 sport 500 Global (R) MM_SA_SETUP

Jul  5 05:41:32.369: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.

Jul  5 05:41:32.369: ISAKMP:(0): retransmitting due to retransmit phase 1

Jul  5 05:41:32.869: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Jul  5 05:41:32.869: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

Jul  5 05:41:32.869: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP

Jul  5 05:41:32.869: ISAKMP:(0): sending packet to 200.168.205.109 my_port 500 peer_port 500 (R) MM_SA_SETUP

Jul  5 05:41:32.869: ISAKMP:(0):Sending an IKE IPv4 Packet.

Jul  5 05:41:34.973: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Jul  5 05:41:34.973: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

Jul  5 05:41:34.973: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

Jul  5 05:41:34.973: ISAKMP:(0): sending packet to 200.168.205.109 my_port 500 peer_port 500 (I) MM_NO_STATE

Jul  5 05:41:34.973: ISAKMP:(0):Sending an IKE IPv4 Packet.

Jul  5 05:41:42.377: ISAKMP (0): received packet from 200.168.205.109 dport 500 sport 500 Global (R) MM_SA_SETUP

Jul  5 05:41:42.377: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.

Jul  5 05:41:42.377: ISAKMP:(0): retransmitting due to retransmit phase 1

Jul  5 05:41:42.877: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Jul  5 05:41:42.877: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

Jul  5 05:41:42.877: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP

Jul  5 05:41:42.877: ISAKMP:(0): sending packet to 200.168.205.109 my_port 500 peer_port 500 (R) MM_SA_SETUP

Jul  5 05:41:42.877: ISAKMP:(0):Sending an IKE IPv4 Packet.

Jul  5 05:41:44.973: ISAKMP: set new node 0 to QM_IDLE

Jul  5 05:41:44.973: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 186.226.214.10, remote 200.168.205.109)

Jul  5 05:41:44.973: ISAKMP: Error while processing SA request: Failed to initialize SA

Jul  5 05:41:44.973: ISAKMP: Error while processing KMI message 0, error 2.

Jul  5 05:41:44.973: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Jul  5 05:41:44.973: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

Jul  5 05:41:44.973: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

Jul  5 05:41:44.973: ISAKMP:(0): sending packet to 200.168.205.109 my_port 500 peer_port 500 (I) MM_NO_STATE

Jul  5 05:41:44.973: ISAKMP:(0):Sending an IKE IPv4 Packet.

Jul  5 05:41:52.365: ISAKMP (0): received packet from 200.168.205.109 dport 500 sport 500 Global (R) MM_SA_SETUP

Jul  5 05:41:52.365: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.

Jul  5 05:41:52.365: ISAKMP:(0): retransmitting due to retransmit phase 1

Jul  5 05:41:52.865: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Jul  5 05:41:52.865: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

Jul  5 05:41:52.865: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP

Jul  5 05:41:52.865: ISAKMP:(0): sending packet to 200.168.205.109 my_port 500 peer_port 500 (R) MM_SA_SETUP

Jul  5 05:41:52.865: ISAKMP:(0):Sending an IKE IPv4 Packet.

Jul  5 05:41:54.973: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Jul  5 05:41:54.973: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

Jul  5 05:41:54.973: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

Jul  5 05:41:54.973: ISAKMP:(0): sending packet to 200.168.205.109 my_port 500 peer_port 500 (I) MM_NO_STATE

Jul  5 05:41:54.973: ISAKMP:(0):Sending an IKE IPv4 Packet.

Jul  5 05:42:00.729: ISAKMP:(0):purging node -1455087230

Jul  5 05:42:00.729: ISAKMP:(0):purging node -880088908

I don't know why it is blocking phase 1 on port 500.

Regards
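
A log-triage sketch for the debug output in this thread, as an added example that is not part of any post: it tallies ISAKMP phase 1 packets per peer and role so that the initiator's and responder's views of the same exchange can be compared. The function names and the diagnosis wording are assumptions made for this example; the sample lines are excerpted from the logs posted above.

```python
import re
from collections import defaultdict

# Lines excerpted from the debug output posted in this thread (both routers),
# cut down to a handful per side so the example runs offline.
SAMPLE_LOG = """\
Jul  5 05:50:12.288: ISAKMP:(0): sending packet to 186.226.214.10 my_port 500 peer_port 500 (I) MM_NO_STATE
Jul  5 05:50:22.288: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Jul  5 05:50:22.288: ISAKMP:(0): sending packet to 186.226.214.10 my_port 500 peer_port 500 (I) MM_NO_STATE
Jul  5 05:50:32.288: ISAKMP:(0): sending packet to 186.226.214.10 my_port 500 peer_port 500 (I) MM_NO_STATE
Jul  5 05:51:12.288: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 186.226.214.10)
Jul  5 05:51:12.288: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 186.226.214.10)
Jul  5 05:41:32.369: ISAKMP (0): received packet from 200.168.205.109 dport 500 sport 500 Global (R) MM_SA_SETUP
Jul  5 05:41:32.369: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
Jul  5 05:41:32.869: ISAKMP:(0): sending packet to 200.168.205.109 my_port 500 peer_port 500 (R) MM_SA_SETUP
Jul  5 05:41:42.377: ISAKMP (0): received packet from 200.168.205.109 dport 500 sport 500 Global (R) MM_SA_SETUP
Jul  5 05:41:42.377: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
Jul  5 05:41:42.877: ISAKMP:(0): sending packet to 200.168.205.109 my_port 500 peer_port 500 (R) MM_SA_SETUP
"""

SENT = re.compile(r"sending packet to ([\d.]+) my_port \d+ peer_port \d+ \(([IR])\) (\w+)")
RECV = re.compile(r"received packet from ([\d.]+) dport \d+ sport \d+ \S+ \(([IR])\) (\w+)")
DEAD = re.compile(r'"Death by retransmission P1" state \(([IR])\) (\w+) \(peer ([\d.]+)\)')
DUP = "phase 1 packet is a duplicate of a previous packet"


def summarize(log_text):
    """Return {(peer, role): counters} for the phase 1 packets seen in the log."""
    stats = defaultdict(lambda: {"sent": 0, "received": 0, "duplicates": 0,
                                 "deaths": 0, "state": None})
    seen_deaths = set()  # the router prints each deletion line twice
    last_rx = None       # the "duplicate" line names no peer; use the last receive
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := DEAD.search(line):
            role, state, peer = m.groups()
            if line not in seen_deaths:
                seen_deaths.add(line)
                entry = stats[(peer, role)]
                entry["deaths"] += 1
                entry["state"] = state
        elif m := SENT.search(line):
            peer, role, state = m.groups()
            entry = stats[(peer, role)]
            entry["sent"] += 1
            entry["state"] = state
        elif m := RECV.search(line):
            peer, role, state = m.groups()
            last_rx = (peer, role)
            entry = stats[last_rx]
            entry["received"] += 1
            entry["state"] = state
        elif DUP in line and last_rx is not None:
            stats[last_rx]["duplicates"] += 1
    return dict(stats)


def diagnose(role, counters):
    """Turn one set of counters into a one-line reading (wording is this example's)."""
    if role == "I" and counters["sent"] and not counters["received"]:
        return "initiator: no reply seen to the first Main Mode message"
    if role == "R" and counters["duplicates"]:
        return "responder: peer keeps resending its first message, so it is not seeing our replies"
    return "no phase 1 retransmission pattern found"


def report(log_text):
    """Map each (peer, role) pair in the log to its diagnosis string."""
    return {key: diagnose(key[1], c) for key, c in summarize(log_text).items()}


if __name__ == "__main__":
    for (peer, role), text in report(SAMPLE_LOG).items():
        print(f"{peer} ({role}): {text}")
```
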
