2941 Views, 0 Helpful, 6 Replies

Unable to get IPSEC-over-GRE Tunnel Working

Jonathan Holt (Level 1)

Hi Guys

Looking for a little assistance here. I am setting up an IPSEC-over-GRE tunnel between a couple of CSRs and as soon as I enable IPSEC the tunnel protocol drops and won't come back up.

Here is the relevant configuration:

Crypto Config on Both Routers
======================

crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key ****** address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile ipsec-over-gre
 set transform-set esp-aes-sha

Interface Configuration on Router 1
=========================

interface GigabitEthernet2
 vrf forwarding Prod
 ip address 10.0.0.1 255.255.255.0
 ip nat outside
 negotiation auto

Tunnel Interface Configuration on Router 1
==============================

interface Tunnel0
 vrf forwarding Prod
 ip address 192.168.254.1 255.255.255.0
 tunnel source GigabitEthernet2
 tunnel mode ipsec ipv4
 tunnel destination 10.0.0.2
 tunnel path-mtu-discovery
 tunnel vrf Prod
 tunnel protection ipsec profile ipsec-over-gre

Interface Configuration on Router 2
=========================

interface GigabitEthernet2
 vrf forwarding Prod
 ip address 10.0.0.2 255.255.255.0
 ip nat outside
 negotiation auto

Tunnel Interface Configuration on Router 2
==============================

interface Tunnel0
 vrf forwarding Prod
 ip address 192.168.254.2 255.255.255.0
 tunnel source GigabitEthernet2
 tunnel mode ipsec ipv4
 tunnel destination 10.0.0.1
 tunnel path-mtu-discovery
 tunnel vrf Prod
 tunnel protection ipsec profile ipsec-over-gre

Troubleshooting so far
================

- The two physical interfaces can ping each other successfully.
- The tunnel interface works before the tunnel mode ipsec ipv4 command is added, and then it drops. Shortly after that I add the tunnel protection ipsec profile ipsec-over-gre command.
- Show interface reveals:

CSR-03#show int tun0
Tunnel0 is up, line protocol is down
  Hardware is Tunnel
  Internet address is 192.168.254.2/24
  MTU 17892 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 10.0.0.1 (GigabitEthernet2), destination 10.0.0.2
   Tunnel Subblocks:
      src-track:
         Tunnel0 source tracking subblock associated with GigabitEthernet2
          Set of tunnels with source GigabitEthernet2, 1 member (includes iterators), on interface <OK>
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Path MTU Discovery, ager 10 mins, min MTU 92
  Tunnel transport MTU 1500 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "ipsec-over-gre")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 00:00:04
  Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

Any assistance at all is greatly appreciated. I think this should work fine as configured and I can't get my head around why it isn't.

Cheers

Jon

Accepted Solution

NAGISWAREN2 (Level 1)

Hi,

1) Does your GRE tunnel come up before applying tunnel protection? This is to ensure your GRE tunnel itself is properly configured. Once you confirm this is working, you can move to step 2.

2) When working with IPsec in a VRF, I think you would need to implement a crypto keyring to define the pre-shared key. Try this on both routers.

crypto keyring Prod-keyring vrf Prod
 pre-shared-key address 10.1.1.2 key cisco123
!
crypto isakmp profile ike-profile
 vrf Prod
 keyring Prod-keyring
 match identity address 10.1.1.2 255.255.255.255 Prod
crypto ipsec profile ipsec-over-gre
 set transform-set esp-aes-sha
 set isakmp-profile ike-profile

Regards,

Nagis

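The keyring and ISAKMP-profile fix from the accepted answer, carried through with the addresses and VRF name from the question, followed by the show commands that confirm it took effect. This is an added example, not configuration from the original thread: it assumes the peers 10.0.0.1 and 10.0.0.2 in VRF Prod and the Tunnel0 settings posted in the question, the key string is a placeholder to be replaced, and it goes beyond the thread in two places, setting the ISAKMP encryption explicitly and using DH group 14 where the question left group 2.

```cisco
! Added example: keyring-based pre-shared key for an IKE peer reached through a VRF.
! Assumes the question's addressing (10.0.0.1 <-> 10.0.0.2, front-door VRF "Prod").
! REPLACE-ME-PSK is a placeholder, not a key from the thread.
!
! Why the keyring: with "tunnel vrf Prod" the IKE exchange is sourced in VRF Prod,
! and a global "crypto isakmp key ... address 0.0.0.0 0.0.0.0" is not consulted for
! a peer in that VRF, which is what the "No pre-shared key with 10.0.0.2!" debug
! line reports. A keyring bound to the VRF, selected by an ISAKMP profile, fixes it.

!--- Router 1 ---
crypto keyring Prod-keyring vrf Prod
 pre-shared-key address 10.0.0.2 key REPLACE-ME-PSK
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 14
!
crypto isakmp profile ike-profile
 vrf Prod
 keyring Prod-keyring
 match identity address 10.0.0.2 255.255.255.255 Prod
!
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile ipsec-over-gre
 set transform-set esp-aes-sha
 set isakmp-profile ike-profile
!
interface Tunnel0
 vrf forwarding Prod
 ip address 192.168.254.1 255.255.255.0
 tunnel source GigabitEthernet2
 ! "tunnel mode ipsec ipv4" makes this an IPsec VTI with no GRE header; to carry
 ! GRE inside IPsec, leave the default GRE mode and keep the tunnel protection line.
 tunnel mode ipsec ipv4
 tunnel destination 10.0.0.2
 tunnel vrf Prod
 tunnel protection ipsec profile ipsec-over-gre

!--- Router 2: identical, with the peer address and tunnel address swapped ---
crypto keyring Prod-keyring vrf Prod
 pre-shared-key address 10.0.0.1 key REPLACE-ME-PSK
!
crypto isakmp profile ike-profile
 vrf Prod
 keyring Prod-keyring
 match identity address 10.0.0.1 255.255.255.255 Prod
!
interface Tunnel0
 ip address 192.168.254.2 255.255.255.0
 tunnel destination 10.0.0.1
! (ISAKMP policy, transform set, IPsec profile and the other Tunnel0 lines as on Router 1)

!--- Verification, on either router ---
! Phase 1: the peer should be listed in state QM_IDLE.
show crypto isakmp sa
! Phase 2: "pkts encaps" / "pkts decaps" counters should climb once traffic flows.
show crypto ipsec sa
! Session summary, including the VRF the peer sits in.
show crypto session detail
! The tunnel's line protocol should now be up.
show interface Tunnel0 | include line protocol
! If phase 1 still fails, the debug used in the thread shows the reason:
debug crypto isakmp
```

The pre-shared key must match on both routers, and both keyrings are bound to the same VRF as the tunnel source, which is the part the global isakmp key in the question did not cover.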

6 Replies

Richard Burts (Hall of Fame)

Jon

I have done this type of tunnel a number of times but not yet on CSRs. So there is some possibility that some aspect of CSR is getting in the way that I would not recognize. If the tunnel works ok before you enable the crypto then that assures that it is not an issue with IP connectivity or with basic tunnel configuration.

So it is most likely that there is some problem with crypto configuration. My first suggestion is to verify that both devices have correct images to support crypto and have licenses activated that support crypto (though if the crypto commands are accepted it is likely that image and license are ok). But let's start here.

My second suggestion is to check the configurations and verify that the crypto configuration is really the same on both devices.

My third suggestion would be to use some crypto debugging, probably starting with ISAKMP, to see where the crypto negotiation is not working.

HTH

Rick


Hi Rick

Thanks heaps for the fast reply.

The software I am using is the trial version of the CSR - It comes with the Advanced License, which should allow IPSec...

I can confirm that the crypto information is the same. I have also done a debug on both CSRs, and it's coming back saying that there is no PSK specified for the peer, although clearly there is. I've also tried setting the peer specifically to the remote interface address (10.0.0.x), but no joy.

Router-1#show run | sec crypto
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key ***** address 0.0.0.0
crypto isakmp keepalive 10
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile ipsec-over-gre
 set transform-set esp-aes-sha

Router-2#show run | sec crypto
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key ***** address 0.0.0.0
crypto isakmp keepalive 10
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile ipsec-over-gre
 set transform-set esp-aes-sha

Router-1#debug crypto isakmp
*Dec 30 02:58:56.943: ISAKMP:(0): SA request profile is (NULL)
*Dec 30 02:58:56.943: ISAKMP: Created a peer struct for 10.0.0.2, peer port 500
*Dec 30 02:58:56.943: ISAKMP: New peer created peer = 0x7F9539B29578 peer_handle = 0x80000099
*Dec 30 02:58:56.943: ISAKMP: Locking peer struct 0x7F9539B29578, refcount 1 for isakmp_initiator
*Dec 30 02:58:56.943: ISAKMP: local port 500, remote port 500
*Dec 30 02:58:56.943: ISAKMP: set new node 0 to QM_IDLE
*Dec 30 02:58:56.943: ISAKMP:(0):insert sa successfully sa = 7F9539B2F100
*Dec 30 02:58:56.943: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Dec 30 02:58:56.943: ISAKMP:(0):No pre-shared key with 10.0.0.2!
*Dec 30 02:58:56.945: ISAKMP:(0): No Cert or pre-shared address key.
*Dec 30 02:58:56.946: ISAKMP:(0): construct_initial_message: Can not start Main mode
*Dec 30 02:58:56.947: ISAKMP: Unlocking peer struct 0x7F9539B29578 for isadb_unlock_peer_delete_sa(), count 0
*Dec 30 02:58:56.948: ISAKMP: Deleting peer node by peer_reap for 10.0.0.2: 7F9539B29578
*Dec 30 02:58:56.949: ISAKMP:(0):purging SA., sa=7F9539B2F100, delme=7F9539B2F100
*Dec 30 02:58:56.949: ISAKMP:(0):purging node 2692845451
*Dec 30 02:58:56.949: ISAKMP: Error while processing SA request: Failed to initialize SA
CSR-01#
*Dec 30 02:58:56.949: ISAKMP: Error while processing KMI message 0, error 2.

I'll keep troubleshooting - Any chance it could have something to do with using VRFs?

Cheers

Jon

Jon

I cannot rule out VRFs being part of the problem. But at this point I believe it is likely something other than VRF. We may come back to that later, but for now let's look at other things.

One thing that strikes me in reviewing what you posted is the use of crypto isakmp key 0.0.0.0 on both routers. When I have done this kind of config before I have used 0.0.0.0 on one side (hub in hub and spoke network) and have specified the address in the crypto isakmp key of the spoke router. Is it possible to try specifying the peer address on one of the routers?

HTH

Rick


Rick and Nagis,

Thanks so much for your help and your time!

Nagis, I've gotten it working using the isakmp profile with the crypto keyring. Spot on - works perfectly!

Really happy to have found a solution, so thanks again for that!

Cheers

Jon

Hi Jonathan,

Glad to know that it resolved the problem.

Regards,

Nagis
