08-23-2014 09:48 AM - edited 03-12-2019 07:19 AM
The configs are pretty straightforward: http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/vspa/configuration/guide/ivmsw_book/ivmvpna.html#wp1054133
Yet I'm having two issues. With external peers I have a main mode failure on the peer whose tunnel was un-shut first. The security groups permit ESP, UDP 500 and 4500. When that didn't work I opened up UDP all the way. I still had the issue.
Between internal peers in AWS my tunnel is up/down. Both isakmp and IPsec SAs are established. But I am unable to pass traffic.
Any ideas will be greatly appreciated.
[26B]
crypto keyring VTI-2627 vrf F5426
pre-shared-key address 10.10.10.94 key abc123
!
crypto isakmp profile VTI-2627
keyring VTI-2627
match identity address 10.10.10.94 F5426
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
!
crypto ipsec transform-set VTI-Set esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile VTI-2627
set transform-set VTI-Set
set isakmp-profile VTI-2627
set pfs group2
!
int tunnel2627
desc IPSec VTI to R26A
ip address 10.26.27.1 255.255.255.252
tunnel mode ipsec ipv4
tunnel vrf F5426
tunnel source Gi1
tunnel destination 10.10.10.94
tunnel protection ipsec profile VTI-2627
[27A]
crypto keyring VTI-2726 vrf F5427
pre-shared-key address 20.20.20.218 key abc123
!
crypto isakmp profile VTI-2726
keyring VTI-2726
match identity address 20.20.20.218 F5427
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
!
crypto ipsec transform-set VTI-Set esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile VTI-2726
set transform-set VTI-Set
set isakmp-profile VTI-2726
set pfs group2
!
int tunnel2726
desc IPSec VTI to R26B
ip address 10.26.27.2 255.255.255.252
tunnel mode ipsec ipv4
tunnel vrf F5427
tunnel source Gi1
tunnel destination 20.20.20.218
tunnel protection ipsec profile VTI-2726
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 20.20.20.218
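An added consistency audit for fragments like the two above (example code written for this page, not Cisco's or the poster's): it parses one peer's keyring, isakmp profile and tunnel lines and reports any FVRF or peer-address disagreement between them, since a keyring or profile bound to the wrong VRF is never selected and IKE fails quietly. The 26B sample repeats the posted values; the 27A sample is a constructed variant with its keyring deliberately placed in the wrong VRF.

```python
import ipaddress
import re

# A VTI fragment must agree with itself in four places: keyring FVRF,
# isakmp profile identity match, and the tunnel's own vrf and destination.
PATTERNS = {
    "keyring_vrf": r"crypto keyring \S+ vrf (\S+)",
    "psk_peer": r"pre-shared-key address (\S+)",
    "ident": r"match identity address (\S+)(?: \d+\.\d+\.\d+\.\d+)? (\S+)",
    "tunnel_vrf": r"tunnel vrf (\S+)",
    "tunnel_dst": r"tunnel destination (\S+)",
    "tunnel_ip": r"ip address (\S+) (\S+)",
}

def parse_vti(cfg):
    """Extract the fields above from one peer's config fragment."""
    fields = {}
    for line in cfg.splitlines():
        for key, pat in PATTERNS.items():
            m = re.match(pat, line.strip())
            if m:
                fields[key] = m.group(1) if m.lastindex == 1 else m.groups()
    return fields

def audit_vti(name, f):
    """Findings for one peer; an empty list means the fragment is consistent."""
    ident_peer, ident_vrf = f.get("ident", (None, None))
    checks = [
        ("keyring vrf", f.get("keyring_vrf"), "tunnel vrf", f.get("tunnel_vrf")),
        ("isakmp profile vrf", ident_vrf, "tunnel vrf", f.get("tunnel_vrf")),
        ("pre-shared-key address", f.get("psk_peer"), "tunnel destination", f.get("tunnel_dst")),
        ("match identity address", ident_peer, "tunnel destination", f.get("tunnel_dst")),
    ]
    return [f"{name}: {a} {x} != {b} {y}" for a, x, b, y in checks if x != y]

def same_vti_subnet(fa, fb):
    """True when both tunnel interface addresses fall in one network."""
    nets = [ipaddress.ip_interface("%s/%s" % f["tunnel_ip"]).network for f in (fa, fb)]
    return nets[0] == nets[1]

# Constructed samples: 26B as posted; 27A with its keyring in the wrong VRF.
R26B = ("crypto keyring VTI-2627 vrf F5426\n pre-shared-key address 10.10.10.94 key abc123\n"
        " match identity address 10.10.10.94 F5426\n ip address 10.26.27.1 255.255.255.252\n"
        " tunnel vrf F5426\n tunnel destination 10.10.10.94")
R27A_BAD = ("crypto keyring VTI-2726 vrf F5426\n pre-shared-key address 20.20.20.218 key abc123\n"
            " match identity address 20.20.20.218 F5427\n ip address 10.26.27.2 255.255.255.252\n"
            " tunnel vrf F5427\n tunnel destination 20.20.20.218")

if __name__ == "__main__":
    for name, cfg in (("26B", R26B), ("27A", R27A_BAD)):
        print(name, audit_vti(name, parse_vti(cfg)) or "consistent")
```

The address checks only cover what each side configures locally; whether the destination an external peer sees is the real source or a NAT'd one still has to be confirmed on the path itself.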
08-26-2014 09:49 AM
taburley,
One of the issues that I have encountered in the past is forgetting that if I am creating a tunnel externally the destination may be NAT'd by the AWS infrastructure. What is the route that your tunnel has to take to be formed? If it leaves through an IGW it is possible that you are NAT'd to a public address and the tunnel destination on the opposite side will need to point to that address instead of the 10.X.X.X address. It may be something to check out. Can you ping from 27A to 26B using the tunnel source and destination addresses?
-Nick
08-26-2014 11:56 AM
Same VPC, same subnet... just creating a layer 3 infrastructure on top of AWS' layer 2/3.
08-26-2014 12:10 PM
If it's the same VPC with the same subnet, then the security policy doesn't apply. So are you able to ping from 27A to 26B? Is other traffic able to pass between the two devices? For example, can you telnet from one device to the other? Can you ping between the two using the source and destination addresses used on your tunnels?
-Nick
08-26-2014 12:26 PM
Yes - there is 100% connectivity. I have actually put in a GRE just to make sure I was getting more than a ping through. The crypto isn't working when I have the tunnel going through a VRF.
The security group is applied to ALL interfaces by default.
Thanks for looking at this. It's nice to have another set of "eyes."