VRF VPN in AWS - Main Mode Failure

taburley
Level 1

The configs are pretty straightforward:  http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/vspa/configuration/guide/ivmsw_book/ivmvpna.html#wp1054133

Yet I'm having two issues. With external peers I have a main mode failure on the peer whose tunnel was un-shut first. The security group permits ESP, UDP 500 and 4500. When that didn't work I opened up UDP all the way. I still had the issue.

Between internal peers in AWS my tunnel is up/down. Both ISAKMP and IPsec SAs are established, but I am unable to pass traffic.

Any ideas will be greatly appreciated.

[26B]

crypto keyring VTI-2627 vrf F5426
 pre-shared-key address 10.10.10.94 key abc123
!
crypto isakmp profile VTI-2627
 keyring VTI-2627
 match identity address 10.10.10.94 F5426
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto ipsec transform-set VTI-Set esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VTI-2627
 set transform-set VTI-Set
 set isakmp-profile VTI-2627
 set pfs group2
!
int tunnel2627
 desc IPSec VTI to R26A
 ip address 10.26.27.1 255.255.255.252
 tunnel mode ipsec ipv4
 tunnel vrf F5426
 tunnel source Gi1
 tunnel destination 10.10.10.94
 tunnel protection ipsec profile VTI-2627


[27A]

crypto keyring VTI-2726 vrf F5427
 pre-shared-key address 20.20.20.218 key abc123
!
crypto isakmp profile VTI-2726
 keyring VTI-2726
 match identity address 20.20.20.218 F5427
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto ipsec transform-set VTI-Set esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VTI-2726
 set transform-set VTI-Set
 set isakmp-profile VTI-2726
 set pfs group2
!
int tunnel2726
 desc IPSec VTI to R26B
 ip address 10.26.27.2 255.255.255.252
 tunnel mode ipsec ipv4
 tunnel vrf F5427
 tunnel source Gi1
 tunnel destination 20.20.20.218
 tunnel protection ipsec profile VTI-2726


%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 20.20.20.218

4 Replies

Nicholas Oliver
Cisco Employee

taburley,

One of the issues that I have encountered in the past is forgetting that if I am creating a tunnel externally the destination may be NAT'd by the AWS infrastructure.  What is the route that your tunnel has to take to be formed?  If it leaves through an IGW it is possible that you are NAT'd to a public address and the tunnel destination on the opposite side will need to point to that address instead of the 10.X.X.X address.  It may be something to check out.  Can you ping from 27A to 26B using the tunnel source and destination addresses?

-Nick
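The two configs posted above, the IKMP_MODE_FAILURE syslog line, and Nick's NAT question can all be checked mechanically before touching debugs. The Python 3 script below is an added example written for this thread; it is not the poster's tooling and not anything from Cisco. It embeds 26B's posted config as constructed sample input (27A is derived from it by token substitution, since the post shows the two differ only in tag, VRF, peer and tunnel address), verifies on each router that the front-door VRF and peer address agree along interface, IPsec profile, ISAKMP profile and keyring, compares phase 1 policy, transform-set, PFS and PSK across the pair, flags a private tunnel destination with the IGW/NAT caveat Nick raised, and maps the peer in the syslog line back to the tunnel that negotiates with it. The function names (`parse`, `check_side`, `check_pair`, `locate_failure`) and the one-transform-set-per-config simplification are my own assumptions.

```python
import ipaddress
import re

# Constructed sample input: 26B's config as posted in the thread (desc line dropped).
# The posted 27A config differs only in tag, VRF, peer and tunnel IP, so it is derived.
CONFIG_26B = """crypto keyring VTI-2627 vrf F5426
 pre-shared-key address 10.10.10.94 key abc123
!
crypto isakmp profile VTI-2627
 keyring VTI-2627
 match identity address 10.10.10.94 F5426
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto ipsec transform-set VTI-Set esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VTI-2627
 set transform-set VTI-Set
 set isakmp-profile VTI-2627
 set pfs group2
!
int tunnel2627
 ip address 10.26.27.1 255.255.255.252
 tunnel mode ipsec ipv4
 tunnel vrf F5426
 tunnel source Gi1
 tunnel destination 10.10.10.94
 tunnel protection ipsec profile VTI-2627
"""
CONFIG_27A = (CONFIG_26B.replace("2627", "2726").replace("F5426", "F5427")
              .replace("10.10.10.94", "20.20.20.218").replace("10.26.27.1", "10.26.27.2"))
SYSLOG = "%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 20.20.20.218"
LOG_RE = re.compile(r"IKMP_MODE_FAILURE: Processing of (\w+) mode failed with peer at (\S+)")


def sections(text):
    """Split an IOS config into (header, [indented sub-lines]) blocks; '!' separators are dropped."""
    out = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("!"):
            if line[0] != " ":
                out.append((line.strip(), []))
            else:
                out[-1][1].append(line.strip())
    return out


def tok(body, prefix, i):
    """Token i of the first sub-line that starts with prefix, or None if absent."""
    for l in body:
        if l.startswith(prefix):
            s = l.split()
            return s[i] if len(s) > i else None
    return None


def parse(text):
    """Collect the objects that must agree for a VRF-aware VTI to bring up IKE (one transform-set assumed)."""
    cfg = {"keyring": {}, "isakmp": {}, "policy": {}, "ipsec": {}, "tunnel": {}, "transform": None}
    for head, body in sections(text):
        w = head.split()
        if head.startswith("crypto keyring"):
            cfg["keyring"][w[2]] = {"vrf": w[4] if len(w) > 4 else None,
                                    "peer": tok(body, "pre-shared-key address", 2),
                                    "key": tok(body, "pre-shared-key address", 4)}
        elif head.startswith("crypto isakmp profile"):
            cfg["isakmp"][w[3]] = {"keyring": tok(body, "keyring", 1),
                                   "peer": tok(body, "match identity address", 3),
                                   "vrf": tok(body, "match identity address", 4)}
        elif head.startswith("crypto isakmp policy"):
            cfg["policy"][w[3]] = tuple(sorted(body))
        elif head.startswith("crypto ipsec transform-set"):
            cfg["transform"] = (tuple(w[4:]), tuple(sorted(body)))
        elif head.startswith("crypto ipsec profile"):
            cfg["ipsec"][w[3]] = {"transform": tok(body, "set transform-set", 2),
                                  "isakmp": tok(body, "set isakmp-profile", 2),
                                  "pfs": tok(body, "set pfs", 2)}
        elif len(w) > 1 and w[0].startswith("int") and w[1].lower().startswith("tunnel"):
            cfg["tunnel"][w[1]] = {"vrf": tok(body, "tunnel vrf", 2),
                                   "peer": tok(body, "tunnel destination", 2),
                                   "profile": tok(body, "tunnel protection ipsec profile", 4)}
    return cfg


def check_side(name, cfg):
    """Per router: FVRF and peer must agree along interface -> ipsec profile -> isakmp profile -> keyring."""
    out = []
    for ifname, t in cfg["tunnel"].items():
        isa = cfg["isakmp"].get(cfg["ipsec"].get(t["profile"], {}).get("isakmp"), {})
        kr = cfg["keyring"].get(isa.get("keyring"), {})
        vrfs = {t["vrf"], isa.get("vrf"), kr.get("vrf")}
        peers = {t["peer"], isa.get("peer"), kr.get("peer")}
        if len(vrfs) != 1:
            out.append(("error", f"{name} {ifname}: FVRF differs across tunnel/isakmp profile/keyring: {sorted(map(str, vrfs))}"))
        if len(peers) != 1:
            out.append(("error", f"{name} {ifname}: peer differs across tunnel/isakmp profile/keyring: {sorted(map(str, peers))}"))
        if t["peer"] and ipaddress.ip_address(t["peer"]).is_private:
            # Nick's point: a path out an IGW is NATed, so the far side must point at the public address.
            out.append(("info", f"{name} {ifname}: peer {t['peer']} is private; fine inside one VPC, "
                                "but if the path leaves via an IGW the far side must use the public address"))
    return out


def check_pair(a_name, a, b_name, b):
    """Across the two routers: a common phase 1 policy, same transform-set, PFS group and PSK."""
    out = []
    if not (set(a["policy"].values()) & set(b["policy"].values())):
        out.append(("error", f"{a_name}/{b_name}: no common ISAKMP policy"))
    if a["transform"] != b["transform"]:
        out.append(("error", f"{a_name}/{b_name}: transform-sets differ"))
    if {p["pfs"] for p in a["ipsec"].values()} != {p["pfs"] for p in b["ipsec"].values()}:
        out.append(("error", f"{a_name}/{b_name}: PFS group differs"))
    if {k["key"] for k in a["keyring"].values()} != {k["key"] for k in b["keyring"].values()}:
        out.append(("error", f"{a_name}/{b_name}: pre-shared keys differ"))
    return out


def locate_failure(line, sides):
    """Map the peer in an IKMP_MODE_FAILURE syslog line back to the tunnel(s) configured for it."""
    m = LOG_RE.search(line)
    if not m:
        return None
    mode, peer = m.groups()
    hits = [(n, i) for n, c in sides.items() for i, t in c["tunnel"].items() if t["peer"] == peer]
    return mode, peer, hits


if __name__ == "__main__":
    sides = {"26B": parse(CONFIG_26B), "27A": parse(CONFIG_27A)}
    for n, c in sides.items():
        for sev, msg in check_side(n, c):
            print(sev, msg)
    for sev, msg in check_pair("26B", sides["26B"], "27A", sides["27A"]):
        print(sev, msg)
    print(locate_failure(SYSLOG, sides))
```

On the posted pair the only findings are the two informational private-peer notes, and the syslog line resolves to tunnel2726 on 27A. That is consistent with taburley's later statement that both routers sit in the same VPC and subnet: the NAT hint does not apply there, and the main mode failure has to be chased on the box that logged it (with `debug crypto isakmp`, for instance) rather than in the static config.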

taburley
Level 1

Same VPC, same subnet... just creating a layer 3 infrastructure on top of AWS' layer 2/3.

Nicholas Oliver
Cisco Employee

If it's the same VPC with the same subnet, then the security policy doesn't apply. So are you able to ping from 27A to 26B? Is other traffic able to pass between the two devices? For example, can you telnet from one device to the other? Can you ping between the two using the source and destination addresses used on your tunnels?

-Nick

taburley
Level 1

Yes, there is 100% connectivity. I have actually put in a GRE just to make sure I was getting more than a ping through. The crypto isn't working when I have the tunnel going through a VRF.

The security group is applied to ALL interfaces by default.

Thanks for looking at this. It's nice to have another set of "eyes."