Re: Help getting GRE IPsec tunnel setup

dctaylorit · ‎04-19-2013

We are setting up an old office building as an offsite data center. The network cosists on a PIX 501 firewall and a 2811 router. I am attempting to setup a GRE tunnel over IPsec back to the main office. The main office consists of a PIX515, a 2821 router, and a 2921 router.

There is also an ASA5510 in our main office that is used as our primary connection for all of our external services and as a GRE endpoint for our other offices. The PIX515 is used to connect our main office clients to the internet and we would like traffic between it and our offsite data center to go across it as well. The default route is to use the ASA. We used policy based routing on the 2821 and 2921 routers to direct the appropriate traffic to the PIX515.

I have attached a PDF that shows a general overview.

Right now I am not able to get the tunnel setup. It appears that the offsite datacenter is sending packets but is not receiving any when I issue the “show crypto ipsec sa” commands on both firewalls. I will show the output of that command below.

Main Office
The external address     198.40.227.50.
The loopback address   10.254.10.6
The tunnel address        10.2.60.1

Offsite Datacenter
The external address     198.40.254.178
The loopback address   10.254.60.6
The tunnel address        10.2.60.2

The main office PIX515 Config (Edited – if I am missing something that you need please let me know).

PIX Version 7.2(2)

!

interface Ethernet0

mac-address 5475.d0ba.5012

nameif outside

security-level 0

ip address 198.40.227.50 255.255.255.240

!

interface Ethernet1

nameif inside

security-level 100

ip address 10.10.10.3 255.255.0.0

!

access-list outside_cryptomap_60 extended permit gre host 10.254.10.6 host 10.254.60.6

access-list outside_cryptomap_60 extended permit ip host 10.254.10.6 host 10.254.60.6

global (outside) 1 interface

nat (outside) 1 10.60.0.0 255.255.0.0

nat (inside) 0 access-list noNat

route outside 0.0.0.0 0.0.0.0 198.40.227.49 1

route inside 10.60.0.0 255.255.0.0 10.10.10.1 1

route inside 10.254.10.6 255.255.255.255 10.10.10.253 1

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map ClientVPN_dyn_map 10 set transform-set ESP-3DES-SHA

crypto map cr-lakeavemap 10 match address outside_cryptomap_60

crypto map cr-lakeavemap 10 set peer 198.40.254.178

crypto map cr-lakeavemap 10 set transform-set ESP-3DES-SHA

crypto map cr-lakeavemap 65535 ipsec-isakmp dynamic ClientVPN_dyn_map

crypto map cr-lakeavemap interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp nat-traversal 20

tunnel-group DefaultRAGroup ipsec-attributes

isakmp keepalive threshold 10 retry 2

tunnel-group 198.40.254.178 type ipsec-l2l

tunnel-group 198.40.254.178 ipsec-attributes

The offsite datacenter PIX501 config (again edited)

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

access-list crvpn permit gre host 10.254.60.6 host 10.254.10.6

access-list crvpn permit ip host 10.254.60.6 host 10.254.10.6

mtu outside 1500

mtu inside 1500

ip address outside 198.40.254.178 255.255.255.240

ip address inside 10.60.10.2 255.255.0.0

route outside 0.0.0.0 0.0.0.0 198.40.254.177 1

route inside 10.2.60.2 255.255.255.255 10.60.10.1 1

route inside 10.254.60.6 255.255.255.255 10.60.10.1 1

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map ClientVPN_dyn_map 10 match address ClientVPN

crypto dynamic-map ClientVPN_dyn_map 10 set transform-set ESP-3DES-SHA

crypto map cr-lakeavemap 10 ipsec-isakmp

crypto map cr-lakeavemap 10 match address crvpn

crypto map cr-lakeavemap 10 set peer 198.40.227.50

crypto map cr-lakeavemap 10 set transform-set ESP-3DES-SHA

crypto map cr-lakeavemap 65535 ipsec-isakmp dynamic ClientVPN_dyn_map

crypto map cr-lakeavemap client authentication LOCAL

crypto map cr-lakeavemap interface outside

isakmp enable outside

isakmp key ******** address 198.40.227.50 netmask 255.255.255.255

isakmp identity address

isakmp keepalive 10

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

Output of the “show crypto ipsec sa” command
From the main office

Crypto map tag: cr-lakeavemap, seq num: 10, local addr: 198.40.227.50

access-list outside_cryptomap_60 permit gre host 10.254.10.6 host 10.254.60.6

local ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)

remote ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)

current_peer: 198.40.254.178

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 18867, #pkts decrypt: 18867, #pkts verify: 18867

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 198.40.227.50, remote crypto endpt.: 198.40.254.178

path mtu 1500, ipsec overhead 58, media mtu 1500

current outbound spi: D78E63C9

inbound esp sas:

spi: 0x5D63434C (1566786380)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 2, crypto-map: cr-lakeavemap

sa timing: remaining key lifetime (kB/sec): (4274801/7527)

IV size: 8 bytes

replay detection support: Y

outbound esp sas:

spi: 0xD78E63C9 (3616433097)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 2, crypto-map: cr-lakeavemap

sa timing: remaining key lifetime (kB/sec): (4275000/7527)

IV size: 8 bytes

replay detection support: Y

From the offsite datacenter

local ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)

remote ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)

current_peer: 198.40.227.50:500

dynamic allocated peer ip: 0.0.0.0

PERMIT, flags={origin_is_acl,}

#pkts encaps: 22360, #pkts encrypt: 22360, #pkts digest 22360

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 1156, #recv errors 0

local crypto endpt.: 198.40.254.178, remote crypto endpt.: 198.40.227.50

path mtu 1500, ipsec overhead 56, media mtu 1500

current outbound spi: 5d63434c

inbound esp sas:

spi: 0xd78e63c9(3616433097)

transform: esp-3des esp-sha-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 1, crypto map: cr-lakeavemap

sa timing: remaining key lifetime (k/sec): (4608000/6604)

IV size: 8 bytes

replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x5d63434c(1566786380)

transform: esp-3des esp-sha-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 2, crypto map: cr-lakeavemap

sa timing: remaining key lifetime (k/sec): (4607792/6596)

IV size: 8 bytes

replay detection support: Y

outbound ah sas:

outbound pcp sas:

I'm not sure where the issue lies and have beat my head on this for awhile so any help/insight is greatly appreciated. If there is anything else you'd like to see please let me know.

Maykol Rojas · ‎04-21-2013

Hi Joe,

This should be moved to a VPN forum, however, something comes up Really quickly from the problem. Here:

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

Thats from the Pix on the Main office, so I think the GRE traffic is not either getting or being encrypted. I am assuming this is the IP address of the router behind the main office 10.254.10.6 is that correct?

If so, I would put a capture on the Pix to see if the GRE traffic is getting to that PIX on the inside (Unencrupted but Encapsulated on GRE) and make sure that it is not being dropped. To ensure that, you can see the logs on the PIX and see if the firewall is dropping the GRE previous being encrypted.

Also, a packet tracer can be run to ensure that the Traffic has a VPN phase which would indicate that it is following the correct phases and it would be encrypted.

Let me know.

Mike Rojas.

Mike

dctaylorit · ‎04-22-2013

Maykol - I believe you are correct on the GRE traffic is not getting back to the PIX in the main office. I did a packet capture on the PIX and not getting anything coming in regarding any of the Loopback or Tunnels.

The 2821 and 2921 routers use using HRST and use a standby IP of 10.10.10.1. The 2821 IP is 10.10.10.253 and the 2921 is 10.10.10.254.

10.2.60.1 & 10.2.60.2 are the Loopback addresses

10.254.10.6 & 10.254.60.6 are the Tunnel Addresses.

I have updated the PBR on the 2821 & 2921 to send any traffic for the 10.60.x.x network, 10.2.60.2, and 10.254.60.6 to the PIX but I'm wondering if that is wrong.