cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
281
Views
0
Helpful
0
Replies
Highlighted

Crypto error in IPsec Tunnel over EIGRP [URGENT]

Hi everyone,

I have a Cisco 2911 (IOS ver 15.3(3)M) in our branch office and Cisco 7204VXR (IOS version 12.4(4)) in our headquarters. They should be connected to each other via IPsec Tunnel over EIGRP.

On the Cisco 2911, I receive this from the log:

Nov 17 17:34:33: %CRYPTO-4-IKMP_NO_SA: IKE message from 117.215.97.243 has no SA and is not an initialization offer
Nov 17 17:51:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel65, changed state to down
Nov 17 17:51:21: %DUAL-5-NBRCHANGE: EIGRP-IPv4 89: Neighbor 10.255.255.65 (Tunnel65) is down: interface down
Nov 17 17:51:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel65, changed state to up
Nov 17 17:51:25: %DUAL-5-NBRCHANGE: EIGRP-IPv4 89: Neighbor 10.255.255.65 (Tunnel65) is up: new adjacency

On the Cisco 7204, this is the log:

Nov 17 17:47:18: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=117.215.97.243, prot=50, spi=0xA8A632E(176841518), srcaddr=117.215.105.5
Nov 17 17:47:19: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel6301, changed state to down
Nov 17 17:47:19: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 89: Neighbor 10.255.255.66 (Tunnel6301) is down: interface down
Nov 17 17:47:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel6301, changed state to up
Nov 17 17:47:23: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 89: Neighbor 10.255.255.66 (Tunnel6301) is up: new adjacency

This happen every 2 minutes interval.

 

Here's the config:

Cisco 2911:

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key 12345 address 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 120 10 periodic
!
crypto ipsec security-association replay disable
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set ipsec-vti esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set ph-ipsec esp-3des esp-md5-hmac
 mode tunnel
!
!

crypto ipsec profile ipsec-vti
 set security-association replay window-size 1024
 set transform-set ipsec-vti

 

interface Tunnel65
 description ipsec vti to sgsineqnix-gw-2
 ip address 10.255.255.66 255.255.255.252
 ip summary-address eigrp 89 10.63.0.0 255.255.224.0
 tunnel source 117.215.105.5
 tunnel mode ipsec ipv4
 tunnel destination 117.215.97.243
 tunnel protection ipsec profile ipsec-vti

 

interface GigabitEthernet0/0/0
 switchport access vlan 106
 no ip address

interface Vlan106
 description Internet
 ip address 117.215.105.5 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly in
 crypto map ph-ipsec

 

 

CIsco 7204:

!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp key 12345 address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 120 10 periodic
!
crypto ipsec security-association replay disable
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set ipsec-vti esp-aes 256 esp-sha-hmac
crypto ipsec transform-set eq-ipsec esp-3des esp-md5-hmac
crypto ipsec profile ipsec-vti
 set security-association replay window-size 1024
 ! Warning: window size of 128 actually used
 set transform-set ipsec-vti

 

interface Tunnel6301
 description ipsec vti to Aend
 ip address 10.255.255.65 255.255.255.252
 ip summary-address eigrp 89 10.65.0.0 255.255.224.0 5
 tunnel source 117.215.97.243
 tunnel destination 117.215.105.5
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-vti

 

interface GigabitEthernet0/1
 description internet
 ip address 117.215.97.243 255.255.255.192
 ip access-group firewall in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 duplex full
 speed 100
 media-type rj45
 negotiation auto
 crypto map eq-ipsec

Please advise how to fix this issue.

0 REPLIES 0
Content for Community-Ad