
Crypto error in IPsec Tunnel over EIGRP [URGENT]

Hi everyone,

I have a Cisco 2911 (IOS version 15.3(3)M) in our branch office and a Cisco 7204VXR (IOS version 12.4(4)) in our headquarters. They should be connected to each other via an IPsec tunnel over EIGRP.

On the Cisco 2911, I receive this from the log:

Nov 17 17:34:33: %CRYPTO-4-IKMP_NO_SA: IKE message from 117.215.97.243 has no SA and is not an initialization offer
Nov 17 17:51:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel65, changed state to down
Nov 17 17:51:21: %DUAL-5-NBRCHANGE: EIGRP-IPv4 89: Neighbor 10.255.255.65 (Tunnel65) is down: interface down
Nov 17 17:51:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel65, changed state to up
Nov 17 17:51:25: %DUAL-5-NBRCHANGE: EIGRP-IPv4 89: Neighbor 10.255.255.65 (Tunnel65) is up: new adjacency

On the Cisco 7204, this is the log:

Nov 17 17:47:18: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=117.215.97.243, prot=50, spi=0xA8A632E(176841518), srcaddr=117.215.105.5
Nov 17 17:47:19: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel6301, changed state to down
Nov 17 17:47:19: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 89: Neighbor 10.255.255.66 (Tunnel6301) is down: interface down
Nov 17 17:47:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel6301, changed state to up
Nov 17 17:47:23: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 89: Neighbor 10.255.255.66 (Tunnel6301) is up: new adjacency

This happens at a 2-minute interval.


Here's the config:

Cisco 2911:

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key 12345 address 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 120 10 periodic
!
crypto ipsec security-association replay disable
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set ipsec-vti esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set ph-ipsec esp-3des esp-md5-hmac
 mode tunnel
!
!

crypto ipsec profile ipsec-vti
 set security-association replay window-size 1024
 set transform-set ipsec-vti


interface Tunnel65
 description ipsec vti to sgsineqnix-gw-2
 ip address 10.255.255.66 255.255.255.252
 ip summary-address eigrp 89 10.63.0.0 255.255.224.0
 tunnel source 117.215.105.5
 tunnel mode ipsec ipv4
 tunnel destination 117.215.97.243
 tunnel protection ipsec profile ipsec-vti


interface GigabitEthernet0/0/0
 switchport access vlan 106
 no ip address

interface Vlan106
 description Internet
 ip address 117.215.105.5 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly in
 crypto map ph-ipsec

Cisco 7204:

!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp key 12345 address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 120 10 periodic
!
crypto ipsec security-association replay disable
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set ipsec-vti esp-aes 256 esp-sha-hmac
crypto ipsec transform-set eq-ipsec esp-3des esp-md5-hmac
crypto ipsec profile ipsec-vti
 set security-association replay window-size 1024
 ! Warning: window size of 128 actually used
 set transform-set ipsec-vti


interface Tunnel6301
 description ipsec vti to Aend
 ip address 10.255.255.65 255.255.255.252
 ip summary-address eigrp 89 10.65.0.0 255.255.224.0 5
 tunnel source 117.215.97.243
 tunnel destination 117.215.105.5
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-vti


interface GigabitEthernet0/1
 description internet
 ip address 117.215.97.243 255.255.255.192
 ip access-group firewall in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 duplex full
 speed 100
 media-type rj45
 negotiation auto
 crypto map eq-ipsec

Please advise how to fix this issue.

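As an added example (not part of the original post, and not a diagnosis of it), the following Python script parses IOS syslog lines of the kind quoted above, pairs each Tunnel line-protocol down/up into a flap, measures the interval between successive flaps, and flags flaps that were preceded within a short window by a %CRYPTO-4 error, collecting any invalid SPIs it finds. The embedded sample lines are constructed to mirror the format of the post's logs; the second 7204 cycle and its SPI value are made up so that the flap period has something to measure.

```python
"""Correlate Cisco IOS %CRYPTO-4 errors with IPsec VTI line-protocol flaps.

Added example, not code from the original post. The sample logs below are
constructed to match the post's format; replace them with `show logging`
output from each router.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the 7204 lines from the post, plus one made-up cycle
# two minutes later (SPI 0xA8A6330 is invented) so a period can be computed.
SAMPLE_LOG_7204 = """\
Nov 17 17:47:18: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=117.215.97.243, prot=50, spi=0xA8A632E(176841518), srcaddr=117.215.105.5
Nov 17 17:47:19: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel6301, changed state to down
Nov 17 17:47:19: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 89: Neighbor 10.255.255.66 (Tunnel6301) is down: interface down
Nov 17 17:47:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel6301, changed state to up
Nov 17 17:47:23: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 89: Neighbor 10.255.255.66 (Tunnel6301) is up: new adjacency
Nov 17 17:49:18: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=117.215.97.243, prot=50, spi=0xA8A6330(176841520), srcaddr=117.215.105.5
Nov 17 17:49:19: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel6301, changed state to down
Nov 17 17:49:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel6301, changed state to up
"""

# Constructed sample: the 2911 lines from the post, unchanged.
SAMPLE_LOG_2911 = """\
Nov 17 17:34:33: %CRYPTO-4-IKMP_NO_SA: IKE message from 117.215.97.243 has no SA and is not an initialization offer
Nov 17 17:51:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel65, changed state to down
Nov 17 17:51:21: %DUAL-5-NBRCHANGE: EIGRP-IPv4 89: Neighbor 10.255.255.65 (Tunnel65) is down: interface down
Nov 17 17:51:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel65, changed state to up
Nov 17 17:51:25: %DUAL-5-NBRCHANGE: EIGRP-IPv4 89: Neighbor 10.255.255.65 (Tunnel65) is up: new adjacency
"""

# "<Mon> <day> HH:MM:SS: %FACILITY-SEVERITY-MNEMONIC: message"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<msg>.*)$")
IFACE_RE = re.compile(r"Interface (?P<iface>\S+), changed state to (?P<state>up|down)")
SPI_RE = re.compile(r"spi=(?P<spi>0x[0-9A-Fa-f]+)")
CRYPTO_MNEMONICS = {"RECVD_PKT_INV_SPI", "IKMP_NO_SA"}


def parse(text):
    """Turn raw syslog text into dicts with a datetime, facility, mnemonic and message."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:  # lines without the IOS syslog prefix are skipped
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append({"ts": ts, "fac": m["fac"], "mnem": m["mnem"], "msg": m["msg"]})
    return events


def tunnel_flaps(events):
    """Return {iface: [(down_ts, up_ts), ...]}, pairing each LINEPROTO down with the next up."""
    pending, flaps = {}, defaultdict(list)
    for ev in events:
        m = IFACE_RE.search(ev["msg"]) if ev["mnem"] == "UPDOWN" else None
        if not m:
            continue
        if m["state"] == "down":
            pending[m["iface"]] = ev["ts"]
        elif m["iface"] in pending:
            flaps[m["iface"]].append((pending.pop(m["iface"]), ev["ts"]))
    return dict(flaps)


def flap_period(flaps):
    """Mean seconds between successive down events, or None with fewer than two flaps."""
    downs = [d for d, _ in flaps]
    if len(downs) < 2:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(downs, downs[1:])]
    return sum(gaps) / len(gaps)


def crypto_errors_before(events, down_ts, window_s=10):
    """%CRYPTO errors logged in the window_s seconds leading up to a line-protocol down."""
    return [ev for ev in events
            if ev["fac"] == "CRYPTO" and ev["mnem"] in CRYPTO_MNEMONICS
            and 0 <= (down_ts - ev["ts"]).total_seconds() <= window_s]


def report(text, window_s=10):
    """Per tunnel: flap count, flap period, flaps preceded by a crypto error, SPIs seen."""
    events, out = parse(text), {}
    for iface, flaps in tunnel_flaps(events).items():
        correlated, spis = 0, []
        for down_ts, _ in flaps:
            errs = crypto_errors_before(events, down_ts, window_s)
            correlated += bool(errs)
            spis += [m["spi"] for m in (SPI_RE.search(e["msg"]) for e in errs) if m]
        out[iface] = {"flaps": len(flaps), "period_s": flap_period(flaps),
                      "crypto_correlated": correlated, "invalid_spis": spis}
    return out


if __name__ == "__main__":
    for name, log in (("7204", SAMPLE_LOG_7204), ("2911", SAMPLE_LOG_2911)):
        for iface, r in report(log).items():
            print(f"{name} {iface}: {r['flaps']} flap(s), period {r['period_s']} s, "
                  f"{r['crypto_correlated']} preceded by a crypto error, SPIs {r['invalid_spis']}")
```

Two things a practitioner would check with the output: compare the reported flap period with every timer in the posted configuration (for instance the 120-second periodic `crypto isakmp keepalive`, and the IKE and IPsec SA lifetimes, which are at their defaults here), and compare the collected SPI values against the inbound SPIs in `show crypto ipsec sa` on the receiving router to see whether the peer is sending on an SA the receiver no longer holds. Note that with the 2911 lines exactly as posted, the single %CRYPTO-4-IKMP_NO_SA message falls well outside the 10-second window before the Tunnel65 flap, so the script does not tie the two together.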