Problem applying IPSec to GRE Tunnel

ricardo1831
Level 1

Fellow Support Community,

Any assistance or suggestions you can provide on an issue I have with a GRE tunnel and IPSec. I have a vessel offshore which has a GRE tunnel working between shore and vessel - this works fine and data passes between vessel and corporate LAN ok.

The problem comes when I apply the IPSec and ISAKMP parameters to each of the VTIs.

tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN_IPSEC_PROFILE

These commands and the associated parameters are tried and tested and working fine for 5 other VPNs which are currently up and passing traffic. The working configuration for each endpoint is below. When the above commands are applied the VPN stays QM_IDLE but no data traffic passes over the tunnel. The VPN provides the connectivity back to corporate LAN so the site is effectively cut off.

Any suggestions??

****HUB****

crypto keyring HELIX_VPN_KEYRING
 pre-shared-key address B.B.B.B key xyz
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp invalid-spi-recovery
crypto isakmp profile VPN_ISAKMP_PROFILE
 keyring HELIX_VPN_KEYRING
 match identity address B.B.B.B 255.255.255.255
!
crypto ipsec transform-set VPN_TS esp-aes 256 esp-sha-hmac
crypto ipsec nat-transparency spi-matching
!
crypto ipsec profile VPN_IPSEC_PROFILE
 description ***  VPN IPsec Profile - RH - November 2012 ***
 set transform-set VPN_TS
 set pfs group2
 set isakmp-profile VPN_ISAKMP_PROFILE
!
interface Tunnel128
 description *** Vessel VPN Tunnel (JC1RT01:B.B.B.B) ***
 ip address 10.0.75.130 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0.311
 tunnel destination B.B.B.B
!
interface GigabitEthernet0/0.311
 description *** ISP Public Subnet ***
 encapsulation dot1Q 311
 ip address A.A.A.A 255.255.255.248
!
ip route 10.2.88.0 255.255.255.0 10.0.75.129 name JC1_Data_Tu128
ip route 10.2.89.0 255.255.255.0 10.0.75.129 name JC1_Voice_Tu128

****REMOTE****

crypto keyring VPN_KEYRING vrf Internet
 pre-shared-key address A.A.A.A key xyz
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp invalid-spi-recovery
crypto isakmp profile VPN_ISAKMP_PROFILE
 vrf Internet
 keyring VPN_KEYRING
 match identity address A.A.A.A 255.255.255.255 Internet
!
crypto ipsec transform-set VPN_TS esp-aes 256 esp-sha-hmac
crypto ipsec nat-transparency spi-matching
!
crypto ipsec profile VPN_IPSEC_PROFILE
 description *** VPN IPsec Profile - RH - 30/01/13 ***
 set transform-set VPN_TS
 set pfs group2
 set isakmp-profile VPN_ISAKMP_PROFILE
!
interface Tunnel128
 description *** Jaya Crystal VPN Tunnel (VPNRTR01:A.A.A.A) ***
 ip address 10.0.75.129 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0.602
 tunnel destination A.A.A.A
 tunnel vrf Internet
!
interface FastEthernet0/0.602
 description *** Vessel Provided Public IP Demark ***
 encapsulation dot1Q 602
 ip vrf forwarding Internet
 ip address B.B.B.B 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
!
ip route 0.0.0.0 0.0.0.0 10.0.75.130 name Tu128
