02-06-2018 01:45 AM - edited 03-12-2019 05:00 AM
Hello,
I have two routers, a Cisco 2921 and an 881. I want to set up a site-to-site VPN with GRE over IPsec between the routers. The Cisco 2921 is behind an ASA 5508X in site A, and the ASA is connected to the internet. The Cisco 881 is in site B, connected to the internet. I enabled NAT-T on the ASA. If I configure only the GRE tunnel between the routers, it works. If I add IPsec to the GRE tunnel, there is a problem with ISAKMP and the VPN doesn't work. I don't know where the problem is.
This is my configuration:
ASA:
interface GigabitEthernet1/1
 duplex full
 nameif outside
 security-level 0
 ip address 213.216.110.XXX 255.255.255.248
!
interface GigabitEthernet1/8
 description Connection to C2921
 speed 1000
 duplex full
 nameif MENet
 security-level 100
 ip address 10.10.3.2 255.255.255.248
!
object network VPN-Router
 host 10.10.3.1
 nat (MENet, Outside) static interface
crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 enable MENet
access-list OUT-MAIN extended permit gre host 195.150.12.XX host 10.10.3.1
access-list OUT-MAIN extended permit esp host 195.150.12.XX host 10.10.3.1
access-list OUT-MAIN extended permit udp host 195.150.12.XX host 10.10.3.1 eq 4500
access-list OUT-MAIN extended permit udp host 195.150.12.XX host 10.10.3.1 eq isakmp
C2921 (IP 10.10.3.1, behind the ASA):
crypto isakmp policy 2
 encr aes 256
 hash md5
 authentication pre-share
 group 2
 lifetime 30000
crypto isakmp key Mi2017a address 195.150.12.XX
crypto ipsec transform-set MI2018 esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile MAIN_VPN_PROFILE
 set security-association lifetime seconds 30000
 set transform-set MI2018
!
interface GigabitEthernet0/2/0
 description Connection to ASA
 ip address 10.10.3.1 255.255.255.248
 no ip redirects
 no ip proxy-arp
 duplex full
 speed 1000
 no cdp enable
interface Tunnel10
 description EX-VPN
 ip address 10.10.17.131 255.255.255.192
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 3 7
 tunnel source GigabitEthernet0/2/0
 tunnel destination 195.150.12.XX
 tunnel protection ipsec profile MAIN_VPN_PROFILE
!
ip route 195.150.12.XX 255.255.255.248 GigabitEthernet0/2/0 10.10.3.2
Configuration on the 881 router:
crypto isakmp policy 2
 encr aes 256
 hash md5
 authentication pre-share
 group 2
 lifetime 30000
crypto isakmp key Mi2017a address 213.216.110.XXX
!
crypto ipsec transform-set MI2018 esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile MAIN_VPN_PROFILE
 set security-association lifetime seconds 30000
 set transform-set MI2018
!
interface Tunnel10
 bandwidth 20000
 ip address 10.10.17.130 255.255.255.192
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 3 7
 tunnel source FastEthernet4
 tunnel destination 213.216.110.XXX
 tunnel protection ipsec profile MAIN_VPN_PROFILE
interface FastEthernet4
 ip address 195.150.12.XX 255.255.255.248
 no ip proxy-arp
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
On the C881 I see:
sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
195.150.12.XX   213.216.110.XXX QM_IDLE           2111 ACTIVE
195.150.12.XX   213.216.110.XXX MM_NO_STATE       2110 ACTIVE (deleted)
On the C2921 I see:
sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
195.150.12.XX   10.10.3.1       MM_KEY_EXCH       1920 ACTIVE
195.150.12.XX   10.10.3.1       MM_NO_STATE       1919 ACTIVE (deleted)
If I enable debug ISAKMP, I see:
*Feb 5 21:26:17.073: ISAKMP:(2008):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Feb 5 21:26:17.073: ISAKMP (2008): ID payload
        next-payload : 8
        type         : 1
        address      : 195.150.12.XX
        protocol     : 17
        port         : 0
        length       : 12
*Feb 5 21:26:17.073: ISAKMP:(2008):Total payload length: 12
*Feb 5 21:26:17.073: ISAKMP:(2008): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
*Feb 5 21:26:17.073: ISAKMP:(2008):Sending an IKE IPv4 Packet.
*Feb 5 21:26:17.077: ISAKMP:(2008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Feb 5 21:26:17.077: ISAKMP:(2008):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Feb 5 21:26:17.081: ISAKMP:(2008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Feb 5 21:26:17.081: ISAKMP:(2008):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Feb 5 21:26:17.573: ISAKMP (2007): received packet from 213.216.110.XXX dport 500 sport 500 Global (I) MM_KEY_EXCH
*Feb 5 21:26:17.573: ISAKMP:(2007): phase 1 packet is a duplicate of a previous packet.
*Feb 5 21:26:17.573: ISAKMP:(2007): retransmitting due to retransmit phase 1
*Feb 5 21:26:18.073: ISAKMP:(2007): retransmitting phase 1 MM_KEY_EXCH...
*Feb 5 21:26:18.073: ISAKMP (2007): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb 5 21:26:18.073: ISAKMP:(2007): retransmitting phase 1 MM_KEY_EXCH
*Feb 5 21:26:18.073: ISAKMP:(2007): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Feb 5 21:26:18.073: ISAKMP:(2007):Sending an IKE IPv4 Packet.
*Feb 5 21:26:27.065: ISAKMP (2008): received packet from 213.216.110.XXX dport 4500 sport 4500 Global (R) QM_IDLE
*Feb 5 21:26:27.065: ISAKMP:(2008): phase 1 packet is a duplicate of a previous packet.
*Feb 5 21:26:27.065: ISAKMP:(2008): retransmitting due to retransmit phase 1
*Feb 5 21:26:27.565: ISAKMP:(2008): retransmitting phase 1 QM_IDLE ...
*Feb 5 21:26:27.565: ISAKMP (2008): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb 5 21:26:27.565: ISAKMP:(2008): retransmitting phase 1 QM_IDLE
*Feb 5 21:26:27.565: ISAKMP:(2008): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 5 21:26:27.565: ISAKMP:(2008):Sending an IKE IPv4 Packet.
*Feb 5 21:30:17.409: ISAKMP:(2013):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Feb 5 21:30:17.409: ISAKMP (2013): ID payload
        next-payload : 8
        type         : 1
        address      : 195.150.12.XX
        protocol     : 17
        port         : 0
        length       : 12
*Feb 5 21:30:17.409: ISAKMP:(2013):Total payload length: 12
*Feb 5 21:30:17.409: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
*Feb 5 21:30:17.409: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb 5 21:30:17.409: ISAKMP:(2013):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Feb 5 21:30:17.409: ISAKMP:(2013):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Feb 5 21:30:17.413: ISAKMP:(2013):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Feb 5 21:30:17.417: ISAKMP:(2013):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Feb 5 21:30:27.401: ISAKMP (2013): received packet from 213.216.110.XXX dport 4500 sport 4500 Global (R) QM_IDLE
*Feb 5 21:30:27.401: ISAKMP:(2013): phase 1 packet is a duplicate of a previous packet.
*Feb 5 21:30:27.401: ISAKMP:(2013): retransmitting due to retransmit phase 1
*Feb 5 21:30:27.901: ISAKMP:(2013): retransmitting phase 1 QM_IDLE ...
*Feb 5 21:30:27.901: ISAKMP (2013): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb 5 21:30:27.901: ISAKMP:(2013): retransmitting phase 1 QM_IDLE
*Feb 5 21:30:27.901: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 5 21:30:27.901: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb 5 21:30:37.397: ISAKMP (2013): received packet from 213.216.110.XXX dport 4500 sport 4500 Global (R) QM_IDLE
*Feb 5 21:30:37.401: ISAKMP:(2013): phase 1 packet is a duplicate of a previous packet.
*Feb 5 21:30:37.401: ISAKMP:(2013): retransmitting due to retransmit phase 1
*Feb 5 21:30:37.901: ISAKMP:(2013): retransmitting phase 1 QM_IDLE ...
*Feb 5 21:30:37.901: ISAKMP (2013): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Feb 5 21:30:37.901: ISAKMP:(2013): retransmitting phase 1 QM_IDLE
*Feb 5 21:30:37.901: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 5 21:30:37.901: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb 5 21:30:38.013: ISAKMP: set new node 0 to QM_IDLE
*Feb 5 21:30:38.013: SA has outstanding requests (local 133.208.215.12 port 4500, remote 133.208.215.40 port 4500)
*Feb 5 21:30:38.013: ISAKMP:(2013): sitting IDLE. Starting QM immediately (QM_IDLE )
*Feb 5 21:30:38.013: ISAKMP:(2013):beginning Quick Mode exchange, M-ID of 4112572105
*Feb 5 21:30:38.013: ISAKMP:(2013):QM Initiator gets spi
*Feb 5 21:30:38.013: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 5 21:30:38.013: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb 5 21:30:38.013: ISAKMP:(2013):Node 4112572105, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Feb 5 21:30:38.013: ISAKMP:(2013):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Feb 5 21:30:47.409: ISAKMP:(2013): retransmitting due to retransmit phase 1
*Feb 5 21:30:47.909: ISAKMP:(2013): retransmitting phase 1 QM_IDLE ...
*Feb 5 21:30:47.909: ISAKMP (2013): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Feb 5 21:30:47.909: ISAKMP:(2013): retransmitting phase 1 QM_IDLE
*Feb 5 21:30:47.909: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 5 21:30:47.909: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb 5 21:30:48.013: ISAKMP:(2013): retransmitting phase 2 QM_IDLE -182395191 ...
*Feb 5 21:30:48.013: ISAKMP (2013): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*Feb 5 21:30:48.013: ISAKMP:(2013): retransmitting phase 2 -182395191 QM_IDLE
*Feb 5 21:30:48.013: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 5 21:30:48.013: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb 5 21:30:57.405: ISAKMP (2013): received packet from 213.216.110.XXX dport 4500 sport 4500 Global (R) QM_IDLE
*Feb 5 21:30:57.405: ISAKMP:(2013): phase 1 packet is a duplicate of a previous packet.
*Feb 5 21:30:57.405: ISAKMP:(2013): retransmitting due to retransmit phase 1
*Feb 5 21:30:57.905: ISAKMP:(2013): retransmitting phase 1 QM_IDLE ...
*Feb 5 21:30:57.905: ISAKMP (2013): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Feb 5 21:30:57.905: ISAKMP:(2013): retransmitting phase 1 QM_IDLE
*Feb 5 21:30:57.905: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 5 21:30:57.905: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb 5 21:30:58.013: ISAKMP:(2013): retransmitting phase 2 QM_IDLE -182395191 ...
*Feb 5 21:30:58.013: ISAKMP (2013): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
*Feb 5 21:30:58.013: ISAKMP:(2013): retransmitting phase 2 -182395191 QM_IDLE
*Feb 5 21:30:58.013: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 5 21:30:58.013: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb 5 21:30:58.021: ISAKMP:(2012):purging node -1412652012
*Feb 5 21:30:58.021: ISAKMP:(2012):purging node 665005119
*Feb 5 21:30:58.417: ISAKMP:(2011):purging node -1499783167
*Feb 5 21:31:07.405: ISAKMP (2013): received packet from 213.216.110.XXX dport 4500 sport 4500 Global (R) QM_IDLE
*Feb 5 21:31:07.405: ISAKMP:(2013): phase 1 packet is a duplicate of a previous packet.
*Feb 5 21:31:07.405: ISAKMP:(2013): retransmitting due to retransmit phase 1
*Feb 5 21:31:07.905: ISAKMP:(2013): retransmitting phase 1 QM_IDLE ...
*Feb 5 21:31:07.905: ISAKMP (2013): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Feb 5 21:31:07.905: ISAKMP:(2013): retransmitting phase 1 QM_IDLE
*Feb 5 21:31:07.905: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 5 21:31:07.905: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb 5 21:31:08.013: ISAKMP:(2013): retransmitting phase 2 QM_IDLE -182395191 ...
*Feb 5 21:31:08.013: ISAKMP (2013): incrementing error counter on node, attempt 3 of 5: retransmit phase 2
*Feb 5 21:31:08.013: ISAKMP:(2013): retransmitting phase 2 -182395191 QM_IDLE
*Feb 5 21:31:08.013: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 5 21:31:08.013: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb 5 21:31:08.021: ISAKMP:(2012):purging SA., sa=86E8CB30, delme=86E8CB30
*Feb 5 21:31:08.117: ISAKMP: set new node 0 to QM_IDLE
*Feb 5 21:31:08.117: SA has outstanding requests (local 133.208.215.12 port 4500, remote 133.208.215.40 port 4500)
*Feb 5 21:31:08.117: ISAKMP:(2013): sitting IDLE. Starting QM immediately (QM_IDLE )
*Feb 5 21:31:08.117: ISAKMP:(2013):beginning Quick Mode exchange, M-ID of 1297611346
*Feb 5 21:31:08.117: ISAKMP:(2013):QM Initiator gets spi
*Feb 5 21:31:08.117: ISAKMP:(2013):peer does not do paranoid keepalives.
*Feb 5 21:31:08.117: ISAKMP:(2013):deleting SA reason "Death by retransmission throw" state (R) QM_IDLE (peer 213.216.110.XXX)
*Feb 5 21:31:08.117: ISAKMP:(2013):Node 1297611346, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Feb 5 21:31:08.117: ISAKMP:(2013):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Feb 5 21:31:08.121: ISAKMP: set new node -222890906 to QM_IDLE
*Feb 5 21:31:08.125: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 5 21:31:08.125: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb 5 21:31:08.125: ISAKMP:(2013):purging node -222890906
*Feb 5 21:31:08.125: ISAKMP:(2013):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Feb 5 21:31:08.125: ISAKMP:(2013):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Feb 5 21:31:08.125: ISAKMP:(2013):deleting SA reason "Death by retransmission throw" state (R) QM_IDLE (peer 213.216.110.XXX)
*Feb 5 21:31:08.125: ISAKMP: Unlocking peer struct 0x85D0EAE0 for isadb_mark_sa_deleted(), count 0
*Feb 5 21:31:08.125: ISAKMP: Deleting peer node by peer_reap for 213.216.110.XXX: 85D0EAE0
*Feb 5 21:31:08.125: ISAKMP:(2013):deleting node -182395191 error FALSE reason "IKE deleted"
*Feb 5 21:31:08.125: ISAKMP:(2013):deleting node 1297611346 error FALSE reason "IKE deleted"
*Feb 5 21:31:08.129: ISAKMP:(2013):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Feb 5 21:31:08.129: ISAKMP:(2013):Old State = IKE_DEST_SA New State = IKE_DEST_SA
Please help me.
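An added troubleshooting helper, not part of the original post or any Cisco tool: it folds `debug crypto isakmp` output like the dump above into one record per ISAKMP connection id (initiator/responder role, UDP ports seen, state transitions, the highest phase 1 and phase 2 retransmit attempt, and the deletion reason), which is what you would compare between the 2921 and the 881 to see on which side replies stop arriving. The function names are my own, and the SAMPLE lines are constructed from the post's output, not a real capture.

```python
import re
from collections import defaultdict

# A debug line is: optional '*', timestamp, then 'ISAKMP:(2008):msg' or 'ISAKMP (2008): msg'.
LINE_RE = re.compile(r"^\*?[A-Za-z]{3}\s+\d+\s+[\d:.]+:\s+ISAKMP[: ]*\((\d+)\):?\s*(.*)$")
SEND_RE = re.compile(r"sending packet to \S+ my_port (\d+) peer_port (\d+) \(([IR])\) (\w+)")
RECV_RE = re.compile(r"received packet from \S+ dport (\d+) sport (\d+) Global \(([IR])\) (\w+)")
STATE_RE = re.compile(r"Old State = (\w+) New State = (\w+)")
RETX_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase ([12])")
DEL_RE = re.compile(r'deleting SA reason "([^"]+)"')

def parse_isakmp_debug(text):
    """Fold 'debug crypto isakmp' output into one record per ISAKMP connection id."""
    sas = defaultdict(lambda: {"role": None, "ports": set(), "states": [],
                               "retx": {1: 0, 2: 0}, "deleted": None})
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:  # lines without a connection id, e.g. 'ISAKMP: set new node ...'
            continue
        sa, msg = sas[m.group(1)], m.group(2)
        pkt = SEND_RE.search(msg) or RECV_RE.search(msg)
        if pkt:  # (I)/(R) says who initiated; the ports show whether NAT-T moved us to 4500
            sa["role"] = pkt.group(3)
            sa["ports"].update({int(pkt.group(1)), int(pkt.group(2))})
        elif st := STATE_RE.search(msg):
            sa["states"].append(st.group(2))
        elif rt := RETX_RE.search(msg):  # keep the highest attempt counter seen per phase
            sa["retx"][int(rt.group(3))] = max(sa["retx"][int(rt.group(3))], int(rt.group(1)))
        elif d := DEL_RE.search(msg):
            sa["deleted"] = d.group(1)
    return dict(sas)

def findings(sas):
    out = []
    for conn, sa in sorted(sas.items()):
        if sa["deleted"]:
            out.append(f"SA {conn}: deleted ({sa['deleted']}) after {sa['retx'][1]} phase-1 and {sa['retx'][2]} phase-2 retransmit attempts")
        elif "IKE_P1_COMPLETE" in sa["states"] and sa["retx"][1]:
            out.append(f"SA {conn}: phase 1 completed locally but the peer keeps retransmitting; check that our replies reach it through the NAT and ACL path")
        if sa["ports"] == {500, 4500}:
            out.append(f"SA {conn}: moved from UDP 500 to 4500 (NAT-T detected)")
    return out

# Constructed sample modelled on the 2921's debug lines above (not a real capture).
SAMPLE = """\
*Feb 5 21:26:17.073: ISAKMP:(2008): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
*Feb 5 21:26:17.077: ISAKMP:(2008):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Feb 5 21:26:17.573: ISAKMP (2007): received packet from 213.216.110.XXX dport 500 sport 500 Global (I) MM_KEY_EXCH
*Feb 5 21:26:18.073: ISAKMP:(2007): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Feb 5 21:26:27.565: ISAKMP (2008): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb 5 21:31:08.117: ISAKMP:(2008):deleting SA reason "Death by retransmission throw" state (R) QM_IDLE (peer 213.216.110.XXX)
"""
```

Run `findings(parse_isakmp_debug(open("debug.txt").read()))` on the full debug from each router and compare the two summaries side by side.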