Cisco IPSEC over GRE crypto map not negotiating

Notable2025
Level 1

Hi everyone.

We have a Cisco 1100 LTE router which is configured to build an IPSEC tunnel to a FG device over GRE. The GRE is terminated on our core switch in the datacenter. Now all well and good, but the crypto map on the router side never starts to initiate traffic, even when manually pinging from loopback IP side A to loopback IP side B of the GRE or when pinging the peer IP from the cellular interface. You can assume that policies for GRE + IPSEC settings on the Fortigate have been configured properly and that the GRE tunnel on the datacenter side has been configured properly too. When sniffing traffic on the Fortigate for dialup IPSEC we don't see anything coming in from the remote site, as the crypto map is not even doing anything: no ISAKMP SAs are created, no debugging starts, just nothing. Can anyone help us out, perhaps? I'll drop the config of the router below (some parts are left out for security reasons). Many thanks in advance.

hostname RTR-BRW-BRUG-02
!
!
ip vrf 4GBackup-VRF
rd 65281:5
import map rmDispatchVLAN
route-target export 65281:5
route-target import 65281:10
!
ip vrf BRW-Trust-VRF
rd 65281:10
route-target export 65281:10
route-target import 65281:5
!
license udi pid C1111-4PLTEEA sn FCZ232192N6
license accept end user agreement
license boot level securityk9
no license smart enable
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
redundancy
mode none
!
controller Cellular 0/2/0
lte sim data-profile 1 attach-profile 1 slot 0
lte modem link-recovery disable
!
!
vlan internal allocation policy ascending
!
!
crypto keyring EBO-FG-2-KR vrf 4GBackup-VRF
description keyring for VPN via 4G to Fortigate FW
pre-shared-key address 'peer-ip' key 'privatekey'
!
crypto isakmp policy 281
encr aes 256
hash sha256
authentication pre-share
group 2
lifetime 28800
crypto isakmp invalid-spi-recovery
crypto isakmp profile EBO-FG-2
vrf 4GBackup-VRF
keyring EBO-FG-2-KR
self-identity user-fqdn router@site
match identity address 'peer-ip' 255.255.255.255 4GBackup-VRF
no keepalive
initiate mode aggressive
!
crypto ipsec security-association replay disable
!
crypto ipsec transform-set 4GTS esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto map 4GCMAP 10 ipsec-isakmp
set peer 'peer-ip'
set transform-set 4GTS
set pfs group14
set isakmp-profile EBO-FG-2
match address acl4GBackupVpn
reverse-route
!
interface Loopback300
ip vrf forwarding 4GBackup-VRF
ip address 172.27.81.245 255.255.255.255
!
interface Tunnel300
description GRE_RTR-BRW-BRUG_02-Cellular_Via_FG_VPN
ip vrf forwarding 4GBackup-VRF
ip address 172.27.81.250 255.255.255.252
ip tcp adjust-mss 1400
ip ospf authentication-key anR2cTxp
ip ospf network point-to-point
ip ospf mtu-ignore
tunnel source Loopback300
tunnel destination 172.27.81.246
tunnel vrf 4GBackup-VRF
!
interface GigabitEthernet0/0/1
description To-SWitch-05
no ip address
speed 1000
no negotiation auto
!
interface GigabitEthernet0/0/1.10
description BRW-Trust-LAN
encapsulation dot1Q 10
ip vrf forwarding BRW-Trust-VRF
ip address 172.25.81.253 255.255.255.0
ip helper-address 10.20.80.203
ip helper-address 10.20.80.204
standby 1 ip 172.25.81.1
standby 1 priority 90
standby 1 preempt
!
interface GigabitEthernet0/0/1.80
description BRW-Dispatch
encapsulation dot1Q 80
ip vrf forwarding BRW-Trust-VRF
ip address 172.26.81.179 255.255.255.240
ip helper-address 10.20.80.203
ip helper-address 10.20.80.204
standby 1 ip 172.26.81.177
standby 1 priority 90
standby 1 preempt
!
interface Cellular0/2/0
ip vrf forwarding 4GBackup-VRF
ip address negotiated
ip nat outside
load-interval 30
dialer in-band
dialer idle-timeout 0
dialer watch-group 1
dialer-group 1
ipv6 enable
pulse-time 1
crypto map 4GCMAP
!
interface Cellular0/2/1
no ip address
shutdown
!
interface Vlan1
no ip address
!
router ospf 282 vrf 4GBackup-VRF
router-id 172.27.81.250
domain-id 172.27.80.158
log-adjacency-changes detail
capability vrf-lite
area 0 authentication
redistribute bgp 65281 metric 200 subnets
passive-interface default
no passive-interface Tunnel300
network 172.27.81.248 0.0.0.3 area 0
!
router bgp 65281
bgp log-neighbor-changes
!
address-family ipv4 vrf 4GBackup-VRF
redistribute ospf 282 match internal external 1 external 2 route-map rmapDefault
default-information originate
default-metric 300
exit-address-family
!
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route vrf 4GBackup-VRF 8.8.8.8 255.255.255.255 Cellular0/2/0 name host-route-for-cellular-IP-SLA
ip route vrf 4GBackup-VRF 'peer-ip' 255.255.255.255 Cellular0/2/0 name host-route-for-IPSec-PeerIP-over-LTE
!
ip access-list standard aclDispatchVLAN
permit 172.26.81.176 0.0.0.7
!
ip access-list extended acl4GBackupVpn
permit ip host 172.27.81.245 host 172.27.81.246
!
ip prefix-list pfDispatchVLAN description "Dispatch VLAN for 4G failover"
ip prefix-list pfDispatchVLAN seq 1 permit 172.26.81.176/29
!
ip prefix-list plDefault seq 10 permit 0.0.0.0/0
ip sla 1
icmp-echo 8.8.8.8 source-interface Cellular0/2/0
vrf 4GBackup-VRF
threshold 1000
timeout 1000
frequency 5
ip sla schedule 1 life forever start-time now
ip sla schedule 281 life forever start-time now
ip sla 300
icmp-echo 172.27.81.246 source-ip 172.27.81.245
vrf 4GBackup-VRF
frequency 10
ip sla schedule 300 life forever start-time now
access-list 101 permit ip host 172.25.81.254 host 172.25.81.6
dialer watch-list 1 ip 8.8.8.8 255.255.255.255
!
route-map rmDispatchVLAN permit 10
description "Dispatch VLAN for 4G failover"
match ip address prefix-list pfDispatchVLAN
!
route-map rmapDefault permit 10
match ip address prefix-list plDefault
!
control-plane
!
line con 0
exec-timeout 0 0
logging synchronous
login local
transport input none
stopbits 1
line vty 0 4
logging synchronous
login local
transport preferred ssh
transport input telnet ssh
line vty 5 15
logging synchronous
login
transport preferred ssh
!
pnp profile pnp_cco_profile
transport https ipv4 52.205.197.159 port 443
end

5 Replies

Hello,

the access list that the crypto map matches:

ip access-list extended acl4GBackupVpn
permit ip host 172.27.81.245 host 172.27.81.246

allows only traffic from the tunnel source to the tunnel destination. Which traffic, from where to where, that is, from which network to which network, has to traverse the encrypted link?

Also, you are not using NAT, and only private IP addressing, is that right?

The ACL used to identify traffic for encryption will, in fact, match packets with source address as the tunnel source address and destination address as tunnel destination. So each GRE packet will match the ACL and should be encrypted.

What will send traffic through the tunnel? Will it use anything other than OSPF to send traffic through the tunnel? Is OSPF working? Would you post the output of show ip ospf and of show ip ospf interface?

HTH

Rick

Hi Richard,

To answer your question:

Output of sho ip ospf interface:

RTR-BRW-BRUG-02#sho ip ospf interface
Tunnel300 is up, line protocol is down
Internet Address 172.27.81.250/30, Interface ID 18, Area 0
Attached via Network Statement
Process ID 282, Router ID 172.27.81.250, Network Type POINT_TO_POINT, Cost: 1000
Topology-MTID Cost Disabled Shutdown Topology Name
0 1000 no no Base
Transmit Delay is 1 sec, State DOWN
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40

show ip ospf:

RTR-BRW-BRUG-02#sho ip ospf
Routing Process "ospf 282" with ID 172.27.81.250
Start time: 00:02:35.832, Time elapsed: 5d18h
Supports only single TOS(TOS0) routes
Supports opaque LSA
Supports Link-local Signaling (LLS)
Supports area transit capability
Supports NSSA (compatible with RFC 3101)
Supports Database Exchange Summary List Optimization (RFC 5243)
Event-log disabled
It is an autonomous system boundary router
Redistributing External Routes from,
bgp 65281 with metric mapped to 200, includes subnets in redistribution
Router is not originating router-LSAs with maximum metric
Initial SPF schedule delay 50 msecs
Minimum hold time between two consecutive SPFs 200 msecs
Maximum wait time between two consecutive SPFs 5000 msecs
Incremental-SPF disabled
Initial LSA throttle delay 50 msecs
Minimum hold time for LSA throttle 200 msecs
Maximum wait time for LSA throttle 5000 msecs
Minimum LSA arrival 100 msecs
LSA group pacing timer 240 secs
Interface flood pacing timer 33 msecs
Retransmission pacing timer 66 msecs
EXCHANGE/LOADING adjacency limit: initial 300, process maximum 300
Number of external LSA 1. Checksum Sum 0x007DCC
Number of opaque AS LSA 0. Checksum Sum 0x000000
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Number of areas transit capable is 0
External flood list length 0
IETF NSF helper support enabled
Cisco NSF helper support enabled
Reference bandwidth unit is 100 mbps
Area BACKBONE(0) (Inactive)
Number of interfaces in this area is 1
Area has simple password authentication
SPF algorithm last executed 5d18h ago
SPF algorithm executed 1 times
Area ranges are
Number of LSA 1. Checksum Sum 0x0055CA
Number of opaque link LSA 0. Checksum Sum 0x000000
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0
As I mentioned to the other person, this setup has actually worked perfectly like it was, and one day the whole GRE over IPSEC stopped working and does not ever want to renegotiate... Any ideas on that issue perhaps?

Hi,

The traffic that will eventually pass through the Tunnel interface is the subnet 172.26.81.176/28, defined by pfDispatchVLAN and used in route-map rmDispatchVLAN.
And to answer both of your questions: yes, we don't use NAT, and only private IP addressing.

I did forget to mention something pretty important: this setup used to work but one day completely stopped working. The GRE over IPSEC worked perfectly with the same config and all of a sudden stopped working. Now we cannot get the tunnel to renegotiate. I have changed the PLMN on the cellular interface and tried other things to exclude that it was suddenly a cellular issue.

Richard Burts
Hall of Fame

Thank you for the information. It is interesting that this VPN used to work and then stopped working. That suggests that something changed. Do you have any knowledge of any changes (on either end) at about that time?

Probably the most important part of what you posted is the fact that the tunnel is line protocol down. If the tunnel is line protocol down then no packets will be sent through the tunnel. And if no packets are sent through the tunnel then there is no interesting traffic to bring up the VPN.

I do not see routing information about how to reach the tunnel destination. Is the information in the config but not posted? Or perhaps is it not in the config?

I see ip nat outside configured on the cellular interface. But I do not see any other address translation. Is there address translation? If so, please post it. If not, then perhaps remove the command from the cellular interface.

How is the watch list working on the cellular interface? Would you post the output of show interface for the cellular interface? Also, would you post the output of show ip route?

You show us the route map rmDispatchVLAN but do not show us how it is used.

One thing that I notice is that there is a mismatch between the prefix list used in the route map

ip prefix-list pfDispatchVLAN seq 1 permit 172.26.81.176/29

and the interface configuration

ip address 172.26.81.179 255.255.255.240

The interface uses a /28 mask while the prefix list uses /29.

HTH

Rick
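The two configuration checks raised in the replies above (does the crypto ACL actually match the GRE packets between tunnel source and destination, and does the Dispatch VLAN prefix list agree with the mask on the LAN interface) can be scripted so they are caught before a failover path is relied on. The following Python audit is an added example, not code from the thread, from Cisco or from the poster. It parses a constructed copy of the relevant fragments of the posted config, laid out with the indentation that show running-config prints (the forum extraction stripped it), resolves the tunnel source through the Loopback300 address, and reports whether acl4GBackupVpn covers the GRE endpoints and whether any prefix-list entry sits inside an interface subnet with a different prefix length. Only permit ip ACL entries with contiguous wildcards are handled; that is an assumption of the example, not a property of IOS.

```python
import ipaddress
import re

# Constructed sample: the posted config fragments the replies discuss, indented as
# 'show running-config' would print them.
SAMPLE_CONFIG = """\
crypto map 4GCMAP 10 ipsec-isakmp
 match address acl4GBackupVpn
!
interface Loopback300
 ip address 172.27.81.245 255.255.255.255
!
interface Tunnel300
 tunnel source Loopback300
 tunnel destination 172.27.81.246
!
interface GigabitEthernet0/0/1.80
 ip address 172.26.81.179 255.255.255.240
!
ip access-list extended acl4GBackupVpn
 permit ip host 172.27.81.245 host 172.27.81.246
!
ip prefix-list pfDispatchVLAN seq 1 permit 172.26.81.176/29
"""

def parse_blocks(text):
    """Split IOS-style config into (header, [indented child lines]) blocks."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line != "!":
            if raw[0] in " \t" and blocks:
                blocks[-1][1].append(line)
            else:
                blocks.append((line, []))
    return blocks

def interface_addresses(blocks):
    """Map interface name -> IPv4Interface from each 'ip address A M' line."""
    result = {}
    for header, children in blocks:
        for line in children if header.startswith("interface ") else []:
            m = re.match(r"ip address (\S+) (\S+)$", line)
            if m:
                result[header.split(None, 1)[1]] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
    return result

def tunnel_endpoints(blocks, interfaces):
    """Map tunnel name -> (source IP, destination IP). 'tunnel source' may name
    an interface (resolved through interfaces) or give a literal address."""
    result = {}
    for header, children in blocks:
        ends = {}
        for line in children if header.startswith("interface Tunnel") else []:
            m = re.match(r"tunnel (source|destination) (\S+)$", line)
            if m:
                ends[m[1]] = interfaces[m[2]].ip if m[2] in interfaces else ipaddress.ip_address(m[2])
        if "source" in ends and "destination" in ends:
            result[header.split(None, 1)[1]] = (ends["source"], ends["destination"])
    return result

def acl_operand(tokens):
    """Consume one ACL address operand ('any', 'host A' or 'A wildcard'); return
    (IPv4Network, remaining tokens). Wildcards are assumed contiguous."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    mask = ~int(ipaddress.ip_address(tokens[1])) & 0xFFFFFFFF  # wildcard -> netmask
    return ipaddress.ip_network(f"{tokens[0]}/{ipaddress.ip_address(mask)}", strict=False), tokens[2:]

def crypto_acl_entries(blocks, acl_name):
    """Return [(src net, dst net)] for the 'permit ip' lines of an extended ACL."""
    entries = []
    for header, children in blocks:
        for line in children if header == f"ip access-list extended {acl_name}" else []:
            tokens = line.split()
            if tokens[:2] == ["permit", "ip"]:
                src, rest = acl_operand(tokens[2:])
                entries.append((src, acl_operand(rest)[0]))
    return entries

def crypto_acl_covers_gre(entries, src_ip, dst_ip):
    """True if some crypto ACL entry matches GRE packets from src_ip to dst_ip."""
    return any(src_ip in s and dst_ip in d for s, d in entries)

def prefix_list_mismatches(blocks, interfaces):
    """Flag prefix-list entries that lie inside a configured interface subnet but
    carry a different prefix length (e.g. a /29 advertised for a /28 LAN)."""
    findings = []
    for header, _ in blocks:
        m = re.match(r"ip prefix-list (\S+) seq \d+ permit (\S+)$", header)
        if not m:
            continue
        prefix = ipaddress.ip_network(m[2], strict=False)
        for if_name, iface in interfaces.items():
            net = iface.network
            if prefix.network_address in net and prefix.prefixlen != net.prefixlen:
                findings.append((m[1], str(prefix), if_name, str(net)))
    return findings
```

Run against the sample, crypto_acl_covers_gre returns True for Tunnel300 (the ACL does match the GRE endpoints, as Rick says, so the ACL itself is not why nothing negotiates), while prefix_list_mismatches returns the /29-versus-/28 discrepancy on GigabitEthernet0/0/1.80. The same functions can be pointed at a full show running-config export; anything the parser does not recognise is simply ignored.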