Configuration issue with IPsec

DanDan

Hi all,

 I am having a hard time with IPSec config, I set it up and when I enter the command on the tunnel interface, tunnel goes down right away.

 

This is the error message :

 %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
 LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel212, changed state to down
DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.212.212.2 (Tunnel212) is down: interface down
CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /12.0.0.1, src_addr= 12.0.0.2, prot= 47

 

This happens on both routers.

 

Here is the config from both routers.

 

R1 :

 

crypto isakmp policy 10
encr aes 256
hash sha256
authentication pre-share
group 14
lifetime 3600
crypto isakmp key cisco123 hostname R2
!
crypto ipsec transform-set R1-VPN esp-aes 256 esp-sha256-hmac
mode transport
!
crypto ipsec profile R1PROFILE
set transform-set R1-VPN
!
interface Tunnel212
ip address 10.212.212.1 255.255.255.252
tunnel source GigabitEthernet0/0
tunnel destination 12.0.0.2
tunnel protection ipsec profile R1PROFILE

 

 

R2 :

 

crypto isakmp key cisco123 hostname R1
!
crypto ipsec transform-set R2-VPN esp-aes 256 esp-sha256-hmac
mode transport
!
crypto ipsec profile R2PROFILE
set transform-set R2-VPN
!

interface Tunnel212
ip address 10.212.212.2 255.255.255.252
tunnel source GigabitEthernet0/0
tunnel destination 12.0.0.1
tunnel protection ipsec profile R2PROFILE
!
interface Tunnel223
ip address 10.223.223.1 255.255.255.252
tunnel source GigabitEthernet0/1
tunnel destination 23.0.0.2

 

 

I have been looking for the solution for a while, so forgive me if this was already asked some place.

 

Thank you so much.

 

Daniel.



Hello,

 

you posted partial configs, so we cannot really see what is going on. Can you post the full configs (sh run) of both routers ?

 

Make sure you are just advertising the tunnel and LAN subnets in your EIGRP, not the WAN subnets:

 

R1

router eigrp 100
network 10.212.212.0 0.0.0.3
network x.x.x.x y.y.y.y <-- your LAN

 

R2

router eigrp 100
network 10.212.212.0 0.0.0.3
network x.x.x.x y.y.y.y <-- your LAN

Hi Georg, my bad.

 

Here is the full config :

 

R2

 

Current configuration : 3219 bytes
!
version 15.9
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
interface Tunnel212
ip address 10.212.212.2 255.255.255.252
tunnel source GigabitEthernet0/0
tunnel destination 12.0.0.1
!
interface Tunnel223
ip address 10.223.223.1 255.255.255.252
tunnel source GigabitEthernet0/1
tunnel destination 23.0.0.2
!
interface GigabitEthernet0/0
ip address 12.0.0.2 255.255.255.252
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 23.0.0.1 255.255.255.252
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
router eigrp 100
network 10.212.212.0 0.0.0.3
network 10.223.223.0 0.0.0.3
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ipv6 ioam timestamp
!
control-plane
!
banner exec ^C

 

 

R1

Current configuration : 3052 bytes
!
version 15.9
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
interface Tunnel212
ip address 10.212.212.1 255.255.255.252
tunnel source GigabitEthernet0/0
tunnel destination 12.0.0.2
!
interface GigabitEthernet0/0
ip address 12.0.0.1 255.255.255.252
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
router eigrp 100
network 10.212.212.0 0.0.0.3
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ipv6 ioam timestamp
!
control-plane
!
banner exec ^C

 

 

In this topology I have a third router also, but I am focusing on the first tunnel that is not working.

Thank you for your help.

 

 

 

Hello,

 

the configurations you posted are different from what you posted originally. There is no VTI anymore ?

You are right, my VM restarted and my config wasn't saved. I did the configuration again and same issue obviously :).

Here is the config again, thank you.

 

R1

Current configuration : 3435 bytes
!
! Last configuration change at 22:44:35 UTC Wed Oct 27 2021
!
version 15.9
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
crypto isakmp policy 10
encr aes
hash sha256
authentication pre-share
group 14
lifetime 3600
crypto isakmp key cisco123 hostname R2
!
crypto ipsec transform-set R1-VPN esp-aes 256 esp-sha256-hmac
mode transport
!
crypto ipsec profile R1PROFILE
set transform-set R1-VPN
!
interface Tunnel212
ip address 10.212.212.1 255.255.255.252
tunnel source GigabitEthernet0/0
tunnel destination 12.0.0.2
tunnel protection ipsec profile R1PROFILE
!
interface GigabitEthernet0/0
ip address 12.0.0.1 255.255.255.252
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
router eigrp 100
network 10.212.212.0 0.0.0.3
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ipv6 ioam timestamp
!
control-plane
!
banner exec ^C

 

R2

Current configuration : 3545 bytes
!
version 15.9
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
crypto isakmp policy 20
encr aes 256
hash sha256
authentication pre-share
group 14
lifetime 3600
crypto isakmp key cisco123 hostname R1
!
crypto ipsec transform-set R2-VPN esp-aes 256 esp-sha256-hmac
mode transport
!
crypto ipsec profile R2PROFILE
set transform-set R2-VPN
!
interface Tunnel212
ip address 10.212.212.2 255.255.255.252
tunnel source GigabitEthernet0/0
tunnel destination 12.0.0.1
!
interface Tunnel223
ip address 10.223.223.1 255.255.255.252
tunnel source GigabitEthernet0/1
tunnel destination 23.0.0.2
tunnel protection ipsec profile R2PROFILE
!
interface GigabitEthernet0/0
ip address 12.0.0.2 255.255.255.252
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 23.0.0.1 255.255.255.252
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
router eigrp 100
network 10.212.212.0 0.0.0.3
network 10.223.223.0 0.0.0.3
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ipv6 ioam timestamp
!
control-plane
!
banner exec ^C

 

Here are the messages I am getting :

%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel212, changed state to down
%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 10.212.212.2 (Tunnel212) is down: interface down
%LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /12.0.0.1, src_addr= 12.0.0.2, prot= 47

 

Thank you for your help.

 

Thanks for posting the configs. The main issue that I see is that on R2 the tunnel connecting to R1 does not include the statement

tunnel protection ipsec profile R2PROFILE

That is configured on a different tunnel Tunnel223. Add the tunnel protection to tunnel Tunnel212 and let us know if the behavior changes.

HTH

Rick

Silly mistake of mine, thank you for your help. Much appreciated.

 

Daniel.

Daniel

You are welcome. It is an easy mistake to make. But sometimes difficult to see in your own work (sometimes we see what we expect to see rather than what is actually in the config) and frequently easier for a fresh pair of eyes to see. This is one of the great things about this community. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick

Daniel

@Georg Pauwen makes a good point about the possibility that this is an issue with recursive routing (when the routing logic says that the way to get to the tunnel end point is to go through the tunnel). With recursive routing there are usually some other log messages. Are there other messages generated in the log at about this time?

HTH

Rick
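As an added example that is not part of this thread (and not Cisco's code): a small, dependency-free Python linter that parses two pasted IOS configs and flags the two problems raised above, a tunnel that carries `tunnel protection ipsec profile` on one end only (Rick's accepted answer) and an EIGRP `network` statement that covers a tunnel's source address (the recursive-routing point Georg raised and Rick followed up on). The sample configs are constructed to mirror the posted ones, not copied verbatim; the keyword-based sub-command matching and the exact finding strings are this example's own assumptions.

```python
"""Lint two Cisco IOS configs for one-sided 'tunnel protection' and for recursive-routing
risk on GRE/VTI tunnels. Added example; the sample configs are constructed, not the posted ones."""
import ipaddress


def parse_ios(text):
    """Assumption: sub-commands are matched by keyword rather than by indentation, because
    configs pasted into a forum usually lose their leading spaces (as in this thread)."""
    r = {"hostname": "", "addrs": {}, "tunnels": {}, "nets": []}
    section = None
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0].startswith("!"):
            continue
        if w[0] == "hostname":
            r["hostname"], section = w[1], None
        elif w[0] in ("interface", "router"):
            section = (w[0], w[1])
            if w[0] == "interface" and w[1].startswith("Tunnel"):
                r["tunnels"][w[1]] = {"source": "", "destination": "", "profile": ""}
        elif section and section[0] == "interface":
            name = section[1]
            if w[:2] == ["ip", "address"] and len(w) >= 4:
                r["addrs"][name] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")  # dotted mask is accepted
            elif w[0] == "tunnel" and name in r["tunnels"]:
                if w[1] in ("source", "destination"):
                    r["tunnels"][name][w[1]] = w[2]
                elif w[1:4] == ["protection", "ipsec", "profile"]:
                    r["tunnels"][name]["profile"] = w[4]
        elif section and section[0] == "router" and w[0] == "network" and len(w) == 3:
            # 'network A W' carries a wildcard (host) mask; ipaddress accepts hostmasks directly.
            r["nets"].append(ipaddress.ip_network(f"{w[1]}/{w[2]}", strict=False))
    return r


def addr_of(r, ifname):
    itf = r["addrs"].get(ifname)
    return str(itf.ip) if itf else None


def lint_pair(a, b):
    """Findings for the tunnels that run between routers a and b (both directions checked)."""
    findings = []
    for local, peer in ((a, b), (b, a)):
        peer_addrs = {str(i.ip) for i in peer["addrs"].values()}
        for name, t in local["tunnels"].items():
            src = addr_of(local, t["source"])
            if src is None:
                continue
            # The route to the far endpoint must never point into the tunnel itself, so the
            # transport subnet must not be advertised by the IGP that runs over the tunnel.
            if any(ipaddress.ip_address(src) in n for n in local["nets"]):
                findings.append(f"{local['hostname']} {name}: EIGRP covers tunnel source {src} "
                                "(recursive routing risk)")
            if t["destination"] not in peer_addrs:
                continue  # terminates on a third router; not this pair's concern
            match = next((p for p in peer["tunnels"].items() if p[1]["destination"] == src
                          and addr_of(peer, p[1]["source"]) == t["destination"]), None)
            if match is None:
                findings.append(f"{local['hostname']} {name}: {peer['hostname']} has no tunnel back to {src}")
            elif t["profile"] and not match[1]["profile"]:
                # The protected end drops the peer's clear-text GRE (IP protocol 47), logs
                # CRYPTO-4-RECVD_PKT_NOT_IPSEC, and the tunnel line protocol never comes up.
                findings.append(f"{local['hostname']} {name} has ipsec profile {t['profile']} but "
                                f"{peer['hostname']} {match[0]} has no tunnel protection")
    return findings


# Constructed sample configs modelled on the thread (not the posted configs verbatim).
R1_CFG = """hostname R1
interface Tunnel212
 ip address 10.212.212.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 12.0.0.2
 tunnel protection ipsec profile R1PROFILE
interface GigabitEthernet0/0
 ip address 12.0.0.1 255.255.255.252
router eigrp 100
 network 10.212.212.0 0.0.0.3
"""
R2_CFG = """hostname R2
interface Tunnel212
 ip address 10.212.212.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 12.0.0.1
interface Tunnel223
 ip address 10.223.223.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 23.0.0.2
 tunnel protection ipsec profile R2PROFILE
interface GigabitEthernet0/0
 ip address 12.0.0.2 255.255.255.252
interface GigabitEthernet0/1
 ip address 23.0.0.1 255.255.255.252
router eigrp 100
 network 10.212.212.0 0.0.0.3
 network 10.223.223.0 0.0.0.3
"""
# The fix from the accepted answer: protect Tunnel212 on R2 as well.
R2_FIXED_CFG = R2_CFG.replace(" tunnel destination 12.0.0.1\n",
                              " tunnel destination 12.0.0.1\n tunnel protection ipsec profile R2PROFILE\n")

if __name__ == "__main__":
    for label, cfg in (("as posted", R2_CFG), ("after fix", R2_FIXED_CFG)):
        print(label, lint_pair(parse_ios(R1_CFG), parse_ios(cfg)) or ["clean"])
```

Run stand-alone it reports one finding for the configs as posted (R1 Tunnel212 protected, R2 Tunnel212 not) and none after the fix. Adding `network 12.0.0.0 0.0.0.3` under R1's EIGRP process makes the recursive-routing check fire, which is the other failure mode mentioned above: the WAN subnet that carries the tunnel gets learned over the tunnel, and the tunnel flaps. Tunnel223 is skipped because its destination is not an address on R1, so the check only judges tunnels that actually run between the two routers it is given.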

Thank you for your help.

All is working now.

 

Daniel.
