Try moving crypto engine

go-trexsupport · ‎06-22-2015

Hi,

I'm stuck on a configuration which worked for like 10 minutes, and now not.
Config:

crypto keyring vrf_management_keyring
pre-shared-key address {DESTINATION_IP} key {KEY}
!
crypto isakmp policy 5
encr aes 256
authentication pre-share
group 5
crypto isakmp profile vrf_management_profile
   keyring vrf_management_keyring
   match identity address {DESTINATION_IP} 255.255.255.255
   isakmp authorization list default
!
!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile vrf_mng_ipsec_profile
set transform-set ESP-AES-256-SHA
set isakmp-profile vrf_management_profile
!
interface Tunnel156
ip vrf forwarding ivrf
ip address 172.31.254.254 255.255.255.252
tunnel source {SOURCE_IP}
tunnel destination {DESTINATION_IP}
tunnel mode ipsec ipv4
tunnel protection ipsec profile vrf_mng_ipsec_profile
crypto engine slot 2/0 inside

interface Loopback156
ip address {SOURCE_IP} 255.255.255.255
crypto engine outside

Error I am getting

19:24:46: %ACE-6-UNEXP_INBOUND_IPSEC: Vlan159: received unexpected IPsec packet: src: {DESTINATION_IP}; dst: {SOURCE_IP}; (count=6499)

Also on the sh crypto ipsec sa I can see that there are no decaps

Source side:

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

Destination side:

#pkts encaps: 3560, #pkts encrypt: 3560, #pkts digest: 3560

Image on the 6500: Advanced Enterprise Services SSH Release 12.2.33-SXI13 (MD)

Thanks in advanced.

Ricardo

Darrell Gatlin · ‎07-24-2015

Try moving crypto engine outside to the L3 interface that loopback156 is routed out of, it looks like it may be going out of VLAN 159. I use loopbacks for the peer address and I don't have crypto engine outside configured on any of them.

GRE IPsec 6506-E / SPA-IPSEC-2G