Hello, had the exact same issue on my GNS3 lab - and I did remove the keepalive and it came up. THank you!

Hi Joseph Doherty ,

Thanks for your update.

Let me remove the keep alive and check & i will share you my complete configuration as soon as possible.

When i came across the Cisco document 

1)IPSEC Tunnel mode means the source IP would be the

Tunnel IP

2)IPSEC Transport means the source IP would be the

Physical IP

Please correct me  If i am wrong.

i have tested same through GNS3-wire shark .However i am seeing for Tunnel mode /Transport mode (IP header) for both  source  IP is my physical interface only. 

Hi Rick,

Thanks 

DOC says ,IPSEC Tunnel mode => First Header will have the

tunnel ip

on  top of the original IP header. 

 Transport header will have the

Physical ip

will be the first header 

Can you please clarify me ..

I am not sure which doc you are referring to or exactly what it says. But I can tell you for sure that the IP address used in the IP header of an IPSec packet will not be the tunnel address. Perhaps one way to explain it is that the source address should be the peering address and the peering address can not be the tunnel address. Remember that the devices must negotiate ISAKMP using the peer address and the tunnel IP address is not reachable until the negotiation is successfully completed. If you try to negotiate to the tunnel address and the tunnel address is not yet up then the negotiation fails.

HTH

Rick

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Basically, IPSec can support its own tunneling and so when used with another tunneling encapsulation mode, you can have redundant addressing (within the transmitted packet), when doing

p2p

between the peering IPs.  The tunnel/transport modes control whether the extra IPSec tunnel addressing is done.  For such

p2p

you don't need the duplication, although I think it's the default.

For example, when doing

site-to-site GRE/IPSec

you don't need two sets of IPs.  It's a little more efficient to turn off the second set with transport mode.

Hi Jose,

As per your answer ,in

P2P

we couldn't get the result as per the attached DOC

If i have HUB and spoke (IPSEC/DMVPN) as per the above document will get the IP header in wireshark?

Like Tunnel mode

source ip tunnel ip

Transport mode

Source ip physical

My understand completely wrong ?.Need your help understand what below attached diagram says

==============================================

What is a new IP header ? in Tunnel mode

What is original IP header ? in Transport mode  

Please find the attachment here also 

Source Physical IP     : 192.168.12.1 
Destnation Physical IP : 192.168.23.3

Tunnel Source IP      : 192.168.13.1
Tunnel Destination IP :  192.168.13.3

Tunnel mode with esp:
++++++++++++++++++++

crypto ipsec transform-set ge3vpn esp-3des esp-sha-hmac 

When i am using the i could see below Frame in wireshark

[Protocols in Frame: eth:ip:esp]

complete packet encapsulated including tunnel ip only could see

physical ip's

Here i have attache the diagram which i referred for the tunnel mode & transport mode.

As per the diagram for tunnel mode with esp, it shows NEW IP header will add in top of the original header.

original header tunnel ip or physical ip ?

Could you please guide me if my understanding is wrong that would help me to correct myself.

Transport with AH header

+++++++++++++++++++++++

crypto ipsec transform-set ge3vpn esp-3des esp-sha-hmac 

When i am using the i could see below Frame in wireshark

This header as correct as per the DOC
 

[Protocols in Frame: eth:ip:ah:ip:gre:ipgre]

Hi Jose

Thank u so much..

You are right once i removed the keep alive conf and the tunnel started to work...no idea how its working?

why

IPSEC profile

with keep alive its not working ? same keep alive configure with

IPSEC crypto map

it's working.

I have one more question here, In

ipsec profile

how the interesting traffic took automatically ? no interesting traffic has been defined myself .

Is this the advantage of creating a

ipsec profile

instead of old tech

(crypto map)

?

R1#sh crypto map
Crypto Map "Tunnel1-head-0" 65536 ipsec-isakmp
        Profile name: vino
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                ge3vpn:  { esp-3des esp-sha-hmac  } ,
        }

Crypto Map "Tunnel1-head-0" 65537 ipsec-isakmp
        Map is a PROFILE INSTANCE.
        Peer = 192.168.23.3
        Extended IP access list
            access-list  permit gre host 192.168.12.1 host 192.168.23.3
        Current peer: 192.168.23.3
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                ge3vpn:  { esp-3des esp-sha-hmac  } ,
        }
        Interfaces using crypto map Tunnel1-head-0:
                Tunnel1


R1#

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

I did come across some Cisco documentation that helps explain why the keepalive doesn't work with VTI tunnels (I've also bumpted into it keeping the tunnel down, and I recall [?], or not taking the tunnel down when it should).  Keepalives need to be reflected, and with VTI, I believe they get sent either via the tunnel or via the interface but are not reflected or correctly processed on the other side.  I.e. something like tunnel<>interface or interface<>tunnel, whichever, basically the two sides don't correctly match for keepalive generation and reflection.

With a GRE tunnel, including GRE/IPSec, I believe they are processed correctly.  I.e. tunnel<>tunnel or interface<>interface.

As Rick noted, the VTI tunnel will go down if connectivity is lost.  The problem with GRE tunnels, some will stay up even with no end-to-end connectivity.  For the latter, keepalive insures you can detect lost of end-to-end connectivity.

Of course, with either, if your run a dynamic routing protocol across the tunnel, it will detect the lost of the end-to-end connection.

Yes, with VTI you don't have to define interesting traffic (and its less encapsulation overhead too).

With IPSec you need to use cyrpto maps (at least you no longer need to define the crypto statement on both the physical interface and the tunnel interface).

The reason for the difference, with VTI you have an encrypted tunnel, interesting traffic is whatever you direct into the tunnel.

With GRE/IPSec you're encrypting selected GRE traffic on the physical interface, the tunnel, itself, isn't encrypted.