
IPsec site-to-site with GRE does not work

Rodrigo Baza

Hi everyone!!!

I need your help.

I'm having some trouble running a site-to-site VPN between two ASRv, which I hope you can help me get some answers with. I am probably missing something here.

 

I have the next log.

 

SR_MPLS_BV_1#
*Jan 30 19:47:35.943: ISAKMP-ERROR: (0):No pre-shared key with 172.21.1.42!
*Jan 30 19:47:35.947: ISAKMP-ERROR: (0):No Cert or pre-shared address key.
*Jan 30 19:47:35.950: ISAKMP-ERROR: (0):construct_initial_message: Can not start Main mode
*Jan 30 19:47:35.954: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
*Jan 30 19:47:35.954: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
*Jan 30 19:47:36.372: IPSEC(ipsec_process_proposal): peer address 172.31.1.
ASR_MPLS_BV_1#wr42 not found
*Jan 30 19:47:36.372: ISAKMP-ERROR: (1002):IPSec policy invalidated proposal with error 64
*Jan 30 19:47:36.374: ISAKMP-ERROR: (1002):phase 2 SA policy not acceptable! (local 172.31.1.41 remote 172.31.1.42)
*Jan 30 19:47:36.375: ISAKMP-ERROR: (1002):deleting node 3686480858 error TRUE reason "QM rejected"
*Jan 30 19:47:36.529: %SYS-5-CONFIG_I: Configured from console by console
ASR_MPLS_BV_1#wr
Building configuration...
[OK]
ASR_MPLS_BV_1#
*Jan 30 19:48:06.373: IPSEC(ipsec_process_proposal): peer address 172.31.1.42 not found
*Jan 30 19:48:06.374: ISAKMP-ERROR: (1002):IPSec policy invalidated proposal with error 64
*Jan 30 19:48:06.377: ISAKMP-ERROR: (1002):phase 2 SA policy not acceptable! (local 172.31.1.41 remote 172.31.1.42)
*Jan 30 19:48:06.377: ISAKMP-ERROR: (1002):deleting node 51690126 error TRUE reason "QM rejected"
ASR_MPLS_BV_1#
*Jan 30 19:48:19.215: ISAKMP-ERROR: (0):No pre-shared key with 172.21.1.42!
*Jan 30 19:48:19.217: ISAKMP-ERROR: (0):No Cert or pre-shared address key.
*Jan 30 19:48:19.219: ISAKMP-ERROR: (0):construct_initial_message: Can not start Main mode
*Jan 30 19:48:19.222: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
*Jan 30 19:48:19.222: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
ASR_MPLS_BV_1#
*Jan 30 19:48:46.091: IPSEC(ipsec_process_proposal): peer address 172.31.1.42 not found
*Jan 30 19:48:46.092: ISAKMP-ERROR: (1002):IPSec policy invalidated proposal with error 64
*Jan 30 19:48:46.094: ISAKMP-ERROR: (1002):phase 2 SA policy not acceptable! (local 172.31.1.41 remote 172.31.1.42)
*Jan 30 19:48:46.095: ISAKMP-ERROR: (1002):deleting node 1383673818 error TRUE reason "QM rejected"
ASR_MPLS_BV_1#
*Jan 30 19:48:49.216: ISAKMP-ERROR: (0):No pre-shared key with 172.21.1.42!
*Jan 30 19:48:49.220: ISAKMP-ERROR: (0):No Cert or pre-shared address key.
*Jan 30 19:48:49.222: ISAKMP-ERROR: (0):construct_initial_message: Can not start Main mode
*Jan 30 19:48:49.226: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
*Jan 30 19:48:49.226: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
ASR_MPLS_BV_1#
*Jan 30 19:49:16.091: IPSEC(ipsec_process_proposal): peer address 172.31.1.42 not found
*Jan 30 19:49:16.092: ISAKMP-ERROR: (1002):IPSec policy invalidated proposal with error 64
*Jan 30 19:49:16.095: ISAKMP-ERROR: (1002):phase 2 SA policy not acceptable! (local 172.31.1.41 remote 172.31.1.42)
*Jan 30 19:49:16.096: ISAKMP-ERROR: (1002):deleting node 693012127 error TRUE reason "QM rejected"
ASR_MPLS_BV_1#
*Jan 30 19:49:21.834: ISAKMP-ERROR: (0):No pre-shared key with 172.21.1.42!
*Jan 30 19:49:21.838: ISAKMP-ERROR: (0):No Cert or pre-shared address key.
*Jan 30 19:49:21.840: ISAKMP-ERROR: (0):construct_initial_message: Can not start Main mode
*Jan 30 19:49:21.844: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
*Jan 30 19:49:21.844: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
ASR_MPLS_BV_1#
*Jan 30 19:49:48.666: IPSEC(ipsec_process_proposal): peer address 172.31.1.42 not found
*Jan 30 19:49:48.666: ISAKMP-ERROR: (1002):IPSec policy invalidated proposal with error 64
*Jan 30 19:49:48.669: ISAKMP-ERROR: (1002):phase 2 SA policy not acceptable! (local 172.31.1.41 remote 172.31.1.42)
*Jan 30 19:49:48.670: ISAKMP-ERROR: (1002):deleting node 784558989 error TRUE reason "QM rejected"
ASR_MPLS_BV_1#
*Jan 30 19:49:51.835: ISAKMP-ERROR: (0):No pre-shared key with 172.21.1.42!
*Jan 30 19:49:51.837: ISAKMP-ERROR: (0):No Cert or pre-shared address key.
*Jan 30 19:49:51.838: ISAKMP-ERROR: (0):construct_initial_message: Can not start Main mode
*Jan 30 19:49:51.841: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
*Jan 30 19:49:51.842: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.

 

When I look at the ISAKMP phase status, I see this:

 

ASR_MPLS_BV_1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
172.31.1.41 172.31.1.42 QM_IDLE 1002 ACTIVE

IPv6 Crypto ISAKMP SA

 

Maybe the problem is in phase 2, but I don't understand why it does not run...

 

Help!


Hello,

 

Post the configs of both routers; there could be a mismatch in the crypto config or the ISAKMP parameters...

Hi,

 

I attached the config; I don't see anything different in the IPsec configuration.

Hello,

 

Thanks for the configs, I will lab this and get back with you. At first glance, everything looks OK. You might want to try 'mode transport' instead of 'mode tunnel'.

Thanks!

 

Yes, yesterday I did but it didn't work; I changed phase 2 to mode transport but nothing happened.

I have looked through the configs and there are several things that I notice (not all of which necessarily explain this behavior).

1) I see this error repeatedly in the log

IPSEC(ipsec_process_proposal): peer address 172.31.1.42 not found

The peer address and the shared key are in the config that was posted. Can you verify that interface Gig1 is up/up and connected as expected (direct connection point to point to the peer)?

2) I see 2 tunnels and 2 instances in the crypto map. But I see the crypto map applied only on 1 interface. How is the second peer supposed to work if the interface with its tunnel source does not have the crypto map applied?

3) Both instances in the crypto map use the same ACL to identify traffic to be processed in the VPN. In my experience that is a big problem. IOS processes the crypto map in sequential order and if traffic matches the ACL in the first instance it does not look into the second instance.

 

HTH

 

Rick


Hello,

 

I labbed your setup and initially copied the same typo you have in your configuration:

 

ASR_MPLS_BV_1

crypto map IPSEC 10 ipsec-isakmp
set peer 172.21.1.42

 

This needs to be:

 

ASR_MPLS_BV_1

crypto map IPSEC 10 ipsec-isakmp
set peer 172.31.1.42

Georg
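The peer/key mismatch found above, and the shared-ACL concern raised earlier in the thread, can both be caught by a static check of the configuration before it is applied. The following Python sketch is an added example, not part of any post in this thread; the function name `lint_crypto_map`, the key string, the ACL name and the second map entry are constructed for illustration, and it assumes per-address `crypto isakmp key` lines (no keyrings or wildcard keys).

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread: the key string, the ACL name and
# the second crypto map entry are made up for illustration.
SAMPLE_CONFIG = """\
crypto isakmp key EXAMPLE-KEY address 172.31.1.42
crypto isakmp key EXAMPLE-KEY address 172.31.2.42
crypto map IPSEC 10 ipsec-isakmp
 set peer 172.21.1.42
 match address GRE-ACL
crypto map IPSEC 20 ipsec-isakmp
 set peer 172.31.2.42
 match address GRE-ACL
"""

def lint_crypto_map(config):
    """Return (check, map name, sequence(s), value) findings for an IOS config."""
    keyed = set(re.findall(r"^crypto isakmp key .+? address (\S+)", config, re.M))
    entries, current = {}, None
    for line in config.splitlines():
        head = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line)
        if head:
            current = entries.setdefault((head[1], int(head[2])), {"peer": [], "acl": []})
        elif not line.startswith(" "):
            current = None  # a non-indented line ends the crypto map block
        elif current is not None:
            words = line.split()
            if words[:2] == ["set", "peer"] and len(words) > 2:
                current["peer"].append(words[2])
            elif words[:2] == ["match", "address"] and len(words) > 2:
                current["acl"].append(words[2])
    findings, used_peers, acl_users = [], set(), defaultdict(list)
    for (name, seq), entry in sorted(entries.items()):
        for peer in entry["peer"]:
            used_peers.add(peer)
            if peer not in keyed:  # produces "No pre-shared key with <peer>"
                findings.append(("peer-without-key", name, seq, peer))
        for acl in entry["acl"]:
            acl_users[(name, acl)].append(seq)
    for addr in sorted(keyed - used_peers):  # key exists, but no map entry points at it
        findings.append(("key-without-peer", None, None, addr))
    for (name, acl), seqs in sorted(acl_users.items()):
        if len(seqs) > 1:  # only the lowest sequence will ever match this ACL
            findings.append(("shared-acl", name, tuple(seqs), acl))
    return findings

if __name__ == "__main__":
    print(*lint_crypto_map(SAMPLE_CONFIG), sep="\n")
```

A `peer-without-key` finding paired with a `key-without-peer` finding for a near-identical address is the signature of the typo in this thread.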

 

Good catch on the typo. Did correcting this have any impact on operation of the VPN?

 

HTH

 

Rick


Richard,

 

Yes, everything came up immediately after changing that. It corresponds with the error saying that the peer could not be found.

 

I hope it works out the same for the OP.

Georg

 

Thanks for clarifying that correcting the typo did bring up the VPN. +5 for that. I am still concerned about the effect of the second peer. But at least the original problem is solved.

 

HTH

 

Rick


Thanks and sorry, Georg.
I don't know why I never saw this error, but thank you so much!!!

Richard,

You are right, I tried many tests to find the error; I never thought that the answer was too easy.

Thank you guys!