Enthusiast

IPSEC Tunnel up/down

Hi there,

Thanks for reading.

 

I have a pair of routers with IPSEC tunnels configured.  The routers can ping each other's public IPs.  There are crypto isakmp keys with appropriate peer-router IP addresses.  There are spot-on matching crypto isakmp policies in naming and protocols.

 

Debug crypto isakmp shows that it's not even attempting to connect.

 

Thanks!

Bob

1 ACCEPTED SOLUTION

Hall of Fame Master

Re: IPSEC Tunnel up/down

Bob

 

Thanks for posting the information. There may be more than one issue involved and I will start with the most significant and if that does not resolve the issue then we will look further. I assume that your intention was to configure this vpn using VTI. On each of the tunnel interfaces you have configured the tunnel mode for ipsec. But neither tunnel interface includes the tunnel protection command. Please add tunnel protection to both tunnel interfaces using profile VTI-aes256. Try this and let us know if the behavior changes.

 

HTH

 

Rick
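For reference, a minimal IKEv1 static VTI configuration for both peers that includes the tunnel protection line Rick is pointing at. This is an added example, not the configuration Bob posted: the public addresses are RFC 5737 documentation addresses, the interface names, tunnel and LAN addressing, policy number and transform-set name TS-AES256 are assumed, and only the profile name VTI-aes256 comes from the thread.

```text
! Added example (not the configuration Bob posted): minimal IKEv1 static VTI on both peers.
! Assumed: RFC 5737 documentation addresses, interface names, tunnel/LAN addressing, policy
! number and transform-set name. Only the profile name VTI-aes256 is taken from the thread.
! The sha256 choices need a 15.x image; on older code use "hash sha" and esp-sha-hmac.
!
! ===== Router A, public address 192.0.2.1 =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <shared-secret> address 198.51.100.1
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile VTI-aes256
 set transform-set TS-AES256
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-aes256
!
ip route 10.20.0.0 255.255.0.0 Tunnel0
!
! ===== Router B, public address 198.51.100.1 (mirror image) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <shared-secret> address 192.0.2.1
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile VTI-aes256
 set transform-set TS-AES256
!
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-aes256
!
ip route 10.10.0.0 255.255.0.0 Tunnel0
!
! ===== Checks on either side =====
! show interfaces Tunnel0   -> line protocol comes up only after the IPsec SA is built
! show crypto isakmp sa     -> QM_IDLE for the peer once phase 1 succeeds
! show crypto ipsec sa      -> encaps/decaps counters increment as traffic flows
! show crypto session       -> session status UP-ACTIVE
```

With tunnel mode ipsec ipv4 but no tunnel protection, the interface is not bound to any IPsec profile, so nothing is ever negotiated and debug crypto isakmp stays silent, which is exactly the "not even attempting to connect" symptom. A VTI needs no crypto map or interesting-traffic ACL: any traffic routed into Tunnel0 starts the negotiation, and the line protocol stays up/down until the IPsec SA exists. The ISAKMP policy, pre-shared key and transform set must match on both peers; a transform-set mismatch passes phase 1 and then fails in phase 2, which is the "SA policy not acceptable" message that shows up in debug crypto isakmp.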

11 REPLIES
VIP Mentor

Re: IPSEC Tunnel up/down

Hello,

 

Post the configs of both routers, you might be missing something small...

Hall of Fame Master

Re: IPSEC Tunnel up/down

Bob

 

You describe some symptoms but give us no detail to work with. Can we start with getting configs of both routers? And perhaps some additional information such as output of show ip interface brief and of show ip route?

 

HTH

 

Rick

Enthusiast

Re: IPSEC Tunnel up/down

Thanks again

VIP Advocate

Re: IPSEC Tunnel up/down

How are you attempting to bring the tunnel up? By generating interesting traffic, I assume?

 

Is that interesting traffic entering the FW in question?



Enthusiast

Re: IPSEC Tunnel up/down

Thanks Richard and everybody,

 

I added the VTI-aes256 line to tunnel configs on both sides.  The tunnel came up on one side but not the other.  I can see a phase 2 failure (SA policy not acceptable) in the debug but not sure where to fix that.

Hall of Fame Master

Re: IPSEC Tunnel up/down

Bob

 

Thanks for the update. Glad to know that adding the tunnel protection profile was a step in the right direction. At least now they are negotiating. It is not clear from the debug what is the issue. Perhaps debug from the other side might have helpful information?

 

HTH

 

Rick

Enthusiast

Re: IPSEC Tunnel up/down

The local side is 201.96.120.21.  The remote side has about 70 tunnels so you'll need to filter for it.

Hall of Fame Master

Re: IPSEC Tunnel up/down

When a device has multiple vpn tunnels to various remote peers Cisco has developed a tool to help with this, which is crypto conditional debug. See this link for information which I hope will be useful.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-crypto-debug-sup.html

using conditional crypto debug you can identify the specific remote peer you are interested in and then debug for crypto (both isakmp and ipsec) will display output for that particular peer. Give that a try and post the output specific to the peer we are interested in.

 

HTH

 

Rick
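The command sequence for the conditional debug Rick describes, as an added example that is not from the thread. 192.0.2.1 is an assumed placeholder for the remote peer's public address; everything below is typed at privileged EXEC on the router that terminates the many tunnels.

```text
! Added example (not output from the thread): scoping crypto debugs to a single peer on a
! router that terminates many tunnels. 192.0.2.1 is an assumed placeholder for the remote
! peer's public address. Run from privileged EXEC.
!
! Make sure debug output is delivered to this (vty) session
terminal monitor
!
! Restrict crypto debugging to the one peer of interest
debug crypto condition peer ipv4 192.0.2.1
!
! Verify the condition is in place before enabling anything noisy
show crypto debug-condition
!
! Now only ISAKMP/IPsec events involving that peer are printed
debug crypto isakmp
debug crypto ipsec
!
! Tear down any existing SAs with that peer so the full exchange appears in the debug
clear crypto session remote 192.0.2.1
!
! Clean up when done
undebug all
debug crypto condition reset
```

Without the condition, debug crypto isakmp on a hub with 70 peers prints every peer's negotiation and can load the CPU noticeably; with it, the output is limited to the exchange with the one peer. Clearing the session forces a fresh phase 1 and phase 2 so the rejected proposal, if any, is visible from the start. Collecting this on both sides matters because the peer that rejects a proposal is the one whose debug states which attributes it refused.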

Enthusiast

Re: IPSEC Tunnel up/down

Hi Richard, thanks again for your interest in my issue!  Attached is a conditional debug.

Hall of Fame Master

Re: IPSEC Tunnel up/down

Bob

 

I am a bit confused and hope you can clarify for me. You sent me debug output from rtmx602. In that debug I see isakmp negotiation with 91.212.206.133 which I expected. And it appears that negotiation was successful. It also received isakmp negotiation with 91.212.206.134 which I did not expect. There is no mention of that address in the configuration. So what is this address and why is it attempting isakmp negotiation with rtmx602? Looking at the debug it appears that it is the negotiation with this address that has the error about attributes not acceptable.

 

I then suggested that you post debug from the other side. You mentioned how many peers and I suggested conditional debug. The conditional debug that you posted was more debug from rtmx602. Can we get conditional debug from rthv1 for rtmx602?

 

HTH

 

Rick
