Re: ISR 931 IPSEC Tunnel issue

@Georg Pauwen Thanks for your suggestions! I reset the router to the factory settings and started over again. This time I left only 1 VLAN (vlan 1) of network (172.28.207.177 255.255.255.240) and only 1 IPSEC tunnel (the one not working). The issue is still there with the same error message. Please find the new show run below. Thank you vm!

 

version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
!
!
ip dhcp excluded-address 172.28.207.177 172.28.207.179
!
ip dhcp pool dhcp_tfex_pool
network 172.28.207.176 255.255.255.240
default-router 172.28.207.177
dns-server 203.80.96.33
!
ip dhcp pool iDRAC
host 172.28.207.178 255.255.255.240
client-identifier 0144.a842.3405.12
default-router 172.28.207.177
dns-server 203.80.96.33
!
ip dhcp pool YASSVR
host 172.28.207.179 255.255.255.240
hardware-address 44a8.4234.0510
default-router 172.28.207.177
dns-server 203.80.96.33
!
!
!
ip name-server 203.80.96.33
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid C931-4P sn PSZ23091D50
license accept end user agreement
license boot module c900 technology-package securityk9
!
!
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash sha
authentication pre-share
group 2
crypto isakmp key C@fbrk1F address y.y.y.y
!
!
crypto ipsec transform-set setvpn esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto map CRYTOMAP 1 ipsec-isakmp
set peer y.y.y.y
set transform-set setvpn
match address 100
!
!
!
!
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
ip address x.x.x.x 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map CRYTOMAP
!
interface GigabitEthernet5
no ip address
shutdown
duplex auto
speed auto
!
interface Vlan1
ip address 172.28.207.177 255.255.255.240
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 101 interface GigabitEthernet4 overload
ip nat inside source static tcp 172.28.207.178 777 interface GigabitEthernet4 777
ip nat inside source static tcp 172.28.207.178 888 interface GigabitEthernet4 888
ip nat inside source static tcp 172.28.207.179 22 interface GigabitEthernet4 22
ip nat inside source static tcp 172.28.207.179 443 interface GigabitEthernet4 443
ip route 0.0.0.0 0.0.0.0 210.6.226.253
!
!
!
access-list 100 permit ip 172.28.207.176 0.0.0.15 10.232.6.0 0.0.0.255
access-list 100 permit ip 172.28.207.176 0.0.0.15 172.19.214.0 0.0.0.255
access-list 100 permit ip 172.28.207.176 0.0.0.15 172.19.215.0 0.0.0.255
access-list 100 permit ip 172.28.207.176 0.0.0.15 10.3.14.0 0.0.0.255
access-list 100 permit ip 172.28.207.176 0.0.0.15 10.3.27.0 0.0.0.255
access-list 100 permit ip 172.28.207.176 0.0.0.15 172.19.7.0 0.0.0.255
access-list 100 permit ip 172.28.207.176 0.0.0.15 10.22.6.0 0.0.0.255
access-list 100 permit ip 172.28.207.176 0.0.0.15 10.22.61.0 0.0.0.255
access-list 101 deny ip 172.28.207.176 0.0.0.15 172.19.214.0 0.0.0.255
access-list 101 deny ip 172.28.207.176 0.0.0.15 172.19.215.0 0.0.0.255
access-list 101 deny ip 172.28.207.176 0.0.0.15 10.3.14.0 0.0.0.255
access-list 101 deny ip 172.28.207.176 0.0.0.15 10.3.27.0 0.0.0.255
access-list 101 deny ip 172.28.207.176 0.0.0.15 172.19.7.0 0.0.0.255
access-list 101 deny ip 172.28.207.176 0.0.0.15 10.22.6.0 0.0.0.255
access-list 101 deny ip 172.28.207.176 0.0.0.15 10.22.61.0 0.0.0.255
access-list 101 deny ip 172.28.207.176 0.0.0.15 10.232.6.0 0.0.0.255
access-list 101 permit ip 172.28.207.176 0.0.0.15 any
!
control-plane
!
!
line con 0
line vty 0 4
login
transport input none
!
scheduler allocate 20000 1000
!
end

VIP Mentor

Re: ISR 931 IPSEC Tunnel issue

Hello,

 

try and set the pfs group in the crypto map:

 

crypto map CRYTOMAP 1 ipsec-isakmp
set peer y.y.y.y
set transform-set setvpn

set pfs group2
match address 100

 

Also, post the output of:

 

debug crypto isakmp

debug crypto ipsec

 

I still think there is an encryption mismatch. Without seeing the configuration of the other side, it is guesswork as to what the right settings are...

Re: ISR 931 IPSEC Tunnel issue

@Georg Pauwen thanks again!

 

Tried with your new suggestion, still the same. The debug log is also the same:

 

*Jan 14 10:54:56.825: IPSEC: Expand action denied, discard or forward packet.
*Jan 14 10:54:56.825: IPSEC: Expand action denied, discard or forward packet.
*Jan 14 10:54:56.825: IPSEC: Expand action denied, discard or forward packet.
*Jan 14 10:54:56.825: IPSEC: Expand action denied, discard or forward packet.
*Jan 14 10:54:56.825: IPSEC: Expand action denied, discard or forward packet.
*Jan 14 10:54:56.825: IPSEC: Expand action denied, notify RP
*Jan 14 10:54:56.825: IPSEC: Expand action denied, discard or forward packet.
*Jan 14 10:54:56.827: IPSEC: Expand action denied, discard or forward packet.
*Jan 14 10:54:56.827: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

 

The remote side told us the IKE policy is

Encryption: 3DES

Authentication: SHA

DH Group:2

 

Any ideas?
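As an added example (not code from the thread or from Cisco), the following script lints a running config of the shape posted above against the IKE parameters the remote side reported: it checks the phase 1 policy against those values, that the crypto map is bound to an interface and its peer has a pre-shared key, and that every crypto-ACL flow is denied in the NAT ACL before any permit (otherwise the packet is translated before the crypto map sees it). It also prints the crypto ACL the peer would have to configure, which is the local one with source and destination swapped. The embedded config is a constructed, trimmed copy of the posted one; the pre-shared key is a placeholder, and x.x.x.x / y.y.y.y are the thread's own placeholders. Against that config the checks all pass, which matches the thread's observation that the local side looks consistent.

```python
"""Added example: lint a Cisco IOS site-to-site IPsec config for the usual
self-inflicted Phase 2 failures. Not the poster's code; the sample below is a
constructed, trimmed copy of the config posted in the thread."""
import ipaddress

# Constructed sample. x.x.x.x / y.y.y.y are the thread's own placeholders;
# the pre-shared key is a placeholder, not the value from the thread.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER_PSK address y.y.y.y
crypto map CRYTOMAP 1 ipsec-isakmp
 set peer y.y.y.y
 set transform-set setvpn
 match address 100
interface GigabitEthernet4
 ip address x.x.x.x 255.255.255.252
 ip nat outside
 crypto map CRYTOMAP
interface Vlan1
 ip address 172.28.207.177 255.255.255.240
 ip nat inside
ip nat inside source list 101 interface GigabitEthernet4 overload
access-list 100 permit ip 172.28.207.176 0.0.0.15 10.232.6.0 0.0.0.255
access-list 100 permit ip 172.28.207.176 0.0.0.15 172.19.214.0 0.0.0.255
access-list 101 deny ip 172.28.207.176 0.0.0.15 172.19.214.0 0.0.0.255
access-list 101 deny ip 172.28.207.176 0.0.0.15 10.232.6.0 0.0.0.255
access-list 101 permit ip 172.28.207.176 0.0.0.15 any
"""

# IKE phase 1 parameters the remote administrator reported in the thread.
REMOTE_IKE = {"encr": "3des", "hash": "sha", "group": "2"}


def _endpoint(tokens):
    """Pop one ACL endpoint (any | host A | A WILDCARD) and return it as a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # ipaddress accepts an IOS wildcard (host) mask after the slash
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse(cfg):
    """Extract what matters for the tunnel: policy, keys, maps, ACLs, interface bindings."""
    s = {"policy": {}, "key_addrs": set(), "maps": {}, "ifaces": {}, "nat_acl": None, "acls": {}}
    cur = None  # (kind, container) of the block we are currently inside
    for raw in cfg.splitlines():
        line = raw.strip()
        t = line.split()
        if not t or line.startswith("!"):
            continue
        if line.startswith("crypto isakmp policy"):
            cur = ("policy", s["policy"])
        elif line.startswith("crypto isakmp key"):
            s["key_addrs"].add(t[t.index("address") + 1])
        elif line.startswith("crypto map") and "ipsec-isakmp" in t:
            cur = ("map", s["maps"].setdefault(t[2], {}))
        elif line.startswith("interface"):
            cur = ("iface", s["ifaces"].setdefault(t[1], []))
        elif line.startswith("ip nat inside source list"):
            s["nat_acl"] = t[5]
        elif line.startswith("access-list"):
            rest = t[4:]  # tokens after "access-list N permit|deny ip"
            s["acls"].setdefault(t[1], []).append((t[2], _endpoint(rest), _endpoint(rest)))
        elif cur and cur[0] == "policy" and t[0] in ("encr", "hash", "group"):
            cur[1][t[0]] = t[1]
        elif cur and cur[0] == "map" and t[:2] == ["set", "peer"]:
            cur[1]["peer"] = t[2]
        elif cur and cur[0] == "map" and t[:2] == ["match", "address"]:
            cur[1]["acl"] = t[2]
        elif cur and cur[0] == "iface":
            cur[1].append(line)
    return s


def lint(cfg, remote_ike=REMOTE_IKE):
    """Return a list of findings; an empty list means these checks all pass."""
    s, findings = parse(cfg), []
    for k, want in remote_ike.items():  # phase 1 proposal must match the peer's
        if s["policy"].get(k) != want:
            findings.append(f"isakmp policy {k}={s['policy'].get(k)} but remote reports {want}")
    nat = s["acls"].get(s["nat_acl"], [])
    for name, m in s["maps"].items():
        bound = any(ln.split() == ["crypto", "map", name] for lines in s["ifaces"].values() for ln in lines)
        if not bound:
            findings.append(f"crypto map {name} is not applied to any interface")
        if m.get("peer") not in s["key_addrs"]:
            findings.append(f"no isakmp key for peer {m.get('peer')}")
        # each crypto-ACL flow must hit a NAT-ACL deny before any permit; otherwise it is
        # translated before the crypto map is evaluated and never matches the crypto ACL
        for _, src, dst in s["acls"].get(m.get("acl"), []):
            first = next((a for a, ns, nd in nat if src.subnet_of(ns) and dst.subnet_of(nd)), None)
            if first == "permit":
                findings.append(f"{src} -> {dst} is NATed before IPsec (no deny in ACL {s['nat_acl']})")
    return findings


def expected_remote_acl(cfg, map_name):
    """Crypto ACL the peer must mirror: the local permit entries with src/dst swapped."""
    s = parse(cfg)
    return [f"permit ip {d.network_address} {d.hostmask} {src.network_address} {src.hostmask}"
            for a, src, d in s["acls"][s["maps"][map_name]["acl"]] if a == "permit"]


if __name__ == "__main__":
    print("findings:", lint(SAMPLE_CONFIG) or "none")
    print("peer's crypto ACL should be:", *expected_remote_acl(SAMPLE_CONFIG, "CRYTOMAP"), sep="\n  ")
```

Run it as a script to see the findings (none for the sample) and the mirrored ACL; delete one of the `access-list 101 deny` lines from the sample and the NAT check fires for that destination.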

Re: ISR 931 IPSEC Tunnel issue

Also by looking at

Router#sh cry ipsec sa

interface: GigabitEthernet4
Crypto map tag: MYCRYPTOMAP, local addr x.x.x.x

protected vrf: (none)
local ident (addr/mask/prot/port): (172.28.207.176/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (10.232.6.0/255.255.255.0/0/0)
current_peer y.y.y.y port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 25, #recv errors 0

local crypto endpt.: x.x.x.x, remote crypto endpt.: y.y.y.y

plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet4
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

VIP Mentor

Re: ISR 931 IPSEC Tunnel issue

The other side needs to mirror the access list you have.

 

Post the output of:

 

debug crypto ipsec

debug crypto isakmp

Re: ISR 931 IPSEC Tunnel issue

@Georg Pauwen 

 

debug crypto ipsec output:

*Jan 14 15:36:13.302: IPSEC: Expand action denied, discard or forward packet.
*Jan 14 15:36:13.302: IPSEC: Expand action denied, discard or forward packet.
*Jan 14 15:36:13.302: IPSEC: Expand action denied, discard or forward packet.
*Jan 14 15:36:13.302: IPSEC: Expand action denied, discard or forward packet.
*Jan 14 15:36:13.302: IPSEC: Expand action denied, discard or forward packet.
*Jan 14 15:36:13.302: IPSEC: Expand action denied, notify RP
*Jan 14 15:36:13.302: IPSEC: Expand action denied, discard or forward packet.
*Jan 14 15:36:13.302: IPSEC: Expand action denied, discard or forward packet.
*Jan 14 15:36:13.304: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

 

debug crypto isakmp output:

no debug log displayed.
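As an added example (not posted in the thread), the script below reads a `show crypto ipsec sa` entry of the shape shown earlier in this thread together with the `debug crypto ipsec` / `debug crypto isakmp` lines, and reports where the tunnel is stuck. The signals it uses are all visible above: the `ipsec_sa_request_sent` flag means the crypto ACL matched and IPsec asked IKE for an SA, `#send errors` counts packets that matched but could not be encrypted, `current outbound spi: 0x0` and empty `inbound/outbound esp sas` mean no SA was ever installed, and an empty `debug crypto isakmp` means no ISAKMP exchange with the peer was logged at all. The embedded SA output and debug lines are constructed copies in the shape of what was posted.

```python
"""Added example: triage `show crypto ipsec sa` plus `debug crypto ipsec/isakmp`
lines to say where a site-to-site tunnel is stuck. Not the poster's code; the
samples are constructed copies in the shape of the outputs posted in the thread."""
import re

SA_OUTPUT = """\
interface: GigabitEthernet4
Crypto map tag: MYCRYPTOMAP, local addr x.x.x.x
local ident (addr/mask/prot/port): (172.28.207.176/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (10.232.6.0/255.255.255.0/0/0)
current_peer y.y.y.y port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 25, #recv errors 0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
"""

# Constructed debug lines in the shape of what the thread shows: there is no
# ISAKMP negotiation line at all, only the "ISAKMP is ON" notice.
DEBUG_LINES = [
    "*Jan 14 15:36:13.302: IPSEC: Expand action denied, discard or forward packet.",
    "*Jan 14 15:36:13.302: IPSEC: Expand action denied, notify RP",
    "*Jan 14 15:36:13.304: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON",
]

# Real ISAKMP negotiation lines look like "ISAKMP:(0): ..." or "ISAKMP (0): ..."
ISAKMP_EXCHANGE = re.compile(r"ISAKMP[: ]?\(\d+\)")


def parse_sa(text):
    """Pull out the fields that show whether an IPsec SA was ever installed."""
    sa = {"peer": None, "flags": set(), "send_errors": 0, "spi": None,
          "esp": {"inbound": [], "outbound": []}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"current_peer (\S+)", line):
            sa["peer"] = m.group(1)
        elif m := re.search(r"flags=\{([^}]*)\}", line):
            sa["flags"] = set(m.group(1).split(","))
        elif m := re.search(r"#send errors (\d+)", line):
            sa["send_errors"] = int(m.group(1))
        elif m := re.search(r"current outbound spi: (0x[0-9a-fA-F]+)", line):
            sa["spi"] = int(m.group(1), 16)
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            section = m.group(1) if m.group(2) == "esp" else None
        elif section and line.startswith("spi:"):
            sa["esp"][section].append(line)  # an installed ESP SA lists "spi: 0x..." lines
    return sa


def triage(sa, debug_lines):
    """Return (verdict, evidence) for one SA entry plus the debug output."""
    evidence = [f"peer {sa['peer']}", f"send errors {sa['send_errors']}",
                f"outbound spi {sa['spi']:#x}" if sa["spi"] is not None else "no outbound spi"]
    if sa["esp"]["inbound"] and sa["esp"]["outbound"]:
        return "phase2-up", evidence
    if "ipsec_sa_request_sent" not in sa["flags"]:
        return "no-interesting-traffic", evidence + [
            "crypto ACL never matched, so IKE was never asked for an SA"]
    if not any(ISAKMP_EXCHANGE.search(d) for d in debug_lines):
        return "phase1-not-started", evidence + [
            "IPsec asked IKE for an SA (ipsec_sa_request_sent) but no ISAKMP exchange was logged"]
    return "negotiation-failing", evidence + [
        "ISAKMP is exchanging with the peer but no ESP SA got installed; compare phase 1/2 proposals and proxy IDs"]


if __name__ == "__main__":
    verdict, why = triage(parse_sa(SA_OUTPUT), DEBUG_LINES)
    print(verdict, *why, sep="\n  ")
```

For the sample the verdict is `phase1-not-started`: the SA request was sent and packets are being dropped, yet nothing from ISAKMP appears, so the next thing to confirm is whether UDP/500 traffic is actually leaving towards the peer and reaching it, before comparing proposals any further.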