07-06-2012 09:39 PM - edited 03-04-2019 04:54 PM
Encryption needs to be set up between the two networks. I am trying to solve this with an IPsec VPN, but there is a problem with EIGRP: in debug I constantly see:
% CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (Ip) vrf / dest_addr = / 224.0.0.10, src_addr = 10.10.10.14, prot = 88
I set up a GRE tunnel, but the messages remained. Please help. Here are the configs.
R1
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key KEY_VPN address 10.10.10.14
!
!
crypto ipsec transform-set TS_VPN esp-des esp-md5-hmac
!
crypto map MAP_VPN 10 ipsec-isakmp
set peer 10.10.10.14
set transform-set TS_VPN
match address ACL
!
interface Tunnel0
ip address 10.10.10.41 255.255.255.252
tunnel source GigabitEthernet0/0.2
tunnel destination 10.10.10.14
!
!
interface GigabitEthernet0/0
ip address 10.10.11.11 255.255.255.248
ip flow ingress
ip nat inside
ip virtual-reassembly in
standby 0 ip 10.10.11.13
standby 0 priority 150
standby 0 preempt
ip policy route-map INTERNET-MAP
load-interval 30
duplex auto
speed auto
!
!
interface GigabitEthernet0/0.2
encapsulation dot1Q 294
ip address 10.10.10.13 255.255.255.252
crypto map MAP_VPN
!
router eigrp 205
network 10.0.38.0 0.0.0.15
network 10.10.11.8 0.0.0.7
network 10.10.10.12 0.0.0.3
!
ip route 0.0.0.0 0.0.0.0 213.130.27.193
!
ip access-list extended ACL
permit ip any any
permit gre any any
permit eigrp any any
permit icmp any any
R2
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key KEY_VPN address 10.10.10.13
!
!
crypto ipsec transform-set TS_VPN esp-des esp-md5-hmac
!
crypto map MAP_VPN 10 ipsec-isakmp
set peer 10.10.10.13
set transform-set TS_VPN
match address ACL
!
interface Tunnel0
ip address 10.10.10.42 255.255.255.252
tunnel source GigabitEthernet0/0.2
tunnel destination 10.10.10.13
!
!
interface GigabitEthernet0/0
!
interface GigabitEthernet0/0.2
encapsulation dot1Q 294
ip address 10.10.10.14 255.255.255.252
crypto map MAP_VPN
router eigrp 205
network 10.0.0.0 0.0.0.255
!
ip route 0.0.0.0 0.0.0.0 10.10.10.13
!
ip access-list extended ACL
permit ip any any
permit gre any any
permit eigrp any any
permit icmp any any
07-06-2012 10:41 PM
Sergey, change the ACL to:
ip access-list extended ACL
permit ip host 10.10.10.13 host 10.10.10.14
and
ip access-list extended ACL
permit ip host 10.10.10.14 host 10.10.10.13
07-06-2012 11:31 PM
As I understand it, on R1
ip access-list extended ACL
permit ip host 10.10.10.13 host 10.10.10.14
and on R2
ip access-list extended ACL
permit ip host 10.10.10.14 host 10.10.10.13
I tried it; it does not help.
How does this differ from
permit ip any any?
And how can I check whether traffic is going through the GRE tunnel?
07-06-2012 11:44 PM
Hi Sergey,
You should never use "permit ip any any" in a crypto map access-list.
With a "permit ip any any" statement, the router will ONLY accept encrypted traffic coming in on your Gigabit interface 0/0.2 (because everything is a match for "permit ip any any"). This is what is breaking your EIGRP.
You're getting the "Rec'd packet not an IPSEC packet" error because your access-list ACL matches everything (permit ip any any). This means everything received on the Gigabit interface into the router must be encrypted traffic, or it will be rejected. I believe that the multicast EIGRP traffic originating from the Gigabit interface will never be encrypted.
Please apply the config suggested by Roman.
Regards,
Sent from Cisco Technical Support iPad App
07-07-2012 12:03 AM
Is that for learning purposes or do you want to use it in production? For production I wouldn't use anything else anymore than virtual tunnel interfaces:
http://www.cisco.com/en/US/partner/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html
07-07-2012 12:22 AM
On this page
http://www.cisco.com/en/US/partner/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html
opens on this page
07-07-2012 12:49 AM
After leaving only the following in the ACL:
ip access-list extended ACL
permit ip host 10.10.10.13 host 10.10.10.14
and
ip access-list extended ACL
permit ip host 10.10.10.14 host 10.10.10.13
this is what I get:
R1#sh cry sess
Crypto session current status
Interface: GigabitEthernet0/0.2
Session status: UP-IDLE
Peer: 10.10.10.14 port 500
IKEv1 SA: local 10.10.10.13/500 remote 10.10.10.14/500 Active
IKEv1 SA: local 10.10.10.13/500 remote 10.10.10.14/500 Inactive
IPSEC FLOW: permit ip host 10.10.10.13 host 10.10.10.14
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit 47 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
debug:
Jul 7 07:49:52.103: ISAKMP (1028): received packet from 10.10.10.14 dport 500 sport 500 Global (R) QM_IDLE
Jul 7 07:49:52.103: ISAKMP: set new node 744776555 to QM_IDLE
Jul 7 07:49:52.103: crypto_engine: Decrypt IKE packet
Jul 7 07:49:52.103: crypto_engine: Generate IKE hash
Jul 7 07:49:52.103: ISAKMP:(1028): processing HASH payload. message ID = 744776555
Jul 7 07:49:52.103: ISAKMP:(1028): processing SA payload. message ID = 744776555
Jul 7 07:49:52.103: ISAKMP:(1028):Checking IPSec proposal 1
Jul 7 07:49:52.103: ISAKMP: transform 1, ESP_DES
Jul 7 07:49:52.103: ISAKMP: attributes in transform:
Jul 7 07:49:52.103: ISAKMP: encaps is 1 (Tunnel)
Jul 7 07:49:52.103: ISAKMP: SA life type in seconds
Jul 7 07:49:52.103: ISAKMP: SA life duration (basic) of 3600
Jul 7 07:49:52.103: ISAKMP: SA life type in kilobytes
Jul 7 07:49:52.103: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Jul 7 07:49:52.103: ISAKMP: authenticator is HMAC-MD5
Jul 7 07:49:52.103: ISAKMP:(1028):atts are acceptable.
Jul 7 07:49:52.103: IPSEC(validate_proposal_request): proposal part #1
Jul 7 07:49:52.103: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 10.10.10.13:0, remote= 10.10.10.14:0,
local_proxy= 10.10.10.13/255.255.255.255/0/0 (type=1),
remote_proxy= 10.10.10.14/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Jul 7 07:49:52.103: Crypto mapdb : proxy_match
src addr : 10.10.10.13
dst addr : 10.10.10.14
protocol : 0
src port : 0
dst port : 0
Jul 7 07:49:52.103: Crypto mapdb : proxy_match
src addr : 10.10.10.13
dst addr : 10.10.10.14
protocol : 0
src port : 0
dst port : 0
Jul 7 07:49:52.103: map_db_find_best did not find matching map
Jul 7 07:49:52.103: IPSEC(ipsec_process_proposal): proxy identities not supported
Jul 7 07:49:52.103: ISAKMP:(1028): IPSec policy invalidated proposal with error 32
Jul 7 07:49:52.103: ISAKMP:(1028): phase 2 SA policy not acceptable! (local 10.10.10.13 remote 10.10.10.14)
Jul 7 07:49:52.103: ISAKMP: set new node -894830763 to QM_IDLE
Jul 7 07:49:52.103: crypto_engine: Generate IKE hash
Jul 7 07:49:52.103: ISAKMP:(1028):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 822122880, message ID = 3400136533
Jul 7 07:49:52.103: crypto_engine: Encrypt IKE packet
Jul 7 07:49:52.103: ISAKMP:(1028): sending packet to 10.10.10.14 my_port 500 peer_port 500 (R) QM_IDLE
Jul 7 07:49:52.103: ISAKMP:(1028):Sending an IKE IPv4 Packet.
Jul 7 07:49:52.103: ISAKMP:(1028):purging node -894830763
Jul 7 07:49:52.103: ISAKMP:(1028):deleting node 744776555 error TRUE reason "QM rejected"
Jul 7 07:49:52.103: ISAKMP:(1028):Node 744776555, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jul 7 07:49:52.103: ISAKMP:(1028):Old State = IKE_QM_READY New State = IKE_QM_READY
Jul 7 07:49:58.363: ISAKMP:(1027):purging node 1361484197
Jul 7 07:49:58.367: ISAKMP:(1027):purging node -978575193
Jul 7 07:50:06.279: %DUAL-5-NBRCHANGE: EIGRP-IPv4 205: Neighbor 10.10.10.14 (GigabitEthernet0/0.2) is down: retry limit exceeded
Jul 7 07:50:08.359: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 10.10.10.13:0, remote= 10.10.10.14:0,
local_proxy= 0.0.0.0/0.0.0.0/47/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/47/0 (type=4)
Jul 7 07:50:08.851: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.10.10.13:500, remote= 10.10.10.14:500,
local_proxy= 0.0.0.0/0.0.0.0/47/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/47/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Jul 7 07:50:08.851: ISAKMP: set new node 0 to QM_IDLE
Jul 7 07:50:08.851: SA has outstanding requests (local 49.63.137.200 port 500, remote 49.63.137.228 port 500)
Jul 7 07:50:08.851: ISAKMP:(1028): sitting IDLE. Starting QM immediately (QM_IDLE )
Jul 7 07:50:08.851: ISAKMP:(1028):beginning Quick Mode exchange, M-ID of 64585526
Jul 7 07:50:08.851: ISAKMP:(1028):QM Initiator gets spi
Jul 7 07:50:08.851: crypto_engine: Generate IKE hash
Jul 7 07:50:08.851: crypto_engine: Encrypt IKE packet
Jul 7 07:50:08.851: ISAKMP:(1028): sending packet to 10.10.10.14 my_port 500 peer_port 500 (R) QM_IDLE
Jul 7 07:50:08.851: ISAKMP:(1028):Sending an IKE IPv4 Packet.
Jul 7 07:50:08.851: ISAKMP:(1028):Node 64585526, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Jul 7 07:50:08.851: ISAKMP:(1028):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Jul 7 07:50:08.855: ISAKMP (1028): received packet from 10.10.10.14 dport 500 sport 500 Global (R) QM_IDLE
Jul 7 07:50:08.855: ISAKMP: set new node 549659124 to QM_IDLE
Jul 7 07:50:08.855: crypto_engine: Decrypt IKE packet
Jul 7 07:50:08.855: crypto_engine: Generate IKE hash
Jul 7 07:50:08.855: ISAKMP:(1028): processing HASH payload. message ID = 549659124
Jul 7 07:50:08.855: ISAKMP:(1028): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1230905296, message ID = 549659124, sa = 0x313F8860
Jul 7 07:50:08.855: ISAKMP:(1028): deleting spi 1230905296 message ID = 64585526
Jul 7 07:50:08.855: ISAKMP:(1028):deleting node 64585526 error TRUE reason "Delete Larval"
Jul 7 07:50:08.855: ISAKMP:(1028):deleting node 549659124 error FALSE reason "Informational (in) state 1"
Jul 7 07:50:08.855: ISAKMP:(1028):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jul 7 07:50:08.855: ISAKMP:(1028):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
07-07-2012 02:36 AM
the ACLs would be better the following way:
ip access-list extended ACL
permit gre host 10.10.10.13 host 10.10.10.14
and
ip access-list extended ACL
permit gre host 10.10.10.14 host 10.10.10.13
Then you can test the connectivity with cleartext packets.
07-07-2012 02:32 AM
strange, here the link is working ...
Try that one:
07-07-2012 03:43 AM
ip access-list extended ACL
permit gre host 10.10.10.13 host 10.10.10.14
and
ip access-list extended ACL
permit gre host 10.10.10.14 host 10.10.10.13
did not help
thanks, will read
07-07-2012 04:31 AM
What does this error mean?
ISAKMP:(1028): IPSec policy invalidated proposal with error 32
07-07-2012 06:31 AM
Hi Sergey,
Please turn off auto summarization under your EIGRP process.
HTH.
Regards,
Terence
Sent from Cisco Technical Support iPad App
07-08-2012 06:32 AM
In the debugging it seems that your crypto-ACLs are not working as they should. Can you please show the actual config?
07-08-2012 09:45 PM
Terrence Payet: auto summarization is turned off.
R1
ip access-list extended ACL
permit gre host 10.10.10.13 host 10.10.100.14
R2
ip access-list extended ACL
permit gre host 10.10.10.14 host 10.10.10.13
or all of the configuration?
Why are there two in show crypto session?
IKEv1 SA: local 10.10.10.13/500 remote 10.10.10.14/500 Active
IKEv1 SA: local 10.10.10.13/500 remote 10.10.10.14/500 Inactive
07-08-2012 09:57 PM
Hi Sergey,
Please send all of the config. As suggested by Karsten, it seems there's an issue with your crypto map ACL.
Regards,
terence