*Jun 12 06:25:42.664: ISAKMP-ERROR: (0):No peer struct to get peer description

JKOOP
Level 1

Hello,

 

I'm trying to configure an IPsec tunnel using crypto maps. I can't get the crypto session to associate. Some of what I'm reading relates to a bad ACL config, but it doesn't appear to be the case here, maybe.

 

Error in the logs; I can't find much information as to what this specifically means.

ISAKMP-ERROR: (0):No peer struct to get peer description

 

south-east#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status

IPv6 Crypto ISAKMP SA

south-east#

south-east#show crypto session brief
Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating
K - No IKE
ivrf = (none)
Peer I/F Username Group/Phase1_id Uptime Status

 

Accepted Solution

Giuseppe Larosa
Hall of Fame

Hello @JKOOP ,

your ACL for defining interesting traffic to be encrypted is wrong:

>> ip access-list extended ipsec-match-acl
permit gre 172.18.2.0 0.0.0.255 172.18.1.0 0.0.0.255
!

 

Now, if you want to use IPsec to protect a GRE tunnel between the two routers, the traffic to be encrypted will be GRE, but the external header of GRE is that of the physical outgoing interface, as specified in the tunnel config:

 

>> interface Tunnel0
bandwidth 10000
ip address 192.168.1.1 255.255.255.0
ip mtu 1400
keepalive 10 3
tunnel source GigabitEthernet1
tunnel destination 10.2.1.13
!

interface GigabitEthernet1
description router-east
ip address 10.2.1.1 255.255.255.252
negotiation auto
ipv6 address dhcp
no mop enabled
no mop sysid
crypto map crypto-map
!

 

so the traffic to be encrypted is:

 

ip access-list extended ipsec-match-acl
permit gre host 10.2.1.1 host 10.2.1.13

 

You can put traffic for the remote LAN subnet over the tunnel using a static route:

 

ip route 172.18.1.0 255.255.255.0 tunnel0

 

Or you can use PBR (policy-based routing) on the local LAN interface.

 

Hope to help

Giuseppe

 

 

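The point of the accepted answer is that a crypto map applied to the physical interface classifies the packet after GRE encapsulation, so the crypto ACL must name the GRE outer header (tunnel source interface address to tunnel destination), not the LAN subnets that ride inside the tunnel. The following is an added example, not code from this thread or from Cisco: a small Python lint that parses the IOS config fragments quoted above (embedded here as constructed text) and reports whether a named crypto ACL actually matches the tunnel's outer header and whether the tunnel source interface carries a crypto map. The ACL name is passed in explicitly because the thread does not show the crypto map's `match address` statement; that binding is an assumption.

```python
"""Lint an IOS crypto-map ACL against the GRE tunnel it is meant to protect.

Added example for this thread, not Cisco code. The config text is constructed
from the fragments quoted in the accepted answer; the ACL name is supplied by
the caller because the thread does not show 'crypto map ... match address'.
"""
import ipaddress
import re

# Constructed from the interface config quoted above.
BASE_CONFIG = """\
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 ip mtu 1400
 tunnel source GigabitEthernet1
 tunnel destination 10.2.1.13
!
interface GigabitEthernet1
 ip address 10.2.1.1 255.255.255.252
 ipv6 address dhcp
 crypto map crypto-map
!
"""

# The ACL as originally posted: inner LAN subnets, which the crypto map on
# GigabitEthernet1 never sees in the GRE outer header.
WRONG_ACL = """\
ip access-list extended ipsec-match-acl
 permit gre 172.18.2.0 0.0.0.255 172.18.1.0 0.0.0.255
!
"""

# The ACL from the accepted answer: tunnel source IP -> tunnel destination.
FIXED_ACL = """\
ip access-list extended ipsec-match-acl
 permit gre host 10.2.1.1 host 10.2.1.13
!
"""


def parse_interfaces(config):
    """Map interface name -> ip, tunnel source, tunnel destination, crypto map."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = {"ip": None, "tunnel_source": None,
                               "tunnel_destination": None, "crypto_map": None}
        elif line == "!":
            current = None
        elif current:
            for key, pat in (("ip", r"ip address (\S+) \S+$"),
                             ("tunnel_source", r"tunnel source (\S+)$"),
                             ("tunnel_destination", r"tunnel destination (\S+)$"),
                             ("crypto_map", r"crypto map (\S+)$")):
                m = re.match(pat, line)
                if m:
                    ifaces[current][key] = m.group(1)
    return ifaces


def _addr(toks):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    if toks[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.IPv4Network(toks[1] + "/32"), toks[2:]
    # ipaddress reads a dotted mask starting with 0 as a hostmask (IOS wildcard).
    return ipaddress.IPv4Network(toks[0] + "/" + toks[1], strict=False), toks[2:]


def parse_acl(config, acl_name):
    """Return [(proto, src_net, dst_net)] for the permit entries of a named extended ACL."""
    entries, in_acl = [], False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("ip access-list extended "):
            in_acl = line.split()[-1] == acl_name
            continue
        if line == "!" or line.startswith("interface "):
            in_acl = False
            continue
        toks = line.split()
        if toks and toks[0].isdigit():          # optional sequence number
            toks = toks[1:]
        if in_acl and toks and toks[0] == "permit":   # deny/remark lines ignored
            src, rest = _addr(toks[2:])
            dst, _ = _addr(rest)
            entries.append((toks[1], src, dst))
    return entries


def check_crypto_acl(config, acl_name, tunnel_if="Tunnel0"):
    """Return findings; an empty list means the ACL matches the tunnel's outer GRE header."""
    ifaces = parse_interfaces(config)
    tun = ifaces[tunnel_if]
    src_ref = tun["tunnel_source"]
    # 'tunnel source' may be an interface name or a literal IP; resolve to an interface.
    src_if = src_ref if src_ref in ifaces else next(
        (n for n, i in ifaces.items() if i["ip"] == src_ref), None)
    outer_src = ipaddress.IPv4Address(ifaces[src_if]["ip"] if src_if else src_ref)
    outer_dst = ipaddress.IPv4Address(tun["tunnel_destination"])
    findings = []
    if src_if and ifaces[src_if]["crypto_map"] is None:
        findings.append(f"{src_if} carries the tunnel but has no crypto map applied")
    entries = parse_acl(config, acl_name)
    if not entries:
        return findings + [f"ACL {acl_name} has no permit entries"]
    covered = any(proto in ("gre", "ip", "47") and outer_src in src and outer_dst in dst
                  for proto, src, dst in entries)          # GRE is IP protocol 47
    if not covered:
        findings.append(f"no permit in {acl_name} matches GRE {outer_src} -> {outer_dst} "
                        "(the outer header the crypto map actually sees)")
    for proto, src, dst in entries:
        if outer_src not in src and outer_dst not in dst:
            findings.append(f"permit {proto} {src} {dst} matches neither tunnel endpoint; "
                            "it looks like inner (pre-encapsulation) LAN traffic")
    return findings


if __name__ == "__main__":
    for label, acl in (("as posted", WRONG_ACL), ("accepted answer", FIXED_ACL)):
        print(label + ":", check_crypto_acl(BASE_CONFIG + acl, "ipsec-match-acl") or "OK")
```

Run against the posted ACL it reports that nothing matches GRE 10.2.1.1 -> 10.2.1.13 and that the one entry names neither tunnel endpoint; against the accepted answer's ACL it reports nothing. The same check is a quick sanity test before debugging ISAKMP at all: if no packet leaving the interface can match the crypto ACL, IKE is never triggered and `show crypto isakmp sa` stays empty exactly as in the original post.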
