cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7865
Views
10
Helpful
1
Replies

*Jun 12 06:25:42.664: ISAKMP-ERROR: (0):No peer struct to get peer description

JKOOP
Level 1
Level 1

Hello,

 

I'm trying to configure IPsec tunnel using crypto maps. I can't get the crypto session to associate. Some of what I'm reading is relating to a bad ACL config but it doesn't appear to be the case here, maybe.

 

Error in the logs, I can't find much information as to have this specifically means.

ISAKMP-ERROR: (0):No peer struct to get peer description

 

south-east#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status

IPv6 Crypto ISAKMP SA

south-east#

south-east#show crypto session brief
Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating
K - No IKE
ivrf = (none)
Peer I/F Username Group/Phase1_id Uptime Status

 

1 Accepted Solution

Accepted Solutions

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello @JKOOP ,

your ACL for defining interesting traffic to be encrypted is wrong:

>> ip access-list extended ipsec-match-acl
permit gre 172.18.2.0 0.0.0.255 172.18.1.0 0.0.0.255
!

 

Now, if you want to use IPSec to protect a GRE Tunnel between the two routers the traffic to be encrypted will be GRE but the external headers of GRE is that of the physical outigoing interfaces as specified in tunnel config:

 

>> interface Tunnel0
bandwidth 10000
ip address 192.168.1.1 255.255.255.0
ip mtu 1400
keepalive 10 3
tunnel source GigabitEthernet1
tunnel destination 10.2.1.13
!

interface GigabitEthernet1
description router-east
ip address 10.2.1.1 255.255.255.252
negotiation auto
ipv6 address dhcp
no mop enabled
no mop sysid
crypto map crypto-map
!

 

so the traffic to be encrypted is :

 

ip access-list extended ipsec-match-acl
permit gre host 10.2.1.1 host 10.2.1.13

 

You can put traffic for remote LAN subnet over tunnel using a static route

 

ip route 172.18.1.0 255.255.255.0 tunnel0

 

Or you can use PBR policy based routing on the local LAN interface.

 

Hope to help

Giuseppe

 

 

View solution in original post

1 Reply 1

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello @JKOOP ,

your ACL for defining interesting traffic to be encrypted is wrong:

>> ip access-list extended ipsec-match-acl
permit gre 172.18.2.0 0.0.0.255 172.18.1.0 0.0.0.255
!

 

Now, if you want to use IPSec to protect a GRE Tunnel between the two routers the traffic to be encrypted will be GRE but the external headers of GRE is that of the physical outigoing interfaces as specified in tunnel config:

 

>> interface Tunnel0
bandwidth 10000
ip address 192.168.1.1 255.255.255.0
ip mtu 1400
keepalive 10 3
tunnel source GigabitEthernet1
tunnel destination 10.2.1.13
!

interface GigabitEthernet1
description router-east
ip address 10.2.1.1 255.255.255.252
negotiation auto
ipv6 address dhcp
no mop enabled
no mop sysid
crypto map crypto-map
!

 

so the traffic to be encrypted is :

 

ip access-list extended ipsec-match-acl
permit gre host 10.2.1.1 host 10.2.1.13

 

You can put traffic for remote LAN subnet over tunnel using a static route

 

ip route 172.18.1.0 255.255.255.0 tunnel0

 

Or you can use PBR policy based routing on the local LAN interface.

 

Hope to help

Giuseppe

 

 

Review Cisco Networking for a $25 gift card