Site2Site: ACLs are not installed, IPSec SAs are fine

udo
Level 1

Hello Community.

I am not a native English speaker, so sorry for that.

I have a strange problem running a site2site IPSec tunnel, which works well on a 2821, on an ASR1002X with AES license.

First, what I know, i.e. have done.

IOS-XE 16.9.4 doesn't work for dynamic remote VPN because "crypto map CMAP isakmp authorization list GROUPAUTHOR" doesn't work. There is a new way to configure ISAKMP groups via profiles which requires an undocumented "password" parameter. Okay, I downgraded to 16.7.1 and the VPN part for dial-in users (OSX, HO router etc.) is back in service. The above crypto statement is available. The site2site problem I am facing is pretty strange. The remote end, a Verizon IPSec tunnel, has been running for 7 years without problems. Config follows.

Behavior is easy to explain. I clear the sessions on the 2821 and shut the interface. I no shut the new interface on the ASR and trigger the remote end to establish the tunnel with a phone call (SIP interconnect). The tunnel immediately starts to come up on the ASR. IKE P1 completes; IPSec P1 will use the ACL to insert the protected network into the routing database. That fails. Error messages do not really appear (deb cry isa, deb cry ips); I will paste it later. After the tunnel is up and active I tried to ping the remote end. No response because routing ends on the ASR.

My questions are: what went wrong in IOS-XE with ACLs?

Why is the config ignored?

Do I miss some global configuration statements to activate the ACL route installation?

The config is far from a complicated one.

I have tried 16.7.1 and 16.3.5 with the same config, also the same main behaviour.

Here is the config from the ASR (interesting part plus all globals; IPs are masked to 10.0.0.0/8 but consistent):

 

version 16.7
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform hardware throughput level 5000000
!
hostname ASR1002X
!
boot-start-marker
boot system bootflash:asr1002x-universalk9.16.07.01.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 xxxxxxxxxxxxxxx
!
!
transport-map type persistent webui https-webui
 secure-server
!
transport-map type persistent ssh sshhandler
 authentication-retries 1
 rsa keypair-name sshkeys
 transport interface GigabitEthernet0
 connection wait allow interruptible
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authentication ppp default local
aaa authorization network groupauthor local
!
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
ip nbar http-services
!
!
!
ip name-server x.x.x.x y.y.y.y
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
multilink bundle-name authenticated
!
domain domain.net
!
!
!
!
!
!
!
ivr prompt buffers 2
license udi pid ASR1002-X sn ABC123456
no license smart enable
!
spanning-tree extend system-id
diagnostic bootup level minimal
!
!
!
username user .....!*Few Remote User
!
redundancy
 mode none
!
!
!
!
!
!
!
!
!
no crypto isakmp default policy
!
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
!
crypto isakmp policy 5
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 12
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 13
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key preshared-key-secret address 10.10.1.238
crypto isakmp key preshared-key-secret address 10.10.2.238
crypto isakmp key preshared-key-secret address 10.10.3.238
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 60 periodic
crypto isakmp nat keepalive 30
!
crypto isakmp client configuration group VPNGROUP
 key xxxxx
 dns x.x.x.x y.y.y.y
 domain domain.net
 pool IPPool
 save-password
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association replay window-size 512
!
crypto ipsec transform-set ipcom esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto dynamic-map dynvpn 1
 set nat demux
 set transform-set ipcom
!
!
crypto map CRYMAP local-address GigabitEthernet0/0/1
crypto map CRYMAP 1 ipsec-isakmp
 description VzB DTM
 set peer 10.10.1.238
 set transform-set ipcom
 set pfs group2
 match address 120
crypto map CRYMAP 2 ipsec-isakmp
 description VzB AMS
 set peer 10.10.2.238
 set transform-set ipcom
 set pfs group2
 match address 121
crypto map CRYMAP 3 ipsec-isakmp
 description VzB LND
 set peer 10.10.3.238
 set transform-set ipcom
 set pfs group2
 match address 122
!
crypto map VPN local-address GigabitEthernet0/0/2
crypto map VPN client authentication list userauthen
crypto map VPN isakmp authorization list groupauthor
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp dynamic dynmap
crypto map VPN 20 ipsec-isakmp dynamic dynvpn
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
 ip address 10.1.1.10 255.255.255.192
 no ip redirects
 ip nbar protocol-discovery
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/1
 ip address 10.1.2.219 255.255.255.192
 no ip redirects
 ip nbar protocol-discovery
 ip tcp adjust-mss 1260
 shutdown
 negotiation auto
 crypto map CRYMAP
!
interface GigabitEthernet0/0/2
 ip address 10.1.3.10 255.255.255.240
 no ip redirects
 ip nbar protocol-discovery
 ip tcp adjust-mss 1260
 negotiation auto
 ipv6 nd ra suppress
 crypto map DUSVPN
!
interface GigabitEthernet0/0/3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/4
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/5
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 10.10.10.251 255.255.255.0
 negotiation auto
!
no ip forward-protocol nd
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 1
ip http session-idle-timeout 1200
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.10.10.1
!
ip ssh server algorithm authentication password
!
access-list 10 permit 10.1.1.7 log
access-list 10 deny   any log
access-list 11 permit 10.1.10.0 0.0.0.255
access-list 11 permit 10.1.1.0 0.0.0.16
access-list 11 permit 10.1.2.0 0.0.0.255
access-list 11 deny   any log
access-list 120 permit ip 10.1.1.0 0.0.0.255 10.11.1.192 0.0.0.31
access-list 121 permit ip 10.1.1.0 0.0.0.255 10.11.2.192 0.0.0.31
access-list 122 permit ip 10.1.1.0 0.0.0.255 10.11.3.192 0.0.0.31
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
transport type persistent webui input https-webui
!
end

So that's the router config.

Is there anything missing because of the different systems between the C2821 and the ASR1002X?

Here is a full establishing log; all is fine except traffic through the tunnel. No routing is installed :( I marked the interesting parts BOLD:

Nov  3 04:02:02 acr-xe-0-0-15 3984: Nov  3 03:02:02.541: ISAKMP-PAK: (0):received packet from 10.10.1.238 dport 500 sport 500 Global (N) NEW SA
Nov  3 04:02:02 acr-xe-0-0-15 3985: Nov  3 03:02:02.541: ISAKMP: (0):Created a peer struct for 10.10.1.238, peer port 500
Nov  3 04:02:02 acr-xe-0-0-15 3986: Nov  3 03:02:02.541: ISAKMP: (0):New peer created peer = 0x7F837B5F7060 peer_handle = 0x8000000A
Nov  3 04:02:02 acr-xe-0-0-15 3987: Nov  3 03:02:02.541: ISAKMP: (0):Locking peer struct 0x7F837B5F7060, refcount 1 for crypto_isakmp_process_block
Nov  3 04:02:02 acr-xe-0-0-15 3988: Nov  3 03:02:02.541: ISAKMP: (0):local port 500, remote port 500
Nov  3 04:02:02 acr-xe-0-0-15 3989: Nov  3 03:02:02.541: crypto_engine_select_crypto_engine: can't handle any more 
Nov  3 04:02:02 acr-xe-0-0-15 3990: Nov  3 03:02:02.541: ISAKMP: (0):insert sa successfully sa = 7F837B6AE320
Nov  3 04:02:02 acr-xe-0-0-15 3991: Nov  3 03:02:02.541: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov  3 04:02:02 acr-xe-0-0-15 3992: Nov  3 03:02:02.541: ISAKMP: (0):Old State = IKE_READY  New State = IKE_R_MM1 
Nov  3 04:02:02 acr-xe-0-0-15 3993: crypto_isadb_stuff_vrf_instance, ike_fsm_proc_mm1: sa->f_vrf = 0  sa->i_vrf = 0 sa=0x7F837B6AE320 
Nov  3 04:02:02 acr-xe-0-0-15 3994: Nov  3 03:02:02.541: ISAKMP: (0):processing SA payload. message ID = 0
Nov  3 04:02:02 acr-xe-0-0-15 3995: Nov  3 03:02:02.541: ISAKMP: (0):processing vendor id payload
Nov  3 04:02:02 acr-xe-0-0-15 3996: Nov  3 03:02:02.541: ISAKMP: (0):vendor ID seems Unity/DPD but major 190 mismatch
Nov  3 04:02:02 acr-xe-0-0-15 3997: Nov  3 03:02:02.541: ISAKMP: (0):processing vendor id payload
Nov  3 04:02:02 acr-xe-0-0-15 3998: Nov  3 03:02:02.541: ISAKMP: (0):vendor ID is DPD
Nov  3 04:02:02 acr-xe-0-0-15 3999: Nov  3 03:02:02.541: ISAKMP: (0):processing vendor id payload
Nov  3 04:02:02 acr-xe-0-0-15 4000: Nov  3 03:02:02.541: ISAKMP: (0):processing IKE frag vendor id payload
Nov  3 04:02:02 acr-xe-0-0-15 4001: Nov  3 03:02:02.541: ISAKMP: (0):Support for IKE Fragmentation not enabled
Nov  3 04:02:02 acr-xe-0-0-15 4002: Nov  3 03:02:02.541: ISAKMP: (0):found peer pre-shared key matching 10.10.1.238
Nov  3 04:02:02 acr-xe-0-0-15 4003: Nov  3 03:02:02.541: ISAKMP: (0):local preshared key found
Nov  3 04:02:02 acr-xe-0-0-15 4004: Nov  3 03:02:02.541: ISAKMP: (0):Scanning profiles for xauth ...
Nov  3 04:02:02 acr-xe-0-0-15 4005: Nov  3 03:02:02.541: ISAKMP: (0):Checking ISAKMP transform 1 against priority 1 policy
Nov  3 04:02:02 acr-xe-0-0-15 4006: Nov  3 03:02:02.541: ISAKMP: (0):      encryption 3DES-CBC
Nov  3 04:02:02 acr-xe-0-0-15 4007: Nov  3 03:02:02.541: ISAKMP: (0):      hash MD5
Nov  3 04:02:02 acr-xe-0-0-15 4008: Nov  3 03:02:02.541: ISAKMP: (0):      default group 2
Nov  3 04:02:02 acr-xe-0-0-15 4009: Nov  3 03:02:02.541: ISAKMP: (0):      auth pre-share
Nov  3 04:02:02 acr-xe-0-0-15 4010: Nov  3 03:02:02.541: ISAKMP: (0):      life type in seconds
Nov  3 04:02:02 acr-xe-0-0-15 4011: Nov  3 03:02:02.541: ISAKMP: (0):      life duration (basic) of 28800
Nov  3 04:02:02 acr-xe-0-0-15 4012: Nov  3 03:02:02.541: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Nov  3 04:02:02 acr-xe-0-0-15 4013: Nov  3 03:02:02.541: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
Nov  3 04:02:02 acr-xe-0-0-15 4014: Nov  3 03:02:02.541: ISAKMP: (0):Checking ISAKMP transform 1 against priority 2 policy
Nov  3 04:02:02 acr-xe-0-0-15 4015: Nov  3 03:02:02.541: ISAKMP: (0):      encryption 3DES-CBC
Nov  3 04:02:02 acr-xe-0-0-15 4016: Nov  3 03:02:02.541: ISAKMP: (0):      hash MD5
Nov  3 04:02:02 acr-xe-0-0-15 4017: Nov  3 03:02:02.541: ISAKMP: (0):      default group 2
Nov  3 04:02:02 acr-xe-0-0-15 4018: Nov  3 03:02:02.541: ISAKMP: (0):      auth pre-share
Nov  3 04:02:02 acr-xe-0-0-15 4019: Nov  3 03:02:02.541: ISAKMP: (0):      life type in seconds
Nov  3 04:02:02 acr-xe-0-0-15 4020: Nov  3 03:02:02.541: ISAKMP: (0):      life duration (basic) of 28800
Nov  3 04:02:02 acr-xe-0-0-15 4021: Nov  3 03:02:02.541: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Nov  3 04:02:02 acr-xe-0-0-15 4022: Nov  3 03:02:02.541: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
Nov  3 04:02:02 acr-xe-0-0-15 4023: Nov  3 03:02:02.541: ISAKMP: (0):Checking ISAKMP transform 1 against priority 3 policy
Nov  3 04:02:02 acr-xe-0-0-15 4024: Nov  3 03:02:02.541: ISAKMP: (0):      encryption 3DES-CBC
Nov  3 04:02:02 acr-xe-0-0-15 4025: Nov  3 03:02:02.541: ISAKMP: (0):      hash MD5
Nov  3 04:02:02 acr-xe-0-0-15 4026: Nov  3 03:02:02.541: ISAKMP: (0):      default group 2
Nov  3 04:02:02 acr-xe-0-0-15 4027: Nov  3 03:02:02.541: ISAKMP: (0):      auth pre-share
Nov  3 04:02:02 acr-xe-0-0-15 4028: Nov  3 03:02:02.541: ISAKMP: (0):      life type in seconds
Nov  3 04:02:02 acr-xe-0-0-15 4029: Nov  3 03:02:02.541: ISAKMP: (0):      life duration (basic) of 28800
Nov  3 04:02:02 acr-xe-0-0-15 4030: Nov  3 03:02:02.541: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Nov  3 04:02:02 acr-xe-0-0-15 4031: Nov  3 03:02:02.541: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
Nov  3 04:02:02 acr-xe-0-0-15 4032: Nov  3 03:02:02.541: ISAKMP: (0):Checking ISAKMP transform 1 against priority 5 policy
Nov  3 04:02:02 acr-xe-0-0-15 4033: Nov  3 03:02:02.541: ISAKMP: (0):      encryption 3DES-CBC
Nov  3 04:02:02 acr-xe-0-0-15 4034: Nov  3 03:02:02.541: ISAKMP: (0):      hash MD5
Nov  3 04:02:02 acr-xe-0-0-15 4035: Nov  3 03:02:02.541: ISAKMP: (0):      default group 2
Nov  3 04:02:02 acr-xe-0-0-15 4036: Nov  3 03:02:02.541: ISAKMP: (0):      auth pre-share
Nov  3 04:02:02 acr-xe-0-0-15 4037: Nov  3 03:02:02.541: ISAKMP: (0):      life type in seconds
Nov  3 04:02:02 acr-xe-0-0-15 4038: Nov  3 03:02:02.541: ISAKMP: (0):      life duration (basic) of 28800
Nov  3 04:02:02 acr-xe-0-0-15 4039: Nov  3 03:02:02.541: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Nov  3 04:02:02 acr-xe-0-0-15 4040: Nov  3 03:02:02.541: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
Nov  3 04:02:02 acr-xe-0-0-15 4041: Nov  3 03:02:02.541: ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy
Nov  3 04:02:02 acr-xe-0-0-15 4042: Nov  3 03:02:02.541: ISAKMP: (0):      encryption 3DES-CBC
Nov  3 04:02:02 acr-xe-0-0-15 4043: Nov  3 03:02:02.541: ISAKMP: (0):      hash MD5
Nov  3 04:02:02 acr-xe-0-0-15 4044: Nov  3 03:02:02.541: ISAKMP: (0):      default group 2
Nov  3 04:02:02 acr-xe-0-0-15 4045: Nov  3 03:02:02.541: ISAKMP: (0):      auth pre-share
Nov  3 04:02:02 acr-xe-0-0-15 4046: Nov  3 03:02:02.541: ISAKMP: (0):      life type in seconds
Nov  3 04:02:02 acr-xe-0-0-15 4047: Nov  3 03:02:02.541: ISAKMP: (0):      life duration (basic) of 28800
Nov  3 04:02:02 acr-xe-0-0-15 4048: Nov  3 03:02:02.541: ISAKMP: (0):atts are acceptable. Next payload is 0
Nov  3 04:02:02 acr-xe-0-0-15 4049: Nov  3 03:02:02.541: ISAKMP: (0):Acceptable atts:actual life: 86400
Nov  3 04:02:02 acr-xe-0-0-15 4050: Nov  3 03:02:02.541: ISAKMP: (0):Acceptable atts:life: 0
Nov  3 04:02:02 acr-xe-0-0-15 4051: Nov  3 03:02:02.541: ISAKMP: (0):Basic life_in_seconds:28800
Nov  3 04:02:02 acr-xe-0-0-15 4052: Nov  3 03:02:02.541: ISAKMP: (0):Returning Actual lifetime: 28800
Nov  3 04:02:02 acr-xe-0-0-15 4053: Nov  3 03:02:02.541: ISAKMP: (0):Started lifetime timer: 28800.
Nov  3 04:02:02 acr-xe-0-0-15 4054: Nov  3 03:02:02.541: crypto_engine_select_crypto_engine: can't handle any more 
Nov  3 04:02:02 acr-xe-0-0-15 4055: Nov  3 03:02:02.541: crypto_engine: Create DH 
Nov  3 04:02:02 acr-xe-0-0-15 4056: Nov  3 03:02:02.544: ISAKMP: (0):processing vendor id payload
Nov  3 04:02:02 acr-xe-0-0-15 4057: Nov  3 03:02:02.544: ISAKMP: (0):vendor ID seems Unity/DPD but major 190 mismatch
Nov  3 04:02:02 acr-xe-0-0-15 4058: Nov  3 03:02:02.544: ISAKMP: (0):processing vendor id payload
Nov  3 04:02:02 acr-xe-0-0-15 4059: Nov  3 03:02:02.544: ISAKMP: (0):vendor ID is DPD
Nov  3 04:02:02 acr-xe-0-0-15 4060: Nov  3 03:02:02.544: ISAKMP: (0):processing vendor id payload
Nov  3 04:02:02 acr-xe-0-0-15 4061: Nov  3 03:02:02.544: ISAKMP: (0):processing IKE frag vendor id payload
Nov  3 04:02:02 acr-xe-0-0-15 4062: Nov  3 03:02:02.544: ISAKMP: (0):Support for IKE Fragmentation not enabled
Nov  3 04:02:02 acr-xe-0-0-15 4063: Nov  3 03:02:02.544: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov  3 04:02:02 acr-xe-0-0-15 4064: Nov  3 03:02:02.544: ISAKMP: (0):Old State = IKE_R_MM1  New State = IKE_R_MM1 
Nov  3 04:02:02 acr-xe-0-0-15 4065: Nov  3 03:02:02.544: ISAKMP-PAK: (0):sending packet to 10.10.1.238 my_port 500 peer_port 500 (R) MM_SA_SETUP
Nov  3 04:02:02 acr-xe-0-0-15 4066: Nov  3 03:02:02.544: ISAKMP: (0):Sending an IKE IPv4 Packet.
Nov  3 04:02:02 acr-xe-0-0-15 4067: Nov  3 03:02:02.544: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov  3 04:02:02 acr-xe-0-0-15 4068: Nov  3 03:02:02.544: ISAKMP: (0):Old State = IKE_R_MM1  New State = IKE_R_MM2 
Nov  3 04:02:02 acr-xe-0-0-15 4069: Nov  3 03:02:02.554: ISAKMP-PAK: (0):received packet from 10.10.1.238 dport 500 sport 500 Global (R) MM_SA_SETUP
Nov  3 04:02:02 acr-xe-0-0-15 4070: Nov  3 03:02:02.554: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov  3 04:02:02 acr-xe-0-0-15 4071: Nov  3 03:02:02.554: ISAKMP: (0):Old State = IKE_R_MM2  New State = IKE_R_MM3 
Nov  3 04:02:02 acr-xe-0-0-15 4072: Nov  3 03:02:02.554: ISAKMP: (0):processing KE payload. message ID = 0
Nov  3 04:02:02 acr-xe-0-0-15 4073: Nov  3 03:02:02.554: crypto_engine: Create DH shared secret 
Nov  3 04:02:02 acr-xe-0-0-15 4074: Nov  3 03:02:02.556: ISAKMP: (0):processing NONCE payload. message ID = 0
Nov  3 04:02:02 acr-xe-0-0-15 4075: Nov  3 03:02:02.556: ISAKMP: (0):found peer pre-shared key matching 10.10.1.238
Nov  3 04:02:02 acr-xe-0-0-15 4076: Nov  3 03:02:02.556: crypto_engine: Create IKE SA 
Nov  3 04:02:02 acr-xe-0-0-15 4077: Nov  3 03:02:02.556: crypto engine: deleting DH phase 2 SW:23 
Nov  3 04:02:02 acr-xe-0-0-15 4078: Nov  3 03:02:02.556: crypto_engine: Delete DH shared secret 
Nov  3 04:02:02 acr-xe-0-0-15 4079: Nov  3 03:02:02.556: ISAKMP: (1013):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov  3 04:02:02 acr-xe-0-0-15 4080: Nov  3 03:02:02.556: ISAKMP: (1013):Old State = IKE_R_MM3  New State = IKE_R_MM3 
Nov  3 04:02:02 acr-xe-0-0-15 4081: Nov  3 03:02:02.556: ISAKMP-PAK: (1013):sending packet to 10.10.1.238 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Nov  3 04:02:02 acr-xe-0-0-15 4082: Nov  3 03:02:02.556: ISAKMP: (1013):Sending an IKE IPv4 Packet.
Nov  3 04:02:02 acr-xe-0-0-15 4083: Nov  3 03:02:02.556: ISAKMP: (1013):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov  3 04:02:02 acr-xe-0-0-15 4084: Nov  3 03:02:02.556: ISAKMP: (1013):Old State = IKE_R_MM3  New State = IKE_R_MM4 
Nov  3 04:02:02 acr-xe-0-0-15 4085: Nov  3 03:02:02.567: ISAKMP-PAK: (1013):received packet from 10.10.1.238 dport 500 sport 500 Global (R) MM_KEY_EXCH
Nov  3 04:02:02 acr-xe-0-0-15 4086: Nov  3 03:02:02.567: crypto_engine: Decrypt IKE packet 
Nov  3 04:02:02 acr-xe-0-0-15 4087: Nov  3 03:02:02.567: ISAKMP: (1013):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov  3 04:02:02 acr-xe-0-0-15 4088: Nov  3 03:02:02.567: ISAKMP: (1013):Old State = IKE_R_MM4  New State = IKE_R_MM5 
Nov  3 04:02:02 acr-xe-0-0-15 4089: Nov  3 03:02:02.567: ISAKMP: (1013):processing ID payload. message ID = 0
Nov  3 04:02:02 acr-xe-0-0-15 4090: Nov  3 03:02:02.567: ISAKMP: (1013):ID payload 
Nov  3 04:02:02 acr-xe-0-0-15 4091: next-payload : 8
Nov  3 04:02:02 acr-xe-0-0-15 4092: type         : 1
Nov  3 04:02:02 acr-xe-0-0-15 4093: Nov  3 03:02:02.567: ISAKMP: (1013): address      : 10.10.1.238
Nov  3 04:02:02 acr-xe-0-0-15 4094: Nov  3 03:02:02.567: ISAKMP: (1013): protocol     : 17 
Nov  3 04:02:02 acr-xe-0-0-15 4095: port         : 500 
Nov  3 04:02:02 acr-xe-0-0-15 4096: length       : 12
Nov  3 04:02:02 acr-xe-0-0-15 4097: Nov  3 03:02:02.567: ISAKMP: (0):peer matches *none* of the profilescrypto_isadb_stuff_vrf_instance, crypto_isakmp_assign_profile: sa->f_vrf = 0  sa->i_vrf = 0 sa=0x7F837B6AE320 
Nov  3 04:02:02 acr-xe-0-0-15 4098: Nov  3 03:02:02.567: ISAKMP: (1013):processing HASH payload. message ID = 0
Nov  3 04:02:02 acr-xe-0-0-15 4099: Nov  3 03:02:02.567: crypto_engine: Generate IKE hash 
Nov  3 04:02:02 acr-xe-0-0-15 4100: Nov  3 03:02:02.567: ISAKMP: (1013):SA authentication status:
Nov  3 04:02:02 acr-xe-0-0-15 4101: authenticated
Nov  3 04:02:02 acr-xe-0-0-15 4102: Nov  3 03:02:02.567: ISAKMP: (1013):SA has been authenticated with 10.10.1.238
Nov  3 04:02:02 acr-xe-0-0-15 4103: Nov  3 03:02:02.567: ISAKMP: (0):Trying to insert a peer 10.1.2.219/10.10.1.238/500/, 
Nov  3 04:02:02 acr-xe-0-0-15 4104: Nov  3 03:02:02.567: ISAKMP: (0): and inserted successfully 7F837B5F7060.
Nov  3 04:02:02 acr-xe-0-0-15 4105: Nov  3 03:02:02.567: ISAKMP: (1013):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov  3 04:02:02 acr-xe-0-0-15 4106: Nov  3 03:02:02.567: ISAKMP: (1013):Old State = IKE_R_MM5  New State = IKE_R_MM5 
Nov  3 04:02:02 acr-xe-0-0-15 4107: Nov  3 03:02:02.567: ISAKMP: (1013):SA is doing 
Nov  3 04:02:02 acr-xe-0-0-15 4108: Nov  3 03:02:02.568: ISAKMP: (1013):pre-shared key authentication using id type ID_IPV4_ADDR
Nov  3 04:02:02 acr-xe-0-0-15 4109: Nov  3 03:02:02.568: ISAKMP: (1013):ID payload 
Nov  3 04:02:02 acr-xe-0-0-15 4110: next-payload : 8
Nov  3 04:02:02 acr-xe-0-0-15 4111: type         : 1
Nov  3 04:02:02 acr-xe-0-0-15 4112: Nov  3 03:02:02.568: ISAKMP: (1013): address      : 10.1.2.219
Nov  3 04:02:02 acr-xe-0-0-15 4113: Nov  3 03:02:02.568: ISAKMP: (1013): protocol     : 17 
Nov  3 04:02:02 acr-xe-0-0-15 4114: port         : 500 
Nov  3 04:02:02 acr-xe-0-0-15 4115: length       : 12
Nov  3 04:02:02 acr-xe-0-0-15 4116: Nov  3 03:02:02.568: ISAKMP: (1013):Total payload length: 12
Nov  3 04:02:02 acr-xe-0-0-15 4117: Nov  3 03:02:02.568: crypto_engine: Generate IKE hash 
Nov  3 04:02:02 acr-xe-0-0-15 4118: Nov  3 03:02:02.568: crypto_engine: Encrypt IKE packet 
Nov  3 04:02:02 acr-xe-0-0-15 4119: Nov  3 03:02:02.568: ISAKMP-PAK: (1013):sending packet to 10.10.1.238 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Nov  3 04:02:02 acr-xe-0-0-15 4120: Nov  3 03:02:02.568: ISAKMP: (1013):Sending an IKE IPv4 Packet.
Nov  3 04:02:02 acr-xe-0-0-15 4121: Nov  3 03:02:02.568: IKE active tunnels 4
Nov  3 04:02:02 acr-xe-0-0-15 4122: scmIkeTunnelCreate ikeidx:13
Nov  3 04:02:02 acr-xe-0-0-15 4123: Nov  3 03:02:02.568: scmIkeTunnelCreated: Default context, vdi_ptr=gdi_ptr=140202611746552/140202611746552
Nov  3 04:02:02 acr-xe-0-0-15 4124: Nov  3 03:02:02.568: ISAKMP: (1013):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov  3 04:02:02 acr-xe-0-0-15 4125: Nov  3 03:02:02.568: ISAKMP: (1013):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE 
Nov  3 04:02:02 acr-xe-0-0-15 4126: Nov  3 03:02:02.568: ISAKMP: (1013):IKE_DPD is enabled, initializing timers
Nov  3 04:02:02 acr-xe-0-0-15 4127: Nov  3 03:02:02.568: ISAKMP: (1013):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Nov  3 04:02:02 acr-xe-0-0-15 4128: Nov  3 03:02:02.568: ISAKMP: (1013):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 
Nov  3 04:02:02 acr-xe-0-0-15 4129: Nov  3 03:02:02.578: ISAKMP-PAK: (1013):received packet from 10.10.1.238 dport 500 sport 500 Global (R) QM_IDLE      
Nov  3 04:02:02 acr-xe-0-0-15 4130: Nov  3 03:02:02.578: ISAKMP: (1013):set new node 2448060722 to QM_IDLE      
Nov  3 04:02:02 acr-xe-0-0-15 4131: Nov  3 03:02:02.578: crypto_engine: Decrypt IKE packet 
Nov  3 04:02:02 acr-xe-0-0-15 4132: Nov  3 03:02:02.578: crypto_engine: Generate IKE hash 
Nov  3 04:02:02 acr-xe-0-0-15 4133: Nov  3 03:02:02.578: ISAKMP: (1013):processing HASH payload. message ID = 2448060722
Nov  3 04:02:02 acr-xe-0-0-15 4134: Nov  3 03:02:02.578: ISAKMP: (1013):processing SA payload. message ID = 2448060722
Nov  3 04:02:02 acr-xe-0-0-15 4135: Nov  3 03:02:02.578: ISAKMP: (1013):Checking IPSec proposal 1
Nov  3 04:02:02 acr-xe-0-0-15 4136: Nov  3 03:02:02.578: ISAKMP: (1013):transform 1, ESP_3DES
Nov  3 04:02:02 acr-xe-0-0-15 4137: Nov  3 03:02:02.578: ISAKMP: (1013):   attributes in transform:
Nov  3 04:02:02 acr-xe-0-0-15 4138: Nov  3 03:02:02.578: ISAKMP: (1013):      SA life type in seconds
Nov  3 04:02:02 acr-xe-0-0-15 4139: Nov  3 03:02:02.578: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10 
Nov  3 04:02:02 acr-xe-0-0-15 4140: Nov  3 03:02:02.578: ISAKMP: (1013):      encaps is 1 (Tunnel)
Nov  3 04:02:02 acr-xe-0-0-15 4141: Nov  3 03:02:02.578: ISAKMP: (1013):      authenticator is HMAC-MD5
Nov  3 04:02:02 acr-xe-0-0-15 4142: Nov  3 03:02:02.578: ISAKMP: (1013):      group is 2
Nov  3 04:02:02 acr-xe-0-0-15 4143: Nov  3 03:02:02.578: ISAKMP: (1013):atts are acceptable.
Nov  3 04:02:02 acr-xe-0-0-15 4144: Nov  3 03:02:02.578: IPSEC(validate_proposal_request): proposal part #1
Nov  3 04:02:02 acr-xe-0-0-15 4145: Nov  3 03:02:02.578: IPSEC(validate_proposal_request): proposal part #1,
Nov  3 04:02:02 acr-xe-0-0-15 4146:   (key eng. msg.) INBOUND local= 10.1.2.219:0, remote= 10.10.1.238:0,
Nov  3 04:02:02 acr-xe-0-0-15 4147:     local_proxy= 10.1.1.0/255.255.255.0/256/0,
Nov  3 04:02:02 acr-xe-0-0-15 4148:     remote_proxy= 10.11.1.192/255.255.255.224/256/0,
Nov  3 04:02:02 acr-xe-0-0-15 4149:     protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel), 
Nov  3 04:02:02 acr-xe-0-0-15 4150:     lifedur= 0s and 0kb, 
Nov  3 04:02:02 acr-xe-0-0-15 4151:     spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Nov  3 04:02:02 acr-xe-0-0-15 4152: Nov  3 03:02:02.578: Crypto mapdb : proxy_match
Nov  3 04:02:02 acr-xe-0-0-15 4153: src addr     : 10.1.1.0
Nov  3 04:02:02 acr-xe-0-0-15 4154: dst addr     : 10.11.1.192
Nov  3 04:02:02 acr-xe-0-0-15 4155: protocol     : 0
Nov  3 04:02:02 acr-xe-0-0-15 4156: src port     : 0
Nov  3 04:02:02 acr-xe-0-0-15 4157: dst port     : 0
Nov  3 04:02:02 acr-xe-0-0-15 4158: Nov  3 03:02:02.578: (ipsec_process_proposal)Map Accepted: CRYMAP, 1
Nov  3 04:02:02 acr-xe-0-0-15 4159: Nov  3 03:02:02.578: crypto_engine: Create DH 
Nov  3 04:02:02 acr-xe-0-0-15 4160: Nov  3 03:02:02.580: ISAKMP: (1013):processing NONCE payload. message ID = 2448060722
Nov  3 04:02:02 acr-xe-0-0-15 4161: Nov  3 03:02:02.580: ISAKMP: (1013):processing KE payload. message ID = 2448060722
Nov  3 04:02:02 acr-xe-0-0-15 4162: Nov  3 03:02:02.580: crypto_engine: Create DH shared secret 
Nov  3 04:02:02 acr-xe-0-0-15 4163: Nov  3 03:02:02.582: ISAKMP: (1013):processing ID payload. message ID = 2448060722
Nov  3 04:02:02 acr-xe-0-0-15 4164: Nov  3 03:02:02.582: ISAKMP: (1013):processing ID payload. message ID = 2448060722
Nov  3 04:02:02 acr-xe-0-0-15 4165: Nov  3 03:02:02.582: ISAKMP: (1013):QM Responder gets spi
Nov  3 04:02:02 acr-xe-0-0-15 4166: Nov  3 03:02:02.582: ISAKMP: (1013):Node 2448060722, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Nov  3 04:02:02 acr-xe-0-0-15 4167: Nov  3 03:02:02.582: ISAKMP: (1013):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
Nov  3 04:02:02 acr-xe-0-0-15 4168: Nov  3 03:02:02.582: crypto_engine: Generate IKE hash 
Nov  3 04:02:02 acr-xe-0-0-15 4169: Nov  3 03:02:02.582: ISAKMP: (1013):Node 2448060722, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
Nov  3 04:02:02 acr-xe-0-0-15 4170: Nov  3 03:02:02.582: ISAKMP: (1013):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_IPSEC_INSTALL_AWAIT
Nov  3 04:02:02 acr-xe-0-0-15 4171: Nov  3 03:02:02.582: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Nov  3 04:02:02 acr-xe-0-0-15 4172: Nov  3 03:02:02.582: Crypto mapdb : proxy_match
Nov  3 04:02:02 acr-xe-0-0-15 4173: src addr     : 10.1.1.0
Nov  3 04:02:02 acr-xe-0-0-15 4174: dst addr     : 10.11.1.192
Nov  3 04:02:02 acr-xe-0-0-15 4175: protocol     : 256
Nov  3 04:02:02 acr-xe-0-0-15 4176: src port     : 0
Nov  3 04:02:02 acr-xe-0-0-15 4177: dst port     : 0
Nov  3 04:02:02 acr-xe-0-0-15 4178: Nov  3 03:02:02.582: IPSEC(crypto_ipsec_create_ipsec_sas): Map found CRYMAP, 1
Nov  3 04:02:02 acr-xe-0-0-15 4179: Nov  3 03:02:02.582: crypto_engine: Generate IKE QM keys 
Nov  3 04:02:02 acr-xe-0-0-15 4180: Nov  3 03:02:02.582: crypto_engine: Create IPSec SA (by keys) 
Nov  3 04:02:02 acr-xe-0-0-15 4181: Nov  3 03:02:02.582: crypto_engine: Generate IKE QM keys 
Nov  3 04:02:02 acr-xe-0-0-15 4182: Nov  3 03:02:02.582: crypto_engine: Create IPSec SA (by keys) 
Nov  3 04:02:02 acr-xe-0-0-15 4183: Nov  3 03:02:02.582: IPSEC(get_old_outbound_sa_for_peer): No outbound SA found for peer 7F837699F4D8
Nov  3 04:02:02 acr-xe-0-0-15 4184: Nov  3 03:02:02.582: IPSEC(create_sa): sa created
Nov  3 04:02:02 acr-xe-0-0-15 4185: ,
Nov  3 04:02:02 acr-xe-0-0-15 4186:   (sa) sa_dest= 10.1.2.219, sa_proto= 50, 
Nov  3 04:02:02 acr-xe-0-0-15 4187:     sa_spi= 0xA2641181(2724467073), 
Nov  3 04:02:02 acr-xe-0-0-15 4188:     sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2013
Nov  3 04:02:02 acr-xe-0-0-15 4189:     sa_lifetime(k/sec)= (4608000/3600),
Nov  3 04:02:02 acr-xe-0-0-15 4190:   (identity) local= 10.1.2.219:0, remote= 10.10.1.238:0,
Nov  3 04:02:02 acr-xe-0-0-15 4191:     local_proxy= 10.1.1.0/255.255.255.0/256/0,
Nov  3 04:02:02 acr-xe-0-0-15 4192:     remote_proxy= 10.11.1.192/255.255.255.224/256/0
Nov  3 04:02:02 acr-xe-0-0-15 4193: Nov  3 03:02:02.582: IPSEC(create_sa): sa created,
Nov  3 04:02:02 acr-xe-0-0-15 4194:   (sa) sa_dest= 10.10.1.238, sa_proto= 50, 
Nov  3 04:02:02 acr-xe-0-0-15 4195:     sa_spi= 0xF92C186B(4180416619), 
Nov  3 04:02:02 acr-xe-0-0-15 4196:     sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2014
Nov  3 04:02:02 acr-xe-0-0-15 4197:     sa_lifetime(k/sec)= (4608000/3600),
Nov  3 04:02:02 acr-xe-0-0-15 4198:   (identity) local= 10.1.2.219:0, remote= 10.10.1.238:0
Nov  3 04:02:02 acr-xe-0-0-15 4199: ,
Nov  3 04:02:02 acr-xe-0-0-15 4200:     local_proxy= 10.1.1.0/255.255.255.0/256/0,
Nov  3 04:02:02 acr-xe-0-0-15 4201:     remote_proxy= 10.11.1.192/255.255.255.224/256/0
Nov  3 04:02:02 acr-xe-0-0-15 4202: Nov  3 03:02:02.586: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_listinc_ipsec_active_tunnels : IPSec active tunnels : 4
Nov  3 04:02:02 acr-xe-0-0-15 4203: notify_mib_ipsec_tunnel_activation: peer has  vdi ptr set 0x7F8376DEA6F8 
Nov  3 04:02:02 acr-xe-0-0-15 4204: scmIpSecTunnelCreated (IKE SA:13), (IPSEC SA:3)
Nov  3 04:02:02 acr-xe-0-0-15 4205: ...new ipsidx:6
Nov  3 04:02:02 acr-xe-0-0-15 4206: Nov  3 03:02:02.586: scmIPSecTunnelCreated: Default context, vdi_ptr=gdi_ptr=140202611746552/140202611746552
Nov  3 04:02:02 acr-xe-0-0-15 4207: Nov  3 03:02:02.586: ISAKMP: (1013):Received IPSec Install callback... proceeding with the negotiation
Nov  3 04:02:02 acr-xe-0-0-15 4208: Nov  3 03:02:02.586: ISAKMP: (1013):Successfully installed IPSEC SA (SPI:0xA2641181) on GigabitEthernet0/0/1
Nov  3 04:02:02 acr-xe-0-0-15 4209: Nov  3 03:02:02.586: crypto engine: deleting DH phase 2 SW:25 
Nov  3 04:02:02 acr-xe-0-0-15 4210: Nov  3 03:02:02.586: crypto_engine: Delete DH shared secret 
Nov  3 04:02:02 acr-xe-0-0-15 4211: Nov  3 03:02:02.586: crypto engine: deleting DH SW:24 
Nov  3 04:02:02 acr-xe-0-0-15 4212: Nov  3 03:02:02.586: crypto_engine: Encrypt IKE packet 
Nov  3 04:02:02 acr-xe-0-0-15 4213: Nov  3 03:02:02.586: ISAKMP-PAK: (1013):sending packet to 10.10.1.238 my_port 500 peer_port 500 (R) QM_IDLE      
Nov  3 04:02:02 acr-xe-0-0-15 4214: Nov  3 03:02:02.586: ISAKMP: (1013):Sending an IKE IPv4 Packet.
Nov  3 04:02:02 acr-xe-0-0-15 4215: Nov  3 03:02:02.586: ISAKMP: (1013):Node 2448060722, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
Nov  3 04:02:02 acr-xe-0-0-15 4216: Nov  3 03:02:02.586: ISAKMP: (1013):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_R_QM2
Nov  3 04:02:02 acr-xe-0-0-15 4217: Nov  3 03:02:02.586: crypto_engine: Delete DH 
Nov  3 04:02:02 acr-xe-0-0-15 4218: Nov  3 03:02:02.598: ISAKMP-PAK: (1013):received packet from 10.10.1.238 dport 500 sport 500 Global (R) QM_IDLE      
Nov  3 04:02:02 acr-xe-0-0-15 4219: Nov  3 03:02:02.598: crypto_engine: Decrypt IKE packet 
Nov  3 04:02:02 acr-xe-0-0-15 4220: Nov  3 03:02:02.598: crypto_engine: Generate IKE hash 
Nov  3 04:02:02 acr-xe-0-0-15 4221: Nov  3 03:02:02.598: ISAKMP: (1013):deleting node 2448060722 error FALSE reason "QM done (await)"
Nov  3 04:02:02 acr-xe-0-0-15 4222: Nov  3 03:02:02.598: ISAKMP: (1013):Node 2448060722, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Nov  3 04:02:02 acr-xe-0-0-15 4223: Nov  3 03:02:02.598: ISAKMP: (1013):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE

So any tip or hint that can resolve this issue would be appreciated.

Thanks in advance,

Kind regards,

Udo

16 Replies

Hello Udo,

Thanks for the update. So you are using VTIs now with IPsec profiles? Would you mind posting the final, working configuration, for future reference?

Hi Georg,

Yes, I can post it here. I found the solution after days of reading issues and posts about "VRF-Aware IPSec VPN". But all of it was complicated, with many things you don't need. I am an admin who loves simple and clear configurations that do what I want, not more.

You don't need a VTI. Because you would need to change the remote side too, because of the lack of a pre-shared key, you need a plain crypto map and ACL setup. You also don't need such OSPF, BGP or RIP routing monsters to do the simple thing I was trying to achieve.

I only use the VRF vzb as a route engine, as it is. This mechanism still works on an ASR1002X to push the protected traffic through the tunnel. The benefit is a separation of the crypto traffic into a virtual instance, which you miss in pure ACL-based routing (which definitely does not work on an ASR1002X). Because I love simple but complete examples, here is my actual config, stripped of another VPN partner and the dial-up VPN.

The bold parts are statements I added in comparison to the original C2821 config without VRF. The keyring needs to be changed to the original crypto isakmp key <secretkey> address <peer-ip> for each peer.

 

aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local 
!
aaa session-id common
!
ip vrf vzb
!
ip name-server <nameserver ips>
!
crypto keyring vzb vrf vzb 
  pre-shared-key address <peerip-ldn> key <secretkey>
  pre-shared-key address <peerip-dtm> key <secretkey>
  pre-shared-key address <peerip-ams> key <secretkey>
!
no crypto isakmp default policy
!
crypto isakmp policy 3
 encr aes 256
 hash sha256
 authentication pre-share
 group 14 
 lifetime 3600
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp keepalive 60 periodic
crypto isakmp nat keepalive 30
!
crypto isakmp profile vzb-ike-prof
   vrf vzb
   keyring vzb
   match identity address <peerip-ldn> 255.255.255.255 
   match identity address <peerip-dtm> 255.255.255.255 
   match identity address <peerip-ams> 255.255.255.255 
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set ipcom esp-3des esp-md5-hmac 
 mode tunnel
!
crypto map CRYMAP local-address GigabitEthernet0/0/1
crypto map CRYMAP 1 ipsec-isakmp 
 description VzB DTM
 set peer <peerip-dtm>
 set transform-set ipcom 
 set pfs group2
 set isakmp-profile vzb-ike-prof
 match address VZB-DTM
 reverse-route
crypto map CRYMAP 2 ipsec-isakmp 
 description VzB AMS
 set peer <peerip-ams>
 set transform-set ipcom 
 set pfs group2
 set isakmp-profile vzb-ike-prof
 match address VZB-AMS
 reverse-route
crypto map CRYMAP 3 ipsec-isakmp 
 description VzB LND
 set peer <peerip-ldn>
 set transform-set ipcom 
 set pfs group2
 set isakmp-profile vzb-ike-prof
 match address VZB-LDN
 reverse-route
!
interface GigabitEthernet0/0/0
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/1
 ip vrf forwarding vzb
 ip address <our-peer-ip> 255.255.255.192
 no ip redirects
 negotiation auto
 crypto map CRYMAP
!
interface GigabitEthernet0/0/2
 ip address <defaultip-router> 255.255.255.240
 no ip redirects
 negotiation auto
 ipv6 nd ra suppress
!
interface GigabitEthernet0/0/3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/4
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/5
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 10.10.10.251 255.255.255.0
 negotiation auto
!
ip forward-protocol nd
ip http server
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 1 
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 <uplink-gatewayip>
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.10.10.1
ip route vrf vzb 0.0.0.0 0.0.0.0 <gw-ip-our-peer-net>
!
ip access-list extended VZB-AMS
 permit ip <local-protected-net> 0.0.0.255 <remote-protected-net-ams> 0.0.0.31
ip access-list extended VZB-DTM
 permit ip <local-protected-net> 0.0.0.255 <remote-protected-netdtm> 0.0.0.31
ip access-list extended VZB-LDN
 permit ip <local-protected-net> 0.0.0.255 <remote-protected-net-ldn> 0.0.0.31
!
!
control-plane
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 session-timeout 35000 
!
transport type persistent webui input https-webui
!
ntp source GigabitEthernet0/0/2
ntp server <ntp-server-ip>
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
end

Hope this will help anybody who migrates an old IOS VPN aggregator to an IOS-XE ASR and prevents administrator suicide :).

Best,

Udo
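Added example, not code from the thread or from Udo: a small Python audit that applies the preconditions behind this thread to a config written in the posted style. For every crypto map entry it checks that the peer has a pre-shared key in the keyring bound to the entry's ISAKMP profile, that the profile carries a "match identity address" for that peer, that profile, keyring and the interface carrying the map all sit in the same VRF (the VRF-aware detail the poster had to add on the ASR), that the referenced ACL exists and that reverse-route is present so the remote network is injected into the VRF table. It also flags legacy algorithms: the posted config still negotiates esp-3des/esp-md5-hmac, PFS group 2 and a 3DES/MD5/group 2 ISAKMP policy, which a current review would want replaced with AES, SHA-2 and DH group 14 or higher. The config embedded in the script is constructed for the demo (documentation addresses, a dummy key, a deliberately broken third map entry); SAMPLE_CONFIG, parse and audit are names of this example only. It is a static check of the text, not a replacement for `show crypto session detail` and `show ip route vrf vzb` on the box.

```python
import re

# Constructed sample in the posted style (documentation addresses, dummy key); map entry 3 is deliberately broken.
SAMPLE_CONFIG = """\
crypto keyring vzb vrf vzb
  pre-shared-key address 198.51.100.20 key dummy-dtm
crypto isakmp profile vzb-ike-prof
   vrf vzb
   keyring vzb
   match identity address 198.51.100.20 255.255.255.255
crypto ipsec transform-set ipcom esp-3des esp-md5-hmac
crypto map CRYMAP 1 ipsec-isakmp
 set peer 198.51.100.20
 set transform-set ipcom
 set pfs group2
 set isakmp-profile vzb-ike-prof
 match address VZB-DTM
 reverse-route
crypto map CRYMAP 3 ipsec-isakmp
 set peer 198.51.100.30
 set transform-set ipcom
 set isakmp-profile vzb-ike-prof
 match address VZB-LDN
interface GigabitEthernet0/0/1
 ip vrf forwarding vzb
 crypto map CRYMAP
ip access-list extended VZB-DTM
 permit ip 10.20.0.0 0.0.0.255 172.16.5.0 0.0.0.31
"""

WEAK = re.compile(r"\b(des|3des|md5|group ?[125])\b")  # DES/3DES, MD5, DH groups 1/2/5

def parse(text):
    # A column-0 line opens a section; indented lines belong to the section last opened.
    cfg = {"keyring": {}, "profile": {}, "ts": {}, "map": {}, "iface": {}, "acl": set()}
    cur = None
    for raw in text.splitlines():
        w = raw.split()
        if not w or raw.startswith("!"):
            cur = None
        elif raw[0] != " ":
            cur = None
            if w[:2] == ["crypto", "keyring"]:  # 'vrf X' on the keyring line is optional
                cur = cfg["keyring"].setdefault(w[2], {"vrf": w[-1] if "vrf" in w else None, "peers": set()})
            elif w[:3] == ["crypto", "isakmp", "profile"]:
                cur = cfg["profile"].setdefault(w[3], {"vrf": None, "keyring": None, "ids": set()})
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["ts"][w[3]] = " ".join(w[4:])
            elif w[:2] == ["crypto", "map"] and w[-1] == "ipsec-isakmp":
                cur = cfg["map"].setdefault((w[2], int(w[3])), {})
            elif w[0] == "interface":
                cur = cfg["iface"].setdefault(w[1], {"vrf": None, "map": None})
            elif w[:3] == ["ip", "access-list", "extended"]:
                cfg["acl"].add(w[3])
        elif cur is not None:
            if w[0] == "pre-shared-key":
                cur["peers"].add(w[2])
            elif w[0] in ("keyring", "vrf") or w[:2] == ["ip", "vrf"]:  # profile keyring/vrf, interface vrf
                cur["vrf" if "vrf" in w else "keyring"] = w[-1]
            elif w[:2] == ["match", "identity"]:
                cur["ids"].add(w[3])
            elif w[:2] == ["match", "address"]:
                cur["acl"] = w[2]
            elif w[0] == "set":  # peer / transform-set / pfs / isakmp-profile
                cur[w[1]] = w[2]
            elif w[0] == "reverse-route":
                cur["rri"] = True
            elif w[:2] == ["crypto", "map"]:
                cur["map"] = w[2]
    return cfg

def audit(text):
    # One finding per broken precondition; an empty list means the entry should negotiate and route.
    cfg, out = parse(text), []
    iface_of = {d["map"]: (n, d["vrf"]) for n, d in cfg["iface"].items() if d["map"]}
    for (name, seq), m in sorted(cfg["map"].items()):
        tag, peer = f"crypto map {name} {seq}", m.get("peer")
        prof = cfg["profile"].get(m.get("isakmp-profile"), {"vrf": None, "keyring": None, "ids": set()})
        kr = cfg["keyring"].get(prof["keyring"], {"vrf": None, "peers": set()})
        iface, ivrf = iface_of.get(name, (None, None))
        if peer not in prof["ids"]:
            out.append(f"{tag}: profile has no 'match identity address' for peer {peer}")
        if peer not in kr["peers"]:
            out.append(f"{tag}: no pre-shared key for peer {peer} in keyring {prof['keyring']}")
        if iface is None or not prof["vrf"] == kr["vrf"] == ivrf:  # the VRF-awareness trap
            out.append(f"{tag}: VRF mismatch profile={prof['vrf']} keyring={kr['vrf']} interface {iface}={ivrf}")
        if m.get("acl") not in cfg["acl"]:
            out.append(f"{tag}: ACL {m.get('acl')} not defined")
        if not m.get("rri"):
            out.append(f"{tag}: no reverse-route, remote network will not be injected into the VRF")
        if "pfs" not in m or WEAK.search(m["pfs"]):
            out.append(f"{tag}: PFS missing or legacy DH group ({m.get('pfs')})")
    for n, algs in cfg["ts"].items():
        if WEAK.search(algs):
            out.append(f"transform-set {n}: legacy algorithms ({algs})")
    return out

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)) or "no findings")
```

Run against the sample, entry 1 is reported only for its group 2 PFS, entry 3 for the missing identity match, missing key, undefined ACL, missing reverse-route and missing PFS, and the transform set for 3DES/MD5. Feed it `show running-config` output after replacing the placeholders, and change the interface's VRF in the sample to see the mismatch that leaves IKE up but the routes uninstalled.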
