12-29-2013 06:13 PM - edited 03-04-2019 09:57 PM
Hi Guys
Looking for a little assistance here. I am setting up an IPSEC-over-GRE tunnel between a couple of CSRs and as soon as I enable IPSEC the tunnel protocol drops and won't come back up.
Here is the relevant configuration:
Crypto Config on Both Routers
======================
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key ****** address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile ipsec-over-gre
 set transform-set esp-aes-sha
Interface Configuration on Router 1
=========================
interface GigabitEthernet2
 vrf forwarding Prod
 ip address 10.0.0.1 255.255.255.0
 ip nat outside
 negotiation auto
Tunnel Interface Configuration on Router 1
==============================
interface Tunnel0
 vrf forwarding Prod
 ip address 192.168.254.1 255.255.255.0
 tunnel source GigabitEthernet2
 tunnel mode ipsec ipv4
 tunnel destination 10.0.0.2
 tunnel path-mtu-discovery
 tunnel vrf Prod
 tunnel protection ipsec profile ipsec-over-gre
Interface Configuration on Router 2
=========================
interface GigabitEthernet2
 vrf forwarding Prod
 ip address 10.0.0.2 255.255.255.0
 ip nat outside
 negotiation auto
Tunnel Interface Configuration on Router 2
==============================
interface Tunnel0
 vrf forwarding Prod
 ip address 192.168.254.2 255.255.255.0
 tunnel source GigabitEthernet2
 tunnel mode ipsec ipv4
 tunnel destination 10.0.0.1
 tunnel path-mtu-discovery
 tunnel vrf Prod
 tunnel protection ipsec profile ipsec-over-gre
Troubleshooting so far
================
- The two physical interfaces can ping each other successfully
- The tunnel interface works before the tunnel mode ipsec ipv4 command is added, and then it drops. Shortly after that I add the tunnel protection ipsec profile ipsec-over-gre command.
- Show interface reveals:
CSR-03#show int tun0
Tunnel0 is up, line protocol is down
Hardware is Tunnel
Internet address is 192.168.254.2/24
MTU 17892 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 10.0.0.1 (GigabitEthernet2), destination 10.0.0.2
Tunnel Subblocks:
src-track:
Tunnel0 source tracking subblock associated with GigabitEthernet2
Set of tunnels with source GigabitEthernet2, 1 member (includes iterators), on interface <OK>
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Path MTU Discovery, ager 10 mins, min MTU 92
Tunnel transport MTU 1500 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "ipsec-over-gre")
Last input never, output never, output hang never
Last clearing of "show interface" counters 00:00:04
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
Any assistance at all is greatly appreciated. I think this should work fine as configured and I can't get my head around why it isn't.
Cheers
Jon
12-29-2013 10:20 PM
Hi,
1) Does your GRE tunnel come up before applying tunnel protection? This is to ensure your GRE tunnel itself is properly configured. Once you confirm this is working, you can move to step 2.
2) When you are working with IPSec in a VRF, I think you would need to implement a crypto keyring to define the pre-shared key. Try this on both routers.
crypto keyring Prod-keyring vrf Prod
 pre-shared-key address 10.1.1.2 key cisco123
!
crypto isakmp profile ike-profile
 vrf Prod
 keyring Prod-keyring
 match identity address 10.1.1.2 255.255.255.255 Prod
crypto ipsec profile ipsec-over-gre
 set transform-set esp-aes-sha
 set isakmp-profile ike-profile
Regards,
Nagis
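A configuration check for the VRF keyring point above, written as an added Python example that is not from the thread or from Cisco: it parses a running-config excerpt and flags a tunnel whose `tunnel vrf` is not backed by a keyring scoped to that VRF, and separately flags a global wildcard pre-shared key, which lets any peer holding the key negotiate. The two sample configs are constructed for the example (peer 10.0.0.2 and the key name follow the thread); `BROKEN` mirrors the original failing state and `FIXED` the keyring-based solution.

```python
import re
# Constructed samples: the failing state (global wildcard PSK, no ISAKMP profile) and the keyring fix.
BROKEN = "\n".join([
    "crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0",
    "crypto ipsec profile ipsec-over-gre", " set transform-set esp-aes-sha",
    "interface Tunnel0", " tunnel vrf Prod", " tunnel protection ipsec profile ipsec-over-gre"])
FIXED = "\n".join([
    "crypto keyring Prod-keyring vrf Prod", " pre-shared-key address 10.0.0.2 key cisco123",
    "crypto isakmp profile ike-profile", " vrf Prod", " keyring Prod-keyring",
    " match identity address 10.0.0.2 255.255.255.255 Prod",
    "crypto ipsec profile ipsec-over-gre", " set transform-set esp-aes-sha", " set isakmp-profile ike-profile",
    "interface Tunnel0", " tunnel vrf Prod", " tunnel protection ipsec profile ipsec-over-gre"])

def sections(config):
    """Map each top-level IOS command to the list of its indented sub-commands."""
    out, cur = {}, None
    for line in (l for l in config.splitlines() if l.strip() and l[0] != "!"):
        if line[0] != " ":
            cur = line.strip()
            out[cur] = []
        elif cur:
            out[cur].append(line.strip())
    return out

def word(body, prefix, n):
    # n-th token of the first sub-command starting with prefix, or None if absent
    return next((l.split()[n] for l in body if l.startswith(prefix)), None)

def lint_vrf_ipsec(config):
    """Return findings for tunnels whose 'tunnel vrf' is not backed by a keyring in that VRF."""
    sec = sections(config)
    keyring_vrf = {m[1]: m[2] for h in sec                      # keyring name -> vrf (None = global)
                   if (m := re.match(r"crypto keyring (\S+)(?: vrf (\S+))?", h))}
    ike = {h.split()[3]: word(b, "keyring ", 1)                  # isakmp profile -> keyring name
           for h, b in sec.items() if h.startswith("crypto isakmp profile ")}
    ipsec = {h.split()[3]: word(b, "set isakmp-profile ", 2)    # ipsec profile -> isakmp profile
             for h, b in sec.items() if h.startswith("crypto ipsec profile ")}
    findings = []
    if any(re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0", h) for h in sec):
        findings.append("wildcard global ISAKMP key: any peer holding the PSK may negotiate")
    for h, b in sec.items():
        tvrf, prof = word(b, "tunnel vrf ", 2), word(b, "tunnel protection ipsec profile ", 4)
        if not (h.startswith("interface Tunnel") and tvrf and prof):
            continue
        prof_ike = ipsec.get(prof)
        if prof_ike is None:
            findings.append(f"{h}: profile {prof} sets no isakmp-profile, so fVRF {tvrf} has no keyring")
        elif keyring_vrf.get(ike.get(prof_ike)) != tvrf:
            findings.append(f"{h}: isakmp profile {prof_ike} keyring is not scoped to vrf {tvrf}")
    return findings
```

Feed `show run | sec crypto|interface Tunnel` output from both routers through `lint_vrf_ipsec` and compare the results; the fixed side should return no findings.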
12-29-2013 06:40 PM
Jon
I have done this type of tunnel a number of times but not yet on CSRs. So there is some possibility that some aspect of CSR is getting in the way that I would not recognize. If the tunnel works ok before you enable the crypto then that assures that it is not an issue with IP connectivity or with basic tunnel configuration.
So it is most likely that there is some problem with crypto configuration. My first suggestion is to verify that both devices have correct images to support crypto and have licenses activated that support crypto (though if the crypto commands are accepted it is likely that image and license are ok). But let's start here.
My second suggestion is check the configurations and verify that the crypto configuration is really the same on both devices.
My third suggestion would be to use some crypto debugging, probably starting with ISAKMP, to see where the crypto negotiation is not working.
HTH
Rick
12-29-2013 07:09 PM
Hi Rick
Thanks heaps for the fast reply.
The software I am using is the trial version of the CSR - It comes with the Advanced License, which should allow IPSec...
I can confirm that the crypto information is the same. I have also done a debug on both CSRs, and it's coming back saying that there is no PSK specified for the peer, although clearly there is. I've also tried setting the peer specifically to the remote interface address (10.0.0.x), but no joy.
Router-1#show run | sec crypto
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key ***** address 0.0.0.0
crypto isakmp keepalive 10
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile ipsec-over-gre
 set transform-set esp-aes-sha
Router-2#show run | sec crypto
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key ***** address 0.0.0.0
crypto isakmp keepalive 10
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile ipsec-over-gre
 set transform-set esp-aes-sha
Router-1#debug crypto isakmp
*Dec 30 02:58:56.943: ISAKMP:(0): SA request profile is (NULL)
*Dec 30 02:58:56.943: ISAKMP: Created a peer struct for 10.0.0.2, peer port 500
*Dec 30 02:58:56.943: ISAKMP: New peer created peer = 0x7F9539B29578 peer_handle = 0x80000099
*Dec 30 02:58:56.943: ISAKMP: Locking peer struct 0x7F9539B29578, refcount 1 for isakmp_initiator
*Dec 30 02:58:56.943: ISAKMP: local port 500, remote port 500
*Dec 30 02:58:56.943: ISAKMP: set new node 0 to QM_IDLE
*Dec 30 02:58:56.943: ISAKMP:(0):insert sa successfully sa = 7F9539B2F100
*Dec 30 02:58:56.943: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Dec 30 02:58:56.943: ISAKMP:(0):No pre-shared key with 10.0.0.2!
*Dec 30 02:58:56.945: ISAKMP:(0): No Cert or pre-shared address key.
*Dec 30 02:58:56.946: ISAKMP:(0): construct_initial_message: Can not start Main mode
*Dec 30 02:58:56.947: ISAKMP: Unlocking peer struct 0x7F9539B29578 for isadb_unlock_peer_delete_sa(), count 0
*Dec 30 02:58:56.948: ISAKMP: Deleting peer node by peer_reap for 10.0.0.2: 7F9539B29578
*Dec 30 02:58:56.949: ISAKMP:(0):purging SA., sa=7F9539B2F100, delme=7F9539B2F100
*Dec 30 02:58:56.949: ISAKMP:(0):purging node 2692845451
*Dec 30 02:58:56.949: ISAKMP: Error while processing SA request: Failed to initialize SA
CSR-01#
*Dec 30 02:58:56.949: ISAKMP: Error while processing KMI message 0, error 2.
I'll keep troubleshooting - Any chance it could have something to do with using VRFs?
Cheers
Jon
12-29-2013 08:29 PM
Jon
I cannot rule out VRFs being part of the problem. But at this point I believe it is likely something other than VRF. We may come back to that later, but for now let's look at other things.
One thing that strikes me in reviewing what you posted is the use of crypto isakmp key 0.0.0.0 on both routers. When I have done this kind of config before I have used 0.0.0.0 on one side (hub in hub and spoke network) and have specified the address in the crypto isakmp key of the spoke router. Is it possible to try specifying the peer address on one of the routers?
HTH
Rick
12-30-2013 01:53 PM
Rick and Nagis,
Thanks so much for your help and your time!
Nagis, I've gotten it working using the isakmp profile with the crypto keyring. Spot on - works perfectly!
Really happy to have found a solution, so thanks again for that!
Cheers
Jon
01-12-2014 10:12 PM
Hi Jonathan,
Glad to know that it resolved the problem.
Regards,
Nagis