VTI and IPSEC (tunnel mode ipsec is not working )

UCrypto
Level 1

Dear all,

I am trying VTI in my lab and I have an issue.

I cannot turn on "tunnel mode ipsec ipv4" on the tunnel.

If I activate that command, my traffic cannot reach end to end (host to host).

If I remove this command, I can reach host to host.

Is it a VTI restriction or a configuration error on my side? When I change the IPsec mode to GRE, it also works. IPsec mode is not working.

 

hostname R1
!
ip cef
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key MY_PASSWORD address 192.168.12.2
!
crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
set transform-set MY_TRANSFORM_SET
!
interface Tunnel0
ip address 12.12.12.1 255.255.255.0
tunnel source 192.168.12.1
tunnel mode ipsec ipv4
tunnel destination 192.168.12.2
tunnel protection ipsec profile IPSEC_PROFILE
!
interface g1/0
ip address 192.168.1.254 255.255.255.0
!
interface g0/0
ip address 192.168.12.1 255.255.255.0
!
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
end

hostname R2
!
ip cef
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key MY_PASSWORD address 192.168.12.1
!
crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
set transform-set MY_TRANSFORM_SET
!
interface Tunnel0
ip address 12.12.12.2 255.255.255.0
tunnel source 192.168.12.2
tunnel mode ipsec ipv4
tunnel destination 192.168.12.1
tunnel protection ipsec profile IPSEC_PROFILE
!
interface g1/0
ip address 192.168.2.254 255.255.255.0
!
interface g0/0
ip address 192.168.12.2 255.255.255.0
!
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
end

Accepted Solutions

I think it is an IOS image error. Please use c7200-adventerprisek9-mz.152-4.M8


Hello,

The config looks good, actually. Which routers are you using, and is this a simulator or live equipment?

What if you change:

crypto isakmp key MY_PASSWORD address 192.168.12.1

to

crypto isakmp key MY_PASSWORD address 0.0.0.0 0.0.0.0

on both ends?

Hello

What are you testing this on? I am asking because, as far as I can see, your config looks okay.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi,

I already tried the solution that you proposed above.

But it still does not work. I don't know why.

I thought the VPC was the error, so I changed the VPCs to routers and tested, but I still got the error.

Please see the ping test and traceroute.

If I remove the IPsec tunnel mode, the hosts can reach each other.

Hello

It sounds like your simulation software. Try GNS3 and test again.



Kind Regards
Paul

Hello,

This looks like GNS3. Which images are you using?

Post the full configs of all 4 routers so we can lab this...

Hi,
I am using c7200-advipservicesk9-mz.152-4.S5.image. If it is a GNS3 error, I am happy. I worry that it may not work in production. Please see the configs of all 4 routers.
R1#sh run
Building configuration...

Current configuration : 1583 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!

!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated

ip tcp synwait-time 5
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key MY_PASSWORD address 0.0.0.0
!
!
crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
set transform-set MY_TRANSFORM_SET
!
!
interface Tunnel0
ip address 12.12.12.1 255.255.255.0
tunnel source 192.168.12.1
tunnel mode ipsec ipv4
tunnel destination 192.168.12.2
tunnel protection ipsec profile IPSEC_PROFILE
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
!
interface GigabitEthernet0/0
ip address 192.168.12.1 255.255.255.0
media-type gbic
speed 1000
duplex full
negotiation auto
!
interface GigabitEthernet1/0
ip address 192.168.1.254 255.255.255.0
negotiation auto
!
interface GigabitEthernet2/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

R1#

 

R2#sh run
Building configuration...

Current configuration : 1583 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key MY_PASSWORD address 0.0.0.0
!
!
crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
set transform-set MY_TRANSFORM_SET
!
!
!
!
!
!
!
interface Tunnel0
ip address 12.12.12.2 255.255.255.0
tunnel source 192.168.12.2
tunnel mode ipsec ipv4
tunnel destination 192.168.12.1
tunnel protection ipsec profile IPSEC_PROFILE
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
!
interface GigabitEthernet0/0
ip address 192.168.12.2 255.255.255.0
media-type gbic
speed 1000
duplex full
negotiation auto
!
interface GigabitEthernet1/0
ip address 192.168.2.254 255.255.255.0
negotiation auto
!
interface GigabitEthernet2/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

R2#

R3#sh run
Building configuration...

Current configuration : 1095 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
!
interface GigabitEthernet0/0
no ip address
shutdown
media-type gbic
speed 1000
duplex full
negotiation auto
!
interface GigabitEthernet1/0
ip address 192.168.1.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet2/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

R3#

R4#sh run
Building configuration...

Current configuration : 1095 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
!
interface GigabitEthernet0/0
no ip address
shutdown
media-type gbic
speed 1000
duplex full
negotiation auto
!
interface GigabitEthernet1/0
ip address 192.168.2.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet2/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.2.254
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

R4#

 

 

Hello,

I just recreated your exact setup in GNS3, with IOSv 15.6(2)T, and it works perfectly. So I am pretty sure it is a version problem; there is nothing wrong with the configs.

Hi ,

Thank you for your help. I already tested with a real device, and VTI with a pre-shared key is working.

Please let me know about the points below, which I am confused about.

  1. Can I create an IPsec tunnel (static VTI) with a CA (without using a pre-shared key)?
  2. Can I set up both a static VTI tunnel and a DMVPN tunnel on one branch router? (I want to connect to DC1 using IPsec with VTI and send traffic to DC2 using DMVPN), because DC1 uses non-Cisco devices and DC2 uses Cisco devices. The branches use Cisco routers.

https://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html#wp1046681

Restrictions for IPsec Virtual Tunnel Interface
IPsec Transform Set
The IPsec transform set must be configured in tunnel mode only.

P.S.
good tool https://cway.cisco.com/tools/ipsec-overhead-calc/
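The tunnel-mode restriction quoted above, and the peer settings in the configs posted earlier in the thread, can be checked mechanically before a lab run. This is an added example, not part of any post and not a Cisco tool; `parse_vti`, `check_pair`, the `TEMPLATE` config and its placeholder key are constructed for illustration, and only `Tunnel0` is examined.

```python
import re

def parse_vti(cfg):
    """Pull the VTI-relevant settings out of an IOS running-config string."""
    out = {"ts_mode": {}, "profile_ts": {}, "psk_peers": [], "tunnel": {}}
    sect = (None, None)
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r"crypto ipsec transform-set (\S+)", line):
            sect = ("ts", m[1])
            out["ts_mode"][m[1]] = "tunnel"  # IOS default when no mode line
        elif m := re.match(r"crypto ipsec profile (\S+)", line):
            sect = ("profile", m[1])
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            out["psk_peers"].append(m[1])
        elif line == "!" or line.startswith("interface "):
            sect = ("tunnel", None) if line == "interface Tunnel0" else (None, None)
        elif sect[0] == "ts" and line.startswith("mode "):
            out["ts_mode"][sect[1]] = line.split()[1]
        elif sect[0] == "profile" and line.startswith("set transform-set "):
            out["profile_ts"][sect[1]] = line.split()[2]
        elif sect[0] == "tunnel" and line.startswith("tunnel "):
            key, _, val = line[7:].partition(" ")
            out["tunnel"][key] = val
    return out

def check_pair(cfg_a, cfg_b):
    """Return findings for a Tunnel0 pair; an empty list means consistent."""
    a, b, findings = parse_vti(cfg_a), parse_vti(cfg_b), []
    for name, me, peer in (("A", a, b), ("B", b, a)):
        tun = me["tunnel"]
        ts = me["profile_ts"].get(tun.get("protection", "").rpartition(" ")[2])
        if tun.get("mode") == "ipsec ipv4" and me["ts_mode"].get(ts) != "tunnel":
            findings.append(f"{name}: transform set {ts} is not in tunnel mode")
        if tun.get("destination") != peer["tunnel"].get("source"):
            findings.append(f"{name}: tunnel destination is not the peer's source")
        if "0.0.0.0" in me["psk_peers"]:
            findings.append(f"{name}: wildcard pre-shared key matches any peer")
        elif tun.get("destination") not in me["psk_peers"]:
            findings.append(f"{name}: no pre-shared key for the tunnel peer")
    return findings

# Constructed sample modelled on the thread's R1/R2 excerpt; the key is a placeholder.
TEMPLATE = ("crypto isakmp key PLACEHOLDER_KEY address {k}\n"
            "crypto ipsec transform-set TS esp-aes esp-sha-hmac\nmode {mode}\n"
            "crypto ipsec profile PROF\nset transform-set TS\n"
            "interface Tunnel0\ntunnel source {src}\ntunnel mode ipsec ipv4\n"
            "tunnel destination {dst}\ntunnel protection ipsec profile PROF\n")
R1 = TEMPLATE.format(k="192.168.12.2", mode="tunnel", src="192.168.12.1", dst="192.168.12.2")
R2_BAD = TEMPLATE.format(k="0.0.0.0", mode="transport", src="192.168.12.2", dst="192.168.12.1")
```

`check_pair(R1, R2_BAD)` reports the transport-mode transform set and the wildcard key on side B; a correctly mirrored pair returns an empty list.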

Hi,
Do you mean I cannot configure VTI with IPsec? Should I use GRE over IPsec? I can use tunnel mode only, because I have to create two tunnels with certificates.

I think it is an IOS image error. Please use c7200-adventerprisek9-mz.152-4.M8
