Beginner

VTI and IPSEC (tunnel mode ipsec is not working )

Dear all,

I am trying VTI in my lab and I have got an issue.

I cannot turn on "tunnel mode ipsec ipv4" on the tunnel.

If I activate that command, my traffic cannot reach end to end (host to host).

If I remove this command, I can reach host to host.

Is it a VTI restriction or my configuration error? When I change the IPsec mode to GRE, it also works. IPsec mode is not working.

 

hostname R1
!
ip cef
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key MY_PASSWORD address 192.168.12.2
!
crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
set transform-set MY_TRANSFORM_SET
!
interface Tunnel0
ip address 12.12.12.1 255.255.255.0
tunnel source 192.168.12.1
tunnel mode ipsec ipv4
tunnel destination 192.168.12.2
tunnel protection ipsec profile IPSEC_PROFILE
!
interface g1/0
ip address 192.168.1.254 255.255.255.0
!
interface g0/0
ip address 192.168.12.1 255.255.255.0
!
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
end

hostname R2
!
ip cef
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key MY_PASSWORD address 192.168.12.1
!
crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
set transform-set MY_TRANSFORM_SET
!
interface Tunnel0
ip address 12.12.12.2 255.255.255.0
tunnel source 192.168.12.2
tunnel mode ipsec ipv4
tunnel destination 192.168.12.1
tunnel protection ipsec profile IPSEC_PROFILE
!
interface g1/0
ip address 192.168.2.254 255.255.255.0
!
interface g0/0
ip address 192.168.12.2 255.255.255.0
!
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
end

7 REPLIES
VIP Advisor

Re: VTI and IPSEC (tunnel mode ipsec is not working )

Hello,

 

The config looks good actually. Which routers are you using, and is this a simulator or live equipment?

 

What if you change:

 

crypto isakmp key MY_PASSWORD address 192.168.12.1

 

to

 

crypto isakmp key MY_PASSWORD address 0.0.0.0 0.0.0.0

 

on both ends?

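The checks the replies make by eye on the question's R1/R2 pair (mirrored tunnel source and destination, the `tunnel mode ipsec ipv4` plus `tunnel protection` pairing that a VTI needs, and how the ISAKMP pre-shared key is bound to the peer) can be scripted. The block below is an added example written for this thread; it is not code from the poster, from Cisco, or from any IOS tool. It embeds a constructed copy of the posted R1 config (indentation dropped, as in the post) and derives R2 from it by swapping the mirrored values. It also flags the wildcard key binding suggested in the reply above as a warning rather than an error, since a key bound to `0.0.0.0` is accepted from any peer that knows it. One assumption is noted in the code: IOS prints `address 0.0.0.0 0.0.0.0` as a bare `address 0.0.0.0`, so both spellings are treated as any-peer.

```python
"""Consistency checks for a two-router IOS VTI (added example; not code from the thread)."""
import ipaddress, re
# Constructed sample input: R1 as quoted in the question (IOS sub-command indentation
# dropped, as the post shows it); R2 is derived by swapping the mirrored values.
R1_CFG = """\
hostname R1
crypto isakmp key MY_PASSWORD address 192.168.12.2
crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
crypto ipsec profile IPSEC_PROFILE
set transform-set MY_TRANSFORM_SET
interface Tunnel0
ip address 12.12.12.1 255.255.255.0
tunnel source 192.168.12.1
tunnel mode ipsec ipv4
tunnel destination 192.168.12.2
tunnel protection ipsec profile IPSEC_PROFILE
interface g0/0
ip address 192.168.12.1 255.255.255.0
"""

def _swap(text, pairs):
    for a, b in pairs:  # exchange a <-> b without double substitution
        text = text.replace(a, "\0").replace(b, a).replace("\0", b)
    return text

R2_CFG = _swap(R1_CFG, [("R1", "R2"), ("192.168.12.1", "192.168.12.2"),
                        ("12.12.12.1 ", "12.12.12.2 ")])

def parse_ios(text):
    """Hostname, ISAKMP keys, profiles and interfaces; sub-commands are matched by keyword."""
    cfg = {"hostname": None, "keys": [], "profiles": {}, "ifaces": {}}
    sect = None  # ("profile", name) or ("iface", name) while inside that block
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] == "!": continue
        line = " ".join(w)
        if w[0] == "hostname":
            cfg["hostname"] = w[1]
        elif line.startswith("crypto isakmp key"):  # ... address <ip> [subnet-mask]
            m = re.match(r"crypto isakmp key .+ address (\S+)(?: (\S+))?$", line)
            if m:
                cfg["keys"].append((m.group(1), m.group(2)))
        elif line.startswith("crypto ipsec profile"):
            sect, cfg["profiles"][w[3]] = ("profile", w[3]), None
        elif w[0] == "interface":
            sect, cfg["ifaces"][w[1]] = ("iface", w[1]), {}
        elif w[0] in ("crypto", "ip", "end") and not line.startswith("ip address"):
            sect = None  # any other top-level command closes the open block
        elif sect and sect[0] == "profile" and line.startswith("set transform-set"):
            cfg["profiles"][sect[1]] = w[2]
        elif sect and sect[0] == "iface":
            i = cfg["ifaces"][sect[1]]
            if line.startswith("ip address"):
                i["ip"] = w[2]
            elif line.startswith("tunnel protection ipsec profile"):
                i["profile"] = w[4]
            elif line.startswith("tunnel mode"):
                i["mode"] = " ".join(w[2:])
            elif w[0] == "tunnel" and w[1] in ("source", "destination"):
                i[w[1]] = w[2]
    return cfg

def key_coverage(keys, peer_ip):
    """'exact' if a key is bound to peer_ip itself, 'wildcard' if only a subnet or any-peer binding
    covers it, None if nothing matches. Assumption: IOS prints 'address 0.0.0.0 0.0.0.0' as a bare
    'address 0.0.0.0', so a missing mask on 0.0.0.0 is read as any-peer."""
    peer, best = int(ipaddress.IPv4Address(peer_ip)), None
    for addr, mask in keys:
        m = int(ipaddress.IPv4Address(mask or ("0.0.0.0" if addr == "0.0.0.0" else "255.255.255.255")))
        if peer & m == int(ipaddress.IPv4Address(addr)) & m:
            if m == 0xFFFFFFFF:
                return "exact"
            best = "wildcard"
    return best

def lint_vti_pair(text_a, text_b):
    """Findings ('ERROR ...' / 'WARN ...'); an empty list means the pair looks consistent."""
    a, b, out = parse_ios(text_a), parse_ios(text_b), []
    for me, peer in ((a, b), (b, a)):
        h = me["hostname"]
        tun = {n: i for n, i in me["ifaces"].items() if n.lower().startswith("tunnel")}
        if not tun:
            out.append(f"ERROR {h}: no Tunnel interface")
            continue
        name, t = next(iter(tun.items()))
        dest, prof = t.get("destination"), t.get("profile")
        if t.get("mode") != "ipsec ipv4":
            out.append(f"ERROR {h} {name}: tunnel mode {t.get('mode')!r}; a VTI needs 'ipsec ipv4'")
        if prof not in me["profiles"]:
            out.append(f"ERROR {h} {name}: protection profile {prof!r} missing or undefined")
        own = {i["ip"] for n, i in me["ifaces"].items() if n not in tun and "ip" in i}
        if t.get("source") not in own:
            out.append(f"ERROR {h} {name}: tunnel source {t.get('source')} is not a local address")
        psrc = [i.get("source") for n, i in peer["ifaces"].items() if n.lower().startswith("tunnel")]
        if dest is None or dest not in psrc:
            out.append(f"ERROR {h} {name}: destination {dest} is not the peer's tunnel source")
        cov = key_coverage(me["keys"], dest) if dest else None
        if cov is None:
            out.append(f"ERROR {h}: no ISAKMP pre-shared key covers peer {dest}")
        elif cov == "wildcard":
            out.append(f"WARN {h}: key bound to a wildcard address, any host holding it can negotiate; rebind to {dest} after the test")
    return out
```

Calling `lint_vti_pair(R1_CFG, R2_CFG)` on the posted pair returns an empty list, which agrees with the replies that the configs are consistent. Substituting the wildcard key from the reply above returns a single WARN line for that router, and changing the tunnel mode to GRE returns an ERROR line; a run that prints nothing for a pair that still does not pass traffic points away from the configuration and toward the platform, which is where the thread ends up.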
VIP Advisor

Re: VTI and IPSEC (tunnel mode ipsec is not working )

Hello

What are you testing this on? I am asking because, as far as I can see, your config looks okay.



kind regards
Paul

Please don't forget to rate any posts that have been helpful.
Beginner

Re: VTI and IPSEC (tunnel mode ipsec is not working )

Hi,

I already tried the solution you proposed above.

But it still cannot. I don't know why.

I thought the VPC was the error, so I changed the VPCs to routers and tested, but still got the error.

Please see the ping test and traceroute.

If I remove the IPsec tunnel mode, they can reach each other.

VIP Advisor

Re: VTI and IPSEC (tunnel mode ipsec is not working )

Hello

It sounds like your simulation software; try GNS3 and test again.



kind regards
Paul

Please don't forget to rate any posts that have been helpful.
VIP Advisor

Re: VTI and IPSEC (tunnel mode ipsec is not working )

Hello,

 

This looks like GNS3; which images are you using?

 

Post the full configs of all 4 routers so we can lab this...

Beginner

Re: VTI and IPSEC (tunnel mode ipsec is not working )

Hi,
I am using c7200-advipservicesk9-mz.152-4.S5.image. If it is a GNS3 error, I am happy; I worry it cannot work in production. Please see the config of all 4 routers.
R1#sh run
Building configuration...

Current configuration : 1583 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!

!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated

ip tcp synwait-time 5
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key MY_PASSWORD address 0.0.0.0
!
!
crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
set transform-set MY_TRANSFORM_SET
!
!
interface Tunnel0
ip address 12.12.12.1 255.255.255.0
tunnel source 192.168.12.1
tunnel mode ipsec ipv4
tunnel destination 192.168.12.2
tunnel protection ipsec profile IPSEC_PROFILE
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
!
interface GigabitEthernet0/0
ip address 192.168.12.1 255.255.255.0
media-type gbic
speed 1000
duplex full
negotiation auto
!
interface GigabitEthernet1/0
ip address 192.168.1.254 255.255.255.0
negotiation auto
!
interface GigabitEthernet2/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

R1#

 

R2#sh run
Building configuration...

Current configuration : 1583 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key MY_PASSWORD address 0.0.0.0
!
!
crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
set transform-set MY_TRANSFORM_SET
!
!
!
!
!
!
!
interface Tunnel0
ip address 12.12.12.2 255.255.255.0
tunnel source 192.168.12.2
tunnel mode ipsec ipv4
tunnel destination 192.168.12.1
tunnel protection ipsec profile IPSEC_PROFILE
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
!
interface GigabitEthernet0/0
ip address 192.168.12.2 255.255.255.0
media-type gbic
speed 1000
duplex full
negotiation auto
!
interface GigabitEthernet1/0
ip address 192.168.2.254 255.255.255.0
negotiation auto
!
interface GigabitEthernet2/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

R2#

R3#sh run
Building configuration...

Current configuration : 1095 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
!
interface GigabitEthernet0/0
no ip address
shutdown
media-type gbic
speed 1000
duplex full
negotiation auto
!
interface GigabitEthernet1/0
ip address 192.168.1.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet2/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

R4#sh run
Building configuration...

Current configuration : 1095 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
!
interface GigabitEthernet0/0
no ip address
shutdown
media-type gbic
speed 1000
duplex full
negotiation auto
!
interface GigabitEthernet1/0
ip address 192.168.2.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet2/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.2.254
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

R4#

 

 

VIP Advisor

Re: VTI and IPSEC (tunnel mode ipsec is not working )

Hello,

 

I just recreated your exact setup in GNS3, with IOSv 15.6(2)T, and it works perfectly. So I am pretty sure it is a version problem; there is nothing wrong with the configs.
