11-08-2018 09:20 PM - edited 03-05-2019 11:02 AM
Dear all,
I am trying VTI in my lab, and I have run into an issue.
I cannot turn on "tunnel mode ipsec ipv4" on the tunnel.
If I activate that command, my traffic cannot reach end to end (host to host).
If I remove this command, I can reach host to host.
Is it a VTI restriction or my configuration error? When I change the IPsec mode to GRE, it also works. IPsec mode is not working.
hostname R1
!
ip cef
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key MY_PASSWORD address 192.168.12.2
!
crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
set transform-set MY_TRANSFORM_SET
!
interface Tunnel0
ip address 12.12.12.1 255.255.255.0
tunnel source 192.168.12.1
tunnel mode ipsec ipv4
tunnel destination 192.168.12.2
tunnel protection ipsec profile IPSEC_PROFILE
!
interface g1/0
ip address 192.168.1.254 255.255.255.0
!
interface g0/0
ip address 192.168.12.1 255.255.255.0
!
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
end
hostname R2
!
ip cef
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key MY_PASSWORD address 192.168.12.1
!
crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
set transform-set MY_TRANSFORM_SET
!
interface Tunnel0
ip address 12.12.12.2 255.255.255.0
tunnel source 192.168.12.2
tunnel mode ipsec ipv4
tunnel destination 192.168.12.1
tunnel protection ipsec profile IPSEC_PROFILE
!
interface g1/0
ip address 192.168.2.254 255.255.255.0
!
interface g0/0
ip address 192.168.12.2 255.255.255.0
!
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
end
02-19-2020 09:39 PM
I think it is an IOS image error. Please use c7200-adventerprisek9-mz.152-4.M8
11-09-2018 01:40 AM
Hello,
The config looks good, actually. Which routers are you using, and is this a simulator or live equipment?
What if you change:
crypto isakmp key MY_PASSWORD address 192.168.12.1
to
crypto isakmp key MY_PASSWORD address 0.0.0.0 0.0.0.0
on both ends?
11-09-2018 01:40 AM
Hello
What are you testing this on? I am asking because, as far as I can see, your config looks okay.
11-09-2018 02:15 AM
Hello
It sounds like your simulation software; try GNS3 and test again.
11-09-2018 05:18 AM
Hello,
This looks like GNS3. Which images are you using?
Post the full configs of all 4 routers so we can lab this...
11-09-2018 06:06 AM
Hi,
I am using c7200-advipservicesk9-mz.152-4.S5.image. If it is a GNS3 error, I am happy; I worry that it cannot work in production. Please find the config of all 4 routers below.
R1#sh run
Building configuration...
Current configuration : 1583 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
ip tcp synwait-time 5
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key MY_PASSWORD address 0.0.0.0
!
!
crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
set transform-set MY_TRANSFORM_SET
!
!
interface Tunnel0
ip address 12.12.12.1 255.255.255.0
tunnel source 192.168.12.1
tunnel mode ipsec ipv4
tunnel destination 192.168.12.2
tunnel protection ipsec profile IPSEC_PROFILE
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
!
interface GigabitEthernet0/0
ip address 192.168.12.1 255.255.255.0
media-type gbic
speed 1000
duplex full
negotiation auto
!
interface GigabitEthernet1/0
ip address 192.168.1.254 255.255.255.0
negotiation auto
!
interface GigabitEthernet2/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
R1#
R2#sh run
Building configuration...
Current configuration : 1583 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key MY_PASSWORD address 0.0.0.0
!
!
crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
set transform-set MY_TRANSFORM_SET
!
!
!
!
!
!
!
interface Tunnel0
ip address 12.12.12.2 255.255.255.0
tunnel source 192.168.12.2
tunnel mode ipsec ipv4
tunnel destination 192.168.12.1
tunnel protection ipsec profile IPSEC_PROFILE
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
!
interface GigabitEthernet0/0
ip address 192.168.12.2 255.255.255.0
media-type gbic
speed 1000
duplex full
negotiation auto
!
interface GigabitEthernet1/0
ip address 192.168.2.254 255.255.255.0
negotiation auto
!
interface GigabitEthernet2/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
R2#
R3#sh run
Building configuration...
Current configuration : 1095 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
!
interface GigabitEthernet0/0
no ip address
shutdown
media-type gbic
speed 1000
duplex full
negotiation auto
!
interface GigabitEthernet1/0
ip address 192.168.1.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet2/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
R3#
R4#sh run
Building configuration...
Current configuration : 1095 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
!
interface GigabitEthernet0/0
no ip address
shutdown
media-type gbic
speed 1000
duplex full
negotiation auto
!
interface GigabitEthernet1/0
ip address 192.168.2.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet2/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.2.254
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
R4#
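As an added example (my own code, not the poster's configs and not any Cisco tool), here is an offline checker for the kind of pairing this thread is debugging: it parses two IOS static VTI configs as plain text and verifies what has to agree across the two ends of an SVTI, namely mirrored tunnel source/destination, a pre-shared key for the peer address that matches on both sides, a tunnel protection profile that resolves to a defined transform-set, identical transform-set algorithms and mode, and static routes over the tunnel that land on a network the peer actually has. It goes a little beyond the thread by also warning about two hygiene points visible in these configs: ISAKMP group 2 (1024-bit DH) and a wildcard 0.0.0.0 pre-shared key, which an earlier reply suggested as a test step. The config text is constructed from the R1/R2 lines posted in the first post and repeated in the full configs above; the function names and dictionary keys (svti_config, parse_ios, check_svti_pair, "tsets", "ifaces" and so on) are mine.

```python
# Added example (not Cisco tooling): parse two IOS static-VTI configs and cross-check both ends.
import ipaddress


def svti_config(host, lan, wan, peer, tun, remote_lan):
    # Constructed config text mirroring the R1/R2 configs posted in the thread.
    return f"""hostname {host}
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key MY_PASSWORD address {peer}
crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile IPSEC_PROFILE
 set transform-set MY_TRANSFORM_SET
interface Tunnel0
 ip address {tun} 255.255.255.0
 tunnel source {wan}
 tunnel mode ipsec ipv4
 tunnel destination {peer}
 tunnel protection ipsec profile IPSEC_PROFILE
interface GigabitEthernet0/0
 ip address {wan} 255.255.255.0
interface GigabitEthernet1/0
 ip address {lan} 255.255.255.0
ip route {remote_lan} 255.255.255.0 Tunnel0
"""


R1_CFG = svti_config("R1", "192.168.1.254", "192.168.12.1", "192.168.12.2", "12.12.12.1", "192.168.2.0")
R2_CFG = svti_config("R2", "192.168.2.254", "192.168.12.2", "192.168.12.1", "12.12.12.2", "192.168.1.0")


def parse_ios(text):
    """Line-oriented parse of the commands an SVTI depends on; '!' ends the current config mode."""
    cfg = {"host": "", "dh": [], "keys": {}, "tsets": {}, "profiles": {}, "ifaces": {}, "routes": []}
    block = None  # (kind, name) of the config mode that the following sub-commands belong to
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            block = None
            continue
        head, kind = " ".join(w[:3]), block[0] if block else None
        if w[0] == "hostname":
            cfg["host"] = w[1]
        elif head == "crypto isakmp key":  # crypto isakmp key <key> address <peer> [mask]
            cfg["keys"][w[5]] = w[3]
        elif head in ("crypto isakmp policy", "crypto ipsec transform-set", "crypto ipsec profile"):
            block = (w[2], w[3])  # kind is 'policy', 'transform-set' or 'profile'
            if w[2] == "transform-set":
                cfg["tsets"][w[3]] = [tuple(w[4:]), "tunnel"]  # tunnel mode is the IOS default
        elif w[0] == "interface":
            cfg["ifaces"][w[1]], block = {}, ("iface", w[1])
        elif w[:2] == ["ip", "route"]:
            cfg["routes"].append((ipaddress.ip_network(f"{w[2]}/{w[3]}"), w[4]))
        elif kind == "policy" and w[0] == "group":
            cfg["dh"].append(int(w[1]))
        elif kind == "transform-set" and w[0] == "mode":
            cfg["tsets"][block[1]][1] = w[1]
        elif kind == "profile" and w[:2] == ["set", "transform-set"]:
            cfg["profiles"][block[1]] = w[2]
        elif kind == "iface" and w[:2] == ["ip", "address"] and len(w) == 4:
            cfg["ifaces"][block[1]]["ip"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        elif kind == "iface" and w[0] == "tunnel":  # tunnel source/destination/mode/protection
            cfg["ifaces"][block[1]]["tunnel " + w[1]] = " ".join(w[2:])
    return cfg


def _svti(cfg):
    # First 'tunnel mode ipsec ipv4' interface and the transform-set its protection profile selects.
    for name, i in cfg["ifaces"].items():
        if i.get("tunnel mode") == "ipsec ipv4":
            prof = (i.get("tunnel protection", "").split() or [None])[-1]  # 'ipsec profile NAME'
            return name, i, cfg["tsets"].get(cfg["profiles"].get(prof))
    return None, None, None


def check_svti_pair(a, b):
    """Return 'ERROR:'/'WARN:' findings for the pair; an empty list means the SVTI is consistent."""
    out, sa, sb = [], _svti(a), _svti(b)
    if not (sa[1] and sb[1]):
        return ["ERROR: both routers need an interface with 'tunnel mode ipsec ipv4'"]
    if None in (sa[2], sb[2]) or sa[2] != sb[2]:
        out.append("ERROR: transform-set undefined on one end, or algorithms/mode differ between ends")
    for local, peer, (name, t, _), (_, pt, _) in ((a, b, sa, sb), (b, a, sb, sa)):
        h, src, dst = local["host"], t.get("tunnel source"), t.get("tunnel destination")
        if (src, dst) != (pt.get("tunnel destination"), pt.get("tunnel source")):
            out.append(f"ERROR: {h}: tunnel source/destination {src}->{dst} do not mirror the peer's")
        key = local["keys"].get(dst) or local["keys"].get("0.0.0.0")
        if key is None:
            out.append(f"ERROR: {h}: no 'crypto isakmp key' for peer {dst} (or wildcard 0.0.0.0)")
        elif key != (peer["keys"].get(src) or peer["keys"].get("0.0.0.0")):
            out.append(f"ERROR: {h}: pre-shared key does not match the peer's")
        if "0.0.0.0" in local["keys"]:
            out.append(f"WARN: {h}: wildcard pre-shared key is accepted from any peer address")
        out += [f"WARN: {h}: isakmp DH group {g} is below group 14 (2048-bit MODP)" for g in local["dh"] if g < 14]
        for net, nh in local["routes"]:
            if nh == name and not any(i["ip"].network == net for i in peer["ifaces"].values() if "ip" in i):
                out.append(f"WARN: {h}: route {net} via {name} matches no network on {peer['host']}")
    return out
```

Calling check_svti_pair(parse_ios(R1_CFG), parse_ios(R2_CFG)) on the thread's configs returns no ERROR lines, only the two group 2 warnings, which agrees with the replies that the configs themselves are fine and leaves the IOS image as the remaining suspect. Because the parser splits on whitespace and ignores blocks it does not know, the raw output of show running-config from a real pair of routers can be fed to it unchanged.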
11-09-2018 08:33 AM
Hello,
I just recreated your exact setup in GNS3, with IOSv 15.6(2)T, and it works perfectly. So I am pretty sure it is a version problem; there is nothing wrong with the configs.
11-13-2018 06:15 AM
Hi ,
Thank you for your help. I have already tested with a real device, and VTI with a pre-shared key is working.
Let me know about the below, as I am confused.