
Ipsec Over GRE tunnel not coming up

Router6#show interfaces tunnel 1
Tunnel1 is up, line protocol is down
Hardware is Tunnel
Internet address is 192.168.204.6/30
MTU 17940 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel linestate evaluation down - linestate mode reg down
Tunnel source 192.70.191.15 (GigabitEthernet0/1), destination 174.47.40.66
Tunnel Subblocks:
src-track:
Tunnel1 source tracking subblock associated with GigabitEthernet0/1
Set of tunnels with source GigabitEthernet0/1, 1 member (includes iterators), on interface <OK>
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Tunnel transport MTU 1500 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "KORE_IPSEC_Profile")
Last input 5d00h, output 1d15h, output hang never
Last clearing of "show interface" counters 6d04h
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 3
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1 packets input, 94 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
83 packets output, 10064 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
#################

crypto keyring KOREkeyring
pre-shared-key address 174.47.40.66 key XYZ 
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp profile KORE_ISKMP_Profile
keyring KOREkeyring
match identity address 174.47.40.66 255.255.255.255
!
!
crypto ipsec transform-set KOREVPN_TRANS esp-aes 256
mode tunnel
!
crypto ipsec profile KORE_IPSEC_Profile
set transform-set KOREVPN_TRANS
set pfs group2
set isakmp-profile KORE_ISKMP_Profile
!

As soon as I apply the profile to the tunnel, the tunnel goes down, and when the tunnel comes up, I cannot ping across.


Harsha A.

Hello Shraddha,

Do you have reachability between the 2 Tunnel interfaces?

Can you also share Tunnel config from the destination.

Regards,

Harsha

interface Tunnel608
description Wi-Tronix Primary Site
ip address 192.168.204.5 255.255.255.252
ip mtu 1400
tunnel source 174.47.40.66
tunnel destination 192.70.191.15 -----> Router06)
tunnel protection ipsec profile P2P_IPSec/GRE_Customers

Jul 13 19:40:19.295: %CRYPTO-5-IKMP_SETUP_FAILURE: IKE SETUP FAILED for local:174.47.40.66 local_id:174.47.40.66 remote:192.70.191.15 remote_id:192.70.191.15 IKE profile:None fvrf:None fail_reason:Proposal failure fail_class_cnt:2
Jul 13 19:41:19.707: %CRYPTO-5-IKMP_SETUP_FAILURE: IKE SETUP FAILED for local:174.47.40.66 local_id:174.47.40.66 remote:192.70.191.15 remote_id:192.70.191.15 IKE profile:None fvrf:None fail_reason:Proposal failure fail_class_cnt:2

Jul 13 19:45:46.950: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
Jul 13 19:45:46.950: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Jul 13 19:45:46.966: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 174.47.40.66
Jul 13 19:45:47.962: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
Jul 13 19:47:08.361: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 174.47.40.66
Jul 13 19:47:11.009: %SYS-5-CONFIG_I: Configured from console by shraddha.pajwani on vty0 (10.4.4.73)
Jul 13 19:49:08.721: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 174.47.40.66
Jul 13 19:50:09.137: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 174.47.40.66

Can you change the MTU on your end to 1400 as well.

It is now set to 1400, however no change in tunnel status.

Hi,

I believe the IKE and IPSEC parameters are not matching on both peer sides.

Kindly compare the config on both ends.

-Harsha

I don't have access to the remote end. My end is supposed to be set up as below.

Based on your config,

crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 3600

I think you have configured isakmp lifetime as 3600 instead of 86400

Also your requirement says PFS should not be enabled but your config has pfs enabled.

set transform-set KOREVPN_TRANS
set pfs group2

Please check it from your end and then clear the IKE and IPSEC sessions.

-Harsha
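
Added example, not part of any post in this thread: a small Python check that parses the crypto configuration posted above and reports every parameter that disagrees with the peer's requirements, which is the comparison the reply does by eye. Only the lifetime of 86400 and "no PFS" come from the thread; the `REQUIRED` sheet, the function names and the single-policy assumption are illustrative.

```python
# Local crypto config as posted in the thread (pre-shared key line omitted).
LOCAL_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto ipsec transform-set KOREVPN_TRANS esp-aes 256
 mode tunnel
crypto ipsec profile KORE_IPSEC_Profile
 set transform-set KOREVPN_TRANS
 set pfs group2
 set isakmp-profile KORE_ISKMP_Profile
"""

# Peer requirements. Only these two values are stated in the thread; a full
# requirement sheet would list every negotiated parameter (assumption).
REQUIRED = {"isakmp.lifetime": "86400", "ipsec.pfs": None}


def parse_crypto(config):
    """Extract IKE phase 1 and IPsec phase 2 parameters from IOS config text."""
    # Start from IOS defaults: 86400 s ISAKMP lifetime, PFS off.
    params = {"isakmp.lifetime": "86400", "ipsec.pfs": None}
    section = None
    for line in config.splitlines():
        words = line.split()
        if not words or words[0] == "!":
            continue
        if words[0] == "crypto":  # top-level command opens a new section
            section = None
            if words[1:3] == ["isakmp", "policy"]:
                section = "isakmp"
            elif words[1:3] == ["ipsec", "profile"]:
                section = "ipsec"
            elif words[1:3] == ["ipsec", "transform-set"]:
                params["ipsec.transform"] = " ".join(words[4:])
        elif section == "isakmp" and len(words) >= 2:
            key = "encryption" if words[0].startswith("encr") else words[0]
            params["isakmp." + key] = " ".join(words[1:])
        elif section == "ipsec" and words[:2] == ["set", "pfs"]:
            params["ipsec.pfs"] = " ".join(words[2:]) or "enabled"
    return params


def mismatches(local, required):
    """Return {parameter: (local_value, required_value)} for each disagreement."""
    return {k: (local.get(k), v) for k, v in required.items() if local.get(k) != v}


if __name__ == "__main__":
    for name, (have, want) in mismatches(parse_crypto(LOCAL_CONFIG), REQUIRED).items():
        print(f"{name}: local={have!r} required={want!r}")
```

Removing the `lifetime 3600` and `set pfs group2` lines makes the report empty, because the parser falls back to the IOS defaults for both.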

Thank you for the help. The problem has been fixed.

Awesome!!! Were you able to correct the config on your end?
