07-13-2016 01:12 PM - edited 03-08-2019 06:37 AM
Router6#show interfaces tunnel 1
Tunnel1 is up, line protocol is down
Hardware is Tunnel
Internet address is 192.168.204.6/30
MTU 17940 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel linestate evaluation down - linestate mode reg down
Tunnel source 192.70.191.15 (GigabitEthernet0/1), destination 174.47.40.66
Tunnel Subblocks:
src-track:
Tunnel1 source tracking subblock associated with GigabitEthernet0/1
Set of tunnels with source GigabitEthernet0/1, 1 member (includes iterators), on interface <OK>
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Tunnel transport MTU 1500 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "KORE_IPSEC_Profile")
Last input 5d00h, output 1d15h, output hang never
Last clearing of "show interface" counters 6d04h
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 3
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1 packets input, 94 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
83 packets output, 10064 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
#################
crypto keyring KOREkeyring
pre-shared-key address 174.47.40.66 key XYZ
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp profile KORE_ISKMP_Profile
keyring KOREkeyring
match identity address 174.47.40.66 255.255.255.255
!
!
crypto ipsec transform-set KOREVPN_TRANS esp-aes 256
mode tunnel
!
crypto ipsec profile KORE_IPSEC_Profile
set transform-set KOREVPN_TRANS
set pfs group2
set isakmp-profile KORE_ISKMP_Profile
!
As soon as I apply the profile to the tunnel, the tunnel goes down, and when the tunnel comes up, I cannot ping across.
07-13-2016 01:40 PM
Hello Shraddha,
Do you have reachability between the 2 Tunnel interfaces?
Can you also share the Tunnel config from the destination?
Regards,
Harsha
07-13-2016 02:08 PM
interface Tunnel608
description Wi-Tronix Primary Site
ip address 192.168.204.5 255.255.255.252
ip mtu 1400
tunnel source 174.47.40.66
tunnel destination 192.70.191.15 -----> Router06)
tunnel protection ipsec profile P2P_IPSec/GRE_Customers
Jul 13 19:40:19.295: %CRYPTO-5-IKMP_SETUP_FAILURE: IKE SETUP FAILED for local:174.47.40.66 local_id:174.47.40.66 remote:192.70.191.15 remote_id:192.70.191.15 IKE profile:None fvrf:None fail_reason:Proposal failure fail_class_cnt:2
Jul 13 19:41:19.707: %CRYPTO-5-IKMP_SETUP_FAILURE: IKE SETUP FAILED for local:174.47.40.66 local_id:174.47.40.66 remote:192.70.191.15 remote_id:192.70.191.15 IKE profile:None fvrf:None fail_reason:Proposal failure fail_class_cnt:2
Jul 13 19:45:46.950: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
Jul 13 19:45:46.950: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Jul 13 19:45:46.966: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 174.47.40.66
Jul 13 19:45:47.962: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
Jul 13 19:47:08.361: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 174.47.40.66
Jul 13 19:47:11.009: %SYS-5-CONFIG_I: Configured from console by shraddha.pajwani on vty0 (10.4.4.73)
Jul 13 19:49:08.721: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 174.47.40.66
Jul 13 19:50:09.137: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 174.47.40.66
07-13-2016 02:08 PM
Can you change the MTU on your end to 1400 as well?
07-13-2016 02:30 PM
It is now set to 1400; however, there is no change in tunnel status.
07-13-2016 02:41 PM
Hi,
I believe the IKE and IPSEC parameters are not matching on both peer sides.
Kindly compare the config on both ends.
-Harsha
07-13-2016 02:57 PM
I don't have access to the remote end. My end is supposed to be set up as below.
07-13-2016 02:57 PM
Based on your config,
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 3600
I think you have configured isakmp lifetime as 3600 instead of 86400
Also your requirement says PFS should not be enabled but your config has pfs enabled.
set transform-set KOREVPN_TRANS
set pfs group2
Please check it from your end and then clear the IKE and IPSEC sessions.
-Harsha
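An added example, not part of the thread or any Cisco tooling: a Python check that parses the local crypto config as posted and flags the two parameters the reply above identifies (ISAKMP lifetime and PFS). The `REQUIRED` values are taken from that reply; the function and variable names are this example's own.

```python
import re

# Local crypto config as posted in the thread (flattened, no indentation).
POSTED = """crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto ipsec profile KORE_IPSEC_Profile
set transform-set KOREVPN_TRANS
set pfs group2
set isakmp-profile KORE_ISKMP_Profile
"""

# Only the two peer requirements named in the reply; pfs=None means "no PFS".
REQUIRED = {"isakmp_lifetime": 86400, "pfs": None}

def parse_crypto(config):
    """Group sub-commands under each 'crypto ...' header line."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("crypto "):
            current = sections.setdefault(line, [])
        elif line and line != "!" and current is not None:
            current.append(line)
    return sections

def audit(config, required=REQUIRED):
    """Return one (section, parameter, value) tuple per mismatch."""
    findings = []
    for header, cmds in parse_crypto(config).items():
        if header.startswith("crypto isakmp policy "):
            lifetime = 86400  # IOS default; the running config omits it then
            for cmd in cmds:
                m = re.fullmatch(r"lifetime (\d+)", cmd)
                if m:
                    lifetime = int(m.group(1))
            if lifetime != required["isakmp_lifetime"]:
                findings.append((header, "lifetime", lifetime))
        elif header.startswith("crypto ipsec profile "):
            pfs = None
            for cmd in cmds:
                m = re.fullmatch(r"set pfs(?: (\S+))?", cmd)
                if m:
                    pfs = m.group(1) or "default-group"
            if pfs != required["pfs"]:
                findings.append((header, "pfs", pfs))
    return findings
```

Calling `audit(POSTED)` returns the lifetime and PFS mismatches; a config with both lines removed returns an empty list.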
07-14-2016 12:05 PM
Thank you for the help. The problem has been fixed.
07-14-2016 12:18 PM
Awesome!!! Were you able to correct the config on your end?