GRE over IPsec b/w hub and spoke

M Talha
Level 1

Dear All, 

I am stuck in a situation where I have to configure an HQ-to-branch GRE over IPsec tunnel. I have done this configuration, keeping everything the same on both ends for crypto, and applied this map on the outside interface, but still no luck. Need your help.

SITE A:

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address X.X.137.126
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
set peer X.X.137.126
set transform-set TS
match address 100
!
interface Tunnel2
bandwidth 1000
ip address 10.1.5.6 255.255.255.252
ip mtu 1400
tunnel source Y.Y.194.17
tunnel destination X.X.137.126
!
ip route 10.1.20.0 255.255.255.0 Tunnel2
!
access-list 100 permit gre 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255

Output:

sh crypto session
Crypto session current status

Interface: GigabitEthernet0/0
Session status: DOWN
Peer: X.X.137.126 port 500
IPSEC FLOW: permit 47 10.1.10.0/255.255.255.0 10.1.20.0/255.255.255.0
Active SAs: 0, origin: crypto map

==================================================

SITE B:

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address Y.Y.194.17
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
set peer Y.Y.194.17
set transform-set TS
match address 100
!
interface Tunnel2
bandwidth 1000
ip address 10.1.5.5 255.255.255.252
ip mtu 1400
tunnel source X.X.137.126
tunnel destination Y.Y.194.17
!
ip route 10.1.10.0 255.255.255.0 Tunnel2
!
access-list 100 permit gre 10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255

Output:

sh crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: DOWN
Peer: Y.Y.194.17 port 500
IPSEC FLOW: permit 47 10.1.20.0/255.255.255.0 10.1.10.0/255.255.255.0
Active SAs: 0, origin: crypto map

10 Replies

Hi,
Have you tried debugging "debug crypto isakmp"? Does the output give an indication where the issue is?

Is there a firewall in between? Is it permitting UDP 500, UDP 4500 (if natting) and ESP?

Using a VTI might be simpler than the configuration you are attempting to use; I can provide examples if you wish.

HTH

Dear Rji,

No, I haven't tried debugging yet. Secondly, there is no firewall in between the two routers. Please share the VTI examples; that would be a great help.

Regards,

Talha

Ok, here are some VTI examples: IKEv1 or IKEv2 (FlexVPN). IKEv2 is the latest and more secure, but you will need at least an ISR G2 to use it.

Regardless of whether you choose to use a VTI, run the debug command I provided to gather some output for us to troubleshoot.

HTH

May 29 18:55:27.459: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /X.X.145.162, src_addr= Y.Y.194.17, prot= 47
*May 29 18:56:27.931: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /X.X.145.162, src_addr= Y.Y.194.17, prot= 47
*May 29 18:57:31.927: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /X.X.145.162, src_addr= Y.Y.194.17, prot= 47
*May 29 18:58:40.299: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /X.X.145.162, src_addr= Y.Y.194.17, prot= 47
*May 29 18:59:41.915: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /X.X.145.162, src_addr= Y.Y.194.17, prot= 47
*May 29 19:15:12.227: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /X.X.145.162, src_addr= Y.Y.194.17, prot= 47
*May 29 19:16:18.803: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /X.X.145.162, src_addr= Y.Y.194.17, prot= 47
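The messages above are the key diagnostic in this thread: the local router is receiving GRE (IP protocol 47) from its configured IPsec peer without any ESP around it. As an added example, not code from any of the posts, here is a small Python triage script that parses that message layout and tells a configured-peer plaintext-GRE pattern apart from unrelated noise. It assumes the field order shown in the quoted lines and a set of peer addresses taken from the router's crypto configuration; the sample log is constructed.

```python
"""Triage %CRYPTO-4-RECVD_PKT_NOT_IPSEC syslog lines.

Added example for this thread, not code from the original posts. It parses the
message format quoted above and flags plaintext GRE (IP protocol 47) arriving
from an address configured as an IPsec peer: that pattern means the remote
router is sending tunnel traffic unencrypted, typically because its crypto map
is not on the interface the tunnel packets actually leave through.
"""
import re
from collections import Counter
from dataclasses import dataclass

GRE = 47  # IP protocol number reported as "prot= 47"

# Field layout of the IOS message as quoted in the thread:
#   ... (ip) vrf/dest_addr= /X.X.145.162, src_addr= Y.Y.194.17, prot= 47
MSG_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC:.*?"
    r"dest_addr=\s*(?P<vrf>[^/\s]*)/(?P<dst>[^,\s]+),\s*"
    r"src_addr=\s*(?P<src>[^,\s]+),\s*prot=\s*(?P<prot>\d+)"
)


@dataclass(frozen=True)
class PlaintextHit:
    vrf: str   # empty string for the global routing table
    dst: str   # local crypto endpoint that received the packet
    src: str   # remote address that sent it unencrypted
    prot: int  # IP protocol of the plaintext packet


def parse_not_ipsec(log_text: str) -> list[PlaintextHit]:
    """One PlaintextHit per RECVD_PKT_NOT_IPSEC line; unrelated lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if m:
            hits.append(PlaintextHit(m["vrf"], m["dst"], m["src"], int(m["prot"])))
    return hits


def triage(hits: list[PlaintextHit], ipsec_peers: set[str]) -> dict[tuple, dict]:
    """Group hits by (src, dst, prot) and attach a verdict to each group.

    ipsec_peers: the addresses named in 'crypto isakmp key ... address' and
    'set peer' on the router that logged the messages.
    """
    counts = Counter((h.src, h.dst, h.prot) for h in hits)
    report = {}
    for (src, dst, prot), n in counts.items():
        if src in ipsec_peers and prot == GRE:
            verdict = ("configured peer sends GRE in the clear: check that the peer's "
                       "crypto map sits on its tunnel egress interface")
        elif src in ipsec_peers:
            verdict = "configured peer sends non-GRE plaintext to the crypto endpoint"
        else:
            verdict = "plaintext from an address that is not an IPsec peer"
        report[(src, dst, prot)] = {"count": n, "verdict": verdict}
    return report


# Constructed sample: two of the thread's GRE messages plus an unrelated ICMP
# hit and a non-crypto line; addresses are the thread's masked placeholders
# and an RFC 5737 stand-in.
SAMPLE_LOG = """\
*May 29 18:55:27.459: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /X.X.145.162, src_addr= Y.Y.194.17, prot= 47
*May 29 18:56:27.931: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /X.X.145.162, src_addr= Y.Y.194.17, prot= 47
*May 29 18:57:31.927: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /X.X.145.162, src_addr= 203.0.113.9, prot= 1
*May 29 18:58:40.299: %SYS-5-CONFIG_I: Configured from console by console
"""

if __name__ == "__main__":
    for key, info in triage(parse_not_ipsec(SAMPLE_LOG), {"Y.Y.194.17"}).items():
        print(key, info["count"], info["verdict"])
```

Run against the seven lines posted above with `{"Y.Y.194.17"}` as the peer set, every hit lands in the first verdict: the remote router (Site A) is emitting GRE toward X.X.145.162 that never went through its crypto map, which is what the rest of the thread goes on to find.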

Please post the full config from both routers.

SITE A:

CSC-KH#sh run
Building configuration...

Current configuration : 3464 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CSC-KH
!
boot-start-marker
boot system flash c2800nm-advsecurityk9-mz.124-15.T1.bin
boot system flash c2800nm-ipbase-mz.124-15.T10.bin
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
no network-clock-participate wic 0
!
!
ip cef
!
!
no ip domain lookup
ip domain name yourdomain.com
!
multilink bundle-name authenticated
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key PASS address X.X.145.162
!
!
crypto ipsec transform-set TRANS esp-aes 256 esp-sha-hmac
!
!
crypto map TEST 10 ipsec-isakmp
set peer X.X.145.162
set transform-set TRANS
match address 100
!
!
!
!
!
archive
log config
hidekeys
!
!
controller E1 0/0/0
framing NO-CRC4
channel-group 0 timeslots 1-31
!
controller E1 0/0/1
framing NO-CRC4
channel-group 0 timeslots 1-31
!
!
!
!
interface Tunnel1
ip address 10.1.5.2 255.255.255.252
tunnel source Y.Y.194.17
tunnel destination X.X.145.162
!
!
!
interface GigabitEthernet0/0
ip address Y.Y.194.17 255.255.255.240
ip virtual-reassembly
duplex auto
speed auto
crypto map TEST
!
!
!
!
interface GigabitEthernet0/3/0
ip address Z.Z.130.230 255.255.255.252
negotiation auto
!
!
router rip
version 2
redistribute static metric 5
network 10.0.0.0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Z.Z.130.229
ip route 10.1.30.0 255.255.255.0 Tunnel1
!
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 30 permit 10.1.10.0 0.0.0.255
access-list 100 permit ip 10.1.10.0 0.0.0.255 10.1.30.0 0.0.0.255
!
!
!
!
control-plane
!
banner motd ^C
******************************************
* Unauthorized access prohibited
******************************************
^C
!
line con 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet
CSC-KH#

SITE B:

CSC-IS#sh run
Building configuration...

Current configuration : 5186 bytes
!
!
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CSC-IS
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
ip dhcp excluded-address 10.1.30.1 10.1.30.50
!
ip dhcp pool office
network 10.1.30.0 255.255.255.0
default-router 10.1.30.1
lease 15
!
!
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-728174188
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-728174188
revocation-check none
rsakeypair TP-self-signed-728174188
!
!
crypto pki certificate chain TP-self-signed-728174188
certificate self-signed 01
3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 37323831 37343138 38301E17 0D313530 32323130 36303132
395A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3732 38313734
31383830 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
BBE6EBBA 74DBD1C4 87917F0F 05CC52BA FB59305E DDE19300 B3049245 BB2B9B6E
06D62E7F 4EFFD985 01D10C46 178D9E25 EE287FF2 53D54DC0 908002FD D4C22CE6
B36E73C0 754F5B8F 6D5525BB 84F59178 5FAFF791 988B112E F321943F 56A4207A
F9EA0CF1 1EB35C32 66AD9B5C 9FEF5A8A 575D4CC1 B3F11151 6311BADD 816942AF
02030100 01A37630 74300F06 03551D13 0101FF04 05300301 01FF3021 0603551D
11041A30 18821641 45472D49 534C2E77 77772E61 65672E63 6F6D2E70 6B301F06
03551D23 04183016 80149778 1DECEC6B B1B03696 061722BF 25E479F1 8E17301D
0603551D 0E041604 1497781D ECEC6BB1 B0369606 1722BF25 E479F18E 17300D06
092A8648 86F70D01 01040500 03818100 8573DE7C 6A6C7ADF 30A3CD32 0735C5BB
5DD3CB4B EBDE1E61 D460C3D1 01A2999F 3C4F929C 4E92BDFE 880788E6 EF280462
62C8DF83 23151133 10157B65 6CCB0A81 2BC7A90A E043A60A E24FF7BB 21463F73
0B57B62F 7FEEED37 33D3617E 6564DD4F AD7BB1F0 738A28D6 70F7516E DFBAEAD0
16D656A9 1FD72EF2 703C5E16 9FD95C2D
quit

!
!
!
redundancy
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key PASS address Y.Y.194.17
!
!
crypto ipsec transform-set TRANS esp-aes 256 esp-sha-hmac
!
!
crypto map TEST 10 ipsec-isakmp
set peer Y.Y.194.17
set transform-set TRANS
match address 100
!
!
!
!
!
interface Tunnel1
bandwidth 1000
ip address 10.1.5.1 255.255.255.252
ip mtu 1400
tunnel source X.X.145.162
tunnel destination Y.Y.194.17
!
!
interface GigabitEthernet0/0
ip address X.X.145.162 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map TEST
!
!
interface GigabitEthernet0/1
ip address 10.1.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
router rip
version 2
network 10.0.0.0
no auto-summary
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool CPOOL X.X.145.162 X.X.145.162 netmask 255.255.255.252
ip nat inside source list CSC-IS interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 X.X.145.161
ip route 10.1.10.0 255.255.255.0 Tunnel1
!
ip access-list standard CSC-IS
permit 10.1.30.0 0.0.0.255
!
access-list 100 permit ip 10.1.30.0 0.0.0.255 10.1.10.0 0.0.0.255
!
!
!
!
!
!

line vty 0 4
privilege level 15
login local

CSC-IS#

Have you got the crypto map on the correct interface on Site A?

interface GigabitEthernet0/0
ip address Y.Y.194.17 255.255.255.240
ip virtual-reassembly
duplex auto
speed auto
crypto map TEST
!
interface GigabitEthernet0/3/0
ip address Z.Z.130.230 255.255.255.252
negotiation auto
!
ip route 0.0.0.0 0.0.0.0 Z.Z.130.229

The default gateway next hop would seem to match the Gi0/3/0 interface, not Gi0/0, which is where the crypto map is attached.

EDIT: I've labbed the crypto map and tunnel interface configuration, and this works. The only difference in my lab is that I am routing in/out the same interface the crypto map is attached to.

So should I move my crypto map to the Gig 0/3/0 interface? Secondly, Y.Y.194.17 is also one of the ISP interfaces I have got. So should I stick with my Gig 0/0 interface or move towards Gig 0/3/0?

If Gi0/0 is an ISP link, then the easiest thing to do is change the default route via its next hop.

If you add the crypto map on Gi0/3/0, then you'll have to change the configuration of the crypto map and tunnel interfaces on both routers.

Try changing the default route for now and get that working.
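The two points made above, that the crypto map only protects traffic leaving the interface it is attached to, and that the tunnel source and peer addresses have to follow the map if it moves, can be checked mechanically against pasted `sh run` text. The following is an added example, not code from the thread, from Cisco or from any of the posters; it assumes config in the unindented form posted above and uses constructed RFC 5737 addresses (198.51.100.17 for Gi0/0, 203.0.113.230/.229 for Gi0/3/0 and its next hop, 192.0.2.162 for the Site B endpoint) in place of the masked ones.

```python
"""Does each GRE tunnel leave through the interface that carries the crypto map?

Added example for this thread, not code from the original posts or from Cisco.
It reads IOS running-config text as pasted above, resolves the egress interface
for each tunnel destination (connected subnets plus static routes, following
next hops) and reports whether that interface has a crypto map and whether the
tunnel source is that interface. Addresses are constructed RFC 5737 stand-ins.
"""
import ipaddress

# Commands that always start a new top-level section and so end an interface block;
# the pasted configs lost their indentation, so we cannot rely on it.
TOP_LEVEL = ("interface ", "ip route ", "router ", "access-list ", "line ", "ip http",
             "ip nat pool", "ip nat inside source", "ip access-list", "crypto isakmp",
             "crypto ipsec", "control-plane", "banner ", "ip forward-protocol")


def _is_top_level(line: str) -> bool:
    # 'crypto map NAME' (3 tokens) is an interface sub-command; with a sequence
    # number and 'ipsec-isakmp' it is a top-level crypto map entry.
    return line.startswith(TOP_LEVEL) or (line.startswith("crypto map ") and len(line.split()) > 3)


def parse_config(text: str):
    """Return ({ifname: {address, crypto_map, tunnel_source, tunnel_destination}}, routes)."""
    interfaces, routes, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if line.startswith("interface "):
            current = tok[1]
            interfaces[current] = {"address": None, "crypto_map": None, "tunnel_source": None, "tunnel_destination": None}
        elif _is_top_level(line):
            current = None
            if tok[:2] == ["ip", "route"] and len(tok) >= 5:
                net = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
                try:                    # next-hop form ...
                    routes.append((net, ipaddress.ip_address(tok[4]), None))
                except ValueError:      # ... or exit-interface form, e.g. Tunnel1
                    routes.append((net, None, tok[4]))
        elif current is not None:
            if tok[:2] == ["ip", "address"] and len(tok) >= 4:
                interfaces[current]["address"] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
            elif tok[:2] == ["crypto", "map"]:
                interfaces[current]["crypto_map"] = tok[2]
            elif tok[:2] == ["tunnel", "source"]:
                interfaces[current]["tunnel_source"] = tok[2]
            elif tok[:2] == ["tunnel", "destination"]:
                interfaces[current]["tunnel_destination"] = ipaddress.ip_address(tok[2])
    return interfaces, routes


def egress_interface(dest, interfaces, routes, _depth=0):
    """Longest-prefix match over connected subnets and static routes, recursing via next hops."""
    if _depth > 8:                  # guard against a recursive-route loop
        return None
    best = None                     # (prefixlen, exit_interface, next_hop)
    for name, info in interfaces.items():
        net = info["address"].network if info["address"] else None
        if net and dest in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, name, None)
    for net, next_hop, exit_if in routes:
        if dest in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, exit_if, next_hop)
    if best is None:
        return None
    _, exit_if, next_hop = best
    return exit_if or egress_interface(next_hop, interfaces, routes, _depth + 1)


def check_tunnels(config_text: str) -> dict[str, dict]:
    """Per tunnel: egress interface, crypto map found on it, and whether the tunnel source is that interface."""
    interfaces, routes = parse_config(config_text)
    report = {}
    for name, info in interfaces.items():
        if info["tunnel_destination"] is None:
            continue
        egress = egress_interface(info["tunnel_destination"], interfaces, routes)
        egress_info = interfaces.get(egress, {})
        addr, src = egress_info.get("address"), info["tunnel_source"]
        source_ok = src is not None and (src == egress or (addr is not None and src == str(addr.ip)))
        cmap = egress_info.get("crypto_map")
        report[name] = {"egress": egress, "crypto_map": cmap, "source_ok": source_ok,
                        "ok": cmap is not None and source_ok}
    return report


# Constructed Site A config in the thread's layout: crypto map on Gi0/0 while the
# default route, the only path to the tunnel destination, leaves via Gi0/3/0.
SITE_A_BROKEN = """\
interface Tunnel1
 tunnel source 198.51.100.17
 tunnel destination 192.0.2.162
!
interface GigabitEthernet0/0
 ip address 198.51.100.17 255.255.255.240
 crypto map TEST
!
interface GigabitEthernet0/3/0
 ip address 203.0.113.230 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 203.0.113.229
ip route 10.1.30.0 255.255.255.0 Tunnel1
"""
# The same router after the fix the thread arrived at: map and tunnel source moved to Gi0/3/0.
SITE_A_FIXED = (SITE_A_BROKEN
                .replace(" tunnel source 198.51.100.17", " tunnel source 203.0.113.230")
                .replace(" crypto map TEST\n", "")
                .replace("255.255.255.252\n!\nip route", "255.255.255.252\n crypto map TEST\n!\nip route"))
```

For `SITE_A_BROKEN`, `check_tunnels` resolves Tunnel1's destination through the default route to Gi0/3/0, finds no crypto map there and a tunnel source belonging to a different interface, and reports `ok: False`; for `SITE_A_FIXED` the same check passes. Either remedy from the thread (re-pointing the default route out Gi0/0, or moving the map and tunnel source to Gi0/3/0) makes the egress interface and the mapped interface coincide, which is the condition the check encodes.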

Dear RJI,

I have moved my crypto map to Gig 0/3/0 and changed the Site B peers and tunnel interfaces, and voilà, it's a success this time. Thanks a lot for all the help and suggestions; the tunnels are up and secured.

Best Regards,

Talha