08-14-2015 09:20 AM - edited 02-21-2020 08:24 PM
Hi all,
I have been building these GRE VPN tunnels for a few years now. Standard practice and well documented.
Having some weird issues in the lab. Trying to get one of our spare IP Dedicated lines up on GRE to test some routing changes, and it just refuses to connect. The outside interface is pingable from the internet and I can even log on to the router from externally - not secure, but I'm holding off applying the ACL until I can resolve this.
It's a pretty basic setup - here's the config for the remote end:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key ######## address 123.123.123.123
!
crypto ipsec transform-set transform-LLEMEA esp-3des esp-sha-hmac
!
crypto map LLEMEA 1 ipsec-isakmp
 set peer 123.123.123.123
 set transform-set transform-LLEMEA
 set pfs group2
 match address 101
!
interface Tunnel1
 description vpn-tunnel
 ip address 111.111.111.111 255.255.255.252
 ip tcp adjust-mss 1340
 tunnel source g0/0
 bandwidth #####
 tunnel destination 123.123.123.123
!
router eigrp 456
 network 123.123.0.0
 network 231.231.0.0
 network 111.111.0.0
 no auto-summary
!
access-list 101 permit gre host 231.231.231.231 host 123.123.123.123
!
int gig0/0
 crypto map LLEMEA
And the config from the head-end:
crypto isakmp key ######## address 231.231.231.231
!
crypto map LLEMEA 10 ipsec-isakmp
 description lab-crypto
 set peer 231.231.231.231
 set transform-set transform-LLEMEA
 set pfs group2
 match address 110
 exit
!
interface tunnel10
 description lab-vpn
 ip address 111.111.111.112 255.255.255.252
 band 20480
 tunnel source GigabitEthernet0/0
 tunnel destination 231.231.231.231
!
access-list 110 permit gre host 123.123.123.123 host 231.231.231.231
Before you ask, the remote router has a fully working outside interface, with working NAT etc. and a default route that is good. I can ping the head-end router from the remote end, and vice-versa. The tunnel interface is up on both ends, but the SA refuses to work.
Our routing instance is set up the same both ends. The head-end router is currently serving about 30 other sites, and they have identical configs, aside from the IP addressing.
Debugging ISAKMP and IPSEC revealed nothing of any use - no obvious errors like PSK typos or anything (I actually entered the PSK in about 5 times as this is usually the problem!).
Any ideas!?
08-14-2015 12:53 PM
Greg
Are the IPs in your example configuration the actual IPs you are using, specifically the tunnel IP addresses?
Jon
08-17-2015 01:49 AM
Hi Jon,
No, those are dummy IPs. Stripped out anything I thought might be even remotely sensitive.
I can assure you that I've triple checked, and then quadruple checked that the IP addys are all correct on the actual config.
Cheers
08-17-2015 02:15 AM
Thought I might attach some of the debug I gleaned off the remote router... I've stripped out the public IP addressing again, so don't worry too much about that...
ISAKMP debug:
Aug 17 09:30:24.194 GMT: ISAKMP:(1005): sending packet to 123.123.123.123 my_port 500 peer_port 500 (R) QM_IDLE
Aug 17 09:30:24.194 GMT: ISAKMP:(1005):Sending an IKE IPv4 Packet.
Aug 17 09:30:24.194 GMT: ISAKMP:(1005):Node 3957264405, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
Aug 17 09:30:24.194 GMT: ISAKMP:(1005):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
Aug 17 09:30:24.214 GMT: ISAKMP (1005): received packet from 123.123.123.123 dport 500 sport 500 Global (R) QM_IDLE
Aug 17 09:30:24.214 GMT: ISAKMP:(1005):deleting node -337702891 error FALSE reason "QM done (await)"
Aug 17 09:30:24.214 GMT: ISAKMP:(1005):Node 3957264405, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Aug 17 09:30:24.214 GMT: ISAKMP:(1005):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
Aug 17 09:30:24.218 GMT: ISAKMP (1005): received packet from 123.123.123.123 dport 500 sport 500 Global (R) QM_IDLE
Aug 17 09:30:24.218 GMT: ISAKMP: set new node 1554036998 to QM_IDLE
Aug 17 09:30:24.218 GMT: ISAKMP:(1005): processing HASH payload. message ID = 1554036998
Aug 17 09:30:24.218 GMT: ISAKMP:(1005): processing DELETE payload. message ID = 1554036998
Aug 17 09:30:24.218 GMT: ISAKMP:(1005):peer does not do paranoid keepalives.
Aug 17 09:30:24.218 GMT: ISAKMP:(1005):deleting node 1554036998 error FALSE reason "Informational (in) state 1"
Aug 17 09:30:29.194 GMT: ISAKMP: set new node -1236556008 to QM_IDLE
Aug 17 09:30:29.194 GMT: ISAKMP:(1005): sending packet to 123.123.123.123 my_port 500 peer_port 500 (R) QM_IDLE
Aug 17 09:30:29.194 GMT: ISAKMP:(1005):Sending an IKE IPv4 Packet.
Aug 17 09:30:29.194 GMT: ISAKMP:(1005):purging node -1236556008
Aug 17 09:30:29.194 GMT: ISAKMP:(1005):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
Aug 17 09:30:29.194 GMT: ISAKMP:(1005):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Aug 17 09:30:34.194 GMT: ISAKMP: set new node 486729671 to QM_IDLE
Aug 17 09:30:34.194 GMT: ISAKMP:(1005): sending packet to 123.123.123.123 my_port 500 peer_port 500 (R) QM_IDLE
Aug 17 09:30:34.194 GMT: ISAKMP:(1005):Sending an IKE IPv4 Packet.
Aug 17 09:30:34.194 GMT: ISAKMP:(1005):purging node 486729671
Aug 17 09:30:34.194 GMT: ISAKMP:(1005):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
Aug 17 09:30:34.194 GMT: ISAKMP:(1005):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Aug 17 09:30:34.222 GMT: ISAKMP:(1005):purging node -1980856964
Aug 17 09:30:34.222 GMT: ISAKMP:(1005):purging node 1354008488
Aug 17 09:30:44.146 GMT: ISAKMP (1005): received packet from 123.123.123.123 dport 500 sport 500 Global (R) QM_IDLE
Aug 17 09:30:44.146 GMT: ISAKMP: set new node -1254744196 to QM_IDLE
Aug 17 09:30:44.146 GMT: ISAKMP:(1005): processing HASH payload. message ID = 3040223100
Aug 17 09:30:44.146 GMT: ISAKMP:(1005): processing SA payload. message ID = 3040223100
Aug 17 09:30:44.146 GMT: ISAKMP:(1005):Checking IPSec proposal 1
Aug 17 09:30:44.146 GMT: ISAKMP: transform 1, ESP_3DES
Aug 17 09:30:44.146 GMT: ISAKMP: attributes in transform:
Aug 17 09:30:44.146 GMT: ISAKMP: encaps is 1 (Tunnel)
Aug 17 09:30:44.146 GMT: ISAKMP: SA life type in seconds
Aug 17 09:30:44.146 GMT: ISAKMP: SA life duration (basic) of 3600
Aug 17 09:30:44.146 GMT: ISAKMP: SA life type in kilobytes
Aug 17 09:30:44.146 GMT: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Aug 17 09:30:44.146 GMT: ISAKMP: authenticator is HMAC-SHA
Aug 17 09:30:44.146 GMT: ISAKMP: group is 2
Aug 17 09:30:44.146 GMT: ISAKMP:(1005):atts are acceptable.
Aug 17 09:30:44.166 GMT: ISAKMP:(1005): processing NONCE payload. message ID = 3040223100
Aug 17 09:30:44.166 GMT: ISAKMP:(1005): processing KE payload. message ID = 3040223100
Aug 17 09:30:44.194 GMT: ISAKMP:(1005): processing ID payload. message ID = 3040223100
Aug 17 09:30:44.194 GMT: ISAKMP:(1005): processing ID payload. message ID = 3040223100
Aug 17 09:30:44.194 GMT: ISAKMP:(1005):QM Responder gets spi
Aug 17 09:30:44.194 GMT: ISAKMP:(1005):Node 3040223100, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Aug 17 09:30:44.194 GMT: ISAKMP:(1005):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
Aug 17 09:30:44.194 GMT: ISAKMP:(1005): Creating IPSec SAs
Aug 17 09:30:44.194 GMT: inbound SA from 123.123.123.123 to 62.189.124.19 (f/i) 0/ 0 (proxy 123.123.123.123 to 62.189.124.19)
Aug 17 09:30:44.194 GMT: has spi 0x31518712 and conn_id 0
Aug 17 09:30:44.194 GMT: lifetime of 3600 seconds
Aug 17 09:30:44.194 GMT: lifetime of 4608000 kilobytes
Aug 17 09:30:44.194 GMT: outbound SA from 62.189.124.19 to 123.123.123.123 (f/i) 0/0 (proxy 62.189.124.19 to 123.123.123.123)
Aug 17 09:30:44.194 GMT: has spi 0x18E13B20 and conn_id 0
Aug 17 09:30:44.194 GMT: lifetime of 3600 seconds
Aug 17 09:30:44.194 GMT: lifetime of 4608000 kilobytes
Aug 17 09:30:44.194 GMT: ISAKMP:(1005): sending packet to 123.123.123.123 my_port 500 peer_port 500 (R) QM_IDLE
Aug 17 09:30:44.194 GMT: ISAKMP:(1005):Sending an IKE IPv4 Packet.
Aug 17 09:30:44.194 GMT: ISAKMP:(1005):Node 3040223100, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
Aug 17 09:30:44.194 GMT: ISAKMP:(1005):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
Aug 17 09:30:44.222 GMT: ISAKMP (1005): received packet from 123.123.123.123 dport 500 sport 500 Global (R) QM_IDLE
Aug 17 09:30:44.222 GMT: ISAKMP:(1005):deleting node -1254744196 error FALSE reason "QM done (await)"
Aug 17 09:30:44.222 GMT: ISAKMP:(1005):Node 3040223100, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Aug 17 09:30:44.222 GMT: ISAKMP:(1005):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
Aug 17 09:30:44.222 GMT: ISAKMP (1005): received packet from 123.123.123.123 dport 500 sport 500 Global (R) QM_IDLE
Aug 17 09:30:44.222 GMT: ISAKMP: set new node 275210595 to QM_IDLE
Aug 17 09:30:44.222 GMT: ISAKMP:(1005): processing HASH payload. message ID = 275210595
Aug 17 09:30:44.222 GMT: ISAKMP:(1005): processing DELETE payload. message ID = 275210595
Aug 17 09:30:44.222 GMT: ISAKMP:(1005):peer does not do paranoid keepalives.
Aug 17 09:30:44.222 GMT: ISAKMP:(1005):deleting node 275210595 error FALSE reason "Informational (in) state 1"
Aug 17 09:30:49.194 GMT: ISAKMP: set new node -1026633818 to QM_IDLE
Aug 17 09:30:49.194 GMT: ISAKMP:(1005): sending packet to 123.123.123.123 my_port 500 peer_port 500 (R) QM_I
IPSEC Debug:
Aug 17 09:34:54.200 GMT: IPSEC(delete_sa): deleting SA, (sa) sa_dest= 231.231.231.231, sa_proto= 50, sa_spi= 0x7260F28B(1918956171), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3741 sa_lifetime(k/sec)= (4503543/3600), (identity) local= 231.231.231.231:0, remote= 123.123.123.123:0, local_proxy= 231.231.231.231/255.255.255.255/47/0 (type=1), remote_proxy= 123.123.123.123/255.255.255.255/47/0 (type=1)
Aug 17 09:34:54.200 GMT: IPSEC(delete_sa): deleting SA, (sa) sa_dest= 123.123.123.123, sa_proto= 50, sa_spi= 0xD5EDCA64(3589130852), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3742 sa_lifetime(k/sec)= (4503543/3600), (identity) local= 231.231.231.231:0, remote= 123.123.123.123:0, local_proxy= 231.231.231.231/255.255.255.255/47/0 (type=1), remote_proxy= 123.123.123.123/255.255.255.255/47/0 (type=1)
Aug 17 09:35:04.156 GMT: IPSEC(validate_proposal_request): proposal part #1
Aug 17 09:35:04.156 GMT: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 231.231.231.231:0, remote= 123.123.123.123:0, local_proxy= 231.231.231.231/255.255.255.255/47/0 (type=1), remote_proxy= 123.123.123.123/255.255.255.255/47/0 (type=1), protocol= ESP, transform= NONE (Tunnel), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Aug 17 09:35:04.160 GMT: Crypto mapdb : proxy_match src addr : 231.231.231.231 dst addr : 123.123.123.123 protocol : 47 src port : 0 dst port : 0
Aug 17 09:35:04.204 GMT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Aug 17 09:35:04.204 GMT: Crypto mapdb : proxy_match src addr : 231.231.231.231 dst addr : 123.123.123.123 protocol : 47 src port : 0 dst port : 0
Aug 17 09:35:04.204 GMT: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 123.123.123.123
Aug 17 09:35:04.204 GMT: IPSEC(create_sa): sa created, (sa) sa_dest= 231.231.231.231, sa_proto= 50, sa_spi= 0x87CC37F0(2278307824), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3749 sa_lifetime(k/sec)= (4528946/3600)
Aug 17 09:35:04.204 GMT: IPSEC(create_sa): sa created, (sa) sa_dest= 123.123.123.123, sa_proto= 50, sa_spi= 0xA599AE4E(2778312270), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3750 sa_lifetime(k/sec)= (4528946/3600)
Aug 17 09:35:04.204 GMT: IPSEC(early_age_out_sibling): sibling outbound SPI C294811C expiring in 30 seconds due to it's a duplicate SA bundle.
Aug 17 09:35:04.228 GMT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Aug 17 09:35:04.228 GMT: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Aug 17 09:35:04.228 GMT: IPSEC(key_engine_enable_outbound): enable SA with spi 2778312270/50
Aug 17 09:35:04.228 GMT: IPSEC(update_current_outbound_sa): get enable SA peer 123.123.123.123 current outbound sa to SPI A599AE4E
Aug 17 09:35:04.228 GMT: IPSEC(update_current_outbound_sa): updated peer 123.123.123.123 current outbound sa to SPI A599AE4E
Aug 17 09:35:04.228 GMT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Aug 17 09:35:04.228 GMT: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
Aug 17 09:35:14.200 GMT: IPSEC(delete_sa): deleting SA, (sa) sa_dest= 231.231.231.231, sa_proto= 50, sa_spi= 0x47681E4(74875364), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3747 sa_lifetime(k/sec)= (4505809/3600), (identity) local= 231.231.231.231:0, remote= 123.123.123.123:0, local_proxy= 231.231.231.231/255.255.255.255/47/0 (type=1), remote_proxy= 123.123.123.123/255.255.255.255/47/0 (type=1)
Aug 17 09:35:14.200 GMT: IPSEC(delete_sa): deleting SA, (sa) sa_dest= 123.123.123.123, sa_proto= 50, sa_spi= 0x1D2FF923(489683235), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3748 sa_lifetime(k/sec)= (4505809/3600), (identity) local= 231.231.231.231:0, remote= 123.123.123.123:0, local_proxy= 231.231.231.231/255.255.255.255/47/0 (type=1), remote_proxy= 123.123.123.123/255.255.255.255/47/0 (type=1)
Aug 17 09:35:24.156 GMT: IPSEC(validate_proposal_request): proposal part #1
Aug 17 09:35:24.156 GMT: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 231.231.231.231:0, remote= 123.123.123.123:0, local_proxy= 231.231.231.231/255.255.255.255/47/0 (type=1), remote_proxy= 123.123.123.123/255.255.255.255/47/0 (type=1), protocol= ESP, transform= NONE (Tunnel), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
I couldn't spot anything obvious in there. Nothing at least to indicate why ISAKMP is telling IPSEC to tear down the SA. Is there anything else I can debug that might help?
08-17-2015 03:56 AM
Awesome.
Managed to fix it - turns out that one of the other guys that worked here had already set up a crypto map, tunnel interface and ACL for this site! I had glazed over it each time I took a look at show run on the head end router!
It was basically getting confused as it had the same destination IP configured twice in a different crypto set.
I removed this tunnel and everything associated with it, and the VPN tunnel came straight up!!
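The root cause in the last post, a forgotten earlier crypto map entry and tunnel pointing at the same peer, is easy to glaze over in a 30-site running-config. The following script is an added example (not from the thread or from Cisco); it scans a constructed IOS config fragment for any peer address that is the `set peer` of more than one crypto map entry or the `tunnel destination` of more than one tunnel interface, which is exactly the duplicate that kept the SA flapping here.

```python
import re
from collections import defaultdict

# Constructed head-end running-config fragment modelled on the thread (not the
# poster's real config): a forgotten earlier crypto map entry (seq 5) and Tunnel5
# point at the same peer as the new lab entry (seq 10) and Tunnel10.
SAMPLE_CONFIG = """\
crypto map LLEMEA 5 ipsec-isakmp
 set peer 231.231.231.231
 match address 105
!
crypto map LLEMEA 10 ipsec-isakmp
 set peer 231.231.231.231
 match address 110
!
interface Tunnel5
 tunnel destination 231.231.231.231
!
interface Tunnel10
 tunnel destination 231.231.231.231
!
"""

CRYPTO_MAP_RE = re.compile(r"^crypto map \S+ \d+(?= ipsec-isakmp)")
INTERFACE_RE = re.compile(r"^interface \S+")

def find_duplicate_peers(config):
    """Return {peer: [references]} for every address that is the 'set peer' of
    more than one crypto map entry or the 'tunnel destination' of more than one
    tunnel interface. One of each per peer is the normal, healthy case."""
    crypto_refs, tunnel_refs = defaultdict(list), defaultdict(list)
    block = None  # header of the current top-level block, or None if irrelevant
    for line in config.splitlines():
        if not line.startswith(" "):  # an unindented line starts a new block
            m = CRYPTO_MAP_RE.match(line) or INTERFACE_RE.match(line)
            block = m[0] if m else None
            continue
        words = line.split()
        if len(words) < 3:
            continue
        if block and block.startswith("crypto map") and words[:2] == ["set", "peer"]:
            crypto_refs[words[2]].append(block)
        elif block and block.startswith("interface") and words[:2] == ["tunnel", "destination"]:
            tunnel_refs[words[2]].append(block)
    flagged = {}
    for refs in (crypto_refs, tunnel_refs):
        for peer, names in refs.items():
            if len(names) > 1:  # the conflict the thread ended up finding
                flagged.setdefault(peer, []).extend(names)
    return flagged
```

Run it against the output of `show run` saved to a file and it reports every conflicting peer with the crypto map sequence numbers and tunnel interfaces that reference it.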