Weird GRE IPSec VPN issue - won't bring up the tunnel

Greg Dent
Level 1

Hi all,

I have been building these GRE VPN tunnels for a few years now. Standard practice and well documented.

Having some weird issues in the lab. Trying to get one of our spare IP Dedicated lines up on GRE to test some routing changes, and it just refuses to connect. The outside interface is pingable from the internet and I can even log on to the router from externally - not secure, but I'm holding off applying the ACL until I can resolve this.

It's a pretty basic setup - here's the config for the remote end:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key ######## address 123.123.123.123
!
crypto ipsec transform-set transform-LLEMEA esp-3des esp-sha-hmac
!
crypto map LLEMEA 1 ipsec-isakmp
 set peer 123.123.123.123
 set transform-set transform-LLEMEA
 set pfs group2
 match address 101
!
interface Tunnel1
 description vpn-tunnel
 ip address 111.111.111.111 255.255.255.252
 ip tcp adjust-mss 1340
 tunnel source g0/0
 bandwidth #####
 tunnel destination 123.123.123.123
!
router eigrp 456
 network 123.123.0.0
 network 231.231.0.0
 network 111.111.0.0
 no auto-summary
!
access-list 101 permit gre host 231.231.231.231 host 123.123.123.123
!
int gig0/0
 crypto map LLEMEA

And the config from the head-end:

crypto isakmp key ######## address 231.231.231.231
!
crypto map LLEMEA 10 ipsec-isakmp
 description lab-crypto
 set peer 231.231.231.231
 set transform-set transform-LLEMEA
 set pfs group2
 match address 110
exit
!
interface tunnel10
 description lab-vpn
 ip address 111.111.111.112 255.255.255.252
 band 20480
 tunnel source GigabitEthernet0/0
 tunnel destination 231.231.231.231
!
access-list 110 permit gre host 123.123.123.123 host 231.231.231.231

Before you ask, the remote router has a fully working outside interface, with working NAT etc. and a default route that is good. I can ping the head-end router from the remote end, and vice versa. The tunnel interface is up on both ends, but the SA refuses to work.

Our routing instance is set up the same at both ends. The head-end router is currently serving about 30 other sites, and they have identical configs, aside from the IP addressing.

Debugging ISAKMP and IPSEC revealed nothing of any use - no obvious errors like PSK typos or anything (I actually entered the PSK in about 5 times as this is usually the problem!).

Any ideas!?

4 Replies

Jon Marshall
Hall of Fame

Greg

Are the IPs in your example configuration the actual IPs you are using, specifically the tunnel IP addresses?

Jon

Hi Jon,

No, those are dummy IPs. Stripped out anything I thought might be even remotely sensitive.

I can assure you that I've triple checked, and then quadruple checked that the IP addys are all correct on the actual config.

Cheers

Greg Dent
Level 1

Thought I might attach some of the debug I gleaned off the remote router... I've stripped out the public IP addressing again, so don't worry too much about that...

ISAKMP debug:

Aug 17 09:30:24.194 GMT: ISAKMP:(1005): sending packet to 123.123.123.123 my_port 500 peer_port 500 (R) QM_IDLE
Aug 17 09:30:24.194 GMT: ISAKMP:(1005):Sending an IKE IPv4 Packet.
Aug 17 09:30:24.194 GMT: ISAKMP:(1005):Node 3957264405, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
Aug 17 09:30:24.194 GMT: ISAKMP:(1005):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
Aug 17 09:30:24.214 GMT: ISAKMP (1005): received packet from 123.123.123.123 dport 500 sport 500 Global (R) QM_IDLE
Aug 17 09:30:24.214 GMT: ISAKMP:(1005):deleting node -337702891 error FALSE reason "QM done (await)"
Aug 17 09:30:24.214 GMT: ISAKMP:(1005):Node 3957264405, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Aug 17 09:30:24.214 GMT: ISAKMP:(1005):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
Aug 17 09:30:24.218 GMT: ISAKMP (1005): received packet from 123.123.123.123 dport 500 sport 500 Global (R) QM_IDLE
Aug 17 09:30:24.218 GMT: ISAKMP: set new node 1554036998 to QM_IDLE      
Aug 17 09:30:24.218 GMT: ISAKMP:(1005): processing HASH payload. message ID = 1554036998
Aug 17 09:30:24.218 GMT: ISAKMP:(1005): processing DELETE payload. message ID = 1554036998
Aug 17 09:30:24.218 GMT: ISAKMP:(1005):peer does not do paranoid keepalives.

Aug 17 09:30:24.218 GMT: ISAKMP:(1005):deleting node 1554036998 error FALSE reason "Informational (in) state 1"
Aug 17 09:30:29.194 GMT: ISAKMP: set new node -1236556008 to QM_IDLE      
Aug 17 09:30:29.194 GMT: ISAKMP:(1005): sending packet to 123.123.123.123 my_port 500 peer_port 500 (R) QM_IDLE
Aug 17 09:30:29.194 GMT: ISAKMP:(1005):Sending an IKE IPv4 Packet.
Aug 17 09:30:29.194 GMT: ISAKMP:(1005):purging node -1236556008
Aug 17 09:30:29.194 GMT: ISAKMP:(1005):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
Aug 17 09:30:29.194 GMT: ISAKMP:(1005):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Aug 17 09:30:34.194 GMT: ISAKMP: set new node 486729671 to QM_IDLE      
Aug 17 09:30:34.194 GMT: ISAKMP:(1005): sending packet to 123.123.123.123 my_port 500 peer_port 500 (R) QM_IDLE
Aug 17 09:30:34.194 GMT: ISAKMP:(1005):Sending an IKE IPv4 Packet.
Aug 17 09:30:34.194 GMT: ISAKMP:(1005):purging node 486729671
Aug 17 09:30:34.194 GMT: ISAKMP:(1005):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
Aug 17 09:30:34.194 GMT: ISAKMP:(1005):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Aug 17 09:30:34.222 GMT: ISAKMP:(1005):purging node -1980856964
Aug 17 09:30:34.222 GMT: ISAKMP:(1005):purging node 1354008488
Aug 17 09:30:44.146 GMT: ISAKMP (1005): received packet from 123.123.123.123 dport 500 sport 500 Global (R) QM_IDLE
Aug 17 09:30:44.146 GMT: ISAKMP: set new node -1254744196 to QM_IDLE      
Aug 17 09:30:44.146 GMT: ISAKMP:(1005): processing HASH payload. message ID = 3040223100
Aug 17 09:30:44.146 GMT: ISAKMP:(1005): processing SA payload. message ID = 3040223100
Aug 17 09:30:44.146 GMT: ISAKMP:(1005):Checking IPSec proposal 1
Aug 17 09:30:44.146 GMT: ISAKMP: transform 1, ESP_3DES
Aug 17 09:30:44.146 GMT: ISAKMP:   attributes in transform:
Aug 17 09:30:44.146 GMT: ISAKMP:      encaps is 1 (Tunnel)
Aug 17 09:30:44.146 GMT: ISAKMP:      SA life type in seconds
Aug 17 09:30:44.146 GMT: ISAKMP:      SA life duration (basic) of 3600
Aug 17 09:30:44.146 GMT: ISAKMP:      SA life type in kilobytes
Aug 17 09:30:44.146 GMT: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
Aug 17 09:30:44.146 GMT: ISAKMP:      authenticator is HMAC-SHA
Aug 17 09:30:44.146 GMT: ISAKMP:      group is 2
Aug 17 09:30:44.146 GMT: ISAKMP:(1005):atts are acceptable.
Aug 17 09:30:44.166 GMT: ISAKMP:(1005): processing NONCE payload. message ID = 3040223100
Aug 17 09:30:44.166 GMT: ISAKMP:(1005): processing KE payload. message ID = 3040223100
Aug 17 09:30:44.194 GMT: ISAKMP:(1005): processing ID payload. message ID = 3040223100
Aug 17 09:30:44.194 GMT: ISAKMP:(1005): processing ID payload. message ID = 3040223100
Aug 17 09:30:44.194 GMT: ISAKMP:(1005):QM Responder gets spi
Aug 17 09:30:44.194 GMT: ISAKMP:(1005):Node 3040223100, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Aug 17 09:30:44.194 GMT: ISAKMP:(1005):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
Aug 17 09:30:44.194 GMT: ISAKMP:(1005): Creating IPSec SAs
Aug 17 09:30:44.194 GMT:         inbound SA from 123.123.123.123 to 62.189.124.19 (f/i)  0/ 0
        (proxy 123.123.123.123 to 62.189.124.19)
Aug 17 09:30:44.194 GMT:         has spi 0x31518712 and conn_id 0
Aug 17 09:30:44.194 GMT:         lifetime of 3600 seconds
Aug 17 09:30:44.194 GMT:         lifetime of 4608000 kilobytes
Aug 17 09:30:44.194 GMT:         outbound SA from 62.189.124.19 to 123.123.123.123 (f/i) 0/0
        (proxy 62.189.124.19 to 123.123.123.123)
Aug 17 09:30:44.194 GMT:         has spi  0x18E13B20 and conn_id 0
Aug 17 09:30:44.194 GMT:         lifetime of 3600 seconds
Aug 17 09:30:44.194 GMT:         lifetime of 4608000 kilobytes
Aug 17 09:30:44.194 GMT: ISAKMP:(1005): sending packet to 123.123.123.123 my_port 500 peer_port 500 (R) QM_IDLE
Aug 17 09:30:44.194 GMT: ISAKMP:(1005):Sending an IKE IPv4 Packet.
Aug 17 09:30:44.194 GMT: ISAKMP:(1005):Node 3040223100, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
Aug 17 09:30:44.194 GMT: ISAKMP:(1005):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
Aug 17 09:30:44.222 GMT: ISAKMP (1005): received packet from 123.123.123.123 dport 500 sport 500 Global (R) QM_IDLE
Aug 17 09:30:44.222 GMT: ISAKMP:(1005):deleting node -1254744196 error FALSE reason "QM done (await)"
Aug 17 09:30:44.222 GMT: ISAKMP:(1005):Node 3040223100, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Aug 17 09:30:44.222 GMT: ISAKMP:(1005):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
Aug 17 09:30:44.222 GMT: ISAKMP (1005): received packet from 123.123.123.123 dport 500 sport 500 Global (R) QM_IDLE
Aug 17 09:30:44.222 GMT: ISAKMP: set new node 275210595 to QM_IDLE      
Aug 17 09:30:44.222 GMT: ISAKMP:(1005): processing HASH payload. message ID = 275210595
Aug 17 09:30:44.222 GMT: ISAKMP:(1005): processing DELETE payload. message ID = 275210595
Aug 17 09:30:44.222 GMT: ISAKMP:(1005):peer does not do paranoid keepalives.

Aug 17 09:30:44.222 GMT: ISAKMP:(1005):deleting node 275210595 error FALSE reason "Informational (in) state 1"
Aug 17 09:30:49.194 GMT: ISAKMP: set new node -1026633818 to QM_IDLE      
Aug 17 09:30:49.194 GMT: ISAKMP:(1005): sending packet to 123.123.123.123 my_port 500 peer_port 500 (R) QM_I

IPSEC Debug:

Aug 17 09:34:54.200 GMT: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 231.231.231.231, sa_proto= 50,
    sa_spi= 0x7260F28B(1918956171),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3741
    sa_lifetime(k/sec)= (4503543/3600),
  (identity) local= 231.231.231.231:0, remote= 123.123.123.123:0,
    local_proxy= 231.231.231.231/255.255.255.255/47/0 (type=1),
    remote_proxy= 123.123.123.123/255.255.255.255/47/0 (type=1)
Aug 17 09:34:54.200 GMT: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 123.123.123.123, sa_proto= 50,
    sa_spi= 0xD5EDCA64(3589130852),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3742
    sa_lifetime(k/sec)= (4503543/3600),
  (identity) local= 231.231.231.231:0, remote= 123.123.123.123:0,
    local_proxy= 231.231.231.231/255.255.255.255/47/0 (type=1),
    remote_proxy= 123.123.123.123/255.255.255.255/47/0 (type=1)
Aug 17 09:35:04.156 GMT: IPSEC(validate_proposal_request): proposal part #1
Aug 17 09:35:04.156 GMT: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 231.231.231.231:0, remote= 123.123.123.123:0,
    local_proxy= 231.231.231.231/255.255.255.255/47/0 (type=1),
    remote_proxy= 123.123.123.123/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Aug 17 09:35:04.160 GMT: Crypto mapdb : proxy_match
        src addr     : 231.231.231.231
        dst addr     : 123.123.123.123
        protocol     : 47
        src port     : 0
        dst port     : 0
Aug 17 09:35:04.204 GMT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Aug 17 09:35:04.204 GMT: Crypto mapdb : proxy_match
        src addr     : 231.231.231.231
        dst addr     : 123.123.123.123
        protocol     : 47
        src port     : 0
        dst port     : 0
Aug 17 09:35:04.204 GMT: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 123.123.123.123
Aug 17 09:35:04.204 GMT: IPSEC(create_sa): sa created,
  (sa) sa_dest= 231.231.231.231, sa_proto= 50,
    sa_spi= 0x87CC37F0(2278307824),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3749
    sa_lifetime(k/sec)= (4528946/3600)
Aug 17 09:35:04.204 GMT: IPSEC(create_sa): sa created,
  (sa) sa_dest= 123.123.123.123, sa_proto= 50,
    sa_spi= 0xA599AE4E(2778312270),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3750
    sa_lifetime(k/sec)= (4528946/3600)
Aug 17 09:35:04.204 GMT: IPSEC(early_age_out_sibling): sibling outbound SPI C294811C expiring in 30 seconds due to it's a duplicate SA bundle.
Aug 17 09:35:04.228 GMT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Aug 17 09:35:04.228 GMT: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Aug 17 09:35:04.228 GMT: IPSEC(key_engine_enable_outbound): enable SA with spi 2778312270/50
Aug 17 09:35:04.228 GMT: IPSEC(update_current_outbound_sa): get enable SA peer 123.123.123.123 current outbound sa to SPI A599AE4E
Aug 17 09:35:04.228 GMT: IPSEC(update_current_outbound_sa): updated peer 123.123.123.123 current outbound sa to SPI A599AE4E
Aug 17 09:35:04.228 GMT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Aug 17 09:35:04.228 GMT: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
Aug 17 09:35:14.200 GMT: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 231.231.231.231, sa_proto= 50,
    sa_spi= 0x47681E4(74875364),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3747
    sa_lifetime(k/sec)= (4505809/3600),
  (identity) local= 231.231.231.231:0, remote= 123.123.123.123:0,
    local_proxy= 231.231.231.231/255.255.255.255/47/0 (type=1),
    remote_proxy= 123.123.123.123/255.255.255.255/47/0 (type=1)
Aug 17 09:35:14.200 GMT: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 123.123.123.123, sa_proto= 50,
    sa_spi= 0x1D2FF923(489683235),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3748
    sa_lifetime(k/sec)= (4505809/3600),
  (identity) local= 231.231.231.231:0, remote= 123.123.123.123:0,
    local_proxy= 231.231.231.231/255.255.255.255/47/0 (type=1),
    remote_proxy= 123.123.123.123/255.255.255.255/47/0 (type=1)
Aug 17 09:35:24.156 GMT: IPSEC(validate_proposal_request): proposal part #1
Aug 17 09:35:24.156 GMT: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 231.231.231.231:0, remote= 123.123.123.123:0,
    local_proxy= 231.231.231.231/255.255.255.255/47/0 (type=1),
    remote_proxy= 123.123.123.123/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

I couldn't spot anything obvious in there. Nothing at least to indicate why ISAKMP is telling IPSEC to tear down the SA. Is there anything else I can debug that might help?
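The pattern in the IPsec debug above (SAs created, a "duplicate SA bundle" warning, a delete notify from ISAKMP, and the SAs torn down about ten seconds later) is easier to see when the multi-line records are paired up by SPI. The following Python script is an added example and is not part of the thread or Cisco's own tooling. It groups the `debug crypto ipsec` records, matches each `delete_sa` with the `create_sa` carrying the same SPI, and flags SAs that lived less than an assumed threshold of 60 seconds. The sample lines are constructed, modelled on the output posted above, and reuse the thread's dummy addresses.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the "debug crypto ipsec" output in the thread and using
# its dummy addresses: two SAs are created, a sibling-SA warning fires, ISAKMP sends a
# delete notify, and ten seconds later both SAs are torn down.
SAMPLE_DEBUG = """\
Aug 17 09:35:04.204 GMT: IPSEC(create_sa): sa created,
  (sa) sa_dest= 231.231.231.231, sa_proto= 50,
    sa_spi= 0x87CC37F0(2278307824),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3749
    sa_lifetime(k/sec)= (4528946/3600)
Aug 17 09:35:04.204 GMT: IPSEC(create_sa): sa created,
  (sa) sa_dest= 123.123.123.123, sa_proto= 50,
    sa_spi= 0xA599AE4E(2778312270),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3750
    sa_lifetime(k/sec)= (4528946/3600)
Aug 17 09:35:04.204 GMT: IPSEC(early_age_out_sibling): sibling outbound SPI C294811C expiring in 30 seconds due to it's a duplicate SA bundle.
Aug 17 09:35:04.228 GMT: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
Aug 17 09:35:14.200 GMT: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 231.231.231.231, sa_proto= 50,
    sa_spi= 0x87CC37F0(2278307824),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3749
    sa_lifetime(k/sec)= (4503543/3600),
  (identity) local= 231.231.231.231:0, remote= 123.123.123.123:0,
    local_proxy= 231.231.231.231/255.255.255.255/47/0 (type=1),
    remote_proxy= 123.123.123.123/255.255.255.255/47/0 (type=1)
Aug 17 09:35:14.200 GMT: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 123.123.123.123, sa_proto= 50,
    sa_spi= 0xA599AE4E(2778312270),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3750
    sa_lifetime(k/sec)= (4503543/3600),
"""

# A record is a timestamped line plus the indented continuation lines that follow it.
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+) \w+: (?P<body>.*)$")
SA_RE = re.compile(r"IPSEC\((?P<action>create_sa|delete_sa)\)")
DEST_RE = re.compile(r"sa_dest= *(?P<dest>[\d.]+)")
SPI_RE = re.compile(r"sa_spi= *(?P<spi>0x[0-9A-Fa-f]+)")
DUP_RE = re.compile(r"duplicate SA bundle")


def split_records(text):
    """Group raw debug text into (datetime, record_text) pairs."""
    records = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            records.append([m.group("ts"), m.group("body")])
        elif records and line[:1].isspace():
            records[-1][1] += "\n" + line
    return [(datetime.strptime(ts, "%b %d %H:%M:%S.%f"), body) for ts, body in records]


def sa_events(text):
    """Extract SA create/delete events (destination and SPI) and duplicate-bundle warnings."""
    events = []
    for when, body in split_records(text):
        m = SA_RE.search(body)
        if m:
            dest = DEST_RE.search(body)
            spi = SPI_RE.search(body)
            events.append({"time": when, "action": m.group("action"),
                           "dest": dest.group("dest") if dest else None,
                           "spi": int(spi.group("spi"), 16) if spi else None})
        elif DUP_RE.search(body):
            events.append({"time": when, "action": "duplicate_bundle", "dest": None, "spi": None})
    return events


def sa_churn_report(text, min_healthy_seconds=60):
    """Pair each delete_sa with the create_sa of the same SPI and flag SAs that lived less
    than min_healthy_seconds (an assumed threshold; the thread's SAs have a 3600 s lifetime)."""
    created = {}
    short_lived = []
    duplicates = 0
    for ev in sa_events(text):
        if ev["action"] == "create_sa":
            created[ev["spi"]] = ev["time"]
        elif ev["action"] == "delete_sa":
            born = created.pop(ev["spi"], None)
            if born is not None:
                age = (ev["time"] - born).total_seconds()
                if age < min_healthy_seconds:
                    short_lived.append((ev["spi"], ev["dest"], age))
        else:
            duplicates += 1
    return {
        "short_lived": short_lived,
        "duplicate_bundle_warnings": duplicates,
        "suspicious": bool(short_lived) or duplicates > 0,
    }


if __name__ == "__main__":
    report = sa_churn_report(SAMPLE_DEBUG)
    for spi, dest, age in report["short_lived"]:
        print(f"SA to {dest} spi 0x{spi:08X} torn down after {age:.3f}s")
    print(f"duplicate SA bundle warnings: {report['duplicate_bundle_warnings']}")
```

Run against a saved debug capture, a report with short-lived SAs plus duplicate-bundle warnings says the SA negotiation itself is fine and the teardown is coming from the peer's own state (in this thread, a second crypto map entry for the same peer), which is a different investigation from a transform-set or PSK mismatch, where no SA would be created at all.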

Awesome.

Managed to fix it - turns out that one of the other guys that worked here had already set up a crypto map, tunnel interface and ACL for this site! I had glazed over it each time I took a look at show run on the head end router!

It was basically getting confused as it had the same destination IP configured twice in a different crypto set.

I removed this tunnel and everything associated with it, and the VPN tunnel came straight up!!
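On a head end serving 30 sites, a leftover crypto map entry, tunnel interface and ACL for the same peer is easy to miss in `show run`. The following Python check is an added example, not from the thread or from Cisco; it parses IOS running-config text and flags the three overlaps behind the fix above: two entries of one crypto map with the same `set peer`, two tunnel interfaces with the same source and destination, and two GRE crypto ACL lines selecting the same host pair. The sample config is constructed from the head-end config posted earlier plus an assumed older entry (sequence 7, Tunnel7, ACL 107) standing in for the colleague's leftover configuration.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the head-end config in the thread: the poster's lab entry
# (seq 10, Tunnel10, ACL 110) plus an assumed older entry for the same site (seq 7, Tunnel7,
# ACL 107) standing in for the leftover configuration that caused the problem.
SAMPLE_CONFIG = """\
crypto map LLEMEA 7 ipsec-isakmp
 description old-site-entry
 set peer 231.231.231.231
 set transform-set transform-LLEMEA
 match address 107
!
crypto map LLEMEA 10 ipsec-isakmp
 description lab-crypto
 set peer 231.231.231.231
 set transform-set transform-LLEMEA
 set pfs group2
 match address 110
!
interface Tunnel7
 description old-site-vpn
 ip address 111.111.111.122 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 231.231.231.231
!
interface Tunnel10
 description lab-vpn
 ip address 111.111.111.112 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 231.231.231.231
!
access-list 107 permit gre host 123.123.123.123 host 231.231.231.231
access-list 110 permit gre host 123.123.123.123 host 231.231.231.231
"""

CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp$")
TUNNEL_RE = re.compile(r"^interface (Tunnel\d+)$", re.IGNORECASE)
ACL_RE = re.compile(r"^access-list (\d+) permit gre host (\S+) host (\S+)$")


def parse_blocks(config):
    """Split IOS config text into (header, [subcommands]) pairs. Indented lines belong
    to the preceding unindented line; '!' and blank lines are separators."""
    blocks = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if line[0].isspace():
            if blocks:
                blocks[-1][1].append(line.strip())
        else:
            blocks.append((line, []))
    return blocks


def _subcommand_arg(subs, prefix):
    """Return the argument following `prefix` (e.g. 'set peer ') in a block, or None."""
    for s in subs:
        if s.startswith(prefix):
            return s[len(prefix):].strip()
    return None


def find_duplicate_peers(config):
    """{(map_name, peer): [seq, ...]} for peers set in more than one entry of one crypto map."""
    seen = defaultdict(list)
    for header, subs in parse_blocks(config):
        m = CRYPTO_MAP_RE.match(header)
        peer = _subcommand_arg(subs, "set peer ") if m else None
        if m and peer:
            seen[(m.group(1), peer)].append(int(m.group(2)))
    return {k: v for k, v in seen.items() if len(v) > 1}


def find_duplicate_tunnels(config):
    """{(source, destination): [interface, ...]} for tunnels sharing both endpoints.
    Values are compared as written, so 'g0/0' and 'GigabitEthernet0/0' are not unified."""
    seen = defaultdict(list)
    for header, subs in parse_blocks(config):
        m = TUNNEL_RE.match(header)
        if not m:
            continue
        src = _subcommand_arg(subs, "tunnel source ")
        dst = _subcommand_arg(subs, "tunnel destination ")
        if src and dst:
            seen[(src, dst)].append(m.group(1))
    return {k: v for k, v in seen.items() if len(v) > 1}


def find_duplicate_crypto_acls(config):
    """{(src_host, dst_host): [acl, ...]} for GRE crypto ACL lines selecting the same host pair."""
    seen = defaultdict(list)
    for header, _ in parse_blocks(config):
        m = ACL_RE.match(header)
        if m:
            seen[(m.group(2), m.group(3))].append(int(m.group(1)))
    return {k: v for k, v in seen.items() if len(v) > 1}


def check_config(config):
    """Run all three checks; an empty dict means no overlaps were found."""
    findings = {}
    for name, fn in (("duplicate_peers", find_duplicate_peers),
                     ("duplicate_tunnels", find_duplicate_tunnels),
                     ("duplicate_crypto_acls", find_duplicate_crypto_acls)):
        hits = fn(config)
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for check, hits in check_config(SAMPLE_CONFIG).items():
        for key, where in hits.items():
            print(f"{check}: {key} configured in {', '.join(map(str, where))}")
```

Feed it the saved output of `show running-config` from the head end before adding a new site; because interface names and addresses are compared exactly as written, normalise abbreviations such as `g0/0` first if the config mixes styles.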