AWS gre ipsec - csr 1000v

imleo
Level 1

Hi, I'm trying to set up a VPN between an on-premise environment and AWS; the tunnel is meant to use GRE and IPsec. Phase 1 is completed, but Phase 2 is rejected by the other peer.

This is the sanitized configuration on AWS:

! isakmp policy
crypto isakmp policy 1
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
 exit
!
crypto isakmp key SHARED_KEY address 210.20.70.1
!
! ipsec transform and protocol
crypto ipsec transform-set AES256-SHA-TUNNEL esp-aes 256 esp-sha-hmac
 mode transport
 exit
!
! access-list
ip access-list extended FISERV-ACL
 permit gre host 24.100.10.38 host 210.20.70.1
 exit
!
! crypto map
crypto map FISERV-MAP 5 ipsec-isakmp
 set peer 210.20.70.1
 set transform-set AES256-SHA-TUNNEL
 match address FISERV-ACL
 exit
!
! apply crypto map to outside interface
interface GigabitEthernet1
 crypto map FISERV-MAP
 exit
!
! tunnel interface
interface Tunnel129
 description GRE to FISERV
 ip address 10.9.32.114 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 30 3
 tunnel source GigabitEthernet1
 tunnel destination 210.20.70.1
 exit
!
! route fiserv ip
ip route 10.30.64.99 255.255.255.255 Tunnel129 name FISERV

on-premise env:

crypto isakmp policy 5
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400

crypto ipsec transform-set aessha_tunnel esp-aes 256 esp-sha-hmac
 mode transport

crypto keyring OX_MX vrf VPN-INET 
 pre-shared-key address 24.100.10.38 key SHARED_KEY

crypto isakmp profile OX_MX
 vrf VPN-INET
 keyring OX_MX
 match identity address 24.100.10.38 255.255.255.255 VPN-INET
 isakmp authorization list default

ip access-list extended OX_MX
 permit gre host 210.20.70.1 host 24.100.10.38

crypto map VPN-INET-Client 28 ipsec-isakmp 
 set peer 24.100.10.38
 set transform-set aessha
 set isakmp-profile OX_MX
 match address OX_MX

interface Tunnel129
 description GRE to OX_MX 
 ip vrf forwarding VPN-INET
 ip address 10.9.32.113 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 30 3
 tunnel source 210.20.70.1
 tunnel destination 24.100.10.38
 tunnel vrf VPN-INET

ip route vrf VPN-INET 10.9.64.248 255.255.255.248 Tunnel129 name OX_MX
ip prefix-list Subnet-Client seq 23 permit 10.9.64.248/29 le 32

logs on AWS:

ip-172-17-11-90# debug crypto isakmp
*Apr 23 16:38:26.599: %SYS-5-CONFIG_I: Configured from console by ec2-user on vty0 (181.189.168.73)
*Apr 23 16:38:43.332: ISAKMP-PAK: (0):received packet from 210.20.70.1 dport 500 sport 500 Global (N) NEW SA
*Apr 23 16:38:43.332: ISAKMP: (0):Created a peer struct for 210.20.70.1, peer port 500
*Apr 23 16:38:43.332: ISAKMP: (0):New peer created peer = 0x80007F1A377A9620 peer_handle = 0x80000000400014D5
*Apr 23 16:38:43.332: ISAKMP: (0):Locking peer struct 0x80007F1A377A9620, refcount 1 for crypto_isakmp_process_block
*Apr 23 16:38:43.332: ISAKMP: (0):local port 500, remote port 500
*Apr 23 16:38:43.332: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 80007F1A37823260
*Apr 23 16:38:43.332: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 23 16:38:43.332: ISAKMP: (0):Old State = IKE_READY  New State = IKE_R_MM1

*Apr 23 16:38:43.333: ISAKMP: (0):processing SA payload. message ID = 0
*Apr 23 16:38:43.333: ISAKMP: (0):processing vendor id payload
*Apr 23 16:38:43.333: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
*Apr 23 16:38:43.333: ISAKMP: (0):vendor ID is NAT-T RFC 3947
*Apr 23 16:38:43.333: ISAKMP: (0):processing vendor id payload
*Apr 23 16:38:43.333: ISAKMP: (0):vendor ID seems Unity/DPD but major 245 mismatch
*Apr 23 16:38:43.333: ISAKMP: (0):vendor ID is NAT-T v7
*Apr 23 16:38:43.333: ISAKMP: (0):processing vendor id payload
*Apr 23 16:38:43.333: ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
*Apr 23 16:38:43.333: ISAKMP: (0):vendor ID is NAT-T v3
*Apr 23 16:38:43.333: ISAKMP: (0):processing vendor id payload
*Apr 23 16:38:43.333: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
*Apr 23 16:38:43.333: ISAKMP: (0):vendor ID is NAT-T v2
*Apr 23 16:38:43.333: ISAKMP: (0):found peer pre-shared key matching 210.20.70.1
*Apr 23 16:38:43.333: ISAKMP: (0):local preshared key found
*Apr 23 16:38:43.333: ISAKMP: (0):Scanning profiles for xauth ...
*Apr 23 16:38:43.333: ISAKMP: (0):Checking ISAKMP transform 1 against priority 1 policy
*Apr 23 16:38:43.333: ISAKMP: (0):      encryption AES-CBC
*Apr 23 16:38:43.333: ISAKMP: (0):      keylength of 256
*Apr 23 16:38:43.333: ISAKMP: (0):      hash SHA256
*Apr 23 16:38:43.333: ISAKMP: (0):      default group 14
*Apr 23 16:38:43.333: ISAKMP: (0):      auth pre-share
*Apr 23 16:38:43.333: ISAKMP: (0):      life type in seconds
*Apr 23 16:38:43.333: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Apr 23 16:38:43.333: ISAKMP: (0):atts are acceptable. Next payload is 3
*Apr 23 16:38:43.333: ISAKMP: (0):Acceptable atts:actual life: 86400
*Apr 23 16:38:43.333: ISAKMP: (0):Acceptable atts:life: 0
*Apr 23 16:38:43.333: ISAKMP: (0):Fill atts in sa vpi_length:4
*Apr 23 16:38:43.333: ISAKMP: (0):Fill atts in sa life_in_seconds:86400
*Apr 23 16:38:43.333: ISAKMP: (0):Returning Actual lifetime: 86400
*Apr 23 16:38:43.333: ISAKMP: (0):Started lifetime timer: 86400.

*Apr 23 16:38:43.333: ISAKMP: (0):processing vendor id payload
*Apr 23 16:38:43.333: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
*Apr 23 16:38:43.333: ISAKMP: (0):vendor ID is NAT-T RFC 3947
*Apr 23 16:38:43.333: ISAKMP: (0):processing vendor id payload
*Apr 23 16:38:43.333: ISAKMP: (0):vendor ID seems Unity/DPD but major 245 mismatch
*Apr 23 16:38:43.333: ISAKMP: (0):vendor ID is NAT-T v7
*Apr 23 16:38:43.333: ISAKMP: (0):processing vendor id payload
*Apr 23 16:38:43.334: ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
*Apr 23 16:38:43.334: ISAKMP: (0):vendor ID is NAT-T v3
*Apr 23 16:38:43.334: ISAKMP: (0):processing vendor id payload
*Apr 23 16:38:43.334: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
*Apr 23 16:38:43.334: ISAKMP: (0):vendor ID is NAT-T v2
*Apr 23 16:38:43.334: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 23 16:38:43.334: ISAKMP: (0):Old State = IKE_R_MM1  New State = IKE_R_MM1

*Apr 23 16:38:43.334: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
*Apr 23 16:38:43.334: ISAKMP-PAK: (0):sending packet to 210.20.70.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Apr 23 16:38:43.334: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Apr 23 16:38:43.334: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 23 16:38:43.334: ISAKMP: (0):Old State = IKE_R_MM1  New State = IKE_R_MM2

*Apr 23 16:38:43.478: ISAKMP-PAK: (0):received packet from 210.20.70.1 dport 500 sport 500 Global (R) MM_SA_SETUP
*Apr 23 16:38:43.478: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 23 16:38:43.478: ISAKMP: (0):Old State = IKE_R_MM2  New State = IKE_R_MM3

*Apr 23 16:38:43.478: ISAKMP: (0):processing KE payload. message ID = 0
*Apr 23 16:38:43.487: ISAKMP: (0):processing NONCE payload. message ID = 0
*Apr 23 16:38:43.487: ISAKMP: (0):found peer pre-shared key matching 210.20.70.1
*Apr 23 16:38:43.487: ISAKMP: (1652):processing vendor id payload
*Apr 23 16:38:43.487: ISAKMP: (1652):vendor ID is DPD
*Apr 23 16:38:43.487: ISAKMP: (1652):processing vendor id payload
*Apr 23 16:38:43.487: ISAKMP: (1652):speaking to another IOS box!
*Apr 23 16:38:43.487: ISAKMP: (1652):processing vendor id payload
*Apr 23 16:38:43.487: ISAKMP: (1652):vendor ID seems Unity/DPD but major 229 mismatch
*Apr 23 16:38:43.487: ISAKMP: (1652):vendor ID is XAUTH
*Apr 23 16:38:43.487: ISAKMP: (1652):received payload type 20
*Apr 23 16:38:43.487: ISAKMP: (1652):NAT found, both nodes inside NAT
*Apr 23 16:38:43.487: ISAKMP: (1652):received payload type 20
*Apr 23 16:38:43.487: ISAKMP: (1652):My hash no match -  this node inside NAT
*Apr 23 16:38:43.487: ISAKMP: (1652):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 23 16:38:43.487: ISAKMP: (1652):Old State = IKE_R_MM3  New State = IKE_R_MM3

*Apr 23 16:38:43.487: ISAKMP-PAK: (1652):sending packet to 210.20.70.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Apr 23 16:38:43.487: ISAKMP: (1652):Sending an IKE IPv4 Packet.
*Apr 23 16:38:43.488: ISAKMP: (1652):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 23 16:38:43.488: ISAKMP: (1652):Old State = IKE_R_MM3  New State = IKE_R_MM4

*Apr 23 16:38:43.493: %SYS-4-LOGGING_PERSISTENT_OVERRUN: Logging persistent command exceeded its size. Oldest logging-persistent file was deleted (file name: bootflash:/syslog/log_20200423-145043).
*Apr 23 16:38:43.633: ISAKMP-PAK: (1652):received packet from 210.20.70.1 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
*Apr 23 16:38:43.633: ISAKMP: (1652):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 23 16:38:43.633: ISAKMP: (1652):Old State = IKE_R_MM4  New State = IKE_R_MM5

*Apr 23 16:38:43.633: ISAKMP: (1652):processing ID payload. message ID = 0
*Apr 23 16:38:43.633: ISAKMP: (1652):ID payload
	next-payload : 8
	type         : 1
*Apr 23 16:38:43.633: ISAKMP: (1652):	address      : 210.20.70.1
*Apr 23 16:38:43.633: ISAKMP: (1652):	protocol     : 17
	port         : 0
	length       : 12
*Apr 23 16:38:43.633: ISAKMP: (0):peer matches *none* of the profiles
*Apr 23 16:38:43.634: ISAKMP: (1652):processing HASH payload. message ID = 0
*Apr 23 16:38:43.634: ISAKMP: (1652):processing NOTIFY INITIAL_CONTACT protocol 1
	spi 0, message ID = 0, sa = 0x80007F1A37823260
*Apr 23 16:38:43.634: ISAKMP: (1652):SA authentication status:
	authenticated
*Apr 23 16:38:43.634: ISAKMP: (1652):SA has been authenticated with 210.20.70.1
*Apr 23 16:38:43.634: ISAKMP: (1652):Detected port floating to port = 4500
*Apr 23 16:38:43.634: ISAKMP: (1652):Trying to find existing peer 172.17.11.90/210.20.70.1/4500/
*Apr 23 16:38:43.634: ISAKMP: (1652):Found existing peer 80007F1A376FA840 to reuse, free 80007F1A377A9620
*Apr 23 16:38:43.634: ISAKMP: (0):Unlocking peer struct 0x80007F1A377A9620 Reuse existing peer, count 0
*Apr 23 16:38:43.634: ISAKMP: (0):Deleting peer node by peer_reap for 210.20.70.1: 80007F1A377A9620
*Apr 23 16:38:43.635: ISAKMP: (0):Locking peer struct 0x80007F1A376FA840, refcount 2 for Reuse existing peer
*Apr 23 16:38:43.635: ISAKMP: (1652):SA authentication status:
	authenticated
*Apr 23 16:38:43.635: ISAKMP: (1652):Process initial contact,
bring down existing phase 1 and 2 SA's with local 172.17.11.90 remote 210.20.70.1 remote port 4500
*Apr 23 16:38:43.635: ISAKMP: (1651):Received delete SA on GigabitEthernet1 with reason "Receive initial contact"
*Apr 23 16:38:43.635: ISAKMP: (1651):peer does not do paranoid keepalives.
*Apr 23 16:38:43.635: ISAKMP-ERROR: (1651):deleting SA reason "Receive initial contact" state (R) QM_IDLE       (peer 210.20.70.1)
*Apr 23 16:38:43.635: ISAKMP: (1652):Setting UDP ENC peer struct 0x0 sa= 0x80007F1A37823260
*Apr 23 16:38:43.635: ISAKMP: (1652):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 23 16:38:43.635: ISAKMP: (1652):Old State = IKE_R_MM5  New State = IKE_R_MM5

*Apr 23 16:38:43.635: ISAKMP: (1651):set new node 3324080063 to QM_IDLE
*Apr 23 16:38:43.635: ISAKMP-PAK: (1651):sending packet to 210.20.70.1 my_port 4500 peer_port 4500 (R) QM_IDLE
*Apr 23 16:38:43.635: ISAKMP: (1651):Sending an IKE IPv4 Packet.
*Apr 23 16:38:43.636: ISAKMP: (1651):purging node 3324080063
*Apr 23 16:38:43.636: ISAKMP: (1651):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Apr 23 16:38:43.636: ISAKMP: (1651):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Apr 23 16:38:43.636: ISAKMP: (1652):SA is doing
*Apr 23 16:38:43.636: ISAKMP: (1652):pre-shared key authentication using id type ID_IPV4_ADDR
*Apr 23 16:38:43.636: ISAKMP: (1652):ID payload
	next-payload : 8
	type         : 1
*Apr 23 16:38:43.636: ISAKMP: (1652):	address      : 172.17.11.90
*Apr 23 16:38:43.636: ISAKMP: (1652):	protocol     : 17
	port         : 0
	length       : 12
*Apr 23 16:38:43.636: ISAKMP: (1652):Total payload length: 12
*Apr 23 16:38:43.636: ISAKMP-PAK: (1652):sending packet to 210.20.70.1 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
*Apr 23 16:38:43.636: ISAKMP: (1652):Sending an IKE IPv4 Packet.
*Apr 23 16:38:43.636: ISAKMP: (1652):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 23 16:38:43.636: ISAKMP: (1652):Old State = IKE_R_MM5  New State = IKE_R_MM5

*Apr 23 16:38:43.636: ISAKMP-ERROR: (1651):deleting SA reason "Receive initial contact" state (R) QM_IDLE       (peer 210.20.70.1)
*Apr 23 16:38:43.636: ISAKMP: (0):Unlocking peer struct 0x80007F1A376FA840 for isadb_mark_sa_deleted(), count 1
*Apr 23 16:38:43.636: ISAKMP: (1651):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 23 16:38:43.636: ISAKMP: (1651):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

*Apr 23 16:38:43.636: ISAKMP: (1652):Input = IKE_MESG_INTERNAL, IKE_FETCH_USER_ATTR
*Apr 23 16:38:43.636: ISAKMP: (1652):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

*Apr 23 16:38:43.636: ISAKMP: (1652):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Apr 23 16:38:43.636: ISAKMP: (1652):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Apr 23 16:39:30.066: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel129, changed state to down
*Apr 23 16:39:43.332: ISAKMP-PAK: (0):received packet from 210.20.70.1 dport 500 sport 500 Global (N) NEW SA
*Apr 23 16:39:43.332: ISAKMP: (0):Created a peer struct for 210.20.70.1, peer port 500
*Apr 23 16:39:43.332: ISAKMP: (0):New peer created peer = 0x80007F19D9A8B948 peer_handle = 0x80000000400014D7

From the logs, the lines that catch my eye are:

*Apr 23 16:38:43.636: ISAKMP: (1652):SA is doing
*Apr 23 16:38:43.636: ISAKMP: (1652):pre-shared key authentication using id type ID_IPV4_ADDR
*Apr 23 16:38:43.636: ISAKMP: (1652):ID payload
	next-payload : 8
	type         : 1
*Apr 23 16:38:43.636: ISAKMP: (1652):	address      : 172.17.11.90
*Apr 23 16:38:43.636: ISAKMP: (1652):	protocol     : 17
	port         : 0
	length       : 12

172.17.11.90 is the private IP of my outside interface (the one holding the public IP). I don't know if at this step the CSR should be using the public IP.

interface: GigabitEthernet1
    Crypto map tag: FISERV-MAP, local addr 172.17.11.90

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (24.100.10.38/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (210.20.70.1/255.255.255.255/47/0)
   current_peer 210.20.70.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.17.11.90, remote crypto endpt.: 210.20.70.1
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:

Thanks in advance for all the help

Accepted Solution

imleo
Level 1

The problem with the above configuration is on the line "permit gre host... ". On AWS an EC2 instance doesn't know the EIP associated with its interface, so the GRE traffic being created on the EC2 will have the private IP address of its interface and not the public one.

We changed the IPsec crypto map for an IPsec profile and the connection was up:

crypto keyring F_ARG
 local-address GigabitEthernet1
 pre-shared-key address 100.20.71.3 key PRESHARED_KEY
!
crypto isakmp policy 5
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto isakmp profile F_ARG
 keyring F_ARG
 match identity address 100.20.71.3 255.255.255.255
 local-address GigabitEthernet1
!
crypto ipsec transform-set AES256-SHA-TUNNEL esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile F_ARG
 set transform-set AES256-SHA-TUNNEL
 set pfs group2
!
interface Tunnel129
 description GRE to F_ARG
 ip address 10.9.32.114 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 30 3
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 100.20.71.3
 tunnel protection ipsec profile F_ARG
 ip virtual-reassembly

Now I need to set up NAT in my VPN; if someone has some information about this, it will be awesome :)!
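The root cause stated above, as an added check that is not part of the original post: it parses the crypto ACL from the question, builds the GRE packet the way an EC2-hosted CSR actually sources it (from the interface's private IP, 172.17.11.90, never the EIP) and asks whether the crypto map would select it for encryption. The ACE written on the interface IP is an assumption illustrating the alternative crypto-map fix; the accepted answer switched to tunnel protection instead.

```python
import ipaddress

GRE = 47  # IP protocol number for GRE

def parse_ios_ace(line):
    """Parse one 'permit <proto> <src> <dst>' entry of an IOS extended ACL.
    Supports 'host A', 'any' and 'A WILDCARD' (contiguous wildcards only).
    Returns (proto, src_net, dst_net); proto None means 'ip' (any protocol)."""
    tokens = line.split()
    if tokens[0] != "permit":
        raise ValueError("only permit entries act as crypto-map selectors")
    proto_names = {"gre": GRE, "esp": 50, "ip": None}
    proto = proto_names[tokens[1]] if tokens[1] in proto_names else int(tokens[1])
    rest, nets = tokens[2:], []
    while rest:
        if rest[0] == "host":
            nets.append(ipaddress.ip_network(rest[1]))
            rest = rest[2:]
        elif rest[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            rest = rest[1:]
        else:  # address + wildcard: invert the wildcard to obtain the netmask
            wild = int(ipaddress.ip_address(rest[1]))
            mask = ipaddress.ip_address(wild ^ 0xFFFFFFFF)
            nets.append(ipaddress.ip_network(f"{rest[0]}/{mask}", strict=False))
            rest = rest[2:]
    src, dst = nets
    return proto, src, dst

def acl_matches(aces, proto, src, dst):
    """True if any ACE classifies the packet as interesting (to-be-encrypted) traffic."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any((p is None or p == proto) and s in sn and d in dn for p, sn, dn in aces)

# Sanitized addresses from the thread: EIP, the interface's private IP, on-prem peer.
EIP, PRIVATE_IP, PEER = "24.100.10.38", "172.17.11.90", "210.20.70.1"

def gre_is_encrypted(acl_lines, tunnel_source_ip=PRIVATE_IP, tunnel_dest=PEER):
    """Would the GRE packet Tunnel129 emits match the crypto-map ACL?
    On EC2 the tunnel source interface carries the private IP; the EIP is
    applied by AWS NAT after the packet has already left the instance."""
    aces = [parse_ios_ace(l) for l in acl_lines]
    return acl_matches(aces, GRE, tunnel_source_ip, tunnel_dest)

if __name__ == "__main__":
    broken = ["permit gre host 24.100.10.38 host 210.20.70.1"]  # ACL from the question
    fixed = ["permit gre host 172.17.11.90 host 210.20.70.1"]   # assumed: selector on interface IP
    print("EIP selector matches GRE:", gre_is_encrypted(broken))           # False
    print("interface-IP selector matches GRE:", gre_is_encrypted(fixed))   # True
```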


2 Replies

Hello Imleo, can you please share the complete configuration? I noticed you did not set the isakmp profile in the ipsec profile. Also, did you apply any ACL?

I have the same problem with AWS for a GRE over IPsec tunnel, so I would appreciate knowing more about your solution.

Thanks