09-27-2017 01:43 PM - edited 03-12-2019 04:34 AM
Hi all,
I am trying to setup a VTI based IPSec VPN in GNS3 using IOS c7200-adventerprisek9-mz.152-4.S7
The topology is attached. Tunnel is between R1 and R3.
The tunnel comes up and IKE and IPSEC SAs are built. From R1 I can ping 192.168.2.1 using a source of 192.168.1.1 (local LAN int) but cannot ping anything else in the R2 LAN, like 192.168.2.11, 192.168.2.10 etc.
The same applies in reverse: from R2 I can ping 192.168.1.1 (R1 LAN int) using a source of 192.168.2.1 (R2 LAN int) but nothing behind R1 (like 192.168.1.10, 192.168.1.11, etc.)
Enabling debug ip icmp on R5 and R6 I have noticed the following two things:
Attempt sourced from R1 (VPN gateway)
If I start a ping from R1 the pings reach R6 on remote site but reply traffic from R6 does not get encapsulated and forwarded through the tunnel by R2.
If I start a ping from R2 the pings reach R5 on remote site but reply traffic from R5 does not get encapsulated and forwarded through the tunnel by R1.
Attempt sourced from LAN host (R5 or R6)
If I start a ping from R6 to remote site IPs the following happens:
R6#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/15/28 ms
R6#
*Sep 27 20:32:01.987: ICMP: echo reply rcvd, src 192.168.2.1, dst 192.168.2.11, topology BASE, dscp 0 topoid 0
*Sep 27 20:32:02.011: ICMP: echo reply rcvd, src 192.168.2.1, dst 192.168.2.11, topology BASE, dscp 0 topoid 0
*Sep 27 20:32:02.039: ICMP: echo reply rcvd, src 192.168.2.1, dst 192.168.2.11, topology BASE, dscp 0 topoid 0
*Sep 27 20:32:02.055: ICMP: echo reply rcvd, src 192.168.2.1, dst 192.168.2.11, topology BASE, dscp 0 topoid 0
*Sep 27 20:32:02.063: ICMP: echo reply rcvd, src 192.168.2.1, dst 192.168.2.11, topology BASE, dscp 0 topoid 0
R6#
R6#
R6#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R6#
R6#
R6#
R6#ping 192.168.1.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.11, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R6#
The same happens if I start a ping from R5 to remote site IPs.
All above happens either if using IKEv1 or IKEv2. I have also tried using OSPF, EIGRP and static routes. Result is the same. This tells me that something wrong must be either with the IOS version, or with GNS3, or with my configs.
Please help me solve this so I can use it in production. Any help much appreciated!!!
Following are the configs using IKEv1 (IKEv2 config is in place but not used)
R1 Config
R1#sh run
Building configuration...
Current configuration : 3067 bytes
!
! Last configuration change at 19:24:58 UTC Wed Sep 27 2017
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
crypto ikev2 proposal IKEV2-PROPOSAL
encryption aes-cbc-256
integrity sha512
group 14
!
crypto ikev2 policy IKEV2-POLICY
match fvrf any
proposal IKEV2-PROPOSAL
!
crypto ikev2 keyring IKEV2-KEYRING
peer 23.0.0.1
description *** THIS DESCRIBES r2.mycompany.local ***
address 23.0.0.1
identity fqdn r2.mycompany.local
pre-shared-key local cisco-local
pre-shared-key remote cisco-remote
!
!
!
crypto ikev2 profile IKEV2-PROFILE
match identity remote fqdn r2.mycompany.local
identity local fqdn r1.mycompany.local
authentication remote pre-share
authentication local pre-share
keyring local IKEV2-KEYRING
!
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 1
encr aes 256
hash sha512
authentication pre-share
group 14
crypto isakmp key cisco123 address 23.0.0.1
!
!
crypto ipsec transform-set IPSEC-TRANS-SET esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec transform-set IKEV1-TRANS-SET esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile IKEV1-PROFILE
set transform-set IKEV1-TRANS-SET
set pfs group14
!
crypto ipsec profile IPSEC-PROFILE
set transform-set IPSEC-TRANS-SET
set pfs group14
set ikev2-profile IKEV2-PROFILE
!
crypto ipsec profile default
set transform-set IPSEC-TRANS-SET
set pfs group5
set ikev2-profile IKEV2-PROFILE
!
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
description *** IKEV2 IPSEC TUNNEL TO R2 ***
ip unnumbered FastEthernet0/0
ip mtu 1440
ip tcp adjust-mss 1400
ip ospf 1 area 0
shutdown
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 23.0.0.1
!
interface Tunnel1
description *** IKEV1 IPSEC TUNNEL TO R2 ***
ip unnumbered Loopback0
ip mtu 1440
ip tcp adjust-mss 1400
ip ospf 1 area 0
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 23.0.0.1
tunnel protection ipsec profile IKEV1-PROFILE
!
interface FastEthernet0/0
description *** LINK TO R3 ***
ip address 13.0.0.1 255.255.255.252
ip nat outside
speed auto
duplex auto
!
interface FastEthernet0/1
description *** LAN ***
ip address 192.168.1.1 255.255.255.0
ip nat inside
speed auto
duplex auto
!
router ospf 1
router-id 1.1.1.1
network 192.168.1.0 0.0.0.255 area 0
!
ip nat inside source list INTERNET-PAT-ACL interface FastEthernet0/0 overload
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 13.0.0.2
!
ip access-list standard INTERNET-PAT-ACL
permit 192.168.1.0 0.0.0.255
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
R1#
R2 Config
R2#sh run
Building configuration...
Current configuration : 2839 bytes
!
! Last configuration change at 19:26:36 UTC Wed Sep 27 2017
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
crypto ikev2 proposal IKEV2-PROPOSAL
encryption aes-cbc-256
integrity sha512
group 14
!
crypto ikev2 policy IKEv2-POLICY
match fvrf any
proposal IKEV2-PROPOSAL
!
crypto ikev2 keyring IKEV2-KEYRING
peer 13.0.0.1
description *** THIS DESCRIBES r1.mycompany.local ***
address 13.0.0.1
identity fqdn r1.mycompany.local
pre-shared-key local cisco-remote
pre-shared-key remote cisco-local
!
!
!
crypto ikev2 profile IKEV2-PROFILE
match identity remote fqdn r1.mycompany.local
identity local fqdn r2.mycompany.local
authentication remote pre-share
authentication local pre-share
keyring local IKEV2-KEYRING
!
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 1
encr aes 256
hash sha512
authentication pre-share
group 14
crypto isakmp key cisco123 address 13.0.0.1
!
!
crypto ipsec transform-set IPSEC-TRANS-SET esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec transform-set IKEV1-TRANS-SET esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile IKEV1-PROFILE
set transform-set IKEV1-TRANS-SET
set pfs group14
!
crypto ipsec profile IPSEC-PROFILE
set transform-set IPSEC-TRANS-SET
set pfs group14
set ikev2-profile IKEV2-PROFILE
!
crypto ipsec profile default
set transform-set IPSEC-TRANS-SET
set pfs group5
set ikev2-profile IKEV2-PROFILE
!
!
!
!
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Tunnel0
ip unnumbered FastEthernet0/0
ip mtu 1440
ip tcp adjust-mss 1400
ip ospf 1 area 0
shutdown
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 13.0.0.1
!
interface Tunnel1
description *** IKEV1 IPSEC TUNNEL TO R1 ***
ip unnumbered Loopback0
ip mtu 1440
ip tcp adjust-mss 1400
ip ospf 1 area 0
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 13.0.0.1
tunnel protection ipsec profile IKEV1-PROFILE
!
interface FastEthernet0/0
description *** LINK TO R3 ***
ip address 23.0.0.1 255.255.255.252
speed auto
duplex auto
!
interface FastEthernet0/1
description *** LAN ***
ip address 192.168.2.1 255.255.255.0
speed auto
duplex auto
!
router ospf 1
router-id 2.2.2.2
network 192.168.2.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 23.0.0.2
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
R2#
Following are some of my troubleshooting checks:
On R1:
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
13.0.0.1 23.0.0.1 QM_IDLE 1012 ACTIVE
IPv6 Crypto ISAKMP SA
R1#sh crypto ipsec sa
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 13.0.0.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 23.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 397, #pkts encrypt: 397, #pkts digest: 397
#pkts decaps: 396, #pkts decrypt: 396, #pkts verify: 396
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 13.0.0.1, remote crypto endpt.: 23.0.0.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x9A575E0A(2589416970)
PFS (Y/N): Y, DH group: group14
inbound esp sas:
spi: 0xE98DC736(3918382902)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 19, flow_id: 19, sibling_flags 80004040, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4171339/3468)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x9A575E0A(2589416970)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 20, flow_id: 20, sibling_flags 80004040, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4171339/3468)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
R1#
R1#
R1#
R1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 13.0.0.2 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 13.0.0.2
1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback0
13.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 13.0.0.0/30 is directly connected, FastEthernet0/0
L 13.0.0.1/32 is directly connected, FastEthernet0/0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, FastEthernet0/1
L 192.168.1.1/32 is directly connected, FastEthernet0/1
O 192.168.2.0/24 [110/1001] via 2.2.2.2, 01:13:30, Tunnel1
R1#
R1#
R1#
R1#
R1#sh ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 0 FULL/ - 00:00:35 2.2.2.2 Tunnel1
R1#
09-27-2017 02:25 PM
Hi,
Sorry if I am missing something, but what about the routing on R5 and R6? Do they know how to respond to the remote network?
You have encaps and decaps which is good, but how did you define which traffic will be encap/decap?
09-27-2017 02:35 PM
Hi Flavio,
R5 and R6 are used as pure LAN hosts with IP routing disabled. I have defined ip default-gateway on each of them pointing to the respective edge router (R1 is the default gateway for R5 and R2 is the DG for R6).
As for how to define which traffic is to be encapsulated/decapsulated, I don't use any dedicated ACL. As far as I have understood up to now (still learning the VTI method), using a static VTI for point-to-point VPNs does not need any ACL to define which traffic to encrypt/decrypt, as opposed to implementing crypto maps. I think that all traffic that is sent out the tunnel interface or received on the tunnel interface is automatically encrypted and decrypted (correct me if I am wrong).
Thanks
09-28-2017 05:24 AM
Any help from anyone on this one? Why does reply traffic not get encrypted?
Thanks
09-28-2017 10:38 AM
Out of curiosity, have you tried using "tunnel mode gre ip" on the tunnel interfaces instead of "tunnel mode ipsec ipv4"? When setting up VPNs in GNS3 I've had to use gre.
09-29-2017 01:28 AM
If I set "tunnel mode gre ip" pings start working between all hosts on the two LANs. But encryption is not used: no encrypted packet is ever being sent across and no IKE nor IPSEC SAs are being built, so communication is unencrypted.
Thanks for the input though.
09-29-2017 02:10 AM
09-29-2017 02:48 AM
Hi,
below is the output of debug crypto isakmp:
R2(config-if)#tunnel protection ipsec profile IKEV1-PROFILE
R2(config-if)#
*Sep 29 09:41:45.483: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Sep 29 09:41:45.507: ISAKMP:(0): SA request profile is (NULL)
*Sep 29 09:41:45.511: ISAKMP: Created a peer struct for 13.0.0.1, peer port 500
*Sep 29 09:41:45.511: ISAKMP: New peer created peer = 0x65B824F0 peer_handle = 0x80000006
*Sep 29 09:41:45.515: ISAKMP: Locking peer struct 0x65B824F0, refcount 1 for isakmp_initiator
*Sep 29 09:41:45.515: ISAKMP: local port 500, remote port 500
*Sep 29 09:41:45.519: ISAKMP: set new node 0 to QM_IDLE
*Sep 29 09:41:45.519: ISAKMP:(0):insert sa successfully sa = 67DBCB50
*Sep 29 09:41:45.523: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Sep 29 09:41:45.523: ISAKMP:(0):found peer pre-shared key matching 13.0.0.1
*Sep 29 09:41:45.527: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Sep 29 09:41:45.527: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Sep 29 09:41:45.531: ISAKMP:(0)
R2(config-if)#: constructed NAT-T vendor-03 ID
*Sep 29 09:41:45.531: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Sep 29 09:41:45.535: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Sep 29 09:41:45.535: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Sep 29 09:41:45.535: ISAKMP:(0): beginning Main Mode exchange
*Sep 29 09:41:45.539: ISAKMP:(0): sending packet to 13.0.0.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 09:41:45.539: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 29 09:41:45.623: ISAKMP (0): received packet from 13.0.0.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Sep 29 09:41:45.627: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 29 09:41:45.627: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Sep 29 09:41:45.631: ISAKMP:(0): processing SA payload. message ID = 0
*Sep 29 09:41:45.631: ISAKMP:(0): processing vendor id payload
*Sep 29 09:41:45.631: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Sep 29 09:41:45.631: ISAK
R2(config-if)#MP (0): vendor ID is NAT-T RFC 3947
*Sep 29 09:41:45.631: ISAKMP:(0):found peer pre-shared key matching 13.0.0.1
*Sep 29 09:41:45.631: ISAKMP:(0): local preshared key found
*Sep 29 09:41:45.635: ISAKMP : Scanning profiles for xauth ...
*Sep 29 09:41:45.635: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Sep 29 09:41:45.635: ISAKMP: encryption AES-CBC
*Sep 29 09:41:45.635: ISAKMP: keylength of 256
*Sep 29 09:41:45.635: ISAKMP: hash SHA512
*Sep 29 09:41:45.635: ISAKMP: default group 14
*Sep 29 09:41:45.635: ISAKMP: auth pre-share
*Sep 29 09:41:45.635: ISAKMP: life type in seconds
*Sep 29 09:41:45.635: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Sep 29 09:41:45.635: ISAKMP:(0):atts are acceptable. Next payload is 0
*Sep 29 09:41:45.635: ISAKMP:(0):Acceptable atts:actual life: 0
*Sep 29 09:41:45.635: ISAKMP:(0):Acceptable atts:life: 0
*Sep 29 09:41:45.635: ISAKMP:(0):Fill atts in sa vpi_length:4
*Sep 29 09:41:45
R2(config-if)#.635: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Sep 29 09:41:45.635: ISAKMP:(0):Returning Actual lifetime: 86400
*Sep 29 09:41:45.635: ISAKMP:(0)::Started lifetime timer: 86400.
*Sep 29 09:41:45.635: ISAKMP:(0): processing vendor id payload
*Sep 29 09:41:45.635: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Sep 29 09:41:45.635: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Sep 29 09:41:45.635: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 29 09:41:45.635: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Sep 29 09:41:45.639: ISAKMP:(0): sending packet to 13.0.0.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Sep 29 09:41:45.639: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 29 09:41:45.639: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 29 09:41:45.639: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Sep 29 09:41:45.807: ISAKMP (0): received packet from 13.0.0.1 dport 500 sport 500 Global (I) MM_SA_SE
R2(config-if)#TUP
*Sep 29 09:41:45.811: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 29 09:41:45.811: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Sep 29 09:41:45.811: ISAKMP:(0): processing KE payload. message ID = 0
*Sep 29 09:41:45.955: ISAKMP:(0): processing NONCE payload. message ID = 0
*Sep 29 09:41:45.955: ISAKMP:(0):found peer pre-shared key matching 13.0.0.1
*Sep 29 09:41:45.959: ISAKMP:(1033): processing vendor id payload
*Sep 29 09:41:45.959: ISAKMP:(1033): vendor ID is Unity
*Sep 29 09:41:45.959: ISAKMP:(1033): processing vendor id payload
*Sep 29 09:41:45.959: ISAKMP:(1033): vendor ID is DPD
*Sep 29 09:41:45.959: ISAKMP:(1033): processing vendor id payload
*Sep 29 09:41:45.959: ISAKMP:(1033): speaking to another IOS box!
*Sep 29 09:41:45.959: ISAKMP:received payload type 20
*Sep 29 09:41:45.959: ISAKMP (1033): His hash no match - this node outside NAT
*Sep 29 09:41:45.959: ISAKMP:received payload type 20
*Sep 29 09:41:45.959: ISAKMP (1033): No N
R2(config-if)#AT Found for self or peer
*Sep 29 09:41:45.959: ISAKMP:(1033):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 29 09:41:45.959: ISAKMP:(1033):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Sep 29 09:41:45.963: ISAKMP:(1033):Send initial contact
*Sep 29 09:41:45.963: ISAKMP:(1033):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Sep 29 09:41:45.963: ISAKMP (1033): ID payload
next-payload : 8
type : 1
address : 23.0.0.1
protocol : 17
port : 500
length : 12
*Sep 29 09:41:45.963: ISAKMP:(1033):Total payload length: 12
*Sep 29 09:41:45.963: ISAKMP:(1033): sending packet to 13.0.0.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Sep 29 09:41:45.963: ISAKMP:(1033):Sending an IKE IPv4 Packet.
*Sep 29 09:41:45.963: ISAKMP:(1033):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 29 09:41:45.963: ISAKMP:(1033):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Sep 29 09:41:45.983: ISAKMP (1033): received packet f
R2(config-if)#rom 13.0.0.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Sep 29 09:41:45.987: ISAKMP:(1033): processing ID payload. message ID = 0
*Sep 29 09:41:45.991: ISAKMP (1033): ID payload
next-payload : 8
type : 1
address : 13.0.0.1
protocol : 17
port : 500
length : 12
*Sep 29 09:41:45.995: ISAKMP:(0):: peer matches *none* of the profiles
*Sep 29 09:41:45.995: ISAKMP:(1033): processing HASH payload. message ID = 0
*Sep 29 09:41:45.999: ISAKMP:(1033):SA authentication status:
authenticated
*Sep 29 09:41:45.999: ISAKMP:(1033):SA has been authenticated with 13.0.0.1
*Sep 29 09:41:46.003: ISAKMP: Trying to insert a peer 23.0.0.1/13.0.0.1/500/, and inserted successfully 65B824F0.
*Sep 29 09:41:46.007: ISAKMP:(1033):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 29 09:41:46.007: ISAKMP:(1033):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Sep 29 09:41:46.007: ISAKMP:(1033):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 29 09:41:46.
R2(config-if)#007: ISAKMP:(1033):Old State = IKE_I_MM6 New State = IKE_I_MM6
*Sep 29 09:41:46.007: ISAKMP:(1033):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 29 09:41:46.007: ISAKMP:(1033):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Sep 29 09:41:46.011: ISAKMP:(1033):beginning Quick Mode exchange, M-ID of 2915858363
*Sep 29 09:41:46.011: ISAKMP:(1033):QM Initiator gets spi
*Sep 29 09:41:46.011: ISAKMP:(1033): sending packet to 13.0.0.1 my_port 500 peer_port 500 (I) QM_IDLE
*Sep 29 09:41:46.011: ISAKMP:(1033):Sending an IKE IPv4 Packet.
*Sep 29 09:41:46.011: ISAKMP:(1033):Node 2915858363, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Sep 29 09:41:46.011: ISAKMP:(1033):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Sep 29 09:41:46.011: ISAKMP:(1033):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Sep 29 09:41:46.011: ISAKMP:(1033):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Sep 29 09:41:46.231: ISAKMP (1033): received packet from 13.0.0.1 dport
R2(config-if)#500 sport 500 Global (I) QM_IDLE
*Sep 29 09:41:46.235: ISAKMP:(1033): processing HASH payload. message ID = 2915858363
*Sep 29 09:41:46.239: ISAKMP:(1033): processing SA payload. message ID = 2915858363
*Sep 29 09:41:46.239: ISAKMP:(1033):Checking IPSec proposal 1
*Sep 29 09:41:46.243: ISAKMP: transform 1, ESP_AES
*Sep 29 09:41:46.243: ISAKMP: attributes in transform:
*Sep 29 09:41:46.243: ISAKMP: encaps is 1 (Tunnel)
*Sep 29 09:41:46.247: ISAKMP: SA life type in seconds
*Sep 29 09:41:46.247: ISAKMP: SA life duration (basic) of 3600
*Sep 29 09:41:46.247: ISAKMP: SA life type in kilobytes
*Sep 29 09:41:46.247: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Sep 29 09:41:46.247: ISAKMP: authenticator is HMAC-SHA
*Sep 29 09:41:46.247: ISAKMP: key length is 256
*Sep 29 09:41:46.251: ISAKMP: group is 14
*Sep 29 09:41:46.251: ISAKMP:(1033):atts are acceptable.
*Sep 29 09:41:46.251: ISAKMP:(1033): processing NONCE payload
R2(config-if)#. message ID = 2915858363
*Sep 29 09:41:46.251: ISAKMP:(1033): processing KE payload. message ID = 2915858363
*Sep 29 09:41:46.375: ISAKMP:(1033): processing ID payload. message ID = 2915858363
*Sep 29 09:41:46.375: ISAKMP:(1033): processing ID payload. message ID = 2915858363
*Sep 29 09:41:46.375: ISAKMP:(1033):Node 2915858363, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Sep 29 09:41:46.375: ISAKMP:(1033):Old State = IKE_QM_I_QM1 New State = IKE_QM_IPSEC_INSTALL_AWAIT
*Sep 29 09:41:46.383: ISAKMP: Failed to find peer index node to update peer_info_list
*Sep 29 09:41:46.387: ISAKMP:(1033):Received IPSec Install callback... proceeding with the negotiation
*Sep 29 09:41:46.387: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
*Sep 29 09:41:46.451: ISAKMP:(1033): sending packet to 13.0.0.1 my_port 500 peer_port 500 (I) QM_IDLE
*Sep 29 09:41:46.455: ISAKMP:(1033):Sending an IKE IPv4 Packet.
*Sep 29 09:41:46.455: ISAKMP:(1033):deleting node -1379
R2(config-if)#108933 error FALSE reason "No Error"
*Sep 29 09:41:46.459: ISAKMP:(1033):Node 2915858363, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
*Sep 29 09:41:46.459: ISAKMP:(1033):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_PHASE2_COMPLETE
*Sep 29 09:41:47.003: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on Tunnel1 from LOADING to FULL, Loading Done
R2(config-if)#end
R2#
R2#
R2#
R2#
R2#
R2#
R2#
R2#s
*Sep 29 09:42:00.399: %SYS-5-CONFIG_I: Configured from console by console
R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
13.0.0.1 23.0.0.1 QM_IDLE 1033 ACTIVE
IPv6 Crypto ISAKMP SA
R2#
R2#
R2#
R2#
R2#
R2#
R2#
R2#sh crypto ipsec sa
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 23.0.0.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 13.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 11, #pkts decrypt: 11, #pkts verify: 11
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 23.0.0.1, remote crypto endpt.: 13.0.0.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x1ACC49A0(449595808)
PFS (Y/N): Y, DH group: group14
inbound esp sas:
spi: 0xEF298895(4012476565)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 17, flow_id: 17, sibling_flags 80004040, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4340490/3576)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x1ACC49A0(449595808)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 18, flow_id: 18, sibling_flags 80004040, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4340490/3576)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
R2#
R2#
R2#
R2#
R2#
R2#
R2#
R2#ping 192.168.1.1 source 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/26/44 ms
R2#
R2#
R2#
R2#
R2#
R2#ping 192.168.1.11 source 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.11, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
....
*Sep 29 09:42:36.459: ISAKMP:(1033):purging node -1379108933.
Success rate is 0 percent (0/5)
R2#
As you can see IKEv1 and IPSEC SAs are being built OK. Pings between edge routers work. Pinging anything behind the edge router does not work.
In general any traffic NOT initiated by the edge router does not get encrypted by the edge router (either R1 or R2) and sent across.
Really hope you can figure something out.
Thanks
09-29-2017 11:44 AM
Using "tunnel mode gre ip" doesn't mean that the traffic is unencrypted; it means traffic is encapsulated within GRE and a new IP header added before encapsulating the gre/ip packet within IPSec. The VTI would still have "tunnel protection ipsec profile IKEV1-PROFILE" applied, therefore traffic would still be encrypted. You can see this by running wireshark on the external interface between R2 and R3: you'll see ESP traffic.
I've labbed this in GNS3 and have observed the same issue as you - cannot ping R6 ip, until changing to tunnel mode gre ip, I can then ping.
10-02-2017 05:25 AM
Hi RJI,
I agree with you that using "tunnel mode gre ip" encapsulates the packets within GRE, but that alone does not provide encryption. Only by adding an IPSEC profile for tunnel protection with the command "tunnel protection ipsec profile XXX" is IPSEC (and encryption) engaged; otherwise no encryption is applied to traffic.
I have retried using "tunnel mode gre ip" on the tunnel interface and the result is that both IKE and IPSEC SAs are built but they are flapping, which results in no OSPF neighborship being formed. In addition, since no OSPF adjacency is formed between R1 and R2, no route to the remote LAN is learned and no ping works, as expected. Below is the "debug crypto isakmp" output that shows that the IKE and IPSEC SAs are flapping:
FLAPPING IKE/IPSEC
R2#
*Oct 2 12:15:12.135: ISAKMP:(1007):purging node -1477449341
R2#
*Oct 2 12:15:13.507: ISAKMP:(1008):purging node 1155918101
*Oct 2 12:15:13.507: ISAKMP:(1008):purging node -668427467
R2#
*Oct 2 12:15:28.111: ISAKMP (1007): received packet from 13.0.0.1 dport 500 sport 500 Global (I) QM_IDLE
*Oct 2 12:15:28.111: ISAKMP: set new node 1532224116 to QM_IDLE
*Oct 2 12:15:28.115: ISAKMP:(1007): processing HASH payload. message ID = 1532224116
*Oct 2 12:15:28.119: ISAKMP:(1007): processing SA payload. message ID = 1532224116
*Oct 2 12:15:28.119: ISAKMP:(1007):Checking IPSec proposal 1
*Oct 2 12:15:28.119: ISAKMP: transform 1, ESP_AES
*Oct 2 12:15:28.123: ISAKMP: attributes in transform:
*Oct 2 12:15:28.123: ISAKMP: encaps is 1 (Tunnel)
*Oct 2 12:15:28.123: ISAKMP: SA life type in seconds
*Oct 2 12:15:28.127: ISAKMP: SA life duration (basic) of 3600
*Oct 2 12:15:28.127: ISAKMP: SA life type in kilobytes
*Oct 2 12:15:28.131: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Oct 2 12:15:28.131: ISAKMP: authenticator is HMAC-SHA
*Oct 2 12:15:28.131: ISAKMP: key length is 256
*Oct 2 12:15:28.131
R2#: ISAKMP: group is 5
*Oct 2 12:15:28.131: ISAKMP:(1007):atts are acceptable.
*Oct 2 12:15:28.131: ISAKMP:(1007): IPSec policy invalidated proposal with error 8
*Oct 2 12:15:28.131: ISAKMP:(1007): phase 2 SA policy not acceptable! (local 23.0.0.1 remote 13.0.0.1)
*Oct 2 12:15:28.131: ISAKMP: set new node 391557373 to QM_IDLE
*Oct 2 12:15:28.131: ISAKMP:(1007):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1736876976, message ID = 391557373
*Oct 2 12:15:28.135: ISAKMP:(1007): sending packet to 13.0.0.1 my_port 500 peer_port 500 (I) QM_IDLE
*Oct 2 12:15:28.135: ISAKMP:(1007):Sending an IKE IPv4 Packet.
*Oct 2 12:15:28.135: ISAKMP:(1007):purging node 391557373
*Oct 2 12:15:28.135: ISAKMP:(1007):deleting node 1532224116 error TRUE reason "QM rejected"
*Oct 2 12:15:28.135: ISAKMP:(1007):Node 1532224116, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Oct 2 12:15:28.135: ISAKMP:(1007):Old State = IKE_QM_READY New State = IKE_QM_READY
*Oct 2 12:15:29.81
R2#5: ISAKMP: set new node 0 to QM_IDLE
*Oct 2 12:15:29.815: SA has outstanding requests (local 105.126.236.236 port 500, remote 105.126.237.8 port 500)
*Oct 2 12:15:29.815: ISAKMP:(1008): sitting IDLE. Starting QM immediately (QM_IDLE )
*Oct 2 12:15:29.815: ISAKMP:(1008):beginning Quick Mode exchange, M-ID of 3221566694
*Oct 2 12:15:29.819: ISAKMP:(1008):QM Initiator gets spi
*Oct 2 12:15:29.819: ISAKMP:(1008): sending packet to 13.0.0.1 my_port 500 peer_port 500 (R) QM_IDLE
*Oct 2 12:15:29.819: ISAKMP:(1008):Sending an IKE IPv4 Packet.
*Oct 2 12:15:29.819: ISAKMP:(1008):Node 3221566694, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Oct 2 12:15:29.819: ISAKMP:(1008):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Oct 2 12:15:29.859: ISAKMP (1008): received packet from 13.0.0.1 dport 500 sport 500 Global (R) QM_IDLE
*Oct 2 12:15:29.859: ISAKMP: set new node -1863752534 to QM_IDLE
*Oct 2 12:15:29.859: ISAKMP:(1008): processing HASH payload
R2#. message ID = 2431214762
*Oct 2 12:15:29.859: ISAKMP:(1008): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1771817042, message ID = 2431214762, sa = 0x697EEB3C
*Oct 2 12:15:29.859: ISAKMP:(1008): deleting spi 1771817042 message ID = 3221566694
*Oct 2 12:15:29.859: ISAKMP:(1008):deleting node -1073400602 error TRUE reason "Delete Larval"
*Oct 2 12:15:29.859: ISAKMP:(1008):deleting node -1863752534 error FALSE reason "Informational (in) state 1"
*Oct 2 12:15:29.859: ISAKMP:(1008):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Oct 2 12:15:29.859: ISAKMP:(1008):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
R2#
*Oct 2 12:15:42.139: ISAKMP:(1007):purging node -1293236451
R2#
R2#sh ip ospf neighbor
R2#
CONFIGS
Here are the configs of R1 and R3 using "tunnel mode gre ip" (this command does not show in "show run" since tunnel mode gre is the default mode for a tunnel interface):
R1
R1#sh run int tunnel 1
Building configuration...
Current configuration : 240 bytes
!
interface Tunnel1
description *** IKEV1 IPSEC TUNNEL TO R2 ***
ip unnumbered Loopback0
ip mtu 1440
ip tcp adjust-mss 1400
tunnel source FastEthernet0/0
tunnel destination 23.0.0.1
tunnel protection ipsec profile IKEV1-PROFILE
end
R1#sh run | section crypto
crypto isakmp policy 1
encr aes 256
hash sha512
authentication pre-share
group 14
crypto isakmp key cisco123 address 23.0.0.1
crypto ipsec transform-set IKEV1-TRANS-SET esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec profile IKEV1-PROFILE
set transform-set IKEV1-TRANS-SET
set pfs group5
R1#
R2
R2#sh run int tunnel 1
Building configuration...
Current configuration : 240 bytes
!
interface Tunnel1
description *** IKEV1 IPSEC TUNNEL TO R1 ***
ip unnumbered Loopback0
ip mtu 1440
ip tcp adjust-mss 1400
tunnel source FastEthernet0/0
tunnel destination 13.0.0.1
tunnel protection ipsec profile IKEV1-PROFILE
end
R2#
R2#sh run | section crypto
crypto isakmp policy 1
encr aes 256
hash sha512
authentication pre-share
group 14
crypto isakmp key cisco123 address 13.0.0.1
crypto ipsec transform-set IKEV1-TRANS-SET esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec profile IKEV1-PROFILE
set transform-set IKEV1-TRANS-SET
set pfs group5
R2#
The strange thing is that in a similar setup implementing DMVPN everything works fine: internal LAN hosts can ping remote LAN hosts. The difference in the DMVPN config related to the tunnel interface is that in DMVPN the configuration is "tunnel mode gre multipoint" and NHRP is used. Also in DMVPN a tunnel protection ipsec profile is used to provide encryption.
I don't know why on DMVPN everything works (this too uses a VTI tunnel interface) but on a point-to-point VPN using static or dynamic VTI interfaces it does not work.
Any suggestions from anyone???
Thank you
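An added helper (not from this thread, Cisco, or GNS3) that scripts two of the checks the posts above perform by hand: snapshotting "show crypto ipsec sa" counters before and after a test ping to see whether this router decapsulated echoes but never encapsulated replies, and scanning "debug crypto isakmp" output for quick-mode proposal rejections together with the DH group offered just before each one. The sample outputs are constructed to match the formats quoted in the thread; the counters are illustrative.

```python
import re

# Constructed sample in the format of the "show crypto ipsec sa" output quoted in
# this thread; the counters are illustrative, not the thread's exact numbers.
SA_BEFORE = """\
interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 23.0.0.1
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 13.0.0.1 port 500
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 11, #pkts decrypt: 11, #pkts verify: 11
    #send errors 0, #recv errors 0
     PFS (Y/N): Y, DH group: group14
"""

# Same router after a LAN host on the far side sent five pings through the tunnel:
# five packets were decapsulated, but no replies were encapsulated (constructed).
SA_AFTER = SA_BEFORE.replace("#pkts decaps: 11, #pkts decrypt: 11, #pkts verify: 11",
                             "#pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16")

# Constructed excerpt in the format of the "debug crypto isakmp" lines quoted above.
DEBUG_SAMPLE = """\
*Oct  2 12:15:28.131: ISAKMP:   key length is 256
*Oct  2 12:15:28.131: ISAKMP:   group is 5
*Oct  2 12:15:28.131: ISAKMP:(1007):atts are acceptable.
*Oct  2 12:15:28.131: ISAKMP:(1007): IPSec policy invalidated proposal with error 8
*Oct  2 12:15:28.131: ISAKMP:(1007): phase 2 SA policy not acceptable! (local 23.0.0.1 remote 13.0.0.1)
*Oct  2 12:15:28.131: ISAKMP:(1007):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
"""


def parse_ipsec_sa(text):
    """Extract the fields a troubleshooter compares first from 'show crypto ipsec sa'."""
    def grab(pattern, cast=str):
        m = re.search(pattern, text, re.MULTILINE)
        return cast(m.group(1)) if m else None
    return {
        "interface": grab(r"^interface:\s+(\S+)"),
        "local_addr": grab(r"local addr (\S+)"),
        "peer": grab(r"current_peer (\S+)"),
        "local_ident": grab(r"local\s+ident \(addr/mask/prot/port\): \(([^)]*)\)"),
        "remote_ident": grab(r"remote ident \(addr/mask/prot/port\): \(([^)]*)\)"),
        "encaps": grab(r"#pkts encaps: (\d+)", int),
        "decaps": grab(r"#pkts decaps: (\d+)", int),
        "send_errors": grab(r"#send errors (\d+)", int),
        "recv_errors": grab(r"#recv errors (\d+)", int),
        "pfs_group": grab(r"DH group: (\S+)"),
    }


def counter_delta(before_text, after_text):
    """Compare two snapshots taken around a test ping. Returns how many packets this
    router encapsulated and decapsulated in between, plus a one-line verdict: if
    decaps grew but encaps did not, the echoes arrived through the tunnel and the
    replies were never routed back into the VTI (the symptom described in the thread)."""
    before, after = parse_ipsec_sa(before_text), parse_ipsec_sa(after_text)
    d_enc = after["encaps"] - before["encaps"]
    d_dec = after["decaps"] - before["decaps"]
    if d_dec > 0 and d_enc == 0:
        verdict = "received through tunnel, replies not encapsulated: check return routing"
    elif d_enc > 0 and d_dec == 0:
        verdict = "sent through tunnel, nothing came back: check the far side"
    elif d_enc == 0 and d_dec == 0:
        verdict = "no tunnel traffic at all: check that the route points at the VTI"
    else:
        verdict = "both directions moving"
    return {"encaps": d_enc, "decaps": d_dec, "verdict": verdict}


PHASE2_REJECT = re.compile(r"ISAKMP:\((\d+)\): IPSec policy invalidated proposal with error (\d+)")
OFFERED_GROUP = re.compile(r"ISAKMP:\s+group is (\d+)")


def phase2_rejections(debug_text):
    """Scan 'debug crypto isakmp' output for quick-mode proposal rejections and pair
    each with the DH group the peer offered immediately before it, so the offered
    group can be compared against the local profile's 'set pfs' without reading
    every line."""
    last_group, found = None, []
    for line in debug_text.splitlines():
        g = OFFERED_GROUP.search(line)
        if g:
            last_group = int(g.group(1))
        r = PHASE2_REJECT.search(line)
        if r:
            found.append({"conn_id": int(r.group(1)), "error": int(r.group(2)),
                          "offered_group": last_group})
    return found


if __name__ == "__main__":
    print(counter_delta(SA_BEFORE, SA_AFTER))
    for rej in phase2_rejections(DEBUG_SAMPLE):
        print(rej)
```

Run the delta check on both edge routers around one ping from a LAN host: the router whose decaps grow while encaps stay flat is the one not forwarding the replies into the tunnel.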
10-10-2017 04:51 AM
I am refreshing the post in case someone could offer some help on this issue.
In short, when setting up an IPSec VPN using SVTIs, the tunnel comes up and pings from the routers are possible, but nothing sourced from LAN hosts works. Traffic sourced from LAN hosts gets encrypted on the way out to the remote site, but return traffic does not get encrypted by the remote edge router.
If someone has seen this behavior please share some thoughts...
Thanks
06-08-2019 05:26 AM - edited 06-08-2019 05:27 AM
Hi,
I had a similar problem using dynamips and IOS c7200-advipservicesk9-mz.152-4.S5
The packets were dropped somewhere in the device.
I think the above IOS does not work properly with dynamips.
After testing the same identical config with GNS+IOU the problem disappeared, so draw your conclusions.