GRE-IPsec Tunnel using Profiles

janihustler
Level 1

We have 2 tunnels set up between the customer and us. We are trying to have a GRE-IPsec tunnel between us (Primary & Secondary). We have the tunnels up and active; when I do a "sh crypto session", "sh crypto isakmp sa" shows no errors.

In the "show crypto session" command output, the no. of Active SAs keeps on increasing every few seconds or minutes. I tried to clear crypto sa, and also used the spi-recovery command, but it did not help. Please can you share some insight on why this is happening and how we can troubleshoot it? Thanks!

5 Replies

Francesco Molino
VIP Alumni
Hi

Can you share the output of show crypto isakmp sa?
Have you run a debug crypto isakmp and debug crypto ipsec?

Can you share the config please?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Both the IPs on my side are loopbacks (192.168.50.1 & 192.168.50.5).

I ran both the debugs and got the following errors:

sh crypto session

Interface: Tunnel12
Profile: S1-ISAKMP
Session status: UP-ACTIVE
Peer: 192.168.10.1 port 500
Session ID: 0
IKEv1 SA: local 192.168.50.1/500 remote 192.168.10.1/500 Active
IPSEC FLOW: permit 47 host 192.168.50.1 host 192.168.10.1
Active SAs: 10, origin: crypto map

Interface: Tunnel13
Profile: S1-ISAKMP
Session status: UP-ACTIVE
Peer: 192.168.20.1 port 500
Session ID: 0
IKEv1 SA: local 192.168.50.5/500 remote 192.168.20.1/500 Active
IPSEC FLOW: permit 47 host 192.168.50.5 host 192.168.20.1
Active SAs: 8, origin: crypto map

sh crypto isakmp sa

IPv4 Crypto ISAKMP SA
dst             src             state    conn-id  status
192.168.10.1    192.168.50.1    QM_IDLE  151063   ACTIVE S1-ISAKMP
192.168.20.1    192.168.50.5    QM_IDLE  151064   ACTIVE S1-ISAKMP

config:

crypto keyring S1
 pre-shared-key address 192.168.10.1 key happy-eddie

crypto isakmp key spoAZIu address 192.168.10.1
crypto isakmp key spoAZIu address 192.168.20.1

crypto isakmp policy 100
 encr aes 256
 authentication pre-share
 group 5

crypto isakmp profile S1-ISAKMP
 keyring S1
 match identity address 192.168.10.1 255.255.255.255
 match identity address 192.168.20.1 255.255.255.255

crypto ipsec transform-set S1-TSET esp-aes 256 esp-sha-hmac
 mode transport

crypto ipsec profile S1-IPSEC
 set transform-set S1-TSET
 set isakmp-profile S1-ISAKMP

interface Tunnelxx
 ip vrf forwarding sort
 ip address <ip add of the tunnel> <subnet mask>
 ip tcp adjust-mss 1360
 tunnel source <ip add>
 tunnel destination <ip add>
 tunnel protection ipsec profile S1-IPSEC
 crypto engine slot 3/0 inside

Thank you for your response; let me know in case additional information is required.
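The symptom in the posts above is the Active SAs count on both tunnels climbing over time. As an added example (this is not code from the thread), the Python below parses the posted "sh crypto session" output, flags any IPSEC FLOW carrying more than the single inbound/outbound SA pair that the thread's final post reports as the healthy state, and compares two polls so that growth itself becomes the alert. The second poll is constructed for the example. A rekey in progress can legitimately show a second pair for a moment, so the per-poll threshold is a heuristic; the growth check across polls is the signal to trust.

```python
"""Parse Cisco IOS 'show crypto session' output and flag GRE-over-IPsec
tunnels carrying more IPsec SAs than the one inbound/outbound pair a
single GRE flow needs. Added example, not code from the original thread."""
import re
from dataclasses import dataclass, field

# The 'sh crypto session' output as posted in the thread.
SHOW_CRYPTO_SESSION = """\
Interface: Tunnel12
Profile: S1-ISAKMP
Session status: UP-ACTIVE
Peer: 192.168.10.1 port 500
Session ID: 0
IKEv1 SA: local 192.168.50.1/500 remote 192.168.10.1/500 Active
IPSEC FLOW: permit 47 host 192.168.50.1 host 192.168.10.1
Active SAs: 10, origin: crypto map

Interface: Tunnel13
Profile: S1-ISAKMP
Session status: UP-ACTIVE
Peer: 192.168.20.1 port 500
Session ID: 0
IKEv1 SA: local 192.168.50.5/500 remote 192.168.20.1/500 Active
IPSEC FLOW: permit 47 host 192.168.50.5 host 192.168.20.1
Active SAs: 8, origin: crypto map
"""

# Constructed later poll of the same command: Tunnel12 keeps growing,
# Tunnel13 is back to the healthy pair (as after a successful clear).
SHOW_CRYPTO_SESSION_LATER = SHOW_CRYPTO_SESSION.replace(
    "Active SAs: 10,", "Active SAs: 12,").replace("Active SAs: 8,", "Active SAs: 2,")

# One IPsec SA pair (inbound + outbound) per flow is the steady state.
EXPECTED_SAS_PER_FLOW = 2


@dataclass
class Flow:
    spec: str          # e.g. "permit 47 host 192.168.50.1 host 192.168.10.1"
    active_sas: int


@dataclass
class Session:
    interface: str
    profile: str = ""
    status: str = ""
    peer: str = ""
    flows: list = field(default_factory=list)


def parse_crypto_session(text):
    """Return a list of Session objects, one per 'Interface:' block."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Interface":
            cur = Session(interface=value)
            sessions.append(cur)
        elif cur is None:
            continue
        elif key == "Profile":
            cur.profile = value
        elif key == "Session status":
            cur.status = value
        elif key == "Peer":
            cur.peer = value.split()[0]          # drop "port 500"
        elif key == "IPSEC FLOW":
            cur.flows.append(Flow(spec=value, active_sas=0))
        elif key == "Active SAs" and cur.flows:
            # "10, origin: crypto map" -> 10; the count belongs to the last flow seen
            cur.flows[-1].active_sas = int(re.match(r"(\d+)", value).group(1))
    return sessions


def excess_sas(session, expected=EXPECTED_SAS_PER_FLOW):
    """SAs beyond one inbound/outbound pair per flow; 0 means healthy."""
    return sum(max(0, f.active_sas - expected) for f in session.flows)


def flag_bloated(sessions, expected=EXPECTED_SAS_PER_FLOW):
    """Interfaces whose flows hold more SAs than expected in a single poll."""
    return [s.interface for s in sessions if excess_sas(s, expected) > 0]


def sa_growth(earlier, later):
    """Map interface -> change in total active SAs between two polls."""
    before = {s.interface: sum(f.active_sas for f in s.flows) for s in earlier}
    after = {s.interface: sum(f.active_sas for f in s.flows) for s in later}
    return {i: after[i] - before[i] for i in before if i in after}


if __name__ == "__main__":
    first = parse_crypto_session(SHOW_CRYPTO_SESSION)
    second = parse_crypto_session(SHOW_CRYPTO_SESSION_LATER)
    for s in first:
        print(f"{s.interface} peer {s.peer}: {excess_sas(s)} SA(s) above the expected pair")
    print("still growing:", {i: d for i, d in sa_growth(first, second).items() if d > 0})
```

Run the poll at a fixed interval (for example with the output of the command pasted or pulled over SSH) and alert on interfaces that appear in the growth map with a positive delta on consecutive runs; a tunnel that shows a positive delta once and then drops back is just a rekey.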

Hi

You're using a crypto keyring to define your PSK. However, you're missing one end router, and the password isn't the same as the one configured on crypto isakmp key.
Can you align them, please? Only the keyring is used.

I'm looking at it through my iPhone and may be missing something, but I see your IKE up.
Can you detail your issue and do a debug to see if everything is coming up correctly (see my 1st reply, where I mentioned the debugs you should run)?

Thanks
Francesco
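Francesco's two findings (a peer matched by the ISAKMP profile that has no entry in the profile's keyring, and a keyring key that differs from the global crypto isakmp key for the same peer) can be checked mechanically against the posted config. The Python below is an added example, not code from the thread: it parses the keyring, the global keys and the ISAKMP profile as posted, reports both problems, and carries the IOS rule Francesco states (when a profile references a keyring, that keyring supplies the PSK for the peers it matches, so the global entry is not what the peer is authenticated with). `aligned_keyring` is a hypothetical helper that renders a keyring with one entry per matched peer; `<shared-key>` in the usage block is a placeholder, not a real key.

```python
"""Audit a Cisco IOS IKEv1 pre-shared-key configuration for the two
problems called out in the thread: peers matched by an ISAKMP profile
with no entry in the profile's keyring, and keyring entries whose key
differs from a global 'crypto isakmp key' for the same peer.
Added example, not code from the original thread."""
import re

# The relevant part of the config as posted (IOS sub-commands indented).
POSTED_CONFIG = """\
crypto keyring S1
 pre-shared-key address 192.168.10.1 key happy-eddie
!
crypto isakmp key spoAZIu address 192.168.10.1
crypto isakmp key spoAZIu address 192.168.20.1
!
crypto isakmp profile S1-ISAKMP
 keyring S1
 match identity address 192.168.10.1 255.255.255.255
 match identity address 192.168.20.1 255.255.255.255
"""

KEYRING_RE = re.compile(r"^crypto keyring (\S+)")
PROFILE_RE = re.compile(r"^crypto isakmp profile (\S+)")
GLOBAL_KEY_RE = re.compile(r"^crypto isakmp key (\S+) address (\S+)")
# 'pre-shared-key address <ip> [mask] key <key>'
PSK_RE = re.compile(r"^pre-shared-key address (\S+)(?: \S+)? key (\S+)")
MATCH_RE = re.compile(r"^match identity address (\S+)")


def parse_ike_psk_config(text):
    """Return (keyrings, global_keys, profiles):
    keyrings: name -> {peer: key}; global_keys: peer -> key;
    profiles: name -> {"keyring": name_or_None, "peers": [ip, ...]}."""
    keyrings, global_keys, profiles = {}, {}, {}
    block = None  # ("keyring", name) or ("profile", name) while inside one
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):            # a top-level command ends any block
            block = None
            if m := KEYRING_RE.match(raw):
                block = ("keyring", m.group(1))
                keyrings.setdefault(m.group(1), {})
            elif m := PROFILE_RE.match(raw):
                block = ("profile", m.group(1))
                profiles.setdefault(m.group(1), {"keyring": None, "peers": []})
            elif m := GLOBAL_KEY_RE.match(raw):
                global_keys[m.group(2)] = m.group(1)
            continue
        if block is None:
            continue
        kind, name = block
        line = raw.strip()
        if kind == "keyring" and (m := PSK_RE.match(line)):
            keyrings[name][m.group(1)] = m.group(2)
        elif kind == "profile":
            if line.startswith("keyring "):
                profiles[name]["keyring"] = line.split()[1]
            elif m := MATCH_RE.match(line):
                profiles[name]["peers"].append(m.group(1))
    return keyrings, global_keys, profiles


def audit_psk(keyrings, global_keys, profiles):
    """Return one human-readable finding per misconfigured peer."""
    findings = []
    for pname, prof in profiles.items():
        ring_name = prof["keyring"]
        if ring_name is None:
            continue  # no keyring referenced: only the global keys apply
        ring = keyrings.get(ring_name, {})
        for peer in prof["peers"]:
            if peer not in ring:
                findings.append(f"{pname}: peer {peer} has no pre-shared-key "
                                f"in keyring {ring_name}")
            elif peer in global_keys and global_keys[peer] != ring[peer]:
                # The keyring entry is the one used for this peer; the global
                # key is dead config here and a sign the two were never aligned.
                findings.append(f"{pname}: keyring {ring_name} key for {peer} "
                                f"differs from the global crypto isakmp key")
    return findings


def aligned_keyring(name, peers, key):
    """Hypothetical helper: render a keyring with one entry per peer."""
    lines = [f"crypto keyring {name}"]
    lines += [f" pre-shared-key address {p} key {key}" for p in peers]
    return "\n".join(lines)


if __name__ == "__main__":
    kr, gk, pr = parse_ike_psk_config(POSTED_CONFIG)
    for finding in audit_psk(kr, gk, pr):
        print("FINDING:", finding)
    print(aligned_keyring("S1", pr["S1-ISAKMP"]["peers"], "<shared-key>"))
```

Against the posted config the audit reports exactly Francesco's two points: 192.168.10.1 has a keyring key that differs from its global key, and 192.168.20.1 has no keyring entry at all even though the profile matches it. Note that the audit only cross-checks keys when the profile names a keyring; a profile without one falls back to the global entries and is out of scope here.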

Hi Francesco,

I am really sorry to reply this late. We debugged a few things on our device, which is a Cisco 7609, and found out that the interface for the outgoing traffic did not have the encryption module enabled on it. We enabled it on the interface, and it is working fine now with 2 active SAs. I am not sure whether this was the root issue or whether this is the solution for the problem, but it did solve the issue in our case.

Also, regarding the missing one end router (that was for the customer, so I could not get that) and the password: only the keyring is used (noted this), and I aligned the required password. Thanks for the help, Francesco.

Happy that you solved your issue.
You're welcome.

Thanks
Francesco