12-20-2010 09:46 AM - edited 02-21-2020 05:02 PM
I’m hoping someone out there will be able to help with an issue I’m seeing with Cisco IOS router to router GRE/IPSec VPN setup as described below...
<Router1>-----<FW (ASA)>---------{Internet}---------<FW (ASA)>-----<Router2>
All configuration is in place, interesting traffic defined, tunnel interfaces at both ends are up, phase 1 and phase 2 authentication works and VPN establishes... from one end only.
I can ping from router 1 to router 2 and the VPN establishes. When pinging from router 2 to router 1, the ping request times out and the show crypto isakmp sa command displays MM_KEY_EXCH.
If I then ping across from router 1 to router 2, the ping request going the other way starts working, traffic passes and the state goes to QM_IDLE.
VPN pass-through is enabled on both firewalls and ACLs are in place to allow the traffic to pass.
See my configuration below to see how this is setup. I’ve used a tunnel interface as the router this VPN terminates on only has one in/out physical interface. There is no crypto map as the crypto ipsec profile replaces this and as such no ACL is required, instead interesting traffic is identified by ip route.
Your assistance with this matter will be appreciated. Please find attached a diagram for a better idea of the setup.
Somebody has already mentioned to me that NHRP might need enabling on tunnel interface?
Router1###
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14
crypto isakmp key Rxx8XXX address X.X.X.136 no-xauth
!
!
crypto ipsec transform-set VPN_BACKUP_TS esp-aes 256 esp-sha-hmac
!
crypto ipsec profile SPINE_VPN_PROF
set transform-set VPN_BACKUP_TS
set pfs group14
!
interface Tunnel0
ip address 172.30.30.1 255.255.255.252
tunnel source fa0/1
tunnel destination X.X.X.136
tunnel mode ipsec ipv4
tunnel protection ipsec profile SPINE_VPN_PROF
ip route 172.X.X.X 255.255.0.0 172.30.30.2
Router2###
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 14
crypto isakmp key Rxx8XXX address X.X.X.131 no-xauth
!
!
crypto ipsec transform-set VPN_BACKUP_TS esp-aes 256 esp-sha-hmac
!
crypto ipsec profile SPINE_VPN_PROF
set transform-set VPN_BACKUP_TS
set pfs group14
!
interface Tunnel0
ip address 172.30.30.2 255.255.255.252
tunnel source fa0/0
tunnel destination X.X.X.131
tunnel mode ipsec ipv4
tunnel protection ipsec profile SPINE_VPN_PROF
ip route 172.X.X.X 255.255.0.0 172.30.30.1
12-20-2010 09:47 AM
12-20-2010 10:58 AM
Could you post the configs on the ASAs and some debug output from the routers (debug crypto isakmp)?
And one more thing: according to the configs you are using IPsec VTIs, no GRE is involved (tunnel mode ipsec ipv4).
Regards,
Oszkar
12-20-2010 11:25 AM
Ricardo,
During main mode, key exchange is performed in messages 3 and 4. NAT detection also occurs in messages 3 and 4. In messages 5 and 6, if NAT has been detected, the exchange switches to UDP/4500. Confirm that the firewalls are permitting UDP 4500 through the box.
It sounds like the firewall in front of Router 1 is not allowing inbound connections to be established. Perhaps you can look at that firewall's configs/logs.
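As an added illustration of the main-mode sequence described in this reply (not code from any poster or from Cisco), the script below builds constructed ISAKMP datagrams, walks their payload chain, and maps what one peer saw on udp/500 and udp/4500 to the isakmp state it would report; the state names assume Cisco's show crypto isakmp sa naming (MM_SA_SETUP, MM_KEY_EXCH, MM_KEY_AUTH, QM_IDLE), and build_isakmp/diagnose are helpers written for this example.

```python
import struct

# ISAKMP payload types (RFC 2408; NAT-D from RFC 3947) and header constants
SA, KE, ID, HASH, NONCE, VID, NAT_D = 1, 4, 5, 8, 10, 13, 20
MAIN_MODE = 2            # exchange type "Identity Protection" (main mode)
FLAG_ENCRYPTED = 0x01    # E bit, set on main-mode messages 5 and 6

def build_isakmp(icookie, rcookie, payloads, flags=0, exch=MAIN_MODE):
    """Build a minimal ISAKMP datagram from [(payload type, body)] (constructed input only)."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    return struct.pack("!8s8sBBBBII", icookie, rcookie, first, 0x10, exch, flags, 0, 28 + len(body)) + body

def parse_isakmp(data):
    """Return (exchange type, flags, [payload types]) by walking the generic payload chain."""
    _, _, nxt, _, exch, flags, _, _ = struct.unpack("!8s8sBBBBII", data[:28])
    types, off = [], 28
    while nxt and off + 4 <= len(data):
        plen = struct.unpack("!H", data[off + 2:off + 4])[0]
        if plen < 4:
            break            # malformed payload header: stop rather than loop forever
        types.append(nxt)
        nxt, off = data[off], off + plen
    return exch, flags, types

def main_mode_step(pkt):
    """Map one main-mode datagram to the message pair it belongs to."""
    exch, flags, types = parse_isakmp(pkt)
    if exch != MAIN_MODE:
        return "not-main-mode"
    if flags & FLAG_ENCRYPTED:
        return "MM5/6"                     # identities and auth hash, encrypted
    if KE in types:
        return "MM3/4+NAT-D" if NAT_D in types else "MM3/4"
    return "MM1/2" if SA in types else "unknown"

def diagnose(capture):
    """capture: [(udp port, datagram)] seen at one peer; returns (expected isakmp state, reason)."""
    steps = [(port, main_mode_step(pkt)) for port, pkt in capture]
    seen, ports = {s for _, s in steps}, {p for p, _ in steps}
    if "MM5/6" in seen:
        return "MM_KEY_AUTH/QM_IDLE", "main mode messages 5/6 exchanged"
    if "MM3/4+NAT-D" in seen and 4500 not in ports:
        return "MM_KEY_EXCH", "NAT-D exchanged but nothing on udp/4500: check firewall permits udp/4500 inbound"
    if "MM3/4" in seen or "MM3/4+NAT-D" in seen:
        return "MM_KEY_EXCH", "messages 5/6 never arrived"
    if "MM1/2" in seen:
        return "MM_SA_SETUP", "key exchange (messages 3/4) never started"
    return "MM_NO_STATE", "no main-mode exchange seen"
```

A capture that stops after messages 3/4 with NAT-D payloads and never shows udp/4500 traffic reproduces the MM_KEY_EXCH symptom from the original post.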