Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1385
Views
5
Helpful
3
Replies

GRE/IPsec VPN Issues

ricardo1831
Level 1
Level 1

‎12-20-2010 09:46 AM - edited ‎02-21-2020 05:02 PM

I’m hoping someone out there will be able to help with an issue I’m seeing with Cisco IOS router to router GRE/IPSec VPN setup as described below...

                 

<Router1>-----<FW (ASA)>---------{Internet}---------<FW (ASA)>-----<Router2>

All configuration is in place, interesting traffic defined, tunnel interfaces at both ends are up, phase 1 and phase 2 authentication works and VPN establishes... from one end only.

I can ping from router 1 to router 2 and VPN establishes. When pinging from router 2 to router 1 ping request times out and the show crypto isakmp sa command displays MM_KEY_EXCH

If I then ping across from router 1 to router 2 the ping request going the other way starts and traffic passes and state goes to QM_IDLE

VPN pass-through is enabled on both firewalls and ACLs are in place to allow the traffic to pass.

See my configuration below to see how this is setup. I’ve used a tunnel interface as the router this VPN terminates on only has one in/out physical interface. There is no crypto map as the crypto ipsec profile replaces this and as such no ACL is required, instead interesting traffic is identified by ip route.

Your assistance with this matter will be appreciated. Please find attached diag for better idea of the setup.

Somebody has already mentioned to me that NHRP might need enabling on tunnel interface?

Router1###

crypto isakmp policy 10

encr aes 256

authentication pre-share

group 14

crypto isakmp key Rxx8XXX address X.X.X.136 no-xauth

!

!

crypto ipsec transform-set VPN_BACKUP_TS esp-aes 256 esp-sha-hmac

!

crypto ipsec profile SPINE_VPN_PROF

set transform-set VPN_BACKUP_TS

set pfs group14

!

interface Tunnel0

ip address 172.30.30.1 255.255.255.252

tunnel source fa0/1

tunnel destination X.X.X.136

tunnel mode ipsec ipv4

tunnel protection ipsec profile SPINE_VPN_PROF

ip route 172.X.X.X 255.255.0.0 172.30.30.2

Router2###

crypto isakmp policy 10

encr aes 256

authentication pre-share

group 14

crypto isakmp key Rxx8XXX address X.X.X.131 no-xauth

!

!

crypto ipsec transform-set VPN_BACKUP_TS esp-aes 256 esp-sha-hmac

!

crypto ipsec profile SPINE_VPN_PROF

set transform-set VPN_BACKUP_TS

set pfs group14

!

interface Tunnel0

ip address 172.30.30.2 255.255.255.252

tunnel source fa0/0

tunnel destination X.X.X.131

tunnel mode ipsec ipv4

tunnel protection ipsec profile SPINE_VPN_PROF

ip route 172.X.X.X 255.255.0.0 172.30.30.1

Labels:
0 Helpful
3 Replies 3

ricardo1831
Level 1
Level 1

‎12-20-2010 09:47 AM

Please find attached diag for better idea of the setup.

77367-VPN Issue Diag.vsd.zip
0 Helpful

oszkari
Level 1
Level 1

‎12-20-2010 10:58 AM

Could you post the configs on ASA's and some debug outpus from the routers (debug crypto isakmp)

And one more thing, according to the configs  you are using IPsec VTIs, no GRE is involved. (

tunnel mode ipsec ipv4)

Regards,

Oszkar

0 Helpful

Jay Young
Cisco Employee
Cisco Employee

‎12-20-2010 11:25 AM

Ricardo,

During main mode key exchange is performed in message 3 and 4.  In addition nat detection also occurs in 3 and 4.  During message 5 and 6 if nat has been detected the messages will switch to using udp/4500.  Confirm that the firewalls are permitting udp 4500 through the box.

It sounds like the firewall on the Router 1 is not allowing connections inbound to be established.  Perhaps you can look at that firewalls configs/logs.

Customers Also Viewed These Support Documents