cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1590
Views
0
Helpful
4
Replies

GRE over IPSEC encaps no decaps

spencercook
Level 1
Level 1

Hi all, hope you can help.

I've normally been the one to get lumbered with VPN's, and I'm simulating a layout (in GNS3) for someone to view prior to configuring the new kit.  

There'll be several remote and mobile sites, so my plan was an IPSEC tunnel from the company firewall (FW) to the mobile router outside intf.  

Then a GRE tunnel over this using loopback interfaces from the mobile router to the central router.

I'm pinging out fine, but not over the tunnel.  Both ends get encaps and no decaps.  I've tried two no nat options.  And now stuck.  The ipsec debug doesn't show any errors.  I know I've missed something.

Things to change after test is

1 encryption types won't be 3des

2 mtu/path/mss adjustments will be added to the live envrionments.

Included is the diagram of what's to be achieved.

FW/Mobil/Central configs

sh crypto ipsec sa output from both ipsec devices.

Thanks.

4 Replies 4

spencercook
Level 1
Level 1

Noticed missing routes

192.168.0.0/16 from fw inbound to central, and 192.168.0.2/32 outbound

Still no joy

could you please check if pase 1 is up

sh crypto isakmp sa

also ping 172.16.2.2 from FW

Hi, PH1 and PH2 are both up.  I've also now shutdown the interfaces Tu0 on both GRE ends, and added the VPC's ip addresses to the interesting traffic, in a bid to complete the ipsec issue first.  You'll see the second PH2 as the last output below.

FW(config)#do ping 172.16.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/30/44 ms
FW(config)#do sh crypto isa sa
dst src state conn-id slot status
172.16.2.2 10.132.0.2 QM_IDLE 1 0 ACTIVE

FW(config)#do crypto ipsec sa
crypto ipsec sa
^
% Invalid input detected at '^' marker.

FW(config)#do sh crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: s2s-map, local addr 10.132.0.2

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (192.168.0.2/255.255.255.255/47/0)
current_peer 172.16.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7953, #pkts encrypt: 7953, #pkts digest: 7953
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 545, #recv errors 0

local crypto endpt.: 10.132.0.2, remote crypto endpt.: 172.16.2.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x4CC8A718(1288218392)

inbound esp sas:
spi: 0x77CF9CE8(2010094824)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: s2s-map
sa timing: remaining key lifetime (k/sec): (4505987/2125)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x4CC8A718(1288218392)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: s2s-map
sa timing: remaining key lifetime (k/sec): (4505987/2124)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (10.132.32.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.132.50.2/255.255.255.255/0/0)
current_peer 172.16.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 32, #pkts encrypt: 32, #pkts digest: 32
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 10.132.0.2, remote crypto endpt.: 172.16.2.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x416BFC22(1097595938)

inbound esp sas:
spi: 0x75440F03(1967394563)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: SW:4, crypto map: s2s-map
sa timing: remaining key lifetime (k/sec): (4430503/2707)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x416BFC22(1097595938)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: SW:3, crypto map: s2s-map
sa timing: remaining key lifetime (k/sec): (4430498/2705)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

Thanks

spencercook
Level 1
Level 1

Slept on it and sorted the issue.

The outside interface ACL was permitting GRE/AHP/ISAKMP 500/non-500 but not ESP.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: