09-21-2016 02:18 AM - edited 02-21-2020 08:59 PM
Hi all, hope you can help.
I've normally been the one to get lumbered with VPNs, and I'm simulating a layout (in GNS3) for someone to view prior to configuring the new kit.
There'll be several remote and mobile sites, so my plan was an IPSEC tunnel from the company firewall (FW) to the mobile router outside intf.
Then a GRE tunnel over this using loopback interfaces from the mobile router to the central router.
I'm pinging out fine, but not over the tunnel. Both ends get encaps and no decaps. I've tried two no nat options. And now stuck. The ipsec debug doesn't show any errors. I know I've missed something.
Things to change after test is
1 encryption types won't be 3des
2 mtu/path/mss adjustments will be added to the live environments.
Included is the diagram of what's to be achieved.
FW/Mobil/Central configs
sh crypto ipsec sa output from both ipsec devices.
Thanks.
09-21-2016 03:09 AM
Noticed missing routes
192.168.0.0/16 from fw inbound to central, and 192.168.0.2/32 outbound
Still no joy
09-21-2016 03:48 AM
Could you please check if phase 1 is up
sh crypto isakmp sa
also ping 172.16.2.2 from FW
09-21-2016 05:30 AM
Hi, PH1 and PH2 are both up. I've also now shut down the Tu0 interfaces on both GRE ends, and added the VPCs' IP addresses to the interesting traffic, in a bid to sort out the IPsec issue first. You'll see the second PH2 as the last output below.
FW(config)#do ping 172.16.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/30/44 ms
FW(config)#do sh crypto isa sa
dst src state conn-id slot status
172.16.2.2 10.132.0.2 QM_IDLE 1 0 ACTIVE
FW(config)#do crypto ipsec sa
crypto ipsec sa
^
% Invalid input detected at '^' marker.
FW(config)#do sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: s2s-map, local addr 10.132.0.2
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (192.168.0.2/255.255.255.255/47/0)
current_peer 172.16.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7953, #pkts encrypt: 7953, #pkts digest: 7953
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 545, #recv errors 0
local crypto endpt.: 10.132.0.2, remote crypto endpt.: 172.16.2.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x4CC8A718(1288218392)
inbound esp sas:
spi: 0x77CF9CE8(2010094824)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: s2s-map
sa timing: remaining key lifetime (k/sec): (4505987/2125)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x4CC8A718(1288218392)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: s2s-map
sa timing: remaining key lifetime (k/sec): (4505987/2124)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (10.132.32.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.132.50.2/255.255.255.255/0/0)
current_peer 172.16.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 32, #pkts encrypt: 32, #pkts digest: 32
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 10.132.0.2, remote crypto endpt.: 172.16.2.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x416BFC22(1097595938)
inbound esp sas:
spi: 0x75440F03(1967394563)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: SW:4, crypto map: s2s-map
sa timing: remaining key lifetime (k/sec): (4430503/2707)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x416BFC22(1097595938)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: SW:3, crypto map: s2s-map
sa timing: remaining key lifetime (k/sec): (4430498/2705)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Thanks
09-22-2016 02:57 AM
Slept on it and sorted the issue.
The outside interface ACL was permitting GRE/AHP/ISAKMP 500/non-500 but not ESP.
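The fix described above, written out as an added illustration (not the poster's actual config): an inbound ACL on the FW's outside interface that permits ISAKMP, NAT-T, AH and GRE but not ESP, beside the corrected version. The ACL name, the interface binding and the line order are assumptions; the addresses are the peer and loopback addresses visible in the show output above.

```cisco
! --- BEFORE (assumed): everything an IPsec/GRE peer needs except ESP ---
ip access-list extended OUTSIDE-IN
 remark IKE phase 1 (UDP/500) and NAT-T (UDP/4500) from the mobile router
 permit udp host 172.16.2.2 host 10.132.0.2 eq isakmp
 permit udp host 172.16.2.2 host 10.132.0.2 eq non500-isakmp
 remark AH (IP protocol 51) - present, but the transform set uses ESP, not AH
 permit ahp host 172.16.2.2 host 10.132.0.2
 remark GRE between the tunnel loopbacks
 permit gre host 192.168.0.2 host 192.168.0.1
 deny   ip any any
!
! Symptom: phase 1 and phase 2 negotiate (IKE is permitted), the local side
! encrypts and sends (#pkts encaps climbs), but every ESP packet from the peer
! is dropped by this ACL before it reaches the crypto engine, so
! #pkts decaps / #pkts decrypt stay at 0 and the IPsec debugs show no error.

! --- AFTER: add ESP (IP protocol 50) from the IPsec peer ---
ip access-list extended OUTSIDE-IN
 permit udp host 172.16.2.2 host 10.132.0.2 eq isakmp
 permit udp host 172.16.2.2 host 10.132.0.2 eq non500-isakmp
 permit esp host 172.16.2.2 host 10.132.0.2
 permit ahp host 172.16.2.2 host 10.132.0.2
 permit gre host 192.168.0.2 host 192.168.0.1
 deny   ip any any
!
! Assumed binding on the outside interface named in the show output
interface FastEthernet0/0
 ip access-group OUTSIDE-IN in
```

To confirm, watch the hit count on the esp line with `show ip access-lists OUTSIDE-IN` while the peer sends, and check that `show crypto ipsec sa` now reports a rising #pkts decaps alongside #pkts encaps.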