GRE over IPSEC lab, crypto session down.

Hello everyone,

I can't seem to make two routers connected over IPsec communicate, and I don't understand why, since I followed a course step by step. I probably made a typo of some kind, but I don't really understand the problem. I'll put my lab here for those who want to download it and help. The routers involved are ROUTER 1 and ROUTER 2. Thank you for your help!

 

https://ufile.io/kn9my07r

 

 

4 Replies

@gianlucaplatania 

Please provide the running configuration on both routers, the output of "show crypto isakmp sa" and "show crypto ipsec sa", and any IKE/IPsec debugs.

 

 

Here it is. As you can see, nothing pops up with show crypto isakmp sa.

 

 

ROUTER 1

Current configuration : 3534 bytes
!
version 15.9
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key Giuky.1993 address 0.0.0.0
!
!
crypto ipsec transform-set GIANLU esp-aes esp-sha-hmac
mode transport
!
!
!
crypto map VPN 10 ipsec-isakmp
set peer 192.0.2.2
set transform-set GIANLU
match address GRE-IN-IPSEC
!
!
!
!
!
interface Loopback0
ip address 4.4.4.4 255.255.255.255
ip ospf 1 area 0
!
interface Tunnel1
ip address 192.168.0.2 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel destination 192.0.2.2
!
interface GigabitEthernet0/0
ip address 198.51.100.1 255.255.255.252
ip ospf 1 area 0
duplex auto
speed auto
media-type rj45
crypto map VPN
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
router ospf 1
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
ip access-list extended GRE-IN-IPSEC
permit gre any any
!
ipv6 ioam timestamp

 


Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status

IPv6 Crypto ISAKMP SA


Router#sh crypto ipsec sa

interface: GigabitEthernet0/0
Crypto map tag: VPN, local addr 198.51.100.1

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
current_peer 192.0.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 198.51.100.1, remote crypto endpt.: 192.0.2.2
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

 

 

ROUTER 2

Current configuration : 3537 bytes
!
version 15.9
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key Giuky.1993 address 0.0.0.0
!
!
crypto ipsec transform-set GIANLU esp-aes esp-sha-hmac
mode transport
!
!
!
crypto map VPN 10 ipsec-isakmp
set peer 198.51.100.1
set transform-set GIANLU
match address GRE-IN-IPSEC
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel1
ip address 192.168.0.1 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel destination 198.51.100.1
!
interface GigabitEthernet0/0
ip address 192.0.2.2 255.255.255.252
ip ospf 1 area 0
duplex auto
speed auto
media-type rj45
crypto map VPN
!
interface GigabitEthernet0/1
no ip address
ip ospf 1 area 0
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
router ospf 1
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
ip access-list extended GRE-IN-IPSEC
permit gre any any
!
ipv6 ioam timestamp


Router#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status

IPv6 Crypto ISAKMP SA

 

sh crypto ipsec sa
interface: GigabitEthernet0/0
Crypto map tag: VPN, local addr 192.0.2.2

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)
current_peer 198.51.100.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 192.0.2.2, remote crypto endpt.: 198.51.100.1
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

 

@gianlucaplatania 

You are using a GRE tunnel over a Crypto Map. The GRE tunnel doesn't by default communicate with the remote peer, so configure a keepalive on the tunnel interfaces. That way they will generate traffic, which in turn will match the crypto map interesting traffic ACL and trigger the establishment of the VPN tunnel.

 

interface tunnel 1
keepalive 10 3
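An added example (my own Python, not code from this thread or from Cisco) that turns the diagnosis above into an offline check. It parses a constructed running config modelled on the thread's ROUTER 1 and reports the missing keepalive, and it also checks the other crypto-map/tunnel mismatches that produce the same empty "show crypto isakmp sa" (peer address not matching the tunnel destination, no crypto map on the tunnel source interface, an interesting-traffic ACL that does not permit GRE). A second function recognises the "never negotiated" state in a "show crypto ipsec sa" excerpt: zero counters and an outbound SPI of 0x0. The config text, the show-output excerpt and the indentation are constructed assumptions, not the thread's exact output.

```python
"""Consistency check for a GRE-over-IPsec crypto-map setup (added example)."""
import re

# Constructed sample config, modelled on the thread's ROUTER 1 but trimmed to the
# relevant sections and indented the way IOS prints it. It deliberately lacks
# the tunnel keepalive, so the check reports the problem the thread diagnosed.
ROUTER1_CONFIG = """\
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set GIANLU
 match address GRE-IN-IPSEC
!
interface Tunnel1
 ip address 192.168.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.2
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.252
 crypto map VPN
!
ip access-list extended GRE-IN-IPSEC
 permit gre any any
"""

# Constructed excerpt of "show crypto ipsec sa" in the state the thread shows:
# the crypto map entry exists but nothing was ever negotiated.
SHOW_IPSEC_SA = """\
interface: GigabitEthernet0/0
    Crypto map tag: VPN, local addr 198.51.100.1
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0x0(0)
     inbound esp sas:
     outbound esp sas:
"""


def parse_blocks(config):
    """Split an IOS config into {section header: [child commands]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None          # '!' and blank lines end a section
        elif not line.startswith(" "):
            current = line.strip()  # a top-level command opens a section
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks


def _value(lines, prefix):
    """Return the argument of the first command starting with prefix, or None."""
    for line in lines:
        if line.startswith(prefix + " "):
            return line[len(prefix):].strip()
    return None


def check_gre_over_ipsec(config):
    """Return findings per tunnel; an empty list means the map should trigger."""
    blocks = parse_blocks(config)
    findings = []
    acls = {h.split()[-1]: b for h, b in blocks.items() if h.startswith("ip access-list ")}
    map_entries = {}
    for h, b in blocks.items():
        if h.startswith("crypto map ") and h.endswith("ipsec-isakmp"):
            map_entries.setdefault(h.split()[2], []).append(b)

    for tname, tlines in blocks.items():
        if not tname.startswith("interface Tunnel"):
            continue
        src = _value(tlines, "tunnel source")
        dst = _value(tlines, "tunnel destination")
        # Without a keepalive an idle GRE tunnel emits nothing, so the crypto
        # map's interesting-traffic ACL never matches and IKE is never started.
        if not any(cmd.startswith("keepalive") for cmd in tlines):
            findings.append(f"{tname}: no keepalive, so the tunnel sends no traffic to trigger the crypto map")
        applied = [cmd.split()[2] for cmd in blocks.get(f"interface {src}", [])
                   if cmd.startswith("crypto map ")]
        if not applied:
            findings.append(f"{tname}: no crypto map on tunnel source {src}")
            continue
        for mname in applied:
            entries = map_entries.get(mname, [])
            peers = {_value(entry, "set peer") for entry in entries}
            if dst not in peers:
                findings.append(f"{tname}: tunnel destination {dst} is not a peer in crypto map {mname}")
            for entry in entries:
                acl = _value(entry, "match address")
                rules = acls.get(acl)
                if rules is None:
                    findings.append(f"crypto map {mname}: ACL {acl} is not defined")
                elif not any(re.match(r"permit\s+gre\b", rule) for rule in rules):
                    findings.append(f"crypto map {mname}: ACL {acl} does not permit GRE")
    return findings


def ipsec_sa_never_negotiated(show_output):
    """True when all counters are zero and the outbound SPI is still 0x0, i.e.
    no interesting traffic has ever hit the map (as opposed to IKE failing)."""
    encaps = re.search(r"#pkts encaps:\s*(\d+)", show_output)
    decaps = re.search(r"#pkts decaps:\s*(\d+)", show_output)
    spi = re.search(r"current outbound spi:\s*(\S+)", show_output)
    return bool(encaps and decaps and spi
                and encaps.group(1) == decaps.group(1) == "0"
                and spi.group(1).startswith("0x0("))


if __name__ == "__main__":
    for finding in check_gre_over_ipsec(ROUTER1_CONFIG):
        print("FINDING:", finding)
    print("SA never negotiated:", ipsec_sa_never_negotiated(SHOW_IPSEC_SA))
```

Run it against the constructed config and the only finding is the missing keepalive; add "keepalive 10 3" under Tunnel1 and the list is empty. The SA check separates "nothing ever matched the map" from an IKE negotiation that is actually failing, which is the distinction to make before reaching for ISAKMP debugs.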

 

Thank you so much, that was the issue!