04-20-2008 12:51 PM - edited 02-21-2020 03:41 PM
Hi. I have such a configuration: R1 (GRE/IPsec) --> PIX (IPsec) - R2 (GRE).
On my side is only R1. I've attached the R1 configuration. IPsec is up but GRE is not. I cannot ping the loopback interfaces. Keepalive is fine and when I debug the tunnel, it sends keepalives. Can anyone help me?
04-22-2008 07:41 AM
When you enter the command "show crypto ipsec sa peer y.y.y.y" do you see any:-
#pkts encaps: ??, #pkts encrypt: ??
#pkts decaps: ??, #pkts decrypt: ??
????
04-22-2008 07:49 AM
sho cry ipse sa pee y.y.y.y
interface: FastEthernet0/0
Crypto map tag: credins, local addr z.z.z.z
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.5.23/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.5.22/255.255.255.255/0/0)
current_peer y.y.y.y port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 11009, #pkts encrypt: 11009, #pkts digest: 11009
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: z.z.z.z, remote crypto endpt.: y.y.y.y
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x33BC72B3(867988147)
inbound esp sas:
spi: 0xE53E1082(3846049922)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 93, flow_id: 93, crypto map: credins
sa timing: remaining key lifetime (k/sec): (4598391/1770)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x33BC72B3(867988147)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 94, flow_id: 94, crypto map: credins
sa timing: remaining key lifetime (k/sec): (4598369/1763)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
interface: Tunnel1
Crypto map tag: credins, local addr 192.168.5.23
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.5.23/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.5.22/255.255.255.255/0/0)
current_peer y.y.y.y port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.5.23, remote crypto endpt.: y.y.y.y
path mtu 1476, ip mtu 1476, ip mtu idb Tunnel1
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
04-22-2008 07:51 AM
OK - thanks, I see you are encapsulating and encrypting... But you are not getting anything back from the remote end.
Do you have the configuration of the remote end ASA & Router??
04-22-2008 07:55 AM
Unfortunately no. But they say that they have 35 clients and they've run the configurations properly. I've seen a lot of configurations with GRE/IPsec and all were like this one (I've configured). I don't know what else to do. Let's say that now I'm a little confused. In fact I suspect their configuration. Maybe they missed something.
04-22-2008 08:00 AM
In all honesty - without the other half, the problem will be difficult to solve. Here's the thing - the VPN is established... so 30% of the config is OK. The ACLs in the remote device ASA that indicate interesting traffic are needed, the crypto map/match list is required, and the no-nat ACL. And of course, the tunnel/loopback and static routes related to this are needed from their router.
I am sure if you asked for a "sanitised" config - i.e. only the config that relates to this VPN/GRE tunnel from the ASA & Router, they might have no objections??
04-22-2008 08:09 AM
Unfortunately they can't give me the schema of the connection between their router and PIX. I have only some data of their GRE and IPsec configuration. Here they are:
Router:
interface Loopback17
ip address 192.168.5.22 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
interface Tunnel17
ip unnumbered Loopback17
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
keepalive 10 3
tunnel source Loopback17
tunnel destination 192.168.5.23
I don't know anything about their internal routes.
Pix:
crypto ipsec transform-set zzzzzz esp-aes-256 esp-sha-hmac
crypto map transacty-map 46 ipsec-isakmp
crypto map transacty-map 46 match address zzzzz
crypto map transacty-map 46 set peer zzzzz
crypto map transacty-map 46 set transform-set zzzzzz
crypto map transacty-map 46 set security-association lifetime seconds 3600 kilobytes 4608000
access-list zzzzzz permit ip host 192.168.5.22 host 192.168.5.23
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
Something else. Did you see my router configuration attached? Did I miss something? I don't know if I must add any routing.
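As an added example (not part of the thread, and not vendor code), the following Python script applies the two checks the replies rely on to the text posted above: it parses the "show crypto ipsec sa" output into per-interface counters to flag the one-way pattern (packets encapsulated, none decapsulated) and the tunnel interface with no SA, and it checks that the PIX crypto ACL is the exact mirror of the router's local/remote identities. The sample input is a trimmed, constructed copy of the output and ACL line from this thread; the placeholders z.z.z.z and y.y.y.y are the thread's own.

```python
import re

# Constructed sample input: a trimmed copy of the "show crypto ipsec sa peer" output
# posted in the thread (z.z.z.z / y.y.y.y are the thread's own placeholders).
SAMPLE_SA_OUTPUT = """\
interface: FastEthernet0/0
    Crypto map tag: credins, local addr z.z.z.z
   local ident (addr/mask/prot/port): (192.168.5.23/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.5.22/255.255.255.255/0/0)
   current_peer y.y.y.y port 500
    #pkts encaps: 11009, #pkts encrypt: 11009, #pkts digest: 11009
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 1, #recv errors 0
     current outbound spi: 0x33BC72B3(867988147)
interface: Tunnel1
    Crypto map tag: credins, local addr 192.168.5.23
   local ident (addr/mask/prot/port): (192.168.5.23/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.5.22/255.255.255.255/0/0)
   current_peer y.y.y.y port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)
"""

# The crypto ACL the remote side posted for its PIX (copied from the thread).
REMOTE_PIX_ACL = "access-list zzzzzz permit ip host 192.168.5.22 host 192.168.5.23"


def parse_ipsec_sa(text):
    """Return one dict per 'interface:' block with the fields needed for diagnosis."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"interface:\s*(\S+)$", line)
        if m:
            cur = {"interface": m.group(1), "local": None, "remote": None,
                   "encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0,
                   "outbound_spi": 0}
            blocks.append(cur)
            continue
        if cur is None:
            continue  # header lines before the first interface block
        if m := re.match(r"(local|remote) ident .*?:\s*\((\d+\.\d+\.\d+\.\d+)/", line):
            cur[m.group(1)] = m.group(2)           # proxy identity (host address)
        elif m := re.match(r"#pkts encaps:\s*(\d+)", line):
            cur["encaps"] = int(m.group(1))        # packets we wrapped and sent
        elif m := re.match(r"#pkts decaps:\s*(\d+)", line):
            cur["decaps"] = int(m.group(1))        # packets received from the peer
        elif m := re.match(r"#send errors\s*(\d+),\s*#recv errors\s*(\d+)", line):
            cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"current outbound spi:\s*(0x[0-9A-Fa-f]+)", line):
            cur["outbound_spi"] = int(m.group(1), 16)
    return blocks


def diagnose(block):
    """Classify a block by its counters; 'one-way' is the symptom in this thread."""
    if block["outbound_spi"] == 0:
        return "no-sa"           # nothing negotiated on this interface
    if block["encaps"] > 0 and block["decaps"] == 0:
        return "one-way"         # we encrypt and send, the peer never answers
    if block["encaps"] == 0 and block["decaps"] == 0:
        return "idle"
    return "bidirectional"


def acl_mirrors_sa(block, acl_line):
    """True if the peer's host-to-host crypto ACL mirrors our local/remote identities."""
    m = re.match(r"access-list\s+\S+\s+permit\s+ip\s+host\s+(\S+)\s+host\s+(\S+)", acl_line)
    if not m:
        return False
    return m.group(1) == block["remote"] and m.group(2) == block["local"]


if __name__ == "__main__":
    for b in parse_ipsec_sa(SAMPLE_SA_OUTPUT):
        print(b["interface"], diagnose(b),
              "acl mirrored:", acl_mirrors_sa(b, REMOTE_PIX_ACL))
```

On the thread's output this reports FastEthernet0/0 as one-way and Tunnel1 as no-sa, with the PIX ACL correctly mirrored in both cases, which is why the replies above turn to the remote side's no-nat ACL and routing rather than to the crypto ACL.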
04-22-2008 08:13 AM
The config is missing key information:-
1) The no-nat ACL in the PIX
2) The static routes in the PIX - your tunnel IP should be pointing outside, so the PIX knows to encrypt it.
3) The static routes in the Router - your tunnel IP should be pointing to the PIX.
And of course - if they could provide a vital piece of information, the "show crypto ipsec sa peer x.x.x.x" from the PIX, this would reveal a great deal?
04-22-2008 08:25 AM
I have only the router on my side. The PIX and the other router for ending the GRE are on their property. At this moment they aren't available. At my router, should the IP address of their loopback for GRE be routed at my external gateway or at their external IP address, which is y.y.y.y???
04-23-2008 07:10 AM
To be honest, without the information from their side, it is extremely difficult to figure out the problem. This information is key.