GRE tunnel goes down whenever I add ipsec profile

dgawaya1
Level 1

Hi experts,
I'm trying to configure an IPsec/GRE tunnel, but it goes down when I enable the tunnel profile. I have used the above document as a step-by-step guide.

//// 
interface Tunnel10
description Vivienne Court GRE/IPsec tunnel
ip address 10.2.2.1 255.255.255.252
ip mtu 1336
ip tcp adjust-mss 1296
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination 10.75.1.1
tunnel protection ipsec profile ipsec_prof 

SYD1PAXVR002#sh int tunnel10
Tunnel10 is up, line protocol is down
Hardware is Tunnel
Description: Vivienne Court GRE/IPsec tunnel
Internet address is 10.2.2.1/30

//// 
interface Tunnel10
description Vivienne Court GRE/IPsec tunnel
ip address 10.2.2.2 255.255.255.252
ip mtu 1336
ip tcp adjust-mss 1296
tunnel source GigabitEthernet0/0/0
tunnel destination 10.75.1.2
tunnel protection ipsec profile ipsec_prof

Accepted Solution

esp-gcm 256 <<- one side uses esp-gcm 256 and the other uses esp-aes; this mismatch drops the tunnel.

MHM 

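The two mismatches this thread turned up (transform set and tunnel mode) are exactly the kind of thing worth checking mechanically before reaching for debugs. The script below is an added example, not code from the original post: it parses two constructed IOS-style config snippets (modelled on the thread, not the poster's real configuration) and reports where the ends disagree. It assumes the IOS default of GRE/IP when no `tunnel mode` line is present.

```python
import re

# Constructed configs modelled on the thread: side A negotiates esp-gcm 256 and
# sets tunnel mode ipsec ipv4; side B keeps an esp-aes transform set and the
# default GRE tunnel mode. These are not the poster's real configurations.
SIDE_A = """crypto ipsec transform-set ts_main esp-gcm 256
crypto ipsec profile ipsec_prof
 set transform-set ts_main
interface Tunnel10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec_prof"""
SIDE_B = """crypto ipsec transform-set ts_main esp-aes esp-sha-hmac
crypto ipsec profile ipsec_prof
 set transform-set ts_main
interface Tunnel10
 tunnel protection ipsec profile ipsec_prof"""

def parse(cfg):
    """Return the tunnel mode and the transform set behind the protected tunnel."""
    transforms, profiles, section = {}, {}, ""
    facts = {"mode": "gre ip"}  # assumed IOS default when no 'tunnel mode' line
    for line in cfg.splitlines():
        if not line.startswith(" "):  # unindented line opens a new section
            section = line.strip()
            m = re.match(r"crypto ipsec transform-set (\S+) (.+)", section)
            if m:
                transforms[m[1]] = m[2]
            continue
        cmd = line.strip()
        if section.startswith("crypto ipsec profile") and cmd.startswith("set transform-set "):
            profiles[section.split()[-1]] = cmd.split()[-1]
        elif section.startswith("interface Tunnel"):
            if cmd.startswith("tunnel mode "):
                facts["mode"] = cmd[len("tunnel mode "):]
            elif cmd.startswith("tunnel protection ipsec profile "):
                facts["profile"] = cmd.split()[-1]
    # Follow interface -> profile -> transform set to find what will be proposed.
    facts["transform"] = transforms.get(profiles.get(facts.get("profile")))
    return facts

def mismatches(a, b):
    """List the settings that differ between the two ends of the tunnel."""
    fa, fb = parse(a), parse(b)
    return [f"{k}: {fa[k]!r} vs {fb[k]!r}" for k in ("mode", "transform") if fa[k] != fb[k]]

if __name__ == "__main__":
    for problem in mismatches(SIDE_A, SIDE_B):
        print("MISMATCH", problem)
```

Either reported mismatch on its own is enough to leave the tunnel line protocol down, as the `show crypto session` output in this thread shows.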

23 Replies

@dgawaya1 please provide the relevant crypto configuration:

show crypto ikev2 policy
show crypto ikev2 proposal
show crypto ikev2 profile
show crypto ipsec transform-set
show crypto ipsec profile

I assume the IKEv2/IPsec SAs are not established; run show crypto ikev2 sa and show crypto ipsec sa and provide the output if they are established.

If they are not established, enable debug crypto ikev2 packet and debug crypto ikev2 internal and provide the output of the debug.


Please check 

@dgawaya1 Have you explicitly defined the pre-shared key under the IKEv2 profile itself? As you haven't referenced a KEYRING under the IKEv2 profile.

You also need to align the tunnel mode on the tunnel interface on both routers; use either "ipsec ipv4" or "gre ip".

If you still have issues, the debug commands previously provided would provide further information to assist troubleshooting.

I have run those two commands. Please see attached.



tunnel mode ipsec ipv4 <- you need this line in both tunnels.

Otherwise one side will use IPsec and the other will use GRE/IPsec.

MHM

I configured this but not much changed.

From the router, share:

show crypto session

MHM

SYD1PAXVR002#show crypto session
Crypto session current status

Interface: Tunnel10
Session status: DOWN
Peer: 10.75.1.1 port 500
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map


show crypto ikev2 stats

I think the limit is zero and it's a bug, but let's check it.

MHM

SYD1PAXVR002#show crypto ikev2 stats
--------------------------------------------------------------------------------
Crypto IKEv2 SA Statistics
--------------------------------------------------------------------------------
System Resource Limit: 0 Max IKEv2 SAs: 0 Max in nego(in/out): 40/400
Total incoming IKEv2 SA Count: 0 active: 0 negotiating: 0
Total outgoing IKEv2 SA Count: 0 active: 0 negotiating: 0
Incoming IKEv2 Requests: 65 accepted: 65 rejected: 0
Outgoing IKEv2 Requests: 61 accepted: 61 rejected: 0
Rejected IKEv2 Requests: 0 rsrc low: 0 SA limit: 0
IKEv2 packets dropped at dispatch: 0
Incoming Requests dropped as LOW Q limit reached : 0
Incoming IKEV2 Cookie Challenged Requests: 0
accepted: 0 rejected: 0 rejected no cookie: 0
Total Deleted sessions of Cert Revoked Peers: 0
Total init sa request rejected due to queue limit : 0
Sessions with Quantum Resistance: 0 Manual: 0 Dynamic: 0
PPK Identity Mismatch: 0
PPK Retrieve Failure - ALL: 0 With PPK Required: 0
PPK Authentication Failure - ALL: 0 With PPK Required: 0

SYD2PAXVR002#sh crypto ikev2 stats
--------------------------------------------------------------------------------
Crypto IKEv2 SA Statistics
--------------------------------------------------------------------------------
System Resource Limit: 0 Max IKEv2 SAs: 0 Max in nego(in/out): 40/400
Total incoming IKEv2 SA Count: 0 active: 0 negotiating: 0
Total outgoing IKEv2 SA Count: 0 active: 0 negotiating: 0
Incoming IKEv2 Requests: 65 accepted: 65 rejected: 0
Outgoing IKEv2 Requests: 63 accepted: 63 rejected: 0
Rejected IKEv2 Requests: 0 rsrc low: 0 SA limit: 0
IKEv2 packets dropped at dispatch: 0
Incoming Requests dropped as LOW Q limit reached : 0
Incoming IKEV2 Cookie Challenged Requests: 0
accepted: 0 rejected: 0 rejected no cookie: 0
Total Deleted sessions of Cert Revoked Peers: 0
Total init sa request rejected due to queue limit : 0
Sessions with Quantum Resistance: 0 Manual: 0 Dynamic: 0
PPK Identity Mismatch: 0
PPK Retrieve Failure - ALL: 0 With PPK Required: 0
PPK Authentication Failure - ALL: 0 With PPK Required: 0

crypto ikev2 limit max-sa limit 500

crypto ikev2 limit max-in-negotiation-sa 500

Do this and check tunnel again 

MHM

tunnel still down 

Also need this:

Call admin 1000

Share again after adding this command:

show crypto ikev2 stats

MHM

@MHM Cisco World I do not have that command 
