06-10-2024 11:50 PM
Hi experts,
I'm trying to configure an IPsec/GRE tunnel, but it goes down when I enable the tunnel profile. I have used the above document as a step-by-step guide.
////
interface Tunnel10
description Vivienne Court GRE/IPsec tunnel
ip address 10.2.2.1 255.255.255.252
ip mtu 1336
ip tcp adjust-mss 1296
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination 10.75.1.1
tunnel protection ipsec profile ipsec_prof
SYD1PAXVR002#sh int tunnel10
Tunnel10 is up, line protocol is down
Hardware is Tunnel
Description: Vivienne Court GRE/IPsec tunnel
Internet address is 10.2.2.1/30
////
interface Tunnel10
description Vivienne Court GRE/IPsec tunnel
ip address 10.2.2.2 255.255.255.252
ip mtu 1336
ip tcp adjust-mss 1296
tunnel source GigabitEthernet0/0/0
tunnel destination 10.75.1.2
tunnel protection ipsec profile ipsec_prof
06-11-2024 05:00 AM
call admin limit 1000
MHM
06-11-2024 05:15 AM - edited 06-11-2024 05:15 AM
I added the command "call admi limit 1000". It's still down. I also removed all IPsec-related configs, then added them afresh.
06-11-2024 05:19 AM
show crypto ikev2 stats <- share this
Also, what do you mean by this:
"I also removed all ipsec related configs"
MHM
06-11-2024 05:49 AM
OK, I get it.
Can I see the IKEv2 config?
MHM
06-11-2024 12:05 PM
Here is the whole config
///
crypto ikev2 keyring ikev2_key
peer mypeer
address 0.0.0.0 0.0.0.0
pre-shared-key cisco123
crypto ikev2 profile ikev2_prof
match identity remote address 10.75.1.1
authentication remote pre-share
authentication local pre-share
keyring local ikev2
crypto ipsec transform-set tfs esp-aes esp-sha-hmac
esn
mode tunnel
crypto ipsec profile ipsec_prof
set transform-set tfs
set ikev2-profile ikev2_prof
interface Tunnel10
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec_prof
///
06-14-2024 08:54 AM
Sorry for my late reply.
Can you share:
debug crypto ikev2 error <<- both sides if you can
Also, is the tunnel configured without tunnel source and tunnel destination, or is it a typo?
MHM
06-16-2024 03:46 PM
@MHM Cisco World it actually has the source and destination, on both sides. Here is one side of the config:
!
interface Tunnel10
description Vivienne Court GRE/IPsec tunnel
ip address 10.2.2.1 255.255.255.252
ip mtu 1336
ip tcp adjust-mss 1296
tunnel source GigabitEthernet0/0/0
tunnel destination 10.75.1.1
tunnel protection ipsec profile ipsec_prof
end
NB: The logs from both sides are attached here.
06-16-2024 03:57 PM
esp-gcm 256 <<- one side uses esp-gcm 256 and the other uses esp-aes; this mismatch drops the tunnel
MHM
06-16-2024 04:27 PM
@MHM Cisco World that is correct. Thanks for your help again
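
The mismatch found above can be caught before enabling the profile by comparing both peers' configs offline. The following is an added example, not code from anyone in the thread; it also checks tunnel mode, which goes beyond the case resolved here. The side B config is constructed (only "esp-gcm 256" comes from the thread), and it assumes the tunnel interface has the same name on both routers.

```python
import re

# Constructed samples: side A uses the transform-set posted in the thread;
# side B's layout is assumed, only "esp-gcm 256" is taken from the thread.
SIDE_A = """\
crypto ipsec transform-set tfs esp-aes esp-sha-hmac
interface Tunnel10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec_prof
"""
SIDE_B = """\
crypto ipsec transform-set tfs esp-gcm 256
interface Tunnel10
 tunnel protection ipsec profile ipsec_prof
"""

def ipsec_params(config):
    """Pull out the settings both peers must agree on from an IOS-style config."""
    params = {"transforms": {}, "tunnel_mode": {}}
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:  # set names are local; only the transform keywords must match
            params["transforms"][m.group(1)] = tuple(sorted(m.group(2).split()))
        elif line.startswith("interface "):
            name = line.split()[1]
            iface = name if name.startswith("Tunnel") else None
            if iface:  # IOS tunnel interfaces default to GRE over IP
                params["tunnel_mode"][iface] = "gre ip"
        elif iface and (m := re.match(r"tunnel mode (.+)", line)):
            params["tunnel_mode"][iface] = m.group(1)
    return params

def compare_peers(a, b):
    """Return a list of human-readable mismatches between two peer configs."""
    pa, pb = ipsec_params(a), ipsec_params(b)
    issues = []
    ta, tb = set(pa["transforms"].values()), set(pb["transforms"].values())
    if not ta & tb:
        issues.append(f"no common transform-set: {sorted(ta)} vs {sorted(tb)}")
    for iface in sorted(set(pa["tunnel_mode"]) & set(pb["tunnel_mode"])):
        ma, mb = pa["tunnel_mode"][iface], pb["tunnel_mode"][iface]
        if ma != mb:
            issues.append(f"{iface} tunnel mode: {ma} vs {mb}")
    return issues

if __name__ == "__main__":
    for issue in compare_peers(SIDE_A, SIDE_B):
        print(issue)
```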