
GRE Tunnel secure with IPSec not coming UP- Phase 2 VPN problem-no IPSEC cryptomap exists for local address A2.B2.C2.D2

Abhishek Nagar
Level 1

Dear Colleagues

 

I am trying to achieve GRE Tunnel over IPSec VPN on Cisco 1841 router.

A2.B2.C2.D2 = TUNNEL SOURCE

W1.X1.Y1.Z1= TUNNEL DESTINATION

A3.B3.C3.D3= LOOPBACK ADDRESS 

W2.X2.Y2.Z2= BGP PEER NEIGHBOUR

A1.B1.C1.D1= NETWORK published

 

I am running out of ideas as to why I am getting the error below:

"no IPSEC cryptomap exists for local address A2.B2.C2.D2"

Please share your experience or any troubleshooting steps.

Please note, there is already one GRE tunnel over IPSec working on the same router, following the same configuration.

 

Below is the configuration at my end.

Phase 1 is set up correctly.

 

 

Site 2 Configuration

crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2

crypto isakmp key SITE5KEY address W1.X1.Y1.Z1

crypto ipsec transform-set SITE5VPN esp-aes 256 esp-sha-hmac 

crypto map SITE5 20 ipsec-isakmp 
 description SITE5_IPSEC_GRX
 set peer W1.X1.Y1.Z1
 set transform-set SITE5VPN 
 match address 102
 
interface Tunnel20
 description GRE tunnel to SITE5 GRX
 ip unnumbered Loopback20
 ip mtu 1400
 keepalive 5 3
 tunnel source A2.B2.C2.D2
 tunnel destination W1.X1.Y1.Z1
 crypto map SITE5
 
interface Loopback20
 ip address A3.B3.C3.D3 255.255.255.255
 
interface FastEthernet0/1.3
 description GRX_SITE5_IPVPN_6509_1/39
 encapsulation dot1Q 556
 ip address A2.B2.C2.D2 255.255.255.248
 no snmp trap link-status
 crypto map SITE5
!

router bgp 64906
 bgp log-neighbor-changes
 neighbor W2.X2.Y2.Z2 remote-as 64905
 neighbor W2.X2.Y2.Z2 description To-SITE5-IPSEC
 neighbor W2.X2.Y2.Z2 ebgp-multihop 5
 neighbor W2.X2.Y2.Z2 update-source Loopback20
 neighbor W2.X2.Y2.Z2 version 4
 address-family ipv4
 no auto-summary
 synchronization
 network A1.B1.C1.D1 mask 255.255.255.0
 exit-address-family
!


ip access-list extended SITE5_IN
 permit ip host W1.X1.Y1.Z1 host A2.B2.C2.D2
 permit gre host W1.X1.Y1.Z1 host A2.B2.C2.D2
!

access-list 102 permit ip host A2.B2.C2.D2 host W1.X1.Y1.Z1
access-list 102 permit gre host A2.B2.C2.D2 host W1.X1.Y1.Z1

route-map localonly permit 20
 match as-path 20

 

 

Site2_GRX#show crypto isakmp sa
dst             src             state          conn-id slot status
A2.B2.C2.D2   W1.X1.Y1.Z1    QM_IDLE            451    0 ACTIVE

Site2_GRX#sh ip int brie
Tunnel20                   A3.B3.C3.D3     YES TFTP   up                    down 

 

 

Debug 


*Dec 15 14:35:32.273: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= A2.B2.C2.D2, remote= W1.X1.Y1.Z1, 
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), 
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel), 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x2
*Dec 15 14:35:32.277: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address A2.B2.C2.D2
*Dec 15 14:35:32.277: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at W1.X1.Y1.Z1 
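
One check worth running on output like the above is to put the proxy identities from the Quick Mode proposal next to the entries of the crypto ACL. The script below is an added example, not part of the original post: it parses the debug lines and ACL 102 as posted (timestamps dropped) and lists which ACL entries equal the proposed selectors. The function names are hypothetical, and the exact-match comparison is a simplifying assumption rather than the router's own matching logic.

```python
import re

# Taken from the post: the proposal in the debug output and ACL 102.
DEBUG = """\
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= A2.B2.C2.D2, remote= W1.X1.Y1.Z1,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
"""
ACL = """\
access-list 102 permit ip host A2.B2.C2.D2 host W1.X1.Y1.Z1
access-list 102 permit gre host A2.B2.C2.D2 host W1.X1.Y1.Z1
"""
PROTO = {"ip": 0, "gre": 47}  # only the two keywords this ACL uses

def proposal_selectors(debug):
    """Return (local_proxy, remote_proxy), each as (addr, mask, proto)."""
    out = []
    for side in ("local_proxy", "remote_proxy"):
        m = re.search(side + r"= (\S+?)/(\S+?)/(\d+)/\d+", debug)
        out.append((m.group(1), m.group(2), int(m.group(3))))
    return tuple(out)

def _endpoint(tokens):
    """Consume 'host X', 'any' or 'X wildcard'; return (addr, netmask)."""
    first = tokens.pop(0)
    if first == "host":
        return tokens.pop(0), "255.255.255.255"
    if first == "any":
        return "0.0.0.0", "0.0.0.0"
    wildcard = tokens.pop(0)  # the debug prints netmasks, so invert the wildcard
    return first, ".".join(str(255 - int(o)) for o in wildcard.split("."))

def acl_selectors(acl, number):
    """Return [(src, dst)] for the permit entries of a numbered ACL."""
    entries = []
    for line in acl.splitlines():
        t = line.split()
        if t[:3] != ["access-list", str(number), "permit"]:
            continue
        proto, rest = PROTO[t[3]], t[4:]
        entries.append((_endpoint(rest) + (proto,), _endpoint(rest) + (proto,)))
    return entries

def matching_entries(debug, acl, number):
    """ACL entries whose (src, dst) equal the proposed (local, remote) proxies."""
    proposed = proposal_selectors(debug)
    return [e for e in acl_selectors(acl, number) if e == proposed]
```

For the posted data, `matching_entries(DEBUG, ACL, 102)` returns an empty list: the proposal carries any-to-any selectors with protocol 0, while both entries of ACL 102 are host-to-host.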
