How to troubleshoot an IPSec over GRE tunnel ?

anthony_chedid1
Level 1

Hello, 

My topology consists of two firewalls connected through the "Internet" (router) and behind each firewall there is a Router.

On the routers I have configured a GRE tunnel which is successful, then I configured an IPsec tunnel on the Firewalls.

I didn't change the mode to transport mode in the transform-set configuration.

Everything works; if I connect a PC to the router it can ping another PC on the other router. However if I change the mode to transport mode they cannot.

I was wondering how I can make sure that the IPSec over GRE tunnel is really working. How can I troubleshoot it or trace the packets?

Thank you.

Accepted Solution

I was wondering how I can make sure that the IPSec over GRE tunnel is really working. How can I troubleshoot it or trace the packets?

To check the VPN tunnel is working fine, check the output of
show crypto isakmp sa
show crypto ipsec sa

Here are the debug commands
debug crypto condition peer x.x.x.x (where x.x.x.x is the peer IP)
debug crypto isakmp 200
debug crypto ipsec 200

You should see ACTIVE in the first output and non-zero encaps and decaps in the latter output.

For the GRE tunnel, check the tunnel status via "show ip int brief".

Additionally, you can configure keepalive via the command:

Router# configure terminal
Router(config)#interface tunnel0
Router(config-if)#keepalive 5 4

and then run "debug tunnel keepalive" to see tunnel hello packets going to and from the router.


Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

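As an added example that is not part of any reply in this thread: a small Python helper that applies Dinesh's checks to saved CLI output, reading the status column of "show crypto isakmp sa" and comparing the encaps/decaps counters between two snapshots of "show crypto ipsec sa", so that a counter which is non-zero but static, or growing on one side only, is flagged instead of being accepted as "working". The sample outputs are constructed and the function names are my own.

```python
import re

# Constructed sample of "show crypto isakmp sa" output (not captured from the thread).
ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.2     203.0.113.1     QM_IDLE           1001 ACTIVE
"""

# Two constructed snapshots of the counters from "show crypto ipsec sa",
# taken a few seconds apart while the PCs behind the routers were pinging.
IPSEC_SA_T0 = """\
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
"""
IPSEC_SA_T1 = """\
    #pkts encaps: 135, #pkts encrypt: 135, #pkts digest: 135
    #pkts decaps: 133, #pkts decrypt: 133, #pkts verify: 133
"""

def isakmp_active_peers(output):
    """Return the src addresses of phase-1 SAs whose status column is ACTIVE."""
    peers = []
    for line in output.splitlines():
        # dst, src, state, conn-id (numeric, so the header line never matches), status
        m = re.match(r"\s*(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)", line)
        if m and m.group(5) == "ACTIVE":
            peers.append(m.group(2))
    return peers

def sa_counters(output):
    """Extract (encaps, decaps) from show crypto ipsec sa; a missing counter reads as 0."""
    enc = re.search(r"#pkts encaps:\s*(\d+)", output)
    dec = re.search(r"#pkts decaps:\s*(\d+)", output)
    return (int(enc.group(1)) if enc else 0, int(dec.group(1)) if dec else 0)

def diagnose(isakmp, ipsec_before, ipsec_after):
    """Phase 1 must be ACTIVE, then both encaps and decaps must grow between snapshots.
    Non-zero but static counters mean the SA exists but nothing is flowing right now;
    encaps growing while decaps stays flat means traffic leaves encrypted but no
    encrypted traffic comes back (a mode or crypto-ACL mismatch, or a drop on the path)."""
    if not isakmp_active_peers(isakmp):
        return "phase1-down"
    e0, d0 = sa_counters(ipsec_before)
    e1, d1 = sa_counters(ipsec_after)
    if e1 == e0 and d1 == d0:
        return "no-traffic"
    if (e1 > e0) != (d1 > d0):
        return "one-way"
    return "ok"
```

Run the two show commands twice, a few seconds apart, and feed the saved output to diagnose(); "ok" is the only result that confirms encrypted traffic in both directions.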

6 Replies

Aditya Ganjoo
Cisco Employee

Hi Anthony,

You would need only tunnel mode to encapsulate the ESP as the IPSEC is over the internet and between two gateways.

Transport mode should not work.

Regards,

Aditya

Please rate helpful posts.

So what I did is right?

Are both the GRE and IPSec tunnels working together?

Hi Anthony,

That was fast. :)

Yes you did it the correct way.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Isn't there any troubleshooting command to make sure that IPSec over GRE is working as it should?

I'm sorry for asking these questions but I want to be 100% sure that the desired tunnel is working correctly.

Hi Anthony,

You can use the following commands on the router:

show ip int br | ex unas

show cry isa sa

sh cry ipsec sa peer <>

This would show you the tunnel interface status.

Also on the ASA check the status of tunnel using :

show cry ips sa

Regards,

Aditya

Please rate helpful posts.
