Solved: How to troubleshoot an IPSec over GRE tunnel ?

anthony_chedid1 · ‎03-18-2016

Hello,

My topology consists of two firewalls connected through the "Internet" (router) and behind each firewall there is a Router.

On the routers I have configured a GRE tunnel which is successful, then I configured an IPsec tunnel on the Firewalls.

I didn't change the mode to transport mode in the transform-set configuration.

Everything works; if I connect a PC to the router it can ping another PC on the other router. However if I change the mode to transport mode they cannot.

I was wondering how can I make sure that the IPSec over GRE tunnel is really working? How can I troubleshoot it or trace the packets?

Thank you.

Dinesh Moudgil · ‎03-18-2016

I was wondering how can I make sure that the IPSec over GRE tunnel is really working? How can I troubleshoot it or trace the packets?

To check the VPN tunnel is working fine, check the output of
show crypto isakmp sa
show crypto ipsec sa

Here are the debug commands
debug crypto condition peer x.x.x.x , x.x.x.x = peer IP
debug crypto isakmp 200
debug crypto ipsec 200

You shall see ACTIVE int the first output and non-zero encaps and decaps on the latter output.

For the GRE tunnel,
check the tunnel status via "show ip int brief"

Additionally, you can configure keepalive via the command:

Router# configure terminal
Router(config)#interface tunnel0
Router(config-if)#keepalive 5 4

and then run "debug tunnel keepalive" to see tunnel hello packets going to and from the router.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

View solution in original post

Aditya Ganjoo · ‎03-18-2016

Hi Anthony,

You would need only tunnel mode to encapsulate the ESP as the IPSEC is over the internet and between two gateways.

Transport mode should not work.

Regards,

Aditya

Please rate helpful posts.

anthony_chedid1 · ‎03-18-2016

So what I did is right ?

Are both the GRE and IPSec tunnels working together ?

Aditya Ganjoo · ‎03-18-2016

Hi Anthony,

That was fast. :)

Yes you did it the correct way.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

anthony_chedid1 · ‎03-18-2016

Isn't there any troubleshooting command to make sure that IPSec over GRE is working as it should?

I'm sorry for asking these questions but I want to be 100 % sure that the desired tunnel is working correctly.

Aditya Ganjoo · ‎03-18-2016

Hi Anthony,

You can use the following commands on the router:

show ip int br | ex unas

show cry isa sa

sh cry ipsec sa peer <>

This would show you the tunnel interface status.

Also on the ASA check the status of tunnel using :

show cry ips sa

Regards,

Aditya

Please rate helpful posts.

Dinesh Moudgil · ‎03-18-2016

I was wondering how can I make sure that the IPSec over GRE tunnel is really working? How can I troubleshoot it or trace the packets?

To check the VPN tunnel is working fine, check the output of
show crypto isakmp sa
show crypto ipsec sa

Here are the debug commands
debug crypto condition peer x.x.x.x , x.x.x.x = peer IP
debug crypto isakmp 200
debug crypto ipsec 200

You shall see ACTIVE int the first output and non-zero encaps and decaps on the latter output.

For the GRE tunnel,
check the tunnel status via "show ip int brief"

Additionally, you can configure keepalive via the command:

Router# configure terminal
Router(config)#interface tunnel0
Router(config-if)#keepalive 5 4

and then run "debug tunnel keepalive" to see tunnel hello packets going to and from the router.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/