11-08-2016 05:59 AM
Hi,
I am trying to set up a VPN tunnel between two Cisco routers using FlexVPN. The IKEv2 tunnel seems to be UP and same for the IPsec tunnels, however no traffic is able to pass over the tunnel.
Looking at the details of the VPN :
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: GigabitEthernet0/0.1
Uptime: 20:29:17
Session status: UP-ACTIVE
Peer: IP port 4500 fvrf: GRE ivrf: GRE
IKEv2 SA: local IP/4500 remote IP/4500 Active
Capabilities:(none) connid:2 lifetime:23:49:30
IPSEC FLOW: permit 47 host IP host IP
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 54735 drop 0 life (KB/Sec) 4330881/12642
Outbound: #pkts enc'ed 91411 drop 0 life (KB/Sec) 4325172/12642
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 0 drop 68 life (KB/Sec) 4335581/85769
Outbound: #pkts enc'ed 67 drop 0 life (KB/Sec) 4335576/85769
I am having everything dropped on one of the two peers. So then looking at the details of the IPsec SA, we can see :
##pkts replay failed (rcv): 68
Also, I have this log message :
Nov 8 14:36:57 MET: %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Replay Failure:srcadr=IP,dstadr=IP,size=144
So it looks like it is the anti-replay mechanism which is dropping the traffic in one direction. First, I do not understand why it is blocking all traffic, and also I did try to disable this mechanism or to increase the window, but that did not change anything. Also, the second peer is fine and does not drop anything.
Let me add I am using a VTI, and the same tunnel with GRE/IPsec with IKEv1 works fine.
If you have any idea or input, please go ahead :)
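The sliding-window check behind the "replay failed (rcv)" counter above, as an added Python model of RFC 4303 ESP anti-replay; this is not Cisco code and not from the thread, and the AntiReplayWindow/run_sequence names and the arrival orders are constructed for illustration.

```python
class AntiReplayWindow:
    """Receiver-side replay check for one inbound IPsec SA.
    `size` models `set security-association replay window-size N`."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.top = 0                 # highest sequence number accepted so far
        self.bitmap = 0              # bit i set => packet (top - i) already seen
        self.replay_failed = 0       # mirrors "#pkts replay failed (rcv)"

    def check(self, seq: int) -> bool:
        """True if `seq` is accepted; False if it is dropped as a replay."""
        if seq == 0:                 # 0 is never a valid ESP sequence number
            self.replay_failed += 1
            return False
        if seq > self.top:           # new right edge: slide the window forward
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1      # every older packet falls out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:        # older than the left edge: replay failure
            self.replay_failed += 1
            return False
        if self.bitmap & (1 << diff):  # already received: replay failure
            self.replay_failed += 1
            return False
        self.bitmap |= 1 << diff     # reordered but inside the window: accept
        return True


def run_sequence(seqs, size=64):
    """Feed an arrival order through one window; return (accepted, replay_failed)."""
    w = AntiReplayWindow(size)
    accepted = sum(1 for s in seqs if w.check(s))
    return accepted, w.replay_failed


if __name__ == "__main__":
    # Constructed arrival order: packet 200 arrives first, then 1..69.
    late = [200] + list(range(1, 70))
    print(run_sequence([1, 2, 3, 5, 4], 64))  # (5, 0): reordering inside the window is fine
    print(run_sequence(late, 64))             # (1, 69): everything behind the edge is dropped
    print(run_sequence(late, 1024))           # (70, 0): a wider window absorbs the burst
```

The third case is the one to keep in mind when reading the counters: once a single packet with a far-ahead sequence number moves the right edge, every later packet that lags behind the window is counted as a replay failure, whatever its content.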
11-08-2016 11:20 AM
Hi,
Can you share a sanitized config of the Flex VPN?
Hope this info helps!!
Rate if helps you!!
-JP-
11-09-2016 07:19 AM
Sure, have a look below:
Peer1
crypto ikev2 keyring peer2
peer IP
address IP
pre-shared-key local PSK
pre-shared-key remote PSK
!
crypto ikev2 profile IKEv2-profile
match fvrf VRF
match identity remote fqdn peer2
identity local fqdn peer1
authentication remote pre-share
authentication local pre-share
keyring local peer2
!
crypto ipsec profile ipsec-profile
set security-association replay window-size 1024
set transform-set trans-2
set ikev2-profile IKEv2-profile
!
interface Tunnel1184
vrf forwarding VRF
ip address IP
ip mtu 1220
ip tcp adjust-mss 1180
ip ospf mtu-ignore
ip ospf cost 1000
keepalive 10 3
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec-profile
tunnel source IP
tunnel destination IP
tunnel vrf VRF
=================================
Peer2
crypto ikev2 keyring peer1
peer IP
address IP
pre-shared-key local PSK
pre-shared-key remote PSK
!
crypto ikev2 profile IKEv2-profile
match identity remote fqdn peer1
identity local fqdn peer2
authentication local pre-share
authentication remote pre-share
keyring peer1
!
crypto ipsec profile ipsec-profile
set security-association replay window-size 1024
set transform-set trans-2
set ikev2-profile IKEv2-profile
!
interface Tunnel10
ip address IP
ip mtu 1220
ip tcp adjust-mss 1180
ip ospf cost 1000
ip ospf mtu-ignore
load-interval 30
keepalive 10 3
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec-profile
tunnel source IP
tunnel destination IP
Also, I did reproduce the configuration on GNS3, and it is working like a charm.
Thanks,
11-09-2016 03:11 PM
Hi
I noticed this;
IPSEC FLOW: permit 47 host IP host IP
which looks like it's using GRE.. do you have multiple tunnels configured?
cheers
11-10-2016 12:49 AM
It is a migration from an IKEv1 tunnel with GRE/IPsec to IKEv2 with VTI only. So this is probably coming from the old tunnel.
11-23-2016 09:32 PM
Hi, I think it is a bug ...
I would recommend you refer to the document.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCef47566/?referring_site=bugquickviewredir
Regards,
Mani