06-07-2019 09:24 PM - edited 02-21-2020 09:40 PM
Dear all,
I would like to request help for my GRE-over-IPsec problem.
I configured a GRE over IPsec tunnel from my DC to the branches.
I already created 3 links with certificate authentication. Now I get an error in two sites. My DC router is an HP 6600 and my branches use Cisco and HP routers. I get this issue in two sites: one site using HP routers and the other site using an HP MSR router. The log below is what I collected from the MSR branch router. Please see the config below from the HP 6600 DC router. When I remove ike-profile 1 from the ipsec policy, the tunnel is up; when I assign it again, the tunnel is down. How can I troubleshoot this? Is it a certificate error?
ipsec policy aksd 1 isakmp
 transform-set trans1
 security acl 3200
 remote-address 192.16.1.2
 ike-profile 1
#
ike profile 1
 certificate domain aksd
 local-identity address 192.16.1.2
 match remote identity address 192.16.1.1
 proposal 2
#
ike proposal 2
 authentication-method rsa-signature
 encryption-algorithm aes-cbc-256
 dh group14
*Jun 5 16:52:34:113 2019 R2 IKE/7/Event: IKE thread 366519743152 processes a job.
*Jun 5 16:52:34:113 2019 R2 IKE/7/Event: Set IPsec SA state to IKE_P2_STATE_INIT.
*Jun 5 16:52:34:113 2019 R2 IKE/7/Packet: Decrypt the packet.
*Jun 5 16:52:34:113 2019 R2 IKE/7/Packet: Received ISAKMP Hash Payload.
*Jun 5 16:52:34:113 2019 R2 IKE/7/Packet: Received ISAKMP Security Association Payload.
*Jun 5 16:52:34:113 2019 R2 IKE/7/Packet: Received ISAKMP Nonce Payload.
*Jun 5 16:52:34:113 2019 R2 IKE/7/Packet: Received ISAKMP Identification Payload (IPsec DOI).
*Jun 5 16:52:34:113 2019 R2 IKE/7/Packet: Received ISAKMP Identification Payload (IPsec DOI).
*Jun 5 16:52:34:113 2019 R2 IKE/7/Packet: Process HASH payload.
*Jun 5 16:52:34:113 2019 R2 IKE/7/Event: Validated HASH(1) successfully.
*Jun 5 16:52:34:113 2019 R2 IKE/7/Packet: Process IPsec ID payload.
*Jun 5 16:52:34:114 2019 R2 IKE/7/Packet: Process IPsec ID payload.
*Jun 5 16:52:34:114 2019 R2 IKE/7/Event: IPsec SA state changed from IKE_P2_STATE_INIT to IKE_P2_STATE_GETSP.
*Jun 5 16:52:34:114 2019 R2 IPSEC/7/Event:
The policy's acl or ike profile does not match the flow, Name = AKSD, Seqnum = 1
*Jun 5 16:52:34:114 2019 R2 IPSEC/7/Event:
The policy's acl or ike profile does not match the flow, Name = AKSD, Seqnum = 2
*Jun 5 16:52:34:114 2019 R2 IKE/7/Error: Failed to get IPsec policy for phase 2 responder. Delete IPsec SA.
*Jun 5 16:52:34:114 2019 R2 IKE/7/Error: Failed to negotiate IPsec SA.
*Jun 5 16:52:34:114 2019 R2 IKE/7/Event: Delete IPsec SA.
*Jun 5 16:52:34:114 2019 R2 IKE/7/Packet: Encrypt the packet.
*Jun 5 16:52:34:114 2019 R2 IKE/7/Packet: Construct notification packet: INVALID_ID_INFORMATION.
*Jun 5 16:52:34:114 2019 R2 IKE/7/Packet: Sending packet to 192.16.1.2 remote port 500, local port 500.
*Jun 5 16:52:34:114 2019 R2 IKE/7/Packet:
I-Cookie: 50d6f8f4b4273993
R-Cookie: 55ba871bd6e9c0de
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Info
flags: ENCRYPT
message ID: ead936d0
length: 68
*Jun 5 16:52:34:114 2019 R2 IKE/7/Packet: Sending an IPv4 packet.
*Jun 5 16:52:34:120 2019 R2 IPSEC/7/event:
Enter IPsec output process, Flag : 0x1000080, Data length : 48.
*Jun 5 16:52:34:120 2019 R2 IPSEC/7/event:
Can't find block-flow node.
*Jun 5 16:52:34:120 2019 R2 IPSEC/7/packet:
Failed to find SA by SP.
*Jun 5 16:52:34:120 2019 R2 IPSEC/7/packet:
The reason of dropping packet is no available IPsec tunnel.
*Jun 5 16:52:34:120 2019 R2 IPSEC/7/event:
Sent SA-Acquire message : SP ID = 1
*Jun 5 16:52:34:120 2019 R2 IPSEC/7/Event:
Received negotiatiate SA message from IPsec kernel.
*Jun 5 16:52:34:120 2019 R2 IKE/7/Event: Received SA acquire message from IPsec.
*Jun 5 16:52:34:121 2019 R2 IKE/7/Event: Set IPsec SA state to IKE_P2_STATE_INIT.
*Jun 5 16:52:34:121 2019 R2 IKE/7/Event: IKE thread 366519743152 processes a job.
*Jun 5 16:52:34:121 2019 R2 IKE/7/Event: Begin Quick mode exchange.
*Jun 5 16:52:34:121 2019 R2 IKE/7/Event: IPsec SA state changed from IKE_P2_STATE_INIT to IKE_P2_STATE_GETSPI.
*Jun 5 16:52:34:121 2019 R2 IKE/7/Event: IKE thread 366519743152 processes a job.
*Jun 5 16:52:34:121 2019 R2 IKE/7/Packet: Set attributes according to phase 2 transform.
*Jun 5 16:52:34:121 2019 R2 IKE/7/Packet: Encapsulation mode is Tunnel.
*Jun 5 16:52:34:121 2019 R2 IKE/7/Packet: in seconds 
*Jun 5 16:52:34:121 2019 R2 IKE/7/Packet: Life duration is 3600.
*Jun 5 16:52:34:121 2019 R2 IKE/7/Packet: in kilobytes 
*Jun 5 16:52:34:121 2019 R2 IKE/7/Packet: Life duration is 1843200.
*Jun 5 16:52:34:121 2019 R2 IKE/7/Packet: Authentication algorithm is HMAC-SHA1.
*Jun 5 16:52:34:121 2019 R2 IKE/7/Packet: Key length is 256 bytes.
*Jun 5 16:52:34:121 2019 R2 IKE/7/Packet: Transform ID is AES-CBC.
*Jun 5 16:52:34:121 2019 R2 IKE/7/Packet: Construct transform 1.
*Jun 5 16:52:34:121 2019 R2 IKE/7/Packet: Construct IPsec proposal 1.
*Jun 5 16:52:34:121 2019 R2 IKE/7/Packet: Construct IPsec SA payload.
*Jun 5 16:52:34:122 2019 R2 IKE/7/Packet: Construct NONCE payload.
*Jun 5 16:52:34:122 2019 R2 IKE/7/Packet: Construct IPsec ID payload.
*Jun 5 16:52:34:122 2019 R2 IKE/7/Packet: Construct IPsec ID payload.
*Jun 5 16:52:34:122 2019 R2 IKE/7/Packet: Construct HASH(1) payload.
*Jun 5 16:52:34:122 2019 R2 IKE/7/Packet: Encrypt the packet.
*Jun 5 16:52:34:122 2019 R2 IKE/7/Event: IPsec SA state changed from IKE_P2_STATE_GETSPI to IKE_P2_STATE_SEND1.
*Jun 5 16:52:34:122 2019 R2 IKE/7/Packet: Sending packet to 192.16.1.2 remote port 500, local port 500.
*Jun 5 16:52:34:122 2019 R2 IKE/7/Packet:
I-Cookie: 50d6f8f4b4273993
R-Cookie: 55ba871bd6e9c0de
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Quick
flags: ENCRYPT
message ID: 6fc97ac7
length: 164
*Jun 5 16:52:34:122 2019 R2 IKE/7/Packet: Sending an IPv4 packet.
*Jun 5 16:52:34:126 2019 R2 IKE/7/Packet: Received packet from 192.16.1.2 source port 500 destination port 500.
*Jun 5 16:52:34:127 2019 R2 IPSEC/7/error:
The SA doesn't exist in kernel.
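An added example, not the poster's configuration or HPE code: a small Python checker that cross-references the posted ipsec policy with the ike profile it calls, and classifies the quoted debug log by the IKE phase in which the first error appears. It assumes that a Comware responder selects the IKE profile by the peer's identity, so the policy's remote-address and the profile's match remote identity address are expected to agree and the local-identity is expected to differ from the peer address; the config and log excerpts are copied from the post above.

```python
# Added example, not from the thread; the config and log excerpts below are copied from the post.
CONFIG = """\
ipsec policy aksd 1 isakmp
 remote-address 192.16.1.2
 ike-profile 1
#
ike profile 1
 local-identity address 192.16.1.2
 match remote identity address 192.16.1.1
"""
LOG = """\
*Jun 5 16:52:34:113 2019 R2 IKE/7/Event: Validated HASH(1) successfully.
*Jun 5 16:52:34:114 2019 R2 IKE/7/Event: IPsec SA state changed from IKE_P2_STATE_INIT to IKE_P2_STATE_GETSP.
*Jun 5 16:52:34:114 2019 R2 IKE/7/Error: Failed to get IPsec policy for phase 2 responder. Delete IPsec SA.
"""
def parse_blocks(text):
    """Comware views: an unindented line opens a block, indented lines are 'keyword ... value', '#' closes it."""
    blocks, cur = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            cur = None
        elif not line.startswith(" "):
            cur = blocks[line.strip()] = {}
        else:
            key, _, val = line.strip().rpartition(" ")
            cur[key] = val
    return blocks
def check_peer_identity(blocks):
    """Assumption: the responder picks the IKE profile by the peer's identity, so the policy's
    remote-address should equal the profile's 'match remote identity address' and not its local-identity."""
    findings = []
    for name, body in blocks.items():
        if not name.startswith("ipsec policy") or "ike-profile" not in body:
            continue
        prof = blocks.get("ike profile " + body["ike-profile"], {})
        peer, want = body.get("remote-address"), prof.get("match remote identity address")
        if want and peer != want:
            findings.append(f"{name}: remote-address {peer} vs match remote identity {want}")
        if prof.get("local-identity address") == peer:
            findings.append(f"{name}: local-identity is the remote-address {peer}")
    return findings
def failing_phase(log):
    """'phase2' if HASH(1) validation or a P2 state precedes the first error (phase 1, including the
    certificate exchange, was accepted); 'phase1' if the error comes first; 'none' without an error."""
    seen_p2 = False
    for line in log.splitlines():
        if "IKE_P2_STATE" in line or "HASH(1) successfully" in line:
            seen_p2 = True
        elif "/Error:" in line or "Failed to" in line:
            return "phase2" if seen_p2 else "phase1"
    return "none"
```

Run against the posted excerpts, the log is classified as a phase 2 failure and the config check reports two identity inconsistencies, which is where a certificate-versus-policy question like the one in this thread is decided.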
06-08-2019 12:24 AM
06-08-2019 09:54 PM
Hi,
I already checked that the proposal is the same.
I worry that the proposal includes the certificate. Will it be a certificate error?
I only have the HP router configuration. Please help me.
06-09-2019 12:11 AM
06-09-2019 11:39 PM - edited 06-09-2019 11:49 PM
Hi,
I already changed it, but I still get the error. When I remove the ike profile, the IPsec SA is still active. Let me know whether I can ping from the interface that IPsec is applied to, to an interface without an IPsec policy applied.
06-19-2019 07:31 AM
06-19-2019 07:34 AM
Hi,
Let me know whether the "hash payload doesn't match" error also means IKE phase 1?