IPSEC L2L VPN Phase 2 Issue packets are not decaps both end

sanjay.khurana
Level 1

Hi,

We have a Cisco UC540 voice router which is capable of building L2L VPN tunnels. I have built a VPN tunnel between 2 sites.

This tunnel is basically GRE over IPsec. The IPsec tunnel phase 1 & 2 come up perfectly, but I am unable to send traffic between the two peers.

In phase 2 I can see that packets are encapsulated but not decapsulated on either side. I need help identifying this issue.

Here is the config:

Site A 


crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key SSn@!23 address 103.40.64.116
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac 
 mode transport
!
crypto ipsec profile protect-gre
 set security-association lifetime seconds 86400
 set transform-set TS 
!         


interface Tunnel14
 description *** IPSec Tunnel to MMMMSite ***
 ip address 172.35.1.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 113.193.8.146
 tunnel destination 103.40.64.116
 tunnel protection ipsec profile protect-gre

Site B

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key SSn@!23 address 113.193.8.146
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac 
 mode transport
!
crypto ipsec profile protect-gre
 set security-association lifetime seconds 86400
 set transform-set TS 
!         


interface Tunnel14
 description *** IPSec Tunnel to Vasai Site ***
 ip address 172.35.1.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 103.40.64.116
 tunnel destination 113.193.8.146
 tunnel protection ipsec profile protect-gre

 

Tunnels are up but I am getting the following errors:

Site A:


interface: Tunnel14
    Crypto map tag: Tunnel14-head-0, local addr 113.193.8.146

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (113.193.8.146/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (103.40.64.116/255.255.255.255/47/0)
   current_peer 103.40.64.116 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2874, #pkts encrypt: 2874, #pkts digest: 2874
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 26, #recv errors 0

     local crypto endpt.: 113.193.8.146, remote crypto endpt.: 103.40.64.116
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xBC5A7A3A(3160046138)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xDF8C5AE3(3750517475)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 45, flow_id: Onboard VPN:45, sibling_flags 80000006, crypto map: Tunnel14-head-0
        sa timing: remaining key lifetime (k/sec): (4410793/84178)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xBC5A7A3A(3160046138)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 46, flow_id: Onboard VPN:46, sibling_flags 80000006, crypto map: Tunnel14-head-0
        sa timing: remaining key lifetime (k/sec): (4408461/84178)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

 

 

Site B:

interface: Tunnel14
    Crypto map tag: Tunnel14-head-0, local addr 103.40.64.116

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (103.40.64.116/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (113.193.8.146/255.255.255.255/47/0)
   current_peer 113.193.8.146 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 79, #pkts encrypt: 79, #pkts digest: 79
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 103.40.64.116, remote crypto endpt.: 113.193.8.146
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xDF8C5AE3(3750517475)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xBC5A7A3A(3160046138)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 7, flow_id: Onboard VPN:7, sibling_flags 80000006, crypto map: Tunnel14-head-0
        sa timing: remaining key lifetime (k/sec): (4455851/86357)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xDF8C5AE3(3750517475)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 8, flow_id: Onboard VPN:8, sibling_flags 80000006, crypto map: Tunnel14-head-0
        sa timing: remaining key lifetime (k/sec): (4455841/86357)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
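As an added example (not from the thread, the poster, or Cisco), a small Python script that parses the counters and SPIs out of the two show crypto ipsec sa outputs above and flags exactly the symptom described: both sides encapsulate, neither decapsulates, while the inbound/outbound SPIs pair up across the peers, which means phase 2 negotiated consistently and the ESP packets are being lost in transit or rejected on the receive path. The excerpts are constructed from the posted output; the SPI values and counters are taken from it.

```python
import re

# Constructed excerpts (counters and SPIs copied from the two outputs in the post).
SITE_A = """\
    #pkts encaps: 2874, #pkts encrypt: 2874, #pkts digest: 2874
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     inbound esp sas:
      spi: 0xDF8C5AE3(3750517475)
        in use settings ={Transport, }
     outbound esp sas:
      spi: 0xBC5A7A3A(3160046138)
"""
SITE_B = """\
    #pkts encaps: 79, #pkts encrypt: 79, #pkts digest: 79
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     inbound esp sas:
      spi: 0xBC5A7A3A(3160046138)
        in use settings ={Transport, }
     outbound esp sas:
      spi: 0xDF8C5AE3(3750517475)
"""

def parse_sa(text):
    # Pull out the counters, SPIs and mode that get compared across the two peers.
    def count(label):
        m = re.search(re.escape(label) + r"[: ]+(\d+)", text)
        return int(m.group(1)) if m else 0
    def spi(direction):
        return re.search(direction + r" esp sas:\s*spi: (0x[0-9A-Fa-f]+)", text).group(1)
    return {"encaps": count("#pkts encaps"), "decaps": count("#pkts decaps"),
            "in_spi": spi("inbound"), "out_spi": spi("outbound"),
            "mode": re.search(r"in use settings =\{(\w+)", text).group(1)}

def diagnose(a, b):
    # Compare peer A against peer B and return human-readable findings.
    findings = []
    if a["out_spi"] == b["in_spi"] and b["out_spi"] == a["in_spi"]:
        findings.append("SPIs pair up: phase 2 negotiated consistently on both peers")
    else:
        findings.append("SPI mismatch: peers hold different phase 2 SAs")
    for src, dst, name in ((a, b, "A->B"), (b, a, "B->A")):
        if src["encaps"] > 0 and dst["decaps"] == 0:
            findings.append(f"{name}: {src['encaps']} ESP packets sent, 0 decapsulated "
                            "(lost in transit or rejected on the receive path)")
    if a["mode"] == b["mode"] == "Transport":
        findings.append("both ends use transport mode: GRE endpoints must match "
                        "tunnel source/destination exactly")
    return findings
```

Run diagnose(parse_sa(SITE_A), parse_sa(SITE_B)) to see the findings for the two outputs in the post; the same functions work on the full show crypto ipsec sa text pasted from either router.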

          

3 Replies

johnlloyd_13
Level 9

Hi,

I suspect there's a misconfigured crypto ACL.

Could you post the show access-list output from both VPN peers?

As I mentioned, this is a GRE tunnel with an IPsec protection profile, so there is no need to enable an ACL for no NAT.

Hello Sanjay,

Remove the "mode transport" from both sides, make sure there is a static route for the destination address on both sides, and last but not least make sure traffic is being initiated from both sides of the tunnel.

Thanks