cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
573
Views
0
Helpful
3
Replies
sanjay.khurana
Beginner

IPSEC L2L VPN Phase 2 Issue packets are not decaps both end

Hi,

We have cisco UC540 Voice router which is capable to perform L2L vpn tunnel , I have build vpn tunnel between 2 sites.

 

This tunnel is basically GRE over IPSec. However ipsec tunnel phase 1 & 2 comes up perfectly but I am unable to send traffic between both peers.

 

As per phase 2 I can see packets are encapsulated but not decapsulated at both side. I need help to identify this issue. 

 

here is config :

 

Site A 


crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key SSn@!23 address 103.40.64.116
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac 
 mode transport
!
crypto ipsec profile protect-gre
 set security-association lifetime seconds 86400
 set transform-set TS 
!         


interface Tunnel14
 description *** IPSec Tunnel to MMMMSite ***
 ip address 172.35.1.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 113.193.8.146
 tunnel destination 103.40.64.116
 tunnel protection ipsec profile protect-gre

Site 2 

 

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key SSn@!23 address 113.193.8.146
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac 
 mode transport
!
crypto ipsec profile protect-gre
 set security-association lifetime seconds 86400
 set transform-set TS 
!         


interface Tunnel14
 description *** IPSec Tunnel to Vasai Site ***
 ip address 172.35.1.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 103.40.64.116
 tunnel destination 113.193.8.146
 tunnel protection ipsec profile protect-gre

 

tunnel are up but getting following Errors :

 

Site A :

 


interface: Tunnel14
    Crypto map tag: Tunnel14-head-0, local addr 113.193.8.146

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (113.193.8.146/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (103.40.64.116/255.255.255.255/47/0)
   current_peer 103.40.64.116 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2874, #pkts encrypt: 2874, #pkts digest: 2874
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 26, #recv errors 0

     local crypto endpt.: 113.193.8.146, remote crypto endpt.: 103.40.64.116
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xBC5A7A3A(3160046138)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xDF8C5AE3(3750517475)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 45, flow_id: Onboard VPN:45, sibling_flags 80000006, crypto map: Tunnel14-head-0
        sa timing: remaining key lifetime (k/sec): (4410793/84178)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xBC5A7A3A(3160046138)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 46, flow_id: Onboard VPN:46, sibling_flags 80000006, crypto map: Tunnel14-head-0
        sa timing: remaining key lifetime (k/sec): (4408461/84178)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

 

 

Site B:

 

interface: Tunnel14
    Crypto map tag: Tunnel14-head-0, local addr 103.40.64.116

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (103.40.64.116/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (113.193.8.146/255.255.255.255/47/0)
   current_peer 113.193.8.146 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 79, #pkts encrypt: 79, #pkts digest: 79
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 103.40.64.116, remote crypto endpt.: 113.193.8.146
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xDF8C5AE3(3750517475)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xBC5A7A3A(3160046138)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 7, flow_id: Onboard VPN:7, sibling_flags 80000006, crypto map: Tunnel14-head-0
        sa timing: remaining key lifetime (k/sec): (4455851/86357)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xDF8C5AE3(3750517475)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 8, flow_id: Onboard VPN:8, sibling_flags 80000006, crypto map: Tunnel14-head-0
        sa timing: remaining key lifetime (k/sec): (4455841/86357)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

          

3 REPLIES 3
johnlloyd_13
Engager

hi,

i suspect there's a misconfigured crypto ACL.

could you post a show access-list output from both VPN peers?

AS I mentioned this GRE tunnel with IPsec protection profile..so there is no need to enable ACL for no nat..

Hello Sanjay,

 

Remove the "mode transport" from both sides, make sure there is static-route for destination address at both side, last but not least make sure there is traffic is being initiated from both sides of the tunnel.

 

Thanks

Content for Community-Ad