03-28-2019 04:00 AM - edited 02-21-2020 09:36 PM
Hi all,
I'd like some help with a scenario I've got. I have two ASR 1K routers which have a VRF on the LAN interface and another VRF on the WAN interface. By configuring route leaking I can ping from LAN to LAN and it works fine. The problem arises when I try to establish an IPsec session between them.
I create keyrings and profiles associated with the LAN interfaces, but I have to apply the crypto map to the WAN interfaces, and in doing so IKE phase 1 doesn't find the profile. If, on the other hand, I associate the keyrings and profiles with the WAN VRF, it negotiates IKE phase 1 fine but not phase 2.
Is it a software limitation, or might it be due to a bug? Any ideas on how to configure it?
Here are the error messages
ISAKMP-ERROR: (0):Preshared authentication offered but does not match policy!
ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
ISAKMP-ERROR: (0):no offers accepted!
ISAKMP-ERROR: (0):phase 1 SA policy not acceptable!
Thanks,
Best regards.
03-28-2019 09:29 AM
03-29-2019 01:57 AM
Sure, here is the configuration:
crypto keyring customer vrf vrf-LAN
 pre-shared-key address 0.0.0.0 0.0.0.0 key customer (here we also tested with the exact IP address)
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 lifetime 21600
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 60
crypto isakmp profile PROFILE1
 vrf vrf-LAN
 keyring customer
 match identity address <IP> <MASK> vrf-LAN
 keepalive 60 retry 2
crypto ipsec security-association lifetime seconds 18000
crypto ipsec security-association replay disable
crypto ipsec transform-set transform esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec df-bit clear
crypto map CRYPTOMAP local-address GigabitEthernet0/0/0
crypto map CRYPTOMAP 2001 ipsec-isakmp
 set peer <IP> <MASK>
 set security-association idle-time 200 default
 set transform-set transform
 set isakmp-profile PROFILE1
 match address 2001
interface GigabitEthernet0/0/2
 ip vrf forwarding VRF-WAN
 ip address <IP> <MASK>
 no ip redirects
 no ip proxy-arp
 crypto map CRYPTOMAP
end
interface GigabitEthernet0/0/0
 ip vrf forwarding vrf-LAN
 ip address <IP> <MASK>
 no ip redirects
 ip directed-broadcast
 no ip proxy-arp
As you can see, everything that has to do with IPsec (keyring, profile, etc.) is linked to the LAN VRF (vrf-LAN), but the crypto map is applied to the WAN interface, which is in a different VRF.
03-29-2019 02:14 AM
Hi, Try the modifications below in bold.
crypto keyring customer vrf VRF-WAN
 pre-shared-key address 0.0.0.0 0.0.0.0 key customer
crypto isakmp profile PROFILE1
 vrf vrf-LAN
 keyring customer
 match identity address <IP> <MASK> VRF-WAN
HTH
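The split the reply above relies on (keyring and match-identity VRF must be the front-door VRF of the interface carrying the crypto map, while the profile's own vrf is the inside VRF) can be checked mechanically. The following is an added Python example, not code from the thread or from Cisco; it walks a constructed configuration modelled on the posted one, with an RFC 5737 placeholder peer address, and flags every keyring or match-identity VRF that differs from the crypto map's FVRF.

```python
# Constructed sample shaped like the thread's posted config (not the poster's full
# configuration): keyring and match-identity name vrf-LAN, crypto map sits in VRF-WAN.
SAMPLE_CONFIG = """\
crypto keyring customer vrf vrf-LAN
crypto isakmp profile PROFILE1
 vrf vrf-LAN
 keyring customer
 match identity address 192.0.2.10 255.255.255.255 vrf-LAN
crypto map CRYPTOMAP 2001 ipsec-isakmp
 set isakmp-profile PROFILE1
interface GigabitEthernet0/0/2
 ip vrf forwarding VRF-WAN
 crypto map CRYPTOMAP
"""

def check_fvrf(config):
    """Yield findings where a keyring or match-identity VRF differs from the FVRF (the VRF
    of the interface carrying the crypto map); only 'vrf' inside the profile is the IVRF."""
    keyrings, profiles, maps, intfs, ctx = {}, {}, {}, {}, None
    for line in config.splitlines():
        tok = line.split()
        if not line.startswith(" "):  # top-level command (IOS indents sub-commands one space)
            ctx = None
            if tok[:2] == ["crypto", "keyring"] and "vrf" in tok:
                keyrings[tok[2]] = tok[tok.index("vrf") + 1]
            elif tok[:3] == ["crypto", "isakmp", "profile"]:
                ctx, profiles[tok[3]] = ("profile", tok[3]), {}
            elif tok[:2] == ["crypto", "map"] and "ipsec-isakmp" in tok:
                ctx = ("map", tok[2])
            elif tok[:1] == ["interface"]:
                ctx, intfs[tok[1]] = ("intf", tok[1]), {}
        elif ctx and ctx[0] == "profile" and tok[:1] == ["keyring"]:
            profiles[ctx[1]]["keyring"] = tok[1]
        elif ctx and ctx[0] == "profile" and tok[:3] == ["match", "identity", "address"] and len(tok) == 6:
            profiles[ctx[1]]["match_vrf"] = tok[5]  # trailing token is the FVRF the peer is seen in
        elif ctx and ctx[0] == "map" and tok[:2] == ["set", "isakmp-profile"]:
            maps[ctx[1]] = tok[2]
        elif ctx and ctx[0] == "intf" and tok[:3] == ["ip", "vrf", "forwarding"]:
            intfs[ctx[1]]["vrf"] = tok[3]
        elif ctx and ctx[0] == "intf" and tok[:2] == ["crypto", "map"]:
            intfs[ctx[1]]["map"] = tok[2]
    for i in intfs.values():  # the applying interface's VRF is the FVRF for that crypto map
        cmap, front = i.get("map"), i.get("vrf")
        prof = profiles.get(maps.get(cmap), {})
        kr, mv = prof.get("keyring"), prof.get("match_vrf")
        if kr and keyrings.get(kr) != front:
            yield f"keyring {kr} is scoped to {keyrings.get(kr)} but crypto map {cmap} sits in FVRF {front}"
        if mv and mv != front:
            yield f"profile {maps[cmap]} matches identity in {mv} but crypto map {cmap} sits in FVRF {front}"
```

Running `list(check_fvrf(SAMPLE_CONFIG))` reports both mismatches from the original post; after moving the keyring and match-identity VRF to VRF-WAN as the reply suggests, it reports nothing, which is consistent with phase 1 then succeeding.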
03-29-2019 05:20 AM
Hi,
Thanks for the reply.
By doing this it goes through phase 1 but fails phase 2, as happened to me on similar tests with "mixed" configurations referencing one VRF and the other. The error now is this:
ISAKMP-ERROR: (1006):IPSec policy invalidated proposal with error 8
ISAKMP-ERROR: (1006):phase 2 SA policy not acceptable!