09-10-2021 01:13 PM
I am using CML for learning purposes and have created an IPsec tunnel (see diagram). The ISAKMP SA is in the QM_IDLE state on CE1 and CE2:
CE-1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
1.1.1.1         2.1.1.1         QM_IDLE           1009 ACTIVE

The IPsec SA is established and active:
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 2.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 1.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 2.1.1.1, remote crypto endpt.: 1.1.1.1
     plaintext mtu 1406, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x9937D863(2570573923)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x9B6FA16F(2607784303)
        transform: esp-256-aes ,
        in use settings ={Tunnel, }
        conn id: 129, flow_id: SW:129, sibling_flags 80000070, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4336427/317)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:
      spi: 0xA392E117(2744312087)
        transform: ah-sha384-hmac ,
        in use settings ={Tunnel, }
        conn id: 129, flow_id: SW:129, sibling_flags 80000070, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4336427/317)
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound pcp sas:

     outbound esp sas:
      spi: 0x85C4AF47(2244259655)
        transform: esp-256-aes ,
        in use settings ={Tunnel, }
        conn id: 130, flow_id: SW:130, sibling_flags 80000070, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4336427/317)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:
      spi: 0x9937D863(2570573923)
        transform: ah-sha384-hmac ,
        in use settings ={Tunnel, }
        conn id: 130, flow_id: SW:130, sibling_flags 80000070, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4336427/317)
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound pcp sas:
I have a ping going from 10.10.100.10 to 10.1.1.2 and a similar one in the opposite direction.
A static route directs the traffic into the tunnel:
CE-1#sh ip route 10.1.1.2
Routing entry for 10.1.1.0/24
  Known via "static", distance 1, metric 0
  Redistributing via bgp 65002
  Advertised by bgp 65002
  Routing Descriptor Blocks:
  * 5.5.5.2
      Route metric is 0, traffic share count is 1

What am I doing wrong?
09-13-2021 04:50 AM
According to your config you use VTI, not classic IPsec,
and the config is OK, but make this change:
for the pre-shared key use address 0.0.0.0/0, and for the static route please change from next-hop to outlet interface "tunnel".
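The symptom in the original post, ESP and AH SAs that are ACTIVE while every encaps/decaps counter stays at zero, is what a VTI looks like when nothing is routed into the Tunnel interface. The script below is an added example, not code from the thread or from Cisco: it parses the two `show` outputs the OP pasted (embedded here as constructed sample text, abridged) and correlates them, flagging an idle-but-ACTIVE SA and a route for the remote LAN whose exit is a next-hop IP rather than the tunnel interface. The "corrected" route sample assumes the IOS output format for an interface-only static route (`directly connected, via Tunnel0`); the function and field names are my own.

```python
"""Added example: correlate 'show crypto ipsec sa' and 'show ip route <dst>'
output to explain an IPsec VTI that is ACTIVE but carries no traffic."""
import re

# Constructed sample (abridged from the OP's paste): both ESP SAs ACTIVE, counters 0.
SA_OUTPUT = """interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 2.1.1.1
   current_peer 1.1.1.1 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     inbound esp sas:
      spi: 0x9B6FA16F(2607784303)
        transform: esp-256-aes ,
        Status: ACTIVE(ACTIVE)
     outbound esp sas:
      spi: 0x85C4AF47(2244259655)
        transform: esp-256-aes ,
        Status: ACTIVE(ACTIVE)
"""

# Constructed sample: the OP's route, pointing at a next-hop IP (the physical path).
ROUTE_BAD = """Routing entry for 10.1.1.0/24
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 5.5.5.2
      Route metric is 0, traffic share count is 1
"""

# Constructed sample (assumed format): the same route after pointing it at Tunnel0.
ROUTE_GOOD = """Routing entry for 10.1.1.0/24
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * directly connected, via Tunnel0
      Route metric is 0, traffic share count is 1
"""


def parse_ipsec_sa(text):
    """Pull interface, peer, packet counters and ACTIVE-SA count from IOS
    'show crypto ipsec sa' output."""
    iface = re.search(r"^interface:\s*(\S+)", text, re.M)
    peer = re.search(r"current_peer\s+(\S+)", text)
    encaps = re.search(r"#pkts encaps:\s*(\d+)", text)
    decaps = re.search(r"#pkts decaps:\s*(\d+)", text)
    if not (iface and peer and encaps and decaps):
        raise ValueError("not a 'show crypto ipsec sa' block")
    return {
        "interface": iface.group(1),
        "peer": peer.group(1),
        "encaps": int(encaps.group(1)),
        "decaps": int(decaps.group(1)),
        "active_sas": len(re.findall(r"Status:\s*ACTIVE", text)),
    }


def parse_route(text):
    """Pull prefix and exit (next-hop IP or interface) from 'show ip route <dst>'."""
    prefix = re.search(r"Routing entry for\s+(\S+)", text)
    via_if = re.search(r"\*\s*directly connected, via\s+(\S+)", text)
    via_ip = re.search(r"\*\s*(\d+\.\d+\.\d+\.\d+)", text)
    if not prefix:
        raise ValueError("not a 'show ip route' block")
    return {
        "prefix": prefix.group(1),
        "interface": via_if.group(1) if via_if else None,
        "next_hop": via_ip.group(1) if via_ip else None,
    }


def diagnose(sa, route):
    """Return human-readable findings; empty list means the SA is carrying
    traffic and the route enters the tunnel."""
    findings = []
    if sa["active_sas"] and sa["encaps"] == 0 and sa["decaps"] == 0:
        findings.append(f"{sa['interface']}: SA to {sa['peer']} is ACTIVE but has "
                        f"carried no packets ({sa['encaps']} encaps / {sa['decaps']} decaps)")
    if route["interface"] != sa["interface"]:
        exit_ = route["interface"] or route["next_hop"]
        findings.append(f"{route['prefix']} exits via {exit_}, not {sa['interface']}: "
                        "traffic bypasses the VTI and leaves unencrypted if that path is reachable")
    return findings


if __name__ == "__main__":
    sa = parse_ipsec_sa(SA_OUTPUT)
    for label, route in (("as posted", ROUTE_BAD), ("route via Tunnel0", ROUTE_GOOD)):
        print(f"[{label}]")
        for f in diagnose(sa, parse_route(route)) or ["no findings"]:
            print("  -", f)
```

Run it and the "as posted" case reports both findings while the "route via Tunnel0" case keeps only the zero-counter note, which clears on its own once pings start flowing. The check says nothing about the pre-shared key part of the answer: a key bound to address 0.0.0.0 is accepted from any peer presenting it, so once routing is fixed the tighter setting is the specific peer address the OP already had.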
09-10-2021 08:00 PM
Can you share the config?
09-10-2021 11:04 PM
You've got an active AH SA (ah-sha384-hmac) for hashing, but an ESP SA (esp-256-aes) for encryption.
Change the IPSec transform set to use ESP for encryption and hashing.
E.g. "crypto ipsec transform-set TSET esp-aes 256 esp-sha256-hmac"
09-12-2021 11:53 PM
09-11-2021 12:55 PM
Would be helpful to see the configuration of both sides of the tunnel. By the looks of it CE-2 is advertising 10.1.1.2 over BGP and not via the tunnel interface.
09-13-2021 12:47 AM
09-13-2021 07:19 AM
Hi,
thanks, that worked. So is this just the vagaries of the CML lab or IOS config? What is the difference between stipulating the interface rather than the IP address of the interface?
Similarly the key peer address being 0.0.0.0/0 rather than the specific peer?
09-13-2021 07:21 AM
Interesting, I mentioned for you to check routing earlier, as it looked like BGP was advertising it out the physical interface. Didn't you check it then?
09-13-2021 07:34 AM