cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
759
Views
40
Helpful
20
Replies

Ipsec tunnel up no transmitted packets

Alekin
Beginner
Beginner

Hi Folks,

I need some help please, it seems I'm missing something but can't figure it out at the moment. I have identical sites using this setup and they are functioning fine.

My setup is a small branch with a cable modem, I have a Cisco 881 routers connected and have configured an ipsec vpn to my HQ. The tunnel is up both phase 1 and phase 2 but traffic is not going over the tunnel.

The access list for the crypto map is being hit as I turned on logging, if I do an extended ping or trace using the svi on the router I get nothing. I have added the router config below

!
crypto ikev2 proposal MyProposal
encryption aes-cbc-256
integrity sha256
group 19
!
crypto ikev2 policy My-policy
match fvrf any
proposal MyProposal
!
crypto ikev2 keyring My-keyring
peer peer1
address 37.32.117.31
pre-shared-key local XXXXXX
pre-shared-key remote XXXXXX
!
crypto ikev2 profile My-profile
match identity remote address 172.20.65.2 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local My-keyring
!
crypto ipsec transform-set aes128 esp-aes esp-sha-hmac
mode tunnel
crypto ipsec transform-set My-transform-set esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto map AllowToHOBranch 1 ipsec-isakmp
set peer 37.32.117.31
set security-association lifetime seconds 28800
set transform-set My-transform-set
set pfs group19
set ikev2-profile My-profile
match address 99
!
interface FastEthernet0
no ip address
!
interface FastEthernet4
ip address 58.44.101.117 255.255.255.240
ip tcp adjust-mss 1232
crypto map AllowToHOBranch
!
interface Vlan1
ip address 172.21.17.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 58.44.101.117
!
access-list 99 permit ip 172.21.17.0 0.0.0.255 any

 

Output pf show crypto
sh crypto ikev2 sa


IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 58.44.101.116/4500 37.32.117.31/4500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4187 sec

No packets seen on the sh crypto ipsec sa peer command

Any help will be greatly appreciated.

Thanks

20 Replies 20

I'm also checking and comparing versions with my other branch routers, some are same model ad definite have DH 19 configured.

One difference I noticed on 2 working ones was the Ikev2 sa had PRF:256 which is not in the non-working one. PRF is not in the running config though.

Working Branch

Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/14934 sec

Non Working Branch

Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4187 sec

you get it I think 

@Alekin what is the difference in hardware and software versions between the working and non-working site?

In IKEv2, PRF (pseudo-random function) would be set to the same as the defined hash algorithm if not explictly defined....however I'd expect it to be displayed in the output once the IKEv2 SA have been established.

 

No difference in hardware, only IOS image was different!!

And that was the issue as the upgrade resolved the connectivity.

 

Alekin
Beginner
Beginner

This issue is now resolved, I had to upgrade the image and this fixed the tunnels.

Lesson learnt, don't overlook IOS version, could've had this resolved much earlier.

Many thanks to @Rob Ingram @MHM Cisco World for contributions and sanity checks along the way, your help was greatly appreciated.

You are so so welcome friend. 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers