2641 Views, 0 Helpful, 2 Replies

IPsec virtual tunnel protocol down.

paul amaral
Level 4

Hi, I have a virtual IPsec tunnel set up to a SonicWall that appears to have a working, active phase 1/2, but the tunnel interface's line protocol is down and thus I can't route traffic. I know this virtual IPsec tunnel works 100% to another Cisco router, but it is not working to a SonicWall.

Thanks, Paul

crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key XXXX address 70.xx.xx.xx
!
crypto ipsec transform-set POSTRANS esp-3des esp-sha-hmac
!
crypto ipsec profile POS_ipsec_profile1
 description to Centrix POS VENDOR
 set security-association lifetime seconds 28800
 set transform-set POSTRANS
!
interface Tunnel1
 description to Main location
 ip unnumbered Serial0/0/0
 tunnel source Serial0/0/0
 tunnel destination 209.213.xx.xx
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec_profile1

Tunnel2 is up, line protocol is down
  Hardware is Tunnel
  Description: to POS KeyCentrix VPN
  Interface is unnumbered. Using address of Serial0/0/0 (209.xx.xx.xx)
  MTU 17940 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive set (30 sec), retries 3
  Tunnel source 209.213.91.42 (Serial0/0/0), destination 70.xx.xx.xx
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Path MTU Discovery, ager 10 mins, min MTU 92
  Tunnel transport MTU 1500 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "POS_ipsec_profile1")

Interface: Tunnel2
Session status: UP-ACTIVE
Peer: 70.168.141.54 port 500
  IKE SA: local 209.xx.xx.xx/500 remote 70.xx.xx.xx/500 Active
  IPSEC FLOW: permit ip 10.20.55.0/255.255.255.0 172.16.245.0/255.255.255.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map

2 Replies

paul amaral
Level 4

I finally got this to work. It turns out IPsec VTI only works with Cisco, as it expects another tunnel interface on the other end for the protocol, and the third-party VPN boxes don't have that. I ended up using a crypto map with no actual tunnel interface, and it's working.

Hello Paul,

Just to add:

DVTIs are standards based, so interoperability in a multiple-vendor environment is supported.

Regards,

Note: I have seen scenarios working for this.

As an example, this one between a Cisco router and a Netscreen router:

http://forums.juniper.net/t5/ScreenOS-Firewalls-NOT-SRX/Cisco-IOS-Virtual-Tunnel-Interface-VTI-Route-Based-VPN-to/td-p/35769

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
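The `show crypto session` output in the question already contains the answer. A static VTI (`tunnel mode ipsec ipv4`) negotiates the any/any traffic selector (`0.0.0.0/0.0.0.0` to `0.0.0.0/0.0.0.0`), and IOS only raises the tunnel's line protocol once an IPsec SA exists for that selector. Here the SonicWall proposed a narrow proxy ID (10.20.55.0/24 to 172.16.245.0/24), which IOS accepted and installed (2 active SAs), while the any/any flow the VTI is waiting on stayed at 0 SAs. So phase 1/2 is genuinely up, routing over the VTI is not. The two fixes are to configure the peer for route-based (any/any) selectors, which a Netscreen does by default and which is why Julio's example works, or, as Paul did, to fall back to a crypto map whose ACL matches the peer's selectors. The script below is an added example (not code from the thread or from Cisco) that applies that rule to `show crypto session` text; the two samples are constructed from the output above with placeholder addresses, and the healthy sample is an assumed Cisco-to-Cisco session.

```python
import re

# Constructed sample modelled on the broken SonicWall session in the post;
# addresses are documentation placeholders, not the real peers.
BROKEN_SESSION = """\
Interface: Tunnel2
Session status: UP-ACTIVE
Peer: 198.51.100.54 port 500
  IKE SA: local 192.0.2.42/500 remote 198.51.100.54/500 Active
  IPSEC FLOW: permit ip 10.20.55.0/255.255.255.0 172.16.245.0/255.255.255.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map
"""

# Constructed (assumed) sample of a healthy static VTI session: the peer
# agreed to the any/any selector, so that flow carries the SAs.
HEALTHY_SESSION = """\
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 203.0.113.9 port 500
  IKE SA: local 192.0.2.42/500 remote 203.0.113.9/500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
"""

FLOW_RE = re.compile(r"IPSEC FLOW: permit ip (\S+) (\S+)")
SAS_RE = re.compile(r"Active SAs: (\d+)")
ANY = "0.0.0.0/0.0.0.0"


def parse_sessions(text):
    """Map each 'Interface:' block to a list of (src, dst, active_sas) flows."""
    sessions = {}
    iface = None
    pending = None  # selector seen on the IPSEC FLOW line, SA count follows
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):
            iface = line.split(":", 1)[1].strip()
            sessions[iface] = []
            continue
        m = FLOW_RE.search(line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        m = SAS_RE.search(line)
        if m and pending and iface:
            sessions[iface].append((pending[0], pending[1], int(m.group(1))))
            pending = None
    return sessions


def diagnose_vti(flows):
    """Apply the static-VTI rule: line protocol needs SAs on the any/any selector."""
    any_sas = sum(n for s, d, n in flows if s == ANY and d == ANY)
    narrow = [(s, d, n) for s, d, n in flows if (s, d) != (ANY, ANY) and n > 0]
    if any_sas > 0:
        return "ok"
    if narrow:
        return "peer negotiated narrow proxy IDs; VTI line protocol will stay down"
    return "no active IPsec SAs"


def report(text):
    """Return {interface: diagnosis} for every session in the output."""
    return {iface: diagnose_vti(flows) for iface, flows in parse_sessions(text).items()}


if __name__ == "__main__":
    for sample in (BROKEN_SESSION, HEALTHY_SESSION):
        for iface, verdict in report(sample).items():
            print(f"{iface}: {verdict}")
```

Run it against a saved `show crypto session detail` and any VTI reported as "peer negotiated narrow proxy IDs" is the interop case in this thread: the remote side must be switched to a route-based policy with any/any selectors, or the Cisco side must use a crypto map whose ACL mirrors the peer's selectors.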