07-06-2018 03:49 AM - edited 03-12-2019 05:26 AM
Good afternoon,
I am asking for help in solving a problem:
GRE over IPsec sVTI between a Cisco router and a Huawei, IKEv2. With
crypto ipsec transform-set AES-256-SHA-256 esp-aes 256 esp-sha256-hmac
mode tunnel
the VPN is up but traffic does not pass; with
crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac
mode tunnel
traffic starts to pass. What could be the problem?
IOS version 15.6(3)M4; the version on the Huawei side I cannot find out at the moment, if it is necessary I will specify it.
Thank you
07-06-2018 06:45 AM
Are the phase 1 (IKEv2) SA and the IPsec SA established?
Do you see the encrypt and decrypt bytes on the IPsec SA increase when you generate interesting traffic?
07-08-2018 07:25 PM
1) Tunnel-id Local Remote fvrf/ivrf Status
1 X.X.X.X/500 X.X.X.X/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/17465 sec
2) sh crypto ipsec sa peer X.X.X.X
interface: Tunnel32
Crypto map tag: Tunnel32-head-0, local addr X.X.X.X
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer X.X.X.X port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 66774
local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/2
current outbound spi: 0x27158FEB(655724523)
PFS (Y/N): Y, DH group: group14
inbound esp sas:
spi: 0xC317A9ED(3273107949)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 261, flow_id: Onboard VPN:261, sibling_flags 80000040, crypto map: Tunnel32-head-0
sa timing: remaining key lifetime (k/sec): (4203393/1105)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x27158FEB(655724523)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 262, flow_id: Onboard VPN:262, sibling_flags 80000040, crypto map: Tunnel32-head-0
sa timing: remaining key lifetime (k/sec): (4203459/1105)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
07-08-2018 07:40 PM
Traffic seems to be one way:
interface: Tunnel32
Crypto map tag: Tunnel32-head-0, local addr X.X.X.X
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer X.X.X.X port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15 <----------egress
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 <----ingress
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 66774
Seems like a problem on the Huawei end. Seeing no traffic coming into the tunnel from Huawei (0 decapsulations).
07-08-2018 08:47 PM
07-09-2018 05:30 AM
MAC is message authentication code; you are using HMAC on the Cisco end. Get on the Huawei and confirm you are using the same parameters, otherwise you will never fix this issue.
07-09-2018 06:03 AM
07-09-2018 08:09 PM
07-10-2018 03:12 PM
02-26-2019 03:49 AM
If you want to use the SHA2 algorithm between Cisco and Huawei you must activate the compatible version of this algorithm (on the Huawei side). For example, on a Huawei AR 2240 in system view you need to enter this command: ip authentication sha2 compatible enable. I had a similar problem; this was the solution.
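What an ICV-length mismatch looks like on the wire, as an added illustration (not code from the thread or from either vendor). It assumes the Huawei "compatible" mode concerns HMAC-SHA-256 truncation in ESP (96-bit ICV from the early IETF draft versus 128-bit in RFC 4868): a receiver expecting one length rejects every packet built with the other, which matches the symptom above of an ACTIVE SA with "#pkts verify: 0" and a growing "#recv errors" count.

```python
import hashlib
import hmac
import os

# Both truncation lengths of HMAC-SHA-256 exist in deployed ESP stacks:
# the early draft truncated the MAC to 96 bits, RFC 4868 to 128 bits.
ICV_LEN_DRAFT = 12     # 96-bit ICV
ICV_LEN_RFC4868 = 16   # 128-bit ICV


def esp_icv(auth_key: bytes, esp_body: bytes, icv_len: int) -> bytes:
    """Integrity Check Value: HMAC-SHA-256 over SPI+seq+payload, truncated."""
    return hmac.new(auth_key, esp_body, hashlib.sha256).digest()[:icv_len]


def build_esp(auth_key: bytes, esp_body: bytes, icv_len: int) -> bytes:
    """Sender appends an ICV of the length *it* believes is correct."""
    return esp_body + esp_icv(auth_key, esp_body, icv_len)


def verify_esp(auth_key: bytes, packet: bytes, icv_len: int) -> bool:
    """Receiver strips the ICV length *it* expects and compares in constant time.

    With a length mismatch the body/ICV split is wrong, so the recomputed
    MAC never matches and the packet is dropped before decryption.
    """
    if len(packet) <= icv_len:
        return False
    body, icv = packet[:-icv_len], packet[-icv_len:]
    return hmac.compare_digest(icv, esp_icv(auth_key, body, icv_len))


def simulate_tunnel(sender_icv_len: int, receiver_icv_len: int, n_packets: int = 15):
    """Return (pkts_verify, recv_errors) as 'show crypto ipsec sa' would count them."""
    key = bytes(range(32))          # constructed shared ESP auth key, not a real key
    spi = bytes.fromhex("27158FEB")  # SPI taken from the thread's 'show' output
    verified = errors = 0
    for seq in range(1, n_packets + 1):
        # constructed ESP body: SPI, sequence number, opaque encrypted payload
        body = spi + seq.to_bytes(4, "big") + os.urandom(48)
        pkt = build_esp(key, body, sender_icv_len)
        if verify_esp(key, pkt, receiver_icv_len):
            verified += 1
        else:
            errors += 1
    return verified, errors


if __name__ == "__main__":
    print("matched lengths :", simulate_tunnel(ICV_LEN_RFC4868, ICV_LEN_RFC4868))
    print("mismatched      :", simulate_tunnel(ICV_LEN_RFC4868, ICV_LEN_DRAFT))
```

Note that IKEv2 negotiates only the algorithm name, not the truncation length, so both peers report the SA as up even though every ESP packet fails the integrity check.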
02-26-2019 04:33 AM
Also, if you want to use the Huawei DPD mechanism (the alternative to Cisco keepalive) between Cisco and Huawei, you should change the sequence of the DPD message on the Huawei side in the ike peer configuration with this command: dpd msg seq-hash-notify.