10-06-2020 12:52 AM - edited 10-30-2020 06:03 AM
gate01 = Router(C931-4p)
gate02 = Router 2 (C931-4p)
Mark01 = Remote Router (1841)
Problem: IPsec VPN + HSRP: encryption won't work between the virtual IP and the physical IP (remote side)
Details:
The encryption and decryption in the tunnel between the remote router (Mark01: IP XX.XX.XX.8)
and router 1 (gate01/02: VIP XX.XX.XX.70) won't work.
It only works when I set the peer between two physical IP addresses; whenever I set the peer between a physical and a virtual IP, it won't encrypt. The tunnel is up and idle in any case, and it is site-to-site IPsec with HSRP.
I would really appreciate it if anyone knows the issue; any suggestion would be helpful. Many thanks in advance.
10-06-2020 01:14 AM
Hi @Safirius
You can utilise HSRP with IOS IPsec VPN; see this reference for further information.
However, generally it would be recommended either to define multiple peers in the crypto map on the Mark01 router and configure DPD (Dead Peer Detection), or to utilise a VTI (Virtual Tunnel Interface) with a dynamic routing protocol. Cisco considers crypto maps legacy, so a VTI would be preferred.
HTH
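As an added illustration of the first option described above (multiple peers plus DPD on Mark01), this is example configuration written for this thread, not configuration posted by the author or taken from Cisco documentation. It reuses the names from the posted config; gate02's WAN address is not given in the thread, so XX.XX.XX.72 is an assumed placeholder.

```cisco
! Added example, not from the thread. XX.XX.XX.71 is gate01's Gi5 address from the
! posted config; XX.XX.XX.72 is an ASSUMED placeholder for gate02's WAN address.
!
! One pre-shared key entry per physical peer address (no HSRP VIP involved).
crypto isakmp key 1vpn2mark3 address XX.XX.XX.71 no-xauth
crypto isakmp key 1vpn2mark3 address XX.XX.XX.72 no-xauth
!
! Periodic DPD: probe every 10 s; after 3 s without a reply the probe is retried,
! and once the peer is declared dead the crypto map fails over to the next peer.
crypto isakmp keepalive 10 3 periodic
!
! Both physical WAN addresses listed as peers; the first reachable one is used.
crypto map TUNNEL 1 ipsec-isakmp
 set peer XX.XX.XX.71
 set peer XX.XX.XX.72
 set transform-set ESP_AES_256 ESP_AES_192 ESP_AES_128 ESP_3DES
 set pfs group2
 match address 102
!
! The inbound WAN ACL has to admit IKE and ESP from both physical peers,
! since neither router will ever source IKE from the virtual IP.
access-list 101 permit udp host XX.XX.XX.71 host xx.xx.xx.8 eq isakmp
access-list 101 permit udp host XX.XX.XX.72 host xx.xx.xx.8 eq isakmp
access-list 101 permit udp host XX.XX.XX.71 host xx.xx.xx.8 eq non500-isakmp
access-list 101 permit udp host XX.XX.XX.72 host xx.xx.xx.8 eq non500-isakmp
access-list 101 permit esp host XX.XX.XX.71 host xx.xx.xx.8
access-list 101 permit esp host XX.XX.XX.72 host xx.xx.xx.8
```

With this approach each of gate01 and gate02 negotiates from its own Gi5 address, so the crypto map on those routers would be applied without the `redundancy` keyword and the pre-shared key on each of them would still point at XX.XX.XX.8.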
10-29-2020 06:03 AM - edited 10-30-2020 01:30 AM
Dear Rob Ingram, thanks for your reply.
Unfortunately I cannot use multiple peers & DPD or a VTI with a DRP, because it is a production system and the task is to submit the current configuration to a new-model Cisco router. I have posted my config (example) and debugs. I hope this lets you find the errors and mistakes.
I will be glad for any suggestions and solutions. Thanks a world.
10-07-2020 02:10 AM
10-29-2020 04:12 AM - edited 10-30-2020 06:07 AM
Hi,
Thanks for your reply. Unfortunately I still haven't found any solution. I think maybe Cisco doesn't support this, or I have an HP switch between the routers, or maybe there is some other problem. I used your suggestion and added stateful (crypto map MAP_NAME redundancy NAME stateful), but unfortunately I still could not succeed. And I read somewhere that Cisco doesn't support stateful with LAN-to-LAN or site-to-site IPsec, but I am not sure.
So I thought I would post some debugs and hope they help you find out the reason why it doesn't work. I searched a lot and haven't found any solution.
debug crypto ipsec error
debug crypto isakmp error
debug crypto engine error
--------
157208: *Aug 5 05:31:39.982 UTC: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at xx.xx.xx.8 (Remote Interface)
157211: *Aug 5 05:32:29.964 UTC: IPSEC:(SESSION ID = 4) (ERROR) crypto_notify_rp Rejected notify RP, elapse time 998 < 1000
157213: *Aug 5 05:32:39.978 UTC: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer xx.xx.xx.8 (Remote Interface))
157214: *Aug 5 05:32:39.978 UTC: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer xx.xx.xx.8 (Remote Interface))
157215: *Aug 5 05:32:40.966 UTC: ISAKMP-ERROR: (0):Notify has no hash. Rejected.
157216: *Aug 5 05:32:40.966 UTC: ISAKMP-ERROR: (0):(0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
157217: *Aug 5 05:32:40.966 UTC: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at xx.xx.xx.8 (Remote Interface)
157218: *Aug 5 05:32:48.960 UTC: IPSEC:(SESSION ID = 4) (ERROR) crypto_notify_rp Rejected notify RP, elapse time 998 < 1000
157223: *Aug 5 05:33:10.962 UTC: ISAKMP-ERROR: (0):SA is still budding. Attached new ipsec request to it. (local XX.XX.XX.71, remote xx.xx.xx.8 (Remote Interface))
157224: *Aug 5 05:33:10.962 UTC: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
157225: *Aug 5 05:33:10.962 UTC: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
157231: *Aug 5 05:33:40.962 UTC: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer xx.xx.xx.8 (Remote Interface))
157232: *Aug 5 05:33:40.962 UTC: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer xx.xx.xx.8 (Remote Interface))
157233: *Aug 5 05:33:41.950 UTC: ISAKMP-ERROR: (0):Notify has no hash. Rejected.
157234: *Aug 5 05:33:41.950 UTC: ISAKMP-ERROR: (0):(0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
157235: *Aug 5 05:33:41.950 UTC: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at xx.xx.xx.8 (Remote Interface)
157241: *Aug 5 05:34:11.946 UTC: ISAKMP-ERROR: (0):SA is still budding. Attached new ipsec request to it. (local XX.XX.XX.71, remote xx.xx.xx.8 (Remote Interface))
157242: *Aug 5 05:34:11.946 UTC: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
157243: *Aug 5 05:34:11.946 UTC: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
157247: *Aug 5 05:34:27.380 UTC: %CRYPTO-4-IKMP_NO_SA: IKE message from xx.xx.xx.8 has no SA and is not an initialization offer
157258: *Aug 5 05:34:57.798 UTC: ISAKMP: (1278):No NAT Found for self or peer
157259: *Aug 5 05:34:57.870 UTC: ISAKMP-ERROR: (1277):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer xx.xx.xx.8 (Remote Interface))
157260: *Aug 5 05:34:57.870 UTC: IPSEC(ipsec_get_crypto_session_id): Invalid Payload Id
157261: *Aug 5 05:34:57.870 UTC: ISAKMP-ERROR: (1277):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer xx.xx.xx.8 (Remote Interface))
157262: *Aug 5 05:34:57.930 UTC: IPSEC(ipsec_process_proposal): invalid local address xx.xx.xx.170 (Virtual IP)
157263: *Aug 5 05:34:57.930 UTC: ISAKMP-ERROR: (1278):IPSec policy invalidated proposal with error 8
157272: *Aug 5 05:34:57.930 UTC: ISAKMP-ERROR: (1278):phase 2 SA policy not acceptable! (local xx.xx.xx.70(Virtual IP) remote xx.xx.xx.8)
157273: *Aug 5 05:34:57.930 UTC: ISAKMP-ERROR: (1278):deleting node -1254616584 error TRUE reason "QM rejected"
157276: *Aug 5 05:35:12.930 UTC: ISAKMP-ERROR: (0):SA is still budding. Attached new ipsec request to it. (local xx.xx.xx.171(Physical IP), remote xx.xx.xx.8(Remote Interface))
157277: *Aug 5 05:35:12.930 UTC: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
157278: *Aug 5 05:35:12.930 UTC: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
157296: *Aug 5 05:35:42.930 UTC: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer xx.xx.xx.8)
157297: *Aug 5 05:35:42.930 UTC: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer xx.xx.xx.8)
157298: *Aug 5 05:35:43.916 UTC: ISAKMP-ERROR: (0):Notify has no hash. Rejected.
157299: *Aug 5 05:35:43.918 UTC: ISAKMP-ERROR: (0):(0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
157300: *Aug 5 05:35:43.918 UTC: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at xx.xx.xx.8
Here is a compact configuration of my server-side router and the remote side; I hope this helps.
---------------------------------------Server Side------------------------------------
gate01#show run
version 15.8
no ip source-route
no cdp run
track 10 interface GigabitEthernet4 line-protocol
track 30 interface GigabitEthernet5 line-protocol
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2
crypto isakmp policy 3
encr aes 192
authentication pre-share
group 2
crypto isakmp policy 4
encr aes
authentication pre-share
group 2
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800 -----------> (the lifetime of isakmp policy should be greater than the lifetime of crypto map. Or equal)
crypto isakmp key My_Way2_remote address XX.XX.XX.8 no-xauth
crypto isakmp keepalive 30
!
crypto ipsec transform-set ESP_AES_256 esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP_AES_192 esp-aes 192 esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP_AES_128 esp-aes esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP_3DES esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile high
set security-association lifetime kilobytes 4000000
set security-association lifetime seconds 14400
set security-association idle-time 14400
set transform-set ESP_AES_256 ESP_AES_192 ESP_AES_128 ESP_3DES
set pfs group2
!
crypto map TUNNEL 1 ipsec-isakmp
set peer XX.XX.XX.8
set security-association lifetime kilobytes 4000000
set security-association lifetime seconds 28800
set security-association idle-time 14400
set transform-set ESP_AES_256 ESP_AES_192 ESP_AES_128 ESP_3DES ESP-3DES-MD5
set pfs group2
match address 102
reverse-route
!
interface Null0
no ip unreachables
!
interface GigabitEthernet4
ip address XX.XX.XX.XX XX.XX.XX.0 secondary
ip address XX.XX.XX.53 XX.XX.XX.XX
ip access-group 100 in
no ip redirects
no ip proxy-arp
ip flow ingress
ip virtual-reassembly in
standby version 2
standby 2 ip XX.XX.XX.52
standby 2 ip XX.XX.XX.XX secondary
standby 2 priority 200
standby 2 preempt
standby 2 track 10 decrement 100
duplex auto
speed auto
no mop enabled
interface GigabitEthernet5
description INTERNET
ip address XX.XX.XX.71 XX.XX.XX.24
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip inspect DEFAULT100 out
ip virtual-reassembly in max-reassemblies 64
ip verify unicast reverse-path
standby version 2
standby 3 ip XX.XX.XX.70
standby 3 priority 200
standby 3 preempt
standby 3 name NAME_
standby 3 track 30 decrement 100
duplex auto
speed auto
no mop enabled
crypto map TUNNEL redundancy NAME_
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 XX.XX.XX.XX ( IP of next HOP )
ACL100 is on LAN1 Interface GigabitEthernet4 (Inside)
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
ACL101 is on WAN Side Interface =GigabitEthernet5
access-list 101 permit udp host XX.XX.XX.8 host XX.XX.XX.70 eq non500-isakmp
access-list 101 permit udp host XX.XX.XX.8 host XX.XX.XX.70 eq isakmp --> I get here Matches
access-list 101 permit icmp any host XX.XX.XX.170 echo
access-list 101 permit icmp any host XX.XX.XX.170 echo-reply
access-list 101 permit icmp any any time-exceeded --> I get here Matches
access-list 101 permit icmp any any unreachable
access-list 101 permit ip 10.XX.XX.0 0.0.0.255 20.XX.XX.0 0.0.0.255 --> I get here Matches LAN1 (10.xx.xx.xx) LAN2 (20.xx.xx.xx)
access-list 101 permit ip any any --> I get here Matches
ACL102 should be encrypted and used in Crypto map
access-list 102 (Interesting Traffic)
access-list 102 permit ip LAN2 20.XX.XX.XX LAN1 10.XX.XX.XX --> I get here Matches
-----------------------------------------------Remote Side-----------------------------------------------------
Mark01# show run
version 12.4
resource policy
ip subnet-zero
no ip source-route
ip cef
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2
!
crypto isakmp policy 3
encr aes 192
authentication pre-share
group 2
!
crypto isakmp policy 4
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 1vpn2mark3 address XX.XX.XX.70 no-xauth
crypto isakmp keepalive 30
!
crypto ipsec transform-set ESP_AES_256 esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP_AES_192 esp-aes 192 esp-sha-hmac
crypto ipsec transform-set ESP_AES_128 esp-aes esp-sha-hmac
crypto ipsec transform-set ESP_3DES esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto ipsec profile high
set security-association lifetime kilobytes 4000000
set security-association lifetime seconds 14400
set security-association idle-time 14400
set transform-set ESP_AES_256 ESP_AES_192 ESP_AES_128 ESP_3DES
set pfs group2
!
crypto map TUNNEL 1 ipsec-isakmp
set peer XX.XX.XX.70
set security-association lifetime kilobytes 4000000
set security-association lifetime seconds 14400
set security-association idle-time 14400
set transform-set ESP_AES_256 ESP_AES_192 ESP_AES_128 ESP_3DES ESP-3DES-MD5
set pfs group2
match address 102
!
!
interface FastEthernet0/0
ip address 10.xx.xx.xx xx.xx.xx.xx
ip access-group 100 in
no ip redirects
no ip proxy-arp
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
ip address xx.xx.xx.8 xx.xx.xx.24
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect DEFAULT100 out
ip virtual-reassembly
ip tcp adjust-mss 1350
duplex auto
speed auto
no mop enabled
crypto map TUNNEL
!
no ip classless
ip route 0.0.0.0 0.0.0.0 XX.XX.XX.1 (next hop from xx.xx.xx.8)
!
ip http server
no ip http secure-server
!
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit udp host XX.XX.XX.70 host xx.xx.xx.1 eq non500-isakmp
access-list 101 permit udp host XX.XX.XX.70 host xx.xx.xx.8 eq non500-isakmp
access-list 101 permit udp host XX.XX.XX.70 host xx.xx.xx.1 eq isakmp
access-list 101 permit udp host XX.XX.XX.70 host xx.xx.xx.8 eq isakmp-------------------> (here are matches)
access-list 101 permit esp host XX.XX.XX.70 host xx.xx.xx.1
access-list 101 permit esp host XX.XX.XX.70 host xx.xx.xx.8
access-list 101 permit ahp host XX.XX.XX.70 host xx.xx.xx.1
access-list 101 permit ahp host XX.XX.XX.70 host xx.xx.xx.8
access-list 101 permit ip 20.xx.xx.xx (LAN2) 0.0.0.255 10.xx.xx.xx (LAN1) 0.0.0.255
access-list 101 permit ip any any
access-list 102 permit ip 10.1.170.0 0.0.0.255 192.168.169.0 0.0.0.255----------------> (here are matches for interesting traffic)
----------------------------------------------------------------------------------------------------------------
* One thing I noticed is that when I do "show standby brief" from the active router, interface Gi5 (WAN side) shows unknown. Is that normal?
gate01#show standby br
Interface   Grp  Pri  P  State    Active   Standby       Virtual IP
Gi4         2    200  P  Active   local    XX.XX.XX.54   XX.XX.XX.52
Gi5         3    200  P  Active   local    unknown       XX.XX.XX.70
------------------------------------------------------------------------------------------------------------------
* On the server side both routers run IOS version 15.8, and the remote side (router 1841) runs IOS version 12.4.
Maybe this is also one of the problems, isn't it?
* Update to the "unknown" issue:
I just removed standby version 2 from Gi5 and now the IP of the interface appears when I do show standby. I am still confused whether standby version 2 is not required for object tracking and other advanced options.
I hope you find out the problem(s).
Many many thanks in advance.