10-03-2020 03:16 PM
Hello guys.
I configured GRE IPsec but I get the following message.
oct 3 21:51:31.011: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 192.168.12.1
Access is mandatory for crypto map. When I created an access list for permitting GRE traffic between R1 and R3, my OSPF goes down.
I think the access list blocks OSPF packets.
What are your recommendations?
Thanks in advance!
I attach my configuration here.
R3#
R3#sh
R3#show runn
R3#show running-config
Building configuration...
Current configuration : 1551 bytes
!
! Last configuration change at 02:02:44 +04 Sun Oct 4 2020
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
clock timezone +04 4 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
lifetime 3600
crypto isakmp key mypassword address 192.168.12.1
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
!
!
crypto map CM 10 ipsec-isakmp
set peer 192.168.12.1
set transform-set TS
match address 100
!
!
!
!
!
interface Loopback0
ip address 172.16.3.3 255.255.255.0
!
interface Tunnel1
ip address 192.168.13.3 255.255.255.0
tunnel source 192.168.23.3
tunnel destination 192.168.12.1
!
interface Ethernet0/0
ip address 192.168.23.3 255.255.255.0
crypto map CM
!
interface Ethernet0/1
no ip address
shutdown
!
interface Ethernet0/2
no ip address
shutdown
!
interface Ethernet0/3
no ip address
shutdown
!
router ospf 100
network 172.16.3.0 0.0.0.255 area 0
network 192.168.13.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 192.168.12.1 255.255.255.255 192.168.23.2
!
access-list 100 permit gre any any
!
!
!
control-plane
!
!
!
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
transport input all
!
!
end
R3#
----------------------------------------------------------------------------------------------
R1#show running-config
Building configuration...
Current configuration : 1564 bytes
!
! Last configuration change at 01:48:20 +04 Sun Oct 4 2020
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
clock timezone +04 4 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 3600
crypto isakmp key mypassword address 192.168.23.3
!
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
!
!
crypto map CM 10 ipsec-isakmp
set peer 192.168.23.3
set transform-set TS
match address 100
!
!
!
!
!
interface Loopback0
ip address 172.16.1.1 255.255.255.0
!
interface Tunnel1
ip address 192.168.13.1 255.255.255.0
tunnel source 192.168.12.1
tunnel destination 192.168.23.3
!
interface Ethernet0/0
ip address 192.168.12.1 255.255.255.0
crypto map CM
!
interface Ethernet0/1
no ip address
shutdown
!
interface Ethernet0/2
no ip address
shutdown
!
interface Ethernet0/3
no ip address
shutdown
!
router ospf 100
network 172.16.1.0 0.0.0.255 area 0
network 192.168.13.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 192.168.23.3 255.255.255.255 192.168.12.2
!
access-list 100 permit gre any any
!
!
!
control-plane
!
!
!
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
transport input all
!
!
end
10-03-2020 11:53 PM
You have DH group 5 configured on R1 isakmp policy, but not R3. These ISAKMP policies need to be identical.
Make the change; if that fails, provide the output of ISAKMP debugs.
HTH
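An added example, not part of the reply above or of any Cisco tooling: a small Python check that diffs the ISAKMP policy and IPsec transform-set lines of two configurations, so a mismatch like the one described shows up before the tunnel is tested. The function names are hypothetical and the embedded excerpts are copied from the R1 and R3 configs in the question; a setting that does not appear in a config is reported as absent rather than guessed at.

```python
import re

# Constructed excerpts: the crypto lines from the R1 and R3 configs posted above.
R1 = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
"""
R3 = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 lifetime 3600
crypto ipsec transform-set TS esp-aes esp-sha-hmac
"""

POLICY_KEYS = ("encr", "encryption", "hash", "authentication", "group", "lifetime")

def parse_crypto(config):
    """Return {setting_name: value} for ISAKMP policies and transform sets."""
    settings, policy = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            policy = m.group(1)
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            settings[f"transform-set {m.group(1)}"] = m.group(2)
            policy = None
            continue
        word, _, rest = line.partition(" ")
        if policy and word in POLICY_KEYS:
            key = "encr" if word == "encryption" else word
            settings[f"isakmp policy {policy} {key}"] = rest
        elif line and line != "!":
            policy = None  # any other command ends the policy block
    return settings

def diff_crypto(a, b):
    """List (setting, value_a, value_b) where the two configs differ."""
    pa, pb = parse_crypto(a), parse_crypto(b)
    return [(k, pa.get(k, "(not in config)"), pb.get(k, "(not in config)"))
            for k in sorted(pa.keys() | pb.keys()) if pa.get(k) != pb.get(k)]
```

On the posted configs, `diff_crypto(R1, R3)` reports the `group` line that is present only on R1, and also that transform-set TS is `esp-aes 256` on R1 but `esp-aes` on R3.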