IPSec

FazailHajiyev
Level 1

Hello guys.

I configured GRE over IPsec, but I get the following message.

oct 3 21:51:31.011: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 192.168.12.1

An access list is mandatory for a crypto map. When I created an access list permitting GRE traffic between R1 and R3, my OSPF goes down.

I think the access list blocks OSPF packets.

What are your recommendations?

Thanks in advance!

I attach my configuration here.

R3#show running-config
Building configuration...

Current configuration : 1551 bytes
!
! Last configuration change at 02:02:44 +04 Sun Oct 4 2020
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
clock timezone +04 4 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
lifetime 3600
crypto isakmp key mypassword address 192.168.12.1
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
!
!
crypto map CM 10 ipsec-isakmp
set peer 192.168.12.1
set transform-set TS
match address 100
!
!
!
!
!
interface Loopback0
ip address 172.16.3.3 255.255.255.0
!
interface Tunnel1
ip address 192.168.13.3 255.255.255.0
tunnel source 192.168.23.3
tunnel destination 192.168.12.1
!
interface Ethernet0/0
ip address 192.168.23.3 255.255.255.0
crypto map CM
!
interface Ethernet0/1
no ip address
shutdown
!
interface Ethernet0/2
no ip address
shutdown
!
interface Ethernet0/3
no ip address
shutdown
!
router ospf 100
network 172.16.3.0 0.0.0.255 area 0
network 192.168.13.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 192.168.12.1 255.255.255.255 192.168.23.2
!
access-list 100 permit gre any any
!
!
!
control-plane
!
!
!
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
transport input all
!
!
end

R3#

----------------------------------------------------------------------------------------------


R1#show running-config
Building configuration...

Current configuration : 1564 bytes
!
! Last configuration change at 01:48:20 +04 Sun Oct 4 2020
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
clock timezone +04 4 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 3600
crypto isakmp key mypassword address 192.168.23.3
!
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
!
!
crypto map CM 10 ipsec-isakmp
set peer 192.168.23.3
set transform-set TS
match address 100
!
!
!
!
!
interface Loopback0
ip address 172.16.1.1 255.255.255.0
!
interface Tunnel1
ip address 192.168.13.1 255.255.255.0
tunnel source 192.168.12.1
tunnel destination 192.168.23.3
!
interface Ethernet0/0
ip address 192.168.12.1 255.255.255.0
crypto map CM
!
interface Ethernet0/1
no ip address
shutdown
!
interface Ethernet0/2
no ip address
shutdown
!
interface Ethernet0/3
no ip address
shutdown
!
router ospf 100
network 172.16.1.0 0.0.0.255 area 0
network 192.168.13.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 192.168.23.3 255.255.255.255 192.168.12.2
!
access-list 100 permit gre any any
!
!
!
control-plane
!
!
!
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
transport input all
!
!
end

1 Reply

Hi @FazailHajiyev 

You have DH group 5 configured on R1 isakmp policy, but not R3. These ISAKMP policies need to be identical.

Make the change; if that fails, provide the output of the ISAKMP debugs.

HTH
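Two points from the configs posted in this thread are worth making explicit. The crypto ACL (`access-list 100 permit gre any any`) is a traffic selector, not a filter: it tells the crypto map which traffic to protect, so the GRE packets carrying OSPF over Tunnel1 are only forwarded once the IPsec SA with the peer is established. When phase 1 never completes, that GRE traffic is dropped and OSPF goes down, which is the symptom in the original post. Attributes left out of a `crypto isakmp policy` take IOS defaults, so R3's policy with no `group` line is DH group 1 and cannot match R1's `group 5`, as the reply says. The posted configs also differ in the transform set: R3's `esp-aes` is AES-128 and R1's `esp-aes 256` is AES-256, so phase 2 would fail once phase 1 is fixed. The script below is an added example written for this thread, not Cisco code: it parses the crypto sections of both configs (excerpts of the ones posted, plus an assumed corrected R3 section that adds `group 5` and AES-256) and reports which phase 1 attributes and phase 2 transform sets fail to match. It handles several policies and several transform sets per crypto map, which is more general than the single-policy case here. Tunnel mode is assumed on both sides, since neither config sets `mode`.

```python
"""Check whether two Cisco IOS IPsec peers can agree on IKEv1 phase 1 and
phase 2. Added example for this thread, not Cisco code."""
import re

# IOS 15.x fills in these defaults for attributes left out of an ISAKMP policy.
# R3's policy has no "group" line, so it is DH group 1 and cannot match R1's
# "group 5". Lifetime is not matched: the lower of the two values is used.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}
ISAKMP_MATCH_KEYS = ("encr", "hash", "authentication", "group")

# Crypto sections of the configs posted above (peer/ACL lines omitted). Forum
# posts drop the one-space indent of sub-commands, so indentation is ignored.
R1_CONFIG = """\
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 3600
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
crypto map CM 10 ipsec-isakmp
set transform-set TS
!
"""
R3_CONFIG = """\
crypto isakmp policy 10
encr aes 256
authentication pre-share
lifetime 3600
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto map CM 10 ipsec-isakmp
set transform-set TS
!
"""
# Assumed fix for R3: add "group 5" and use AES-256 in the transform set.
R3_FIXED = (R3_CONFIG.replace("lifetime 3600", "group 5\nlifetime 3600")
            .replace("TS esp-aes esp-sha-hmac", "TS esp-aes 256 esp-sha-hmac"))

def parse_isakmp_policies(config):
    """Return {priority: {attr: value}} with IOS defaults applied."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = dict(ISAKMP_DEFAULTS)
            policies[int(m.group(1))] = current
            continue
        key, _, value = line.partition(" ")
        if current is not None and key in ISAKMP_DEFAULTS:
            current[key] = value.strip()
        elif line.startswith(("!", "crypto ")):   # next top-level command ends the policy
            current = None
    return policies

def parse_transform_sets(config):
    """Return {name: frozenset of transforms}, with AES key sizes made explicit."""
    sets = {}
    for raw in config.splitlines():
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", raw.strip())
        if not m:
            continue
        transforms = []
        for tok in m.group(2).split():
            if tok.isdigit():   # a key size belongs to the cipher before it
                transforms[-1] += " " + tok
            else:
                transforms.append(tok)
        # bare "esp-aes" is AES-128 on IOS, so it does not match "esp-aes 256"
        sets[m.group(1)] = frozenset("esp-aes 128" if t == "esp-aes" else t
                                     for t in transforms)
    return sets

def crypto_map_transform_sets(config, map_name):
    """Names given by 'set transform-set' under every entry of crypto map <map_name>."""
    names, inside = [], False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("crypto map %s " % map_name):
            inside = True
        elif inside and line.startswith("set transform-set "):
            names.extend(line.split()[2:])
        elif inside and line.startswith(("!", "crypto ", "interface ")):
            inside = False
    return names

def isakmp_mismatches(cfg_a, cfg_b):
    """{(prio_a, prio_b): {attr: (value_a, value_b)}}; an empty inner dict is a match."""
    pa, pb = parse_isakmp_policies(cfg_a), parse_isakmp_policies(cfg_b)
    return {(i, j): {k: (a[k], b[k]) for k in ISAKMP_MATCH_KEYS if a[k] != b[k]}
            for i, a in pa.items() for j, b in pb.items()}

def shared_transform_sets(cfg_a, map_a, cfg_b, map_b):
    """Transform sets offered by both crypto maps; an empty set means phase 2 fails."""
    sa, sb = parse_transform_sets(cfg_a), parse_transform_sets(cfg_b)
    offered_a = {sa[n] for n in crypto_map_transform_sets(cfg_a, map_a) if n in sa}
    offered_b = {sb[n] for n in crypto_map_transform_sets(cfg_b, map_b) if n in sb}
    return offered_a & offered_b

if __name__ == "__main__":
    for label, r3 in (("R3 as posted", R3_CONFIG), ("R3 with fix", R3_FIXED)):
        print(label, "| phase 1:", isakmp_mismatches(R1_CONFIG, r3), "| phase 2 shared:",
              [sorted(s) for s in shared_transform_sets(R1_CONFIG, "CM", r3, "CM")])
```

Run against the posted configs it reports the group 5 versus group 1 mismatch for the only policy pair and no shared transform set; with the assumed R3 fix applied both checks pass. The same two checks are what `debug crypto isakmp` and `debug crypto ipsec` would show failing on the routers themselves.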