cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4045
Views
5
Helpful
9
Replies

Issue with IPSEC phase 2

Gallain
Level 1
Level 1

Hi, I'm trying to get an IPsec tunnel working, but it seems phase 2 isn't coming up.

 

Their subnet is a /27 public IP  and mine is a private IP subnet.

 

I've attached the crypto debug output.

 

I've also attached the config of the other end of the tunnel.

 

My config:

 

crypto isakmp policy 45
encr aes 256
authentication pre-share
group 5
lifetime 28800

crypto isakmp key xxxx address x.x.x.x

crypto ipsec transform-set xxxx ah-sha-hmac esp-aes 256
mode tunnel


crypto map IPSEC 45 ipsec-isakmp
set peer x.x.x.x
set transform-set xxxx
set pfs group5
match address xxxx


ip access-list extended xxxxxx
permit ip 192.168.10.0 0.0.0.255 x.x.x.x 0.0.0.31


ip access-list extended NAT
deny ip 192.168.10.0 0.0.0.255 x.x.x.x 0.0.0.31
permit ip any any

 

ip access-list extended inbound-traffic
permit ip host x.x.x.x any

1 Accepted Solution

Accepted Solutions

@Gallain 

Your transform set looks incorrect, you are using AH and ESP encapsulation.

 

crypto ipsec transform-set xxxx ah-sha-hmac esp-aes 256

"A transform set combination of AH and ESP is not supported in Cisco IOS XE releases".

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-cfg-vpn-ipsec.html

 

Use ESP for both encryption and authentication. i.e.

 

crypto ipsec transform-set xxxx ESP-sha-hmac esp-aes 256

 

HTH

View solution in original post

9 Replies 9

balaji.bandi
Hall of Fame
Hall of Fame

what is this device model? what is the other side device you trying to establish a tunnel?

 

post below output :

 

#show crypto isakmp sa
#show crypto ipsec sa

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Javier Acuña
Spotlight
Spotlight

Greetings for the communication of the IPSec tunnel in phase 2, phase one must be established, be careful with the interesting traffic since it must be the same as the other peer that is communicating with you, be careful with the host Any command in the ACL since in many cases this can cause failures.


Remember to click on Helpfull to continue contributing to the cisco community

Gallain
Level 1
Level 1

Interestingly on the isakmp sa it looks like the source and destination are the wrong way round. All the other working tunnels on the few have my IP in the destination.

 

I'll find out what model of device the other side has.

 

 

#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst                              src                 state      conn-id     status
(peer ip)                   (my ip)           QM_IDLE       4031     ACTIVE

 

show crypto ipsec sa


protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (x.x.x.x/255.255.255.224/0/0)
current_peer x.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 15, #recv errors 0

local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0.74
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:


One of the most important aspects is the traffic in the acl verifies with the extreme side and coordinates a verification

 

 

Remember to give the little star this helps me continue to continue with the community

The same host any command works for all the other ipsec tunnels on the firewall.

 

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

Looking at this, make sure you intiate the traffic onside and test, as i have requested post complete config and device information

also other side device information.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello,

 

it is difficult to figure out which of the images belong to which side. Post the full running configs (sh run) of both sides...

@Gallain 

Your transform set looks incorrect, you are using AH and ESP encapsulation.

 

crypto ipsec transform-set xxxx ah-sha-hmac esp-aes 256

"A transform set combination of AH and ESP is not supported in Cisco IOS XE releases".

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-cfg-vpn-ipsec.html

 

Use ESP for both encryption and authentication. i.e.

 

crypto ipsec transform-set xxxx ESP-sha-hmac esp-aes 256

 

HTH

Thank you! That was it.