Solved: Re: Issue with IPSEC phase 2

Gallain · ‎02-25-2021

Hi, I'm trying to get an IPsec tunnel working, but it seems phase 2 isn't coming up.

Their subnet is a /27 public IP and mine is a private IP subnet.

I've attached the crypto debug output.

I've also attached the config of the other end of the tunnel.

My config:

crypto isakmp policy 45
encr aes 256
authentication pre-share
group 5
lifetime 28800

crypto isakmp key xxxx address x.x.x.x

crypto ipsec transform-set xxxx ah-sha-hmac esp-aes 256
mode tunnel

crypto map IPSEC 45 ipsec-isakmp
set peer x.x.x.x
set transform-set xxxx
set pfs group5
match address xxxx

ip access-list extended xxxxxx
permit ip 192.168.10.0 0.0.0.255 x.x.x.x 0.0.0.31

ip access-list extended NAT
deny ip 192.168.10.0 0.0.0.255 x.x.x.x 0.0.0.31
permit ip any any

ip access-list extended inbound-traffic
permit ip host x.x.x.x any

Rob Ingram · ‎02-26-2021

@Gallain

Your transform set looks incorrect, you are using AH and ESP encapsulation.

crypto ipsec transform-set xxxx ah-sha-hmac esp-aes 256

"A transform set combination of AH and ESP is not supported in Cisco IOS XE releases".

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-cfg-vpn-ipsec.html

Use ESP for both encryption and authentication. i.e.

crypto ipsec transform-set xxxx ESP-sha-hmac esp-aes 256

HTH

View solution in original post

balaji.bandi · ‎02-25-2021

what is this device model? what is the other side device you trying to establish a tunnel?

post below output :

#show crypto isakmp sa
#show crypto ipsec sa

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Javier Acuña · ‎02-25-2021

Greetings for the communication of the IPSec tunnel in phase 2, phase one must be established, be careful with the interesting traffic since it must be the same as the other peer that is communicating with you, be careful with the host Any command in the ACL since in many cases this can cause failures.

Remember to click on Helpfull to continue contributing to the cisco community

Gallain · ‎02-25-2021

Interestingly on the isakmp sa it looks like the source and destination are the wrong way round. All the other working tunnels on the few have my IP in the destination.

I'll find out what model of device the other side has.

#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
(peer ip) (my ip) QM_IDLE 4031 ACTIVE

show crypto ipsec sa

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (x.x.x.x/255.255.255.224/0/0)
current_peer x.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 15, #recv errors 0

local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0.74
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

Javier Acuña · ‎02-25-2021

One of the most important aspects is the traffic in the acl verifies with the extreme side and coordinates a verification

Remember to give the little star this helps me continue to continue with the community

Gallain · ‎02-25-2021

The same host any command works for all the other ipsec tunnels on the firewall.

balaji.bandi · ‎02-26-2021

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

Looking at this, make sure you intiate the traffic onside and test, as i have requested post complete config and device information

also other side device information.

BB