02-25-2021 06:54 PM - edited 02-25-2021 06:59 PM
Hi, I'm trying to get an IPsec tunnel working, but it seems phase 2 isn't coming up.
Their subnet is a /27 public IP and mine is a private IP subnet.
I've attached the crypto debug output.
I've also attached the config of the other end of the tunnel.
My config:
crypto isakmp policy 45
encr aes 256
authentication pre-share
group 5
lifetime 28800
crypto isakmp key xxxx address x.x.x.x
crypto ipsec transform-set xxxx ah-sha-hmac esp-aes 256
mode tunnel
crypto map IPSEC 45 ipsec-isakmp
set peer x.x.x.x
set transform-set xxxx
set pfs group5
match address xxxx
ip access-list extended xxxxxx
permit ip 192.168.10.0 0.0.0.255 x.x.x.x 0.0.0.31
ip access-list extended NAT
deny ip 192.168.10.0 0.0.0.255 x.x.x.x 0.0.0.31
permit ip any any
ip access-list extended inbound-traffic
permit ip host x.x.x.x any
Solved! Go to Solution.
02-26-2021 07:55 AM - edited 02-26-2021 08:03 AM
Your transform set looks incorrect: you are using both AH and ESP encapsulation.
crypto ipsec transform-set xxxx ah-sha-hmac esp-aes 256
"A transform set combination of AH and ESP is not supported in Cisco IOS XE releases".
Use ESP for both encryption and authentication, i.e.
crypto ipsec transform-set xxxx esp-sha-hmac esp-aes 256
HTH
02-25-2021 07:02 PM - edited 02-25-2021 07:02 PM
What is this device model? What is the device on the other side that you are trying to establish a tunnel with?
Post the output below:
#show crypto isakmp sa
#show crypto ipsec sa
02-25-2021 07:22 PM
Greetings. For the IPsec tunnel to communicate in phase 2, phase 1 must be established. Be careful with the interesting traffic, since it must be the same as on the other peer that is communicating with you, and be careful with the "host ... any" command in the ACL, since in many cases this can cause failures.
Remember to click on Helpful to continue contributing to the Cisco community.
02-25-2021 07:30 PM - edited 02-25-2021 07:30 PM
Interestingly, on the ISAKMP SA it looks like the source and destination are the wrong way round. All the other working tunnels on the few have my IP in the destination.
I'll find out what model of device the other side has.
#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst                              src                 state      conn-id     status
(peer ip)                   (my ip)           QM_IDLE       4031     ACTIVE
show crypto ipsec sa
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (x.x.x.x/255.255.255.224/0/0)
current_peer x.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 15, #recv errors 0
local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0.74
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
02-25-2021 07:38 PM
One of the most important aspects is the traffic in the ACL; verify it with the far side and coordinate a check.
Remember to give the little star; this helps me continue with the community.
02-25-2021 09:05 PM
The same host any command works for all the other ipsec tunnels on the firewall.
02-26-2021 02:19 AM
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
Looking at this, make sure you initiate the traffic on one side and test. As I have requested, post the complete config and device information,
and also the other side's device information.
02-26-2021 01:28 AM
Hello,
it is difficult to figure out which of the images belong to which side. Post the full running configs (sh run) of both sides...
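The two diagnostic signals in this thread, the zeroed counters in the poster's show crypto ipsec sa output and the AH+ESP transform set named in the accepted answer, can both be checked mechanically. The script below is an added example and is not code from the original thread or from Cisco; the config and SA excerpt it parses are constructed to mirror the poster's (peer addresses from documentation ranges, transform-set and ACL names are placeholders), and the checks it applies are generic ones, not an official IOS validator.

```python
import re

# Constructed sample in the shape of the poster's running config.
# Addresses and object names are placeholders, not the poster's real values.
SAMPLE_CONFIG = """\
crypto isakmp policy 45
 encr aes 256
 authentication pre-share
 group 5
 lifetime 28800
crypto ipsec transform-set VPN-TS ah-sha-hmac esp-aes 256
 mode tunnel
crypto map IPSEC 45 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set VPN-TS
 set pfs group5
 match address VPN-ACL
"""

# The same config with the transform set corrected as in the accepted answer.
FIXED_CONFIG = SAMPLE_CONFIG.replace("ah-sha-hmac esp-aes 256", "esp-sha-hmac esp-aes 256")

# Constructed excerpt in the shape of 'show crypto ipsec sa' while phase 2 is down.
SAMPLE_SA_OUTPUT = """\
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (198.51.100.0/255.255.255.224/0/0)
current_peer 203.0.113.10 port 500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 15, #recv errors 0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
outbound esp sas:
outbound ah sas:
"""

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$", re.M)
COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|digest|verify): (\d+)")
ERR_RE = re.compile(r"#(send|recv) errors (\d+)")
SPI_RE = re.compile(r"current outbound spi: (0x[0-9A-Fa-f]+)")


def parse_transform_sets(config):
    """Return {name: [transform, ...]}. A bare key size such as '256'
    is folded into the preceding transform, giving 'esp-aes 256'."""
    sets = {}
    for name, rest in TS_RE.findall(config):
        transforms = []
        for token in rest.split():
            if token.isdigit() and transforms:
                transforms[-1] += " " + token
            else:
                transforms.append(token)
        sets[name] = transforms
    return sets


def check_transform_sets(config):
    """Flag sets that mix AH and ESP (the thread's root cause) and ESP sets
    that encrypt without any integrity transform."""
    findings = []
    for name, transforms in parse_transform_sets(config).items():
        ah = [t for t in transforms if t.startswith("ah-")]
        esp = [t for t in transforms if t.startswith("esp-")]
        if ah and esp:
            findings.append(f"{name}: mixes AH ({' '.join(ah)}) and ESP ({' '.join(esp)}); "
                            "use esp-<cipher> with esp-<hash>-hmac instead")
        # GCM/GMAC transforms carry their own integrity; HMAC transforms are explicit.
        esp_auth = [t for t in esp if t.endswith("-hmac") or "gcm" in t or "gmac" in t]
        esp_enc = [t for t in esp if not t.endswith("-hmac")]
        if esp_enc and not esp_auth and not ah:
            findings.append(f"{name}: ESP encryption without an integrity transform")
    return findings


def parse_sa_counters(output):
    """Pull the packet counters, error counters and outbound SPI from SA output."""
    counters = {k: int(v) for k, v in COUNTER_RE.findall(output)}
    counters.update({f"{k}_errors": int(v) for k, v in ERR_RE.findall(output)})
    m = SPI_RE.search(output)
    counters["outbound_spi"] = int(m.group(1), 16) if m else None
    return counters


def check_sa_health(output):
    """Interpret the counters the way the replies in the thread do."""
    c = parse_sa_counters(output)
    findings = []
    if c.get("outbound_spi") == 0:
        findings.append("outbound SPI is 0x0: no phase 2 (IPsec) SA has been negotiated")
    if c.get("encaps", 0) == 0 and c.get("send_errors", 0) > 0:
        findings.append(f"{c['send_errors']} send errors with 0 encaps: interesting traffic "
                        "matches the crypto map but there is no SA to protect it")
    if c.get("encaps", 0) > 0 and c.get("decaps", 0) == 0:
        findings.append("packets encapsulated but none decapsulated: check the peer's "
                        "crypto ACL and return routing")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, "transform-set findings:", check_transform_sets(cfg) or "none")
    print("SA findings:", check_sa_health(SAMPLE_SA_OUTPUT))
```

Run against the constructed input, the original config yields one transform-set finding (AH mixed with ESP) and the corrected config yields none, while the SA excerpt reports both the missing SPI and the send errors with zero encapsulations, which is exactly the picture the thread describes before the transform set was fixed.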
02-28-2021 02:39 PM
Thank you! That was it.