Issue with tunnel GRE IPSec

Hello, I have a radio link to a branch, but the provider's link is untrusted, so I configured a GRE tunnel + IPSec. However, I am receiving these logs on my router.

%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed

The topology is:

Router 1 C3825 IOS 12.4(25f) Fa0/2/2 -------- link radio -------------------- Router 2 C3825 IOS 15.1(4)M4 Gi0/1

I receive the logs on Router 1 only.

The configurations are:

Router 1:

crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key Andina12 address 172.20.127.114
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set TS esp-aes esp-md5-hmac
!
crypto ipsec profile protege-gre
 set security-association lifetime seconds 86400
 set transform-set TS
!
interface Tunnel0
 description Tunnel GRE IPSec a Vibora
 bandwidth 2000
 ip address 172.20.127.117 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 172.20.127.113
 tunnel destination 172.20.127.114
 tunnel protection ipsec profile protege-gre
!
interface FastEthernet0/2/2
 description RadioEnlace a Vibora
 switchport access vlan 74
 bandwidth 2000
 no cdp enable
!
interface Vlan74
 bandwidth 2000
 ip address 172.20.127.113 255.255.255.252
!
router eigrp 1
 network 172.20.127.116 0.0.0.3

Router 2:

crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key Andina12 address 172.20.127.113
!
crypto ipsec transform-set TS esp-aes esp-md5-hmac
!
crypto ipsec profile protege-gre
 set security-association lifetime seconds 86400
 set transform-set TS
!
interface Tunnel0
 description Tunnel GRE IPSec a SCZ
 bandwidth 2000
 ip address 172.20.127.118 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 172.20.127.114
 tunnel destination 172.20.127.113
 tunnel protection ipsec profile protege-gre
!
interface GigabitEthernet0/1
 description Radio Enlace a SCZ
 bandwidth 2000
 ip address 172.20.127.114 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
router eigrp 1
 network 172.20.127.116 0.0.0.3

Thanks for the help.


5 Replies

Jennifer Halim
Cisco Employee

Change the crypto ipsec mode to transport mode. By default it's tunnel mode.

crypto ipsec transform-set TS esp-aes esp-md5-hmac
 mode transport

Thanks for the response. I read in another post that the problem could be the "transform-set esp-md5-hmac" authentication method. I don't know what the problem is, because I only receive the log on Router 1.

I put the transform-set in transport mode, but the log keeps appearing. Can I use the following transform-set?

crypto ipsec transform-set TS esp-aes
 mode transport

Thanks

Yes, you can have just that configured:

crypto ipsec transform-set TS esp-aes
 mode transport

Remember to change it on both routers.

I made the configuration change you suggested, Jennifer, and didn't see the logs again.

Thanks for the help.
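Editor's added example (not code from any poster in this thread, nor from Cisco IOS): a receive-side ESP anti-replay sliding window, modelled on RFC 4303 section 3.4.3 and Appendix A, which is the check behind a "replay check failed" message. It shows what the receiver does with a packet that arrives late (outside the window) versus a genuine duplicate, and how the window width changes the verdict. The sequence-number streams are constructed for the example; the thread does not establish what reordered packets on this radio link, so the delayed-packet pattern is an assumption, and the 64-packet default window is assumed to be unchanged on the SA.

```python
# Added example: sliding-window ESP anti-replay check (RFC 4303 3.4.3 / Appendix A).
# Not code from the thread or from Cisco IOS. Streams below are constructed input.

from dataclasses import dataclass


@dataclass
class ReplayWindow:
    """Receive-side anti-replay state for one inbound SA."""
    size: int = 64       # window width in packets; 64 assumed as the unchanged IOS default
    highest: int = 0     # highest ESP sequence number accepted so far
    bitmap: int = 0      # bit i set => sequence number (highest - i) already received

    def check_and_update(self, seq: int) -> str:
        """Return 'accept', 'replay' (duplicate inside the window) or 'stale'
        (older than the window's left edge). A real receiver verifies the ICV
        before touching this state; only the window bookkeeping is modelled."""
        if seq <= 0:
            return "stale"                 # sequence number 0 is never sent (RFC 4303 2.2)
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1            # the whole old window falls off the left edge
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.size:
            return "stale"                 # late packet left of the window: rejected
        if self.bitmap & (1 << offset):
            return "replay"                # genuine duplicate inside the window
        self.bitmap |= 1 << offset
        return "accept"


def run_stream(seqs, window_size=64):
    """Feed a sequence-number stream through one SA and tally the verdicts."""
    win = ReplayWindow(size=window_size)
    tally = {"accept": 0, "replay": 0, "stale": 0}
    for s in seqs:
        tally[win.check_and_update(s)] += 1
    return tally


# Constructed streams (assumption, not captured traffic): packet 31 delivered
# after 69 later packets, and a stream in which packet 10 is sent twice.
REORDERED = list(range(1, 31)) + list(range(32, 101)) + [31]
REPLAYED = list(range(1, 11)) + [10]

if __name__ == "__main__":
    print("reordered, window 64 :", run_stream(REORDERED, 64))
    print("reordered, window 128:", run_stream(REORDERED, 128))
    print("replayed,  window 64 :", run_stream(REPLAYED, 64))
```

With the 64-packet window the late packet 31 is rejected as stale, which is the failure the receiver logs, while a 128-packet window accepts it; the duplicate packet 10 is caught either way. RFC 4303 defines the anti-replay service only when integrity protection is selected, so the accepted fix above (esp-aes with no esp-md5-hmac) makes the log stop by removing the check together with the tunnel's integrity protection. The alternative that keeps integrity is to widen the window on both routers with `crypto ipsec security-association replay window-size <packets>` (global, or per crypto map in IOS) and confirm with `show crypto ipsec sa` that the errors stop.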