No show of isakmp-ipsec over GRE Tunnel activity

JScott1963

I configured ISAKMP-IPSEC on my tunnel but I see no evidence of it functioning. The tunnel works fine. A traceroute shows 1 hop even though the two routers are physically separated by one router and two non-contiguous networks. There is simply no evidence the IPSec is operating. I am at a total loss as to what is going on. Any help or advice is appreciated.

 

Here is the report I get when issuing the sh crypto isakmp sa command.

Router1#sh crypto isakmp sa
IPv4   Crypto    ISAKMP  SA 

dst                 src                 state               conn-id  slot  status

IPv6 Crypto ISAKMP SA

 

Here is the tunnel setup for R1. R2 is mirrored.

Router1 = 192.168.45.1

Tunnel source = 170.156.45.1

Tunnel destination = 170.156.45.2 via R2's g0/0/0 200.110.16.2

 

Here is R1's IPSec config. R2's is the opposite MYTUNNEL address, Int, and Peer.

crypto ISAKMP policy 3
encryption aes
authentication pre-share
group 2
crypto ISAKMP key MYTUNNEL address 200.110.16.2
crypto ipsec transform-set ADMIN esp-aes esp-sha-hmac
ip access-list extended MYLIST
permit tcp any any
permit udp any any
permit esp any any
permit icmp any any
permit gre any any
crypto map VPN 1 ipsec-isakmp
match address MYLIST
set transform-set ADMIN
set peer 200.110.16.2
int g0/0/1
crypto map VPN 1

 


@JScott1963

Not sure how the tunnel is working if there are no isakmp SAs built (unless they've a short timer and expired). Please provide the output of "show crypto ipsec sa"

 

Change your MYLIST ACL to match on IP not protocol and be specific with the source and destination. Example:-

 

ip access-list extended MYLIST
 permit ip 192.168.1.0 0.0.0.255 10.155.0.0 0.0.0.255

The configuration of the peer device's ACL needs to be the mirror, so reverse the source and destination networks.

 

You then need to generate interesting traffic from one of the source networks (as defined in the MYLIST ACL) for the VPN to establish.

 

If you are still having issues please enable isakmp debugs and provide the output for review.

 

 

EDIT: As you are actually running GRE over IPSec and not just a crypto map, you'd just need to permit gre in the MYLIST ACL.

Hi. Thank you for the help. Unfortunately I am still not getting any interesting traffic. Everything else works though and I am now getting a new message from sh run. This is what I have: 

 

Router1 / R1 Tunnel logical source: 170.156.45.1 / Tunnel physical destination on Router2: 200.110.16.2
Conf t
crypto ISAKMP policy 3
encryption aes
authentication pre-share
group 2
crypto ISAKMP key MYTUNNEL address 170.156.45.2
crypto ipsec transform-set ADMIN esp-aes esp-sha-hmac
ip access-list extended MYLIST
permit ip 170.156.45.1 0.0.0.255 200.110.16.2 0.0.0.255
permit eigrp any any
permit gre any any
exit
crypto map VPN 1 ipsec-isakmp
match address MYTUNNEL
set transform-set ADMIN
set peer 200.110.16.2
exit
int g0/0/1
crypto map VPN 1
exit


Router2 / R2 Tunnel logical source: 170.156.45.12/ Tunnel physical destination on Router1: 192.168.10.1
Conf t
crypto ISAKMP policy 3
encryption aes
authentication pre-share
group 2
crypto ISAKMP key MYTUNNEL address 170.156.45.1
crypto ipsec transform-set ADMIN esp-aes esp-sha-hmac
ip access-list extended MYLIST
permit ip 170.156.45.2 0.0.0.255 192.168.10.1 0.0.0.255
permit eigrp any any
permit gre any any
exit
crypto map VPN 1 ipsec-isakmp
match address MYTUNNEL
set transform-set ADMIN
set peer 192.168.10.1
exit
int g0/0/0
crypto map VPN 1
exit

 

Router1's sh run report:

crypto isakmp policy 3
encr aes
authentication pre-share
group 2
!
crypto isakmp key MYTUNNEL address 170.156.45.2
!
!
!
crypto ipsec transform-set ADMIN esp-aes esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
! Incomplete
set peer 200.110.16.2
set transform-set ADMIN
match address MYTUNNEL

 

Router2's sh run

crypto isakmp policy 3
encr aes
authentication pre-share
group 2
!
crypto isakmp key MYTUNNEL address 192.168.10.1
!
!
!
crypto ipsec transform-set ADMIN esp-aes esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
! Incomplete
set peer 192.168.10.1
set peer 200.110.16.2
set transform-set ADMIN
match address MYTUNNEL

@JScott1963 

You've created an ACL called MYLIST but your crypto map is matching address MYTUNNEL not MYLIST, so you should change the crypto map to "match address MYLIST"

 

If the change above does not work, provide the debug information and the output of "show crypto ipsec sa"

 

You mention GRE in the title, but you've not provided the configuration information for a GRE tunnel. Are you actually attempting to configure GRE over IPSec VPN?
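As an added example (not from this thread or from Cisco), a small Python consistency check over crypto-map configuration in the style posted above: it flags a "match address" that names an ACL which is not defined, an ACL that does not permit gre (needed for GRE over IPsec), a map missing one of its three sub-commands (which IOS shows as "! Incomplete"), and a "set peer" address that has no matching "crypto isakmp key ... address". The parser and the sample configuration are constructed for this example.

```python
import re

# Constructed sample: Router1's crypto config as posted above (crypto map references MYTUNNEL, ACL is MYLIST).
ROUTER1_CONFIG = """\
crypto ISAKMP key MYTUNNEL address 170.156.45.2
ip access-list extended MYLIST
permit ip 170.156.45.1 0.0.0.255 200.110.16.2 0.0.0.255
permit gre any any
crypto map VPN 1 ipsec-isakmp
match address MYTUNNEL
set transform-set ADMIN
set peer 200.110.16.2
"""

def parse_ios(config):
    """Return (acls, key_peers, maps): ACL name -> permitted protocols, ISAKMP key peers, crypto-map entries."""
    acls, key_peers, maps, block = {}, set(), [], None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"ip access-list extended (\S+)", line, re.I):
            acls[m[1]], block = [], ("acl", m[1])
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)", line, re.I):
            key_peers.add(m[1])
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line, re.I):
            maps.append({"name": m[1], "seq": m[2]})
            block = ("map", len(maps) - 1)
        elif block and block[0] == "acl" and line.lower().startswith("permit"):
            acls[block[1]].append(line.split()[1].lower())  # protocol keyword
        elif block and block[0] == "map" and (
                m := re.match(r"(match address|set peer|set transform-set) (\S+)", line, re.I)):
            maps[block[1]][m[1].lower()] = m[2]
    return acls, key_peers, maps

def lint_crypto_maps(config):
    """List inconsistencies in each crypto map (GRE over IPsec assumed); empty list means clean."""
    acls, key_peers, maps = parse_ios(config)
    findings = []
    for cm in maps:
        where = f"crypto map {cm['name']} {cm['seq']}"
        for sub in ("match address", "set transform-set", "set peer"):
            if sub not in cm:  # IOS shows such a map as '! Incomplete'
                findings.append(f"{where}: missing '{sub}'")
        acl, peer = cm.get("match address"), cm.get("set peer")
        if acl and acl not in acls:
            findings.append(f"{where}: ACL {acl} is not defined")
        elif acl and "gre" not in acls[acl]:
            findings.append(f"{where}: ACL {acl} does not permit gre")
        if peer and peer not in key_peers:
            findings.append(f"{where}: no isakmp key for peer {peer}")
    return findings
```

Run against the sample it reports the undefined ACL and that the pre-shared key is bound to the tunnel address rather than the peer address given in "set peer"; with both corrected it reports nothing.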

Thank you! I made the correction. But still nothing and debug shows nothing even though I enabled debug ISAKMP and IPSec.

Here is the sh crypto isakmp sa on Router1. Router2 shows the same.

=====================================================
Router1#sh crypto isakmp sa
IPv4    Crypto   ISAKMP    SA
dst            src           state               conn-id slot status

 

IPv6 Crypto ISAKMP SA

=====================================================

Here is a tunnel report. 

Router1#sh interfaces tunnel 1
Tunnel1 is up, line protocol is up (connected)
Hardware is Tunnel
Internet address is 170.156.45.1/30
MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 192.168.10.1 (GigabitEthernet0/0/1), destination 200.110.16.2
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255

===============================================

Router2#sh int tunnel 1
Tunnel1 is up, line protocol is up (connected)
Hardware is Tunnel
Internet address is 170.156.45.2/30
MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 200.110.16.2 (GigabitEthernet0/0/0), destination 192.168.10.1
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255

==============================================================

 

@JScott1963 

Ok, so it does look like you are using GRE over IPSec VPN. A GRE tunnel interface is always going to be up and by default won't communicate with the peer. Enable keepalives on the tunnel interface, that should be enough to kick off the crypto to establish the tunnel.

 

Enable keepalive:-

interface tunnel1 
 keepalive 10 3

I assume you have routing in place to route over the tunnel interface?

 

If that doesn't work provide the full configuration, not just the crypto configuration.

Thank you again! Unfortunately there is no menu choice for keepalive on int tunnel 1. I also tried int g0/0/0 which is the physical interface for that end of the tunnel. There is nothing called keepalive there either.

All I have is the following:

======================================

Router1(config)#int tunnel 1
Router1(config-if)#?
  exit Exit from interface configuration mode
  ip Interface Internet Protocol config commands
  ipv6 IPv6 interface subcommands
  no Negate a command or set its defaults
  shutdown Shutdown the selected interface

  tunnel protocol-over-protocol tunneling

========================================

 

Here is the tunnel.

Router1

int tunnel 1
ip address 170.156.45.1 255.255.255.252
tunnel source g0/0/1
tunnel destination 200.110.16.2  <--Router2's physical interface
tunnel mode gre ip
exit

 

Router2
int tunnel 1
ip address 170.156.45.2 255.255.255.252
tunnel source g0/0/0
tunnel destination 192.168.10.1    <--Router1's physical interface
tunnel mode gre ip
exit
===================================
Here is the crypto.

Router1
Conf t
crypto ISAKMP policy 3
encryption aes
authentication pre-share
group 2
crypto ISAKMP key MYTUNNEL address 170.156.45.2 0.0.0.0
crypto ipsec transform-set ADMIN esp-aes esp-sha-hmac
ip access-list extended MYLIST
permit ip 170.156.44.0 0.0.0.255 170.156.45.0 0.0.0.255
permit eigrp any any
permit gre any any
exit
crypto map VPN 1 ipsec-isakmp
match address MYLIST
set transform-set ADMIN
set peer 200.110.16.2
exit
int g0/0/1
crypto map VPN 1
exit


Router2
Conf t
crypto ISAKMP policy 3
encryption aes
authentication pre-share
group 2
crypto ISAKMP key MYTUNNEL address 170.156.44.1 0.0.0.0
crypto ipsec transform-set ADMIN esp-aes esp-sha-hmac
ip access-list extended MYLIST
permit ip 170.156.44.0 0.0.0.255 170.156.45.0 0.0.0.255
permit eigrp any any
permit gre any any
exit
crypto map VPN 1 ipsec-isakmp
match address MYLIST
set transform-set ADMIN
set peer 192.168.10.1
exit
int g0/0/0
crypto map VPN 1
exit

 

@JScott1963 

I assume the issue is resolved as you've marked it as solved?

 

If not, running a routing protocol between the tunnel IP addresses should also bring up the crypto tunnel if you cannot configure keepalives.

Not sure why keepalives are not configurable, what hardware and software version are you running?

Yes. It just took some line-by-line research so I could finally understand what each phase is and what it does. I am running EIGRP, and I did finally get ISAKMP to come up. Thanks again for your help.