12-12-2008 09:59 AM - edited 02-21-2020 04:04 PM
I am currently having a problem with a VPN that I am setting up, and traffic seems to disappear after it is unencrypted. When I ping from one side of the tunnel to the other and do a show crypto ipsec sa, I can see that both ESP SAs are active and that 5 packets have been decrypted. I have also checked the tunnel interface and it shows that no packets have been received, and when I do traffic export on that interface I do not see any traffic coming in. I have set up traffic export on the physical interface to make sure the traffic coming in makes it to the router, and I can see ESP packets with the proper SPI coming in. I am not sure what else I can check to view where these packets are getting stopped. Any ideas?
###### Router 1 ######
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key 6 removed address 1.1.1.2
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
 mode transport
crypto map MYMAP 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set MYSET
 match address 101
interface Tunnel11
 ip address 2.2.2.2 255.255.255.0
 tunnel source fastEthernet0
 tunnel destination 1.1.1.2
interface Fa0
 ip address 1.1.1.1 255.255.255.0
 crypto map MYMAP
access-list 101 permit gre host 1.1.1.1 host 1.1.1.2
###### Router 2 ######
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key 6 removed address 1.1.1.1
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
 mode transport
crypto map MYMAP 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set MYSET
 match address 101
interface Tunnel11
 ip address 2.2.2.1 255.255.255.0
 tunnel source fastEthernet0
 tunnel destination 1.1.1.1
interface Fa0
 ip address 1.1.1.2 255.255.255.0
 crypto map MYMAP
access-list 101 permit gre host 1.1.1.2 host 1.1.1.1
12-16-2008 04:30 AM
Hi!
I don't know your IOS version.
But try such a config (new type of GRE tunnel):
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key test address 1.1.1.1
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
crypto ipsec profile MYVTI
 set transform-set MYSET
interface Tunnel0
 ip address 2.2.2.1 255.255.255.0
 tunnel source fastEthernet0
 tunnel destination 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MYVTI
interface Fa0
 ip address 1.1.1.2 255.255.255.0
Maybe it helps.
12-16-2008 06:33 AM
I solved this problem. It turned out that the GRE endpoint was assigned to the wrong interface on the second router. I have two inputs to each router, and I had the destination of one of the tunnels on an interface that wasn't set up for the VPN. So the packets didn't know where to go after they got decrypted.
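The mismatch that caused this thread (decrypted GRE packets addressed to a local interface that does not carry the crypto map, so the tunnel on the other side never claims them) can be caught from the configs before the tunnel is brought up. The script below is an added example and is not code from the thread or from Cisco; it parses the simplified IOS-style text shown in the thread (only the interface, tunnel, crypto map and access-list lines are modelled) and, for every tunnel, checks that the crypto ACL permits GRE between the endpoints, that the crypto map peer equals the tunnel destination, that the destination is an address on a crypto-map interface of the peer, and that the peer has a tunnel whose source and destination mirror it. The configs embedded below are constructed for the example: Router 1 has an extra interface Fa1 (10.0.0.1) without a crypto map, and the "bad" Router 2 points its tunnel at that address, reproducing the symptom from the original post.

```python
"""Consistency check for a GRE-over-IPsec crypto-map pair (added example)."""
import re
from dataclasses import dataclass, field


def norm_if(name):
    """Normalise interface names so 'fastEthernet0' and 'Fa0' compare equal."""
    n = name.lower()
    for long, short in (("fastethernet", "fa"), ("gigabitethernet", "gi")):
        n = n.replace(long, short)
    return n


@dataclass
class Router:
    name: str
    interfaces: dict = field(default_factory=dict)   # norm name -> {"ip", "crypto_map"}
    tunnels: dict = field(default_factory=dict)      # norm name -> {"source", "destination"}
    crypto_maps: dict = field(default_factory=dict)  # map name -> {"peer", "acl"}
    acls: dict = field(default_factory=dict)         # acl id -> [(proto, src, dst)]

    def ip_of(self, ifname):
        entry = self.interfaces.get(norm_if(ifname))
        return entry["ip"] if entry else None

    def crypto_ips(self):
        """Addresses of interfaces that actually carry a crypto map."""
        return {i["ip"] for i in self.interfaces.values() if i["crypto_map"] and i["ip"]}


def parse_config(name, text):
    """Parse the subset of IOS config lines used by the check; other lines are ignored."""
    r, ctx = Router(name), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if (m := re.match(r"interface\s+(\S+)$", line)):
            key = norm_if(m.group(1))
            if key.startswith("tunnel"):
                r.tunnels[key] = {"source": None, "destination": None}
                ctx = ("tunnel", key)
            else:
                r.interfaces[key] = {"ip": None, "crypto_map": None}
                ctx = ("interface", key)
            continue
        if (m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", line)):
            r.crypto_maps[m.group(1)] = {"peer": None, "acl": None}
            ctx = ("map", m.group(1))
            continue
        if (m := re.match(r"access-list (\d+) permit (\S+) host (\S+) host (\S+)$", line)):
            r.acls.setdefault(m.group(1), []).append(m.group(2, 3, 4))
            ctx = None
            continue
        if line.startswith("crypto ") and not line.startswith("crypto map"):
            ctx = None  # isakmp policy / transform-set blocks are not modelled
            continue
        if ctx is None:
            continue
        kind, key = ctx
        if kind == "interface":
            if (m := re.match(r"ip address (\S+) \S+$", line)):
                r.interfaces[key]["ip"] = m.group(1)
            elif (m := re.match(r"crypto map (\S+)$", line)):
                r.interfaces[key]["crypto_map"] = m.group(1)
        elif kind == "tunnel":
            if (m := re.match(r"tunnel (source|destination) (\S+)$", line)):
                r.tunnels[key][m.group(1)] = m.group(2)
        elif kind == "map":
            if (m := re.match(r"set peer (\S+)$", line)):
                r.crypto_maps[key]["peer"] = m.group(1)
            elif (m := re.match(r"match address (\S+)$", line)):
                r.crypto_maps[key]["acl"] = m.group(1)
    return r


def check_tunnel_path(local, peer):
    """Return problems that would make GRE from `local` vanish after decryption on `peer`."""
    problems = []
    for tname, t in local.tunnels.items():
        src_ip, dst_ip = local.ip_of(t["source"] or ""), t["destination"]
        if src_ip is None:
            problems.append(f"{local.name} {tname}: tunnel source {t['source']} has no address")
            continue
        cmap = local.crypto_maps.get(local.interfaces[norm_if(t["source"])]["crypto_map"] or "")
        if cmap is None:
            problems.append(f"{local.name} {tname}: source interface carries no crypto map")
        else:
            if ("gre", src_ip, dst_ip) not in local.acls.get(cmap["acl"], []):
                problems.append(f"{local.name} {tname}: ACL {cmap['acl']} does not permit gre {src_ip} -> {dst_ip}")
            if cmap["peer"] != dst_ip:
                problems.append(f"{local.name} {tname}: crypto peer {cmap['peer']} != tunnel destination {dst_ip}")
        if dst_ip not in peer.crypto_ips():
            problems.append(f"{local.name} {tname}: destination {dst_ip} is not on a crypto-map interface of {peer.name}")
        if not any(peer.ip_of(p["source"] or "") == dst_ip and p["destination"] == src_ip
                   for p in peer.tunnels.values()):
            problems.append(f"{local.name} {tname}: {peer.name} has no tunnel {dst_ip} -> {src_ip}")
    return problems


# Constructed configs (not the thread's exact ones): R1 has a second interface
# Fa1 that is not part of the VPN; R2_BAD terminates its GRE tunnel there.
ROUTER1 = """
crypto map MYMAP 10 ipsec-isakmp
 set peer 1.1.1.2
 match address 101
interface Tunnel11
 tunnel source fastEthernet0
 tunnel destination 1.1.1.2
interface Fa0
 ip address 1.1.1.1 255.255.255.0
 crypto map MYMAP
interface Fa1
 ip address 10.0.0.1 255.255.255.0
access-list 101 permit gre host 1.1.1.1 host 1.1.1.2
"""
ROUTER2_GOOD = ROUTER1.replace("1.1.1.2", "X").replace("1.1.1.1", "1.1.1.2").replace("X", "1.1.1.1")
ROUTER2_BAD = ROUTER2_GOOD.replace("tunnel destination 1.1.1.1", "tunnel destination 10.0.0.1") \
                          .replace("host 1.1.1.2 host 1.1.1.1", "host 1.1.1.2 host 10.0.0.1")

R1 = parse_config("R1", ROUTER1)
R2_GOOD = parse_config("R2", ROUTER2_GOOD)
R2_BAD = parse_config("R2", ROUTER2_BAD)

if __name__ == "__main__":
    for a, b in ((R1, R2_GOOD), (R2_GOOD, R1), (R1, R2_BAD), (R2_BAD, R1)):
        print(f"{a.name} -> {b.name}:", check_tunnel_path(a, b) or "ok")
```

The bad pair is reported from both directions: Router 2's tunnel points at an address Router 1 has no crypto map on, and Router 1 then finds no tunnel on Router 2 whose endpoints mirror its own. Running the same check against the thread's real configs (which only swap the two addresses) would simply print "ok" in both directions, which is why the original poster's symptom was invisible in the posted snippet and only showed up on the second interface that was left out of the post.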