
Problem applying IPSec to GRE Tunnel

ricardo1831
Level 1

Fellow Support Community,

Any assistance or suggestions you can provide on an issue I have with a GRE tunnel and IPSec. I have a vessel offshore which has a GRE tunnel working between shore and vessel - this works fine and data passes between vessel and corporate LAN OK.

The problem comes when I apply the IPSec and ISAKMP parameters to each of the VTIs.

tunnel mode ipsec ipv4

tunnel protection ipsec profile VPN_IPSEC_PROFILE

These commands and the associated parameters are tried and tested and working fine for 5 other VPNs which are currently up and passing traffic. The working configuration for each endpoint is below. When the above commands are applied the VPN stays QM_IDLE but no data traffic passes over the tunnel. The VPN provides the connectivity back to corporate LAN so the site is effectively cut off.

Any suggestions??

****HUB****

crypto keyring HELIX_VPN_KEYRING
 pre-shared-key address B.B.B.B key xyz
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp invalid-spi-recovery
crypto isakmp profile VPN_ISAKMP_PROFILE
 keyring HELIX_VPN_KEYRING
 match identity address B.B.B.B 255.255.255.255
!
crypto ipsec transform-set VPN_TS esp-aes 256 esp-sha-hmac
crypto ipsec nat-transparency spi-matching
!
crypto ipsec profile VPN_IPSEC_PROFILE
 description ***  VPN IPsec Profile - RH - November 2012 ***
 set transform-set VPN_TS
 set pfs group2
 set isakmp-profile VPN_ISAKMP_PROFILE
!
interface Tunnel128
 description *** Vessel VPN Tunnel (JC1RT01:B.B.B.B) ***
 ip address 10.0.75.130 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0.311
 tunnel destination B.B.B.B
!
interface GigabitEthernet0/0.311
 description *** ISP Public Subnet ***
 encapsulation dot1Q 311
 ip address A.A.A.A 255.255.255.248
!
ip route 10.2.88.0 255.255.255.0 10.0.75.129 name JC1_Data_Tu128
ip route 10.2.89.0 255.255.255.0 10.0.75.129 name JC1_Voice_Tu128

****REMOTE****

crypto keyring VPN_KEYRING vrf Internet
 pre-shared-key address A.A.A.A key xyz
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp invalid-spi-recovery
crypto isakmp profile VPN_ISAKMP_PROFILE
 vrf Internet
 keyring VPN_KEYRING
 match identity address A.A.A.A 255.255.255.255 Internet
!
crypto ipsec transform-set VPN_TS esp-aes 256 esp-sha-hmac
crypto ipsec nat-transparency spi-matching
!
crypto ipsec profile VPN_IPSEC_PROFILE
 description *** VPN IPsec Profile - RH - 30/01/13 ***
 set transform-set VPN_TS
 set pfs group2
 set isakmp-profile VPN_ISAKMP_PROFILE
!
interface Tunnel128
 description *** Jaya Crystal VPN Tunnel (VPNRTR01:A.A.A.A) ***
 ip address 10.0.75.129 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0.602
 tunnel destination A.A.A.A
 tunnel vrf Internet
!
interface FastEthernet0/0.602
 description *** Vessel Provided Public IP Demark ***
 encapsulation dot1Q 602
 ip vrf forwarding Internet
 ip address B.B.B.B 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
!
ip route 0.0.0.0 0.0.0.0 10.0.75.130 name Tu128


ricardo1831
Level 1

Any suggestions at all?
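
The following is an added example, not part of the original thread and not Cisco tooling: a Python check that pulls the settings both endpoints have to agree on out of the two configurations posted above and lists any that differ. The function names and the abbreviated config excerpts are constructed for illustration; it assumes one ISAKMP policy and one transform set per router and no NAT between the peers.

```python
import re
# Abbreviated excerpts of the posted configs (constructed sample input); assumes no NAT between peers.
HUB = """crypto keyring HELIX_VPN_KEYRING
 pre-shared-key address B.B.B.B key xyz
crypto isakmp policy 10
 encr aes 256
 group 2
crypto isakmp profile VPN_ISAKMP_PROFILE
 match identity address B.B.B.B 255.255.255.255
crypto ipsec transform-set VPN_TS esp-aes 256 esp-sha-hmac
crypto ipsec profile VPN_IPSEC_PROFILE
 set pfs group2
interface Tunnel128
 tunnel destination B.B.B.B"""
REMOTE = """crypto keyring VPN_KEYRING vrf Internet
 pre-shared-key address A.A.A.A key xyz
crypto isakmp policy 10
 encr aes 256
 group 2
crypto isakmp profile VPN_ISAKMP_PROFILE
 match identity address A.A.A.A 255.255.255.255 Internet
crypto ipsec transform-set VPN_TS esp-aes 256 esp-sha-hmac
crypto ipsec profile VPN_IPSEC_PROFILE
 set pfs group2
interface Tunnel128
 tunnel destination A.A.A.A"""
# Settings compared across both routers; no "tunnel mode" line means the IOS default (GRE).
SHARED = {"encr": r"^ +encr (.+)", "dh": r"^ +group (\d+)",
          "transform": r"^crypto ipsec transform-set \S+ (.+)", "pfs": r"set pfs (\S+)",
          "mode": r"tunnel mode (.+)", "protect": r"tunnel protection ipsec profile (\S+)"}
PEER = {"psk": r"pre-shared-key address (\S+)", "identity": r"match identity address (\S+)",
        "dest": r"tunnel destination (\S+)"}

def facts(cfg):
    """First capture of each pattern in a config excerpt (None when the line is absent)."""
    found = {k: re.search(p, cfg, re.M) for k, p in {**SHARED, **PEER}.items()}
    return {k: m.group(1).strip() if m else None for k, m in found.items()}

def compare(hub_cfg, remote_cfg):
    """Return readable mismatches between the two endpoints (empty list if none)."""
    hub, rem = facts(hub_cfg), facts(remote_cfg)
    issues = [f"{k}: hub={hub[k]!r} remote={rem[k]!r}" for k in SHARED if hub[k] != rem[k]]
    for name, side in (("hub", hub), ("remote", rem)):
        issues += [f"{name}: {k} peer {side[k]} != tunnel destination {side['dest']}"
                   for k in ("psk", "identity") if side[k] != side["dest"]]
    return issues

if __name__ == "__main__":
    print(compare(HUB, REMOTE) or "no mismatches in the compared settings")
```

Run against the excerpts as posted it reports nothing; appending `tunnel mode ipsec ipv4` and `tunnel protection ipsec profile VPN_IPSEC_PROFILE` to only one excerpt makes it report the `mode` and `protect` differences.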
