Problem establishing a GRE/IPsec tunnel between 2 Cisco routers

loc
Level 1

Hi everyone,

I'm trying to establish a GRE/IPsec tunnel between two Cisco routers (a 2620XM and an 836).

I've created the tunnel interfaces on both routers as follows:

2620XM

interface Tunnel0
 ip address 10.1.5.2 255.255.255.252
 tunnel source x.x.x.x
 tunnel destination y.y.y.y
end

836

interface Tunnel0
 ip address 10.1.5.1 255.255.255.252
 tunnel source y.y.y.y
 tunnel destination x.x.x.x
end

and the ISAKMP/IPsec configuration as follows:

2620XM

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key {key} address y.y.y.y no-xauth
!
!
crypto ipsec transform-set to_melissia esp-des esp-md5-hmac
!
crypto map myvpn 9 ipsec-isakmp
 set peer y.y.y.y
 set transform-set to_melissia
 match address 101

2620XM-Router#sh ip access-lists 101
Extended IP access list 101
    10 permit gre host x.x.x.x host y.y.y.y

836

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key {key} address x.x.x.x no-xauth
!
!
crypto ipsec transform-set to_metamorfosi esp-des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set to_metamorfosi
 match address 101

836-Router#sh access-lists 101
Extended IP access list 101
    10 permit gre host y.y.y.y host x.x.x.x

Unfortunately I get no ISAKMP security associations at all, and when debugging I get this output:

CRYPTO: IPSEC(crypto_map_check_encrypt_core): CRYPTO: Packet dropped because cryptomap is currently being created -.

Any ideas why I get this result? Any assistance will be of great help.

Thanks!!!

1 Accepted Solution (Rick's reply later in the thread)

15 Replies

hemendoz
Cisco Employee

This snippet of config looks good. Can you paste the entire config (sanitized)? Even better would be if you could include the following debug output:

debug cry isa

debug cry ipsec

Hope this helps!

Thanks for your reply,

Well, I've attached the sanitized config files of both routers.

On the other hand, I get no debugging output in term mon with debug crypto isakmp, debug crypto ipsec and debug crypto engine turned on.

As you will see in the configuration files, the crypto map is applied to FastEthernet 0/0.2 and Ethernet 0 on the 2620 and 836 routers respectively. So the only debugging I get is when I remove the crypto map from the interfaces and re-apply it. Then I get the following debugging output:

IPSEC(crypto_map_check_encrypt_core): CRYPTO: Packet dropped because cryptomap is currently being created.

Am I missing something? Any ideas?

Thanks a lot

Can you post the following two commands?

sh crypto isakmp sa

sh crypto ipsec sa

Hello,

Here is the output.

2620XM#sh crypto isakmp sa
dst             src             state          conn-id    slot

2620XM#sh crypto ipsec sa

interface: FastEthernet0/0.2
    Crypto map tag: myvpn, local addr. x.x.x.x

   protected vrf:
   local  ident (addr/mask/prot/port): (x.x.x.x/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (y.y.y.y/255.255.255.255/47/0)
   current_peer: y.y.y.y:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: y.y.y.y
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.2
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

and...

836-Router#sh crypto isakmp sa
dst             src             state          conn-id    slot   status

Melissia-Router#sh crypto ipsec sa

interface: Ethernet0
    Crypto map tag: myvpn, local addr y.y.y.y

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (y.y.y.y/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (x.x.x.x/255.255.255.255/47/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: y.y.y.y, remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

hemendoz
Cisco Employee

You are not getting an IPSec tunnel to establish. It doesn't even look like there is any negotiation.

You wrote that you got this message on one side when attempting to build an IPSec tunnel: "CRYPTO: IPSEC(crypto_map_check_encrypt_core): CRYPTO: Packet dropped because cryptomap is currently being created". What happens if you try to initiate the IPSec connection from the other side? At the very least some debug output needs to appear.

BTW, if you remove the crypto map and permit GRE traffic in your network, can you ping the remote tunnel address on each side? That is to say, from 836-Router can you ping 10.1.5.2, and vice versa?

Also, I don't see any routes for traffic to the tunnel interface. How will each end node know to route traffic across the GRE tunnel?

Hope this helps!

Hello,

I've changed the peer IP addresses on the two routers and it worked. To be more specific, in the previous configuration I used the IPs of the internal interfaces (FastEthernet 0/0.2 and Ethernet0 on the 2620XM and 836 respectively) as peer IPs and tunnel endpoints. In the new configuration I use the IPs of the external interfaces (Serial 0/0:0 and Dialer1) and it works fine.

But still I wonder: isn't it possible to establish GRE/IPsec tunnels between the routers using e.g. loopback interfaces?

Wilson Samuel
Level 7

Hi,

Why don't you just put the crypto map entry on the tunnel interface as well?

We have got many tunnels and I see that all of them have it.

Whether to put the crypto map on the tunnel changes depending on the version of the IOS. In older IOS the crypto map needs to be on the tunnel (as well as the outbound interface), but in recent code it is not necessary to be on the tunnel, and the TAC suggested to me to only have the crypto map on the outbound physical interface.

HTH

Rick

Rick,

You are correct.

Before 12.2(13)T, crypto maps are required on both the GRE tunnel interface and the physical interface. From 12.2(13)T and later you only need to apply the crypto map on the physical interface, OR use "tunnel protection ipsec profile" under the tunnel interface.

Hope that helps! If so, please rate.

Thanks
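The "tunnel protection ipsec profile" alternative mentioned above, written out as an added example (this is not configuration from the original posters or from Cisco documentation). It assumes IOS 12.2(13)T or later, constructed RFC 5737 addresses standing in for the thread's x.x.x.x (2620XM, Serial0/0:0) and y.y.y.y (836, Dialer1), a constructed LAN 10.1.2.0/24 behind the 836, and only the 2620XM side is shown; the 836 mirrors it with the addresses swapped. The thread's "hash md5" and "esp-des esp-md5-hmac" are single DES and MD5, both long deprecated, so the example uses AES-256 and SHA instead; the pre-shared key is a placeholder to be replaced with a long random secret.

```cisco
! Added example, not the poster's config. Addresses are constructed
! (RFC 5737 documentation ranges) and stand in for x.x.x.x / y.y.y.y.
! Requires IOS 12.2(13)T or later (tunnel protection). 2620XM side only;
! the 836 side mirrors it with the addresses swapped.
!
! Phase 1: AES/SHA instead of the thread's DES/MD5. DH group 14 needs a
! fairly recent image; older images only offer groups 1, 2 and 5.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
! The key is bound to the peer's tunnel destination (its WAN address),
! because with tunnel protection that is the address IKE peers with.
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 198.51.100.1 no-xauth
!
! Phase 2: transport mode is enough because GRE already supplies the
! outer IP header, and it saves 20 bytes of overhead per packet.
crypto ipsec transform-set GRE-AES esp-aes 256 esp-sha-hmac
 mode transport
!
! The profile replaces the crypto map: no "set peer", no "match address".
! Peer and proxy identities come from the tunnel source/destination.
crypto ipsec profile GRE-PROT
 set transform-set GRE-AES
!
interface Tunnel0
 ip address 10.1.5.2 255.255.255.252
 ! Clamp the inner MTU so GRE+ESP overhead does not force fragmentation
 ! on the 1500-byte WAN link.
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Serial0/0:0
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile GRE-PROT
!
interface Serial0/0:0
 ip address 192.0.2.1 255.255.255.252
 ! No crypto map here: tunnel protection binds IPsec to the GRE tunnel.
!
! Without a route pointing into the tunnel nothing ever triggers IKE.
! Remote LAN (constructed) reached via the tunnel; default via the WAN.
ip route 10.1.2.0 255.255.255.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 192.0.2.2
```

To check it, send traffic to 10.1.2.0/24 (or ping the far tunnel address 10.1.5.1) and confirm that "show crypto isakmp sa" shows an SA in QM_IDLE between 192.0.2.1 and 198.51.100.1 and that the "#pkts encaps"/"#pkts decaps" counters in "show crypto ipsec sa" increase; the thread's output above, with both counters at 0 and an empty ISAKMP table, is what a never-negotiated tunnel looks like.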

Hi,

Well, you can find info about this at the following link.

http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps5207/products_field_notice09186a0080697964.shtml

It mentions that applying the crypto map to both the tunnel and the physical interface isn't necessary (after 12.2(3T) versions) and furthermore can cause fragmentation problems.

Anyway, I would like to thank you all for your replies.

Hi Loc,

Have you been able to sort out the issue yet?

Regards,

Wilson Samuel

Hi,

As I wrote in a previous post, the issue was solved when I applied the crypto map to the external interfaces of the routers.

Before, I was trying to establish the IPsec/GRE tunnel using the IPs of the internal interfaces.

Now everything works fine!

But still I wonder (just curiosity) why it is not possible to set up the tunnel using internal (but globally routable, of course) IP addresses.

Thanks

I believe that it is possible. It sounds to me like you are assuming that the address of the interface where the crypto map goes is the peering address. While that is the default action, it is possible to configure it differently.

As you have discovered, the crypto map needs to be on the physical outbound interface. If you want the peering address to be something other than the address of the outbound physical interface then you can add this command to your crypto map:

crypto map <map-name> local-address <interface_ID>

so if you put loopback0 as the interface_ID then it would use loopback0 as the peering address even though the crypto map may be assigned on serial0/0 or some other physical interface.

HTH

Rick
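Rick's "crypto map local-address" suggestion carried through for both routers, as an added example that is not the posters' or Rick's configuration. It assumes constructed RFC 5737 addresses in place of x.x.x.x and y.y.y.y, that each router owns a globally routed loopback (the "globally routable" condition from the question), constructed LANs 10.1.1.0/24 behind the 2620XM and 10.1.2.0/24 behind the 836, and a constructed WAN next hop 192.0.2.2 for the 2620XM. Phase 1/2 use AES-256/SHA instead of the thread's DES/MD5, and the pre-shared key is a placeholder. The points that differ from the original question's config: the crypto ACL and the ISAKMP key are keyed to the loopbacks, the crypto map stays on the physical outbound interface, and each peer's loopback gets an explicit route out that interface.

```cisco
! Added example, not the posters' or Rick's configuration. Addresses are
! constructed (RFC 5737 ranges) and stand in for x.x.x.x / y.y.y.y.
! GRE and IKE endpoints are the loopbacks; the crypto map still sits on
! the physical outbound interface, and "local-address" makes IKE/IPsec
! source from Loopback0 instead of that interface's address.
!
! ===== 2620XM (WAN Serial0/0:0 = 192.0.2.1, Loopback0 = 192.0.2.129) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! Key bound to the peer's LOOPBACK: that is the IKE source the peer
! now presents, so a key bound to its WAN address would never match.
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 198.51.100.129 no-xauth
!
crypto ipsec transform-set GRE-AES esp-aes 256 esp-sha-hmac
 mode transport
!
crypto map myvpn local-address Loopback0
crypto map myvpn 10 ipsec-isakmp
 set peer 198.51.100.129
 set transform-set GRE-AES
 match address 101
!
! The crypto ACL must match the GRE packets as they are actually built:
! loopback to loopback, not WAN address to WAN address.
access-list 101 permit gre host 192.0.2.129 host 198.51.100.129
!
interface Loopback0
 ip address 192.0.2.129 255.255.255.255
!
interface Tunnel0
 ip address 10.1.5.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Loopback0
 tunnel destination 198.51.100.129
!
interface Serial0/0:0
 ip address 192.0.2.1 255.255.255.252
 crypto map myvpn
!
! The peer's loopback must be reachable out the interface carrying the
! crypto map; a host route via the WAN next hop (constructed) makes that
! explicit. The remote LAN (constructed) is routed into the tunnel.
ip route 198.51.100.129 255.255.255.255 192.0.2.2
ip route 10.1.2.0 255.255.255.0 Tunnel0
!
! ===== 836 (WAN Dialer1 = 198.51.100.1, Loopback0 = 198.51.100.129) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 192.0.2.129 no-xauth
!
crypto ipsec transform-set GRE-AES esp-aes 256 esp-sha-hmac
 mode transport
!
crypto map myvpn local-address Loopback0
crypto map myvpn 10 ipsec-isakmp
 set peer 192.0.2.129
 set transform-set GRE-AES
 match address 101
!
access-list 101 permit gre host 198.51.100.129 host 192.0.2.129
!
interface Loopback0
 ip address 198.51.100.129 255.255.255.255
!
interface Tunnel0
 ip address 10.1.5.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Loopback0
 tunnel destination 192.0.2.129
!
interface Dialer1
 crypto map myvpn
!
ip route 192.0.2.129 255.255.255.255 Dialer1
ip route 10.1.1.0 255.255.255.0 Tunnel0
```

After applying it, "show crypto map" should list Loopback0 as the local address for myvpn, "show crypto isakmp sa" should show a QM_IDLE entry between 192.0.2.129 and 198.51.100.129 rather than the WAN addresses, and the "local crypto endpt." in "show crypto ipsec sa" should be the loopback. Because the loopback never goes down with a single physical link, this is also what makes the failover idea in the next reply work: the crypto map can be applied to more than one outbound interface while IKE keeps a stable identity.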

Hey, that was a real cool idea, with this we can even make Fail-Over Crypto Maps which will not be dependent upon any physical interfaces.

Thanks