07-04-2006 05:13 AM - edited 02-21-2020 02:30 PM
Hi everyone,
I'm trying to establish a GRE IPsec tunnel between two Cisco routers (a 2620XM and an 836).
I've created the tunnel interfaces on both routers as follows,
2620XM
interface Tunnel0
ip address 10.1.5.2 255.255.255.252
tunnel source x.x.x.x
tunnel destination y.y.y.y
end
836
interface Tunnel0
ip address 10.1.5.1 255.255.255.252
tunnel source y.y.y.y
tunnel destination x.x.x.x
end
and the isakmp/ipsec configuration as follows,
2620XM
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key {key} address y.y.y.y no-xauth
!
!
crypto ipsec transform-set to_melissia esp-des esp-md5-hmac
!
crypto map myvpn 9 ipsec-isakmp
set peer y.y.y.y
set transform-set to_melissia
match address 101
2620XM-Router#sh ip access-lists 101
Extended IP access list 101
10 permit gre host x.x.x.x host y.y.y.y
836
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key {key} address x.x.x.x no-xauth
!
!
crypto ipsec transform-set to_metamorfosi esp-des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
set peer x.x.x.x
set transform-set to_metamorfosi
match address 101
836-Router#sh access-lists 101
Extended IP access list 101
10 permit gre host y.y.y.y host x.x.x.x
Unfortunately I get no ISAKMP security associations at all, and when debugging I get this output:
CRYPTO: IPSEC(crypto_map_check_encrypt_core): CRYPTO: Packet dropped because cryptomap is currently being created -.
Any ideas why I get this result? Any assistance will be of great help.
Thanks!!!
07-07-2006 11:39 AM
This snippet of config looks good. Can you paste the entire config (sanitized)? Even better would be if you could include the following debug output:
debug cry isa
debug cry ipsec
Hope this helps!
07-11-2006 06:59 AM
Thanks for your reply,
Well, I've attached the sanitized config files of both routers.
On the other hand, I get no debugging output in term mon even though I have turned on debug crypto isakmp, debug crypto ipsec and debug crypto engine.
As you will see in the configuration files, the crypto map is applied to FastEthernet 0/0.2 and Ethernet 0 on the 2620 and 836 routers respectively. So the only debugging I get is when I remove the crypto map from the interfaces and re-apply it. Then I get the following debugging output:
IPSEC(crypto_map_check_encrypt_core): CRYPTO: Packet dropped because cryptomap is currently being created.
Am I missing something? Any ideas?
Thanks a lot
07-11-2006 07:22 AM
Can you post the following two commands?
sh crypto isakmp sa
sh crypto ipsec sa
07-11-2006 01:32 PM
Hello,
Here is the output.
2620XM#sh crypto isakmp sa
dst src state conn-id slot
2620XM#sh crypto ipsec sa
interface: FastEthernet0/0.2
Crypto map tag: myvpn, local addr. x.x.x.x
protected vrf:
local ident (addr/mask/prot/port): (x.x.x.x/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (y.y.y.y/255.255.255.255/47/0)
current_peer: y.y.y.y:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: x.x.x.x, remote crypto endpt.: y.y.y.y
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.2
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
and...
836-Router#sh crypto isakmp sa
dst src state conn-id slot status
Melissia-Router#sh crypto ipsec sa
interface: Ethernet0
Crypto map tag: myvpn, local addr y.y.y.y
protected vrf: (none)
local ident (addr/mask/prot/port): (y.y.y.y/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (x.x.x.x/255.255.255.255/47/0)
current_peer x.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: y.y.y.y, remote crypto endpt.: x.x.x.x
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
07-11-2006 08:10 PM
You are not getting an IPSec tunnel to establish. It doesn't even look like there is any negotiation.
You wrote that you got this message on one side when attempting to build an IPSec tunnel: "CRYPTO: IPSEC(crypto_map_check_encrypt_core): CRYPTO: Packet dropped because cryptomap is currently being created". What happens if you try to initiate the IPSec connection from the other side? At the very least some debug output needs to appear.
BTW, if you remove the crypto map and permit GRE traffic in your network, can you ping the remote tunnel address on each side? That is to say, from 836-Router can you ping 10.1.5.2, and vice versa?
Also, I don't see any routes for traffic to the tunnel interface. How will each end node know to route traffic across the GRE tunnel?
Hope this helps!
07-12-2006 05:57 AM
Hello,
I've changed the peer IP address on the two routers and it worked. To be more specific, in the previous configuration I used the IPs of the internal interfaces (FastEthernet 0/0.2 and Ethernet0 on the 2620XM and 836 respectively) as peer IPs and tunnel endpoints. In the new configuration I use the IPs of the external interfaces (Serial 0/0:0 and Dialer1) and it works fine.
But still I wonder, isn't it possible to establish GRE/IPsec tunnels between the routers using e.g. loopback interfaces?
07-12-2006 06:21 AM
Hi,
Why don't you just put the crypto map entry on the tunnel interface as well?
We have got many tunnels and I see that all of them are having it.
07-13-2006 06:18 PM
Whether to put the crypto map on the tunnel changes depending on the version of the IOS. In older IOS the crypto map needs to be on the tunnel (as well as the outbound interface) but in recent code it is not necessary to be on the tunnel and the TAC suggested to me to only have the crypto map on the outbound physical interface.
HTH
Rick
07-13-2006 11:21 PM
Rick,
You are correct.
Before 12.2(13)T, crypto maps are required on both the GRE tunnel interface and the physical interface. From 12.2(13)T onward you only need to apply the crypto map on the physical interface, OR use "tunnel protection ipsec profile" under the tunnel interface.
Hope that helps! If so, please rate.
Thanks
07-13-2006 11:47 PM
Hi,
Well, you can find info about this in the following link.
It mentions that applying the crypto map on both the tunnel and the physical interface isn't necessary (after 12.2(3T) versions) and can furthermore cause fragmentation problems.
Anyway, I would like to thank you all for your replies.
07-13-2006 11:50 PM
Hi Loc,
Have you been able to sort out the issue yet?
Regards,
Wilson Samuel
07-14-2006 12:19 AM
Hi,
As I wrote in a previous post, the issue was solved when I applied the crypto map to the external interfaces of the routers.
Before, I was trying to establish the IPsec/GRE tunnel using the IPs of the internal interfaces.
Now everything works fine!
But still I wonder (just curiosity) why it is not possible to set up the tunnel using internal (but of course globally routable) IP addresses.
Thanks
07-14-2006 01:55 AM
I believe that it is possible. It sounds to me like you are assuming that the address of the interface where the crypto map goes is the peering address. While that is the default action, it is possible to configure it differently.
As you have discovered, the crypto map needs to be on the physical outbound interface. If you want the peering address to be something other than the address of the outbound physical interface then you can add this command to your crypto map:
crypto map
so if you put loopback0 as the interface_ID then it would use loopback0 as the peering address even though the crypto map may be assigned on serial0/0 or some other physical interface.
HTH
Rick
07-14-2006 05:28 AM
Hey, that was a really cool idea; with this we can even make fail-over crypto maps which will not be dependent upon any physical interfaces.
Thanks
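Putting Rick's local-address suggestion together with the routing point raised in the 07-11-2006 08:10 PM reply, here is a complete added example of both router configs. It is not configuration posted in the thread: the loopback addresses (192.0.2.1 / 198.51.100.1) and the LAN prefixes (10.1.1.0/24 / 10.1.2.0/24) are constructed values, while the map name, transform sets, ACL number and {key} placeholder are the ones the thread uses.

```cisco
! Added example, not configuration from the thread. 2620XM side.
! Constructed values (assumptions): Loopback0 192.0.2.1 here, 198.51.100.1 on
! the 836; LAN 10.1.1.0/24 behind the 2620XM, 10.1.2.0/24 behind the 836.
! Both loopbacks must be globally routable and reachable from the other router.
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
! The peer is now the remote loopback, not the remote physical interface.
crypto isakmp key {key} address 198.51.100.1 no-xauth
!
! esp-des/esp-md5-hmac kept from the thread; current deployments use AES with SHA-2.
crypto ipsec transform-set to_melissia esp-des esp-md5-hmac
!
! local-address makes IKE and ESP originate from Loopback0 even though the map
! is bound to the physical outbound interface further down.
crypto map myvpn local-address Loopback0
crypto map myvpn 9 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set to_melissia
 match address 101
!
! The crypto ACL has to match the GRE packets exactly as they are built:
! loopback to loopback, protocol 47.
access-list 101 permit gre host 192.0.2.1 host 198.51.100.1
!
! GRE endpoints are the same loopbacks, so every tunnel packet hits ACL 101.
interface Tunnel0
 ip address 10.1.5.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 198.51.100.1
!
! Crypto map only on the physical outbound interface (12.2(13)T or later).
interface Serial0/0:0
 crypto map myvpn
!
! Routing: without a route into Tunnel0 no packet ever matches the crypto ACL,
! so no SA is negotiated. The host route for the peer loopback must point out
! the physical interface, never into the tunnel, or the tunnel routes into itself.
ip route 10.1.2.0 255.255.255.0 Tunnel0
ip route 198.51.100.1 255.255.255.255 Serial0/0:0
!
! ---------------- 836 side (mirror image) ----------------
interface Loopback0
 ip address 198.51.100.1 255.255.255.255
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key {key} address 192.0.2.1 no-xauth
!
crypto ipsec transform-set to_metamorfosi esp-des esp-md5-hmac
!
crypto map myvpn local-address Loopback0
crypto map myvpn 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set to_metamorfosi
 match address 101
!
access-list 101 permit gre host 198.51.100.1 host 192.0.2.1
!
interface Tunnel0
 ip address 10.1.5.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.0.2.1
!
! Dialer1 may get a different address each session; with local-address the
! IKE identity stays on Loopback0 regardless.
interface Dialer1
 crypto map myvpn
!
ip route 10.1.1.0 255.255.255.0 Tunnel0
ip route 192.0.2.1 255.255.255.255 Dialer1
```

To check the result, send traffic toward the remote LAN and run the two show commands used earlier in the thread: "sh crypto isakmp sa" should list the peer loopbacks in QM_IDLE state, and "sh crypto ipsec sa" should show the local/remote ident as the two loopback /32s with protocol 47 and the #pkts encaps/decaps counters climbing. On 12.2(13)T and later the same protection can be applied with "tunnel protection ipsec profile" on Tunnel0 instead of a crypto map and crypto ACL; the loopback sourcing and the routes above stay the same.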