05-04-2021 07:27 AM
Hello,
I have the following scenario:
HQ (Cisco 3725) >> IPsec GRE tunnel >> Branch (Cisco 3700)
Everything is working OK, the tunnel is up, traffic is OK. I want to replace the Branch router with a Cisco 1111 router.
It seems like the new IOS 16 (on the 1111 router) does not support a crypto map attached to the tunnel interface as the old router does. I have read on the internet that you need to create a VTI profile and attach that.
I did that and applied it to the branch router, but the tunnel does not come up on Phase 2. I did try to apply the same profile on the HQ router, but the tunnel does not come up on Phase 2. With the old router, the tunnel is up on Phase 1 and 2.
Any advice please?
HQ:
Router 3725 , IOS version 12.4
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key XXXX address 0.0.0.0 0.0.0.0
crypto ipsec transform-set RRR esp-3des esp-md5-hmac
!
crypto ipsec profile VTI
set transform-set RRR
crypto map RRR_TEST 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set RRR
match address gre_test
interface Tunnel75
ip address 172.16.75.1 255.255.255.252
ip mtu 1440
keepalive 10 3
tunnel source 2.2.2.2
tunnel destination 1.1.1.1
crypto map RRR_TEST
ip route 192.168.75.0 255.255.255.0 172.16.75.2
ip access-list extended gre_test
permit gre host 2.2.2.2 host 1.1.1.1
Branch:
Router C1111, IOS Version 16.10.01b
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key XXXX address 0.0.0.0
!
!
crypto ipsec transform-set RRR esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile VTI
set transform-set RRR
!
!
!
crypto map RRR_TEST 10 ipsec-isakmp
set peer PUBLIC IP ON REMOTE ROUTER
set transform-set RRR
match address 101
interface Tunnel75
ip address 172.16.75.2 255.255.255.252
ip mtu 1440
keepalive 10 3
tunnel source 1.1.1.1
tunnel mode ipsec ipv4
tunnel destination 2.2.2.2
tunnel protection ipsec profile VTI
ip access-list extended NAT
deny ip 192.168.75.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 192.168.75.0 0.0.0.255 any
ip nat inside source list NAT interface GigabitEthernet0/0/1 overload
sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
2.2.2.2 1.1.1.1 QM_IDLE 1001 ACTIVE
IPv6 Crypto ISAKMP SA
sh crypto ipsec sa
interface: Tunnel75
Crypto map tag: Tunnel75-head-0, local addr 1.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 2.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
debug crypto isakmp
*May 4 14:19:47.969: ISAKMP: (1001):set new node 0 to QM_IDLE
*May 4 14:19:47.969: ISAKMP: (1001):SA has outstanding requests (local 1.1.1.1 port 500, remote 2.2.2.2 port 500)
*May 4 14:19:47.969: ISAKMP: (1001):sitting IDLE. Starting QM immediately (QM_IDLE )
*May 4 14:19:47.969: ISAKMP: (1001):beginning Quick Mode exchange, M-ID of 1014678849
*May 4 14:19:47.969: ISAKMP: (1001):QM Initiator gets spi
*May 4 14:19:47.969: ISAKMP-PAK: (1001):sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) QM_IDLE
*May 4 14:19:47.969: ISAKMP: (1001):Sending an IKE IPv4 Packet.
*May 4 14:19:47.970: ISAKMP: (1001):Node 1014678849, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*May 4 14:19:47.970: ISAKMP: (1001):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*May 4 14:19:47.974: ISAKMP-PAK: (1001):received packet from 2.2.2.2 dport 500 sport 500 Global (I) QM_IDLE
*May 4 14:19:47.975: ISAKMP: (1001):set new node 3769307440 to QM_IDLE
*May 4 14:19:47.975: ISAKMP: (1001):processing HASH payload. message ID = 3769307440
*May 4 14:19:47.975: ISAKMP: (1001):processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 3171687210, message ID = 3769307440, sa = 0x80007F75163C68
*May 4 14:19:47.975: ISAKMP: (1001):deleting spi 3171687210 message ID = 1014678849
*May 4 14:19:47.975: ISAKMP-ERROR: (1001):deleting node 1014678849 error TRUE reason "Delete Larval"
*May 4 14:19:47.975: ISAKMP: (1001):deleting node 3769307440 error FALSE reason "Informational (in) state 1"
*May 4 14:19:47.975: ISAKMP: (1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*May 4 14:19:47.975: ISAKMP: (1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*May 4 14:20:07.550: ISAKMP: (1001):purging node 581902426
*May 4 14:20:07.551: ISAKMP: (1001):purging node 351356064
*May 4 14:20:17.968: ISAKMP: (1001):set new node 0 to QM_IDLE
*May 4 14:20:17.968: ISAKMP: (1001):SA has outstanding requests (local 1.1.1.1 port 500, remote 2.2.2.2 port 500)
*May 4 14:20:17.968: ISAKMP: (1001):sitting IDLE. Starting QM immediately (QM_IDLE )
*May 4 14:20:17.968: ISAKMP: (1001):beginning Quick Mode exchange, M-ID of 671508365
*May 4 14:20:17.968: ISAKMP: (1001):QM Initiator gets spi
*May 4 14:20:17.968: ISAKMP-PAK: (1001):sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) QM_IDLE
*May 4 14:20:17.968: ISAKMP: (1001):Sending an IKE IPv4 Packet.
*May 4 14:20:17.969: ISAKMP: (1001):Node 671508365, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*May 4 14:20:17.969: ISAKMP: (1001):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*May 4 14:20:17.973: ISAKMP-PAK: (1001):received packet from 2.2.2.2 dport 500 sport 500 Global (I) QM_IDLE
*May 4 14:20:17.973: ISAKMP: (1001):set new node 379062112 to QM_IDLE
*May 4 14:20:17.973: ISAKMP: (1001):processing HASH payload. message ID = 379062112
*May 4 14:20:17.974: ISAKMP: (1001):processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 4195609810, message ID = 379062112, sa = 0x80007F75163C68
*May 4 14:20:17.974: ISAKMP: (1001):deleting spi 4195609810 message ID = 671508365
*May 4 14:20:17.974: ISAKMP-ERROR: (1001):deleting node 671508365 error TRUE reason "Delete Larval"
*May 4 14:20:17.974: ISAKMP: (1001):deleting node 379062112 error FALSE reason "Informational (in) state 1"
*May 4 14:20:17.974: ISAKMP: (1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*May 4 14:20:17.974: ISAKMP: (1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
05-04-2021 07:35 AM
You've "tunnel mode ipsec ipv4" on the C1111's tunnel interface. That command is not specified on the 3725, which probably means it is GRE, which on newer IOS is the default (no idea about the 3725 though). Change the C1111's tunnel interface tunnel mode to GRE.
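The mismatch Rob points at is visible in the proxy identities that "show crypto ipsec sa" prints: an IPsec VTI ("tunnel mode ipsec ipv4") negotiates any/any, while a crypto map whose ACL is "permit gre host A host B" negotiates host/host protocol 47, and quick mode fails with PROPOSAL_NOT_CHOSEN when the two sides do not mirror each other. The Python script below is an added example, not part of this thread or of any Cisco tool: it parses both peers' "show crypto ipsec sa" output, checks that the selectors mirror, and classifies the two log symptoms that appear in the thread. The HQ-side output and the log lines are constructed for the example; only the branch-side outputs follow what the thread shows.

```python
"""Added diagnostic for IKEv1 phase-2 failures between two IOS peers.

Parses proxy identities from each side's 'show crypto ipsec sa', checks that
they mirror, and classifies debug/syslog lines. All sample text below is
constructed for this example (shape of IOS output, addresses as in the thread).
"""
import re
from dataclasses import dataclass

# One 'local ident' or 'remote ident' line of 'show crypto ipsec sa'.
IDENT_RE = re.compile(
    r"(?P<side>local|remote) ident \(addr/mask/prot/port\): "
    r"\((?P<addr>[\d.]+)/(?P<mask>[\d.]+)/(?P<prot>\d+)/(?P<port>\d+)\)"
)


@dataclass(frozen=True)
class Selector:
    addr: str
    mask: str
    prot: int


def parse_selectors(show_output: str) -> dict:
    """Return {'local': Selector, 'remote': Selector} from 'show crypto ipsec sa'."""
    found = {}
    for m in IDENT_RE.finditer(show_output):
        found[m.group("side")] = Selector(m.group("addr"), m.group("mask"), int(m.group("prot")))
    if set(found) != {"local", "remote"}:
        raise ValueError("need both a local and a remote ident line")
    return found


def describe(sel: Selector) -> str:
    """Map a selector back to the IOS configuration that produces it."""
    if (sel.addr, sel.mask, sel.prot) == ("0.0.0.0", "0.0.0.0", 0):
        return "any/any: IPsec VTI ('tunnel mode ipsec ipv4')"
    if sel.mask == "255.255.255.255" and sel.prot == 47:
        return "host-to-host GRE: crypto-map ACL 'permit gre host A host B' or GRE tunnel with 'tunnel protection'"
    return f"{sel.addr}/{sel.mask} proto {sel.prot}"


def selectors_mirror(a: dict, b: dict) -> bool:
    """Quick mode succeeds only if A's local selector is B's remote one and vice versa."""
    return a["local"] == b["remote"] and a["remote"] == b["local"]


LOG_SIGNATURES = {
    "PROPOSAL_NOT_CHOSEN": "peer rejected the quick-mode proposal (transform set, mode or proxy identities differ)",
    "RECVD_PKT_NOT_IPSEC": "cleartext packet arrived where ESP was expected: the peer sends this traffic unencrypted",
}


def classify_logs(lines) -> list:
    """Return (signature, meaning) for each line carrying a known phase-2 symptom."""
    hits = []
    for line in lines:
        for sig, meaning in LOG_SIGNATURES.items():
            if sig in line:
                hits.append((sig, meaning))
                break
    return hits


def diagnose(side_a: str, side_b: str, log_lines) -> list:
    """Combine the selector comparison and the log classification into findings."""
    a, b = parse_selectors(side_a), parse_selectors(side_b)
    findings = []
    if not selectors_mirror(a, b):
        findings.append(
            "proxy identity mismatch: A offers %s <-> %s, B expects %s <-> %s"
            % (describe(a["local"]), describe(a["remote"]), describe(b["remote"]), describe(b["local"]))
        )
    findings.extend(f"{sig}: {meaning}" for sig, meaning in classify_logs(log_lines))
    return findings


# Constructed samples. Branch outputs follow the thread; the HQ output is what a
# crypto map with 'permit gre host 2.2.2.2 host 1.1.1.1' would print (assumed).
BRANCH_VTI = """interface: Tunnel75
   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
"""
BRANCH_GRE = """interface: Tunnel75
   local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
"""
HQ_CRYPTO_MAP = """interface: Tunnel75
   local ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
"""
SAMPLE_LOGS = [
    "*May 4 14:19:47.975: ISAKMP: (1001):processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3",
    "%IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 2.2.2.2, src_addr= 1.1.1.1, prot= 47",
]

if __name__ == "__main__":
    for name, branch in (("VTI", BRANCH_VTI), ("GRE", BRANCH_GRE)):
        print(name, diagnose(branch, HQ_CRYPTO_MAP, SAMPLE_LOGS))
```

Run against the VTI output the script reports the identity mismatch plus both log symptoms; against the GRE output with an empty log it reports nothing, which is the state to aim for before looking at transform sets or keepalives.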
05-05-2021 03:18 AM
Hi Rob,
Thanks for your answer.
I did try to change the tunnel mode:
interface Tunnel75
tunnel mode gre ip
The tunnel seems different now at Phase 2, but I cannot reach hosts behind the remote tunnel.
show crypto ipsec sa
interface: Tunnel75
Crypto map tag: Tunnel75-head-0, local addr 1.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (REMOTE PUBLIC IP/255.255.255.255/47/0)
current_peer REMOTE PUBLIC IP port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: REMOTE PUBLIC IP
path mtu 1440, ip mtu 1440, ip mtu idb Tunnel41
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
logs:
*May 5 09:49:04.898: ISAKMP: (1008):set new node 0 to QM_IDLE
*May 5 09:49:04.898: ISAKMP: (1008):SA has outstanding requests (local 89.238.224.42 port 500, remote 89.238.248.146 port 500)
*May 5 09:49:04.898: ISAKMP: (1008):sitting IDLE. Starting QM immediately (QM_IDLE )
*May 5 09:49:04.898: ISAKMP: (1008):beginning Quick Mode exchange, M-ID of 2167152834
*May 5 09:49:04.898: ISAKMP: (1008):QM Initiator gets spi
*May 5 09:49:04.898: ISAKMP-PAK: (1008):sending packet to 89.238.248.146 my_port 500 peer_port 500 (I) QM_IDLE
*May 5 09:49:04.898: ISAKMP: (1008):Sending an IKE IPv4 Packet.
*May 5 09:49:04.899: ISAKMP: (1008):Node 2167152834, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*May 5 09:49:04.899: ISAKMP: (1008):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*May 5 09:49:04.912: ISAKMP-PAK: (1008):received packet from 89.238.248.146 dport 500 sport 500 Global (I) QM_IDLE
*May 5 09:49:04.912: ISAKMP: (1008):set new node 913647997 to QM_IDLE
*May 5 09:49:04.912: ISAKMP: (1008):processing HASH payload. message ID = 913647997
*May 5 09:49:04.913: ISAKMP: (1008):processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 641227054, message ID = 913647997, sa = 0x80007F62C23078
*May 5 09:49:04.913: ISAKMP: (1008):deleting spi 641227054 message ID = 2167152834
*May 5 09:49:04.913: ISAKMP-ERROR: (1008):deleting node 2167152834 error TRUE reason "Delete Larval"
*May 5 09:49:04.913: ISAKMP: (1008):deleting node 913647997 error FALSE reason "Informational (in) state 1"
*May 5 09:49:04.913: ISAKMP: (1008):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*May 5 09:49:04.913: ISAKMP: (1008):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*May 5 09:49:24.911: ISAKMP: (1008):purging node 3553415976
*May 5 09:49:24.911: ISAKMP: (1008):purging node 1321503831
*May 5 09:49:35.323: ISAKMP: (1008):set new node 0 to QM_IDLE
*May 5 09:49:35.323: ISAKMP: (1008):SA has outstanding requests (local 89.238.224.42 port 500, remote 89.238.248.146 port 500)
*May 5 09:49:35.323: ISAKMP: (1008):sitting IDLE. Starting QM immediately (QM_IDLE )
*May 5 09:49:35.323: ISAKMP: (1008):beginning Quick Mode exchange, M-ID of 2980219661
*May 5 09:49:35.323: ISAKMP: (1008):QM Initiator gets spi
*May 5 09:49:35.324: ISAKMP-PAK: (1008):sending packet to 89.238.248.146 my_port 500 peer_port 500 (I) QM_IDLE
*May 5 09:49:35.324: ISAKMP: (1008):Sending an IKE IPv4 Packet.
*May 5 09:49:35.324: ISAKMP: (1008):Node 2980219661, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*May 5 09:49:35.324: ISAKMP: (1008):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*May 5 09:49:35.338: ISAKMP-PAK: (1008):received packet from 89.238.248.146 dport 500 sport 500 Global (I) QM_IDLE
*May 5 09:49:35.338: ISAKMP: (1008):set new node 3877245638 to QM_IDLE
*May 5 09:49:35.338: ISAKMP: (1008):processing HASH payload. message ID = 3877245638
*May 5 09:49:35.338: ISAKMP: (1008):processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1955531723, message ID = 3877245638, sa = 0x80007F62C23078
*May 5 09:49:35.338: ISAKMP: (1008):deleting spi 1955531723 message ID = 2980219661
*May 5 09:49:35.338: ISAKMP-ERROR: (1008):deleting node 2980219661 error TRUE reason "Delete Larval"
*May 5 09:49:35.338: ISAKMP: (1008):deleting node 3877245638 error FALSE reason "Informational (in) state 1"
*May 5 09:49:35.338: ISAKMP: (1008):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*May 5 09:49:35.338: ISAKMP: (1008):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*May 5 09:49:37.408: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000691623156268400 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 89.238.224.42, src_addr= 89.238.248.146, prot= 47
*May 5 09:49:54.915: ISAKMP: (1008):purging node 2167152834
*May 5 09:49:54.915: ISAKMP: (1008):purging node 913647997
*May 5 09:50:05.322: ISAKMP: (1008):set new node 0 to QM_IDLE
*May 5 09:50:05.322: ISAKMP: (1008):SA has outstanding requests (local 89.238.224.42 port 500, remote 89.238.248.146 port 500)
*May 5 09:50:05.322: ISAKMP: (1008):sitting IDLE. Starting QM immediately (QM_IDLE )
*May 5 09:50:05.323: ISAKMP: (1008):beginning Quick Mode exchange, M-ID of 1040199238
*May 5 09:50:05.323: ISAKMP: (1008):QM Initiator gets spi
*May 5 09:50:05.323: ISAKMP-PAK: (1008):sending packet to 89.238.248.146 my_port 500 peer_port 500 (I) QM_IDLE
*May 5 09:50:05.323: ISAKMP: (1008):Sending an IKE IPv4 Packet.
*May 5 09:50:05.323: ISAKMP: (1008):Node 1040199238, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*May 5 09:50:05.323: ISAKMP: (1008):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*May 5 09:50:05.337: ISAKMP-PAK: (1008):received packet from 89.238.248.146 dport 500 sport 500 Global (I) QM_IDLE
*May 5 09:50:05.337: ISAKMP: (1008):set new node 1178275058 to QM_IDLE
*May 5 09:50:05.337: ISAKMP: (1008):processing HASH payload. message ID = 1178275058
*May 5 09:50:05.337: ISAKMP: (1008):processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2858223566, message ID = 1178275058, sa = 0x80007F62C23078
*May 5 09:50:05.337: ISAKMP: (1008):deleting spi 2858223566 message ID = 1040199238
*May 5 09:50:05.338: ISAKMP-ERROR: (1008):deleting node 1040199238 error TRUE reason "Delete Larval"
*May 5 09:50:05.338: ISAKMP: (1008):deleting node 1178275058 error FALSE reason "Informational (in) state 1"
*May 5 09:50:05.338: ISAKMP: (1008):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*May 5 09:50:05.338: ISAKMP: (1008):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*May 5 09:51:37.411: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000691743159139880 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 89.238.224.42, src_addr= 89.238.248.146, prot= 47
*May 5 09:51:39.044: %SSH-3-NO_MATCH: No matching cipher found: client aes128-ctr,aes192-ctr,aes256-ctr server aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
05-05-2021 03:30 AM
Check the tunnel mode under the transform set, ensure both are set the same: "mode tunnel".
In your initial output only the C1111 router was specified with "mode tunnel", but the 3725 was blank. Not sure what the default value on an old 3725 router would be; it could default to transport.
3725
crypto ipsec transform-set RRR esp-3des esp-md5-hmac
C1111
crypto ipsec transform-set RRR esp-3des esp-md5-hmac
mode tunnel
I note you've changed the algorithms to AES/SHA; just double check that "mode tunnel" is specified on both transform sets.
05-08-2021 03:44 AM
Hello,
"mode tunnel" is specified on the 3725, it just doesn't show up.
This is the log that I see:
IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000338475427782000 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 2.2.2.2, src_addr= 1.1.1.1, prot= 47
05-08-2021 04:56 AM - edited 05-08-2021 05:36 AM
If the C1111 running 16.x code does not support a crypto map on a tunnel interface, then change the C3725 to use "GRE over IPsec with tunnel protection", to mirror the C1111 configuration.
C3725
crypto ipsec profile VTI
set transform-set RRR
interface Tunnel75
no crypto map RRR_TEST
tunnel protection ipsec profile VTI
I think you said you tried this before, but that might have been before you changed the tunnel mode under the tunnel interface to gre.
05-08-2021 06:13 AM
05-08-2021 06:22 AM
Shut down the tunnel interfaces on both routers, turn on debugs on both routers, "no shutdown" the tunnel interfaces and let them attempt to establish a VPN tunnel, then provide the full debugs from both routers.
Provide the output of "show crypto isakmp sa detail" and "show crypto ipsec sa" from both routers.
And provide the current full configuration of both routers.
05-04-2021 07:38 AM
processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
Hope the thread below helps you:
https://community.cisco.com/t5/vpn/asa-ios-router-ipsec-vpn-notify-proposal-not-chosen/td-p/3035887
05-05-2021 03:11 AM
Hello,
Thank you for your answer. I did try to create a new transform set and apply it to HQ and branch, but no luck.
HQ:
crypto ipsec transform-set RRR2 esp-aes esp-sha-hmac
crypto map RRR_TEST 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set RRR2
Branch:
crypto ipsec transform-set RRR2 esp-aes esp-sha-hmac
crypto ipsec profile VTI
set transform-set RRR2
I am not sure if I need to put a specific encryption.
I have attached the logs below.
05-08-2021 01:51 PM
On the tunnel interface, I typed "tunnel mode gre ip" and "no keepalive". Now the tunnel is up and running.
***** stars to ROB. Thank you.