Calin Cristea
Beginner

Problem with ipsec tunnel between old 3725 router and new c1111 router

Hello,

I have the following scenario:

HQ (Cisco 3725)>> IPSEC Gre tunnel >> Branch (Cisco 3700)
Everything is working ok, the tunnel is up, traffic is ok. I want to replace the Branch router with a Cisco 1111 router.
It seems like the new IOS 16 (on router 1111) does not support a crypto map attached to the tunnel interface as the old router does. I have read on the internet that you need to create a VTI profile and attach that.
Did that, applied it to the branch router, the tunnel does not come up on Phase 2. I did try to apply the same profile on the HQ router, but the tunnel does not come up on Phase 2. With the old router, the tunnel is up on phase 1 and 2.
Any advice please?

HQ:

Router 3725 , IOS version 12.4

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key XXXX address 0.0.0.0 0.0.0.0


crypto ipsec transform-set RRR esp-3des esp-md5-hmac
!
crypto ipsec profile VTI
set transform-set RRR

crypto map RRR_TEST 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set RRR
match address gre_test

interface Tunnel75
ip address 172.16.75.1 255.255.255.252
ip mtu 1440
keepalive 10 3
tunnel source 2.2.2.2
tunnel destination 1.1.1.1
crypto map RRR_TEST

ip route 192.168.75.0 255.255.255.0 172.16.75.2

ip access-list extended gre_test
permit gre host 2.2.2.2 host 1.1.1.1

 

 

Branch:

Router C1111, IOS Version 16.10.01b

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key XXXX address 0.0.0.0
!
!
crypto ipsec transform-set RRR esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile VTI
set transform-set RRR
!
!
!
crypto map RRR_TEST 10 ipsec-isakmp
set peer PUBLIC IP ON REMOTE ROUTER


set transform-set RRR
match address 101

 

interface Tunnel75
ip address 172.16.75.2 255.255.255.252
ip mtu 1440
keepalive 10 3
tunnel source 1.1.1.1
tunnel mode ipsec ipv4
tunnel destination 2.2.2.2
tunnel protection ipsec profile VTI

 

ip access-list extended NAT

deny ip 192.168.75.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 192.168.75.0 0.0.0.255 any

ip nat inside source list NAT interface GigabitEthernet0/0/1 overload

 

sh crypto isakmp sa

IPv4 Crypto ISAKMP SA
dst src state conn-id status
2.2.2.2 1.1.1.1 QM_IDLE 1001 ACTIVE

IPv6 Crypto ISAKMP SA

 

sh crypto ipsec sa

interface: Tunnel75
Crypto map tag: Tunnel75-head-0, local addr 1.1.1.1

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 2.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

debug crypto isakmp

*May 4 14:19:47.969: ISAKMP: (1001):set new node 0 to QM_IDLE
*May 4 14:19:47.969: ISAKMP: (1001):SA has outstanding requests (local 1.1.1.1 port 500, remote 2.2.2.2 port 500)
*May 4 14:19:47.969: ISAKMP: (1001):sitting IDLE. Starting QM immediately (QM_IDLE )
*May 4 14:19:47.969: ISAKMP: (1001):beginning Quick Mode exchange, M-ID of 1014678849
*May 4 14:19:47.969: ISAKMP: (1001):QM Initiator gets spi
*May 4 14:19:47.969: ISAKMP-PAK: (1001):sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) QM_IDLE
*May 4 14:19:47.969: ISAKMP: (1001):Sending an IKE IPv4 Packet.
*May 4 14:19:47.970: ISAKMP: (1001):Node 1014678849, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*May 4 14:19:47.970: ISAKMP: (1001):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*May 4 14:19:47.974: ISAKMP-PAK: (1001):received packet from 2.2.2.2 dport 500 sport 500 Global (I) QM_IDLE
*May 4 14:19:47.975: ISAKMP: (1001):set new node 3769307440 to QM_IDLE
*May 4 14:19:47.975: ISAKMP: (1001):processing HASH payload. message ID = 3769307440
*May 4 14:19:47.975: ISAKMP: (1001):processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 3171687210, message ID = 3769307440, sa = 0x80007F75163C68
*May 4 14:19:47.975: ISAKMP: (1001):deleting spi 3171687210 message ID = 1014678849
*May 4 14:19:47.975: ISAKMP-ERROR: (1001):deleting node 1014678849 error TRUE reason "Delete Larval"
*May 4 14:19:47.975: ISAKMP: (1001):deleting node 3769307440 error FALSE reason "Informational (in) state 1"
*May 4 14:19:47.975: ISAKMP: (1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*May 4 14:19:47.975: ISAKMP: (1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*May 4 14:20:07.550: ISAKMP: (1001):purging node 581902426
*May 4 14:20:07.551: ISAKMP: (1001):purging node 351356064
*May 4 14:20:17.968: ISAKMP: (1001):set new node 0 to QM_IDLE
*May 4 14:20:17.968: ISAKMP: (1001):SA has outstanding requests (local 1.1.1.1 port 500, remote 2.2.2.2 port 500)
*May 4 14:20:17.968: ISAKMP: (1001):sitting IDLE. Starting QM immediately (QM_IDLE )
*May 4 14:20:17.968: ISAKMP: (1001):beginning Quick Mode exchange, M-ID of 671508365
*May 4 14:20:17.968: ISAKMP: (1001):QM Initiator gets spi
*May 4 14:20:17.968: ISAKMP-PAK: (1001):sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) QM_IDLE
*May 4 14:20:17.968: ISAKMP: (1001):Sending an IKE IPv4 Packet.
*May 4 14:20:17.969: ISAKMP: (1001):Node 671508365, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*May 4 14:20:17.969: ISAKMP: (1001):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*May 4 14:20:17.973: ISAKMP-PAK: (1001):received packet from 2.2.2.2 dport 500 sport 500 Global (I) QM_IDLE
*May 4 14:20:17.973: ISAKMP: (1001):set new node 379062112 to QM_IDLE
*May 4 14:20:17.973: ISAKMP: (1001):processing HASH payload. message ID = 379062112
*May 4 14:20:17.974: ISAKMP: (1001):processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 4195609810, message ID = 379062112, sa = 0x80007F75163C68
*May 4 14:20:17.974: ISAKMP: (1001):deleting spi 4195609810 message ID = 671508365
*May 4 14:20:17.974: ISAKMP-ERROR: (1001):deleting node 671508365 error TRUE reason "Delete Larval"
*May 4 14:20:17.974: ISAKMP: (1001):deleting node 379062112 error FALSE reason "Informational (in) state 1"
*May 4 14:20:17.974: ISAKMP: (1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*May 4 14:20:17.974: ISAKMP: (1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

 

 

 

Accepted Solution
Rob Ingram
VIP Mentor

@Calin Cristea 

You've "tunnel mode ipsec ipv4" on the C1111's tunnel interface. That command is not specified on the 3725, which probably means it is GRE, which on newer IOS is the default (no idea about the 3725 though). Change the C1111's tunnel interface tunnel mode to GRE.

 


10 REPLIES

Hi Rob,

Thanks for your answer.
I did try to change tunnel mode:

interface Tunnel75
tunnel mode gre ip

The tunnel seems different now at phase 2, but I cannot reach hosts behind the remote tunnel.


show crypto ipsec sa
interface: Tunnel75
Crypto map tag: Tunnel75-head-0, local addr 1.1.1.1

protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (REMOTE PUBLIC IP/255.255.255.255/47/0)
current_peer REMOTE PUBLIC IP port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: REMOTE PUBLIC IP
path mtu 1440, ip mtu 1440, ip mtu idb Tunnel41
current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

 

logs:


*May 5 09:49:04.898: ISAKMP: (1008):set new node 0 to QM_IDLE
*May 5 09:49:04.898: ISAKMP: (1008):SA has outstanding requests (local 89.238.224.42 port 500, remote 89.238.248.146 port 500)
*May 5 09:49:04.898: ISAKMP: (1008):sitting IDLE. Starting QM immediately (QM_IDLE )
*May 5 09:49:04.898: ISAKMP: (1008):beginning Quick Mode exchange, M-ID of 2167152834
*May 5 09:49:04.898: ISAKMP: (1008):QM Initiator gets spi
*May 5 09:49:04.898: ISAKMP-PAK: (1008):sending packet to 89.238.248.146 my_port 500 peer_port 500 (I) QM_IDLE
*May 5 09:49:04.898: ISAKMP: (1008):Sending an IKE IPv4 Packet.
*May 5 09:49:04.899: ISAKMP: (1008):Node 2167152834, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*May 5 09:49:04.899: ISAKMP: (1008):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*May 5 09:49:04.912: ISAKMP-PAK: (1008):received packet from 89.238.248.146 dport 500 sport 500 Global (I) QM_IDLE
*May 5 09:49:04.912: ISAKMP: (1008):set new node 913647997 to QM_IDLE
*May 5 09:49:04.912: ISAKMP: (1008):processing HASH payload. message ID = 913647997
*May 5 09:49:04.913: ISAKMP: (1008):processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 641227054, message ID = 913647997, sa = 0x80007F62C23078
*May 5 09:49:04.913: ISAKMP: (1008):deleting spi 641227054 message ID = 2167152834
*May 5 09:49:04.913: ISAKMP-ERROR: (1008):deleting node 2167152834 error TRUE reason "Delete Larval"
*May 5 09:49:04.913: ISAKMP: (1008):deleting node 913647997 error FALSE reason "Informational (in) state 1"
*May 5 09:49:04.913: ISAKMP: (1008):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*May 5 09:49:04.913: ISAKMP: (1008):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*May 5 09:49:24.911: ISAKMP: (1008):purging node 3553415976
*May 5 09:49:24.911: ISAKMP: (1008):purging node 1321503831
*May 5 09:49:35.323: ISAKMP: (1008):set new node 0 to QM_IDLE
*May 5 09:49:35.323: ISAKMP: (1008):SA has outstanding requests (local 89.238.224.42 port 500, remote 89.238.248.146 port 500)
*May 5 09:49:35.323: ISAKMP: (1008):sitting IDLE. Starting QM immediately (QM_IDLE )
*May 5 09:49:35.323: ISAKMP: (1008):beginning Quick Mode exchange, M-ID of 2980219661
*May 5 09:49:35.323: ISAKMP: (1008):QM Initiator gets spi
*May 5 09:49:35.324: ISAKMP-PAK: (1008):sending packet to 89.238.248.146 my_port 500 peer_port 500 (I) QM_IDLE
*May 5 09:49:35.324: ISAKMP: (1008):Sending an IKE IPv4 Packet.
*May 5 09:49:35.324: ISAKMP: (1008):Node 2980219661, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*May 5 09:49:35.324: ISAKMP: (1008):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*May 5 09:49:35.338: ISAKMP-PAK: (1008):received packet from 89.238.248.146 dport 500 sport 500 Global (I) QM_IDLE
*May 5 09:49:35.338: ISAKMP: (1008):set new node 3877245638 to QM_IDLE
*May 5 09:49:35.338: ISAKMP: (1008):processing HASH payload. message ID = 3877245638
*May 5 09:49:35.338: ISAKMP: (1008):processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1955531723, message ID = 3877245638, sa = 0x80007F62C23078
*May 5 09:49:35.338: ISAKMP: (1008):deleting spi 1955531723 message ID = 2980219661
*May 5 09:49:35.338: ISAKMP-ERROR: (1008):deleting node 2980219661 error TRUE reason "Delete Larval"
*May 5 09:49:35.338: ISAKMP: (1008):deleting node 3877245638 error FALSE reason "Informational (in) state 1"
*May 5 09:49:35.338: ISAKMP: (1008):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*May 5 09:49:35.338: ISAKMP: (1008):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*May 5 09:49:37.408: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000691623156268400 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 89.238.224.42, src_addr= 89.238.248.146, prot= 47
*May 5 09:49:54.915: ISAKMP: (1008):purging node 2167152834
*May 5 09:49:54.915: ISAKMP: (1008):purging node 913647997
*May 5 09:50:05.322: ISAKMP: (1008):set new node 0 to QM_IDLE
*May 5 09:50:05.322: ISAKMP: (1008):SA has outstanding requests (local 89.238.224.42 port 500, remote 89.238.248.146 port 500)
*May 5 09:50:05.322: ISAKMP: (1008):sitting IDLE. Starting QM immediately (QM_IDLE )
*May 5 09:50:05.323: ISAKMP: (1008):beginning Quick Mode exchange, M-ID of 1040199238
*May 5 09:50:05.323: ISAKMP: (1008):QM Initiator gets spi
*May 5 09:50:05.323: ISAKMP-PAK: (1008):sending packet to 89.238.248.146 my_port 500 peer_port 500 (I) QM_IDLE
*May 5 09:50:05.323: ISAKMP: (1008):Sending an IKE IPv4 Packet.
*May 5 09:50:05.323: ISAKMP: (1008):Node 1040199238, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*May 5 09:50:05.323: ISAKMP: (1008):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*May 5 09:50:05.337: ISAKMP-PAK: (1008):received packet from 89.238.248.146 dport 500 sport 500 Global (I) QM_IDLE
*May 5 09:50:05.337: ISAKMP: (1008):set new node 1178275058 to QM_IDLE
*May 5 09:50:05.337: ISAKMP: (1008):processing HASH payload. message ID = 1178275058
*May 5 09:50:05.337: ISAKMP: (1008):processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2858223566, message ID = 1178275058, sa = 0x80007F62C23078
*May 5 09:50:05.337: ISAKMP: (1008):deleting spi 2858223566 message ID = 1040199238
*May 5 09:50:05.338: ISAKMP-ERROR: (1008):deleting node 1040199238 error TRUE reason "Delete Larval"
*May 5 09:50:05.338: ISAKMP: (1008):deleting node 1178275058 error FALSE reason "Informational (in) state 1"
*May 5 09:50:05.338: ISAKMP: (1008):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*May 5 09:50:05.338: ISAKMP: (1008):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*May 5 09:51:37.411: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000691743159139880 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 89.238.224.42, src_addr= 89.238.248.146, prot= 47
*May 5 09:51:39.044: %SSH-3-NO_MATCH: No matching cipher found: client aes128-ctr,aes192-ctr,aes256-ctr server aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
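Both debug captures in this thread (the original post and the one above) show the same signature: Phase 1 reaches QM_IDLE, every Quick Mode attempt is answered with PROPOSAL_NOT_CHOSEN for protocol 3 (ESP), and after the tunnel mode change the C1111 additionally logs unencrypted GRE (protocol 47) arriving from the peer. The following Python script is an added example, not code from the thread or from Cisco: it parses those three kinds of output ('show crypto isakmp sa', 'debug crypto isakmp' and the %IPSEC-3-RECVD_PKT_NOT_IPSEC syslog line) and prints what to check next. The sample lines are constructed using the placeholder addresses from the original post.

```python
"""Triage of IOS/IOS-XE IKEv1 debug output and IPsec syslog lines.

Added example, not code from the thread or from Cisco. It reads the three kinds of
output pasted in this thread ('show crypto isakmp sa', 'debug crypto isakmp' and
%IPSEC-3-RECVD_PKT_NOT_IPSEC syslog lines) and reports where the negotiation is
stuck. The sample lines are constructed from the thread's placeholder addresses.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Protocol IDs carried in ISAKMP NOTIFY payloads (IPsec DOI, RFC 2407 section 4.4.1)
ISAKMP_PROTO = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}
# IP protocol numbers named in the findings
IP_PROTO = {47: "GRE", 50: "ESP", 51: "AH"}

P1_SA = re.compile(r"^([\d.]+)\s+([\d.]+)\s+(\w+)\s+(\d+)\s+(\w+)$")  # 'show crypto isakmp sa' row
QM_START = re.compile(r"beginning Quick Mode exchange, M-ID of (\d+)")
NOTIFY = re.compile(r"processing NOTIFY (\w+) protocol (\d+)")
NOT_IPSEC = re.compile(r"%IPSEC-3-RECVD_PKT_NOT_IPSEC: .*?dest_addr= ([\d.]+), src_addr= ([\d.]+), prot= (\d+)")


@dataclass
class Triage:
    phase1_active: bool = False                          # an ISAKMP SA in QM_IDLE/ACTIVE was listed
    qm_attempts: int = 0                                 # Quick Mode exchanges this side initiated
    notifies: Counter = field(default_factory=Counter)   # (notify type, DOI protocol) -> count
    cleartext: Counter = field(default_factory=Counter)  # (source address, IP protocol) -> count


def triage(lines):
    """Fold the pasted output into counters; unrecognised lines are ignored."""
    t = Triage()
    for raw in lines:
        line = raw.strip()
        if (m := P1_SA.match(line)) and m[3] == "QM_IDLE" and m[5] == "ACTIVE":
            t.phase1_active = True
        elif QM_START.search(line):
            t.qm_attempts += 1
        elif m := NOTIFY.search(line):
            t.notifies[(m[1], int(m[2]))] += 1
        elif m := NOT_IPSEC.search(line):
            t.cleartext[(m[2], int(m[3]))] += 1
    return t


def findings(t):
    """Turn the counters into the checks a practitioner would do next."""
    out = []
    if t.phase1_active:
        out.append("Phase 1 is up (ISAKMP SA in QM_IDLE/ACTIVE): policy, pre-shared key and reachability are fine")
    else:
        out.append("no active ISAKMP SA listed: Phase 1 problem (isakmp policy, pre-shared key, reachability)")
    for (name, proto), n in sorted(t.notifies.items()):
        what = ISAKMP_PROTO.get(proto, f"proto {proto}")
        if name == "PROPOSAL_NOT_CHOSEN":
            out.append(f"Phase 2 rejected {n}x by the peer (PROPOSAL_NOT_CHOSEN for {what}): compare the transform "
                       "set, 'mode tunnel/transport', PFS and the proxy identities; 'tunnel mode gre ip' offers "
                       "host/host protocol 47 while 'tunnel mode ipsec ipv4' offers 0.0.0.0/0")
        else:
            out.append(f"peer sent NOTIFY {name} for {what} {n}x")
    for (src, proto), n in sorted(t.cleartext.items()):
        what = IP_PROTO.get(proto, f"proto {proto}")
        out.append(f"{n} cleartext {what} packet(s) from {src} arrived where IPsec was expected: that peer sends "
                   "this traffic unencrypted (crypto ACL, tunnel mode or keepalive mismatch)")
    if t.qm_attempts and t.phase1_active and not t.notifies:
        out.append(f"{t.qm_attempts} Quick Mode attempt(s) got no reply: check UDP/500, UDP/4500 and ESP on the path")
    return out


# Constructed sample: one 'show crypto isakmp sa' row, two failed Quick Mode rounds, one syslog line
SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst src state conn-id status
2.2.2.2 1.1.1.1 QM_IDLE 1001 ACTIVE
*May 4 14:19:47.969: ISAKMP: (1001):beginning Quick Mode exchange, M-ID of 1014678849
*May 4 14:19:47.975: ISAKMP: (1001):processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
*May 4 14:20:17.968: ISAKMP: (1001):beginning Quick Mode exchange, M-ID of 671508365
*May 4 14:20:17.974: ISAKMP: (1001):processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
*May 5 09:49:37.408: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:0 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 1.1.1.1, src_addr= 2.2.2.2, prot= 47
"""

if __name__ == "__main__":
    for line in findings(triage(SAMPLE.splitlines())):
        print("-", line)
```

Paste the real output of both routers into `SAMPLE` (or feed a file's lines to `triage`) and the script separates a Phase 1 problem from a Phase 2 proposal rejection, which is the distinction the thread needed from the start.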

Check the tunnel mode under the transform set, ensure both are set the same "mode tunnel".

In your initial output only the C1111 router was specified with "mode tunnel", but the 3725 was blank. Not sure what the default value on an old 3725 router would be; it could default to transport.

 

3725

crypto ipsec transform-set RRR esp-3des esp-md5-hmac

 

C1111

crypto ipsec transform-set RRR esp-3des esp-md5-hmac

 mode tunnel

 

I note you've changed the algorithms to aes/sha; just double check that "mode tunnel" is specified on both transform sets.

Hello

Mode tunnel is specified on the 3725, it just doesn't show up.
This is the log that I see:
IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000338475427782000 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 2.2.2.2, src_addr= 1.1.1.1, prot= 47

@Calin Cristea 

If the C1111 running 16.x code does not support a crypto map on a tunnel interface, then change the C3725 to use "GRE over IPSec with tunnel protection", to mirror the C1111 configuration.

 

C3725

crypto ipsec profile VTI
 set transform-set RRR

 

interface Tunnel75
 no crypto map RRR_TEST
 tunnel protection ipsec profile VTI

 

I think you said you tried this before, but that might have been before you changed the tunnel mode under the tunnel interface to gre.

Hi Rob,

Sorry for the confusion. On the C3725, the tunnel with the old router was made through crypto maps. The new router C1111 does not support a crypto map, only tunnel protection.
RT(config)#interface tunnel 75
RT(config-if)#crypto map CRYPTO_RRR
% NOTE: crypto map is configured on tunnel interface.
Currently only GDOI crypto map is supported on tunnel interface.

I have configured with tunnel protection on both sides:

C1111

crypto ipsec transform-set RRR esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile VTI
set transform-set RRR


interface Tunnel75
ip address 172.16.75.2 255.255.255.252
ip mtu 1440
keepalive 10 3
tunnel source 1.1.1.1
tunnel mode gre ip
tunnel destination 2.2.2.2
tunnel protection ipsec profile VTI



C3725


crypto ipsec transform-set RRR esp-3des esp-md5-hmac
mode tunnel

crypto ipsec profile VTI
set transform-set RRR

interface Tunnel75
ip address 172.16.75.1 255.255.255.252
ip mtu 1440
keepalive 10 3
tunnel source 2.2.2.2
tunnel destination 1.1.1.1
tunnel protection ipsec profile VTI
tunnel mode gre ip

I have also tried on both sides with "tunnel mode ipsec ipv4" instead of gre, same result.

Shutdown the tunnel interfaces on both routers, turn on debugs on both routers, no shutdown the tunnel interfaces and let them attempt to establish a VPN tunnel, provide the full debugs from both routers.

 

Provide the output of "show crypto isakmp sa detail" and "show crypto ipsec sa" from both routers.

 

And provide the current full configuration of both routers.

balaji.bandi
VIP Expert

Hello,

Thank you for your answer, I did try to create a new transform set and apply it to HQ and branch, but no luck

HQ:

crypto ipsec transform-set RRR2 esp-aes esp-sha-hmac

crypto map RRR_TEST 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set RRR2

Branch:

crypto ipsec transform-set RRR2 esp-aes esp-sha-hmac

crypto ipsec profile VTI
set transform-set RRR2

I am not sure if I need to put a specific encryption.
I have attached the logs below.

Calin Cristea
Beginner

On the tunnel interface, I typed tunnel mode gre ip and no keepalive. Now the tunnel is up and running.

***** stars to ROB. Thank you.
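The fix came from comparing the two ends line by line: the tunnel mode (Rob's accepted answer), the transform set's tunnel/transport mode, tunnel protection on both sides, and finally the keepalive. The following Python checker is an added example, not code from the thread or from Cisco; it parses two unindented IOS config pastes like the ones above and reports exactly those mismatches. The defaults it assumes (tunnel mode 'gre ip' when the line is absent, transform-set mode 'tunnel' when absent, matching what Calin reported for the 3725) and the sample configs are constructed from this thread.

```python
"""Consistency check for the two ends of an IOS GRE-over-IPsec tunnel.

Added example, not from the thread or from Cisco. It parses the crypto lines of two IOS
config fragments pasted without indentation (as in this thread) and lists the mismatches
Rob's replies ask to check. Assumed IOS defaults: no 'tunnel mode' line means 'gre ip';
no 'mode' line under a transform set means 'tunnel' (the hidden default on the 3725).
"""
import re

# Global commands that end the block being parsed (the paste has no indentation to rely on)
TOP_LEVEL = ("crypto ", "interface ", "ip route", "ip access-list", "ip nat", "router ", "line ")
# Tunnel sub-commands stored as "<prefix> <value>" under the record key on the right
TUNNEL_KEYS = {"tunnel mode": "mode", "tunnel source": "source", "tunnel destination": "destination",
               "tunnel protection ipsec profile": "protection", "crypto map": "crypto_map"}

def parse_ios(text):
    cfg = {"xforms": {}, "profiles": {}, "cmaps": {}, "tunnels": {}}
    sec = None  # (kind, name) of the block whose sub-commands are being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg["xforms"][m[1]] = {"transforms": m[2].split(), "mode": "tunnel"}  # assumed default
            sec = ("xforms", m[1])
        elif m := re.match(r"crypto ipsec profile (\S+)", line):
            cfg["profiles"][m[1]] = {"transform_set": None}
            sec = ("profiles", m[1])
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            cfg["cmaps"][m[1]] = {"transform_set": None}
            sec = ("cmaps", m[1])
        elif m := re.match(r"interface (Tunnel\d+)", line):
            cfg["tunnels"][m[1]] = {"mode": "gre ip", "source": None, "destination": None,  # assumed default
                                   "protection": None, "crypto_map": None, "keepalive": False}
            sec = ("tunnels", m[1])
        elif sec is None:
            continue
        elif sec[0] == "xforms" and (m := re.match(r"mode (tunnel|transport)", line)):
            cfg["xforms"][sec[1]]["mode"] = m[1]
        elif sec[0] in ("profiles", "cmaps") and (m := re.match(r"set transform-set (\S+)", line)):
            cfg[sec[0]][sec[1]]["transform_set"] = m[1]
        elif sec[0] == "tunnels" and (hit := [k for k in TUNNEL_KEYS if line.startswith(k + " ")]):
            cfg["tunnels"][sec[1]][TUNNEL_KEYS[hit[0]]] = line[len(hit[0]) + 1:]
        elif sec[0] == "tunnels" and line.startswith("keepalive"):
            cfg["tunnels"][sec[1]]["keepalive"] = True
        elif line == "!" or line.startswith(TOP_LEVEL):
            sec = None
    return cfg

def transform_set_for(cfg, tun):
    # The transform set a tunnel really uses: via its IPsec profile, else via its crypto map
    holder = cfg["profiles"].get(tun["protection"]) or cfg["cmaps"].get(tun["crypto_map"]) or {}
    return cfg["xforms"].get(holder.get("transform_set"))

def check_pair(text_a, text_b, tunnel="Tunnel75"):
    """Return the mismatches between side A and side B for one tunnel interface."""
    a, b = parse_ios(text_a), parse_ios(text_b)
    ta, tb = a["tunnels"][tunnel], b["tunnels"][tunnel]
    issues = []
    if ta["mode"] != tb["mode"]:
        issues.append(f"tunnel mode mismatch: A={ta['mode']!r} B={tb['mode']!r}")
    if (ta["source"], ta["destination"]) != (tb["destination"], tb["source"]):
        issues.append("tunnel source/destination are not mirrored")
    if (ta["protection"] is None) != (tb["protection"] is None):
        issues.append("one side uses tunnel protection, the other a crypto map (or nothing)")
    xa, xb = transform_set_for(a, ta), transform_set_for(b, tb)
    if xa is None or xb is None:
        issues.append("transform set could not be resolved on one side")
    elif xa != xb:  # compares both the algorithms and the tunnel/transport mode
        issues.append(f"transform set differs: A={xa} B={xb}")
    for side, t in (("A", ta), ("B", tb)):
        if t["keepalive"] and t["protection"]:
            issues.append(f"{side}: GRE keepalive on a tunnel with IPsec protection (the thread's tunnel only came up after 'no keepalive')")
    return issues

# Constructed from the thread's first pair of configs: 3725 with a crypto map, C1111 with a VTI
BROKEN_HQ = """crypto ipsec transform-set RRR esp-3des esp-md5-hmac
crypto ipsec profile VTI
set transform-set RRR
crypto map RRR_TEST 10 ipsec-isakmp
set transform-set RRR
interface Tunnel75
keepalive 10 3
tunnel source 2.2.2.2
tunnel destination 1.1.1.1
crypto map RRR_TEST
"""
BROKEN_BR = """crypto ipsec transform-set RRR esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile VTI
set transform-set RRR
interface Tunnel75
keepalive 10 3
tunnel source 1.1.1.1
tunnel mode ipsec ipv4
tunnel destination 2.2.2.2
tunnel protection ipsec profile VTI
"""
# The thread's final working state: GRE mode, tunnel protection and no keepalive on both ends
FIXED_HQ = BROKEN_HQ.replace("crypto map RRR_TEST\n", "tunnel mode gre ip\ntunnel protection ipsec profile VTI\n").replace("keepalive 10 3\n", "")
FIXED_BR = BROKEN_BR.replace("tunnel mode ipsec ipv4", "tunnel mode gre ip").replace("keepalive 10 3\n", "")

if __name__ == "__main__":
    print(check_pair(BROKEN_HQ, BROKEN_BR) or "no mismatches")
    print(check_pair(FIXED_HQ, FIXED_BR) or "no mismatches")
```

Run against the first pair of configs it reports the tunnel mode mismatch, the crypto-map-versus-tunnel-protection asymmetry and the keepalive on the protected C1111 tunnel; against the final pair it reports nothing, which matches the order in which the thread resolved them.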
