Solved: Problem with ipsec tunnel between old 3725 router and new c1111 router

Calin Cristea · ‎05-04-2021

Hello,

I have the following scenario:

HQ (Cisco 3725)>> IPSEC Gre tunnel >> Branch (Cisco 3700)
Everything is working ok, tunnel is up, traffic is ok. I want to replace Branch router with Cisco 1111 Router.
It seems like new IOS 16 (on router 1111) does not support crypto map attached to the tunnel interface as the old router do. I have read on the internet , that you need to create a VTI profile and attached that.
Did that, applied to the branch router, the tunnel does not come up on Phase 2. I did tried to apply the same profile on HQ router , but tunnel does not go up on Phase 2. With old router , tunnel is up on phase 1 and 2.
Any advice please?

HQ:

Router 3725 , IOS version 12.4

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key XXXX address 0.0.0.0 0.0.0.0

crypto ipsec transform-set RRR esp-3des esp-md5-hmac
!
crypto ipsec profile VTI
set transform-set RRR

crypto map RRR_TEST 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set RRR
match address gre_test

interface Tunnel75
ip address 172.16.75.1 255.255.255.252
ip mtu 1440
keepalive 10 3
tunnel source 2.2.2.2
tunnel destination 1.1.1.1
crypto map RRR_TEST

ip route 192.168.75.0 255.255.255.0 172.16.75.2

ip access-list extended gre_test
permit gre host 2.2.2.2 host 1.1.1.1

Branch:

Router C1111, IOS Version 16.10.01b

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key XXXX address 0.0.0.0
!
!
crypto ipsec transform-set RRR esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile VTI
set transform-set RRR
!
!
!
crypto map RRR_TEST 10 ipsec-isakmp
set peer PUBLIC IP ON REMOTE ROUTER

set transform-set RRR
match address 101

interface Tunnel75
ip address 172.16.75.2 255.255.255.252
ip mtu 1440
keepalive 10 3
tunnel source 1.1.1.1
tunnel mode ipsec ipv4
tunnel destination 2.2.2.2
tunnel protection ipsec profile VTI

ip access-list extended NAT

deny ip 192.168.75.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 192.168.75.0 0.0.0.255 any

ip nat inside source list NAT interface GigabitEthernet0/0/1 overload

sh crypto isakmp sa

IPv4 Crypto ISAKMP SA
dst src state conn-id status
2.2.2.2 1.1.1.1 QM_IDLE 1001 ACTIVE

IPv6 Crypto ISAKMP SA

sh crypto ipsec sa

interface: Tunnel75
Crypto map tag: Tunnel75-head-0, local addr 1.1.1.1

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 2.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

debug crypto isakmp

*May 4 14:19:47.969: ISAKMP: (1001):set new node 0 to QM_IDLE
*May 4 14:19:47.969: ISAKMP: (1001):SA has outstanding requests (local 1.1.1.1 port 500, remote 2.2.2.2 port 500)
*May 4 14:19:47.969: ISAKMP: (1001):sitting IDLE. Starting QM immediately (QM_IDLE )
*May 4 14:19:47.969: ISAKMP: (1001):beginning Quick Mode exchange, M-ID of 1014678849
*May 4 14:19:47.969: ISAKMP: (1001):QM Initiator gets spi
*May 4 14:19:47.969: ISAKMP-PAK: (1001):sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) QM_IDLE
*May 4 14:19:47.969: ISAKMP: (1001):Sending an IKE IPv4 Packet.
*May 4 14:19:47.970: ISAKMP: (1001):Node 1014678849, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*May 4 14:19:47.970: ISAKMP: (1001):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*May 4 14:19:47.974: ISAKMP-PAK: (1001):received packet from 2.2.2.2 dport 500 sport 500 Global (I) QM_IDLE
*May 4 14:19:47.975: ISAKMP: (1001):set new node 3769307440 to QM_IDLE
*May 4 14:19:47.975: ISAKMP: (1001):processing HASH payload. message ID = 3769307440
*May 4 14:19:47.975: ISAKMP: (1001):processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 3171687210, message ID = 3769307440, sa = 0x80007F75163C68
*May 4 14:19:47.975: ISAKMP: (1001):deleting spi 3171687210 message ID = 1014678849
*May 4 14:19:47.975: ISAKMP-ERROR: (1001):deleting node 1014678849 error TRUE reason "Delete Larval"
*May 4 14:19:47.975: ISAKMP: (1001):deleting node 3769307440 error FALSE reason "Informational (in) state 1"
*May 4 14:19:47.975: ISAKMP: (1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*May 4 14:19:47.975: ISAKMP: (1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*May 4 14:20:07.550: ISAKMP: (1001):purging node 581902426
*May 4 14:20:07.551: ISAKMP: (1001):purging node 351356064
*May 4 14:20:17.968: ISAKMP: (1001):set new node 0 to QM_IDLE
*May 4 14:20:17.968: ISAKMP: (1001):SA has outstanding requests (local 1.1.1.1 port 500, remote 2.2.2.2 port 500)
*May 4 14:20:17.968: ISAKMP: (1001):sitting IDLE. Starting QM immediately (QM_IDLE )
*May 4 14:20:17.968: ISAKMP: (1001):beginning Quick Mode exchange, M-ID of 671508365
*May 4 14:20:17.968: ISAKMP: (1001):QM Initiator gets spi
*May 4 14:20:17.968: ISAKMP-PAK: (1001):sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) QM_IDLE
*May 4 14:20:17.968: ISAKMP: (1001):Sending an IKE IPv4 Packet.
*May 4 14:20:17.969: ISAKMP: (1001):Node 671508365, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*May 4 14:20:17.969: ISAKMP: (1001):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*May 4 14:20:17.973: ISAKMP-PAK: (1001):received packet from 2.2.2.2 dport 500 sport 500 Global (I) QM_IDLE
*May 4 14:20:17.973: ISAKMP: (1001):set new node 379062112 to QM_IDLE
*May 4 14:20:17.973: ISAKMP: (1001):processing HASH payload. message ID = 379062112
*May 4 14:20:17.974: ISAKMP: (1001):processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 4195609810, message ID = 379062112, sa = 0x80007F75163C68
*May 4 14:20:17.974: ISAKMP: (1001):deleting spi 4195609810 message ID = 671508365
*May 4 14:20:17.974: ISAKMP-ERROR: (1001):deleting node 671508365 error TRUE reason "Delete Larval"
*May 4 14:20:17.974: ISAKMP: (1001):deleting node 379062112 error FALSE reason "Informational (in) state 1"
*May 4 14:20:17.974: ISAKMP: (1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*May 4 14:20:17.974: ISAKMP: (1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Rob Ingram · ‎05-04-2021

@Calin Cristea

You've tunnel mode ipsec ipv4" on the C1111's tunnel interface. That command is not specified on the 3725, which probably means it is GRE, which on newer IOS is the default (no idea about the 3725 though). Change the C1111's tunnel interface tunnel mode to GRE.

View solution in original post

Rob Ingram · ‎05-04-2021

@Calin Cristea

You've tunnel mode ipsec ipv4" on the C1111's tunnel interface. That command is not specified on the 3725, which probably means it is GRE, which on newer IOS is the default (no idea about the 3725 though). Change the C1111's tunnel interface tunnel mode to GRE.

Calin Cristea · ‎05-05-2021

Hi Rob,

Thank`s for you`re answer.
I did try to change tunnel mode:

interface Tunnel75
tunnel mode gre ip

Tunnel seems different now at phase 2, but i cannot reach hosts behind remote tunnel.

show crypto ispsec sa
interface: Tunnel75
Crypto map tag: Tunnel75-head-0, local addr 1.1.1.1

protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (REMOTE PUBLIC IP/255.255.255.255/47/0)
current_peer REMOTE PUBLIC IP port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: REMOTE PUBLIC IP
path mtu 1440, ip mtu 1440, ip mtu idb Tunnel41
current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

logs:

*May 5 09:49:04.898: ISAKMP: (1008):set new node 0 to QM_IDLE
*May 5 09:49:04.898: ISAKMP: (1008):SA has outstanding requests (local 89.238.224.42 port 500, remote 89.238.248.146 port 500)
*May 5 09:49:04.898: ISAKMP: (1008):sitting IDLE. Starting QM immediately (QM_IDLE )
*May 5 09:49:04.898: ISAKMP: (1008):beginning Quick Mode exchange, M-ID of 2167152834
*May 5 09:49:04.898: ISAKMP: (1008):QM Initiator gets spi
*May 5 09:49:04.898: ISAKMP-PAK: (1008):sending packet to 89.238.248.146 my_port 500 peer_port 500 (I) QM_IDLE
*May 5 09:49:04.898: ISAKMP: (1008):Sending an IKE IPv4 Packet.
*May 5 09:49:04.899: ISAKMP: (1008):Node 2167152834, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*May 5 09:49:04.899: ISAKMP: (1008):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*May 5 09:49:04.912: ISAKMP-PAK: (1008):received packet from 89.238.248.146 dport 500 sport 500 Global (I) QM_IDLE
*May 5 09:49:04.912: ISAKMP: (1008):set new node 913647997 to QM_IDLE
*May 5 09:49:04.912: ISAKMP: (1008):processing HASH payload. message ID = 913647997
*May 5 09:49:04.913: ISAKMP: (1008):processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 641227054, message ID = 913647997, sa = 0x80007F62C23078
*May 5 09:49:04.913: ISAKMP: (1008):deleting spi 641227054 message ID = 2167152834
*May 5 09:49:04.913: ISAKMP-ERROR: (1008):deleting node 2167152834 error TRUE reason "Delete Larval"
*May 5 09:49:04.913: ISAKMP: (1008):deleting node 913647997 error FALSE reason "Informational (in) state 1"
*May 5 09:49:04.913: ISAKMP: (1008):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*May 5 09:49:04.913: ISAKMP: (1008):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*May 5 09:49:24.911: ISAKMP: (1008):purging node 3553415976
*May 5 09:49:24.911: ISAKMP: (1008):purging node 1321503831
*May 5 09:49:35.323: ISAKMP: (1008):set new node 0 to QM_IDLE
*May 5 09:49:35.323: ISAKMP: (1008):SA has outstanding requests (local 89.238.224.42 port 500, remote 89.238.248.146 port 500)
*May 5 09:49:35.323: ISAKMP: (1008):sitting IDLE. Starting QM immediately (QM_IDLE )
*May 5 09:49:35.323: ISAKMP: (1008):beginning Quick Mode exchange, M-ID of 2980219661
*May 5 09:49:35.323: ISAKMP: (1008):QM Initiator gets spi
*May 5 09:49:35.324: ISAKMP-PAK: (1008):sending packet to 89.238.248.146 my_port 500 peer_port 500 (I) QM_IDLE
*May 5 09:49:35.324: ISAKMP: (1008):Sending an IKE IPv4 Packet.
*May 5 09:49:35.324: ISAKMP: (1008):Node 2980219661, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*May 5 09:49:35.324: ISAKMP: (1008):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*May 5 09:49:35.338: ISAKMP-PAK: (1008):received packet from 89.238.248.146 dport 500 sport 500 Global (I) QM_IDLE
*May 5 09:49:35.338: ISAKMP: (1008):set new node 3877245638 to QM_IDLE
*May 5 09:49:35.338: ISAKMP: (1008):processing HASH payload. message ID = 3877245638
*May 5 09:49:35.338: ISAKMP: (1008):processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1955531723, message ID = 3877245638, sa = 0x80007F62C23078
*May 5 09:49:35.338: ISAKMP: (1008):deleting spi 1955531723 message ID = 2980219661
*May 5 09:49:35.338: ISAKMP-ERROR: (1008):deleting node 2980219661 error TRUE reason "Delete Larval"
*May 5 09:49:35.338: ISAKMP: (1008):deleting node 3877245638 error FALSE reason "Informational (in) state 1"
*May 5 09:49:35.338: ISAKMP: (1008):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*May 5 09:49:35.338: ISAKMP: (1008):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*May 5 09:49:37.408: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000691623156268400 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 89.238.224.42, src_addr= 89.238.248.146, prot= 47
*May 5 09:49:54.915: ISAKMP: (1008):purging node 2167152834
*May 5 09:49:54.915: ISAKMP: (1008):purging node 913647997
*May 5 09:50:05.322: ISAKMP: (1008):set new node 0 to QM_IDLE
*May 5 09:50:05.322: ISAKMP: (1008):SA has outstanding requests (local 89.238.224.42 port 500, remote 89.238.248.146 port 500)
*May 5 09:50:05.322: ISAKMP: (1008):sitting IDLE. Starting QM immediately (QM_IDLE )
*May 5 09:50:05.323: ISAKMP: (1008):beginning Quick Mode exchange, M-ID of 1040199238
*May 5 09:50:05.323: ISAKMP: (1008):QM Initiator gets spi
*May 5 09:50:05.323: ISAKMP-PAK: (1008):sending packet to 89.238.248.146 my_port 500 peer_port 500 (I) QM_IDLE
*May 5 09:50:05.323: ISAKMP: (1008):Sending an IKE IPv4 Packet.
*May 5 09:50:05.323: ISAKMP: (1008):Node 1040199238, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*May 5 09:50:05.323: ISAKMP: (1008):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*May 5 09:50:05.337: ISAKMP-PAK: (1008):received packet from 89.238.248.146 dport 500 sport 500 Global (I) QM_IDLE
*May 5 09:50:05.337: ISAKMP: (1008):set new node 1178275058 to QM_IDLE
*May 5 09:50:05.337: ISAKMP: (1008):processing HASH payload. message ID = 1178275058
*May 5 09:50:05.337: ISAKMP: (1008):processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2858223566, message ID = 1178275058, sa = 0x80007F62C23078
*May 5 09:50:05.337: ISAKMP: (1008):deleting spi 2858223566 message ID = 1040199238
*May 5 09:50:05.338: ISAKMP-ERROR: (1008):deleting node 1040199238 error TRUE reason "Delete Larval"
*May 5 09:50:05.338: ISAKMP: (1008):deleting node 1178275058 error FALSE reason "Informational (in) state 1"
*May 5 09:50:05.338: ISAKMP: (1008):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*May 5 09:50:05.338: ISAKMP: (1008):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*May 5 09:51:37.411: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000691743159139880 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 89.238.224.42, src_addr= 89.238.248.146, prot= 47
*May 5 09:51:39.044: %SSH-3-NO_MATCH: No matching cipher found: client aes128-ctr,aes192-ctr,aes256-ctr server aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

Rob Ingram · ‎05-05-2021

Check the tunnel mode under the transform set, ensure both are set the same "mode tunnel".

In your initial output only the C1111 router was specified to "mode tunnel", but the 3725 was blank. Not sure what the default value on an old 3725 router default would be, it could be set as default to transport.

3725

crypto ipsec transform-set RRR esp-3des esp-md5-hmac

C1111

crypto ipsec transform-set RRR esp-3des esp-md5-hmac

mode tunnel

I note you've change the algorithms to aes/sha, just double check the "mode tunnel" is specified on both transforms sets.

Calin Cristea · ‎05-08-2021

Hello

It is specified mode tunnel on 3725, just that it doesn`t show up.
This is the log that i see:
IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000338475427782000 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 2.2.2.2, src_addr= 1.1.1.1, prot= 47

Rob Ingram · ‎05-08-2021

@Calin Cristea

If the C1111 runnning 16.x code does not support Crypto map on a tunnel interface, then change the C3725 to use "GRE over IPSec with tunnel protection", to mirror the C1111 configuration.

C3725

crypto ipsec profile VTI
set transform-set RRR

interface Tunnel75
no crypto map RRR_TEST
tunnel protection ipsec profile VTI

I think you said you tried this before, but that might have been before you changed the tunnel mode under the tunnel interface to gre.

Calin Cristea · ‎05-08-2021

Hi Rob,

Sorry for the confuse. On C3725, tunnel with old router was made through
crypto maps. New router C1111 does not support cryptomap, only tunnel
protection.
RT(config)#interface tunnel 75
RT(config-if)#crypto map CRYPTO_RRR
% NOTE: crypto map is configured on tunnel interface.
Currently only GDOI crypto map is supported on tunnel interface.

I have configured with tunnel protection on both sides:

C1111

crypto ipsec transform-set RRR esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile VTI
set transform-set RRR

interface Tunnel75
ip address 172.16.75.2 255.255.255.252
ip mtu 1440
keepalive 10 3
tunnel source 1.1.1.1
tunnel mode gre ip
tunnel destination 2.2.2.2
tunnel protection ipsec profile VTI

C3725

crypto ipsec transform-set RRR esp-3des esp-md5-hmac
mode tunnel

crypto ipsec profile VTI
set transform-set RRR

interface Tunnel75
ip address 172.16.75.1 255.255.255.252
ip mtu 1440
keepalive 10 3
tunnel source 2.2.2.2
tunnel destination 1.1.1.1
tunnel protection ipsec profile VTI
tunnel mode gre ip

I have also tried on both sides with "tunnel mode ipsec ipv4" instead of
gre, same result.

Rob Ingram · ‎05-08-2021

Shutdown the tunnel interfaces on both routers, turn on debugs on both routers, no shutdown the tunnel interfaces and let them attempt to establish a VPN tunnel, provide the full debugs from both routers.

Provide the output of "show crypto iksamp sa detail" and "show crypto ipsec sa" from both routers.

And provide the current full configuration of both routers.

balaji.bandi · ‎05-04-2021

processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/119425-configure-ipsec-00.html#anc21

hope below thread help you :

https://community.cisco.com/t5/vpn/asa-ios-router-ipsec-vpn-notify-proposal-not-chosen/td-p/3035887

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Calin Cristea · ‎05-05-2021

Hello,

Thank you for you`re answer, i did try to create a new transform set and apply it to HQ and branch, but no luck

HQ:

crypto ipsec transform-set RRR2 esp-aes esp-sha-hmac

crypto map RRR_TEST 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set RRR2

Branch:

crypto ipsec transform-set RRR2 esp-aes esp-sha-hmac

crypto ipsec profile VTI
set transform-set RRR2

I am not sure if i need to put a specific encryption.
I have attached the logs bellow.

Calin Cristea · ‎05-08-2021

On interface tunnel, i typed tunnel mode gre ip and no keepalive. Now tunnel is up and running.

***** stars to ROB. Thank you.

qkaram.simogut8 · ‎09-30-2021

Some of you may have watched the consultation at Cisco’s first all-virtual Cisco Live and I hope you discovered it helpful. This is the primary in a sequence of companion blogs that will later cover in greater element the subjects mentioned in the consultation nowadays. We all know ... Read More.

ruie82548 · ‎10-01-2021

It isn't used very frequently even though mainly because it's no longer embedded inside conferences. Our group of workers use Webex Meetings for nearly all training and having to use a special app and publish a brand new meeting link when a take a look at is wanted in a category is difficult for college kids and occasionally teacher's as properly.