Site-to-Site IPsec with GRE cannot negotiate IKEv1 Phase 1

MA Khatri
Level 1

I am trying to create a GRE tunnel; I have configured both Cisco CSR routers as per the configuration given below. Both routers have a single public interface for NAT as well as the IPsec VPN.

If I remove the "ip nat outside" command from "Cust-B-Site-A", IPsec negotiation completes, the tunnel is built, OSPF builds a neighborship and clients communicate from both ends.

When the tunnel is formed and I reapply "ip nat outside", everything keeps working until I force an IPsec renegotiation.

Please help me: what config am I missing that is preventing ISAKMP negotiation when both sides' interfaces are configured with the "ip nat outside" command?

-------------

Public IPs are randomly selected and this configuration is for learning purposes in my lab. The lab topology diagram is also attached.

Thank You.

!
Cust-B-Site-A#sh run | se crypto
!
crypto isakmp policy 10
encr aes
hash sha256
authentication pre-share
group 14
crypto isakmp key SECRET_KEY address 44.1.1.2
crypto ipsec transform-set MY_TRANS_SET esp-aes esp-sha256-hmac
mode tunnel
crypto map MY_CRYPTO 20 ipsec-isakmp
set peer 44.1.1.2
set transform-set MY_TRANS_SET
match address CRYPTO_ACL
crypto map MY_CRYPTO
!
interface GigabitEthernet1
ip address 33.1.1.2 255.255.255.252
ip nat outside
negotiation auto
no mop enabled
no mop sysid
crypto map MY_CRYPTO
end
!

interface Tunnel1
ip address 172.16.1.1 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
ip ospf 1 area 0
tunnel source GigabitEthernet1
tunnel destination 44.1.1.2
end

!

ip route 0.0.0.0 0.0.0.0 33.1.1.1

!
Extended IP access list CRYPTO_ACL
10 permit gre any any (289 matches)
Extended IP access list NAT_EXT
10 deny ip 10.11.33.0 0.0.0.255 10.22.44.0 0.0.0.255
20 permit ip any any
!
ip nat inside source list NAT_EXT interface GigabitEthernet1 overload
ip access-list extended NAT_EXT
deny ip 10.11.33.0 0.0.0.255 10.22.44.0 0.0.0.255
permit ip any any
!

===============================================
Cust-B-Site-B#sh run | se crypto
crypto isakmp policy 10
encr aes
hash sha256
authentication pre-share
group 14
crypto isakmp key SECRET_KEY address 0.0.0.0
crypto ipsec transform-set MY_TRANS_SET esp-aes esp-sha256-hmac
mode tunnel
crypto dynamic-map DYN_MAP 10
set transform-set MY_TRANS_SET
match address CRYPTO_ACL
crypto map MY_CRYPTO 10 ipsec-isakmp dynamic DYN_MAP
crypto map MY_CRYPTO

!
interface GigabitEthernet1
ip address 44.1.1.2 255.255.255.252
ip nat outside
negotiation auto
no mop enabled
no mop sysid
crypto map MY_CRYPTO
end

!

interface Tunnel1
ip address 172.16.1.2 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
ip ospf 1 area 0
tunnel source GigabitEthernet1
tunnel destination 33.1.1.2
!

ip route 0.0.0.0 0.0.0.0 44.1.1.1
!
Extended IP access list CRYPTO_ACL
10 permit gre any any
Extended IP access list NAT_EXT
10 deny ip 10.22.44.0 0.0.0.255 10.11.33.0 0.0.0.255
20 permit ip 10.22.44.0 0.0.0.255 any
!
ip access-list extended NAT_EXT
deny ip 10.22.44.0 0.0.0.255 10.11.33.0 0.0.0.255
permit ip 10.22.44.0 0.0.0.255 any
match ip address NAT_EXT
Cust-B-Site-B#
!


----- Debug: Cust-B-Site-A -----
*Sep 11 11:31:43.281: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Sep 11 11:31:49.437: ISAKMP: (0):SA request profile is (NULL)
*Sep 11 11:31:49.439: ISAKMP: (0):Created a peer struct for 44.1.1.2, peer port 500
*Sep 11 11:31:49.440: ISAKMP: (0):New peer created peer = 0x7F1C8A1D5100 peer_handle = 0x80000051
*Sep 11 11:31:49.440: ISAKMP: (0):Locking peer struct 0x7F1C8A1D5100, refcount 1 for isakmp_initiator
*Sep 11 11:31:49.441: ISAKMP: (0):local port 500, remote port 500
*Sep 11 11:31:49.441: ISAKMP: (0):set new node 0 to QM_IDLE
*Sep 11 11:31:49.442: ISAKMP: (0):insert sa successfully sa = 7F1C8A287300
*Sep 11 11:31:49.442: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
*Sep 11 11:31:49.442: ISAKMP: (0):found peer pre-shared key matching 44.1.1.2
*Sep 11 11:31:49.444: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
*Sep 11 11:31:49.444: ISAKMP: (0):constructed NAT-T vendor-07 ID
*Sep 11 11:31:49.445: ISAKMP: (0):constructed NAT-T vendor-03 ID
*Sep 11 11:31:49.445: ISAKMP: (0):constructed NAT-T vendor-02 ID
*Sep 11 11:31:49.445: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Sep 11 11:31:49.445: ISAKMP: (0):Old State = IKE_READY New State = IKE_I_MM1

*Sep 11 11:31:49.446: ISAKMP: (0):beginning Main Mode exchange
*Sep 11 11:31:49.446: ISAKMP-PAK: (0):sending packet to 44.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 11 11:31:49.454: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Sep 11 11:31:59.458: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Sep 11 11:31:59.459: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Sep 11 11:31:59.460: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Sep 11 11:31:59.460: ISAKMP-PAK: (0):sending packet to 44.1.1.2 my_port 500 peer_port 500 (I) MM_NO _STATE
*Sep 11 11:31:59.460: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Sep 11 11:32:09.482: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Sep 11 11:32:09.484: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Sep 11 11:32:09.484: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Sep 11 11:32:09.485: ISAKMP-PAK: (0):sending packet to 44.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 11 11:32:09.485: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Sep 11 11:32:19.439: ISAKMP: (0):set new node 0 to QM_IDLE
*Sep 11 11:32:19.440: ISAKMP-ERROR: (0):SA is still budding. Attached new ipsec request to it. (local 33.1.1.2, remote 44.1.1.2)
*Sep 11 11:32:19.446: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
*Sep 11 11:32:19.448: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
*Sep 11 11:32:19.490: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Sep 11 11:32:19.490: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Sep 11 11:32:19.490: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Sep 11 11:32:19.491: ISAKMP-PAK: (0):sending packet to 44.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 11 11:32:19.491: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Sep 11 11:32:22.910: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Tunnel1 from FULL to DOWN, Neighbor Down: Dead timer expired
*Sep 11 11:32:29.497: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Sep 11 11:32:29.498: ISAKMP: (0):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Sep 11 11:32:29.498: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Sep 11 11:32:29.498: ISAKMP-PAK: (0):sending packet to 44.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 11 11:32:29.498: ISAKMP: (0):Sending an IKE IPv4 Packet.


----- Debug: Cust-B-Site-B -----
*Sep 11 13:58:50.918: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Sep 11 13:58:56.112: ISAKMP-PAK: (0):received packet from 33.1.1.2 dport 500 sport 512 Global (N) NEW SA
*Sep 11 13:58:56.114: ISAKMP: (0):Created a peer struct for 33.1.1.2, peer port 512
*Sep 11 13:58:56.114: ISAKMP: (0):New peer created peer = 0x7FD7E59EB9B8 peer_handle = 0x8000003A
*Sep 11 13:58:56.115: ISAKMP: (0):Locking peer struct 0x7FD7E59EB9B8, refcount 1 for crypto_isakmp_process_block
*Sep 11 13:58:56.116: ISAKMP: (0):local port 500, remote port 512
*Sep 11 13:58:56.117: ISAKMP: (0):insert sa successfully sa = 7FD7E7015F68
*Sep 11 13:58:56.117: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 11 13:58:56.117: ISAKMP: (0):Old State = IKE_READY New State = IKE_R_MM1

*Sep 11 13:58:56.119: ISAKMP: (0):processing SA payload. message ID = 0
*Sep 11 13:58:56.119: ISAKMP: (0):processing vendor id payload
*Sep 11 13:58:56.120: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
*Sep 11 13:58:56.120: ISAKMP: (0):vendor ID is NAT-T RFC 3947
*Sep 11 13:58:56.120: ISAKMP: (0):processing vendor id payload
*Sep 11 13:58:56.120: ISAKMP: (0):vendor ID seems Unity/DPD but major 245 mismatch
*Sep 11 13:58:56.121: ISAKMP: (0):vendor ID is NAT-T v7
*Sep 11 13:58:56.121: ISAKMP: (0):processing vendor id payload
*Sep 11 13:58:56.121: ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
*Sep 11 13:58:56.121: ISAKMP: (0):vendor ID is NAT-T v3
*Sep 11 13:58:56.122: ISAKMP: (0):processing vendor id payload
*Sep 11 13:58:56.123: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
*Sep 11 13:58:56.123: ISAKMP: (0):vendor ID is NAT-T v2
*Sep 11 13:58:56.123: ISAKMP: (0):found peer pre-shared key matching 33.1.1.2
*Sep 11 13:58:56.124: ISAKMP: (0):local preshared key found
*Sep 11 13:58:56.124: ISAKMP: (0):Scanning profiles for xauth ...
*Sep 11 13:58:56.124: ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy
*Sep 11 13:58:56.125: ISAKMP: (0): encryption AES-CBC
*Sep 11 13:58:56.125: ISAKMP: (0): keylength of 128
*Sep 11 13:58:56.125: ISAKMP: (0): hash SHA256
*Sep 11 13:58:56.125: ISAKMP: (0): default group 14
*Sep 11 13:58:56.125: ISAKMP: (0): auth pre-share
*Sep 11 13:58:56.126: ISAKMP: (0): life type in seconds
*Sep 11 13:58:56.126: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Sep 11 13:58:56.127: ISAKMP: (0):atts are acceptable. Next payload is 0
*Sep 11 13:58:56.127: ISAKMP: (0):Acceptable atts:actual life: 86400
*Sep 11 13:58:56.128: ISAKMP: (0):Acceptable atts:life: 0
*Sep 11 13:58:56.128: ISAKMP: (0):Fill atts in sa vpi_length:4
*Sep 11 13:58:56.128: ISAKMP: (0):Fill atts in sa life_in_seconds:86400
*Sep 11 13:58:56.128: ISAKMP: (0):Returning Actual lifetime: 86400
*Sep 11 13:58:56.129: ISAKMP: (0):Started lifetime timer: 86400.

*Sep 11 13:58:56.138: ISAKMP: (0):processing vendor id payload
*Sep 11 13:58:56.138: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
*Sep 11 13:58:56.138: ISAKMP: (0):vendor ID is NAT-T RFC 3947
*Sep 11 13:58:56.139: ISAKMP: (0):processing vendor id payload
*Sep 11 13:58:56.139: ISAKMP: (0):vendor ID seems Unity/DPD but major 245 mismatch
*Sep 11 13:58:56.139: ISAKMP: (0):vendor ID is NAT-T v7
*Sep 11 13:58:56.139: ISAKMP: (0):processing vendor id payload
*Sep 11 13:58:56.140: ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
*Sep 11 13:58:56.140: ISAKMP: (0):vendor ID is NAT-T v3
*Sep 11 13:58:56.140: ISAKMP: (0):processing vendor id payload
*Sep 11 13:58:56.140: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
*Sep 11 13:58:56.140: ISAKMP: (0):vendor ID is NAT-T v2
*Sep 11 13:58:56.141: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 11 13:58:56.141: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM1

*Sep 11 13:58:56.145: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
*Sep 11 13:58:56.145: ISAKMP-PAK: (0):sending packet to 33.1.1.2 my_port 500 peer_port 512 (R) MM_SA_SETUP
*Sep 11 13:58:56.145: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Sep 11 13:58:56.151: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 11 13:58:56.151: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM2

*Sep 11 13:59:06.131: ISAKMP-PAK: (0):received packet from 33.1.1.2 dport 500 sport 512 Global (R) MM_SA_SETUP
*Sep 11 13:59:06.136: ISAKMP: (0):phase 1 packet is a duplicate of a previous packet.
*Sep 11 13:59:06.136: ISAKMP: (0):retransmitting due to retransmit phase 1
*Sep 11 13:59:06.637: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
*Sep 11 13:59:06.637: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Sep 11 13:59:06.637: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP
*Sep 11 13:59:06.638: ISAKMP-PAK: (0):sending packet to 33.1.1.2 my_port 500 peer_port 512 (R) MM_SA_SETUP
*Sep 11 13:59:06.638: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Sep 11 13:59:16.215: ISAKMP-PAK: (0):received packet from 33.1.1.2 dport 500 sport 512 Global (R) MM_SA_SETUP
*Sep 11 13:59:16.216: ISAKMP: (0):phase 1 packet is a duplicate of a previous packet.
*Sep 11 13:59:16.217: ISAKMP: (0):retransmitting due to retransmit phase 1
*Sep 11 13:59:16.718: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
*Sep 11 13:59:16.718: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Sep 11 13:59:16.718: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP
*Sep 11 13:59:16.718: ISAKMP-PAK: (0):sending packet to 33.1.1.2 my_port 500 peer_port 512 (R) MM_SA_SETUP
*Sep 11 13:59:16.720: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Sep 11 13:59:26.131: ISAKMP-PAK: (0):received packet from 33.1.1.2 dport 500 sport 512 Global (R) MM_SA_SETUP
*Sep 11 13:59:26.132: ISAKMP: (0):phase 1 packet is a duplicate of a previous packet.
*Sep 11 13:59:26.132: ISAKMP: (0):retransmitting due to retransmit phase 1
*Sep 11 13:59:26.633: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
*Sep 11 13:59:26.633: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Sep 11 13:59:26.634: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP
*Sep 11 13:59:26.640: ISAKMP-PAK: (0):sending packet to 33.1.1.2 my_port 500 peer_port 512 (R) MM_SA_SETUP
*Sep 11 13:59:26.640: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Sep 11 13:59:26.746: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on Tunnel1 from FULL to DOWN, Neighbor Down: Dead timer expired
*Sep 11 13:59:36.144: ISAKMP-PAK: (0):received packet from 33.1.1.2 dport 500 sport 512 Global (R) MM_SA_SETUP
*Sep 11 13:59:36.145: ISAKMP: (0):phase 1 packet is a duplicate of a previous packet.
*Sep 11 13:59:36.145: ISAKMP: (0):retransmitting due to retransmit phase 1
*Sep 11 13:59:36.646: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
*Sep 11 13:59:36.646: ISAKMP: (0):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Sep 11 13:59:36.647: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP
*Sep 11 13:59:36.647: ISAKMP-PAK: (0):sending packet to 33.1.1.2 my_port 500 peer_port 512 (R) MM_SA_SETUP
*Sep 11 13:59:36.647: ISAKMP: (0):Sending an IKE IPv4 Packet.
Cust-B-Site-B(config-if)#do u all
All possible debugging has been turned off
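A small log check, added here as an example and not part of the original post. It parses the ISAKMP-PAK send/receive lines from both debugs above and compares the UDP ports each side believes it is using. In the posted output, Cust-B-Site-A logs "my_port 500 peer_port 500" on every transmission, but Cust-B-Site-B receives those same packets with "sport 512" and addresses its MM_SA_SETUP replies to "peer_port 512", while Cust-B-Site-A never logs a received packet and stays in MM_NO_STATE. A rewritten IKE source port is what a PAT device on the path does to the initiator's UDP/500 traffic, and the script flags exactly that pattern across the two logs. The sample log strings are abridged copies of the debug lines in the post; the function names are my own.

```python
import re

# Abridged copies of the debug lines posted above (constructed sample input).
SITE_A_LOG = """\
*Sep 11 11:31:49.441: ISAKMP: (0):local port 500, remote port 500
*Sep 11 11:31:49.446: ISAKMP-PAK: (0):sending packet to 44.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 11 11:31:59.458: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Sep 11 11:31:59.460: ISAKMP-PAK: (0):sending packet to 44.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 11 11:32:09.482: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Sep 11 11:32:09.485: ISAKMP-PAK: (0):sending packet to 44.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
"""

SITE_B_LOG = """\
*Sep 11 13:58:56.112: ISAKMP-PAK: (0):received packet from 33.1.1.2 dport 500 sport 512 Global (N) NEW SA
*Sep 11 13:58:56.116: ISAKMP: (0):local port 500, remote port 512
*Sep 11 13:58:56.145: ISAKMP-PAK: (0):sending packet to 33.1.1.2 my_port 500 peer_port 512 (R) MM_SA_SETUP
*Sep 11 13:59:06.131: ISAKMP-PAK: (0):received packet from 33.1.1.2 dport 500 sport 512 Global (R) MM_SA_SETUP
*Sep 11 13:59:06.136: ISAKMP: (0):phase 1 packet is a duplicate of a previous packet.
*Sep 11 13:59:06.638: ISAKMP-PAK: (0):sending packet to 33.1.1.2 my_port 500 peer_port 512 (R) MM_SA_SETUP
"""

# IOS "debug crypto isakmp" packet lines: one pattern for sends, one for receives.
SEND_RE = re.compile(
    r"sending packet to (?P<peer>\S+) my_port (?P<my>\d+) peer_port (?P<pp>\d+) "
    r"\((?P<role>[IR])\) (?P<state>\S+)"
)
RECV_RE = re.compile(
    r"received packet from (?P<peer>\S+) dport (?P<dp>\d+) sport (?P<sp>\d+) .*"
    r"\((?P<role>[IRN])\) (?P<state>.+)$"
)


def parse_isakmp(log):
    """Return a list of {dir, peer, local_port, peer_port, state} dicts,
    one per ISAKMP-PAK line, in log order. Other debug lines are ignored."""
    events = []
    for line in log.splitlines():
        m = SEND_RE.search(line)
        if m:
            events.append({"dir": "tx", "peer": m["peer"],
                           "local_port": int(m["my"]), "peer_port": int(m["pp"]),
                           "state": m["state"]})
            continue
        m = RECV_RE.search(line)
        if m:
            events.append({"dir": "rx", "peer": m["peer"],
                           "local_port": int(m["dp"]), "peer_port": int(m["sp"]),
                           "state": m["state"].strip()})
    return events


def diagnose(initiator_log, responder_log, ike_port=500):
    """Compare what the initiator sent with what the responder observed and
    return a list of human-readable findings (empty list = nothing suspicious)."""
    init = parse_isakmp(initiator_log)
    resp = parse_isakmp(responder_log)
    init_tx = [e for e in init if e["dir"] == "tx"]
    init_rx = [e for e in init if e["dir"] == "rx"]
    resp_rx = [e for e in resp if e["dir"] == "rx"]
    resp_tx = [e for e in resp if e["dir"] == "tx"]
    findings = []

    # 1. Source port rewritten in transit: initiator sends from 500, responder sees
    #    something else. Only a NAT/PAT device between the two can do that.
    sent_ports = {e["local_port"] for e in init_tx}
    seen_ports = {e["peer_port"] for e in resp_rx}
    if sent_ports == {ike_port} and seen_ports and seen_ports != {ike_port}:
        findings.append(
            f"initiator sends from UDP/{ike_port} but responder sees source port(s) "
            f"{sorted(seen_ports)}: a PAT device in the path rewrote the IKE source port")

    # 2. Responder is replying to the translated port, so the replies only reach the
    #    initiator's IKE process if that translation is reversed on the way back.
    reply_ports = {e["peer_port"] for e in resp_tx}
    if reply_ports and ike_port not in reply_ports:
        findings.append(
            f"responder addresses its replies to port(s) {sorted(reply_ports)}, "
            f"not UDP/{ike_port}; they reach the initiator only if the PAT entry reverses them")

    # 3. Initiator never logged a received packet: phase 1 is stuck at its first message.
    if init_tx and not init_rx:
        findings.append(
            f"initiator logged {len(init_tx)} transmissions and no received packet; "
            f"phase 1 is stuck at {init_tx[-1]['state']}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SITE_A_LOG, SITE_B_LOG):
        print("-", finding)
```

On the logs in the post this reports all three findings. If the translation is happening on the initiator router itself rather than on a device in front of it, "show ip nat translations" on Cust-B-Site-A should list a udp entry for 33.1.1.2 with port 512 while the negotiation is retransmitting; that is the check to run before changing the NAT configuration, because the NAT_EXT list on Site-A ends in "permit ip any any" and the crypto map shares GigabitEthernet1 with "ip nat outside".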
