07-21-2010 05:13 PM - edited 02-21-2020 04:44 PM
I'm trying to configure a GRE over IPsec tunnel between two sites. We are using a Cisco 7613 router with SUP720 (IOS: s72033-advipservicesk9_wan-mz.122-18.SXF15a.bin) and a 3845 router (IOS: c3845-advsecurityk9-mz.124-25c.bin), and we are facing problems when we use the tunnel because the traffic is not passing through it. The configuration was working when we were using two Cisco 3845 routers (IOS: c3845-advsecurityk9-mz.124-25c.bin), but for some reason it is not working anymore when I paste the configuration onto the new 7613 router.
Headquarters
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
crypto isakmp key T3ST001 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set IPSec_PLC esp-aes esp-sha-hmac
mode transport
!
crypto map PLC-CUM 10 ipsec-isakmp
set peer 167.134.216.89
set transform-set IPSec_PLC
match address 100
!
!
!
interface Tunnel1
bandwidth 1984
ip address 167.134.216.94 255.255.255.252
ip mtu 1476
load-interval 30
tunnel source Serial0/1/0:0
tunnel destination 167.134.216.89
interface Serial0/1/0:0
ip address 167.134.216.90 255.255.255.252
crypto map PLC-CUM
access-list 100 permit gre host 167.134.216.90 host 167.134.216.8
router eigrp 100
network 167.134.216.92 0.0.0.3
Branch
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
crypto isakmp key T3ST001 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set IPSec_PLC esp-aes esp-sha-hmac
mode transport
!
crypto map PLC-CUM 10 ipsec-isakmp
set peer 167.134.216.90
set transform-set IPSec_PLC
match address 100
interface Tunnel1
bandwidth 1984
ip address 167.134.216.93 255.255.255.252
ip mtu 1476
load-interval 30
tunnel source Serial1/0/0:1
tunnel destination 167.134.216.90
interface Serial1/0/0:1
bandwidth 1984
ip address 167.134.216.89 255.255.255.252
ip access-group 101 in
load-interval 30
no fair-queue
crypto map PLC-CUM
access-list 100 permit gre host 167.134.216.89 host 167.134.216.90
er-7600#sh crypto isakmp sa
dst src state conn-id slot
167.134.216.89 167.134.216.90 QM_IDLE 3 0
er-3845#sh crypto isakmp sa
dst src state conn-id slot status
167.134.216.89 167.134.216.90 QM_IDLE 3 0 ACTIVE
er-3845#sh crypto engine connections active
ID Interface IP-Address State Algorithm Encrypt Decrypt
3 Serial0/1/0:0 167.134.216.90 set HMAC_SHA+AES_CBC 0 0
3001 Serial0/1/0:0 167.134.216.90 set AES+SHA 0 0
3002 Serial0/1/0:0 167.134.216.90 set AES+SHA 61 0
er-7600#sh crypto engine connections active
ID Interface IP-Address State Algorithm Encrypt Decrypt
3 Serial1/0/0:1 167.134.216.89 set HMAC_SHA+AES_CBC 0 0
2000 Serial1/0/0:1 167.134.216.89 set HMAC_SHA+AES_CBC 0 66
2001 Serial1/0/0:1 167.134.216.89 set HMAC_SHA+AES_CBC 0 0
I got this error on the er-3845: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, and this one on the er-7600: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Please help, it is so frustrating...
Thanks in advance
Oscar
07-22-2010 12:27 PM
Here's a document from Cisco that clearly mentions having a crypto map on both the physical and the tunnel interface.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml
Hope it helps
manish
07-22-2010 06:45 PM
Does your 7600 series router have IPsec SPA hardware? As per Cisco, the 7600 series routers do not support software-based IPsec encryption and need an IPsec card.
thanks
Manish
07-21-2010 05:24 PM
Try applying the crypto map on the tunnel interfaces also on both the routers.
thanks
manish
07-22-2010 02:20 PM
Hi Manish
I followed your suggestion but it did not work...
Thanks
07-21-2010 08:33 PM
Oscar:
On the headquarters configuration your crypto map and tunnel destination are 167.134.216.89 (89), but your ACL says 167.134.216.8 (8).
Looks like you need to correct the ACL.
Perhaps that was just a typo, now that I have reviewed the show command output (which I should have done before responding).
Best Regards,
Mike
07-22-2010 04:59 AM
Hi Michael, on my router it is OK (.89); when I pasted the configuration, I did it wrong.
Best Regards
07-22-2010 08:54 AM
Hi Oscar ,
Did you try using the crypto map statement on the tunnel interface as well, on both routers? Also reduce the MTU size on the tunnel interface to 1350 on both sides. If it still doesn't work, please post:
1> debug crypto isakmp
2> debug crypto ipsec
3> debug crypto engine
thanks
manish
07-22-2010 10:34 AM
A crypto map on the tunnel interface is not advised.
You will need to use tunnel protection on the tunnel interface.
Just to clarify: when you put the 7200 in the network, you removed the 3800 from the network, right?
Also clear the tunnels on both routers using clear cry sa for this peer and try to establish the tunnel again.
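As an added illustration of the tunnel-protection approach suggested above (not part of any post in this thread), this is how the headquarters side of the original configuration looks with the crypto map replaced by an IPsec profile bound to Tunnel1. The profile name GRE-PROT is my own; the transform set, addresses, interface names and MTU are the ones from the original post, and the pre-shared key is scoped to the single peer instead of 0.0.0.0 0.0.0.0 as a tightening that the thread does not itself make.

```cisco
! Headquarters side: tunnel protection instead of a crypto map.
! Profile name GRE-PROT is an assumed name, not from the thread.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
! Key restricted to the branch peer rather than any address.
crypto isakmp key T3ST001 address 167.134.216.89 255.255.255.255
!
crypto ipsec transform-set IPSec_PLC esp-aes esp-sha-hmac
 mode transport
!
! The profile carries the transform set; peer and proxy identities
! (GRE between tunnel source and tunnel destination) come from Tunnel1.
crypto ipsec profile GRE-PROT
 set transform-set IPSec_PLC
!
interface Tunnel1
 bandwidth 1984
 ip address 167.134.216.94 255.255.255.252
 ip mtu 1476
 load-interval 30
 tunnel source Serial0/1/0:0
 tunnel destination 167.134.216.89
 tunnel protection ipsec profile GRE-PROT
!
interface Serial0/1/0:0
 ip address 167.134.216.90 255.255.255.252
 ! no "crypto map PLC-CUM" here: the profile on Tunnel1 encrypts the GRE
!
! access-list 100 and crypto map PLC-CUM are no longer referenced and
! can be removed once both sides use the profile.
router eigrp 100
 network 167.134.216.92 0.0.0.3
```

The branch side mirrors this with its own addresses, Serial1/0/0:1 and the headquarters peer; apply both sides together and then confirm with show crypto session and show crypto ipsec sa that a single pair of SPIs is in use for the GRE traffic.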
07-22-2010 04:55 PM
Hi Jathaval
I removed the 3845 from the network when I put the 7600 in the network, and I also cleared the tunnels on both routers using clear crypto isakmp sa.
What do you mean by using tunnel protection on the tunnel interface? Could you please explain it to me?
Thanks
Oscar
07-22-2010 04:47 PM
Hi Manish
I set the MTU to 1350 on both sides. From what I observed, the traffic passed for 40 seconds and then it went down. I think it might be a problem with the MTU, but for some reason on the 7600 router the show crypto ipsec sa shows me a different MTU. I have appended the output of the commands that you asked for.
Thanks
07-22-2010 09:55 PM
Hi
Firstly, as requested, please attach show cry ips sa.
In the debug that you have attached, I see that for some reason there are 2 different SPIs for the outbound SA.
If we look at sh cry ips sa it will be clear which SPI it is actually using.
Also please note that clear crypto isa sa will only clear phase 1 on routers.
You will need to do clear cry sa, or the best is clear cry sess.
I believe this should resolve the issue.