02-06-2018 01:45 AM - edited 03-12-2019 05:00 AM
Hello,
I have two routers, a Cisco 2921 and an 881. I want to set up a site-to-site VPN with GRE over IPsec between the routers. The Cisco 2921 is behind an ASA 5508-X in site A, and the ASA is connected to the internet. The Cisco 881 is in site B, connected directly to the internet. I enabled NAT-T on the ASA. If I configure only the GRE tunnel between the routers, it works. If I add IPsec to the GRE tunnel, there is a problem with ISAKMP and the VPN doesn't work. I don't know where the problem is.
This is my configuration:
ASA:
interface GigabitEthernet1/1
duplex full
nameif outside
security-level 0
ip address 213.216.110.XXX 255.255.255.248
!
interface GigabitEthernet1/8
description Connection to C2921
speed 1000
duplex full
nameif MENet
security-level 100
ip address 10.10.3.2 255.255.255.248
!
object network VPN-Router
host 10.10.3.1
nat (MENet, Outside) static interface
crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 enable MENet
access-list OUT-MAIN extended permit gre host 195.150.12.XX host 10.10.3.1
access-list OUT-MAIN extended permit esp host 195.150.12.XX host 10.10.3.1
access-list OUT-MAIN extended permit udp host 195.150.12.XX host 10.10.3.1 eq 4500
access-list OUT-MAIN extended permit udp host 195.150.12.XX host 10.10.3.1 eq isakmp
C2921 (IP 10.10.3.1, behind the ASA):
crypto isakmp policy 2
 encr aes 256
 hash md5
 authentication pre-share
 group 2
 lifetime 30000
crypto isakmp key Mi2017a address 195.150.12.XX
crypto ipsec transform-set MI2018 esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile MAIN_VPN_PROFILE
 set security-association lifetime seconds 30000
 set transform-set MI2018
!
interface GigabitEthernet0/2/0
 description Connection to ASA
 ip address 10.10.3.1 255.255.255.248
 no ip redirects
 no ip proxy-arp
 duplex full
 speed 1000
 no cdp enable
interface Tunnel10
 description EX-VPN
 ip address 10.10.17.131 255.255.255.192
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 3 7
 tunnel source GigabitEthernet0/2/0
 tunnel destination 195.150.12.XX
 tunnel protection ipsec profile MAIN_VPN_PROFILE
!
ip route 195.150.12.XX 255.255.255.248 GigabitEthernet0/2/0 10.10.3.2
Router 881 configuration:
crypto isakmp policy 2
 encr aes 256
 hash md5
 authentication pre-share
 group 2
 lifetime 30000
crypto isakmp key Mi2017a address 213.216.110.XXX
!
crypto ipsec transform-set MI2018 esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile MAIN_VPN_PROFILE
 set security-association lifetime seconds 30000
 set transform-set MI2018
!
interface Tunnel10
 bandwidth 20000
 ip address 10.10.17.130 255.255.255.192
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 3 7
 tunnel source FastEthernet4
 tunnel destination 213.216.110.XXX
 tunnel protection ipsec profile MAIN_VPN_PROFILE
interface FastEthernet4
 ip address 195.150.12.XX 255.255.255.248
 no ip proxy-arp
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
On the C881 I see:
sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
195.150.12.XX   213.216.110.XXX QM_IDLE           2111 ACTIVE
195.150.12.XX   213.216.110.XXX MM_NO_STATE       2110 ACTIVE (deleted)
On the C2921 I see:
sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
195.150.12.XX   10.10.3.1       MM_KEY_EXCH       1920 ACTIVE
195.150.12.XX   10.10.3.1       MM_NO_STATE       1919 ACTIVE (deleted)
If I enable debug ISAKMP I see:
*Feb 5 21:26:17.073: ISAKMP:(2008):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Feb 5 21:26:17.073: ISAKMP (2008): ID payload
        next-payload : 8
        type         : 1
        address      : 195.150.12.XX
        protocol     : 17
        port         : 0
        length       : 12
*Feb 5 21:26:17.073: ISAKMP:(2008):Total payload length: 12
*Feb 5 21:26:17.073: ISAKMP:(2008): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
*Feb 5 21:26:17.073: ISAKMP:(2008):Sending an IKE IPv4 Packet.
*Feb 5 21:26:17.077: ISAKMP:(2008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Feb 5 21:26:17.077: ISAKMP:(2008):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
*Feb 5 21:26:17.081: ISAKMP:(2008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Feb 5 21:26:17.081: ISAKMP:(2008):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Feb 5 21:26:17.573: ISAKMP (2007): received packet from 213.216.110.XXX dport 500 sport 500 Global (I) MM_KEY_EXCH
*Feb 5 21:26:17.573: ISAKMP:(2007): phase 1 packet is a duplicate of a previous packet.
*Feb 5 21:26:17.573: ISAKMP:(2007): retransmitting due to retransmit phase 1
*Feb 5 21:26:18.073: ISAKMP:(2007): retransmitting phase 1 MM_KEY_EXCH...
*Feb 5 21:26:18.073: ISAKMP (2007): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb 5 21:26:18.073: ISAKMP:(2007): retransmitting phase 1 MM_KEY_EXCH
*Feb 5 21:26:18.073: ISAKMP:(2007): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Feb 5 21:26:18.073: ISAKMP:(2007):Sending an IKE IPv4 Packet.
*Feb 5 21:26:27.065: ISAKMP (2008): received packet from 213.216.110.XXX dport 4500 sport 4500 Global (R) QM_IDLE
*Feb 5 21:26:27.065: ISAKMP:(2008): phase 1 packet is a duplicate of a previous packet.
*Feb 5 21:26:27.065: ISAKMP:(2008): retransmitting due to retransmit phase 1
*Feb 5 21:26:27.565: ISAKMP:(2008): retransmitting phase 1 QM_IDLE ...
*Feb 5 21:26:27.565: ISAKMP (2008): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb 5 21:26:27.565: ISAKMP:(2008): retransmitting phase 1 QM_IDLE
*Feb 5 21:26:27.565: ISAKMP:(2008): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 5 21:26:27.565: ISAKMP:(2008):Sending an IKE IPv4 Packet.
*Feb 5 21:30:17.409: ISAKMP:(2013):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Feb 5 21:30:17.409: ISAKMP (2013): ID payload
        next-payload : 8
        type         : 1
        address      : 195.150.12.XX
        protocol     : 17
        port         : 0
        length       : 12
*Feb 5 21:30:17.409: ISAKMP:(2013):Total payload length: 12
*Feb 5 21:30:17.409: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
*Feb 5 21:30:17.409: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb 5 21:30:17.409: ISAKMP:(2013):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Feb 5 21:30:17.409: ISAKMP:(2013):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
*Feb 5 21:30:17.413: ISAKMP:(2013):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Feb 5 21:30:17.417: ISAKMP:(2013):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Feb 5 21:30:27.401: ISAKMP (2013): received packet from 213.216.110.XXX dport 4500 sport 4500 Global (R) QM_IDLE
*Feb 5 21:30:27.401: ISAKMP:(2013): phase 1 packet is a duplicate of a previous packet.
*Feb 5 21:30:27.401: ISAKMP:(2013): retransmitting due to retransmit phase 1
*Feb 5 21:30:27.901: ISAKMP:(2013): retransmitting phase 1 QM_IDLE ...
*Feb 5 21:30:27.901: ISAKMP (2013): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb 5 21:30:27.901: ISAKMP:(2013): retransmitting phase 1 QM_IDLE
*Feb 5 21:30:27.901: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 5 21:30:27.901: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb 5 21:30:37.397: ISAKMP (2013): received packet from 213.216.110.XXX dport 4500 sport 4500 Global (R) QM_IDLE
*Feb 5 21:30:37.401: ISAKMP:(2013): phase 1 packet is a duplicate of a previous packet.
*Feb 5 21:30:37.401: ISAKMP:(2013): retransmitting due to retransmit phase 1
*Feb 5 21:30:37.901: ISAKMP:(2013): retransmitting phase 1 QM_IDLE ...
*Feb 5 21:30:37.901: ISAKMP (2013): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Feb 5 21:30:37.901: ISAKMP:(2013): retransmitting phase 1 QM_IDLE
*Feb 5 21:30:37.901: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 5 21:30:37.901: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb 5 21:30:38.013: ISAKMP: set new node 0 to QM_IDLE
*Feb 5 21:30:38.013: SA has outstanding requests (local 133.208.215.12 port 4500, remote 133.208.215.40 port 4500)
*Feb 5 21:30:38.013: ISAKMP:(2013): sitting IDLE. Starting QM immediately (QM_IDLE )
*Feb 5 21:30:38.013: ISAKMP:(2013):beginning Quick Mode exchange, M-ID of 4112572105
*Feb 5 21:30:38.013: ISAKMP:(2013):QM Initiator gets spi
*Feb 5 21:30:38.013: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 5 21:30:38.013: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb 5 21:30:38.013: ISAKMP:(2013):Node 4112572105, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Feb 5 21:30:38.013: ISAKMP:(2013):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Feb 5 21:30:47.409: ISAKMP:(2013): retransmitting due to retransmit phase 1
*Feb 5 21:30:47.909: ISAKMP:(2013): retransmitting phase 1 QM_IDLE ...
*Feb 5 21:30:47.909: ISAKMP (2013): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Feb 5 21:30:47.909: ISAKMP:(2013): retransmitting phase 1 QM_IDLE
*Feb 5 21:30:47.909: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 5 21:30:47.909: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb 5 21:30:48.013: ISAKMP:(2013): retransmitting phase 2 QM_IDLE -182395191 ...
*Feb 5 21:30:48.013: ISAKMP (2013): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*Feb 5 21:30:48.013: ISAKMP:(2013): retransmitting phase 2 -182395191 QM_IDLE
*Feb 5 21:30:48.013: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 5 21:30:48.013: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb 5 21:30:57.405: ISAKMP (2013): received packet from 213.216.110.XXX dport 4500 sport 4500 Global (R) QM_IDLE
*Feb 5 21:30:57.405: ISAKMP:(2013): phase 1 packet is a duplicate of a previous packet.
*Feb 5 21:30:57.405: ISAKMP:(2013): retransmitting due to retransmit phase 1
*Feb 5 21:30:57.905: ISAKMP:(2013): retransmitting phase 1 QM_IDLE ...
*Feb 5 21:30:57.905: ISAKMP (2013): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Feb 5 21:30:57.905: ISAKMP:(2013): retransmitting phase 1 QM_IDLE
*Feb 5 21:30:57.905: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 5 21:30:57.905: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb 5 21:30:58.013: ISAKMP:(2013): retransmitting phase 2 QM_IDLE -182395191 ...
*Feb 5 21:30:58.013: ISAKMP (2013): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
*Feb 5 21:30:58.013: ISAKMP:(2013): retransmitting phase 2 -182395191 QM_IDLE
*Feb 5 21:30:58.013: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 5 21:30:58.013: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb 5 21:30:58.021: ISAKMP:(2012):purging node -1412652012
*Feb 5 21:30:58.021: ISAKMP:(2012):purging node 665005119
*Feb 5 21:30:58.417: ISAKMP:(2011):purging node -1499783167
*Feb 5 21:31:07.405: ISAKMP (2013): received packet from 213.216.110.XXX dport 4500 sport 4500 Global (R) QM_IDLE
*Feb 5 21:31:07.405: ISAKMP:(2013): phase 1 packet is a duplicate of a previous packet.
*Feb 5 21:31:07.405: ISAKMP:(2013): retransmitting due to retransmit phase 1
*Feb 5 21:31:07.905: ISAKMP:(2013): retransmitting phase 1 QM_IDLE ...
*Feb 5 21:31:07.905: ISAKMP (2013): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Feb 5 21:31:07.905: ISAKMP:(2013): retransmitting phase 1 QM_IDLE
*Feb 5 21:31:07.905: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 5 21:31:07.905: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb 5 21:31:08.013: ISAKMP:(2013): retransmitting phase 2 QM_IDLE -182395191 ...
*Feb 5 21:31:08.013: ISAKMP (2013): incrementing error counter on node, attempt 3 of 5: retransmit phase 2
*Feb 5 21:31:08.013: ISAKMP:(2013): retransmitting phase 2 -182395191 QM_IDLE
*Feb 5 21:31:08.013: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 5 21:31:08.013: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb 5 21:31:08.021: ISAKMP:(2012):purging SA., sa=86E8CB30, delme=86E8CB30
*Feb 5 21:31:08.117: ISAKMP: set new node 0 to QM_IDLE
*Feb 5 21:31:08.117: SA has outstanding requests (local 133.208.215.12 port 4500, remote 133.208.215.40 port 4500)
*Feb 5 21:31:08.117: ISAKMP:(2013): sitting IDLE. Starting QM immediately (QM_IDLE )
*Feb 5 21:31:08.117: ISAKMP:(2013):beginning Quick Mode exchange, M-ID of 1297611346
*Feb 5 21:31:08.117: ISAKMP:(2013):QM Initiator gets spi
*Feb 5 21:31:08.117: ISAKMP:(2013):peer does not do paranoid keepalives.
*Feb 5 21:31:08.117: ISAKMP:(2013):deleting SA reason "Death by retransmission throw" state (R) QM_IDLE (peer 213.216.110.XXX)
*Feb 5 21:31:08.117: ISAKMP:(2013):Node 1297611346, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Feb 5 21:31:08.117: ISAKMP:(2013):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Feb 5 21:31:08.121: ISAKMP: set new node -222890906 to QM_IDLE
*Feb 5 21:31:08.125: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 5 21:31:08.125: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb 5 21:31:08.125: ISAKMP:(2013):purging node -222890906
*Feb 5 21:31:08.125: ISAKMP:(2013):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Feb 5 21:31:08.125: ISAKMP:(2013):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
*Feb 5 21:31:08.125: ISAKMP:(2013):deleting SA reason "Death by retransmission throw" state (R) QM_IDLE (peer 213.216.110.XXX)
*Feb 5 21:31:08.125: ISAKMP: Unlocking peer struct 0x85D0EAE0 for isadb_mark_sa_deleted(), count 0
*Feb 5 21:31:08.125: ISAKMP: Deleting peer node by peer_reap for 213.216.110.XXX: 85D0EAE0
*Feb 5 21:31:08.125: ISAKMP:(2013):deleting node -182395191 error FALSE reason "IKE deleted"
*Feb 5 21:31:08.125: ISAKMP:(2013):deleting node 1297611346 error FALSE reason "IKE deleted"
*Feb 5 21:31:08.129: ISAKMP:(2013):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Feb 5 21:31:08.129: ISAKMP:(2013):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
Please help me.
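The debug output in the post above is hard to read by eye once an SA has retransmitted a few times. The following is an added Python example, not code from the thread or from Cisco, that folds `debug crypto isakmp` lines into one record per conn-id and then classifies each SA: did phase 1 ever reach IKE_P1_COMPLETE, how many phase 1 and phase 2 retransmits were counted, and was the SA torn down with a "Death by retransmission throw". The sample input is constructed (documentation addresses 198.51.100.x replace the real peers, conn-ids and M-IDs are invented) and only mirrors the line shapes seen in the thread.

```python
import re
from collections import defaultdict

# Constructed sample of IOS "debug crypto isakmp" output, modelled on the line
# shapes quoted in the thread. Addresses are RFC 5737 documentation ranges,
# conn-ids and M-IDs are made up; this is not the poster's actual output.
SAMPLE_DEBUG = """\
*Feb 5 21:30:17.409: ISAKMP:(2013):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Feb 5 21:30:17.409: ISAKMP:(2013): sending packet to 198.51.100.20 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
*Feb 5 21:30:17.409: ISAKMP:(2013):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
*Feb 5 21:30:27.401: ISAKMP (2013): received packet from 198.51.100.20 dport 4500 sport 4500 Global (R) QM_IDLE
*Feb 5 21:30:27.401: ISAKMP:(2013): phase 1 packet is a duplicate of a previous packet.
*Feb 5 21:30:27.901: ISAKMP (2013): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb 5 21:30:37.901: ISAKMP (2013): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Feb 5 21:30:38.013: ISAKMP:(2013):beginning Quick Mode exchange, M-ID of 4112572105
*Feb 5 21:30:47.909: ISAKMP (2013): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Feb 5 21:30:48.013: ISAKMP (2013): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*Feb 5 21:30:57.905: ISAKMP (2013): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Feb 5 21:31:07.905: ISAKMP (2013): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Feb 5 21:31:08.117: ISAKMP:(2013):deleting SA reason "Death by retransmission throw" state (R) QM_IDLE (peer 198.51.100.20)
*Feb 5 21:31:08.125: ISAKMP:(2013):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
*Feb 5 21:35:00.000: ISAKMP (2020): received packet from 198.51.100.21 dport 500 sport 500 Global (R) MM_NO_STATE
*Feb 5 21:35:00.300: ISAKMP:(2020):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
*Feb 5 21:35:00.400: ISAKMP:(2020):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
"""

# Both "ISAKMP:(2013):" and "ISAKMP (2013):" forms carry the conn-id.
CONN_RE = re.compile(r"ISAKMP:?\s*\((\d+)\)")
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
RETRANS_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase (\d)")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)" state \(([IR])\) (\S+) \(peer ([\d.]+)\)')
PEER_RE = re.compile(r"(?:sending packet to|received packet from) ([\d.]+)")
DUP_RE = re.compile(r"phase 1 packet is a duplicate")


def new_sa():
    return {"peer": None, "states": [], "sent": 0, "received": 0,
            "duplicates": 0, "max_attempt": {1: 0, 2: 0}, "deleted_reason": None}


def summarize(debug_text):
    """Fold debug lines into one record per ISAKMP conn-id."""
    sas = defaultdict(new_sa)
    for line in debug_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue  # node bookkeeping lines without a conn-id are ignored
        sa = sas[m.group(1)]
        p = PEER_RE.search(line)
        if p:
            sa["peer"] = p.group(1)
            sa["sent" if "sending" in line else "received"] += 1
        s = STATE_RE.search(line)
        if s:
            sa["states"].append(s.group(2))
        r = RETRANS_RE.search(line)
        if r:
            phase = int(r.group(3))
            sa["max_attempt"][phase] = max(sa["max_attempt"][phase], int(r.group(1)))
        if DUP_RE.search(line):
            sa["duplicates"] += 1
        d = DELETE_RE.search(line)
        if d:
            sa["deleted_reason"] = d.group(1)
            sa["peer"] = d.group(4)
    return dict(sas)


def diagnose(summary):
    """Separate 'never authenticated' from 'authenticated, then packets stopped arriving'."""
    verdicts = {}
    for conn, sa in summary.items():
        p1_done = "IKE_P1_COMPLETE" in sa["states"]
        p2_done = "IKE_QM_PHASE2_COMPLETE" in sa["states"]
        if sa["deleted_reason"] and "retransmission" in sa["deleted_reason"]:
            stage = "after phase 1 completed" if p1_done else "before phase 1 completed"
            verdicts[conn] = f"DEAD_BY_RETRANSMIT {stage}"
        elif sa["max_attempt"][1] or sa["max_attempt"][2]:
            verdicts[conn] = "RETRANSMITTING"
        elif p2_done:
            verdicts[conn] = "HEALTHY"
        else:
            verdicts[conn] = "INCOMPLETE"
    return verdicts


if __name__ == "__main__":
    summary = summarize(SAMPLE_DEBUG)
    for conn, verdict in diagnose(summary).items():
        sa = summary[conn]
        print(f"conn {conn} peer {sa['peer']}: {verdict}; "
              f"p1 retransmits {sa['max_attempt'][1]}, p2 retransmits {sa['max_attempt'][2]}, "
              f"duplicate p1 packets {sa['duplicates']}")
```

The distinction the classifier draws matters for where to look next: an SA that reaches IKE_P1_COMPLETE and is then deleted by retransmission has authenticated the pre-shared key, so the remaining problem is that one side's packets (UDP 4500 or ESP) are not reaching the other, which points at the NAT and access-list path rather than at the crypto settings. The repeated "phase 1 packet is a duplicate" lines in the same window are the peer resending what it never saw an answer to. Feed real `debug crypto isakmp` output to `summarize()` via stdin or a file in place of the constructed sample.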
02-06-2018 03:11 AM
Your setup is a bit confusing.
Are you trying to terminate the IPsec tunnel on the ASA or on the 2921 behind the ASA? Same question for the GRE/VTI tunnel.
The ASA does not support GRE, but it does support VTI; if you are trying to set up a route-based VPN between the ASA and the 881 you will need to use VTI.
I do not see why NAT-T is needed on the ASA. If you are trying to have an IPsec tunnel between the routers, NAT-T should be enabled on the routers, not on the ASA, but you should have a static NAT on the ASA.
If the tunnel should terminate on the ASA, the ASA has a public IP and NAT-T is not needed.
HTH
Bogdan
02-06-2018 03:35 AM - last edited on 02-06-2018 04:23 AM by priypawa
Hi,
The GRE/IPsec tunnel terminates on the C2921. The 2921 is NATed behind the ASA. I don't use the ASA for VTI. The ASA is only a firewall for access to the outside. The VPN tunnel is between the C2921 and the C881, through the ASA.
I used the configuration from slideshare.net/NetworksTraining, but I want to use GRE over IPsec. GRE alone works between the C2921 and C881.
02-06-2018 05:38 AM
Hi, so the 2921 is behind the ASA?
Can you please provide the configuration for the ASA: access-list, object and NAT.
02-06-2018 05:56 AM
Yes, the C2921 is behind the ASA. The network between the ASA and the C2921 is 10.10.3.0 (the ASA and C2921 are directly connected).
ASA config:
interface GigabitEthernet1/1
 duplex full
 nameif outside
 security-level 0
 ip address 213.216.110.XXX 255.255.255.248
!
interface GigabitEthernet1/8
 description Connected to C2921
 speed 1000
 duplex full
 nameif MENet
 security-level 100
 ip address 10.10.3.2 255.255.255.248
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network VPN-Router
 host 10.10.3.1
object network VPN-Router
 nat (MENet,outside) static interface
route outside 0.0.0.0 0.0.0.0 213.216.110.XXX 1
crypto ikev1 enable outside
crypto ikev1 enable MENet
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
access-list OUT-MAIN extended permit gre host 195.150.12.XX host 10.10.3.1
access-list OUT-MAIN extended permit esp host 195.150.12.XX host 10.10.3.1
access-list OUT-MAIN extended permit udp host 195.150.12.XX host 10.10.3.1 eq 4500
access-list OUT-MAIN extended permit udp host 195.150.12.XX host 10.10.3.1 eq isakmp
access-list OUT-MAIN extended deny icmp any any
access-list OUT-MAIN extended permit ip any any
access-group OUT-MAIN in interface outside
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
  inspect snmp
  inspect ipsec-pass-thru
 class global-class
  sfr fail-open monitor-only
 class class-default
02-06-2018 06:08 AM
02-06-2018 08:18 AM
Hi,
On the ASA I have one tunnel to another location. I can disable it.
Yes, I am NATing to the public IP address of the outside interface.
Permit ip any any is only for the tests.
sh xlate:
NAT from MENet:10.10.3.1 to outside:213.216.110.XXX
flags s idle 0:00:00 timeout 0:00:00
MPLASA01# packet-tracer input outside udp 195.150.12.XX isakmp 10.10.3.1 isakm$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.3.1 using egress ifc MENet

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUT-MAIN in interface outside
access-list OUT-MAIN extended permit udp host 195.150.12.XX host 10.10.3.1 eq isakmp log
Additional Information:

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map global-class
 match access-list sfr_redirect
policy-map global_policy
 class global-class
  sfr fail-open monitor-only
service-policy global_policy global
Additional Information:

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru _default_ipsec_passthru_map
service-policy global_policy global
Additional Information:

Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network VPN-Router
 nat (MENet,outside) static interface
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: MENet
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
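A packet-tracer run lists every phase, and the part worth reading is the first phase whose Result is not ALLOW together with the config lines it cites and the final Drop-reason. This added Python example, not code from the thread or from Cisco, parses packet-tracer output into phases and returns exactly that. The sample trace is constructed: it is a shortened version patterned on the output above, with the public peer replaced by a documentation address and the phases collapsed to four, so the drop lands at phase 4 here where it was phase 10 in the real run.

```python
import re

# Constructed, shortened packet-tracer output modelled on the trace above.
# 198.51.100.20 is a documentation address standing in for the remote peer;
# the 10.10.3.1 next hop and the OUT-MAIN / VPN-Router names follow the thread.
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.3.1 using egress ifc MENet

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUT-MAIN in interface outside
access-list OUT-MAIN extended permit udp host 198.51.100.20 host 10.10.3.1 eq isakmp log
Additional Information:

Phase: 4
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network VPN-Router
 nat (MENet,outside) static interface
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: MENet
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase: (\d+)$")
KV_RE = re.compile(r"^(Type|Subtype|Result|Action|Drop-reason|input-interface|output-interface): ?(.*)$")


def parse_packet_tracer(text):
    """Return (phases, final): one dict per phase plus the trailing verdict block."""
    phases, final = [], {}
    cur, section = None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            cur = {"phase": int(m.group(1)), "config": [], "info": []}
            phases.append(cur)
            section = None
            continue
        if line == "Result:":  # bare "Result:" opens the final verdict block
            cur = None
            continue
        if line == "Config:":
            section = "config"
            continue
        if line == "Additional Information:":
            section = "info"
            continue
        kv = KV_RE.match(line)
        if cur is None:
            if kv:
                final[kv.group(1).lower()] = kv.group(2)
        elif kv and kv.group(1) in ("Type", "Subtype", "Result"):
            cur[kv.group(1).lower()] = kv.group(2)
            section = None
        elif section:
            cur[section].append(line)  # keep leading indent of nested config
    return phases, final


def first_drop(phases):
    """First phase whose Result is anything other than ALLOW, or None."""
    for ph in phases:
        if ph.get("result", "").upper() != "ALLOW":
            return ph
    return None


def report(text):
    """Condense a trace to the one phase a troubleshooter needs to look at."""
    phases, final = parse_packet_tracer(text)
    drop = first_drop(phases)
    if drop is None:
        return {"action": final.get("action"), "dropped_at": None}
    return {"action": final.get("action"), "dropped_at": drop["phase"],
            "type": drop.get("type"), "subtype": drop.get("subtype"),
            "config": drop["config"], "reason": final.get("drop-reason")}


if __name__ == "__main__":
    print(report(SAMPLE_TRACE))
```

Run against the full trace quoted above, `report()` returns `dropped_at` 10 with type NAT, subtype rpf-check and the `object network VPN-Router` / `nat (MENet,outside) static interface` lines as the cited config, which is the same thing the raw output says but without scrolling through nine ALLOW phases. Because `first_drop()` checks the per-phase Result rather than the final Action, it also works for traces where a later phase would have dropped the flow but an earlier one already did.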