02-06-2018 01:45 AM - edited 03-12-2019 05:00 AM
Hello,
I have two routers, a Cisco 2921 and an 881. I want to set up a site-to-site VPN with GRE over IPsec between the routers. The Cisco 2921 is behind an ASA 5508-X in site A, and the ASA is connected to the internet. The Cisco 881 is in site B, connected to the internet. I enabled NAT-T on the ASA. If I configure only a GRE tunnel between the routers, it works. If I add IPsec to the GRE, the problem is with ISAKMP, and the VPN doesn't work. I don't know where the problem is.
This is my configuration:
ASA:
interface GigabitEthernet1/1
duplex full
nameif outside
security-level 0
ip address 213.216.110.XXX 255.255.255.248
!
interface GigabitEthernet1/8
description Connection to C2921
speed 1000
duplex full
nameif MENet
security-level 100
ip address 10.10.3.2 255.255.255.248
!
object network VPN-Router
host 10.10.3.1
nat (MENet,outside) static interface
crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 enable MENet
access-list OUT-MAIN extended permit gre host 195.150.12.XX host 10.10.3.1
access-list OUT-MAIN extended permit esp host 195.150.12.XX host 10.10.3.1
access-list OUT-MAIN extended permit udp host 195.150.12.XX host 10.10.3.1 eq 4500
access-list OUT-MAIN extended permit udp host 195.150.12.XX host 10.10.3.1 eq isakmp
C2921 with IP 10.10.3.1, behind the ASA:
crypto isakmp policy 2
 encr aes 256
 hash md5
 authentication pre-share
 group 2
 lifetime 30000
crypto isakmp key Mi2017a address 195.150.12.XX
!
crypto ipsec transform-set MI2018 esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile MAIN_VPN_PROFILE
 set security-association lifetime seconds 30000
 set transform-set MI2018
!
interface GigabitEthernet0/2/0
 description Connection to ASA
 ip address 10.10.3.1 255.255.255.248
 no ip redirects
 no ip proxy-arp
 duplex full
 speed 1000
 no cdp enable
!
interface Tunnel10
 description EX-VPN
 ip address 10.10.17.131 255.255.255.192
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 3 7
 tunnel source GigabitEthernet0/2/0
 tunnel destination 195.150.12.XX
 tunnel protection ipsec profile MAIN_VPN_PROFILE
!
ip route 195.150.12.XX 255.255.255.248 GigabitEthernet0/2/0 10.10.3.2
Configuration on router 881:
crypto isakmp policy 2
 encr aes 256
 hash md5
 authentication pre-share
 group 2
 lifetime 30000
crypto isakmp key Mi2017a address 213.216.110.XXX
!
crypto ipsec transform-set MI2018 esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile MAIN_VPN_PROFILE
 set security-association lifetime seconds 30000
 set transform-set MI2018
!
interface Tunnel10
 bandwidth 20000
 ip address 10.10.17.130 255.255.255.192
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 3 7
 tunnel source FastEthernet4
 tunnel destination 213.216.110.XXX
 tunnel protection ipsec profile MAIN_VPN_PROFILE
!
interface FastEthernet4
 ip address 195.150.12.XX 255.255.255.248
 no ip proxy-arp
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
On C881 I see:
sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
195.150.12.XX   213.216.110.XXX QM_IDLE           2111 ACTIVE
195.150.12.XX   213.216.110.XXX MM_NO_STATE       2110 ACTIVE (deleted)
On C2921 I see:
sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
195.150.12.XX   10.10.3.1       MM_KEY_EXCH       1920 ACTIVE
195.150.12.XX   10.10.3.1       MM_NO_STATE       1919 ACTIVE (deleted)
If I enable debug ISAKMP, I see:
*Feb 5 21:26:17.073: ISAKMP:(2008):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Feb 5 21:26:17.073: ISAKMP (2008): ID payload
 next-payload : 8
 type : 1
 address : 195.150.12.XX
 protocol : 17
 port : 0
 length : 12
*Feb 5 21:26:17.073: ISAKMP:(2008):Total payload length: 12
*Feb 5 21:26:17.073: ISAKMP:(2008): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
*Feb 5 21:26:17.073: ISAKMP:(2008):Sending an IKE IPv4 Packet.
*Feb 5 21:26:17.077: ISAKMP:(2008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Feb 5 21:26:17.077: ISAKMP:(2008):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Feb 5 21:26:17.081: ISAKMP:(2008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Feb 5 21:26:17.081: ISAKMP:(2008):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Feb 5 21:26:17.573: ISAKMP (2007): received packet from 213.216.110.XXX dport 500 sport 500 Global (I) MM_KEY_EXCH
*Feb 5 21:26:17.573: ISAKMP:(2007): phase 1 packet is a duplicate of a previous packet.
*Feb 5 21:26:17.573: ISAKMP:(2007): retransmitting due to retransmit phase 1
*Feb 5 21:26:18.073: ISAKMP:(2007): retransmitting phase 1 MM_KEY_EXCH...
*Feb 5 21:26:18.073: ISAKMP (2007): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb 5 21:26:18.073: ISAKMP:(2007): retransmitting phase 1 MM_KEY_EXCH
*Feb 5 21:26:18.073: ISAKMP:(2007): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Feb 5 21:26:18.073: ISAKMP:(2007):Sending an IKE IPv4 Packet.
*Feb 5 21:26:27.065: ISAKMP (2008): received packet from 213.216.110.XXX dport 4500 sport 4500 Global (R) QM_IDLE
*Feb 5 21:26:27.065: ISAKMP:(2008): phase 1 packet is a duplicate of a previous packet.
*Feb 5 21:26:27.065: ISAKMP:(2008): retransmitting due to retransmit phase 1
*Feb 5 21:26:27.565: ISAKMP:(2008): retransmitting phase 1 QM_IDLE ...
*Feb 5 21:26:27.565: ISAKMP (2008): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb 5 21:26:27.565: ISAKMP:(2008): retransmitting phase 1 QM_IDLE
*Feb 5 21:26:27.565: ISAKMP:(2008): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 5 21:26:27.565: ISAKMP:(2008):Sending an IKE IPv4 Packet.
*Feb 5 21:30:17.409: ISAKMP:(2013):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Feb 5 21:30:17.409: ISAKMP (2013): ID payload
 next-payload : 8
 type : 1
 address : 195.150.12.XX
 protocol : 17
 port : 0
 length : 12
*Feb 5 21:30:17.409: ISAKMP:(2013):Total payload length: 12
*Feb 5 21:30:17.409: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
*Feb 5 21:30:17.409: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb 5 21:30:17.409: ISAKMP:(2013):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Feb 5 21:30:17.409: ISAKMP:(2013):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Feb 5 21:30:17.413: ISAKMP:(2013):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Feb 5 21:30:17.417: ISAKMP:(2013):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Feb 5 21:30:27.401: ISAKMP (2013): received packet from 213.216.110.XXX dport 4500 sport 4500 Global (R) QM_IDLE
*Feb 5 21:30:27.401: ISAKMP:(2013): phase 1 packet is a duplicate of a previous packet.
*Feb 5 21:30:27.401: ISAKMP:(2013): retransmitting due to retransmit phase 1
*Feb 5 21:30:27.901: ISAKMP:(2013): retransmitting phase 1 QM_IDLE ...
*Feb 5 21:30:27.901: ISAKMP (2013): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb 5 21:30:27.901: ISAKMP:(2013): retransmitting phase 1 QM_IDLE
*Feb 5 21:30:27.901: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 5 21:30:27.901: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb 5 21:30:37.397: ISAKMP (2013): received packet from 213.216.110.XXX dport 4500 sport 4500 Global (R) QM_IDLE
*Feb 5 21:30:37.401: ISAKMP:(2013): phase 1 packet is a duplicate of a previous packet.
*Feb 5 21:30:37.401: ISAKMP:(2013): retransmitting due to retransmit phase 1
*Feb 5 21:30:37.901: ISAKMP:(2013): retransmitting phase 1 QM_IDLE ...
*Feb 5 21:30:37.901: ISAKMP (2013): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Feb 5 21:30:37.901: ISAKMP:(2013): retransmitting phase 1 QM_IDLE
*Feb 5 21:30:37.901: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 5 21:30:37.901: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb 5 21:30:38.013: ISAKMP: set new node 0 to QM_IDLE
*Feb 5 21:30:38.013: SA has outstanding requests (local 133.208.215.12 port 4500, remote 133.208.215.40 port 4500)
*Feb 5 21:30:38.013: ISAKMP:(2013): sitting IDLE. Starting QM immediately (QM_IDLE )
*Feb 5 21:30:38.013: ISAKMP:(2013):beginning Quick Mode exchange, M-ID of 4112572105
*Feb 5 21:30:38.013: ISAKMP:(2013):QM Initiator gets spi
*Feb 5 21:30:38.013: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 5 21:30:38.013: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb 5 21:30:38.013: ISAKMP:(2013):Node 4112572105, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Feb 5 21:30:38.013: ISAKMP:(2013):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Feb 5 21:30:47.409: ISAKMP:(2013): retransmitting due to retransmit phase 1
*Feb 5 21:30:47.909: ISAKMP:(2013): retransmitting phase 1 QM_IDLE ...
*Feb 5 21:30:47.909: ISAKMP (2013): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Feb 5 21:30:47.909: ISAKMP:(2013): retransmitting phase 1 QM_IDLE
*Feb 5 21:30:47.909: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 5 21:30:47.909: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb 5 21:30:48.013: ISAKMP:(2013): retransmitting phase 2 QM_IDLE -182395191 ...
*Feb 5 21:30:48.013: ISAKMP (2013): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*Feb 5 21:30:48.013: ISAKMP:(2013): retransmitting phase 2 -182395191 QM_IDLE
*Feb 5 21:30:48.013: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 5 21:30:48.013: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb 5 21:30:57.405: ISAKMP (2013): received packet from 213.216.110.XXX dport 4500 sport 4500 Global (R) QM_IDLE
*Feb 5 21:30:57.405: ISAKMP:(2013): phase 1 packet is a duplicate of a previous packet.
*Feb 5 21:30:57.405: ISAKMP:(2013): retransmitting due to retransmit phase 1
*Feb 5 21:30:57.905: ISAKMP:(2013): retransmitting phase 1 QM_IDLE ...
*Feb 5 21:30:57.905: ISAKMP (2013): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Feb 5 21:30:57.905: ISAKMP:(2013): retransmitting phase 1 QM_IDLE
*Feb 5 21:30:57.905: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 5 21:30:57.905: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb 5 21:30:58.013: ISAKMP:(2013): retransmitting phase 2 QM_IDLE -182395191 ...
*Feb 5 21:30:58.013: ISAKMP (2013): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
*Feb 5 21:30:58.013: ISAKMP:(2013): retransmitting phase 2 -182395191 QM_IDLE
*Feb 5 21:30:58.013: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 5 21:30:58.013: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb 5 21:30:58.021: ISAKMP:(2012):purging node -1412652012
*Feb 5 21:30:58.021: ISAKMP:(2012):purging node 665005119
*Feb 5 21:30:58.417: ISAKMP:(2011):purging node -1499783167
*Feb 5 21:31:07.405: ISAKMP (2013): received packet from 213.216.110.XXX dport 4500 sport 4500 Global (R) QM_IDLE
*Feb 5 21:31:07.405: ISAKMP:(2013): phase 1 packet is a duplicate of a previous packet.
*Feb 5 21:31:07.405: ISAKMP:(2013): retransmitting due to retransmit phase 1
*Feb 5 21:31:07.905: ISAKMP:(2013): retransmitting phase 1 QM_IDLE ...
*Feb 5 21:31:07.905: ISAKMP (2013): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Feb 5 21:31:07.905: ISAKMP:(2013): retransmitting phase 1 QM_IDLE
*Feb 5 21:31:07.905: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 5 21:31:07.905: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb 5 21:31:08.013: ISAKMP:(2013): retransmitting phase 2 QM_IDLE -182395191 ...
*Feb 5 21:31:08.013: ISAKMP (2013): incrementing error counter on node, attempt 3 of 5: retransmit phase 2
*Feb 5 21:31:08.013: ISAKMP:(2013): retransmitting phase 2 -182395191 QM_IDLE
*Feb 5 21:31:08.013: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 5 21:31:08.013: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb 5 21:31:08.021: ISAKMP:(2012):purging SA., sa=86E8CB30, delme=86E8CB30
*Feb 5 21:31:08.117: ISAKMP: set new node 0 to QM_IDLE
*Feb 5 21:31:08.117: SA has outstanding requests (local 133.208.215.12 port 4500, remote 133.208.215.40 port 4500)
*Feb 5 21:31:08.117: ISAKMP:(2013): sitting IDLE. Starting QM immediately (QM_IDLE )
*Feb 5 21:31:08.117: ISAKMP:(2013):beginning Quick Mode exchange, M-ID of 1297611346
*Feb 5 21:31:08.117: ISAKMP:(2013):QM Initiator gets spi
*Feb 5 21:31:08.117: ISAKMP:(2013):peer does not do paranoid keepalives.
*Feb 5 21:31:08.117: ISAKMP:(2013):deleting SA reason "Death by retransmission throw" state (R) QM_IDLE (peer 213.216.110.XXX)
*Feb 5 21:31:08.117: ISAKMP:(2013):Node 1297611346, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Feb 5 21:31:08.117: ISAKMP:(2013):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Feb 5 21:31:08.121: ISAKMP: set new node -222890906 to QM_IDLE
*Feb 5 21:31:08.125: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb 5 21:31:08.125: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb 5 21:31:08.125: ISAKMP:(2013):purging node -222890906
*Feb 5 21:31:08.125: ISAKMP:(2013):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Feb 5 21:31:08.125: ISAKMP:(2013):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Feb 5 21:31:08.125: ISAKMP:(2013):deleting SA reason "Death by retransmission throw" state (R) QM_IDLE (peer 213.216.110.XXX)
*Feb 5 21:31:08.125: ISAKMP: Unlocking peer struct 0x85D0EAE0 for isadb_mark_sa_deleted(), count 0
*Feb 5 21:31:08.125: ISAKMP: Deleting peer node by peer_reap for 213.216.110.XXX: 85D0EAE0
*Feb 5 21:31:08.125: ISAKMP:(2013):deleting node -182395191 error FALSE reason "IKE deleted"
*Feb 5 21:31:08.125: ISAKMP:(2013):deleting node 1297611346 error FALSE reason "IKE deleted"
*Feb 5 21:31:08.129: ISAKMP:(2013):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Feb 5 21:31:08.129: ISAKMP:(2013):Old State = IKE_DEST_SA New State = IKE_DEST_SA
Please help me.
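As an added triage example (not from the original post or from Cisco), a small Python script over the ISAKMP debug quoted above: it groups lines by conn-id and records the UDP ports in use (500 versus 4500 shows whether NAT-T was negotiated for that SA), the highest retransmit attempt per phase, the last state, and the reason an SA was deleted. Function names are my own; the sample lines are copied from the post.

```python
import re
from collections import defaultdict

# Constructed sample: debug lines copied from the post (peer addresses masked as
# on the page). Conn 2007 still exchanges on UDP/500, conn 2013 has floated to
# UDP/4500 (NAT-T) and is later torn down after five phase 1 retransmits.
SAMPLE_DEBUG = """\
*Feb 5 21:26:17.073: ISAKMP:(2008): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
*Feb 5 21:26:17.573: ISAKMP (2007): received packet from 213.216.110.XXX dport 500 sport 500 Global (I) MM_KEY_EXCH
*Feb 5 21:26:18.073: ISAKMP (2007): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb 5 21:26:18.073: ISAKMP:(2007): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Feb 5 21:30:17.409: ISAKMP:(2013):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Feb 5 21:30:27.401: ISAKMP (2013): received packet from 213.216.110.XXX dport 4500 sport 4500 Global (R) QM_IDLE
*Feb 5 21:30:38.013: SA has outstanding requests (local 133.208.215.12 port 4500, remote 133.208.215.40 port 4500)
*Feb 5 21:30:47.909: ISAKMP (2013): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Feb 5 21:30:48.013: ISAKMP (2013): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*Feb 5 21:31:07.905: ISAKMP (2013): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Feb 5 21:31:08.117: ISAKMP:(2013):deleting SA reason "Death by retransmission throw" state (R) QM_IDLE (peer 213.216.110.XXX)
"""

CONN_RE = re.compile(r"ISAKMP:?\s?\((\d+)\)")  # conn-id in 'ISAKMP:(2013)' or 'ISAKMP (2013)'
PORTS_RE = re.compile(r"(?:my_port|dport) (\d+) (?:peer_port|sport) (\d+)")
RETRANS_RE = re.compile(r"attempt (\d+) of \d+: retransmit phase ([12])")
STATE_RE = re.compile(r"New State = (\w+)")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)"')


def summarize_isakmp_debug(text):
    """Per conn-id: UDP ports seen, highest retransmit attempt per phase, last state, delete reason."""
    summary = defaultdict(lambda: {"ports": set(), "retransmits": {1: 0, 2: 0},
                                   "last_state": None, "deleted_reason": None})
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue  # e.g. 'SA has outstanding requests' carries no conn-id
        rec = summary[int(m.group(1))]
        if pm := PORTS_RE.search(line):
            rec["ports"].update(int(p) for p in pm.groups())
        if rm := RETRANS_RE.search(line):
            phase, attempt = int(rm.group(2)), int(rm.group(1))
            rec["retransmits"][phase] = max(rec["retransmits"][phase], attempt)
        if sm := STATE_RE.search(line):
            rec["last_state"] = sm.group(1)
        if dm := DELETE_RE.search(line):
            rec["deleted_reason"] = dm.group(1)
    return dict(summary)


def failed_connections(summary):
    """Conn-ids deleted after exhausting their phase 1 retransmit budget."""
    return sorted(c for c, r in summary.items()
                  if r["deleted_reason"] and r["retransmits"][1] >= 5)


if __name__ == "__main__":
    result = summarize_isakmp_debug(SAMPLE_DEBUG)
    for conn, rec in sorted(result.items()):
        print(conn, sorted(rec["ports"]), rec["retransmits"], rec["last_state"], rec["deleted_reason"])
    print("failed:", failed_connections(result))
```

An SA that completes phase 1 on UDP/4500 and then dies with "Death by retransmission throw" while its peer keeps retransmitting tells you the IKE messages are being lost in one direction, which is where the ASA's NAT and ACL rules become the next thing to check.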
02-06-2018 03:11 AM
Your setup is a bit confusing.
Are you trying to end the IPsec tunnel on the ASA or on the 2921 behind the ASA? Same question for the GRE/VTI tunnel.
The ASA does not support GRE, but it does support VTI; if you are trying to set up a route-based VPN between the ASA and the 881 you will need to use VTI.
I do not see why NAT-T is needed on the ASA. If you are trying to have an IPsec tunnel between the routers, NAT-T should be enabled on the routers, not on the ASA, but you should have a static NAT on the ASA.
If the tunnel should end on the ASA, the ASA has a public IP and NAT-T is not needed.
HTH
Bogdan
02-06-2018 03:35 AM - last edited on 02-06-2018 04:23 AM by priypawa
Hi,
The GRE/IPsec tunnel ends on the C2921. The 2921 router is NATed behind the ASA. I don't use the ASA for VTI. The ASA is only a firewall for access to the outside. The VPN tunnel is between the C2921 and the C881, through the ASA.
I used the configuration from slideshare.net/NetworksTraining, but I want to use GRE over IPsec. GRE alone works between the C2921 and the C881.
02-06-2018 05:38 AM
Hi, so the 2921 is behind the ASA?
Can you please provide the configuration for the ASA: access-list, object and NAT?
02-06-2018 05:56 AM
Yes, the C2921 is behind the ASA. The network between the ASA and the C2921 is 10.10.3.0 (the ASA and the C2921 are directly connected).
ASA config:
interface GigabitEthernet1/1
 duplex full
 nameif outside
 security-level 0
 ip address 213.216.110.XXX 255.255.255.248
!
interface GigabitEthernet1/8
 description Connected to C2921
 speed 1000
 duplex full
 nameif MENet
 security-level 100
 ip address 10.10.3.2 255.255.255.248
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network VPN-Router
 host 10.10.3.1
object network VPN-Router
 nat (MENet,outside) static interface
route outside 0.0.0.0 0.0.0.0 213.216.110.XXX 1
crypto ikev1 enable outside
crypto ikev1 enable MENet
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
access-list OUT-MAIN extended permit gre host 195.150.12.XX host 10.10.3.1
access-list OUT-MAIN extended permit esp host 195.150.12.XX host 10.10.3.1
access-list OUT-MAIN extended permit udp host 195.150.12.XX host 10.10.3.1 eq 4500
access-list OUT-MAIN extended permit udp host 195.150.12.XX host 10.10.3.1 eq isakmp
access-list OUT-MAIN extended deny icmp any any
access-list OUT-MAIN extended permit ip any any
access-group OUT-MAIN in interface outside
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
  inspect snmp
  inspect ipsec-pass-thru
 class global-class
  sfr fail-open monitor-only
 class class-default
02-06-2018 06:08 AM
02-06-2018 08:18 AM
Hi,
On the ASA I have one tunnel to another location. I can disable it.
Yes, I am NATing to the public IP address of the outside interface.
The permit ip any any is only for testing.
sh xlate:
NAT from MENet:10.10.3.1 to outside:213.216.110.XXX
flags s idle 0:00:00 timeout 0:00:00
MPLASA01# packet-tracer input outside udp 195.150.12.XX isakmp 10.10.3.1 isakm$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.3.1 using egress ifc MENet

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUT-MAIN in interface outside
access-list OUT-MAIN extended permit udp host 195.150.12.XX host 10.10.3.1 eq isakmp log
Additional Information:

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map global-class
 match access-list sfr_redirect
policy-map global_policy
 class global-class
  sfr fail-open monitor-only
service-policy global_policy global
Additional Information:

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru _default_ipsec_passthru_map
service-policy global_policy global
Additional Information:

Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network VPN-Router
 nat (MENet,outside) static interface
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: MENet
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
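Added example, not from the thread or from Cisco: a Python parser for ASA packet-tracer output that turns each Phase block into a record and picks out the phase that dropped the flow, here the NAT rpf-check in Phase 10. Function names are mine; the sample is trimmed from the output above.

```python
import re

# Constructed sample, trimmed from the packet-tracer output quoted in the post
# (phases 1 and 10 and the final Result block).
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 10
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network VPN-Router
 nat (MENet,outside) static interface
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

FIELD_RE = re.compile(r"^(Type|Subtype|Result|Action|Drop-reason): ?(.*)$")


def parse_packet_tracer(text):
    """Return (phases, verdict): one dict per 'Phase:' block and the final Action/Drop-reason."""
    phases, verdict, cur, section = [], {}, None, None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":", 1)[1]), "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":  # a bare 'Result:' opens the final verdict block
            cur, section = None, None
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif (m := FIELD_RE.match(line)) and cur is not None and m.group(1) in ("Type", "Subtype", "Result"):
            cur[m.group(1).lower()] = m.group(2)
            section = None
        elif m and cur is None:
            verdict[m.group(1).lower()] = m.group(2)  # Action / Drop-reason
        elif cur is not None and section and line:
            cur[section].append(line)  # Config / Additional Information payload
    return phases, verdict


def first_drop(phases):
    """The first phase that returned DROP, or None when the whole trace allowed the flow."""
    return next((p for p in phases if p.get("result") == "DROP"), None)


if __name__ == "__main__":
    phases, verdict = parse_packet_tracer(SAMPLE_TRACE)
    drop = first_drop(phases)
    print(f"phase {drop['phase']} {drop['type']}/{drop['subtype']}: {drop['config']} -> {verdict}")
```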