
Hi, I have two routers, one in Site A and another one in Site B. I have built a tunnel and it is up and running. I see EIGRP neighbors via the tunnel. When I apply encryption, the tunnel is down. I am attaching the config.
Any ideas would be appreciated.


========== Add in Calgary ======

crypto map VPN.Tunnels 638 ipsec-isakmp
 description ---- Guaynabo ----
 set peer 69.79.188.58
 set transform-set AES256.Tunnels
 set pfs group5
 match address CryptoGuaynabo
end

interface Tunnel638
 description --- Puerto Rico CIM  Guaynabo & Calgary VPN
 ip address 10.200.158.138 255.255.255.252
 tunnel source GigabitEthernet0/2
 tunnel destination 69.79.188.58
 tunnel key 638
 tunnel checksum

ip access-list extended CryptoGuaynabo
 permit ip host 208.51.212.83 host 69.79.188.58

======== Guaynabo ======

crypto pki trustpoint ttraflonr2
 enrollment url http://83.244.128.16:80
 revocation-check none
 source interface GigabitEthernet0/1
!
crypto pki trustpoint ttraflonr12
 enrollment url http://83.244.128.20:80
 revocation-check none
 source interface GigabitEthernet0/1
!
!
crypto pki certificate chain ttraflonr2

crypto isakmp policy 1
 encr aes 256
 group 5
 lifetime 3600
!
!
crypto ipsec transform-set AES256.Tunnels esp-aes 256 esp-sha-hmac
!
crypto map VPN.Tunnels 638 ipsec-isakmp
 description ---- Calgary ----
 set peer 208.51.212.83
 set transform-set AES256.Tunnels
 set pfs group5
 match address CryptoCalgary

interface Tunnel638
 description --- tunnel Puerto Rico CIM  to  Calgary VPN ---
 ip address 10.200.158.137 255.255.255.252
 ip flow ingress
 no ip route-cache
 tunnel source GigabitEthernet0/1
 tunnel destination 208.51.212.83
 tunnel key 638
 tunnel checksum

interface GigabitEthernet0/1
 description External Interface to vlan 99
 ip address 69.79.188.58 255.255.255.248
 ip access-group External in
 ip inspect Firewall out
 duplex auto
 speed auto
 crypto map VPN.Tunnels

router eigrp 100
 network 10.200.158.0 0.0.0.255
 network 172.16.80.0 0.0.0.255
 passive-interface GigabitEthernet0/1

ip access-list extended CryptoCalgary
 permit ip host 69.79.188.58 host 208.51.212.83

ip access-list extended External
 remark ----  Tunnel Traffic from Calgary  ----
 permit gre host 208.51.212.83 host 69.79.188.58
 permit esp host 208.51.212.83 host 69.79.188.58
 permit udp host 208.51.212.83 host 69.79.188.58 eq isakmp
 

asked 12/04/2011 06:32


c_hockland ♦♦


9 Answers:
"match address CryptoGuaynabo" should be your internal networks on both sides and not hold your external IP hosts.

answered

CSorg

CSorg is correct at that; the access lists should match a source address of the local private IP and have a destination address of the remote private IP.

Another thing. Why do you have a GRE tunnel configured and then apply the crypto map to the physical interface? You should either remove the VTI or the crypto map. If you remove the crypto map, then you can encrypt the GRE traffic by using an isakmp profile and call that profile in the VTI by issuing the command tunnel protection ipsec profile <profile name> on the VTI interface.

Depending on which route has the lower cost, or if the costs are equal, traffic could be load-balanced over the GRE and IPsec tunnels. That would mean the traffic traveling over the IPsec will be encrypted while the traffic traveling over the GRE will be unencrypted. I would suggest using one or the other, not both.

answered 2011-12-05 at 01:08:05


MAG03

We always use the public IP since the connection goes via the internet.

Here is the log...

Dec  5 22:32:06.970: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Dec  5 22:32:13.790: ISAKMP: quick mode timer expired.
Dec  5 22:32:13.790: ISAKMP:(6778):src 69.79.188.58 dst 208.51.212.83, SA is not authenticated
Dec  5 22:32:13.790: ISAKMP:(6778):peer does not do paranoid keepalives.

Dec  5 22:32:13.790: ISAKMP:(6778):deleting SA reason "QM_TIMER expired" state (I) MM_KEY_EXCH (peer 208.51.212.83)
Dec  5 22:32:13.790: ISAKMP:(6778):deleting SA reason "QM_TIMER expired" state (I) MM_KEY_EXCH (peer 208.51.212.83)
Dec  5 22:32:13.790: ISAKMP: Unlocking peer struct 0x2B6FEBF0 for isadb_mark_sa_deleted(), count 0
Dec  5 22:32:13.790: ISAKMP: Deleting peer node by peer_reap for 208.51.212.83: 2B6FEBF0
Dec  5 22:32:13.790: ISAKMP:(6778):deleting node 1939187699 error FALSE reason "IKE deleted"
Dec  5 22:32:13.790: ISAKMP:(6778):deleting node -411153329 error FALSE reason "IKE deleted"
Dec  5 22:32:13.790: ISAKMP:(6778):deleting node -55404125 error FALSE reason "IKE deleted"
Dec  5 22:32:13.790: ISAKMP:(6778): IKE->PKI End PKI Session state (I) MM_NO_STATE (peer 208.51.212.83)
Dec  5 22:32:13.790: ISAKMP:(6778): PKI->IKE Ended PKI Session state (I) MM_NO_STATE (peer 208.51.212.83)
Dec  5 22:32:13.790: ISAKMP:(6778):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Dec  5 22:32:13.790: ISAKMP:(6778):Old State = IKE_I_MM5  New State = IKE_DEST_SA

Dec  5 22:32:13.790: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Dec  5 22:32:14.618: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on GigabitEthernet0/1 (not half duplex), with tpumaguaynaboCoresw01.global.abc.com FastEthernet1/0/47 (half duplex).

answered 2011-12-05 at 11:36:22


c_hockland

Also, I think something is wrong with the cert.


Dec  5 22:34:07.870: ISAKMP:(6782):Send initial contact
Dec  5 22:34:07.870: ISAKMP:(6782): IKE->PKI Get self CertificateChain state (I) MM_KEY_EXCH (peer 208.51.212.83)
Dec  5 22:34:07.870: ISAKMP:(6782): PKI->IKE Got self CertificateChain state (I) MM_KEY_EXCH (peer 208.51.212.83)
Dec  5 22:34:07.870: ISAKMP:(6782):Unable to get router cert or routerdoes not have a cert: needed to find DN!
Dec  5 22:34:07.870: ISAKMP:(6782):SA is doing RSA signature authentication using id type ID_IPV4_ADDR
Dec  5 22:34:07.870: ISAKMP (6782): ID payload
        next-payload : 6
        type         : 1
        address      : 69.79.188.58
        protocol     : 17
        port         : 500
        length       : 12
Dec  5 22:34:07.870: ISAKMP:(6782):Total payload length: 12
Dec  5 22:34:07.870: ISAKMP:(6782): no valid cert found to return

answered 2011-12-05 at 14:33:32


c_hockland
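The following is an added example, not the configuration the poster attached and not MAG03's or c_hockland's text. It shows the Guaynabo side of the posted GRE tunnel carried through IPsec with tunnel protection, as MAG03 suggests, instead of a crypto map on GigabitEthernet0/1, and it also makes the ISAKMP authentication method explicit: the posted "crypto isakmp policy 1" has no "authentication" line, so IOS defaults to rsa-sig, which is what the debug output above ("SA is doing RSA signature authentication", "no valid cert found to return") shows failing because no certificate is present. Addresses, interface names, the transform-set name and the External ACL entries come from the posted config; the profile name GRE.Protect, the choice of pre-shared-key authentication and the key placeholder are assumptions. In IOS the object that "tunnel protection" references is a "crypto ipsec profile"; an isakmp profile is a separate, optional object for identity matching and is not needed here.

```cisco
! Added example (not from the original post). Guaynabo side; the Calgary side
! mirrors it with the peer address and tunnel source swapped (see note below).
!
! 1. Phase 1: state the authentication method. The posted policy omits it, so
!    the router uses rsa-sig and needs an enrolled certificate, which the debug
!    shows it does not have. Pre-shared keys are an assumption here; to keep
!    rsa-sig instead, finish enrolling the trustpoint so a router cert exists.
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
!
! Placeholder secret; replace with the real shared key on both routers.
crypto isakmp key REPLACE-WITH-SHARED-SECRET address 208.51.212.83
!
! 2. Phase 2: same transform set as the posted config, referenced from an
!    IPsec profile (the object "tunnel protection" points at) rather than a
!    crypto map.
crypto ipsec transform-set AES256.Tunnels esp-aes 256 esp-sha-hmac
!
crypto ipsec profile GRE.Protect
 set transform-set AES256.Tunnels
 set pfs group5
!
! 3. Take the crypto map off the physical interface so GRE traffic has exactly
!    one path, the protected tunnel (this removes the split MAG03 describes,
!    where one path is encrypted and the other is not). The inbound ACL still
!    has to admit ESP and ISAKMP from the peer; the GRE permit from the posted
!    ACL is kept in case the platform re-checks decrypted packets against it.
interface GigabitEthernet0/1
 description External Interface to vlan 99
 ip address 69.79.188.58 255.255.255.248
 ip access-group External in
 ip inspect Firewall out
 no crypto map VPN.Tunnels
!
ip access-list extended External
 remark ----  Tunnel Traffic from Calgary  ----
 permit esp host 208.51.212.83 host 69.79.188.58
 permit udp host 208.51.212.83 host 69.79.188.58 eq isakmp
 permit gre host 208.51.212.83 host 69.79.188.58
!
! 4. Bind the profile to the GRE tunnel. Everything routed into Tunnel638,
!    EIGRP hellos included, is now encrypted inside ESP between the two public
!    addresses, so no crypto ACL (CryptoCalgary) is needed at all.
interface Tunnel638
 description --- tunnel Puerto Rico CIM  to  Calgary VPN ---
 ip address 10.200.158.137 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 208.51.212.83
 tunnel key 638
 tunnel checksum
 tunnel protection ipsec profile GRE.Protect
!
! 5. Checks once both sides are changed (output is device specific and not
!    reproduced here): the ISAKMP SA should sit in QM_IDLE, the crypto session
!    for 208.51.212.83 should be UP-ACTIVE, and the EIGRP neighbor should
!    reappear on Tunnel638.
!   show crypto isakmp sa
!   show crypto session
!   show ip eigrp neighbors
```

On the Calgary router the same profile is applied to its Tunnel638 with "tunnel source GigabitEthernet0/2", "tunnel destination 69.79.188.58", the "crypto isakmp key" statement pointing at 69.79.188.58, and the posted CryptoGuaynabo crypto map removed from its outside interface. The design point is that with tunnel protection the encryption decision is made by routing (anything sent into the tunnel is protected) rather than by a crypto ACL, so the question of whether the ACL should name public or private addresses no longer arises.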

----> We always use the public IP since the connection goes via the internet.

Do you mean that the host machines at each end all have public IP addresses? Or is it just the routers at each end that are using public IPs?

Is the Calgary site configured for PKI also? Or is it when you add the PKI to Calgary that the VPN tunnel goes down?

Could you attach files with the configs of both sites, please?

answered 2011-12-05 at 14:35:19


MAG03

Sure, here are the configs.
Both routers have public IPs.

I will try to attach the configs.

answered 2011-12-06 at 23:16:12


c_hockland

I don't see any attachments.

answered 2011-12-07 at 21:17:33


MAG03

I will attach them in the morning. Apologies for the delay.

answered 2011-12-07 at 23:31:05


c_hockland

no worries :)

answered 2011-12-07 at 23:32:22


MAG03


Last updated: 12/15/2011 04:04