Below you will find the Debug followed by the configurations for the routers (chopped down)
Router B Debug
*Apr 21 10:02:11.617: ISAKMP:(0:0:N/A:0):Authentication method offered does not match policy!
*Apr 21 10:02:11.617: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
*Apr 21 10:02:11.617: ISAKMP:(0:0:N/A:0):no offers accepted!
*Apr 21 10:02:11.617: ISAKMP:(0:0:N/A:0): phase 1 SA policy not acceptable! (local 10.5.4.70 remote 82.82.82.2)
*Apr 21 10:02:11.617: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 82.82.82.2)
*Apr 21 10:02:11.617: ISAKMP (0:0): FSM action returned error: 2
*Apr 21 10:02:11.617: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 82.82.82.2)
Router A
*Jun 3 22:53:30.237: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 84.84.84.70
RouterB Configuration
--------------------------------
crypto isakmp key thekeythekey address 82.82.82.2
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set md5-3des-set esp-3des esp-md5-hmac
!
crypto map IPSecMap 10 ipsec-isakmp
 set peer 82.82.82.2
 set transform-set md5-3des-set
 match address CustTunnel
!
!
!
interface Tunnel0
 description Tunnel to A End
 ip address 10.8.0.22 255.255.255.252
 traffic-shape group 110 10000 1024 1024 1000
 tunnel source FastEthernet0/1
 tunnel destination 82.82.82.2
!
interface FastEthernet0/1
 description RouterB (Cust DMZ)
 ip address 10.5.4.70 255.255.252.0
 duplex auto
 speed auto
 crypto map IPSecMap
!
ip route 82.82.82.2 255.255.255.255 10.5.4.1
!
!
ip access-list extended CustTunnel
 permit gre host 10.5.4.70 host 82.82.82.2
 permit gre host 82.82.82.2 host 10.5.4.70
!
Thing is that your GRE traffic will NOT get natted. Obviously :) (I mean obviously, once worked out), since it is inside the crypto tunnel (sorry, but that is NOT the GRE tunnel).
So the GRE tunnel dest is 10.5.4.70 and not 84.84.84.70.
I am sure you can work out the rest. Just to clarify my own mind I worked it out anyway.
Quite a confusing one.
The Crypto ACLs on the two ends must *always* match. Not necessarily exactly, but the SA that is being created must be allowed by both sides.
*Apr 21 10:02:11.617: ISAKMP:(0:0:N/A:0): phase 1 SA policy not acceptable! (local 10.5.4.70 remote 82.82.82.2)
is telling you that the ACLs do not match. The other end's crypto ACL does not match "this".
As long as NAT Traversal is enabled for IPsec you should be good to go. I forget if it is on by default. Quite likely.
Remember the firewall will need to pass the crypto traffic. I think NAT-T uses port UDP 4500 for ESP - as well as UDP 500 for IKE. Without NAT-T ESP is IP protocol 50.
Router B
crypto isakmp key thekeythekey address 82.82.82.2
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set md5-3des-set esp-3des esp-md5-hmac
!
crypto map IPSecMap 10 ipsec-isakmp
 set peer 82.82.82.2
 set transform-set md5-3des-set
 match address CustTunnel
!
!
!
interface Tunnel0
 description Tunnel to A End
 ip address 10.8.0.22 255.255.255.252
 traffic-shape group 110 10000 1024 1024 1000
 tunnel source FastEthernet0/1
 tunnel destination 82.82.82.2
!
interface FastEthernet0/1
 description RouterB (Cust DMZ)
 ip address 10.5.4.70 255.255.252.0
 duplex auto
 speed auto
 crypto map IPSecMap
!
ip route 82.82.82.2 255.255.255.255 10.5.4.1
! good idea MAKES SURE that the gre traffic
! cant try to go down its own tunnel.
!
!
ip access-list extended CustTunnel
 permit gre host 10.5.4.70 host 82.82.82.2
! permit gre host 82.82.82.2 host 10.5.4.70
! you don't need this
! IPSEC does both directions anyway
!

Router A
crypto map PeerMap 10 ipsec-isakmp
 set peer 84.84.84.70
 set transform-set 3des-md5
 match address CustTunnel
!
interface Tunnel1
 description Vale Of Glamorgan GRE
 ip address 10.8.0.21 255.255.255.252
 traffic-shape group 110 10000 1024 1024 1000
 tunnel source FastEthernet0/0
 tunnel destination 10.5.4.70
! *CHANGE*
!
interface FastEthernet0/0
 description Internet
 ip address 82.82.82.2 255.255.255.224
 duplex auto
 speed auto
 crypto map PeerMap
!
ip access-list extended CustTunnel
 permit gre host 82.82.82.2 host 10.5.4.70
! Add a specific route for the GRE traffic here too
! Makes sure that GRE traffic never tries to go over
! the tunnel.
ip route 10.5.4.70 255.255.255.255 internet.next.hop
Changed the destination end point for the GRE tunnel to 10.5.4.70, but how will RouterA know to tunnel this down its IPSec connection to RouterB when the ip extended CustTunnel is set for
permit gre host 82.82.82.2 host 84.84.84.70
?
- This router has many IPSec connections, but this is the first to a router behind a NAT firewall...
Anyhow I suppose the first issue is to get the IPSec up and running :)
Router A:
========
RouterA#show crypto isakmp sa
dst src state conn-id slot
82.82.82.2 84.84.84.70 MM_KEY_EXCH 1023 0
Router B:
========
RouterB#show crypto isakmp sa
dst src state conn-id slot status
82.82.82.2 10.5.4.70 MM_KEY_EXCH 1 0 ACTIVE
RouterB# debug crypto isakmp error
*Apr 22 11:27:18.231: ISAKMP:(0:3:SW:1):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 82.82.82.2)
*Apr 22 11:27:18.231: ISAKMP:(0:3:SW:1):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 82.82.82.2)
*Apr 22 11:27:48.231: ISAKMP:(0:4:SW:1):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 82.82.82.2)
*Apr 22 11:27:48.231: ISAKMP:(0:4:SW:1):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 80.82.82.2)
*Apr 22 13:08:21.514: ISAKMP: auth pre-share
*Apr 22 13:08:21.514: ISAKMP: life type in seconds
*Apr 22 13:08:21.514: ISAKMP: life duration (basic) of 28800
*Apr 22 13:08:21.514: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
*Apr 22 13:08:21.550: ISAKMP:(0:4:SW:1): processing vendor id payload
*Apr 22 13:08:21.550: ISAKMP:(0:4:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
*Apr 22 13:08:21.550: ISAKMP (0:134217732): vendor ID is NAT-T v7
*Apr 22 13:08:21.550: ISAKMP:(0:4:SW:1): processing vendor id payload
*Apr 22 13:08:21.550: ISAKMP:(0:4:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
*Apr 22 13:08:21.550: ISAKMP:(0:4:SW:1): vendor ID is NAT-T v3
*Apr 22 13:08:21.550: ISAKMP:(0:4:SW:1): processing vendor id payload
*Apr 22 13:08:21.550: ISAKMP:(0:4:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
*Apr 22 13:08:21.550: ISAKMP:(0:4:SW:1): vendor ID is NAT-T v2
*Apr 22 13:08:21.550: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 22 13:08:21.550: ISAKMP:(0:4:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1
As already mentioned in bod43's post, change the Tunnel1 destination to 10.5.4.70.
Add a route to 10.5.4.70/32 via the upstream router.
ip access-list extended CustTunnel permit gre host 82.82.82.2 host 10.5.4.70
On RouterB -
ip access-list extended CustTunnel permit gre host 10.5.4.70 host 82.82.82.2
Key points -
The ACL for the crypto map should match the traffic we want to encrypt (so only sent traffic matters), and both sides should be mirror copies.
The IPSec tunnel is being established between public IP addresses and NAT'ed on the RouterB side to 10.5.4.70. The GRE tunnel doesn't get NAT processing on account of being encrypted, so its source and destination should be the IP addresses before NAT.
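To make the two conditions in this post concrete, here is an added example (not from the thread or from either poster's configuration) that parses constructed IOS snippets built from the thread's addresses and checks both points: that the GRE endpoints are selected by the local crypto ACL, and that the two crypto ACLs mirror each other. The snippets, function names and the three "states" of Router A are my own assumptions.

```python
import re

def parse_gre_config(text):
    """Return (tunnel source IP, tunnel destination IP, {(src, dst), ...}) from an IOS snippet."""
    addr, cur, tun_src_if, tun_dst, acl = {}, None, None, None, set()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split()[1]
        elif line.startswith("ip address ") and cur:
            addr[cur] = line.split()[2]          # interface name -> its address
        elif line.startswith("tunnel source "):
            tun_src_if = line.split()[2]         # an interface name or a literal IP
        elif line.startswith("tunnel destination "):
            tun_dst = line.split()[2]
        elif (m := re.match(r"permit gre host (\S+) host (\S+)", line)):
            acl.add((m.group(1), m.group(2)))    # only the GRE host/host entries matter here
    return addr.get(tun_src_if, tun_src_if), tun_dst, acl

def check_pair(local, remote):
    """Report the two mismatches the thread turns on (empty list means consistent)."""
    src, dst, acl = parse_gre_config(local)
    _, _, racl = parse_gre_config(remote)
    problems = []
    if (src, dst) not in acl:     # GRE packets would never be selected for encryption
        problems.append(f"GRE {src}->{dst} not matched by local crypto ACL {sorted(acl)}")
    if acl != {(d, s) for s, d in racl}:   # peer rejects the phase 2 proposal
        problems.append(f"crypto ACL {sorted(acl)} is not the mirror of peer ACL {sorted(racl)}")
    return problems

# Constructed snippets using the thread's addresses (not the posters' full configs).
ROUTER_B = """interface FastEthernet0/1
 ip address 10.5.4.70 255.255.252.0
interface Tunnel0
 tunnel source FastEthernet0/1
 tunnel destination 82.82.82.2
ip access-list extended CustTunnel
 permit gre host 10.5.4.70 host 82.82.82.2
"""
ROUTER_A_ORIGINAL = """interface FastEthernet0/0
 ip address 82.82.82.2 255.255.255.224
interface Tunnel1
 tunnel source FastEthernet0/0
 tunnel destination 84.84.84.70
ip access-list extended CustTunnel
 permit gre host 82.82.82.2 host 84.84.84.70
"""
# Half-applied fix: tunnel destination changed, crypto ACL still uses the post-NAT address.
ROUTER_A_HALF = ROUTER_A_ORIGINAL.replace("tunnel destination 84.84.84.70", "tunnel destination 10.5.4.70")
# Full fix: tunnel destination and crypto ACL both use the pre-NAT address 10.5.4.70.
ROUTER_A_FIXED = ROUTER_A_ORIGINAL.replace("84.84.84.70", "10.5.4.70")
```

Running check_pair(ROUTER_A_HALF, ROUTER_B) reports both problems, check_pair(ROUTER_A_ORIGINAL, ROUTER_B) only the mirror mismatch, and check_pair(ROUTER_A_FIXED, ROUTER_B) nothing.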
I believe that the solution that I proposed is completely and exactly correct.
If you wish me to troubleshoot further please state whether you have followed the proposal exactly and state what symptoms you are seeing.
I think that it is your responsibility to explain to me any divergence from my proposal and to explain in the terms of that proposal exactly what is not working. I perhaps spent an hour working on my previous response. I feel that it is discourteous that you have responded with such an inadequate and limited message.
Well, I rushed the reply and I'm truly sorry for this, but I just thought I would add it quickly before I left work. I believe I made all of the changes, however I still needed to confirm that all of the correct ports are open on the customer's firewall. I will be writing again with all of the information after checking the configurations on Monday. If the configurations differ from your example I will amend the changes; if they don't and it fails to work I will attempt to troubleshoot the problem further and give you appropriate feedback so that you can assist me further. I'm very grateful for your input.... :)