Beginner

VTI and IPSEC (tunnel mode ipsec is not working )

Dear all,

I am trying VTI in my lab and I have run into an issue.

I cannot turn on "tunnel mode ipsec ipv4" on the tunnel.

If I activate that command, my traffic cannot reach end to end (host to host).

If I remove this command, I can reach host to host.

Is it a VTI restriction or my configuration error? When I change the IPsec mode to GRE, it also works. IPsec mode is not working.

 

hostname R1
!
ip cef
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key MY_PASSWORD address 192.168.12.2
!
crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
set transform-set MY_TRANSFORM_SET
!
interface Tunnel0
ip address 12.12.12.1 255.255.255.0
tunnel source 192.168.12.1
tunnel mode ipsec ipv4
tunnel destination 192.168.12.2
tunnel protection ipsec profile IPSEC_PROFILE
!
interface g1/0
ip address 192.168.1.254 255.255.255.0
!
interface g0/0
ip address 192.168.12.1 255.255.255.0
!
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
end

hostname R2
!
ip cef
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key MY_PASSWORD address 192.168.12.1
!
crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
set transform-set MY_TRANSFORM_SET
!
interface Tunnel0
ip address 12.12.12.2 255.255.255.0
tunnel source 192.168.12.2
tunnel mode ipsec ipv4
tunnel destination 192.168.12.1
tunnel protection ipsec profile IPSEC_PROFILE
!
interface g1/0
ip address 192.168.2.254 255.255.255.0
!
interface g0/0
ip address 192.168.12.2 255.255.255.0
!
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
end

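Added example (not code from this thread or from Cisco): a small Python check that parses the R1/R2 snippets above and verifies the things a static VTI needs before traffic can flow, including the restriction quoted later in the thread (the transform set must be in tunnel mode), mirrored tunnel endpoints, a tunnel protection profile that points at a defined transform set, and an ISAKMP key that covers the peer address (or the 0.0.0.0 wildcard suggested in the first reply). The sample configs are the ones posted in the question, trimmed to the crypto and tunnel sections; the keyword lists and all function names are this example's own, and it assumes the usual forum paste where indentation has been stripped.

```python
"""VTI consistency checks for the R1/R2 configs posted in the question (added example,
not Cisco code): tunnel protection profile present, transform set in tunnel mode (the
restriction quoted later in the thread), mirrored endpoints, matching ISAKMP key."""
import re

# Constructed sample: R1 from the question, trimmed to the crypto and tunnel sections.
# Indentation was lost in the paste, which is why the parser ignores it.
R1_CONFIG = """
hostname R1
crypto isakmp key MY_PASSWORD address 192.168.12.2
crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
mode tunnel
crypto ipsec profile IPSEC_PROFILE
set transform-set MY_TRANSFORM_SET
interface Tunnel0
ip address 12.12.12.1 255.255.255.0
tunnel source 192.168.12.1
tunnel mode ipsec ipv4
tunnel destination 192.168.12.2
tunnel protection ipsec profile IPSEC_PROFILE
!
"""
# R2 is R1 with every address mirrored, as in the question.
R2_CONFIG = (R1_CONFIG.replace("R1", "R2").replace("12.12.12.1 ", "12.12.12.2 ")
             .replace("address 192.168.12.2", "address 192.168.12.1")
             .replace("source 192.168.12.1", "source 192.168.12.2")
             .replace("destination 192.168.12.2", "destination 192.168.12.1"))

TOP_RE = re.compile(r"^(!|interface |crypto |hostname |ip route |end$)")
BLOCK_START = ("interface ", "crypto ipsec transform-set ", "crypto ipsec profile ")

def parse_blocks(config):
    """Split IOS config text into top-level lines and {block header: [sub-commands]}.
    Indentation is ignored; a block ends at '!' or at the next top-level keyword."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TOP_RE.match(line):
            current = line if line.startswith(BLOCK_START) else None
            if current:
                blocks[current] = []
            elif line != "!":
                top.append(line)
        elif current:
            blocks[current].append(line)
        else:
            top.append(line)
    return top, blocks

def _arg(lines, prefix):
    """Argument of the first line that starts with prefix, or None."""
    return next((ln[len(prefix):].strip() for ln in lines if ln.startswith(prefix)), None)

def analyse(config):
    """Per-router checks; returns (facts, findings)."""
    top, blocks = parse_blocks(config)
    host, psk = _arg(top, "hostname "), {}
    for ln in top:
        m = re.match(r"crypto isakmp key (\S+) address (\S+)", ln)
        if m:
            psk[m.group(2)] = m.group(1)          # peer address (or 0.0.0.0 wildcard) -> key
    facts = {"hostname": host, "psk": psk}
    vti = next((h for h, s in blocks.items()
                if h.startswith("interface Tunnel") and "tunnel mode ipsec ipv4" in s), None)
    if vti is None:
        return facts, [f"{host}: no interface with 'tunnel mode ipsec ipv4'"]
    sub = blocks[vti]
    facts["source"], facts["destination"] = _arg(sub, "tunnel source "), _arg(sub, "tunnel destination ")
    profile = _arg(sub, "tunnel protection ipsec profile ")
    if not profile:
        return facts, [f"{host}: {vti} has no 'tunnel protection ipsec profile'"]
    ts_name = _arg(blocks.get(f"crypto ipsec profile {profile}", []), "set transform-set ")
    ts = next((h for h in blocks if h.startswith(f"crypto ipsec transform-set {ts_name} ")), None)
    if ts is None:
        return facts, [f"{host}: profile {profile} does not reference a defined transform set"]
    facts["transform"] = ts.split(maxsplit=4)[4]      # e.g. 'esp-aes esp-sha-hmac'
    mode = _arg(blocks[ts], "mode ") or "tunnel"      # IOS defaults to tunnel mode
    return facts, ([] if mode == "tunnel" else
                   [f"{host}: transform set {ts_name} is 'mode {mode}'; a VTI requires tunnel mode"])

def check_pair(a, b):
    """Cross-router checks: mirrored endpoints, identical proposal, usable matching key."""
    findings = []
    if a.get("destination") != b.get("source") or b.get("destination") != a.get("source"):
        findings.append("tunnel source/destination are not mirrored between the routers")
    if a.get("transform") != b.get("transform"):
        findings.append("transform sets differ, so the phase 2 proposals will not match")
    keys = [s["psk"].get(p.get("source")) or s["psk"].get("0.0.0.0") for s, p in ((a, b), (b, a))]
    for side, key in zip((a, b), keys):
        if key is None:
            findings.append(f"{side['hostname']}: no ISAKMP key for the peer address (or 0.0.0.0)")
    if None not in keys and keys[0] != keys[1]:
        findings.append("pre-shared keys differ between the routers")
    return findings

def audit(config_a, config_b):
    """All findings for the pair; an empty list means both sides are consistent."""
    a, fa = analyse(config_a)
    b, fb = analyse(config_b)
    return fa + fb + check_pair(a, b)
```

Running `audit(R1_CONFIG, R2_CONFIG)` on the posted configs returns an empty list, which matches the replies saying the config looks fine; changing `mode tunnel` to `mode transport` or using different keys on the two sides produces one finding per problem, so the checker is a quick way to rule out the configuration before blaming the image.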
10 REPLIES
VIP Advisor

Re: VTI and IPSEC (tunnel mode ipsec is not working )

Hello,

 

The config looks good actually. Which routers are you using, and is this a simulator or live equipment?

 

What if you change:

 

crypto isakmp key MY_PASSWORD address 192.168.12.1

 

to

 

crypto isakmp key MY_PASSWORD address 0.0.0.0 0.0.0.0

 

on both ends ?

VIP Advisor

Re: VTI and IPSEC (tunnel mode ipsec is not working )

Hello

What are you testing this on? I am asking because as far as I can see your config looks okay.



kind regards
Paul

Please don't forget to rate any posts that have been helpful.
Beginner

Re: VTI and IPSEC (tunnel mode ipsec is not working )

Hi,

I already tried the solution you proposed above.

But it still cannot. I don't know why.

I thought the VPC was the error, so I changed the VPC to routers and tested, but still got the error.

Please see the ping test and trace route.

If I remove IPsec tunnel mode, they can reach each other.

VIP Advisor

Re: VTI and IPSEC (tunnel mode ipsec is not working )

Hello

It sounds like your simulation software; try GNS3 and test again.



kind regards
Paul

Please don't forget to rate any posts that have been helpful.
VIP Advisor

Re: VTI and IPSEC (tunnel mode ipsec is not working )

Hello,

 

This looks like GNS3; which images are you using?

 

Post the full configs of all 4 routers so we can lab this...

Beginner

Re: VTI and IPSEC (tunnel mode ipsec is not working )

Hi,
I am using c7200-advipservicesk9-mz.152-4.S5.image. If it is a GNS3 error, I am happy; I worry it cannot work in production. Please see the config of all 4 routers.
R1#sh run
Building configuration...

Current configuration : 1583 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!

!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated

ip tcp synwait-time 5
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key MY_PASSWORD address 0.0.0.0
!
!
crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
set transform-set MY_TRANSFORM_SET
!
!
interface Tunnel0
ip address 12.12.12.1 255.255.255.0
tunnel source 192.168.12.1
tunnel mode ipsec ipv4
tunnel destination 192.168.12.2
tunnel protection ipsec profile IPSEC_PROFILE
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
!
interface GigabitEthernet0/0
ip address 192.168.12.1 255.255.255.0
media-type gbic
speed 1000
duplex full
negotiation auto
!
interface GigabitEthernet1/0
ip address 192.168.1.254 255.255.255.0
negotiation auto
!
interface GigabitEthernet2/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

R1#

 

R2#sh run
Building configuration...

Current configuration : 1583 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key MY_PASSWORD address 0.0.0.0
!
!
crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
set transform-set MY_TRANSFORM_SET
!
!
!
!
!
!
!
interface Tunnel0
ip address 12.12.12.2 255.255.255.0
tunnel source 192.168.12.2
tunnel mode ipsec ipv4
tunnel destination 192.168.12.1
tunnel protection ipsec profile IPSEC_PROFILE
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
!
interface GigabitEthernet0/0
ip address 192.168.12.2 255.255.255.0
media-type gbic
speed 1000
duplex full
negotiation auto
!
interface GigabitEthernet1/0
ip address 192.168.2.254 255.255.255.0
negotiation auto
!
interface GigabitEthernet2/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

R2#

R3#sh run
Building configuration...

Current configuration : 1095 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
!
interface GigabitEthernet0/0
no ip address
shutdown
media-type gbic
speed 1000
duplex full
negotiation auto
!
interface GigabitEthernet1/0
ip address 192.168.1.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet2/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

R3#

R4#sh run
Building configuration...

Current configuration : 1095 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
!
interface GigabitEthernet0/0
no ip address
shutdown
media-type gbic
speed 1000
duplex full
negotiation auto
!
interface GigabitEthernet1/0
ip address 192.168.2.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet2/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet3/0
no ip address
shutdown
negotiation auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.2.254
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

R4#

VIP Advisor

Re: VTI and IPSEC (tunnel mode ipsec is not working )

Hello,

 

I just recreated your exact setup in GNS3, with IOSv 15.6(2)T, and it works perfectly. So I am pretty sure it is a version problem; there is nothing wrong with the configs.

Beginner

Re: VTI and IPSEC (tunnel mode ipsec is not working )

Hi,

Thank you for your help. I have already tested with a real device, and VTI with a pre-shared key is working.

Please let me know about the points below, as I am confused.

  1. Can I create an IPsec static VTI tunnel with a CA (without using a pre-shared key)?
  2. Can I set up both a static VTI tunnel and a DMVPN tunnel on one branch router? (I want to connect to DC1 using IPsec with VTI and send traffic to DC2 using DMVPN, because DC1 uses non-Cisco devices and DC2 uses Cisco devices. The branches are using Cisco routers.)
Rising star

Re: VTI and IPSEC (tunnel mode ipsec is not working )

https://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html#wp1046681

Restrictions for IPsec Virtual Tunnel Interface
IPsec Transform Set
The IPsec transform set must be configured in tunnel mode only.

P.S.
Good tool: https://cway.cisco.com/tools/ipsec-overhead-calc/
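Added example (not the Cisco calculator linked above, nor code from this thread): the arithmetic behind such a calculator, worked for the thread's own transform set (esp-aes esp-sha-hmac in tunnel mode) and for the GRE over IPsec alternative the question compares against. It shows why a VTI needs a smaller `ip mtu` on the tunnel interface than the 1500-byte link, and what TCP MSS to clamp. Header and ICV sizes come from the ESP RFCs (4303, 3602, 2451, 2403, 2404, 4868); the function names and the IOS keyword mapping are this example's own.

```python
"""ESP overhead arithmetic for IOS transform sets (added example, not the Cisco tool).
Shows why a VTI with esp-aes esp-sha-hmac in tunnel mode needs a smaller 'ip mtu'
than the 1500-byte link, and how GRE over IPsec compares."""

IPV4_HDR = 20   # outer/delivery IPv4 header without options
ESP_HDR = 8     # SPI (4 bytes) + sequence number (4 bytes)
GRE_HDR = 4     # plain GRE header without key/sequence options

# IOS transform keyword -> (IV length, block alignment); RFC 3602 (AES-CBC),
# RFC 2451 (3DES-CBC), RFC 4303 (4-byte alignment for ESP-NULL).
CIPHERS = {"esp-aes": (16, 16), "esp-3des": (8, 8), "esp-null": (0, 4)}
# IOS transform keyword -> ICV length; truncated HMACs per RFC 2404, RFC 2403, RFC 4868.
AUTH = {"esp-sha-hmac": 12, "esp-md5-hmac": 12, "esp-sha256-hmac": 16}


def esp_packet_size(inner_len, cipher="esp-aes", auth="esp-sha-hmac", mode="tunnel", gre=False):
    """Bytes on the wire for an inner IPv4 packet of inner_len bytes after ESP encapsulation.

    mode='tunnel' protects the whole inner packet and adds a new outer IPv4 header
    (what a static VTI does). mode='transport' keeps the outermost header in the clear
    and protects only the payload. gre=True first wraps the packet in GRE plus a
    delivery IPv4 header, the GRE over IPsec case the question compares against."""
    iv, block = CIPHERS[cipher]
    if gre:
        inner_len += GRE_HDR + IPV4_HDR
    # In transport mode the outermost IP header is not ESP payload.
    payload = inner_len if mode == "tunnel" else inner_len - IPV4_HDR
    # ESP trailer: pad so payload + padding + pad-length byte + next-header byte fill whole blocks.
    padded = -(-(payload + 2) // block) * block
    return IPV4_HDR + ESP_HDR + iv + padded + AUTH[auth]


def overhead(inner_len, **kw):
    """Bytes added for this inner size; it varies with padding, so it is not one constant."""
    return esp_packet_size(inner_len, **kw) - inner_len


def max_inner_mtu(link_mtu=1500, **kw):
    """Largest inner packet whose encapsulated size still fits the link MTU unfragmented.
    This (or a rounder value below it) is what to set as 'ip mtu' on the tunnel interface."""
    size = link_mtu
    while esp_packet_size(size, **kw) > link_mtu:
        size -= 1
    return size


def tcp_mss(inner_mtu):
    """TCP MSS to clamp with 'ip tcp adjust-mss': inner MTU minus IPv4 (20) and TCP (20) headers."""
    return inner_mtu - 40


if __name__ == "__main__":
    cases = [("VTI, tunnel mode", {}),
             ("GRE over IPsec, transport mode", {"gre": True, "mode": "transport"}),
             ("GRE over IPsec, tunnel mode", {"gre": True})]
    for label, kw in cases:
        inner = max_inner_mtu(1500, **kw)
        print(f"{label}: 1500-byte packet -> {esp_packet_size(1500, **kw)} bytes on the wire; "
              f"ip mtu {inner}, ip tcp adjust-mss {tcp_mss(inner)}")
```

For the thread's transform set a 1500-byte packet becomes 1560 bytes in tunnel mode, so anything above 1438 bytes entering Tunnel0 has to be fragmented or dropped unless the tunnel's `ip mtu` and `ip tcp adjust-mss` are lowered; GRE over IPsec costs a further 16 bytes in transport mode because of the extra GRE and delivery headers.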
Beginner

Re: VTI and IPSEC (tunnel mode ipsec is not working )

Hi,
Do you mean I cannot configure VTI with IPsec? Should I use GRE over IPsec? I can use tunnel mode only, because I have to create two tunnels with a certificate.