Problem with GRE tunnel and VRF

Rizio
Messianic Network master
Posts: 1158
Joined: Fri 12 Oct 2007, 2:48 pm

Hi,
I have a GRE tunnel that, ever since one of the two 1801s was migrated into a VRF, no longer comes up. Does anyone have a hint for me?
The problem that one of the two routers reports is this:

Code:

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at x.x.x.x

I checked the IPsec profiles and they are identical!

Code:

VPN-ROUTER-01#sh crypto ipsec profile 
IPSEC profile ITALY
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={ 
                myset:  { esp-aes esp-md5-hmac  } , 
        }

Code:

VPN-ROUTER-02#sh crypto ipsec profile 
IPSEC profile TUNNEL-PROFILE
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={ 
                myset:  { esp-aes esp-md5-hmac  } , 
        }

The IPsec debug on one of the 2 nodes tells me this:

Code:

.Feb  5 16:26:47.190: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= X.X.X.X, remote= Y.Y.Y.Y,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), 
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel), 
    lifedur= 3600s and 4608000kb, 
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
.Feb  5 16:26:47.190: IPSEC(key_engine): got a queue event with 1 KMI message(s)

and the two tunnels are perfectly identical:

Code:

VPN-ROUTER-01#sh int tu 3
Tunnel3 is up, line protocol is down 
  Hardware is Tunnel
  Internet address is 192.168.255.1/30
  MTU 17940 bytes, BW 1024 Kbit/sec, DLY 50000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source Y.Y.Y.Y (Vlan201), destination X.X.X.X
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1500 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "TUNNEL-PROFILE")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

Code:

VPN-ROUTER-02#sh int tu 3
Tunnel3 is up, line protocol is down 
  Hardware is Tunnel
  Internet address is 192.168.255.2/30
  MTU 17940 bytes, BW 1024 Kbit/sec, DLY 50000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source X.X.X.X, destination Y.Y.Y.Y
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1500 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "ITALY")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

The pre-shared keys are correct and the ISAKMP policies are identical to each other.

Code:

VPN-ROUTER-01#sh crypto isakmp policy 
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit

Does anyone have any ideas to suggest?
Thanks in advance.
Rizio
Si vis pacem para bellum
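
A way to check the "profiles are identical" step from the post above, as an added example that is not part of the original thread: it parses the "show crypto ipsec profile" output and compares the negotiated parameters, ignoring the profile and transform-set names, which are only local labels. The function names are assumptions, and the sample input is constructed from the outputs quoted in the post.

```python
import re

# Constructed sample input, built from the two outputs quoted in the post.
ROUTER_01 = """\
IPSEC profile ITALY
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                myset:  { esp-aes esp-md5-hmac  } ,
        }
"""
ROUTER_02 = ROUTER_01.replace("ITALY", "TUNNEL-PROFILE")


def parse_profiles(text):
    """Return {profile_name: parameters} parsed from the command output."""
    profiles, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"IPSEC profile (\S+)", line):
            current = profiles.setdefault(m.group(1), {"transforms": set()})
        elif current is None:
            continue  # ignore prompt lines before the first profile header
        elif m := re.match(
            r"Security association lifetime: (\d+) kilobytes/(\d+) seconds", line
        ):
            current["lifetime_kb"] = int(m.group(1))
            current["lifetime_s"] = int(m.group(2))
        elif m := re.match(r"(Responder-Only|PFS) \(Y/N\): ([YN])", line):
            current[m.group(1)] = m.group(2)
        elif m := re.match(r"\S+:\s*\{([^}]*)\}", line):
            # Transform-set names are local; only the algorithm list is kept.
            current["transforms"].add(frozenset(m.group(1).split()))
    return profiles


def mismatches(a, b):
    """List the parameter names whose values differ between two profiles."""
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))


if __name__ == "__main__":
    p1 = parse_profiles(ROUTER_01)["ITALY"]
    p2 = parse_profiles(ROUTER_02)["TUNNEL-PROFILE"]
    print("differing parameters:", mismatches(p1, p2))
```

An empty list rules out these parameters as the cause, which is consistent with the thread, where the fix was found elsewhere in the configuration.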
Rizio

The answer was in the crypto maps. Here is the link to the solution:
http://www.cisco.com/en/US/docs/ios/sec ... ipsec.html


Rizio
Si vis pacem para bellum