GRE over IPSec | Transport Mode

Hi Guys,

I am hoping someone can help me with this small issue. I am trying to lab up a basic IPSec config (GRE over IPSec); the problem I am having is that it always negotiates "tunnel mode", even though I have explicitly configured it for "transport mode".

I am not sure if it's my config, a combination of the config, a bug, or something else... but I do know this is driving me bonkers!

Thanks.

Basic Topology

R1 --VLAN1012-- R2 --VLAN1024-- R4



****
****R1
****
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key PASSWORD address 24.0.0.4
!
!
crypto ipsec transform-set TRANS1 esp-des esp-md5-hmac
 mode transport
!

crypto map MAP100 10 ipsec-isakmp
 set peer 24.0.0.4
 set transform-set TRANS1
 match address 130
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 ip ospf 100 area 0
!
interface Tunnel100
 ip address 14.0.0.1 255.255.255.0
 ip hello-interval eigrp 100 30
 ip hold-time eigrp 100 60
 tunnel source Loopback0
 tunnel destination 4.4.4.4
!
!
!
interface GigabitEthernet1.113
 encapsulation dot1Q 113
 ip address 100.1.3.1 255.255.255.0
!
interface GigabitEthernet1.1012
 encapsulation dot1Q 1012
 ip address 12.0.0.1 255.255.255.0
 ip ospf 100 area 0
 crypto map MAP100
!
!
router eigrp 100
 network 14.0.0.0
 network 100.0.0.0
!
router ospf 100
!
access-list 130 permit gre host 1.1.1.1 host 4.4.4.4
!


****
****R4
****

!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key PASSWORD address 12.0.0.1
!
!
crypto ipsec transform-set TRANS1 esp-des esp-md5-hmac
 mode transport
!
crypto map MAP100 10 ipsec-isakmp
 set peer 12.0.0.1
 set transform-set TRANS1
 match address 130
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
 ip ospf 100 area 0
!
interface Tunnel100
 ip address 14.0.0.4 255.255.255.0
 ip hello-interval eigrp 100 30
 ip hold-time eigrp 100 60
 tunnel source Loopback0
 tunnel destination 1.1.1.1
!
!
!
interface GigabitEthernet1.406
 encapsulation dot1Q 406
 ip address 100.4.6.4 255.255.255.0
!
interface GigabitEthernet1.1024
 encapsulation dot1Q 1024
 ip address 24.0.0.4 255.255.255.0
 ip ospf 100 area 0
 crypto map MAP100
!
!
router eigrp 100
 network 14.0.0.0
 network 100.0.0.0
!
router ospf 100
!
access-list 130 permit gre host 4.4.4.4 host 1.1.1.1
!

/////////////////////////////////
/////////////////////////////////

CSR_R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
24.0.0.4        12.0.0.1        QM_IDLE           1002 ACTIVE

IPv6 Crypto ISAKMP SA


/////////////////////////////////
/////////////////////////////////


CSR_R1#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },

Transform set TRANS1: { esp-des esp-md5-hmac  }
   will negotiate = { Transport,  },


/////////////////////////////////
/////////////////////////////////



CSR_R1#show crypto ipsec sa

interface: GigabitEthernet1.1012
    Crypto map tag: MAP100, local addr 12.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/47/0)
   current_peer 24.0.0.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 139, #pkts encrypt: 139, #pkts digest: 139
    #pkts decaps: 142, #pkts decrypt: 142, #pkts verify: 142
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 12.0.0.1, remote crypto endpt.: 24.0.0.4
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1.1012
     current outbound spi: 0xA9FB1737(2851804983)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x8FF2B52E(2415047982)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2005, flow_id: CSR:5, sibling_flags FFFFFFFF80004048, crypto map: MAP100
        sa timing: remaining key lifetime (k/sec): (4608000/371)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
      spi: 0x852602C9(2233860809)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2007, flow_id: CSR:7, sibling_flags FFFFFFFF80004048, crypto map: MAP100
        sa timing: remaining key lifetime (k/sec): (4607988/371)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xDFFD1D95(3757907349)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2006, flow_id: CSR:6, sibling_flags FFFFFFFF80004048, crypto map: MAP100
        sa timing: remaining key lifetime (k/sec): (4608000/371)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
      spi: 0xA9FB1737(2851804983)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2008, flow_id: CSR:8, sibling_flags FFFFFFFF80004048, crypto map: MAP100
        sa timing: remaining key lifetime (k/sec): (4607988/371)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
CSR_R1#



CSR_R4#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
24.0.0.4        12.0.0.1        QM_IDLE           1009 ACTIVE
24.0.0.4        12.0.0.1        MM_NO_STATE       1008 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

This is a debug from the R4 side:


CSR_R4#
*Sep 14 15:49:04.191: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel100, changed state to up
*Sep 14 15:49:04.357: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Sep 14 15:49:04.376: IPSEC(validate_proposal_request): proposal part #1
*Sep 14 15:49:04.376: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 24.0.0.4:0, remote= 12.0.0.1:0,
    local_proxy= 4.4.4.4/255.255.255.255/47/0,
    remote_proxy= 1.1.1.1/255.255.255.255/47/0,
    protocol= ESP, transform= esp-des esp-md5-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Sep 14 15:49:04.376: Crypto mapdb : proxy_match
        src addr     : 4.4.4.4
        dst addr     : 1.1.1.1
        protocol     : 47
        src port     : 0
        dst port     : 0
*Sep 14 15:49:04.376: (ipsec_process_proposal)Map Accepted: MAP100, 10
*Sep 14 15:49:04.376: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Sep 14 15:49:04.376: Crypto mapdb : proxy_match
        src addr     : 4.4.4.4
        dst addr     : 1.1.1.1
        protocol     : 47
        src port     : 0
        dst port     : 0
*Sep 14 15:49:04.376: IPSEC(crypto_ipsec_create_ipsec_sas): Map found MAP100, 10
*Sep 14 15:49:04.376: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 12.0.0.1
*Sep 14 15:49:04.376: IPSEC(create_sa): sa created,
  (sa) sa_dest= 24.0.0.4, sa_proto= 50,
    sa_spi= 0x69D0A7DD(1775282141),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2025
    sa_lifetime(k/sec)= (4608000/3600),
  (identity) local= 24.0.0.4:0, remote= 12.0.0.1:0,
    local_proxy= 4.4.4.4/255.255.255.255/47/0,
    remote_proxy= 1.1.1.1/255.255.255.255/47/0
*Sep 14 15:49:04.377: IPSEC(create_sa): sa created,
  (sa) sa_dest= 12.0.0.1, sa_proto= 50,
    sa_spi= 0x71F0B4B5(1911600309),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2026
    sa_lifetime(k/sec)= (4608000/3600),
  (identity) local= 24.0.0.4:0, remote= 12.0.0.1:0
CSR_R4#,
    local_proxy= 4.4.4.4/255.255.255.255/47/0,
    remote_proxy= 1.1.1.1/255.255.255.255/47/0
*Sep 14 15:49:04.601: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Sep 14 15:49:04.601: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
CSR_R4#
CSR_R4#
CSR_R4#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
24.0.0.4        12.0.0.1        QM_IDLE           1009 ACTIVE
24.0.0.4        12.0.0.1        MM_NO_STATE       1008 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

CSR_R4#show cry
CSR_R4#show crypto ips
CSR_R4#show crypto ipsec sa
*Sep 14 15:49:19.604: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 14.0.0.1 (Tunnel100) is up: new adjacency
CSR_R4#show crypto ipsec sa

interface: GigabitEthernet1.1024
    Crypto map tag: MAP100, local addr 24.0.0.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
   current_peer 12.0.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 6
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 24.0.0.4, remote crypto endpt.: 12.0.0.1
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1.1024
     current outbound spi: 0x71F0B4B5(1911600309)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x69D0A7DD(1775282141)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2025, flow_id: CSR:25, sibling_flags FFFFFFFF80000048, crypto map: MAP100
        sa timing: remaining key lifetime (k/sec): (4607999/3583)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x71F0B4B5(1911600309)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2026, flow_id: CSR:26, sibling_flags FFFFFFFF80000048, crypto map: MAP100
        sa timing: remaining key lifetime (k/sec): (4607999/3583)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
CSR_R4#
*Sep 14 15:49:20.939: IPSEC(sibling_update_flow_stats): IPSEC: MIB Stats Ptr 0x7FCDD3835DD0

*Sep 14 15:49:20.939: IPSEC(sibling_update_flow_stats): IPSEC: MIB Stats Ptr 0x7FCDD3835DD0

*Sep 14 15:49:20.939: IPSEC(sibling_update_flow_stats): IPSEC: Flow ID : 0x24000019, Flow Stats Ptr 0x7FCE2ECCAB10

*Sep 14 15:49:20.939: IPSEC(sibling_update_flow_stats): IPSEC: MIB Stats Ptr 0x7FCDD3835DD0

CSR_R4#

Comments

  • Hi 1000base-T

    This situation occurs because the traffic in the crypto ACL that triggers the IPsec tunnel negotiation does not actually coincide with the IPsec tunnel endpoint peer.

    As you can see, you are sourcing your GRE from loopbacks but your crypto map policies are applied to physical interfaces; that's why your output always shows tunnel mode being applied.

    HTH

  • Thank you pgallo....That was it.

    inbound esp sas:
          spi: 0x2BA21487(732042375)
            transform: esp-des esp-md5-hmac ,
            in use settings ={Transport, }

  • > Thank you pgallo....That was it.
    >
    > inbound esp sas:
    >       spi: 0x2BA21487(732042375)
    >         transform: esp-des esp-md5-hmac ,
    >         in use settings ={Transport, }

    I'm glad I was able to help you :)


  • "Transport mode" was designed to be used ONLY when the two VPN tunnel endpoints are one and the same with the clear-text traffic you send over the VPN tunnel, like when you would build an IPsec tunnel between two hosts. This is why if you run IPsec without GRE, you can never ever use transport mode, because if you have GRE with IPsec, the encrypted traffic endpoints are the two routers (source/destination of the IPsec tunnel) and also the decrypted traffic endpoints are the two routers (source/destination of the GRE tunnel); which further means that transport mode can be used only if you protect GRE traffic and only if the GRE tunnel endpoints are the same as the IPsec tunnel endpoints.

    Also something else you can understand from that example is that when you configure "mode transport" that is NOT a hard/must statement as is the case with most of the other commands; the way you should read that command is "I want to negotiate transport mode if the IPsec method I'm using allows for that and if the configuration is correct, otherwise fall back to tunnel mode."
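    To make the diagnosis in the two replies above concrete (the crypto ACL identities not matching the IPsec endpoints is what forces the fallback to tunnel mode), here is an added Python example, not code from this thread or from Cisco: it parses the relevant fields of IOS `show crypto ipsec sa` output and reports why transport mode was not negotiated. The "before" sample is built from the R1 output posted above; the "after" sample is constructed on the assumption that the GRE tunnel has been re-sourced from the crypto endpoint addresses (12.0.0.1 and 24.0.0.4) with the crypto ACL matching those hosts, which is the change the replies imply; its outbound SPI value is hypothetical.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of IOS "show crypto ipsec sa" output, modelled on the
# R1 output in the thread (addresses and SPIs copied from the post, trimmed).
SAMPLE_BEFORE = """\
interface: GigabitEthernet1.1012
    Crypto map tag: MAP100, local addr 12.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (4.4.4.4/255.255.255.255/47/0)
   current_peer 24.0.0.4 port 500

     local crypto endpt.: 12.0.0.1, remote crypto endpt.: 24.0.0.4

     inbound esp sas:
      spi: 0x8FF2B52E(2415047982)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }

     outbound esp sas:
      spi: 0xDFFD1D95(3757907349)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
"""

# Constructed "after" excerpt: the GRE tunnel is assumed to be sourced from the
# crypto endpoint addresses, so the crypto ACL identities equal the IPsec peers
# and transport mode is negotiated. The outbound SPI is a hypothetical value.
SAMPLE_AFTER = """\
interface: GigabitEthernet1.1012
    Crypto map tag: MAP100, local addr 12.0.0.1

   local  ident (addr/mask/prot/port): (12.0.0.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (24.0.0.4/255.255.255.255/47/0)
   current_peer 24.0.0.4 port 500

     local crypto endpt.: 12.0.0.1, remote crypto endpt.: 24.0.0.4

     inbound esp sas:
      spi: 0x2BA21487(732042375)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Transport, }

     outbound esp sas:
      spi: 0x1A2B3C4D(439041101)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Transport, }
"""

# Field patterns as printed by IOS ("local  ident" carries two spaces).
IDENT_RE = re.compile(r"^\s*(local|remote)\s+ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/(\d+)/(\d+)\)")
ENDPT_RE = re.compile(r"local crypto endpt\.: (\S+), remote crypto endpt\.: (\S+)")
DIR_RE = re.compile(r"^\s*(inbound|outbound) esp sas:")
SPI_RE = re.compile(r"^\s*spi: (0x[0-9A-Fa-f]+)")
MODE_RE = re.compile(r"^\s*in use settings =\{(\w+),\s*\}")


@dataclass
class SaRecord:
    direction: str  # "inbound" or "outbound"
    spi: str
    mode: str       # "Tunnel" or "Transport", as IOS prints it


@dataclass
class CryptoFlow:
    local_ident: str    # crypto ACL source host (the GRE source here)
    remote_ident: str   # crypto ACL destination host (the GRE destination)
    local_endpt: str    # address the crypto map is applied on
    remote_endpt: str   # "set peer" address
    sas: list = field(default_factory=list)


def parse_ipsec_sa(text: str) -> CryptoFlow:
    """Extract proxy identities, crypto endpoints and per-SA mode from one flow."""
    local_ident = remote_ident = local_endpt = remote_endpt = None
    sas, direction, spi = [], None, None
    for line in text.splitlines():
        if m := IDENT_RE.match(line):
            if m.group(1) == "local":
                local_ident = m.group(2)
            else:
                remote_ident = m.group(2)
        elif m := ENDPT_RE.search(line):
            local_endpt, remote_endpt = m.groups()
        elif m := DIR_RE.match(line):
            direction = m.group(1)
        elif m := SPI_RE.match(line):
            spi = m.group(1)
        elif (m := MODE_RE.match(line)) and direction and spi:
            sas.append(SaRecord(direction, spi, m.group(1)))
            spi = None  # the next "in use settings" belongs to the next SPI
    if None in (local_ident, remote_ident, local_endpt, remote_endpt):
        raise ValueError("incomplete 'show crypto ipsec sa' excerpt")
    return CryptoFlow(local_ident, remote_ident, local_endpt, remote_endpt, sas)


def audit_transport_mode(flow: CryptoFlow, configured_mode: str = "transport"):
    """Return (transport_achievable, findings).

    Transport mode can only be negotiated when the identities protected by the
    crypto ACL are the IPsec peer addresses themselves; otherwise IOS silently
    falls back to tunnel mode even though "mode transport" is configured.
    """
    achievable = (flow.local_ident == flow.local_endpt
                  and flow.remote_ident == flow.remote_endpt)
    findings = []
    if configured_mode == "transport" and not achievable:
        findings.append(
            f"proxy identities {flow.local_ident}->{flow.remote_ident} differ from "
            f"crypto endpoints {flow.local_endpt}->{flow.remote_endpt}: "
            "transport mode cannot be negotiated, expect fallback to tunnel mode")
    for sa in flow.sas:
        if configured_mode == "transport" and sa.mode.lower() != "transport":
            findings.append(f"{sa.direction} SA {sa.spi} is in {sa.mode} mode, not Transport")
    return achievable, findings


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        ok, findings = audit_transport_mode(parse_ipsec_sa(sample))
        print(f"[{label}] transport achievable: {ok}")
        for f in findings:
            print("   -", f)
```

    Running the script on the "before" sample yields one finding for the identity mismatch and one per SA still in Tunnel mode; the "after" sample yields none. The same parser can be pointed at a saved `show crypto ipsec sa` capture to confirm, rather than assume, which mode a peer actually negotiated.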

     

  • Thanks Cristian....that makes sense...now that you point it out :-)