IPsec over GRE: Tunnel protocol is down: Tunnel with VLAN interface
I have an IPsec over GRE tunnel between two routers (of course :) )
I had a physical interface limitation, so I could not assign an IP address to it. It is an L2 interface. So I created a VLAN, assigned an IP address to the VLAN, and then called the VLAN under the interface.
Here is my configuration. After I configured this, I see that the tunnel protocol status is DOWN.
crypto map mymap local-address FastEthernet0/0/0
crypto map mymap 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set myset
 match address 110
interface Tunnel40
 bandwidth 2000
 ip address 10.10.10.10 255.255.255.252
 ip mtu 1420
 ip tcp adjust-mss 1380
 keepalive 10 3
 tunnel source FastEthernet0/0/0
 tunnel destination 2.2.2.2
 tunnel path-mtu-discovery
end
interface fa0/0/0
 switchport access vlan 1
 crypto map mymap
Here are the debugs:
Nov 18 15:52:48.276: IPSEC(validate_transform_proposal): invalid local address 213.163.150.250
Nov 18 15:52:48.276: ISAKMP:(0:196:HW:2): IPSec policy invalidated proposal
Nov 18 15:52:48.280: ISAKMP:(0:196:HW:2): phase 2 SA policy not acceptable! (local 213.163.150.250 remote 80.169.157.115)
Nov 18 15:52:48.280: ISAKMP: set new node -1071324651 to QM_IDLE
Nov 18 15:52:48.280: ISAKMP:(0:196:HW:2):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 1698541472, message ID = -1071324651
Solution:
=============
Here is the solution that fixed the issue:
Removed this line: crypto map mymap local-address FastEthernet0/0/0
interface Tunnel40
 no keepalive 10 3
 no tunnel source FastEthernet0/0/0
 tunnel source vlan1
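
The fix above moves the tunnel source off the L2 interface, which has no IP address, and onto the VLAN interface. As an added example (not from the original post), this Python check scans a configuration for `tunnel source` and `crypto map ... local-address` lines that name an interface with no `ip address`. The sample config is constructed from the post's; the Vlan1 stanza and its 192.0.2.1 address are assumptions.

```python
import re

# Constructed sample modelled on the post's configuration; the Vlan1 stanza and
# its address (a documentation-range IP) are assumptions, not shown on the page.
SAMPLE_BEFORE = """\
crypto map mymap local-address FastEthernet0/0/0
interface Tunnel40
 ip address 10.10.10.10 255.255.255.252
 tunnel source FastEthernet0/0/0
 tunnel destination 2.2.2.2
interface fa0/0/0
 switchport access vlan 1
interface Vlan1
 ip address 192.0.2.1 255.255.255.0
"""

FULL_NAMES = ("fastethernet", "gigabitethernet", "vlan", "tunnel", "loopback")

def canon(name):
    """Normalise an interface name: 'fa0/0/0' and 'FastEthernet0/0/0' compare equal."""
    m = re.match(r"([a-z]+)\s*(.*)", name.strip().lower())
    prefix, unit = m.group(1), m.group(2)
    full = next((f for f in FULL_NAMES if f.startswith(prefix)), prefix)
    return full + unit

def find_unaddressed_sources(config):
    """Return (line, interface) pairs that source IPsec/GRE from an interface with no IP."""
    has_ip, refs, current = set(), [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # top-level line ends any interface stanza
            m = re.match(r"interface\s+(\S+)", line, re.I)
            current = canon(m.group(1)) if m else None
        if current and re.match(r"ip address \d", line):
            has_ip.add(current)
        m = re.match(r"(?:tunnel source|crypto map \S+ local-address)\s+(\S+)", line, re.I)
        if m and not re.match(r"\d+\.\d+\.\d+\.\d+$", m.group(1)):
            refs.append((line, canon(m.group(1))))
    return [(line, ifc) for line, ifc in refs if ifc not in has_ip]

if __name__ == "__main__":
    for line, ifc in find_unaddressed_sources(SAMPLE_BEFORE):
        print(f"{ifc} has no IP address but is referenced by: {line}")
```

On the sample, both the `local-address` line and the `tunnel source` line are reported; with the post's fix applied, nothing is reported.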