Ok, I am having an issue... Both routers, the 5009 and the 5012, will not connect if I apply the IPsec tunnel to the GRE tunnel; the GRE will work with the IPsec...
I keep getting "Cannot find SA" and it drops all packets. This happens on both sides.
Here are my configs...
(This is in a lab, and I have a 3036 routing the traffic between the two 50XX routers.)
Brief overview of the network...
5009
int 10.10.10.1 /24
ext 206.13.30.12 /29
gw 206.13.30.13
tun1 192.168.168.1 /24
5012
int 11.11.11.1 /24
ext 207.178.157.122 /29
gw 207.178.157.123
tun1 192.168.168.2 /24
3036
int 1/0 207.178.157.123 /29
int 2/0 206.13.30.13 /29
On the 5012...
#
#3Com Router Software Extended_V3.12p01
#
sysname 5012_Site_B
#
configure-user count 2
#
cpu-usage cycle 1min
#
web set-package force flash:/http.zip
#
radius scheme system
#
domain system
#
local-user admin
password simple password
service-type telnet terminal
level 3
service-type ftp
#
ike peer 206.13.30.12
pre-shared-key 1234567890
remote-address 206.13.30.12
local-address 207.178.157.122
#
ipsec proposal tran1
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ipsec policy ipsectunnel 10 isakmp
security acl 3003
ike-peer 206.13.30.12
proposal tran1
#
acl number 2000
rule 0 permit source 11.11.11.0 0.0.0.255
#
acl number 3001
rule 0 permit tcp
rule 1 permit icmp
rule 2 permit udp
rule 3 permit ospf
rule 4 permit ip
acl number 3003
rule 2 permit icmp destination 10.10.10.0 0.0.0.255
rule 3 permit gre destination 10.10.10.0 0.0.0.255
rule 4 permit igmp destination 10.10.10.0 0.0.0.255
rule 5 permit ip destination 10.10.10.0 0.0.0.255
rule 6 permit tcp destination 10.10.10.0 0.0.0.255
rule 7 permit udp destination 10.10.10.0 0.0.0.255
#
interface Aux0
async mode flow
#
interface Ethernet0/0
ip address 11.11.11.1 255.255.255.0
#
interface Ethernet2/0
ip address 207.178.157.122 255.255.255.248
nat outbound 2000
#
interface Serial0/0
clock DTECLK1
link-protocol ppp
ip address dhcp-alloc
#
interface Tunnel1
ip address 192.168.168.2 255.255.255.0
source 207.178.157.122
destination 206.13.30.12
ipsec policy ipsectunnel
#
interface NULL0
#
FTP server enable
#
ip route-static 0.0.0.0 0.0.0.0 207.178.157.123 preference 60
ip route-static 10.10.10.0 255.255.255.0 Tunnel 1 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
On the 5009...
3Com Router Software Extended_V1.40
local-user admin service-type ftp administrator password simple password
sysname 5009_Site_A
firewall disable
aaa-enable
aaa accounting-scheme optional
undo vrrp ping-enable
ftp-server enable
undo idle-timeout
ipsec sa dynamic-detect
!
ike pre-shared-key 1234567890 remote 207.178.157.122
!
acl 2000 match-order auto
rule normal permit source 10.10.10.0 0.0.0.255
!
acl 3000 match-order auto
!
acl 3001 match-order auto
rule normal permit tcp source any destination any
rule normal permit icmp source any destination any
rule normal permit udp source any destination any
rule normal permit ospf source any destination any
rule normal permit ip source any destination any
!
acl 3003 match-order auto
rule normal permit icmp source any destination 11.11.11.0 0.0.0.255
rule normal permit igmp source any destination 11.11.11.0 0.0.0.255
rule normal permit tcp source any destination 11.11.11.0 0.0.0.255
rule normal permit udp source any destination 11.11.11.0 0.0.0.255
rule normal permit gre source any destination 11.11.11.0 0.0.0.255
rule normal permit ip source any destination 11.11.11.0 0.0.0.255
!
ipsec proposal tran1
esp-new authentication-algorithm sha1-hmac-96
esp-new encryption-algorithm 3des
!
ipsec policy ipsectunnel 10 isakmp
security acl 3003
proposal tran1
tunnel local 206.13.30.12
tunnel remote 207.178.157.122
sa duration traffic-based 1843200
sa duration time-based 3600
!
interface Aux0
async mode flow
link-protocol ppp
!
interface Ethernet0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet1
ip address 206.13.30.12 255.255.255.248
nat outbound 2000 interface
!
interface Serial0
link-protocol ppp
!
interface Tunnel1
link-protocol tunnel
ip address 192.168.168.1 255.255.255.0
ipsec policy ipsectunnel
source 206.13.30.12
destination 207.178.157.122
!
quit
ip route-static 0.0.0.0 0.0.0.0 206.13.30.13 preference 60
ip route-static 11.11.11.0 255.255.255.0 Tunnel 1 preference 60
!
return
Here is the output...
<5012_Site_B>disp ipsec stat all
the security packet statistics:
input/output security packets: 0/0
input/output security bytes: 0/0
input/output dropped security packets: 0/28
input/output dropped security bytes: 0/1924
dropped security packet detail:
no enough memory: 0
can't find SA: 28
queue is full: 0
authentication is failed: 0
wrong length: 0
replay packet: 0
too long packet: 0
wrong SA: 0
dealed by encrytcard:
input/output security packets: 0/0
input/output security bytes: 0/0
replay packet: 0
<5012_Site_B>
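An added consistency check, not part of the original post and not 3Com tooling: this Python script parses the IKE/IPsec lines of the two configs above, each in its own software version's syntax, and reports the parameters the peers have to agree on before IKE can build an SA (pre-shared key, mirrored tunnel endpoints, ESP algorithms, and the security ACL selectors that quick mode negotiates, which the vendor requires to be mirror images). The algorithm alias table and the config extracts are constructed assumptions; with the posted values it reports only that ACL 3003 on each side is not the mirror of the other.

```python
import re
# Constructed extracts of the two configs posted above (A = 5009, B = 5012), IKE/IPsec lines only.
SITE_A = """\
ike pre-shared-key 1234567890 remote 207.178.157.122
acl 3003 match-order auto
 rule normal permit ip source any destination 11.11.11.0 0.0.0.255
 esp-new authentication-algorithm sha1-hmac-96
 esp-new encryption-algorithm 3des
interface Tunnel1
 source 206.13.30.12
"""
SITE_B = """\
ike peer 206.13.30.12
 pre-shared-key 1234567890
 remote-address 206.13.30.12
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
acl number 3003
 rule 5 permit ip destination 10.10.10.0 0.0.0.255
interface Tunnel1
 source 207.178.157.122
"""
ALG_ALIASES = {"sha1-hmac-96": "sha1", "md5-hmac-96": "md5"}  # assumed V1.40 vs V3 spellings of one HMAC
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
def first(pattern, text):
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def parse_side(text):
    """Pull out the IKE/IPsec parameters the two peers must agree on."""
    auth = first(r"authentication-algorithm (\S+)", text)
    sels = {(s or "any", d or "any") for s, d in re.findall(
        r"permit ip(?: source (any|\S+ \S+))?(?: destination (any|\S+ \S+))?", text)}
    return {"psk": first(r"pre-shared-key (\S+)", text),
            "local": first(r"^\s*source " + IP, text),  # Tunnel1 source doubles as the IKE local address
            "remote": first(r"(?:remote-address|remote) " + IP, text),
            "auth": ALG_ALIASES.get(auth, auth),
            "enc": first(r"encryption-algorithm (\S+)", text),
            "selectors": sels}

def check_pair(a, b):
    """Mismatches that stop IKE from agreeing on an SA; an empty list means both sides agree."""
    checks = [
        (a["psk"] == b["psk"], "pre-shared keys differ"),
        ((a["local"], a["remote"]) == (b["remote"], b["local"]), "tunnel endpoints are not mirrored"),
        (a["auth"] == b["auth"] and a["enc"] == b["enc"], "ESP algorithms differ"),
        (a["selectors"] == {(d, s) for s, d in b["selectors"]},  # quick mode needs mirrored selectors
         "security ACL rules are not mirror images: %s vs %s" % (sorted(a["selectors"]), sorted(b["selectors"]))),
    ]
    return [msg for ok, msg in checks if not ok]
```

Run `check_pair(parse_side(SITE_A), parse_side(SITE_B))` to get the findings list; anything it prints is a parameter to compare on both routers with `display ike sa` / `display ipsec sa` after correcting it.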