GRE-IPsec Tunnel – Setup Between Cisco Router and Linux Router

Tags: cisco, gre, ipsec, linux

I am trying to create a GRE/IPsec tunnel between a Cisco router and a Linux router. The tunnel is UP and active, but when I do a "show crypto session" on the Cisco router the Active SAs keep on increasing, reach a limit of 2800 and then restart again. The IPsec SPI is rekeyed and keeps on increasing on both sides. The Phase 1 (86400 sec) and Phase 2 (3600 sec) lifetimes and policies are also the same on both sides. Is there any rekeying parameter I am missing in terms of configuration? What am I missing? Seems like a small parameter change to me? Please find below the configurations on the Cisco and Linux routers:

Cisco 2901

crypto isakmp policy 20  
 encr aes 256  
 authentication pre-share  
 group 2  
crypto isakmp key PASS address 192.168.12.192  
crypto isakmp invalid-spi-recovery  
crypto isakmp keepalive 10 4 periodic  
!  
!  
crypto ipsec transform-set AES esp-aes 256 esp-sha-hmac  
 mode transport  
!  
!
!  
crypto map remote-sites 20 ipsec-isakmp  
 set peer 192.168.12.192  
 set transform-set AES  
 match address 100  
!  
!
!
!
!  
interface Loopback120  
 ip address 12.12.12.12 255.255.255.0  
!  
interface Tunnel0  
 ip address 10.10.10.1 255.255.255.252  
 tunnel source 192.168.12.10  
 tunnel destination 192.168.12.192  
!  
interface Embedded-Service-Engine0/0  
 no ip address  
!  
interface GigabitEthernet0/0  
 ip address 192.168.12.10 255.255.255.0  
 duplex auto  
 speed auto  
 crypto map remote-sites  
!  
!
!  
ip forward-protocol nd  
!  
!  
ip route 0.0.0.0 0.0.0.0 192.168.12.1  
!  
access-list 100 permit gre host 192.168.12.10 host 192.168.12.192  

Linux Router

en01  
ipaddress 192.168.12.192/24  
interface up  

gre12  
ipaddress 10.10.10.2 peer 10.10.10.1  
tunnel 192.168.12.192 192.168.12.10  
key disable  
checksum disable  
interface up  
exit  

loopback12  
ipaddress 14.14.14.14/24  

sec  
ipsec enable  
psk 192.168.12.10 PASS  
vpn-template VZN 1 main aes256 sha1 24 hour 2 pre-shared-key address aes256 hmac-sha1 1 hour none  
vpn TESTVPN VZN 192.168.12.192 192.168.12.10  
ipsec-rule TESTVPN-rule 192.168.12.192 192.168.12.10 47 esp transport TESTVPN  

Please let me know if I have missed sharing something important.
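A way to spot the SA accumulation described above from periodic captures of `show crypto session`, as an added example that is not part of the post. The snapshot text is constructed to follow that command's layout rather than captured from the poster's router, and the "2 SAs per flow, at most 4 during rekey overlap" ceiling is an assumption about a healthy ESP pair.

```python
import re
from typing import Dict, List

PEER_RE = re.compile(r"^Peer:\s*(\S+)", re.MULTILINE)
ACTIVE_SAS_RE = re.compile(r"^\s*Active SAs:\s*(\d+)", re.MULTILINE)


def snapshot(active: int) -> str:
    """Constructed 'show crypto session' output for one peer (not captured from the router)."""
    return (
        "Crypto session current status\n\n"
        "Interface: GigabitEthernet0/0\n"
        "Session status: UP-ACTIVE\n"
        "Peer: 192.168.12.192 port 500\n"
        "  IKEv1 SA: local 192.168.12.10/500 remote 192.168.12.192/500 Active\n"
        "  IPSEC FLOW: permit 47 host 192.168.12.10 host 192.168.12.192\n"
        f"        Active SAs: {active}, origin: crypto map\n"
    )


def parse_active_sas(output: str) -> Dict[str, int]:
    """Return {peer: total active IPsec SAs} from one capture of the command."""
    counts: Dict[str, int] = {}
    # Each peer section starts with an 'Interface:' line; sum the SA lines inside it.
    for block in re.split(r"\n(?=Interface:)", output):
        peer = PEER_RE.search(block)
        sas = ACTIVE_SAS_RE.findall(block)
        if peer and sas:
            counts[peer.group(1)] = counts.get(peer.group(1), 0) + sum(map(int, sas))
    return counts


def sa_history(snapshots: List[str], peer: str) -> List[int]:
    """Active SA count for `peer` across successive captures (0 if the peer is absent)."""
    return [parse_active_sas(s).get(peer, 0) for s in snapshots]


def detect_sa_leak(history: List[int], expected: int = 2, overlap: int = 2, run: int = 3) -> bool:
    """A healthy GRE/IPsec flow holds `expected` SAs (inbound + outbound ESP) and briefly
    `expected + overlap` while the old and new pair coexist during rekey. Flag a leak when
    the count exceeds that ceiling, or rises strictly across `run` consecutive captures."""
    if any(c > expected + overlap for c in history):
        return True
    for i in range(len(history) - run + 1):
        window = history[i:i + run]
        if all(a < b for a, b in zip(window, window[1:])):
            return True
    return False


# Constructed capture series: old SAs are never torn down after each rekey.
LEAKING = [snapshot(n) for n in (2, 4, 6, 8)]
HEALTHY = [snapshot(n) for n in (2, 4, 2, 2)]
```

Run it against real captures by replacing the constructed snapshots with the saved command output taken at an interval shorter than the Phase 2 lifetime.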

Best Answer

We had to change the lifetime durations for IKE Phase 1 & Phase 2 on the Linux box to get the result. It was more of a bug/tweaking required on the Linux router. Thank you for all your help!!!
