Question on Cisco tunnel encryption

Hi, I have two routers, one in Site A and another one in Site B. I have built a tunnel and it is up and running. I see EIGRP neighbors via the tunnel. When I apply encryption the tunnel is down. I am attaching the config.
Any ideas would be appreciated.


 ========== Add in Calgary ======

 crypto map VPN.Tunnels 638 ipsec-isakmp
 description ---- Guaynabo ----
 set peer 69.79.188.58
 set transform-set AES256.Tunnels
 set pfs group5
 match address CryptoGuaynabo
 end
 
 
interface Tunnel638
description --- Puerto Rico CIM  Guaynabo & Calgary VPN
ip address 10.200.158.138 255.255.255.252
tunnel source GigabitEthernet0/2
tunnel destination 69.79.188.58
tunnel key 638
tunnel checksum
 
 
 ip access-list extended CryptoGuaynabo
 permit ip host 208.51.212.83 host 69.79.188.58
 
 
 ======== Guaynabo ======
 
 crypto pki trustpoint ttraflonr2
 enrollment url http://83.244.128.16:80
 revocation-check none
 source interface GigabitEthernet0/1
!        
crypto pki trustpoint ttraflonr12
 enrollment url http://83.244.128.20:80
 revocation-check none
 source interface GigabitEthernet0/1
!        
!        
crypto pki certificate chain ttraflonr2
 


crypto isakmp policy 1
 encr aes 256
 group 5
 lifetime 3600
!
!
crypto ipsec transform-set AES256.Tunnels esp-aes 256 esp-sha-hmac
!
crypto map VPN.Tunnels 638 ipsec-isakmp
 description ---- Calgary ----
 set peer 208.51.212.83
 set transform-set AES256.Tunnels
 set pfs group5
 match address CryptoCalgary
 
 
 interface Tunnel638
 description --- tunnel Puerto Rico CIM  to  Calgary VPN ---
 ip address 10.200.158.137 255.255.255.252
 ip flow ingress
 no ip route-cache
 tunnel source GigabitEthernet0/1
 tunnel destination 208.51.212.83
 tunnel key 638
 tunnel checksum
 
 
 interface GigabitEthernet0/1
 description External Interface to vlan 99
 ip address 69.79.188.58 255.255.255.248
 ip access-group External in
 ip inspect Firewall out
 duplex auto
 speed auto
 crypto map VPN.Tunnels
 
 
 
 router eigrp 100
 network 10.200.158.0 0.0.0.255
 network 172.16.80.0 0.0.0.255
 passive-interface GigabitEthernet0/1
 
 
 
 ip access-list extended CryptoCalgary
 permit ip host 69.79.188.58 host 208.51.212.83
 
 
 ip access-list extended External
 remark ----  Tunnel Traffic from Calgary  ----
 permit gre host 208.51.212.83 host 69.79.188.58
 permit esp host 208.51.212.83 host 69.79.188.58
 permit udp host 208.51.212.83 host 69.79.188.58 eq isakmp
 
c_hockland Asked:

CSorg Commented:
"match address CryptoGuaynabo" should match your internal networks on both sides, not your external IP hosts.
0
Marius Gunnerud, Senior Systems Engineer, Commented:
CSorg is correct on that; the access lists should match the source address of the local private IP and have a destination address of the remote private IP.

Another thing. Why do you have a GRE tunnel configured and then apply the crypto map to the physical interface? You should either remove the VTI or the crypto map. If you remove the crypto map, then you can encrypt the GRE traffic by using an isakmp profile and call that profile in the VTI by issuing the command tunnel protection ipsec profile <profile name> on the VTI interface.

Depending on which route has the lower cost, or if the costs are equal, traffic could be load-balanced over the GRE and IPsec tunnels. That would mean the traffic traveling over the IPsec will be encrypted while the traffic traveling over the GRE will be unencrypted. I would suggest using one or the other... not both.
0
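A worked configuration for the design described in the comment above (the GRE tunnel protected by an IPsec profile, with the crypto map taken off the physical interface), written for the Guaynabo side, whose full config is posted; Calgary is the mirror image with its own tunnel source and the peer address swapped. This is an added example, not configuration from the original thread. The `tunnel protection ipsec profile` command references a `crypto ipsec profile`, which carries the transform set and PFS setting; with tunnel protection there is no crypto ACL at all, because traffic is selected for encryption by being routed into Tunnel638. The profile name GRE.Protect, the policy number, the pre-shared-key placeholder and the MTU/MSS values are assumptions; addresses, interface names and the transform set come from the posted config.

```cisco
! Guaynabo side. Added example; Calgary mirrors this with
! tunnel source GigabitEthernet0/2 and peer 69.79.188.58.
!
! Phase 1: make the authentication method explicit. A policy with no
! "authentication" line defaults to rsa-sig, which needs a certificate.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 3600
!
! Pre-shared key for the Calgary peer (placeholder value, assumption).
crypto isakmp key REPLACE-WITH-SHARED-SECRET address 208.51.212.83
!
! Phase 2: same transform set as the posted config; transport mode is
! enough because GRE already supplies the outer tunnel.
crypto ipsec transform-set AES256.Tunnels esp-aes 256 esp-sha-hmac
 mode transport
!
! The profile replaces the crypto map: no peer, no match address.
crypto ipsec profile GRE.Protect
 set transform-set AES256.Tunnels
 set pfs group5
!
! Take the crypto map off the WAN interface and delete the map entry,
! so there is only one encrypted path between the sites.
interface GigabitEthernet0/1
 no crypto map VPN.Tunnels
!
no crypto map VPN.Tunnels 638
!
! Bind the profile to the tunnel itself. GRE+ESP overhead is why the
! inner MTU and TCP MSS are lowered (values are assumptions).
interface Tunnel638
 description --- tunnel Puerto Rico CIM to Calgary VPN (GRE over IPsec) ---
 ip address 10.200.158.137 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/1
 tunnel destination 208.51.212.83
 tunnel key 638
 tunnel checksum
 tunnel protection ipsec profile GRE.Protect
!
! Verification after both sides are configured:
! Router# show crypto isakmp sa        -> peer in state QM_IDLE
! Router# show crypto ipsec sa         -> #pkts encaps / decaps increasing
! Router# show interfaces Tunnel638    -> line protocol up
! Router# show ip eigrp neighbors      -> 10.200.158.138 learned via Tu638
```

The posted `External` ACL already permits ESP and UDP/500 from the Calgary address, which is all that tunnel protection needs on the wire; add `permit udp host 208.51.212.83 host 69.79.188.58 eq non500-isakmp` only if a NAT device sits between the sites, since IKE then moves to UDP/4500. The `no ip route-cache` line from the posted tunnel is deliberately left out: it forces process switching of every packet on the tunnel and is not needed for encryption.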
c_hockland (Author) Commented:
We always use the public IP since the connection goes via the internet.

here is the log...

Dec  5 22:32:06.970: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Dec  5 22:32:13.790: ISAKMP: quick mode timer expired.
Dec  5 22:32:13.790: ISAKMP:(6778):src 69.79.188.58 dst 208.51.212.83, SA is not authenticated
Dec  5 22:32:13.790: ISAKMP:(6778):peer does not do paranoid keepalives.

Dec  5 22:32:13.790: ISAKMP:(6778):deleting SA reason "QM_TIMER expired" state (I) MM_KEY_EXCH (peer 208.51.212.83)
Dec  5 22:32:13.790: ISAKMP:(6778):deleting SA reason "QM_TIMER expired" state (I) MM_KEY_EXCH (peer 208.51.212.83)
Dec  5 22:32:13.790: ISAKMP: Unlocking peer struct 0x2B6FEBF0 for isadb_mark_sa_deleted(), count 0
Dec  5 22:32:13.790: ISAKMP: Deleting peer node by peer_reap for 208.51.212.83: 2B6FEBF0
Dec  5 22:32:13.790: ISAKMP:(6778):deleting node 1939187699 error FALSE reason "IKE deleted"
Dec  5 22:32:13.790: ISAKMP:(6778):deleting node -411153329 error FALSE reason "IKE deleted"
Dec  5 22:32:13.790: ISAKMP:(6778):deleting node -55404125 error FALSE reason "IKE deleted"
Dec  5 22:32:13.790: ISAKMP:(6778): IKE->PKI End PKI Session state (I) MM_NO_STATE (peer 208.51.212.83)
Dec  5 22:32:13.790: ISAKMP:(6778): PKI->IKE Ended PKI Session state (I) MM_NO_STATE (peer 208.51.212.83)
Dec  5 22:32:13.790: ISAKMP:(6778):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Dec  5 22:32:13.790: ISAKMP:(6778):Old State = IKE_I_MM5  New State = IKE_DEST_SA

Dec  5 22:32:13.790: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Dec  5 22:32:14.618: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on GigabitEthernet0/1 (not half duplex), with tpumaguaynaboCoresw01.global.abc.com FastEthernet1/0/47 (half duplex).
0
c_hockland (Author) Commented:
Also, I think something is wrong with the cert.


Dec  5 22:34:07.870: ISAKMP:(6782):Send initial contact
Dec  5 22:34:07.870: ISAKMP:(6782): IKE->PKI Get self CertificateChain state (I) MM_KEY_EXCH (peer 208.51.212.83)
Dec  5 22:34:07.870: ISAKMP:(6782): PKI->IKE Got self CertificateChain state (I) MM_KEY_EXCH (peer 208.51.212.83)
Dec  5 22:34:07.870: ISAKMP:(6782):Unable to get router cert or routerdoes not have a cert: needed to find DN!
Dec  5 22:34:07.870: ISAKMP:(6782):SA is doing RSA signature authentication using id type ID_IPV4_ADDR
Dec  5 22:34:07.870: ISAKMP (6782): ID payload
        next-payload : 6
        type         : 1
        address      : 69.79.188.58
        protocol     : 17
        port         : 500
        length       : 12
Dec  5 22:34:07.870: ISAKMP:(6782):Total payload length: 12
Dec  5 22:34:07.870: ISAKMP:(6782): no valid cert found to return
0
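Reading the debug output above: `SA is doing RSA signature authentication` shows the ISAKMP policy is using its default of `authentication rsa-sig` (the posted `crypto isakmp policy 1` has no `authentication` line, and IOS defaults to rsa-sig), and `no valid cert found to return`, together with the empty `crypto pki certificate chain ttraflonr2` section in the posted config, shows the router has no identity certificate to sign with; the earlier log confirms the consequence, main mode sitting in `MM_KEY_EXCH` until the QM timer expires and the SA is deleted. The following added example (not from the original thread) shows the PKI route to a working phase 1 on the Guaynabo router: making rsa-sig explicit, sending the certificate DN as the IKE identity, completing enrollment against the posted trustpoint, and the show commands that confirm a certificate is present. The key label, subject name and modulus are assumptions; the trustpoint name and enrollment URL come from the posted config. The Calgary peer must hold a certificate from a CA this router trusts as well, otherwise the same failure simply moves to the other side.

```cisco
! Guaynabo: give the router an identity certificate so rsa-sig can work.
! Added example; key label, subject name and modulus are assumptions.
!
! 1. Make the authentication method explicit. rsa-sig is what the router
!    is already doing by default, as the debug output shows.
crypto isakmp policy 1
 encr aes 256
 hash sha
 authentication rsa-sig
 group 5
 lifetime 3600
!
! 2. Send the certificate DN as the IKE identity. "needed to find DN!" in
!    the debug output is the router looking for one and falling back to
!    ID_IPV4_ADDR.
crypto isakmp identity dn
!
! 3. Dedicated RSA key pair and subject name tied to the trustpoint.
crypto key generate rsa label VPN-KEY modulus 2048
!
crypto pki trustpoint ttraflonr2
 enrollment url http://83.244.128.16:80
 subject-name CN=guaynabo-rtr,O=example
 rsakeypair VPN-KEY
 source interface GigabitEthernet0/1
 revocation-check none
!
! 4. Enrol from exec mode: fetch and verify the CA certificate first,
!    then request the router certificate.
! Router# crypto pki authenticate ttraflonr2
!   -> compare the printed fingerprint with the CA before accepting it
! Router# crypto pki enroll ttraflonr2
!
! 5. Confirm before re-testing the tunnel:
! Router# show crypto pki certificates
!   -> a "CA Certificate" block and a "Certificate" block for ttraflonr2;
!      with neither present the "certificate chain" section stays empty,
!      which is the state in the posted config
! Router# show crypto pki trustpoints
! Router# debug crypto isakmp
!   -> a good exchange ends with "SA authentication status: authenticated"
!      and "Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE"
```

`revocation-check none` is kept from the posted config so the example matches it, but it disables CRL and OCSP checking, so a revoked peer certificate would still authenticate; for production use `revocation-check crl` (or `ocsp`) once the CA's revocation endpoint is reachable from the router. If certificates are not wanted on these two routers at all, the alternative is `authentication pre-share` in the ISAKMP policy plus a `crypto isakmp key ... address <peer>` on each side, which removes the dependency on the trustpoints entirely.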
Marius Gunnerud, Senior Systems Engineer, Commented:
----> we always use the public IP since the connection goes via the internet.

Do you mean that the host machines at each end all have public IP addresses, or is it just the routers at each end that are using public IPs?

Is the Calgary site configured for PKI also? Or is it when you add the PKI to Calgary that the VPN tunnel goes down?

Could you attach files with the configs of both sites please.
0

c_hockland (Author) Commented:
Sure, here are the configs.
Both routers have public IP.

I will try to attach configs
0
Marius Gunnerud, Senior Systems Engineer, Commented:
I don't see any attachments.
0
c_hockland (Author) Commented:
I will attach them in the morning. Apologies for the delay.
0
Marius Gunnerud, Senior Systems Engineer, Commented:
No worries :)
0