
I'm trying to configure an IPSec tunnel between a Cisco router (ISR) and AWS (Customer Gateway). The connection to the ISP here is a PPPoE connection with a static private IP (e.g. 10.100.1.1) which a public IP (e.g. 160.1.1.1) is mapped to. There is no filtering on the public IP; all traffic is translated to the private IP.

I am now trying to configure the IPSec tunnel, but am not able to get it up. The recommended configuration provided to configure a tunnel if I had a public IP is as follows:

crypto keyring preshared-key-public
 local-address 160.1.1.1
 pre-shared-key address 54.1.1.1 key XXX   ! AWS IP
crypto isakmp profile isakmp-vpn-public
 keyring preshared-key-public
 match identity address 54.1.1.1 255.255.255.255
 local-address 160.1.1.1
interface Tunnel1
 ip address 169.1.1.1 255.255.255.252
 tunnel source 160.1.1.1
 tunnel destination 54.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile pfs-group2-sometransform

This is the config I am using:

crypto keyring preshared-key-private
 local-address 10.100.1.1
 pre-shared-key address 54.1.1.1 key XXX
crypto isakmp profile isakmp-vpn-private
 keyring preshared-key-private
 match identity address 54.1.1.1 255.255.255.255
 local-address 10.100.1.1
interface Tunnel1
 tunnel source 10.100.1.1
 ! everything else is the same

So I have modified the 3 occurrences of public IPs with the private IP (based on http://blog.brianbeach.com/2015/05/configuring-aws-customer-gateway-behind.html), but the tunnel does not come up:

*Dec 8 : ISAKMP: Error: payload length of VENDOR 0 < 4
*Dec 8 : %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 54.1.1.1 failed its sanity check or is malformed
*Dec 8 : ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: PAYLOAD_MALFORMED
*Dec 8 : ISAKMP:(0:0:N/A:0): sending packet to 54.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE

I initially thought that the "0 < 4" error might be related to this bug: https://tools.cisco.com/quickview/bug/CSCee74283 but the firmware is a fixed version:

Cisco IOS Software, 2801 Software, Version 12.4(25c), RELEASE SOFTWARE (fc2)
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

I can confirm that the preshared secret is configured correctly; I downloaded the configuration from AWS and copied it into the Cisco config. Is the setup correct? Any ideas as to what might be wrong? I am not sure if I am meant to be using the private IP in all 3 locations (keyring, isakmp profile and interface), or whether 1 of them should reference the public IP (I've tried using it in the keyring and isakmp profile but it didn't work either).

Before providing a public / NAT / private setup, the ISP used to provide an L2TP tunnel where the public static IP was on the router, and that worked fine. However, the L2TP tunnel is no longer available (but this router / software did work with AWS in that environment).

1 Answer

It turns out that having NAT traversal enabled was causing the issue.

! Turn off NAT-T (UDP encapsulation of ESP on port 4500); full form of the
! abbreviated command "no cry ips nat-trans udp-encaps"
no crypto ipsec nat-transparency udp-encapsulation
! Bounce the tunnel interface so the SAs are renegotiated
interface Tunnel1
 shutdown
 no shutdown

And the tunnel was up.
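Pulling the question's private-IP configuration and the answer's fix together, this is what the complete working router side looks like with NAT-T turned off. It is an added example, not the original poster's or AWS's own configuration: the post shows only the keyring, the isakmp profile and the tunnel interface, so the isakmp policy, the transform set, the body of the ipsec profile, and the MSS clamp are assumptions (the values are the ones AWS-generated Cisco ISR templates of that era used), and `XXX` stands for the real pre-shared key.

```cisco
! Phase 1 (IKEv1) policy -- ASSUMED, not shown in the original post;
! these are the values AWS-generated Cisco templates used at the time.
crypto isakmp policy 200
 encryption aes 128
 authentication pre-share
 group 2
 lifetime 28800
 hash sha
!
! NAT-T is on by default in IOS; per the answer, that default is what
! kept the tunnel down. Turning it off means IKE stays on UDP/500 and
! ESP is sent natively (IP protocol 50), so the ISP's 1:1 NAT must pass
! ESP unmodified (the question says it passes all traffic).
no crypto ipsec nat-transparency udp-encapsulation
!
! Keyring and profile use the router's own (private, NATed) address,
! exactly as in the question.
crypto keyring preshared-key-private
 local-address 10.100.1.1
 pre-shared-key address 54.1.1.1 key XXX   ! AWS VPN endpoint
!
crypto isakmp profile isakmp-vpn-private
 keyring preshared-key-private
 match identity address 54.1.1.1 255.255.255.255
 local-address 10.100.1.1
!
! Phase 2 -- ASSUMED transform set and profile body; only the profile
! name appears in the original post.
crypto ipsec transform-set ipsec-prop-vpn-private esp-aes 128 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile pfs-group2-sometransform
 set pfs group2
 set transform-set ipsec-prop-vpn-private
!
interface Tunnel1
 ip address 169.1.1.1 255.255.255.252
 ! ASSUMED: AWS templates clamp MSS to avoid fragmentation inside ESP
 ip tcp adjust-mss 1387
 tunnel source 10.100.1.1
 tunnel destination 54.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile pfs-group2-sometransform
 no shutdown
!
! Verification (exec mode):
!   show crypto isakmp sa     -> expect state QM_IDLE for 54.1.1.1
!   show crypto ipsec sa      -> encaps/decaps counters climbing
!   show interface Tunnel1    -> line protocol up
```

Two caveats a practitioner should keep in mind. `no crypto ipsec nat-transparency udp-encapsulation` is global, so it disables NAT-T for every IPsec peer on the router, not just this tunnel; if another peer sits behind a NAT that only forwards UDP, it will break. And the setup only works because the ISP's mapping is a filter-free 1:1 NAT: if ESP (IP protocol 50) ever stops being forwarded to 10.100.1.1, IKE will still complete on UDP/500 but no data will flow, which shows up as `QM_IDLE` in `show crypto isakmp sa` with decaps counters stuck at zero in `show crypto ipsec sa`.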
