IPsec site to site VPN

tanmoymm91 (Level 1)

I have configured one site to site VPN.

Both Phase 1 and Phase 2 seem to be up, but I am unable to ping the peer IP.

What may be the issue?

Is there any chance the other side may be blocking ESP packets (protocol 50)?

PS: Debug is not allowed as per guidelines.

13 Replies

Hi

show crypto ipsec sa

Does this command show hit counts on packets being encrypted and/or decrypted?

Hi Flavio,

On my side I can see encrypted packets.

There are no decrypted packets.

I have no control on the other side.

 

This problem can be related to a traffic mismatch. You need to make sure your ACL and the other side's ACL are matching the same thing.

Hi Flavio,

If the ACL had an issue then Phase 2 would not be up, due to a mismatch of proxy ID or interesting traffic.

One side encrypts and there is no decrypt: check whether the IPsec traffic hits NAT overload; you need to exclude the traffic from NATing.

NAT for public IPs?

Hi,

Can we give them any proof to clarify that I have no issue on my side, without sharing the full config?

Also, what about ESP packets if the other side's firewall is blocking ESP (protocol number 50)?

Did you configure NAT overload on the interface connected to the ISP?
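The two replies above point at the classic cause of "encrypt but no decrypt" on a router that also does NAT overload toward the ISP: the interesting traffic matches the NAT ACL before it reaches the crypto map, so it leaves translated and never matches the tunnel. The following added example (not code from this thread or from Cisco) models that check offline with a simplified ACL representation of (action, source, destination) that ignores ports. The subnets, the ACL name NAT_ACL and the helper names are constructed for illustration; it flags VPN flows that a NAT ACL would translate and builds the corrected ACL with the deny entries placed first, rendered in IOS extended-ACL syntax.

```python
import ipaddress
from typing import List, Tuple

# An access-control entry as (action, source, destination); "any" matches everything.
# Constructed simplification: IP-only entries, no ports or protocols.
Ace = Tuple[str, str, str]

# Constructed example. The crypto ACL defines the interesting traffic for the tunnel;
# the NAT ACL is the list referenced by "ip nat inside source list ... overload".
CRYPTO_ACL: List[Ace] = [("permit", "10.1.1.0/24", "10.2.2.0/24")]
NAT_ACL_BROKEN: List[Ace] = [("permit", "10.1.1.0/24", "any")]
NAT_ACL_FIXED: List[Ace] = [("deny", "10.1.1.0/24", "10.2.2.0/24"),
                            ("permit", "10.1.1.0/24", "any")]


def _covers(ace_field: str, flow: ipaddress.IPv4Network) -> bool:
    """True when the ACE field fully covers the flow's network ("any" covers all)."""
    if ace_field == "any":
        return True
    return flow.subnet_of(ipaddress.ip_network(ace_field, strict=False))


def nat_decision(nat_acl: List[Ace], src: str, dst: str) -> str:
    """First-match evaluation, with the implicit deny at the end of every IOS ACL."""
    s = ipaddress.ip_network(src, strict=False)
    d = ipaddress.ip_network(dst, strict=False)
    for action, ace_src, ace_dst in nat_acl:
        if _covers(ace_src, s) and _covers(ace_dst, d):
            return action
    return "deny"


def natted_vpn_flows(crypto_acl: List[Ace], nat_acl: List[Ace]) -> List[Tuple[str, str]]:
    """Interesting-traffic pairs that the NAT ACL would translate before encryption."""
    return [(s, d) for action, s, d in crypto_acl
            if action == "permit" and nat_decision(nat_acl, s, d) == "permit"]


def exempt(crypto_acl: List[Ace], nat_acl: List[Ace]) -> List[Ace]:
    """Return a NAT ACL with a deny for each VPN flow placed ahead of the existing entries."""
    denies: List[Ace] = [("deny", s, d) for action, s, d in crypto_acl if action == "permit"]
    return denies + [ace for ace in nat_acl if ace not in denies]


def to_ios(name: str, acl: List[Ace]) -> List[str]:
    """Render as an IOS named extended ACL; wildcard masks are the inverse of the netmask."""
    def fmt(field: str) -> str:
        if field == "any":
            return "any"
        n = ipaddress.ip_network(field, strict=False)
        return f"{n.network_address} {n.hostmask}"
    lines = [f"ip access-list extended {name}"]
    for action, s, d in acl:
        lines.append(f" {action} ip {fmt(s)} {fmt(d)}")
    return lines


if __name__ == "__main__":
    print("VPN flows that would be NATed:", natted_vpn_flows(CRYPTO_ACL, NAT_ACL_BROKEN))
    print("\n".join(to_ios("NAT_ACL", exempt(CRYPTO_ACL, NAT_ACL_BROKEN))))
```

With the broken list the 10.1.1.0/24 to 10.2.2.0/24 flow is reported as translated; after `exempt` the same flow hits the deny first and is left untouched for the crypto map, while everything else from 10.1.1.0/24 is still overloaded to the ISP interface.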

No decrypt packets means the issue is on the remote side: encap means your router/firewall is passing the traffic through the crypto engine and sending it to the remote side, whereas no decrypt means your router/firewall is not receiving the traffic from the remote end.

Please do not forget to rate.

Hi Salim,

Is there a chance that some filtering is applied on the other side which is blocking the ICMP traffic?

If ICMP is blocked (let's assume), you can send different traffic to test, like SSH/443/Telnet etc. Do you manage the remote side too? Why don't you reach out to the remote side and ask them to check their end configuration?

I believe you are running IKEv2?

Could you show your configuration and, if possible, the remote side configuration too?

Please do not forget to rate.

tanmoymm91 (Level 1)

Hi @Sheraz.Salim,

I am using IKEv1. I don't have any control on the remote side.

I got a call from an engineer from the remote side; he is denying any issue on either side.

Can we give them any proof to clarify that I have no issue on my side, without sharing the full config?

Also, what about ESP packets if the other side's firewall is blocking ESP (protocol number 50)?

What is the output of "show crypto isakmp sa detail" and "show crypto ipsec sa peer x.x.x.x"? Ask the other end to show you the output of these commands.

As it's IKEv1, most likely your ACL and the remote ACL are matching; otherwise you would never have IKEv1 up with Phase 1 and Phase 2.

It could be that the remote side has configured the VPN tunnel properly but is missing the route internally. As far as it goes, you can encap, which means you are sending the traffic, but there is no decap, so the issue is on the remote end. Sometimes it's difficult: the third party/remote side never takes the responsibility, as in your case.

You need to convince the third party that the issue is at their end.

Can we give them any proof to clarify that I have no issue on my side, without sharing the full config?

You can show the output of "show crypto isakmp sa detail" and "show crypto ipsec sa peer x.x.x.x" showing that the tunnel is up and running and you are sending the traffic but the remote side is not responding; you have proof of no decap.

Also, what about ESP packets if the other side's firewall is blocking ESP (protocol number 50)?

Unless there is a device sitting in the middle between the firewall and the Internet, but it's very unlikely.


please do not forget to rate.
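The reasoning in this reply and in the earlier "no decrypt means the remote end" reply comes down to reading the encaps/decaps counters of `show crypto ipsec sa` per proxy-identity pair. The following added example (not code from this thread or from Cisco) parses a constructed sample in the shape of that output and maps the counter pattern to the verdict the thread uses, which is the evidence to hand to the remote engineer without sharing a full config. The sample addresses, counters and function names are constructed; `counter_delta` compares two snapshots taken around a test ping so that stale counters from an earlier session are not mistaken for live traffic.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the shape of IOS "show crypto ipsec sa" output.
# Documentation addresses; the counters reproduce the thread's symptom:
# packets are encapsulated locally, none are decapsulated.
SAMPLE_OUTPUT = """\
interface: GigabitEthernet0/0
    Crypto map tag: CMAP, local addr 203.0.113.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 198.51.100.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
"""


@dataclass
class IpsecSa:
    local_ident: str   # local proxy identity (interesting traffic source)
    remote_ident: str  # remote proxy identity
    peer: str          # IKE peer address
    encaps: int        # packets we encapsulated and sent into the tunnel
    decaps: int        # packets received from the peer and decapsulated
    send_errors: int
    recv_errors: int


def _int(pattern: str, text: str) -> int:
    m = re.search(pattern, text)
    return int(m.group(1)) if m else 0


def parse_ipsec_sa(output: str) -> List[IpsecSa]:
    """Split the output into one block per proxy-identity pair and pull the counters."""
    sas: List[IpsecSa] = []
    blocks = re.split(r"(?=^[ \t]*local[ \t]+ident)", output, flags=re.M)
    for blk in blocks:
        m_local = re.search(r"local[ \t]+ident[^:]*:\s*\(([^)]*)\)", blk)
        if not m_local:
            continue  # header text before the first identity pair
        m_remote = re.search(r"remote ident[^:]*:\s*\(([^)]*)\)", blk)
        m_peer = re.search(r"current_peer\s+(\S+)", blk)
        sas.append(IpsecSa(
            local_ident=m_local.group(1),
            remote_ident=m_remote.group(1) if m_remote else "",
            peer=m_peer.group(1) if m_peer else "",
            encaps=_int(r"#pkts encaps:\s*(\d+)", blk),
            decaps=_int(r"#pkts decaps:\s*(\d+)", blk),
            send_errors=_int(r"#send errors\s+(\d+)", blk),
            recv_errors=_int(r"#recv errors\s+(\d+)", blk),
        ))
    return sas


def diagnose(sa: IpsecSa) -> str:
    """Map the counter pattern to the troubleshooting verdict used in the thread."""
    if sa.encaps == 0 and sa.decaps == 0:
        return "no-traffic"      # nothing matched the crypto ACL: check local routing first
    if sa.encaps > 0 and sa.decaps == 0:
        return "encap-only"      # we send, nothing returns: remote routing/filtering or path
    if sa.encaps == 0 and sa.decaps > 0:
        return "decap-only"      # peer sends, we never encrypt: local routing or NAT
    return "bidirectional"


def diagnose_output(output: str) -> List[Tuple[str, str, str, str]]:
    """(peer, local ident, remote ident, verdict) for every SA in the output."""
    return [(sa.peer, sa.local_ident, sa.remote_ident, diagnose(sa))
            for sa in parse_ipsec_sa(output)]


def counter_delta(before: IpsecSa, after: IpsecSa) -> Tuple[int, int]:
    """Growth of (encaps, decaps) between two snapshots taken around a test ping."""
    return (after.encaps - before.encaps, after.decaps - before.decaps)


if __name__ == "__main__":
    for peer, local, remote, verdict in diagnose_output(SAMPLE_OUTPUT):
        print(f"peer {peer}: {local} -> {remote}: {verdict}")
```

A growing encaps count with a flat decaps count across two snapshots is the "no decap" proof described above; a flat encaps count instead points back at the local side (interesting traffic not reaching the crypto map, for example because it was NATed first).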