12554 Views, 50 Helpful, 23 Replies

Cisco 9300, IPSEC

Hi,

I read with attention the problems with IP CEF.

I have a problem and do not know how to solve it.

Platform:

Cisco IOS XE Software, Version 16.12.01
Cisco IOS Software [Gibraltar], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.12.1, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2019 by Cisco Systems, Inc.
Compiled Tue 30-Jul-19 19:26 by mcpre

 

License: Network Advantage

crypto isakmp policy 1
encryption aes 256
hash sha256
authentication pre-share
group 5
lifetime 7800
crypto isakmp key toto address XX.16.YY.250
!
!
crypto ipsec transform-set LSI esp-aes 256 esp-sha256-hmac
mode tunnel
!
!
!
crypto map IPSEC 1 ipsec-isakmp

set peer XX.16.YY.250
set transform-set LSI
set pfs group5
match address trafic_xx
reverse-route static

ip access-list extended trafic_xx
50 permit ip any 192.168.242.0 0.0.0.255

interface vlan 800
ip address XX.16.YY.200







sh crypto ipsec sa

remote ident (addr/mask/prot/port): (192.168.242.0/255.255.255.0/0/0)
current_peer 172.16.19.250 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: XX.16.YY.200, remote crypto endpt.: XX.16.YY.250
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Vlan800
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:


 

I am trying to connect a Mikrotik with IPsec. Traffic is encapsulated from the Mikrotik (xxx.16.yy.250) through the Cisco and delivered to the network.

But no traffic from PCs connected to my network can pass through the IPsec VPN.

 

sh crypto route

Routes created in table GLOBAL DEFAULT
192.168.242.0/255.255.255.0 [1/0] via XX.16.YY.250 tag 0 count 1 rtid 115
on Vlan800 RRI S




sh ip cef ...

next hop is not the same as tunnel endpoint.

 

What's wrong?
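The symptom in this post is visible in the counters alone: the IKE session is up, but `#pkts encaps` stays at 0 while (later in the thread) `#pkts decaps` climbs. The script below is an added example, not code from the original post or from Cisco. It parses `show crypto ipsec sa` text one flow at a time and flags the three states that appear in this thread: no outbound SA negotiated yet (SPI 0x0), a one-way tunnel where the peer's traffic decrypts but nothing is ever encrypted, and a `0.0.0.0/0` local identity produced by a `permit ip any ...` crypto ACL. The sample output embedded in it is constructed from the outputs quoted in the thread, and the function names are my own.

```python
import re

# Constructed sample, modelled on the `show crypto ipsec sa` outputs quoted in
# this thread: one flow with no outbound SA yet, one where the peer's traffic
# decrypts but the switch never encrypts anything.
SAMPLE_SA_OUTPUT = """\
interface: GigabitEthernet1/0/48
Crypto map tag: IEKAWE-RECIF-IPSEC, local addr 172.16.19.254

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.244.0/255.255.255.0/0/0)
current_peer 172.16.19.250 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors 0

local crypto endpt.: 172.16.19.254, remote crypto endpt.: 172.16.19.250
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.242.0/255.255.255.0/0/0)
current_peer 172.16.19.250 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 31, #pkts decrypt: 31, #pkts verify: 31
#send errors 0, #recv errors 0

local crypto endpt.: 172.16.19.254, remote crypto endpt.: 172.16.19.250
current outbound spi: 0x9F47C7F(167017599)
PFS (Y/N): Y, DH group: group5
"""

IDENT_RE = re.compile(r"^(local|remote) ident \(addr/mask/prot/port\): "
                      r"\(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)", re.M)
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
SPI_RE = re.compile(r"current outbound spi: 0x([0-9A-Fa-f]+)")
PFS_RE = re.compile(r"PFS \(Y/N\): ([YN])")


def parse_ipsec_sa(text):
    """One dict per flow; a flow is one crypto-ACL entry (one 'protected vrf:' block)."""
    flows = []
    for chunk in re.split(r"(?m)^protected vrf:", text)[1:]:
        flow = {"encaps": 0, "decaps": 0, "outbound_spi": 0, "pfs": None}
        for m in IDENT_RE.finditer(chunk):
            side, addr, mask, _proto, _port = m.groups()
            flow[side] = (addr, mask)          # flow["local"], flow["remote"]
        for m in COUNTER_RE.finditer(chunk):
            flow[m.group(1)] = int(m.group(2))
        m = SPI_RE.search(chunk)
        if m:
            flow["outbound_spi"] = int(m.group(1), 16)
        m = PFS_RE.search(chunk)
        if m:
            flow["pfs"] = m.group(1) == "Y"
        flows.append(flow)
    return flows


def diagnose(flow, pfs_configured=True):
    """Human-readable findings for one flow; an empty list means it looks healthy."""
    findings = []
    if flow.get("local") == ("0.0.0.0", "0.0.0.0"):
        findings.append("local identity is 0.0.0.0/0 ('permit ip any ...' crypto ACL): "
                        "the peer's selector must be the exact mirror or Quick Mode fails")
    if flow["outbound_spi"] == 0:
        findings.append("no outbound SA negotiated yet (SPI 0x0): nothing has matched "
                        "the crypto map in the outbound direction")
        return findings
    if pfs_configured and flow["pfs"] is False:
        findings.append("PFS configured but SA negotiated without it: check the peer's Phase 2")
    if flow["decaps"] > 0 and flow["encaps"] == 0:
        findings.append("one-way tunnel: peer traffic decrypts but no packet was ever "
                        "encrypted; outbound traffic is bypassing the crypto map")
    elif flow["encaps"] == 0 and flow["decaps"] == 0:
        findings.append("SA up but idle: no packets in either direction")
    return findings


def report(text=SAMPLE_SA_OUTPUT):
    """Diagnose every flow; returns {remote_prefix: [findings]}."""
    return {f"{f['remote'][0]}/{f['remote'][1]}": diagnose(f) for f in parse_ipsec_sa(text)}


if __name__ == "__main__":
    for prefix, findings in report().items():
        print(prefix)
        for line in findings:
            print("  -", line)
```

Run it against a pasted `show crypto ipsec sa` by passing the text to `report()`. A flow that only ever reports the one-way finding, with `#send errors 0`, means the outbound packets never reached the crypto engine at all, which is exactly what the rest of the thread goes on to establish.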

2 Accepted Solutions
Hello reseau.dtsi@gouv.nc,

It is unlikely that a Catalyst switch can support IPsec encryption for user traffic.

You should use a router instead.

The Cat 9300 is missing dedicated hardware for IPsec encryption/decryption, and it might support IPsec just for management traffic (traffic originated by or destined to the switch CPU); that is what you have seen up to now.

 

Hope to help

Giuseppe

 


I agree. I could not find a single configuration example of site to site VPN support on the Catalyst 9K. There was only mention of SSH for management.

 

I guess the confusing thing is that the IOS takes all the commands, but there is no support. Maybe Cisco should somehow include warnings when you type a command that is not actually supported...


23 Replies

Hello,

 

On which interface did you apply the crypto map? Post the full running config of your 9300...

Hi,

 

The crypto map is attached to interface Vlan 900.

I tried the same configuration on a Cisco 9200, with interface Gig 1/0/48 in "no switchport"; the same behaviour occurs.

Packets from the Mikrotik router are decrypted; a traceroute from the Mikrotik to the Cisco 9300 LAN works until the packets have to take the path back and be encrypted.

 


Type escape sequence to abort.
Tracing the route to 10.10.10.55
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.242.240 0 msec 0 msec 0 msec
2 172.16.19.254 25 msec 16 msec 17 msec
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *




Cisco 9300: show crypto ipsec sa

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.242.0/255.255.255.0/0/0)
current_peer 172.16.19.250 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 31, #pkts decrypt: 31, #pkts verify: 31
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 172.16.19.254, remote crypto endpt.: 172.16.19.250
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1/0/48
current outbound spi: 0x9F47C7F(167017599)
PFS (Y/N): Y, DH group: group5


!
! Last configuration change at 09:15:50 Magadan Sun Nov 8 2020 by merlin
! NVRAM config last updated at 11:39:29 Magadan Sun Nov 8 2020 by merlin
!
version 16.12
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
service call-home
no platform punt-keepalive disable-kernel-core
!
hostname ROUTEUR-PAYS
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 64000
logging console critical
logging monitor critical
enable secret 9 xxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
!
!
!
!
aaa session-id common
clock timezone Magadan 11 0
switch 1 provision c9300-24s
switch 2 provision c9300-24s
!
!
!
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
ip routing
!
!
!
!
!
no ip domain lookup
ip domain name gnc


ip dhcp excluded-address 10.10.182.252
ip dhcp excluded-address 10.10.182.252 10.10.182.254
!
ip dhcp pool vlan749
network 10.48.49.16 255.255.255.248
dns-server 10.10.210.6 192.168.101.1
default-router 10.48.49.22
lease 7
!
!
!
!
login on-success log
!
!
!
!
!
!
!
no device-tracking logging theft
!
spanning-tree mode rapid-pvst
spanning-tree logging
spanning-tree extend system-id
spanning-tree pathcost method long
spanning-tree vlan 1-24,26-4094 priority 0
spanning-tree vlan 25 priority 4096
!
errdisable recovery cause udld
errdisable recovery cause link-flap
errdisable recovery cause loopback
errdisable recovery interval 30

username oooooo privilege 15 secret 9 XXXXXXXXXXXXXXq2J.
!
redundancy
mode sso
!
!
!
!
!
transceiver type all
monitoring
lldp run
!
!
class-map match-any system-cpp-police-ewlc-control
description EWLC Control
class-map match-any system-cpp-police-topology-control
description Topology control
class-map match-any system-cpp-police-sw-forward
description Sw forwarding, L2 LVX data packets, LOGGING, Transit Traffic
class-map match-any system-cpp-default
description EWLC Data, Inter FED Traffic
class-map match-any system-cpp-police-sys-data
description Openflow, Exception, EGR Exception, NFL Sampled Data, RPF Failed
class-map match-any test
description traffic_Test
match dscp default
match dscp cs1
match dscp cs1 cs2
match dscp cs1 cs2 cs3 cs4 cs5 cs6 cs7
class-map match-any system-cpp-police-punt-webauth
description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
description L2 LVX control packets
class-map match-any ToIP
description bandwidth pour la ToIP
match cos 5
match dscp ef
match ip dscp ef
match cos 5 6 7
class-map match-any system-cpp-police-forus
description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
description MCAST END STATION
class-map match-any system-cpp-police-high-rate-app
description High Rate Applications
class-map match-any system-cpp-police-multicast
description MCAST Data
class-map match-any system-cpp-police-l2-control
description L2 control
class-map match-any system-cpp-police-dot1x-auth
description DOT1X Auth
class-map match-any system-cpp-police-data
description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
description Stackwise Virtual OOB
class-map match-any ADMIN
description bandwidth pour admin reseau
match dscp ef
class-map match-any Best_Effort
description traffic_GNC
match cos 0
match cos 0 1 2 3 4
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
description Routing control and Low Latency
class-map match-any system-cpp-police-protocol-snooping
description Protocol snooping
class-map match-any system-cpp-police-dhcp-snooping
description DHCP snooping
class-map match-any system-cpp-police-ios-routing
description L2 control, Topology control, Routing control, Low Latency
class-map match-any system-cpp-police-system-critical
description System Critical and Gold Pkt
class-map match-any system-cpp-police-ios-feature
description ICMPGEN,BROADCAST,ICMP,L2LVXCntrl,ProtoSnoop,PuntWebauth,MCASTData,Transit,DOT1XAuth,Swfwd,LOGGING,L2LVXData,ForusTraffic,ForusARP,McastEndStn,Openflow,Exception,EGRExcption,NflSampled,RpfFailed
!
policy-map QoS_GNC
description QoS_GNC_Test
class ToIP
priority level 1 50000
class class-default
bandwidth percent 95
random-detect cos-based
set dscp default
policy-map traffic_PRA
description mark ADMInTrafic for PRA
policy-map Trust-Dscp-Input-Policy
description Dscp-input-Ok
class class-default
set dscp dscp table Dscp-Trust-Table
policy-map system-cpp-policy
!
!
!
!
crypto isakmp policy 1
encryption aes 256
hash sha256
authentication pre-share
group 5
lifetime 7800
crypto isakmp key cisco address 172.16.19.250
!
!
crypto ipsec transform-set LSI esp-aes 256 esp-sha256-hmac
mode tunnel
!
!
!
crypto map PAYS-RECIF-IPSEC 1 ipsec-isakmp
set peer 172.16.19.250
set transform-set LSI
set pfs group5
match address trafic_spb
reverse-route static
!
!
!
!
!
interface Tunnel0
no ip address
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
interface Vlan25
description MGMT LASER-SWITCHES-GNC
ip address 10.0.0.253 255.255.255.128
standby 0 priority 20
standby 0 preempt
!
interface Vlan26
ip address 10.0.0.43 255.255.255.128
!
interface Vlan101
description TITI
ip flow monitor nfsen_input input
ip flow monitor nfsen_output output
ip address 172.16.16.25 255.255.255.252
!
!
interface Vlan900
description POINT IPSEC
ip address 172.16.19.254 255.255.255.252
crypto map PAYS-RECIF-IPSEC
!
!
router eigrp 1
distribute-list 13 out
network 10.0.0.0
network 172.16.0.0
network 192.168.0.0
redistribute connected
redistribute static
passive-interface default
xxxxxxxxxxxxxx
!
ip forward-protocol nd
ip tcp synwait-time 10
no ip http server
ip http authentication local
no ip http secure-server
ip nat log translations syslog
ip route 172.16.19.248 255.255.255.252 172.16.19.253

ip access-list extended trafic_spb
10 permit ip any 10.10.244.0 0.0.0.255
20 permit ip any 10.10.250.0 0.0.0.15
30 permit ip any 10.240.242.0 0.0.0.255
40 permit ip any 172.16.2.120 0.0.0.7
50 permit ip any 192.168.242.0 0.0.0.255
!
logging facility local6
logging source-interface Vlan101
logging host XXXXXXXXXXXXXXq2J


ip access-list extended 2660
5 permit ip host 10.10.10.55 any log-input
30 permit icmp any any log-input
40 permit ip 172.16.19.0 0.0.0.255 172.16.19.0 0.0.0.255
50 permit ip any any
!
!
!
control-plane
service-policy input system-cpp-policy
!
privilege exec level 5 show configuration
privilege exec level 5 show
ntp server 192.168.101.21

Hello,

 

Based on your output, there seems to be no local ident on the Cisco side, which means the router does not know which traffic to encrypt.

 

Try to change the access list and replace the "any" with the real local networks. Also make sure the Mikrotik side matches that access list.

 

ip access-list extended trafic_spb
10 permit ip any 10.10.244.0 0.0.0.255
20 permit ip any 10.10.250.0 0.0.0.15
30 permit ip any 10.240.242.0 0.0.0.255
40 permit ip any 172.16.2.120 0.0.0.7
50 permit ip any 192.168.242.0 0.0.0.255

 

Change that to:

 

ip access-list extended trafic_spb
10 permit ip 10.0.0.0 0.0.0.255 10.10.244.0 0.0.0.255
20 permit ip 10.0.0.0 0.0.0.255 10.10.250.0 0.0.0.15
30 permit ip 10.0.0.0 0.0.0.255 10.240.242.0 0.0.0.255
40 permit ip 10.0.0.0 0.0.0.255 172.16.2.120 0.0.0.7
50 permit ip 10.0.0.0 0.0.0.255 192.168.242.0 0.0.0.255

 

Hello

I already tried what you suggested.


The network is like this:

Many routers, many places, and each place can communicate with each other. So the simplest way is to define an access-list like


50 permit ip any 192.168.242.0 0.0.0.255



I tried an access-list with one entry:


ip access-list extended phares
permit ip 10.10.10.0 0.0.0.255 192.168.242.240 0.0.0.255


The result was the same.

It seems that the Cisco 9300 router does not match the traffic and tries to send it directly out of interface Vlan 900. I have done the same configuration on a Cisco 9200: same result, same behaviour.

Below, sh tech-crypto ipsec:

------------------ show crypto tech-support ------------------


------------------ show crypto isakmp sa count ------------------


Active ISAKMP SA's: 1
Standby ISAKMP SA's: 0
Currently being negotiated ISAKMP SA's: 0
Dead ISAKMP SA's: 0

------------------ show crypto ipsec sa count ------------------

IPsec SA total: 20, active: 10, rekeying: 0, unused: 10, invalid: 0


------------------ show crypto isakmp sa detail ------------------




Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local          Remote         I-VRF  Status  Encr  Hash    Auth  DH  Lifetime  Cap.
1048  172.16.19.254  172.16.19.250         ACTIVE  aes   sha256  psk   5   02:04:48
Engine-id:Conn-id = SW:48

IPv6 Crypto ISAKMP SA


------------------ show crypto ipsec sa detail ------------------



interface: GigabitEthernet1/0/48
Crypto map tag: IEKAWE-RECIF-IPSEC, local addr 172.16.19.254

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.242.0/255.255.255.0/0/0)
current_peer 172.16.19.250 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0

local crypto endpt.: 172.16.19.254, remote crypto endpt.: 172.16.19.250
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1/0/48
current outbound spi: 0x1365EC5(20340421)
PFS (Y/N): Y, DH group: group5

inbound esp sas:
spi: 0x4FED2599(1340941721)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 751, flow_id: SW:751, sibling_flags FFFFFFFF80000040,
crypto map: IEKAWE-RECIF-IPSEC
sa timing: remaining key lifetime (k/sec): (4608000/3163)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0xFD4B4B02(4249570050)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 761, flow_id: SW:761, sibling_flags FFFFFFFF80000040,
crypto map: IEKAWE-RECIF-IPSEC
sa timing: remaining key lifetime (k/sec): (4199782/3289)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x5F0DA2D(99670573)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 752, flow_id: SW:752, sibling_flags FFFFFFFF80000040,
crypto map: IEKAWE-RECIF-IPSEC
sa timing: remaining key lifetime (k/sec): (4608000/3163)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x1365EC5(20340421)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 762, flow_id: SW:762, sibling_flags FFFFFFFF80000040,
crypto map: IEKAWE-RECIF-IPSEC
sa timing: remaining key lifetime (k/sec): (4199782/3289)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

------------------ show crypto session summary ------------------



------------------ show crypto session detail ------------------

Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect, U - IKE Dynamic Route Update
S - SIP VPN

Interface: GigabitEthernet1/0/48
Uptime: 00:07:17
Session status: UP-ACTIVE
Peer: 172.16.19.250 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 172.16.19.250
Desc: (none)
Session ID: 0
IKEv1 SA: local 172.16.19.254/500 remote 172.16.19.250/500 Active
Capabilities:(none) connid:1048 lifetime:02:04:48
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 10.240.242.0/255.255.255.0
Active SAs: 4, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4292695/3288
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4292695/3288
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 192.168.242.0/255.255.255.0
Active SAs: 4, origin: crypto map
Inbound: #pkts dec'ed 3 drop 0 life (KB/Sec) 4199782/3289
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4199782/3289
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 172.16.2.120/255.255.255.248
Active SAs: 4, origin: crypto map
Inbound: #pkts dec'ed 6 drop 0 life (KB/Sec) 4311843/3288
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4311843/3288
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 10.10.244.0/255.255.255.0
Active SAs: 4, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4352894/3288
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4352894/3288
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 10.10.250.0/255.255.255.240
Active SAs: 4, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4151081/3288
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4151081/3288


------------------ show crypto isakmp peers ------------------


Peer: 172.16.19.250 Port: 500 Local: 172.16.19.254
Phase1 id: 172.16.19.250

------------------ show crypto ruleset detail ------------------

Mtree:
199 VRF 0 11 172.16.19.254/500 ANY Forward, Forward
299 VRF 0 11 172.16.19.254/4500 ANY Forward, Forward
100000000000101 VRF 0 IP ANY 10.10.244.0/24 Discard/notify, Encrypt
100000000000199 VRF 0 IP ANY 10.10.244.0/24 Discard, Discard/notify
100000000000201 VRF 0 IP ANY 10.10.250.0/28 Discard/notify, Encrypt
100000000000299 VRF 0 IP ANY 10.10.250.0/28 Discard, Discard/notify
100000000000301 VRF 0 IP ANY 10.240.242.0/24 Discard/notify, Encrypt
100000000000399 VRF 0 IP ANY 10.240.242.0/24 Discard, Discard/notify
100000000000401 VRF 0 IP ANY 172.16.2.120/29 Discard/notify, Encrypt
100000000000499 VRF 0 IP ANY 172.16.2.120/29 Discard, Discard/notify
100000000000501 VRF 0 IP ANY 192.168.242.0/24 Discard/notify, Encrypt
100000000000599 VRF 0 IP ANY 192.168.242.0/24 Discard, Discard/notify


------------------ show processes memory 314 ------------------


Tracekey : 1#5b363d65bb8ed2bb310ba7f1ced23eee
Process ID: 314
Process Name: Crypto IKMP
Total Memory Held: 247712 bytes

Processor memory Holding = 247712 bytes
size = 65632, count = 1, pc = :400000+4E44D4
size = 52192, count = 1, pc = :400000+12BE3FC
size = 32864, count = 1, pc = :400000+2A595C
size = 32864, count = 1, pc = :400000+4E0CCC
size = 18320, count = 1, pc = :400000+4E4AEC
size = 16680, count = 1, pc = :400000+4E45A8
size = 8560, count = 1, pc = :400000+4E522C
size = 5048, count = 1, pc = :400000+219F018
size = 3496, count = 1, pc = :400000+2837C0
size = 2032, count = 1, pc = :400000+219F044
size = 1520, count = 6, pc = :400000+4A3B490
size = 1472, count = 2, pc = :400000+2747A8
size = 1408, count = 1, pc = :400000+4728D48
size = 704, count = 1, pc = :400000+4AD8324
size = 576, count = 1, pc = :400000+24D0C8
size = 480, count = 2, pc = :400000+4F09B0
size = 448, count = 1, pc = :400000+471FF5C
size = 432, count = 1, pc = :400000+5D7A27C
size = 408, count = 1, pc = :400000+2A72F8
size = 392, count = 1, pc = :400000+4AD4F14
size = 392, count = 1, pc = :400000+2A7268
size = 296, count = 2, pc = :400000+46DBD78
size = 288, count = 1, pc = :400000+4E551C
size = 216, count = 1, pc = :400000+268B9C
size = 208, count = 1, pc = :400000+25C460
size = 176, count = 1, pc = :400000+467FF30
size = 160, count = 1, pc = :400000+4A33C04
size = 152, count = 1, pc = :400000+214280
size = 152, count = 1, pc = :400000+21429C
size = 144, count = 1, pc = :400000+268C10

lsmpi_io memory Holding = 0 bytes


------------------ show processes 314 ------------------

Process ID 314 [Crypto IKMP], TTY 0
Memory usage [in bytes]
Holding: 247712, Maximum: 327184, Allocated: 191384600, Freed: 190302944
Getbufs: 0, Retbufs: 0, Stack: 37296/48000
CPU usage
PC: 68FAB8, Invoked: 8104, Giveups: 953, uSec: 1372
5Sec: 0.00%, 1Min: 0.00%, 5Min: 0.02%, Average: 0.00%
Age: 6154267728 msec, Runtime: 11120 msec
State: Waiting for Event, Priority: Normal


------------------ show crypto eli all ------------------


Hardware Encryption : INACTIVE
Number of crypto engines = 2

CryptoEngine Software Crypto Engine details: state = Active
Capability : IPPCP, DES, 3DES, AES, SEAL, GCM, GMAC, RSA, IPv6, GDOI,
FAILCLOSE, HA

IKE-Session : 1 active, 100 max, 0 failed
IKEv2-Session : 0 active, 100 max, 0 failed
DH : 8 active, 50 max, 0 failed
IPSec-Session : 20 active, 1000 max, 0 failed
SSL support : Yes
SSL versions : SSLv3.0, TLSv1.0, DTLSv1.0, DTLS-pre-rfc,
TLSv1.1, TLSv1.2
Max SSL connec: 1000
SSL namespace : 1

SSLv3.0 suites:
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLSv1.0 suites:
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
DTLSv1.0 suite:
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA

CryptoEngine act2 details: state = Active
Capability : RSA




------------------ show cry engine accelerator statistic ------------------



------------------ show cry isakmp diagnose error ------------------

Exit Path Table - status: enable, current entry 11, deleted 0, max allow 50

Error(381): DH delete failed.
[conn id 1048, local 172.16.19.254:500 remote 172.16.19.250:500]


-Traceback= 1#5b363d65bb8ed2bb310ba7f1ced23eee :400000+2A5F84
:400000+2A64F0 :400000+285FBC :400000+28F698 :400000+2426A38

Error(381): DH delete failed.
[conn id 1048, local 172.16.19.254:500 remote 172.16.19.250:500]


-Traceback= 1#5b363d65bb8ed2bb310ba7f1ced23eee :400000+2A5F84
:400000+2A64F0 :400000+285F64 :400000+28F698 :400000+2426A38

Error(20): Failed to find peer record.
peer 0x80007F6BE83B38 or already in tree

-Traceback= 1#5b363d65bb8ed2bb310ba7f1ced23eee :400000+2A5F84
:400000+2A64F0 :400000+24D900 :400000+219C04 :400000+21F6B0 :400000+21F594
:400000+298B10 :400000+28E924 :400000+2426A38

Error(20): Found existing peer record.
peer 172.16.19.250 port 500

-Traceback= 1#5b363d65bb8ed2bb310ba7f1ced23eee :400000+2A5F84
:400000+2A64F0 :400000+24D3F4 :400000+29A664 :400000+28F960 :400000+2426A38

Error(27): Failed to access account record.


-Traceback= 1#5b363d65bb8ed2bb310ba7f1ced23eee :400000+2A5F84
:400000+2A64F0 :400000+22A1A0 :400000+24E078 :400000+24DFAC :400000+253674
:400000+282B90 :400000+21F020 :400000+5CCD7C8 :400000+21F6B0 :400000+21F594
:400000+298B10 :400000+28E924 :400000+2426A38

Error(35): Retransmission skipped.
[conn id 1045, local 172.16.19.254:500 remote 172.16.19.250:500]


-Traceback= 1#5b363d65bb8ed2bb310ba7f1ced23eee :400000+2A5F84
:400000+2A64F0 :400000+29DA54 :400000+29A944 :400000+28F960 :400000+2426A38

Error(35): Failed to create negotiation context.
[conn id 1045, local 172.16.19.254:500 remote 172.16.19.250:500]
message id 392

-Traceback= 1#5b363d65bb8ed2bb310ba7f1ced23eee :400000+2A5F84
:400000+2A64F0 :400000+28538C :400000+29A8B4 :400000+28F960 :400000+2426A38

Error(19): QM FSM invalide state transitions.


-Traceback= 1#5b363d65bb8ed2bb310ba7f1ced23eee :400000+2A5F84
:400000+2A64F0 :400000+221A48 :400000+221AFC :400000+29B2A4 :400000+28F960
:400000+2426A38

Error(76): IPSEC validate proposal failed.
[conn id 1045, local 172.16.19.254:500 remote 172.16.19.250:500]
error 256

-Traceback= 1#5b363d65bb8ed2bb310ba7f1ced23eee :400000+2A5F84
:400000+2A64F0 :400000+25DC78 :400000+27545C :400000+2204FC :400000+5CCD7C8
:400000+221A2C :400000+221AFC :400000+29B2A4 :400000+28F960 :400000+2426A38

Error(1): Invalid parameter.
filter 0x80007F67E86BE4, remote 0x0

-Traceback= 1#5b363d65bb8ed2bb310ba7f1ced23eee :400000+2A5F84
:400000+2A64F0 :400000+24BF14 :400000+24FB88 :400000+3573884
:400000+3570C28 :400000+1FC3860 :400000+358ACC4 :400000+4B86450
:400000+2426A38

Error(1): Packet drop, SA is already marked dead.
[conn id 1003, local 172.16.19.254:500 remote 172.16.19.250:500]


-Traceback= 1#5b363d65bb8ed2bb310ba7f1ced23eee :400000+2A5F84
:400000+2A64F0 :400000+299678 :400000+28F960 :400000+2426A38



------------------ show cry isakmp diagnose error count ------------------

Exit Trace counters
27 - Failed to access account record.
762 - DH delete failed.
1 - Failed to create IDB.
1 - Packet drop, SA is already marked dead.
1 - Invalid parameter.
76 - IPSEC validate proposal failed.
35 - Failed to create negotiation context.
20 - Found existing peer record.
20 - Failed to find peer record.
8 - Failed to delete policy.
19 - QM FSM invalide state transitions.
35 - Retransmission skipped.


------------------ show crypto call admission statistics ------------------

---------------------------------------------------------------------
Crypto Call Admission Control Statistics
---------------------------------------------------------------------
System Resource Limit: 0 Max IKE SAs: 0 Max in nego: 1000
Total IKE SA Count: 1 active: 1 negotiating: 0
Incoming IKE Requests: 48 accepted: 48 rejected: 0
Outgoing IKE Requests: 0 accepted: 0 rejected: 0
Rejected IKE Requests: 0 rsrc low: 0 Active SA limit: 0
In-neg SA limit: 0
IKE packets dropped at dispatch: 0

Max IPSEC SAs: 0
Total IPSEC SA Count: 10 active: 10 negotiating: 0
Incoming IPSEC Requests: 435 accepted: 435 rejected: 0
Outgoing IPSEC Requests: 0 accepted: 0 rejected: 0

Phase1.5 SAs under negotiation: 0


------------------ show crypto ikev2 stats ------------------

--------------------------------------------------------------------------------
Crypto IKEv2 SA Statistics
--------------------------------------------------------------------------------
System Resource Limit: 0 Max IKEv2 SAs: 0 Max in nego(in/out): 40/400
Total incoming IKEv2 SA Count: 0 active: 0 negotiating: 0
Total outgoing IKEv2 SA Count: 0 active: 0 negotiating: 0
Incoming IKEv2 Requests: 0 accepted: 0 rejected: 0
Outgoing IKEv2 Requests: 0 accepted: 0 rejected: 0
Rejected IKEv2 Requests: 0 rsrc low: 0 SA limit: 0
IKEv2 packets dropped at dispatch: 0
Incoming Requests dropped as LOW Q limit reached : 0
Incoming IKEV2 Cookie Challenged Requests: 0
accepted: 0 rejected: 0 rejected no cookie: 0
Total Deleted sessions of Cert Revoked Peers: 0


------------------ show crypto ikev2 stats exchange detailed ------------------


--------------------------------------------------------------------------
EXCHANGE/NOTIFY TX(REQ) TX(RES) RX(REQ) RX(RES)

EXCHANGES

IKE_SA_INIT 0 0 0 0
IKE_AUTH 0 0 0 0
CREATE_CHILD_SA 0 0 0 0
CREATE_CHILD_SA_IPSEC 0 0 0 0
CREATE_CHILD_SA_IPSEC_REKEY 0 0 0 0
CREATE_CHILD_SA_IKE_REKEY 0 0 0 0
GSA_AUTH 0 0 0 0
GSA_REGISTRATION 0 0 0 0
GSA_REKEY 0 0 0 0
GSA_REKEY_ACK 0 0 0 0
INFORMATIONAL 0 0 0 0

ERROR NOTIFY

UNSUPPORTED_CRITICAL_PAYLOAD 0 0 0 0
INVALID_IKE_SPI 0 0 0 0
INVALID_MAJOR_VERSION 0 0 0 0
INVALID_SYNTAX 0 0 0 0
INVALID_MESSAGE_ID 0 0 0 0
INVALID_SPI 0 0 0 0
NO_PROPOSAL_CHOSEN 0 0 0 0
INVALID_KE_PAYLOAD 0 0 0 0
AUTHENTICATION_FAILED 0 0 0 0
SINGLE_PAIR_REQUIRED 0 0 0 0
NO_ADDITIONAL_SAS 0 0 0 0
INTERNAL_ADDRESS_FAILURE 0 0 0 0
FAILED_CP_REQUIRED 0 0 0 0
TS_UNACCEPTABLE 0 0 0 0
INVALID_SELECTORS 0 0 0 0

OTHER NOTIFY

INITIAL_CONTACT 0 0 0 0
SET_WINDOW_SIZE 0 0 0 0
ADDITIONAL_TS_POSSIBLE 0 0 0 0
IPCOMP_SUPPORTED 0 0 0 0
NAT_DETECTION_SOURCE_IP 0 0 0 0
NAT_DETECTION_DESTINATION_IP 0 0 0 0
COOKIE 0 0 0 0
USE_TRANSPORT_MODE 0 0 0 0
HTTP_CERT_LOOKUP_SUPPORTED 0 0 0 0
REKEY_SA 0 0 0 0
ESP_TFC_PADDING_NOT_SUPPORTED 0 0 0 0
DELETE_REASON 0 0 0 0
CUSTOM 0 0 0 0
REDIRECT_SUPPORTED 0 0 0 0
REDIRECT 0 0 0 0
REDIRECTED_FROM 0 0 0 0
DPD 0 0 0 0


CONFIG PAYLOAD TYPE TX RX

CFG_REQUEST 0 0
CFG_REPLY 0 0
CFG_SET 0 0
CFG_ACK 0 0


OTHER COUNTERS

NAT_INSIDE 0
NAT_OUTSIDE 0
NO_NAT 0
--------------------------------------------------------------------------

------------------ show crypto ikev2 stats ext-service ------------------


--------------------------------------------------------------
AAA OPERATION PASSED FAILED
--------------------------------------------------------------
RECEIVING PSKEY 0 0
AUTHENTICATION USING EAP 0 0
START ACCOUNTING 0 0
STOP ACCOUNTING 0 0
AUTHORIZATION 0 0
--------------------------------------------------------------
IPSEC OPERATION PASSED FAILED
--------------------------------------------------------------
IPSEC POLICY VERIFICATION 0 0
SA CREATION 0 0
SA DELETION 0 0
---------------------------------------------------------------
CRYPTO ENGINE OPERATION PASSED FAILED
---------------------------------------------------------------
DH PUBKEY GENERATED 0 0
DH SHARED SECKEY GENERATED 0 0
SIGNATURE SIGN 0 0
SIGNATURE VERIFY 0 0
--------------------------------------------------------------
PKI OPERATION PASSED FAILED
--------------------------------------------------------------
VERIFY CERTIFICATE 0 0
FETCHING CERTIFICATE USING HTTP 0 0
FETCHING PEER CERTIFICATE USING HTTP 0 0
GET ISSUERS 0 0
GET CERTIFICATES FROM ISSUERS 0 0
GET DN FROM CERT 0 0
--------------------------------------------------------------
GKM OPERATION PASSED FAILED
--------------------------------------------------------------
GET_POLICY 0 0
SET_POLICY 0 0

------------------ show crypto ikev2 diagnose error-count ------------------



------------------ show crypto ikev2 stats priority-queue ------------------


----------------------------------------------------
IKEV2 PRIORITY QUEUE SIZE PEAK
----------------------------------------------------
HIGHEST 0 1
HIGHER 0 0
HIGH 0 0
NORMAL 0 0
LOW 0 0
LOWER 0 0
LOWEST 0 0

------------------ show crypto ikev2 stats reconnect ------------------

Total incoming reconnect connection: 0
Success reconnect connection: 0
Failed reconnect connection: 0
Reconnect capable active session count: 0
Reconnect capable inactive session count: 0

------------------ show crypto ikev2 sa detailed ------------------



------------------ show crypto ikev2 cluster ------------------



------------------ show crypto ikev2 session detailed ------------------



------------------ show monitor event-trace crypto merged all ------------------



------------------ show crypto gdoi ------------------



------------------ show crypto gdoi rekey sa ------------------



------------------ show crypto gdoi rekey sa detail ------------------



------------------ show crypto gdoi gm ------------------



------------------ show crypto gdoi gm acl ------------------



------------------ show crypto gdoi gm pubkey ------------------



------------------ show crypto gdoi gm rekey detail ------------------



------------------ show crypto gdoi gm replay ------------------



------------------ show crypto gdoi ipsec sa ------------------



------------------ show crypto gdoi ks ------------------



------------------ show crypto gdoi ks acl ------------------



------------------ show crypto gdoi ks coop ------------------



------------------ show crypto gdoi ks coop version ------------------



------------------ show crypto gdoi ks identifier detail ------------------



------------------ show crypto gdoi ks member ------------------



------------------ show crypto gdoi ks policy ------------------



------------------ show crypto gdoi ks rekey ------------------



------------------ show crypto gdoi ks replay ------------------



------------------ show crypto gdoi diagnose events ------------------



------------------ show crypto gdoi diagnose errors recent ------------------


COMMUT1-UG-IEKAWE#sh crypto ruleset
Mtree:
11 172.16.19.254/500 ANY Forward, Forward
11 172.16.19.254/4500 ANY Forward, Forward
IP ANY 192.168.242.0/24 Discard/notify, Encrypt
IP ANY 192.168.242.0/24 Discard, Discard/notify



I'm very confused about what is going wrong. I need help.

Hello,

 

I am not sure the Catalyst 9200/9300 support IPSec Site to Site VPNs at all. I know that MPLS Layer 3 VPNs are supported, but I cannot find anything on IPSec Site to Site VPN support...

 

Do you have a router you can configure this on, just to test?

Hello,

 

It seems to be a strange behaviour.

Local IP traffic is able to enter the IPsec tunnel, but all external traffic coming to my router is unable to enter the IPsec tunnel, and that traffic is routed directly outside, using the same interface as the IPsec tunnel.

 

All traffic coming from the Mikrotik router's IPsec tunnel is decrypted normally.

My current network topology

crypto map map-name local-address interface-id

Try this command 

I tried

crypto map IEKAWE-RECIF-IPSEC local-address GigabitEthernet1/0/48

 

Not helping. Traffic is not entering the IPsec tunnel.

 

show crypto ipsec sa
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

<- did this change to the IP you entered?

 

We do not have any restrictions in our LANs.

So a single LAN needs to be accessible by every piece of equipment, PCs, printers, and vice versa, so we chose to use an ACL like

permit ip any 192.168.242.0 0.0.0.255

for example.

 

I tried with a line like this:

permit ip 10.10.10.0 0.0.0.255 192.168.242.0 0.0.0.255

The traffic is never encrypted and transferred to the destination network.

 

 

I don't get your last reply, BUT to filter traffic inside IPsec we use

set ip access-group {access-list-number | access-list-name} {in | out}.

 

So check that the local identity is OK.
Also check if there is asymmetric routing, i.e. one peer sends traffic via one path and the other sends via another path.

I'll try


ip access-list extended tout
permit ip any any
crypto map IEKAWE-RECIF-IPSEC 1 ipsec-isakmp
set ip access-group tout in
set ip access-group tout out




I'm stuck on a new Cisco 9200: the IPsec tunnel goes UP, but only traffic originating from inside the router is encrypted.
Example:

ping 192.168.242.240 source 10.10.10.55

for example, goes inside.

Otherwise, I get error messages:



*Nov 9 01:53:08.936: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /10.10.10.55, src_addr= 192.168.242.254, prot= 1