11-07-2020 03:54 AM - last edited on 11-14-2022 01:41 AM by Translator
Hi,
I read with attention the problems with IP CEF.
I have a problem and do not know how to solve it.
Platform :
Cisco IOS XE Software, Version 16.12.01
Cisco IOS Software [Gibraltar], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.12.1, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2019 by Cisco Systems, Inc.
Compiled Tue 30-Jul-19 19:26 by mcpre
License: Network Advantage
crypto isakmp policy 1
 encryption aes 256
 hash sha256
 authentication pre-share
 group 5
 lifetime 7800
crypto isakmp key toto address XX.16.YY.250
!
!
crypto ipsec transform-set LSI esp-aes 256 esp-sha256-hmac
 mode tunnel
!
!
!
crypto map IPSEC 1 ipsec-isakmp
 set peer XX.16.YY.250
 set transform-set LSI
 set pfs group5
 match address trafic_xx
 reverse-route static
ip access-list extended trafic_xx
 50 permit ip any 192.168.242.0 0.0.0.255
interface vlan 800
 ip address XX.16.YY.200
sh crypto ipsec sa
remote ident (addr/mask/prot/port): (192.168.242.0/255.255.255.0/0/0)
current_peer 172.16.19.250 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: XX.16.YY.200, remote crypto endpt.: XX.16.YY.250
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Vlan800
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
I am trying to connect a Mikrotik with IPsec. Traffic is encapsulated from the Mikrotik (xxx.16.yy.250), passes through the Cisco, and is delivered to the network.
But no PC connected to my network can generate traffic that passes through the IPsec VPN.
sh crypto route
Routes created in table GLOBAL DEFAULT
192.168.242.0/255.255.255.0 [1/0] via XX.16.YY.250 tag 0 count 1 rtid 115
on Vlan800 RRI S
sh ip cef ...
next hop is not the same as tunnel endpoint.
What's wrong?
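As an added diagnostic (not from the thread or from Cisco), a small Python parser for the `show crypto ipsec sa` fields pasted above that tells the state seen here (outbound SPI 0x0, empty SA lists, no phase 2 negotiated) apart from an SA that was negotiated but carries no traffic; both sample excerpts are constructed, modelled on the poster's output.

```python
import re

# Constructed 'show crypto ipsec sa' excerpts (not copied from the thread): SA_NONE mirrors
# the poster's state (SPI 0x0, empty SA lists); SA_IDLE is a negotiated SA with no traffic.
SA_NONE = """\
   current_peer 172.16.19.250 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0x0(0)
     inbound esp sas:
     outbound esp sas:
"""
SA_IDLE = """\
   current_peer 172.16.19.250 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0x4F2A9C10(1328454672)
     inbound esp sas:
      spi: 0xC3D5E7F9(3285116921)
     outbound esp sas:
      spi: 0x4F2A9C10(1328454672)
"""

def parse_ipsec_sa(text):
    """Extract the fields needed for triage from one crypto-map peer entry."""
    def count(label):
        m = re.search(r"#pkts %s: (\d+)" % label, text)
        return int(m.group(1)) if m else 0
    def spis(direction):
        # SPIs indented under the '<direction> esp sas:' heading (none when the list is empty)
        m = re.search(direction + r" esp sas:\n((?:[ \t]+spi: .*\n)*)", text)
        return re.findall(r"spi: (0x[0-9A-Fa-f]+)", m.group(1)) if m else []
    peer = re.search(r"current_peer (\S+)", text)
    spi = re.search(r"current outbound spi: (0x[0-9A-Fa-f]+)", text)
    return {"peer": peer.group(1) if peer else None,
            "encaps": count("encaps"), "decaps": count("decaps"),
            "outbound_spi": spi.group(1) if spi else "0x0",
            "inbound_esp": spis("inbound"), "outbound_esp": spis("outbound")}

def diagnose(sa):
    """Classify the SA state so the next check is obvious."""
    if sa["outbound_spi"] == "0x0" and not sa["inbound_esp"] and not sa["outbound_esp"]:
        return "no-sa"      # phase 2 never negotiated (the thread's output): check ISAKMP, proxy IDs, peer reachability
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "idle"       # SA up but no packet matched the crypto map: routing or crypto ACL
    if sa["encaps"] == 0 or sa["decaps"] == 0:
        return "one-way"    # traffic flows in only one direction
    return "passing"
```

Feed it the output of `show crypto ipsec sa` for one peer; a `no-sa` result means the problem lies before the crypto map ever sees a packet, so counters and CEF next hops are not yet the place to look.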
11-08-2020 07:27 PM - last edited on 11-14-2022 02:21 AM by Translator
Cisco 9200: debug ip packet
*Nov 9 03:08:07.780: FIBipv4-packet-proc: route packet from Vlan100 src 192.168.242.254 dst 10.10.10.55
*Nov 9 03:08:07.780: FIBfwd-proc: packet routed by adj to Vlan900 172.16.19.254
*Nov 9 03:08:07.780: FIBipv4-packet-proc: packet routing succeeded
*Nov 9 03:08:07.780: IP: tableid=0, s=192.168.242.254 (Vlan100), d=10.10.10.55 (Vlan900), routed via FIB
*Nov 9 03:08:07.780: FIBipv4-packet-proc: route packet from (local) src 192.168.242.240 dst 192.168.242.254
*Nov 9 03:08:07.780: FIBfwd-proc: packet routed by adj to Vlan100 192.168.242.254
*Nov 9 03:08:07.780: FIBipv4-packet-proc: packet routing succeeded
*Nov 9 03:08:07.781: IP: tableid=0, s=192.168.242.240 (local), d=192.168.242.254 (Vlan100), routed via FIB
*Nov 9 03:08:07.781: IP: s=192.168.242.240 (local), d=192.168.242.254 (Vlan100), len 56, sending
There's a mistake.
11-08-2020 11:53 PM - last edited on 11-14-2022 02:22 AM by Translator
Hello,
You must be missing something fundamental. In your drawing, the Mikrotik has IP address 172.16.19.50/30 and the Cisco 172.16.19.54/30?
Also, you posted this earlier:
Routes created in table GLOBAL DEFAULT
192.168.242.0/255.255.255.0 [1/0] via XX.16.YY.250 tag 0 count 1 rtid 115
on Vlan800 RRI S
Make sure your Mikrotik has IP address 172.16.19.53/30.
11-09-2020 12:47 AM
The Mikrotik needs to have IP address 172.16.19.253, not 250.
11-09-2020 05:56 AM
Hello reseau.dtsi@gouv.nc,
It is unlikely that a Catalyst switch can support IPsec encryption for user traffic.
You should use a router instead.
The Cat 9300 is missing dedicated hardware for IPsec encryption/decryption, and it might support IPsec just for management traffic (traffic originated by or destined to the switch CPU); that is what you have seen up to now.
Hope to help
Giuseppe
11-09-2020 07:29 AM
I agree. I could not find a single configuration example of site-to-site VPN support on the Catalyst 9K. There was only mention of SSH for management.
I guess the confusing thing is that the IOS takes all the commands, but there is no support. Maybe Cisco should somehow include warnings when you type a command that is not actually supported...
05-06-2022 08:22 AM
From what it looks like, the **new** Catalyst 9300X series (not the non-X series) has hardware support for IPsec VPN: https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-9300-series-switches/nb-06-cat9300-ser-data-sheet-cte-en.html. I can't find any configuration guide besides using it with OSPF with IPsec.
09-14-2022 10:15 AM
Thanks for the article. Having the same issue here; it seems like the brand new 9300X supports the IPsec VPN feature.