Encapsulation issue in IPsec

gamblerajay7 (Level 1)

Hi experts,

I have set up an S2S VPN on my ISR router with a peer in the cloud.

Both IKE and IPsec are up; in the IPsec SA, I can see 0 packets getting encapsulated.

I have configured BGP with one of my loopbacks as the neighbour for the peer firewall.

And I can see that the VPN ACL statement allowing the loopback IP (to bring up BGP) is getting hit.

That means the router is trying to initiate BGP with the neighbor on the other side of the VPN.

I need help understanding why packets are not getting encapsulated.

7 Replies

Hello,

Is the BGP connection up? Post the config of your ISR (and, if you have access to the cloud peer, that config as well)...

Hi Georg,

BGP is not coming up: as I can see none of my packets are getting encapsulated, the BGP initiation request from my ISR side is not getting into the tunnel itself to reach the neighbor.

Also, at the peer end, we have configured a tunnel monitor for another loopback of the ISR. I am able to see the decapsulated packet count for that IPsec SA.

1- BGP must use the loopback as update source.
2- The IGP for the BGP neighbor establishment must pass through the interface on which you configured IPsec.

Yes, we have the update-source loopback statement at both ends.

The peer is a Palo Alto in the cloud, and we have a similar configuration at that end.

But we don't have access to run a packet capture there.

Hello,

At the very least, post the configuration of your Cisco router; without seeing what you have configured, it remains guesswork. Do you have anyone available on the Palo Alto side to check the settings?

The comment about IPsec tunnels not supporting routing protocols is true for protocols like EIGRP or OSPF that use multicast packets. But it does not apply to BGP, which uses only unicast TCP packets.

I agree that it would be helpful if we saw the configuration on the Cisco side. I would also ask that the original poster give us the output of show crypto isakmp and of show crypto ipsec sa.

I have experienced the symptom of zero packets encapsulated for an IPsec tunnel. Frequently it reflects a problem with address translation translating traffic that should not be translated, or a problem with routing logic that is not returning traffic through the tunnel.

HTH

Rick
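The scenario from the original post (crypto-map S2S VPN, BGP between loopbacks) together with the two causes Rick lists for "0 packets encapsulated" (NAT catching the tunnel traffic, and the route to the neighbor loopback not pointing out the crypto-map interface, which is also the point of the "must pass through the interface you configured IPsec on" reply), as one IOS-XE configuration. This is an added example written for this page, not a configuration posted by anyone in the thread or taken from Cisco documentation; every address, AS number, interface and object name is hypothetical.

```cisco
! Added example, not from the thread. All values hypothetical:
!   local loopback 10.0.0.1/32 (BGP update source), peer loopback 10.0.1.1/32
!   local WAN 198.51.100.2, WAN next hop 198.51.100.1, peer public 203.0.113.1
!   local LAN 192.168.10.0/24, cloud prefix 172.16.0.0/16
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
!
crypto ikev2 keyring KR
 peer CLOUD
  address 203.0.113.1
  pre-shared-key local  <local-psk>
  pre-shared-key remote <remote-psk>
!
crypto ikev2 profile IKEV2-PROF
 match identity remote address 203.0.113.1 255.255.255.255
 identity local address 198.51.100.2
 authentication remote pre-share
 authentication local pre-share
 keyring local KR
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL ("interesting traffic"). It must cover the loopback-to-loopback
! BGP session as well as the data prefixes, and the peer side must carry the
! exact mirror image (on a Palo Alto: the Proxy IDs of the tunnel).
ip access-list extended VPN-ACL
 permit ip host 10.0.0.1 host 10.0.1.1
 permit ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.255.255
!
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 set ikev2-profile IKEV2-PROF
 match address VPN-ACL
!
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 crypto map CMAP
!
interface GigabitEthernet0/0/1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! Cause 1 (NAT): on the inside-to-outside path IOS translates the packet
! BEFORE it is compared with the crypto ACL. A NAT ACL that is just
! "permit ip 192.168.10.0 0.0.0.255 any" rewrites the source, the packet no
! longer matches VPN-ACL, and "pkts encaps" stays at 0 while IKE is up.
! The deny lines must come first and mirror the crypto ACL.
ip access-list extended NAT-ACL
 deny   ip host 10.0.0.1 host 10.0.1.1
 deny   ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.255.255
 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list NAT-ACL interface GigabitEthernet0/0/0 overload
!
! Cause 2 (routing): the crypto map only sees packets that leave through
! Gi0/0/0. The peer loopback and the cloud prefix need a route pointing out
! that interface; with no route the BGP SYN is dropped before encapsulation,
! with a route out another interface it leaves in clear text.
ip route 10.0.1.1 255.255.255.255 GigabitEthernet0/0/0 198.51.100.1
ip route 172.16.0.0 255.255.0.0 GigabitEthernet0/0/0 198.51.100.1
!
router bgp 65001
 bgp log-neighbor-changes
 neighbor 10.0.1.1 remote-as 65002
 neighbor 10.0.1.1 update-source Loopback0
 ! loopback-to-loopback eBGP is not directly connected: allow more than 1 hop
 neighbor 10.0.1.1 ebgp-multihop 2
 address-family ipv4
  network 192.168.10.0 mask 255.255.255.0
  neighbor 10.0.1.1 activate
```

Checks that separate the two causes: "show ip route 10.0.1.1" must resolve via GigabitEthernet0/0/0 (the interface carrying the crypto map, confirmed with "show crypto map"); "show ip nat translations | include 10.0.0.1" must return nothing while the BGP session is being retried; and in "show crypto ipsec sa" the "pkts encaps" counter for the 10.0.0.1/10.0.1.1 identity should start incrementing once both are right. If decaps rises but encaps stays at 0, the peer is sending and the local router is dropping or mis-routing before the crypto map, which is exactly the symptom described in this thread.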

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/zZ-Archive/IPsec_Virtual_Tunnel_Interface.html

We all know that IPsec does not support routing protocols because it does not support multicast,
BUT,
and I am not 100% sure, it also does not support BGP.
So the solution is to move to VTI:
we configure VTI on both sides and protect the traffic with IPsec, and BGP can easily be configured over this tunnel.
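The route-based alternative suggested in the reply above, as an added example written for this page (not the poster's configuration and not taken from the linked Cisco document). It assumes an IKEv2 profile named IKEV2-PROF and a transform set named TS already exist on the router (hypothetical names), that the WAN interface is GigabitEthernet0/0/0, and the same hypothetical addressing as before: peer public 203.0.113.1, local loopback 10.0.0.1, peer loopback 10.0.1.1. A static VTI negotiates any/any traffic selectors, so there is no crypto ACL to keep in sync with the Palo Alto's Proxy IDs, and whatever is routed into the tunnel is encrypted.

```cisco
! Added example, not from the thread. All values hypothetical.
!
crypto ipsec profile IPSEC-PROF
 set transform-set TS
 set ikev2-profile IKEV2-PROF
!
! Static VTI: the tunnel is a real routed interface. Everything sent into it
! is encapsulated, so "0 pkts encaps" can only mean nothing is routed here.
interface Tunnel0
 ip address 169.254.10.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
!
! Tunnel0 carries no "ip nat outside", so an inside-to-outside NAT rule never
! touches traffic routed into the tunnel; the NAT exemption needed with a
! crypto map is not needed here.
!
! Keep the outer tunnel endpoint reachable via the physical path so that a
! prefix learned over BGP can never recurse the tunnel destination into Tunnel0.
ip route 203.0.113.1 255.255.255.255 198.51.100.1
!
! Either peer on the tunnel addresses (directly connected, simplest) ...
router bgp 65001
 bgp log-neighbor-changes
 neighbor 169.254.10.2 remote-as 65002
 neighbor 169.254.10.2 update-source Tunnel0
 address-family ipv4
  network 192.168.10.0 mask 255.255.255.0
  neighbor 169.254.10.2 activate
!
! ... or keep the loopback-to-loopback peering from the original post:
! route the peer loopback into the tunnel and allow the extra hop.
! ip route 10.0.1.1 255.255.255.255 Tunnel0
! router bgp 65001
!  neighbor 10.0.1.1 remote-as 65002
!  neighbor 10.0.1.1 update-source Loopback0
!  neighbor 10.0.1.1 ebgp-multihop 2
```

On the Palo Alto side this pairs with its native route-based tunnel interface (tunnel.N) with no Proxy IDs configured, whose default any/any selectors match the VTI. Verify with "show interfaces Tunnel0" (line protocol up requires the IPsec SA), "show crypto ipsec sa" (a single 0.0.0.0/0 to 0.0.0.0/0 identity whose encaps and decaps both increase) and "show ip bgp summary".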
