
IPSec ACTIVE but no traffic

alinazim
Level 1

Hello Everyone!

After a lot of effort and searching, I didn't find a solution to my problem. Can anyone help?

I have a Cisco Router 4300 Series and a Sophos XG, and I wanted to connect both through IPSec. I followed some tutorials and was able to establish an IPSec connection successfully, but no traffic is passing; I tried ping and traceroute.

Thanks in advance!

Here is the Cisco Config:

Building configuration...

Current configuration : 3124 bytes
!
! Last configuration change at 15:19:34 UTC Mon Dec 20 2021 by cisco
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname ROUTER_1
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 XXX
enable password XXX
!
aaa new-model
!
aaa authentication login default local
!
aaa session-id common
!
ip dhcp excluded-address 192.168.6.208
ip dhcp excluded-address 192.168.6.205
ip dhcp excluded-address 192.168.6.201
!
ip dhcp pool LAN_DHCP
 network 192.168.6.0 255.255.255.0
 default-router 192.168.6.254
 dns-server 8.8.8.8 8.8.4.4
!
subscriber templating
!
multilink bundle-name authenticated
!
redundancy
 mode none
!
vlan internal allocation policy ascending
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key XXXXX address 172.105.223.23
!
crypto ipsec transform-set Sophos_Main esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile Sophos_Main
 set security-association lifetime seconds 86400
 set transform-set Sophos_Main
crypto map VPN_To_Main 10 ipsec-isakmp
 ! Incomplete
 set peer 172.105.223.23
 ! access-list has not been configured yet
 set transform-set Sophos_Main
 set pfs group2
 match address 101
!
interface Tunnel10
 no ip address
 tunnel source Dialer1
 tunnel mode ipsec ipv4
 tunnel destination 172.105.223.23
 tunnel protection ipsec profile Sophos_Main
!
interface GigabitEthernet0/0/0
 description " TO WAN AT "
 no ip address
 negotiation auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/0/1
 description " To LAN NETWORK "
 ip address 192.168.6.254 255.255.255.0
 ip nat inside
 negotiation auto
!
interface Dialer1
 ip address negotiated
 ip mtu 1460
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 800
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname XXXXXXX
 ppp chap password 0 XXXXXXXX
 ppp ipcp dns request
 ppp ipcp route default
 crypto map VPN_To_Main
!
ip default-gateway 192.168.6.254
ip forward-protocol nd
no ip http server
no ip http secure-server
ip dns server
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.1.0 255.255.255.0 Dialer1
ip route 192.168.1.0 255.255.255.0 172.105.223.23
!
control-plane
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
end


14 Replies

Seb Rupik
VIP Alumni

Hi there,

You have specified the ACL '101' in the crypto map but have not specified what the ACL is in the running config. The ACL needs to match the traffic which you want to send via the IPSec tunnel as it egresses the Dialer1 interface. The remote VPN endpoint will need the mirror version of this ACL so that return traffic is sent via the IPsec tunnel.

cheers,

Seb.

Hello!

Thanks for the answer! I will check that.

Cheers.

Did you get a good answer? Please mention me there, or say what method you used. Kindly help me out.

Hello!

I used Georg Pauwen's answer and it works perfectly; I have marked the answer as the solution.

Cheers.

Hello,

I don't think the Sophos does VTIs, so you need to use crypto maps. The config below should work (if the other end has the same parameters). Don't use group 2, which is considered unsafe. I have replaced that with group 5. Make sure the config looks exactly like this one, line by line. When you are done, post the finished config again, so we can double check:

Current configuration : 3124 bytes
!
! Last configuration change at 15:19:34 UTC Mon Dec 20 2021 by cisco
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname ROUTER_1
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 XXX
enable password XXX
!
aaa new-model
!
aaa authentication login default local
!
aaa session-id common
!
ip dhcp excluded-address 192.168.6.208
ip dhcp excluded-address 192.168.6.205
ip dhcp excluded-address 192.168.6.201
ip dhcp excluded-address 192.168.6.254
!
ip dhcp pool LAN_DHCP
 network 192.168.6.0 255.255.255.0
 default-router 192.168.6.254
 dns-server 8.8.8.8 8.8.4.4
!
subscriber templating
!
multilink bundle-name authenticated
!
redundancy
 mode none
!
vlan internal allocation policy ascending
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp key XXXXX address 172.105.223.23
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set Sophos_Main esp-3des esp-md5-hmac
 mode transport
!
crypto map VPN_To_Main 10 ipsec-isakmp
 set security-association lifetime seconds 86400
 set peer 172.105.223.23
 set transform-set Sophos_Main
 set pfs group2
 match address 101
!
interface GigabitEthernet0/0/0
 description " TO WAN AT "
 no ip address
 negotiation auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/0/1
 description " To LAN NETWORK "
 ip address 192.168.6.254 255.255.255.0
 ip nat inside
 negotiation auto
!
interface Dialer 1
 ip address negotiated
 ip mtu 1460
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 800
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname XXXXXXX
 ppp chap password 0 XXXXXXXX
 ppp ipcp dns request
 crypto map VPN_To_Main
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip dns server
ip route 0.0.0.0 0.0.0.0 Dialer 1
!
ip nat inside source list 102 interface Dialer 1 overload
!
access-list 101 permit ip 192.168.6.0 0.0.0.255 ip_subnet_other_end
!
access-list 102 deny ip 192.168.6.0 0.0.0.255 ip_subnet_other_end
access-list 102 permit ip 192.168.6.0 0.0.0.255 any
control-plane
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
end
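A small checker for the two points raised in the replies above (the crypto-map ACL that was never defined, and the NAT exemption that the crypto-map config relies on), added here as an example and not code from the thread. It assumes the placeholder ip_subnet_other_end is the Sophos LAN 192.168.1.0/24 from the original routes, and it parses only extended numbered access-list lines.

```python
import re

def parse_acls(config):
    """Map extended numbered ACL -> [(action, src, dst)]; src/dst are 'net wildcard' or 'any'."""
    acls = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list" or parts[3] != "ip":
            continue  # only well-formed 'access-list N permit|deny ip ...' lines are parsed
        toks, addrs = parts[4:], []
        while toks:  # each address is either 'any' (1 token) or 'network wildcard' (2 tokens)
            n = 1 if toks[0] == "any" else 2
            addrs.append(" ".join(toks[:n])); toks = toks[n:]
        acls.setdefault(parts[1], []).append((parts[2], addrs[0], addrs[1]))
    return acls

def check_crypto_map(config):
    """Return findings for the two gaps discussed in the thread; an empty list means both pass."""
    findings, acls = [], parse_acls(config)
    m = re.search(r"^\s*match address (\d+)", config, re.M)
    if not m:
        return ["no crypto map entry with 'match address' found"]
    interesting = [(s, d) for a, s, d in acls.get(m.group(1), []) if a == "permit"]
    if not interesting:  # the OP's case: 'match address 101' but access-list 101 never defined
        findings.append(f"crypto map matches ACL {m.group(1)} but it has no permit entries")
    nat = re.search(r"^ip nat inside source list (\d+) interface", config, re.M)
    for src, dst in (interesting if nat else []):
        # IOS translates inside->outside before consulting the crypto map, so the first NAT-ACL
        # line hitting the VPN pair must be a deny or the source is PATed away before encryption
        first = next((a for a, s, d in acls.get(nat.group(1), [])
                      if s == src and d in (dst, "any")), None)
        if first == "permit":
            findings.append(f"NAT ACL {nat.group(1)} does not exempt {src} -> {dst}")
    return findings

def mirror_acl(config, number):
    """Crypto ACL the remote peer needs (Seb's point): the same pairs with src and dst swapped."""
    m = re.search(r"^\s*match address (\d+)", config, re.M)
    return [f"access-list {number} permit ip {d} {s}"
            for a, s, d in parse_acls(config).get(m.group(1), []) if a == "permit"]

# Constructed excerpts of the thread's two configs; 'ip_subnet_other_end' is taken to be the
# Sophos LAN 192.168.1.0/24 from the original routes. ORIGINAL reproduces the missing ACL.
ORIGINAL = "crypto map VPN_To_Main 10 ipsec-isakmp\n set peer 172.105.223.23\n match address 101\n"
FIXED = ORIGINAL + """\
ip nat inside source list 102 interface Dialer1 overload
access-list 101 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.6.0 0.0.0.255 any
"""
```

check_crypto_map(ORIGINAL) reports the undefined ACL 101, check_crypto_map(FIXED) returns no findings, and mirror_acl(FIXED, 101) gives the entry the Sophos side must carry for return traffic.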

Hello!

Thanks for the answer. I tried exactly your solution but it still doesn't work: the tunnel is not connecting at all, whereas with the initial config the IPSec connects but no traffic passes.

You didn't specify the Tunnel interface in the config you provided; was it intentional?

Thanks in advance.

Cheers.

Hello,

since there is no information on the Sophos config, it can be either crypto map or VTI. Crypto map apparently does not work, so try the config below:

Current configuration : 3124 bytes
!
! Last configuration change at 15:19:34 UTC Mon Dec 20 2021 by cisco
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname ROUTER_1
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 XXX
enable password XXX
!
aaa new-model
!
aaa authentication login default local
!
aaa session-id common
!
ip dhcp excluded-address 192.168.6.208
ip dhcp excluded-address 192.168.6.205
ip dhcp excluded-address 192.168.6.201
ip dhcp excluded-address 192.168.6.254
!
ip dhcp pool LAN_DHCP
 network 192.168.6.0 255.255.255.0
 default-router 192.168.6.254
 dns-server 8.8.8.8 8.8.4.4
!
subscriber templating
!
multilink bundle-name authenticated
!
redundancy
 mode none
!
vlan internal allocation policy ascending
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key XXXXX address 172.105.223.23
!
crypto ipsec transform-set Sophos_Main esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile Sophos_Main
 set security-association lifetime seconds 86400
 set transform-set Sophos_Main
!
interface Tunnel10
 no ip address
 tunnel source Dialer1
 tunnel mode ipsec ipv4
 tunnel destination 172.105.223.23
 tunnel protection ipsec profile Sophos_Main
!
interface GigabitEthernet0/0/0
 description " TO WAN AT "
 no ip address
 negotiation auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/0/1
 description " To LAN NETWORK "
 ip address 192.168.6.254 255.255.255.0
 ip nat inside
 negotiation auto
!
interface Dialer1
 ip address negotiated
 ip mtu 1460
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 800
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname XXXXXXX
 ppp chap password 0 XXXXXXXX
 ppp ipcp dns request
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip dns server
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.1.0 255.255.255.0 Tunnel10
!
ip nat inside source list 1 interface Dialer1 overload
!
access-list 1 permit 192.168.6.0 0.0.0.255
!
dialer-list 1 protocol ip permit
!
control-plane
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
end

Hi There!

Thanks for the answer. I tried the config, and the Tunnel state turned up on both the Cisco and the Sophos, but when I try to ping there is still no traffic.

The weird thing is when I do a traceroute, here is what I get:

From a host in the Sophos network (192.168.1.0/24) to a host in the Cisco network (192.168.6.0/24):

traceroute to 192.168.6.1 (192.168.6.1), 64 hops max, 52 byte packets
 1  192.168.0.1 (192.168.0.1)  15.211 ms  2.006 ms  3.662 ms
 2  192.168.1.254 (192.168.1.254)  3.156 ms  4.044 ms  2.345 ms
 3  * * *
 4  * * *
 5  same and never ends...

From a host in the Cisco network (192.168.6.0/24) to a host in the Sophos network (192.168.1.0/24):

traceroute to 192.168.1.220 (192.168.1.220), 64 hops max, 52 byte packets
 1  192.168.6.254 (192.168.6.254)  0.661 ms  0.634 ms  0.561 ms
 2  172.105.0.23 (172.105.0.23)  20.910 ms  13.597 ms  20.649 ms
 3  10.109.36.95 (10.109.36.95)  13.050 ms  13.234 ms  13.299 ms
 4  * * *
 5  It shows other IPs....

It seems like the Sophos routes packets correctly to the Cisco and waits for a response forever, whereas the Cisco routes packets directly to the Internet and then.... they never come back.

The Sophos Config screenshots are attached below.

Thanks in advance.

Cheers.

Hello,

I am still not sure the Sophos works with the VTI. Either way, on the Sophos, in the 'Phase 2' settings, under 'PFS Group', set that to 'Same as Phase 1', and in the 'Gateway type' settings drop-down, select 'Initiate the connection'...

Hi There,

Same thing; this time the Tunnel keeps dropping the connection, and when it's up, no pings.

Thanks.

Cheers.

Hello,

try the crypto map again, with the suggested changes on the Sophos: in the 'Phase 2' settings, under 'PFS Group', set that to 'Same as Phase 1', and in the 'Gateway type' settings drop-down, select 'Initiate the connection'..

Current configuration : 3124 bytes
!
! Last configuration change at 15:19:34 UTC Mon Dec 20 2021 by cisco
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname ROUTER_1
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 XXX
enable password XXX
!
aaa new-model
!
aaa authentication login default local
!
aaa session-id common
!
ip dhcp excluded-address 192.168.6.208
ip dhcp excluded-address 192.168.6.205
ip dhcp excluded-address 192.168.6.201
ip dhcp excluded-address 192.168.6.254
!
ip dhcp pool LAN_DHCP
 network 192.168.6.0 255.255.255.0
 default-router 192.168.6.254
 dns-server 8.8.8.8 8.8.4.4
!
subscriber templating
!
multilink bundle-name authenticated
!
redundancy
 mode none
!
vlan internal allocation policy ascending
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key XXXXX address 172.105.223.23
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set Sophos_Main esp-3des esp-md5-hmac
 mode transport
!
crypto map VPN_To_Main 10 ipsec-isakmp
 set security-association lifetime seconds 86400
 set peer 172.105.223.23
 set transform-set Sophos_Main
 set pfs group2
 match address 101
!
interface GigabitEthernet0/0/0
 description " TO WAN AT "
 no ip address
 negotiation auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/0/1
 description " To LAN NETWORK "
 ip address 192.168.6.254 255.255.255.0
 ip nat inside
 negotiation auto
!
interface Dialer 1
 ip address negotiated
 ip mtu 1460
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 800
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname XXXXXXX
 ppp chap password 0 XXXXXXXX
 ppp ipcp dns request
 crypto map VPN_To_Main
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip dns server
ip route 0.0.0.0 0.0.0.0 Dialer 1
!
ip nat inside source list 102 interface Dialer 1 overload
!
access-list 101 permit ip 192.168.6.0 0.0.0.255 ip_subnet_other_end
!
access-list 102 deny ip 192.168.6.0 0.0.0.255 ip_subnet_other_end
access-list 102 permit ip 192.168.6.0 0.0.0.255 any
!
dialer-list 1 protocol ip permit
!
control-plane
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
end

And if it still does not work, post the output of:

debug crypto ipsec
debug crypto isakmp

Hello!

It works perfectly, thanks!

Cheers.

Hi friend,
why did you configure two IPSec setups, one under the dialer and the other under the tunnel?