02-12-2019 08:35 AM
Hi,
I am trying to set up an IPsec tunnel between a Cisco ISR4431 router and a Check Point firewall. I ran into multiple issues and need help validating the configs and logs on the Cisco router. Attached is the router config for your reference.
Source - 192.168.1.0/24
Destination - 10.10.10.1/32
Tunnel Source is Router LAN interface (2.2.2.3).
Traffic path
============
Host machine (192.168.1.x) --> Switch (192.168.1.x/24) --> FW Inside (192.168.1.10) --> FW outside (2.2.2.2) --> Router (LAN Interface 2.2.2.3) --> Router WAN Interface--> Towards Internet
Problem 1
=========
When I initiate traffic (continuous pings) from source 192.168.1.23/24, it does not seem to hit the crypto ACL. I could not see any hits getting incremented. But when I added permit any any on the ACL, it started getting hits.
ip access-list extended vpn-ABC
permit ip 192.168.1.0 0.0.0.255 host 10.10.10.1 log --> No hits seen for this line
permit any any ---> added later
1) What seems to be wrong with the original ACL?
Problem 2
=========
When I added "permit any any" on the crypto ACL, the ACL was getting hits, and I could see Tunnel Phase 1 and Phase 2 Up. But, there was no Web traffic passing through. I was getting the following errors.
*Jan 23 16:03:55 GMT: %IOSXE-3-PLATFORM:cpp_cp: QFP:0.0 Thread:001 TS:00002146448051374595 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 10.10.10.1, src_addr= 192.168.1.23, prot= 1
*Jan 23 16:04:55 GMT: %IOSXE-3-PLATFORM:cpp_cp: QFP:0.0 Thread:001 TS:00002146509123448118 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 10.10.10.1, src_addr= 192.168.1.23, prot= 1
Is it because of a routing issue? I did not have enough time to troubleshoot, but I figured out later that there was no return route from the router back into the 192.168.1.0 LAN segment.
ip route 192.168.1.0 255.255.255.0 2.2.2.2 --> This was missing
Am I right in my assumption?
Appreciate your feedback.
Cheers
Mikey
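A quick check for the two problems above, as an added example that is not from the post: it applies IOS wildcard-mask matching to the crypto ACL as written and parses the %IPSEC-3-RECVD_PKT_NOT_IPSEC lines, so you can confirm that 192.168.1.23 -> 10.10.10.1 does match the ACL and that the plaintext packets arriving at the router are exactly the flow the ACL should be encrypting. The log sample is constructed from the two lines quoted above plus one extra flow to show a non-matching case.

```python
import ipaddress
import re

# Crypto ACL from the post (the "log" keyword left off; it is not supported on crypto ACLs).
# Entry format: (action, protocol, src, src_wildcard, dst, dst_wildcard)
CRYPTO_ACL = [
    ("permit", "ip", "192.168.1.0", "0.0.0.255", "10.10.10.1", "0.0.0.0"),
]

# Constructed sample: the two quoted log lines plus one extra (non-VPN) flow.
SAMPLE_LOG = """\
*Jan 23 16:03:55 GMT: %IOSXE-3-PLATFORM:cpp_cp: QFP:0.0 Thread:001 TS:00002146448051374595 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 10.10.10.1, src_addr= 192.168.1.23, prot= 1
*Jan 23 16:04:55 GMT: %IOSXE-3-PLATFORM:cpp_cp: QFP:0.0 Thread:001 TS:00002146509123448118 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 10.10.10.1, src_addr= 192.168.1.23, prot= 1
*Jan 23 16:05:10 GMT: %IOSXE-3-PLATFORM:cpp_cp: QFP:0.0 Thread:001 TS:00002146520000000000 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 8.8.8.8, src_addr= 192.168.1.23, prot= 6
"""

LOG_RE = re.compile(
    r"%IPSEC-3-RECVD_PKT_NOT_IPSEC:.*?dest_addr= (\S+), src_addr= (\S+), prot= (\d+)"
)


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit means 'must match', a 1 bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


def acl_matches(acl, src, dst):
    """First matching entry wins; no match is the implicit deny at the end of every IOS ACL."""
    for action, _proto, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False


def parse_not_ipsec_log(text):
    """Extract (src, dst, protocol) from each RECVD_PKT_NOT_IPSEC line."""
    flows = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            dst, src, prot = m.groups()
            flows.append((src, dst, int(prot)))
    return flows


def triage(text, acl):
    """Pair each logged plaintext flow with whether the crypto ACL says it should have been encrypted."""
    return [(flow, acl_matches(acl, flow[0], flow[1])) for flow in parse_not_ipsec_log(text)]
```

A True in the triage output means the router received cleartext for a flow that is inside the crypto ACL, which points at where the crypto map is applied or at return routing rather than at the ACL text itself.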
02-22-2019 11:46 PM
Hi,
Here, I want to point out some misconfigurations or changes needed in the current router configuration:
1. IP access List configuration:
ip access-list extended vpn-ABC
 permit ip 192.168.1.0 0.0.0.255 host 10.10.10.1 log
Above is your configuration. The "log" keyword added at the end of the ACL entry is not supported on a crypto ACL, so you must remove it.
2. Crypto-MAP Configuration:
crypto map VPN 10 ipsec-isakmp
 set peer 100.100.100.100
 set transform-set esp-aes-128
 set isakmp-profile ABC
 match address vpn-ABC
Above is the crypto map configuration, but it is not applied on any interface. This crypto map must be applied to the exit interface, meaning the WAN interface, as below:
interface GigabitEthernet0/0/0
 description "ISP Ckt"
 crypto map VPN
3. Routing for VPN traffic:
Since you are using BGP, I am assuming that you are getting a default route from the ISP end (from neighbour 1.1.1.2). If not, then you have to check the following two routes:
A. Routing for the remote peer 100.100.100.100. If it is not available in the routing table, you must define a static route toward the WAN interface or neighbor device:
ip route 100.100.100.100 255.255.255.255 GigabitEthernet0/0/0
B. If you are not learning a default route, you must also define a static route for the VPN traffic, as below:
ip route 10.10.10.1 255.255.255.255 GigabitEthernet0/0/0
Regards,
Deepak Kumar
02-25-2019 03:51 AM
Hi Deepak,
Thanks for your inputs. The crypto map was applied on the Gig0/0/2 interface during the change. I removed it while reverting the change.
There is a default route being received from my upstream ISP, so I believe static routes for the VPN traffic would not be needed.
Thanks
Mikey