
IPsec Tunnel is showing decrypt packets counter but "0" encryption packets:#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

Maverick111
Level 1

I have just configured the IPsec tunnel between my router and the access point. I could see that the tunnel has come up and is active on both sides.

However, when I checked "show crypto ipsec sa", I could see that the decaps packet counters are getting incremented but the encaps packets are always shown as 0.

I think the router is able to decrypt the packets in its ingress path, but it is not encrypting the outbound packets, or the packets are not getting routed through the tunnel.

Can someone guide me to fix this?


Router#show crypto ipsec sa

interface: FastEthernet4
    Crypto map tag: SG_LAB_MAP, local addr 10.140.134.50

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.140.134.50/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.10/255.255.255.255/0/0)
   current_peer 192.168.1.10 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 177, #pkts decrypt: 177, #pkts verify: 177
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.140.134.50, remote crypto endpt.: 192.168.1.10
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x290F(10511)

     inbound esp sas:
      spi: 0x2527(9511)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 3, flow_id: Motorola SEC 1.0:3, crypto map: SG_LAB_MAP
        no sa timing
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x290F(10511)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 4, flow_id: Motorola SEC 1.0:4, crypto map: SG_LAB_MAP
        no sa timing
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Router Config


Router#sh run
Building configuration...

Current configuration : 3333 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
enable secret 5 <Intentionally Trimmed>
enable password <Intentionally Trimmed>
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool test
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   lease 0 1 2
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
!
ipv6 unicast-routing
no ipv6 cef
multilink bundle-name authenticated
!
!
!
username <Intentionally Trimmed> privilege 15 secret 5 <Intentionally Trimmed>
!
!
!
crypto ipsec transform-set MANUAL_TRANSFORM_SET01 esp-aes esp-sha-hmac
 mode transport
!
crypto map SG_LAB_MAP 100 ipsec-manual
 description "<Intentionally Trimmed> (APREL) MAC <Intentionally Trimmed>"
 set peer 192.168.1.10 default
 set session-key inbound esp 9511 cipher <Intentionally Trimmed> authenticator <Intentionally Trimmed>
 set session-key outbound esp 10511 cipher <Intentionally Trimmed> authenticator <Intentionally Trimmed>
 set transform-set MANUAL_TRANSFORM_SET01
 match address <Intentionally Trimmed>
!
archive
 log config
  hidekeys
!
!
!
!
!
interface Tunnel100
 description "<Intentionally Trimmed>"
 no ip address
 ipv6 address FDC9:CCBE:10C0:A6:BF22:7825:C8F6:7257/64
 ipv6 enable
 tunnel source 10.140.134.50
 tunnel destination 192.168.1.10
 tunnel mode ipv6ip
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address dhcp
 speed auto
 full-duplex
 crypto map SG_LAB_MAP
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip tcp adjust-mss 1452
 ipv6 enable
!
ip forward-protocol nd
ip route 10.140.134.0 255.255.255.0 10.140.134.1
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
!
ip access-list extended AP_001350FFFE11B666_ACL
 permit ip host 10.140.134.50 host 192.168.1.10
 permit ip host 10.140.134.50 host 192.168.1.1
!
no cdp run

ipv6 route FDC9:CCBE:1DC7:A6::/64 Tunnel100
!
!
!
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 password <Intentionally Trimmed>
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end

Router#

(Attachment: Drawing1.jpg)

4 Replies

Hello,

the tunnel destination is 192.168.1.10; is this address statically assigned to the access point? You need at the very least to exclude it from the DHCP scope:

ip dhcp excluded-address 192.168.1.10

What devices are involved here? The router looks like an 800 router; what is the access point?

Thanks.


Indeed, the AP is assigned a static IP, 192.168.1.10. I will add the DHCP excluded address to the configuration.

The AP is our embedded device with support for IPsec. I have made it work earlier with the same HW and SW but in a different configuration. However, this is the first time I'm encountering an encaps packet counter issue.

Hello,

it is unclear what your IP addressing looks like.

Your interface FastEthernet4 is set to DHCP; which IP address is it getting? You have a static route:

ip route 10.140.134.0 255.255.255.0 10.140.134.1

Is 10.140.134.1 the IP address of the server? Post the output of:

show ip int brief

Richard Burts
Hall of Fame

The issue here appears to be one-way traffic. The router is receiving and decrypting traffic but is not encrypting and sending any traffic. In my experience with site-to-site VPN, one-way traffic is most often related to issues with address translation or with routing (traffic not being sent through the interface where the tunnel is). Since I do not see address translation in the config, I assume that it may be an issue with routing.


It is a bit difficult to know what is going on because of decisions to hide sensitive information such as this:

 match address <Intentionally Trimmed>

Since we do not know what is being matched, it is difficult to see exactly what should be going through the tunnel but is not.


I do note that the tunnel is set up with IPv4 source and destination addresses, but the tunnel is configured to carry only IPv6 traffic. There is a single route statement for IPv6:

ipv6 route FDC9:CCBE:1DC7:A6::/64 Tunnel100

so my question is whether that IPv6 address is on the remote peer.


HTH


Rick
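A quick way to spot the asymmetry Rick describes, across every crypto ACL entry in the output rather than by eye, is to parse the counters. The script below is an added example, not from this thread or from Cisco; it reads a constructed sample modelled on the output posted above and classifies each entry by comparing its encaps and decaps counters.

```python
import re

# Constructed sample modelled on the output posted above (not a live capture):
# outbound counters stay at 0 while inbound counters keep growing.
SAMPLE_SA_OUTPUT = """\
interface: FastEthernet4
    Crypto map tag: SG_LAB_MAP, local addr 10.140.134.50
   local  ident (addr/mask/prot/port): (10.140.134.50/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.10/255.255.255.255/0/0)
   current_peer 192.168.1.10 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 177, #pkts decrypt: 177, #pkts verify: 177
    #send errors 0, #recv errors 0
"""

def parse_crypto_ipsec_sa(text):
    # Each 'local ident' line starts a new crypto ACL entry; the counter lines
    # that follow belong to it until the next 'local ident' line.
    entries, current = [], None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"local\s+ident .*?: \((.+?)\)", s)
        if m:
            current = {"local": m.group(1)}
            entries.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"remote ident .*?: \((.+?)\)", s)
        if m:
            current["remote"] = m.group(1)
        for key, val in re.findall(r"#pkts (encaps|decaps|encrypt|decrypt): (\d+)", s):
            current[key] = int(val)
    return entries

def classify(entry):
    # Compare the two directions; the output posted in this thread is the first case.
    enc, dec = entry.get("encaps", 0), entry.get("decaps", 0)
    if enc == 0 and dec > 0:
        return "one-way: receiving only (nothing encrypted outbound; check routing and the crypto ACL)"
    if enc > 0 and dec == 0:
        return "one-way: sending only (nothing received back from the peer)"
    if enc == 0 and dec == 0:
        return "idle: no interesting traffic in either direction"
    return "bidirectional"

if __name__ == "__main__":
    for e in parse_crypto_ipsec_sa(SAMPLE_SA_OUTPUT):
        print(f'{e["local"]} -> {e["remote"]}: {classify(e)}')
```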