Lose Connectivity when IPSEC tunnel comes up

Normally I'd have a rough idea of where to start, but I'm not sure if this is a NAT/ZBF or IPSEC issue at this stage.

Without the crypto map map1 assigned to the outside interface, everything works fine. Internal hosts can access the internet, I can ping the router externally. So the ZBF is allowing the required traffic.

As soon as I assign crypto map map1 to GigabitEthernet0 (WAN), the inside hosts can no longer access the internet. They can however ping/access hosts across the VPN tunnel. So basically, as soon as the tunnel comes up, access to anything outside that cryptomap ceases to function.

As far as I can tell everything is correct, so I'm a bit baffled. Hoping someone can take a look over the config.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.09.11 15:38:47 =~=~=~=~=~=~=~=~=~=~=~=

sh run

Building configuration...

Current configuration : 7711 bytes
!
! No configuration change since last restart
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname RTR1
!
boot-start-marker
boot system flash c890-universalk9-mz.151-4.M2.bin
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096
logging console critical
!
aaa new-model
!
!
aaa authentication login NetworkAdmins group radius local
aaa authorization console
!
!
!
!
!
aaa session-id common
!
crypto pki token default removal timeout 0
!
!
no ip source-route
!
!
!
ip dhcp excluded-address 10.4.1.1 10.4.1.99
ip dhcp excluded-address 10.4.1.201 10.4.1.254
ip dhcp excluded-address 10.4.2.1 10.4.2.99
ip dhcp excluded-address 10.4.2.201 10.4.2.254
!
ip dhcp pool lv-data
 network 10.4.1.0 255.255.255.0
 domain-name XXXXX.com
 dns-server 10.1.10.1 8.8.8.8
 default-router 10.4.1.254
 lease 7
!
ip dhcp pool lv-voice
 network 10.4.2.0 255.255.255.0
 domain-name XXXXX.com
 default-router 10.4.2.254
 dns-server 10.1.10.1
 lease 7
!
!
ip cef
no ip bootp server
ip domain name XXXX.com
ip name-server 10.1.10.1
ip name-server 8.8.8.8
no ipv6 cef
!
!
!
!
multilink bundle-name authenticated
!
!
object-group network locationB-networks
 10.4.1.0 255.255.255.0
 10.4.2.0 255.255.255.0
!
object-group network locationA-networks
 10.1.10.0 255.255.255.0
 10.1.11.0 255.255.255.0
 10.1.12.0 255.255.255.0
 10.1.13.0 255.255.255.0
!
username admin privilege 15 secret
crypto ikev2 proposal ESP-AES-SHA
 encryption aes-cbc-128
 integrity sha1
 group 2
!
crypto ikev2 policy policy1
 proposal ESP-AES-SHA
!
crypto ikev2 keyring keyring1
 peer locationA
  address 209.XX.XX.130
  pre-shared-key XXXXXXX
!
!
!
crypto ikev2 profile locationA
 match identity remote address 209.XX.XX.130 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring keyring1
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
!
class-map type inspect match-all management
 match access-group name manage-ports
 match access-group name manage-hosts
 match protocol tcp
class-map type inspect match-all icmp
 match protocol icmp
class-map type inspect match-all vpn-traffic
 match access-group name vpn-protocols
class-map type inspect match-any all-protocols
 match protocol tcp
 match protocol udp
 match protocol icmp
!
!
policy-map type inspect inside-to-inside
 class class-default
  pass
policy-map type inspect inside-to-self
 class class-default
  pass
policy-map type inspect self-to-any
 class class-default
  pass
policy-map type inspect inside-to-outside
 class type inspect all-protocols
  inspect
 class class-default
  drop
policy-map type inspect outside-to-self
 class class-default
  pass
!
zone security inside
zone security outside
zone-pair security inside-to-inside source inside destination inside
 service-policy type inspect inside-to-inside
zone-pair security inside-to-outside source inside destination outside
 service-policy type inspect inside-to-outside
zone-pair security inside-to-self source inside destination self
 service-policy type inspect inside-to-self
zone-pair security outside-to-self source outside destination self
 service-policy type inspect outside-to-self
!
!
!
!
crypto map map1 10 ipsec-isakmp
 set peer 209.XX.XX.130
 set ikev2-profile locationA
 match address locationA-cryptomap
!
!
!
!
!
interface FastEthernet0
 switchport voice vlan 6
 no ip address
!
interface FastEthernet1
 switchport voice vlan 6
 no ip address
!
interface FastEthernet2
 switchport voice vlan 6
 no ip address
!
interface FastEthernet3
 switchport voice vlan 6
 no ip address
!
interface FastEthernet4
 switchport voice vlan 6
 no ip address
!
interface FastEthernet5
 switchport voice vlan 6
 no ip address
!
interface FastEthernet6
 switchport voice vlan 6
 no ip address
!
interface FastEthernet7
 switchport voice vlan 6
 no ip address
!
interface FastEthernet8
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
 duplex auto
 speed auto
 no cdp enable
!
interface GigabitEthernet0
 description $FW_OUTSIDE$$ETH-WAN$
 ip address 24.120.XXX.10X 255.255.255.224
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 zone-member security outside
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 description Data$FW_INSIDE$
 ip address 10.4.1.254 255.255.255.0
 no ip redirects
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 zone-member security inside
 ip tcp adjust-mss 1452
!
interface Vlan6
 description Voice$FW_INSIDE$
 ip address 10.4.2.254 255.255.255.0
 no ip redirects
 no ip proxy-arp
 zone-member security inside
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
ip forward-protocol nd
!
!
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source route-map nat-default interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 24.XXX.135.XX
!
ip access-list extended manage-hosts
 permit ip 209.XX.XX.128 0.0.0.15 any
ip access-list extended manage-protocols
 permit tcp any any eq 443
 permit tcp any any eq 22
ip access-list extended nat-default
 deny ip object-group locationB object-group locationA
 permit ip 10.4.1.0 0.0.0.255 any
 permit ip 10.4.2.0 0.0.0.255 any
ip access-list extended locationA-cryptomap
 permit ip object-group locationB-networks object-group locationA-networks
ip access-list extended vpn-protocols
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit ahp any any
ip access-list extended vty-access
 permit tcp 10.4.1.0 0.0.0.255 any eq 22 log
 permit tcp 10.1.10.0 0.0.0.255 any eq 22 log
 permit tcp 10.1.5.0 0.0.0.255 any eq 22 log
!
logging trap debugging
no cdp run
!
!
!
!
route-map nat-default permit 10
 match ip address nat-default
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
banner login ^C
*************** >>>  AUTHORIZED ACCESS ONLY!  <<< ***************
Disconnect IMMEDIATELY if you are not an authorized user!!!
All actions are monitored and recorded.
*************** >>>  AUTHORIZED ACCESS ONLY!  <<< ***************
^C
banner motd ^C
*************** >>>  AUTHORIZED ACCESS ONLY!  <<< ***************
Disconnect IMMEDIATELY if you are not an authorized user!!!
All actions are monitored and recorded.
*************** >>>  AUTHORIZED ACCESS ONLY!  <<< ***************
^C
!
line con 0
 exec-timeout 30 0
 logging synchronous
 transport output telnet ssh
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 transport output telnet ssh
line vty 0 4
 access-class vty-access in
 privilege level 15
 logging synchronous
 login authentication NetworkAdmins
 transport input ssh
 transport output telnet ssh
line vty 5 15
 access-class vty-access in
 privilege level 15
 logging synchronous
 login authentication NetworkAdmins
 transport input ssh
 transport output telnet ssh
!
scheduler interval 500
ntp update-calendar
ntp server 208.73.56.29 prefer source GigabitEthernet0
end


10 Replies

Julio Carvajal
Advisor

hello,

I just checked the NAT configuration and it's perfect, as you suggested.

The crypto ACL is also fine.

I just reviewed the ZBFW setup and it looks perfect. Any logs from the time you attempt to connect to the internet with the crypto map on?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

NAT appears to be working correctly. I took the ZBF completely out so the router was free for all. Confirmed traffic was working. Applied the crypto map again. Once again tunnel traffic worked but everything else ceased to pass.

I'm completely baffled.

debug ip nat detailed

000074: Sep 11 18:12:15.223 PDT: NAT*: s=10.4.1.124->24.XXX.XXX.104, d=10.1.6.249 [31251]
000075: Sep 11 18:12:15.595 PDT: NAT*: i: tcp (10.4.1.107, 58031) -> (10.1.6.249, 135) [10195]
000076: Sep 11 18:12:15.595 PDT: NAT*: s=10.4.1.107->24.XXX.XXX.104, d=10.1.6.249 [10195]
000077: Sep 11 18:12:15.611 PDT: NAT: expiring 24.XXX.XXX.104 (10.4.1.117) tcp 54027 (54027)
000078: Sep 11 18:12:15.611 PDT: NAT-SymDB: DB is either not enabled or not initiated.
000079: Sep 11 18:12:15.719 PDT: NAT*: i: tcp (10.4.1.107, 58030) -> (10.1.6.249, 5440) [10196]
000080: Sep 11 18:12:15.719 PDT: NAT*: s=10.4.1.107->24.XXX.XXX.104, d=10.1.6.249 [10196]
000081: Sep 11 18:12:16.567 PDT: NAT*: i: tcp (10.4.1.110, 3882) -> (50.18.50.50, 443) [6311]
000082: Sep 11 18:12:16.567 PDT: NAT*: s=10.4.1.110->24.XXX.XXX.104, d=50.18.50.50 [6311]
000083: Sep 11 18:12:17.147 PDT: NAT: expiring 24.XXX.XXX.104 (10.4.1.104) tcp 56051 (56051)


Hello,

Pretty weird issue; I have not seen it before. It looks like the router is not able to route properly or to NAT properly.

Can you check the IP routing table while you have the crypto map enabled, please?

Also post the configuration with the crypto map applied.

I will check my database to see if I find something.

I will keep you posted.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello,

ip access-list extended nat-default
 deny ip object-group locationB object-group locationA
 permit ip 10.4.1.0 0.0.0.255 any
 permit ip 10.4.2.0 0.0.0.255 any

object-group network locationB-networks
 10.4.1.0 255.255.255.0
 10.4.2.0 255.255.255.0
!
object-group network locationA-networks
 10.1.10.0 255.255.255.0
 10.1.11.0 255.255.255.0
 10.1.12.0 255.255.255.0
 10.1.13.0 255.255.255.0

ip nat inside source route-map nat-default interface GigabitEthernet0 overload

On the ACL you are using the objects locationB and locationA, and I do not see them in the config.

Can you change them to locationB-networks and locationA-networks?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
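A lint for the mismatch Julio spotted, written here as an added example (not code from the thread or from Cisco): it walks the ACL stanzas of a constructed config sample built from the posted running-config, reports object-group names an ACE references but the config never defines, and checks that every source/destination pair the crypto ACL tunnels is also denied (NAT-exempted) in the route-map ACL. All function names are my own.

```python
import re

# Constructed sample: the relevant stanzas from the posted running-config, nat-default ACE still naming undefined groups.
SAMPLE_CONFIG = """\
object-group network locationB-networks
 10.4.1.0 255.255.255.0
 10.4.2.0 255.255.255.0
!
object-group network locationA-networks
 10.1.10.0 255.255.255.0
!
ip access-list extended nat-default
 deny ip object-group locationB object-group locationA
 permit ip 10.4.1.0 0.0.0.255 any
ip access-list extended locationA-cryptomap
 permit ip object-group locationB-networks object-group locationA-networks
"""

OG_DEF_RE = re.compile(r"^object-group (?:network|service) (\S+)", re.M)
OG_REF_RE = re.compile(r"\bobject-group (\S+)")

def acl_entries(config):
    """Yield (acl_name, ace_line) for every indented line under an 'ip access-list' stanza."""
    acl = None
    for line in config.splitlines():
        if line.startswith("ip access-list "):
            acl = line.split()[-1]
        elif not line.startswith(" "):
            acl = None               # any other top-level line ends the stanza
        elif acl is not None:
            yield acl, line.strip()

def undefined_object_groups(config):
    """Map each ACL to the object-group names its ACEs reference but the config never defines."""
    defined = set(OG_DEF_RE.findall(config))
    problems = {}
    for acl, ace in acl_entries(config):
        missing = [g for g in OG_REF_RE.findall(ace) if g not in defined]
        if missing:
            problems.setdefault(acl, []).extend(missing)
    return problems

def object_pairs(config, acl_name, action):
    """(src_group, dst_group) pairs from the ACEs with the given action in one ACL."""
    return {tuple(OG_REF_RE.findall(ace)) for acl, ace in acl_entries(config)
            if acl == acl_name and ace.split()[0] == action and len(OG_REF_RE.findall(ace)) == 2}

def nat_exemption_covers_crypto_acl(config, nat_acl, crypto_acl):
    """True when every src/dst pair the crypto ACL tunnels is also denied (exempted) from NAT."""
    return object_pairs(config, crypto_acl, "permit") <= object_pairs(config, nat_acl, "deny")
```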

Thanks for following up. That is just a typo on my part. The dumped config was missing that deny ACE so I typed it in manually when I posted the running-config. It is correct on the device itself.

Going to take another stab at this later today. Unfortunately it's a production router so my time windows are limited. I'm also going to upgrade to IOS 15.2 on the off chance that what I'm experiencing is a bug. This is the first time I've used IKEv2 so I'm wondering if I'm missing something on that front.

Hello,

Okay, please attach the updated configuration with the crypto map applied.

Also, can you do a show crypto ipsec sa and place it in here as well?

Regards

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Ok update. I had to wait for some down time.

With the tunnel up I'm seeing the following. From what I can tell, that indicates it is seeing packets it thinks should be going over the tunnel but aren't encrypted, so it drops them, which would indicate an access-list problem. I don't see a problem with the ACLs though.

debug ip icmp

%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.

sh crypto ipsec sa

interface: GigabitEthernet0
    Crypto map tag: map1, local addr 24.XXX.XXX.104

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 209.XX.XX.130 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 411, #recv errors 0

     local crypto endpt.: 24.XXX.XXX.104, remote crypto endpt.: 209.XX.XX.130
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.4.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.10.0/255.255.255.0/0/0)
   current_peer 209.XX.XX.130 port 500
     PERMIT, flags={}
    #pkts encaps: 422, #pkts encrypt: 422, #pkts digest: 422
    #pkts decaps: 389, #pkts decrypt: 389, #pkts verify: 389
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 24.XXX.XXX.104, remote crypto endpt.: 209.XX.XX.130
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
     current outbound spi: 0x4ABEC199(1254015385)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x62C01C4E(1656757326)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: map1
        sa timing: remaining key lifetime (k/sec): (4519480/3519)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x4ABEC199(1254015385)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: Onboard VPN:2, sibling_flags 80000046, crypto map: map1
        sa timing: remaining key lifetime (k/sec): (4519472/3519)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:


Hello,

Here is the issue:

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

Based on this, it looks like all traffic is going over the VPN tunnel.

The question is why, as the configuration is the right one.

Is there a way you could reboot your router?

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
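A small checker for the symptom Julio points to, added here as an example that is not from the thread or from Cisco: it parses `show crypto ipsec sa` output (a constructed sample trimmed from the one posted above), splits it per proxy identity, and flags any entry whose local or remote identity is the catch-all 0.0.0.0/0.0.0.0, together with its send-error count and whether it has no outbound SA at all (spi 0x0). Function and variable names are my own.

```python
import re

# Constructed sample, trimmed from the "sh crypto ipsec sa" output posted in this thread.
SAMPLE_SA_OUTPUT = """\
interface: GigabitEthernet0
    Crypto map tag: map1, local addr 24.XXX.XXX.104

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 209.XX.XX.130 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #send errors 411, #recv errors 0
     current outbound spi: 0x0(0)

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.4.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.10.0/255.255.255.0/0/0)
   current_peer 209.XX.XX.130 port 500
     PERMIT, flags={}
    #send errors 0, #recv errors 0
     current outbound spi: 0x4ABEC199(1254015385)
"""
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
SEND_ERR_RE = re.compile(r"#send errors (\d+)")
SPI_RE = re.compile(r"current outbound spi: (0x[0-9A-Fa-f]+)")
CATCH_ALL = ("0.0.0.0", "0.0.0.0")  # a proxy identity that matches every packet

def parse_ipsec_sa(text):
    """One dict per proxy identity; each 'protected vrf:' block is one crypto-ACL match."""
    entries = []
    for block in text.split("protected vrf:")[1:]:
        entry = {"send_errors": 0, "outbound_spi": None}
        for side, addr, mask in IDENT_RE.findall(block):
            entry[side] = (addr, mask)
        if m := SEND_ERR_RE.search(block):
            entry["send_errors"] = int(m.group(1))
        if m := SPI_RE.search(block):
            entry["outbound_spi"] = int(m.group(1), 16)  # 0x0: no outbound SA was ever built
        entries.append(entry)
    return entries

def find_catch_all_identities(text):
    """Flag identities matching all traffic; with spi 0x0 they swallow packets instead of tunnelling them."""
    findings = []
    for e in parse_ipsec_sa(text):
        if e.get("local") == CATCH_ALL or e.get("remote") == CATCH_ALL:
            findings.append({"local": e["local"], "remote": e["remote"],
                             "send_errors": e["send_errors"], "no_sa": e["outbound_spi"] == 0})
    return findings
```

Run against real output, a non-empty result with a high send-error count and `no_sa` set is the state shown in this thread: traffic is matched to a catch-all identity and dropped rather than encrypted or routed.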

It has been rebooted a few times now. I'm dumbfounded myself. I've gone over the config 1000+ times and I just don't see anything wrong.

Currently waiting on my service contract for entitlement to download the latest IOS. See if it's a bug. Other than that I'm stumped.

Agree with you.

I ran a lab just to make sure the IKEv2 setup was correct, and mine works with no problem.

Please upgrade and let us know the result,

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC