
Unable to route traffic via IPSEC using static routing

BETTENCOURT
Level 1

Please check my topology and configuration here: https://pastebin.com/ARRxSQ21

 

Unable to ping from PC1 to PC4 via the IPSec Tunnel

Able to ping from PC1 to PC4 using extended ping with source 88.88.88.1

 

Why does IPSec kill the packet flow?


7 Replies

Deepak Kumar
VIP Alumni

Hi,

I didn't find any issue with the routers' configuration. Can you remove the "ip default-gateway" command from all PCs and add a default route instead: "ip route 0.0.0.0 0.0.0.0 X.X.X.X"?

If that does not work, please share debug logs.

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

I removed the default-gateway and added ip route 0.0.0.0 0.0.0.0, but there was no change.

 

I then pinged 10.0.0.1, 88.88.88.1 and 192.168.1.1 successfully, but if I try to ping 192.168.1.2 (the other side of the IPsec tunnel) or any host on 10.0.1.0/24 it doesn't work.

 

*Apr  7 06:32:03.822: ICMP: echo reply sent, src 10.0.0.1, dst 10.0.0.2, topology BASE, dscp 0 topoid 0
*Apr  7 06:32:03.874: ICMP: echo reply sent, src 10.0.0.1, dst 10.0.0.2, topology BASE, dscp 0 topoid 0
*Apr  7 06:32:04.058: ICMP: echo reply sent, src 10.0.0.1, dst 10.0.0.2, topology BASE, dscp 0 topoid 0
*Apr  7 06:32:04.154: ICMP: echo reply sent, src 10.0.0.1, dst 10.0.0.2, topology BASE, dscp 0 topoid 0
*Apr  7 06:32:04.250: ICMP: echo reply sent, src 10.0.0.1, dst 10.0.0.2, topology BASE, dscp 0 topoid 0
LONDON#
*Apr  7 06:32:12.722: ICMP: echo reply sent, src 88.88.88.1, dst 10.0.0.2, topology BASE, dscp 0 topoid 0
*Apr  7 06:32:12.846: ICMP: echo reply sent, src 88.88.88.1, dst 10.0.0.2, topology BASE, dscp 0 topoid 0
*Apr  7 06:32:12.882: ICMP: echo reply sent, src 88.88.88.1, dst 10.0.0.2, topology BASE, dscp 0 topoid 0
*Apr  7 06:32:13.082: ICMP: echo reply sent, src 88.88.88.1, dst 10.0.0.2, topology BASE, dscp 0 topoid 0
*Apr  7 06:32:13.130: ICMP: echo reply sent, src 88.88.88.1, dst 10.0.0.2, topology BASE, dscp 0 topoid 0
LONDON#
*Apr  7 06:32:20.226: ICMP: echo reply sent, src 192.168.1.1, dst 10.0.0.2, topology BASE, dscp 0 topoid 0
*Apr  7 06:32:20.414: ICMP: echo reply sent, src 192.168.1.1, dst 10.0.0.2, topology BASE, dscp 0 topoid 0
*Apr  7 06:32:20.506: ICMP: echo reply sent, src 192.168.1.1, dst 10.0.0.2, topology BASE, dscp 0 topoid 0
*Apr  7 06:32:20.642: ICMP: echo reply sent, src 192.168.1.1, dst 10.0.0.2, topology BASE, dscp 0 topoid 0
*Apr  7 06:32:20.730: ICMP: echo reply sent, src 192.168.1.1, dst 10.0.0.2, topology BASE, dscp 0 topoid 0
LONDON#

I

All possible debugging has been turned on
LONDON#
*Apr  7 06:39:35.606: PRST-VBL API Set (prst-dbg=0x3FF,0x0-DEFAULT)
*Apr  7 06:39:35.606: PRST-VBL DET Lock - ok
*Apr  7 06:39:35.610: PRST-VBL STD Flush condition - timer starting
*Apr  7 06:39:35.610: PRST-VBL DET Cache unlock - ok
*Apr  7 06:39:35.614: PRST-VBL API Set - ok return 14
*Apr  7 06:39:35.618: special_oce_change_vectors: select debug vectors
*Apr  7 06:39:35.618: special_oce_mpls_change_vectors: select debug vectors
*Apr  7 06:39:35.622: fib_loadinfo_change_vectors: select debug vectors
*Apr  7 06:39:35.622: eos_oce_change_vectors: select debug vectors
*Apr  7 06:39:35.626: qos_oce_change_vectors: select debug vectors
*Apr  7 06:39:35.630: frr_oce_change_vectors: select debug vectors
*Apr  7 06:39:35.630: lookup_ipv4_oce_change_vectors: select debug vectors
*Apr  7 06:39:35.634: lookup_ipv6_oce_change_vectors: select debug vectors
*Apr  7 06:39:35.638: lookup_mpls_oce_change_vectors: select debug vectors
*Apr  7 06:39:35.642: push_counter_oce_change_vectors: select debug vectors
*Apr  7 06:39:35.646: atom_imp_oce_change_vectors: select debug vectors
*Apr  7 06:39:35.650: atom_disp_oce_change_vectors: select debug vectors
*Apr  7 06:39:35.654: replicate_oce_change_vectors: select debug vectors
*Apr  7 06:39:35.658: interface_oce_change_vectors: select debug vectors
*Apr  7 06:39:35.662: gal_check_oce_change_vectors: select debug vectors
RX:(D)0100.0ccc.cccc (S)ca06.1c54.001c (T)373 (L)387
GigabitEthernet1/0: af_classify=0x0, addr=0100.0ccc.cccc, ca06.1c54.001c size 387
RX:(D)ca06.1c54.001c (S)ca06.1c54.001c (T)0x9000 (L)60 (IP)0.0.0.0 (TL)256
GigabitEthernet1/0: af_classify=0x0, addr=ca06.1c54.001c, ca06.1c54.001c size 60

*Apr  7 06:39:35.814: ADJ-sev: request async walk @ 0 - walk [interface update] filter [IP/FastEthernet0/0/na] req [0] flags [3]
*Apr  7 06:39:35.818: ADJ-sev: request async walk @ 0 - walk [interface update] filter [IP/GigabitEthernet1/0/na] req [0] flags [3]
*Apr  7 06:39:35.822: ADJ-sev: request async walk @ 0 - walk [interface update] filter [IP/Tunnel0/na] req [0] flags [3]
*Apr  7 06:39:35.834: IPSUB: Ignore debug flags update to switching plane, common segment not present
*Apr  7 06:39:35.854: CEF-Debug: Packet from 10.0.0.2 (Fa0/0) to 192.168.1.2
*Apr  7 06:39:35.858: adj_switch_ipv4_features: IPv4 turbo features, Tunnel0
*Apr  7 06:39:35.858: adj_switch_ipv4_inline: IPv4 adj: Tunnel0 0.0.0.0 conn_id: 0 (len=100:mtu:1422)
*Apr  7 06:39:35.862: adj_oce_process: size 114/22 ds at 0x7E19A1C0: CA050CB0 0000CA01 1E280000 0800 45000064
*Apr  7 06:39:35.866: adj_oce_process: maclen 0 ns at 0x7E19A1CE: 45000064 007D0000 FE01F06F 0A000002 C0A80102
*Apr  7 06:39:35.870: adj_switch_send_pkt: size 114 ds at 0x7E19A1C0: CA050CB0 0000CA01 1E280000 0800 45000064
*Apr  7 06:39:35.870: adj_switch_send_pkt: ns at 0x7E19A1CE: 45000064 007D0000 FE01F06F 0A000002 C0A80102
*Apr  7 06:39:35.874: adj_tunnel_fixup_inline: tunnel fixup 4194304
*Apr  7 06:39:35.878: Tunnel0: adjacency fixup, 88.88.88.1->88.88.88.2
RX:(D)ab00.0002.0000 (S)ca06.1c54.001c (T)0x6002 (L)77 (IP)0.3.0.6 (TL)1792
GigabitEthernet1/0: af_classify=0x0, addr=ab00.0002.0000, ca06.1c54.001c size 77

*Apr  7 06:39:35.938: TTY0: resume timer type 1
*Apr  7 06:39:35.950: CDP-PA: Packet received from PC2 on interface FastEthernet0/0
*Apr  7 06:39:35.954: **Entry  found in cache**
*Apr  7 06:39:35.958: DSensor: Received cdp packet from FastEthernet0/0:ca02.171c.0000
In fn update_subscriber_cache
*Apr  7 06:39:35.962: AAA/ATTR (00000000): Freeing Attr List handle : hdl: 00000000
*Apr  7 06:39:35.962: AAA/ATTR (00000000): Freeing Attr List handle : hdl: 00000000
*Apr  7 06:39:35.966: ND Update CDP Notification Event for PC2 on Fa0/0
*Apr  7 06:39:35.970: CDP-PA: Packet received from AZORES on interface GigabitEthernet1/0
*Apr  7 06:39:35.974: **Entry  found in cache**
*Apr  7 06:39:35.978: DSensor: Received cdp packet from GigabitEthernet1/0:ca06.1c54.001c
In fn update_subscriber_cache
*Apr  7 06:39:35.982: AAA/ATTR (00000000): Freeing Attr List handle : hdl: 00000000
*Apr  7 06:39:35.982: AAA/ATTR (00000000): Freeing Attr List handle : hdl: 00000000
*Apr  7 06:39:35.986: CDP-IP: IP TLV length (10) invalid for default route.
                      Expecting default route from hub router
*Apr  7 06:39:35.990: ND Update CDP Notification Event for AZORES on Gi1/0
*Apr  7 06:39:35.994: IC_DP: [Dir:N] IC DP debug flags updated
*Apr  7 06:39:36.002: [IDB Fa0/0 UARUYY] LSTATE_REQ: Entry
*Apr  7 06:39:36.006: [IDB Fa0/0 UARUYY] LSTATE_REQ: timers not running
*Apr  7 06:39:36.010: [IDB Fa0/0 UARUYY] LSTATE_REQ: Exit
*Apr  7 06:39:36.014: fh_fd_nd_event_match: num_matches = 0
*Apr  7 06:39:36.014: fh_fd_nd_event_match: num_matches = 0
*Apr  7 06:39:36.086: ADJ-sev: start @ 0 - walk [interface update] filter [IP/FastEthernet0/0/na] req [0] flags [3]
*Apr  7 06:39:36.090: ADJ: IP adj out of FastEthernet0/0, addr 10.0.0.2 src ARP: init/update from interface (fields updated)
*Apr  7 06:39:36.094: ADJ: IP adj out of FastEthernet0/0, addr 10.0.0.3 src ARP: init/update from interface (fields updated)
*Apr  7 06:39:36.098: ADJ-sev: end @ 0 - walk [interface update] filter [IP/FastEthernet0/0/na] req [0] flags [3] [OK]
*Apr  7 06:39:36.102: ADJ-sev: start @ 0 - walk [interface update] filter [IP/GigabitEthernet1/0/na] req [0] flags [3]
*Apr  7 06:39:36.106: ADJ: IP adj out of GigabitEthernet1/0, addr 88.88.88.2 src ARP: init/update from interface (fields updated)
*Apr  7 06:39:36.110: ADJ-sev: end @ 0 - walk [interface update] filter [IP/GigabitEthernet1/0/na] req [0] flags [3] [OK]
*Apr  7 06:39:36.110: ADJ-sev: start @ 0 - walk [interface update] filter [IP/Tunnel0/na] req [0] flags [3]
*Apr  7 06:39:36.114: ADJ: IP midchain out of Tunnel0 src P2P-ADJ: init/update from interface (fields updated)
*Apr  7 06:39:36.118: ADJ-sev: end @ 0 - walk [interface update] filter [IP/Tunnel0/na] req [0] flags [3] [OK]
*Apr  7 06:39:36.810: [IDB Fa0/0 UARUYY] LSTATE_REQ: Entry
*Apr  7 06:39:36.814: [IDB Fa0/0 UARUYY] LSTATE_REQ: timers not running
*Apr  7 06:39:36.814: [IDB Fa0/0 UARUYY] LSTATE_REQ: Exit
*Apr  7 06:39:37.810: [IDB Fa0/0 UARUYY] LSTATE_REQ: Entry
*Apr  7 06:39:37.814: [IDB Fa0/0 UARUYY] LSTATE_REQ: timers not running
*Apr  7 06:39:37.814: [IDB Fa0/0 UARUYY] LSTATE_REQ: Exit
*Apr  7 06:39:38.810: [IDB Fa0/0 UARUYY] LSTATE_REQ: Entry
*Apr  7 06:39:38.814: [IDB Fa0/0 UARUYY] LSTATE_REQ: timers not running
*Apr  7 06:39:38.814: [IDB Fa0/0 UARUYY] LSTATE_REQ: Exit
*Apr  7 06:39:39.682: SPOLICY: [pid=173(QoS stats process)]: 10: Start stats polling
*Apr  7 06:39:39.698: -Traceback= 61CFE78Cz 61CDA10Cz 61CDA3A4z
*Apr  7 06:39:39.698: SPOLICY: [pid=173(QoS stats process)]: Update show totals (periodic).
*Apr  7 06:39:39.722: -Traceback= 61CFE78Cz 61CD9D4Cz 61CDA114z 61CDA3A4z
*Apr  7 06:39:39.722: PPCP_LOCK: [pid=173(QoS stats process)]: Try to get write lock
*Apr  7 06:39:39.750: -Traceback= 61CA5A60z 61CA5DF4z 61CD9D7Cz 61CDA114z 61CDA3A4z
*Apr  7 06:39:39.754: PPCP_LOCK: [pid=173(QoS stats process)]: Got lock.
*Apr  7 06:39:39.782: -Traceback= 61CA5A60z 61CA5EA0z 61CD9D7Cz 61CDA114z 61CDA3A4z
*Apr  7 06:39:39.782: SPOLICY: [pid=173(QoS stats process)]:
*Apr  7 06:39:39.786: Created new iterator, with 1 iterators in the queue
*Apr  7 06:39:39.806: -Traceback= 61CFE78Cz 61CFE974z 61CFF048z 61CD9DE0z 61CDA114z 61CDA3A4z
*Apr  7 06:39:39.810: SPOLICY: [pid=173(QoS stats process)]: Created all-policy iterator 0x68C8F0DC with no policies.
*Apr  7 06:39:39.834: -Traceback= 61CFE78Cz 61CFF0ACz 61CD9DE0z 61CDA114z 61CDA3A4z
*Apr  7 06:39:39.834: SPOLICY: [pid=173(QoS stats process)]: Returned end-of-list from spolicy iter 0x68C8F0DC
*Apr  7 06:39:39.858: -Traceback= 61CFE78Cz 61CFEF18z 61CD9E18z 61CDA114z 61CDA3A4z
*Apr  7 06:39:39.862: PPCP_LOCK: [pid=173(QoS stats process)]: Released lock.
*Apr  7 06:39:39.882: -Traceback= 61CA5A60z 61CD9E28z 61CDA114z 61CDA3A4z
*Apr  7 06:39:39.882: SPOLICY: [pid=173(QoS stats process)]: Freed spolicy iterator 0x68C8F0DC
*Apr  7 06:39:39.898: -Traceback= 61CFE78Cz 61CFE88Cz 61CDA09Cz 61CDA114z 61CDA3A4z
*Apr  7 06:39:39.902: SPOLICY: [pid=173(QoS stats process)]: 10: Done update show totals
*Apr  7 06:39:39.918: -Traceback= 61CFE78Cz 61CDA12Cz 61CDA3A4z
*Apr  7 06:39:39.918: SPOLICY: [pid=173(QoS stats process)]: 10: Done update platform_counters
*Apr  7 06:39:39.934: -Traceback= 61CFE78Cz 61CDA1A8z 61CDA3A4z
*Apr  7 06:39:39.934: SPOLICY: [pid=173(QoS stats process)]: 10: Done stats polling
*Apr  7 06:39:39.946: -Traceback= 61CFE78Cz 61CDA3A4z
*Apr  7 06:39:39.966: [IDB Fa0/0 UARUYY] LSTATE_REQ: Entry
*Apr  7 06:39:39.970: [IDB Fa0/0 UARUYY] LSTATE_REQ: timers not running
*Apr  7 06:39:39.970: [IDB Fa0/0 UARUYY] LSTATE_REQ: Exit
*Apr  7 06:39:40.230: SNMP: HC Timer 66E00EA0 fired
*Apr  7 06:39:40.230:  HC Polling : name = GigabitEthernet, hw_namestring = GigabitEthernet1/0
*Apr  7 06:39:40.234:  HC Polling : ifindex 2, rx_cumbytes 320283, inbytes 320283
*Apr  7 06:39:40.238:  HC Polling : name = Tunnel, hw_namestring = Tunnel0
*Apr  7 06:39:40.242:  HC Polling : ifindex 4, rx_cumbytes 23132, inbytes 23132
*Apr  7 06:39:40.242: SNMP: HC Timer 66E00EA0 rearmed, delay = 5000
*Apr  7 06:39:40.554: [IDB Fa0/0 UARUYY] LSTATE_REQ: Entry
*Apr  7 06:39:40.558: [IDB Fa0/0 UARUYY] LSTATE_REQ: timers not running
*Apr  7 06:39:40.558: [IDB Fa0/0 UARUYY] LSTATE_REQ: Exit
*Apr  7 06:39:40.566: SNMP: HC Timer 66DF6480 fired
*Apr  7 06:39:40.570:  HC Polling : name = FastEthernet, hw_namestring = FastEthernet0/0
*Apr  7 06:39:40.574:  HC Polling : ifindex 1, rx_cumbytes 261116, inbytes 261116
*Apr  7 06:39:40.574: SNMP: HC Timer 66DF6480 rearmed, delay = 10000
*Apr  7 06:39:40.610: PRST-VBL STD Process - flushing
*Apr  7 06:39:40.610: PRST-VBL DET Lock - ok
*Apr  7 06:39:40.614: PRST-VBL DET - Util Set - nameval=prst-fls=2 and node->nameval=prst-fls=1.
*Apr  7 06:39:40.618: PRST-VBL STD Util Set - straight copy of prst-fls=2
*Apr  7 06:39:40.618: PRST-VBL MED Open Write  - opening nvram:persistent-data
*Apr  7 06:39:40.622: PRST-VBL MED Open Write - got buf of size 2048 in 0 ms
*Apr  7 06:39:40.622: PRST-VBL MDET Write - ReloadReason=12ab34Unknown reason
*Apr  7 06:39:40.626: PRST-VBL DET Write Nameval - ok put of ReloadReason=12ab34Unknown reason
*Apr  7 06:39:40.626: PRST-VBL MDET Write - prst-dbg=0x3FF
*Apr  7 06:39:40.630: PRST-VBL DET Write Nameval - ok put of prst-dbg=0x3FF
*Apr  7 06:39:40.634: PRST-VBL MDET Write - prst-fls=2
*Apr  7 06:39:40.634: PRST-VBL DET Write Nameval - ok put of prst-fls=2
*Apr  7 06:39:40.638: PRST-VBL MDET Write - prst-ver=1
*Apr  7 06:39:40.638: PRST-VBL DET Write Nameval - ok put of prst-ver=1
*Apr  7 06:39:40.642: PRST-VBL MDET Write - snmpboots=1
*Apr  7 06:39:40.642: PRST-VBL DET Write Nameval - ok put of snmpboots=1
*Apr  7 06:39:40.646: PRST-VBL DET Cache unlock - ok
*Apr  7 06:39:40.646: PRST-VBL MED Close Write
*Apr  7 06:
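
Most of that capture is noise from "debug all" (PRST, SNMP, QoS stats, CDP); the lines that actually answer the question are the CEF-Debug packet line, the adjacency that points at Tunnel0, the hex dump of the IP header and the tunnel fixup to 88.88.88.2. The script below is an added example, not part of the thread: it pulls those lines out of the capture, decodes the header dump and verifies its checksum (so you know the 20 bytes really are the IP header and not some other part of the buffer), and reports the forwarding decision. The SAMPLE text is copied from the LONDON output above, prompt interleaving included; the regexes and decoder are constructed for this example.

```python
"""Pull the forwarding decision out of a noisy IOS 'debug all' capture.

Added example, not from the thread. SAMPLE is copied from the LONDON output
in the post (prompt interleaving included); the regexes and decoder are constructed.
"""
import re
import struct

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
RE_ICMP_REPLY = re.compile(r"ICMP: echo reply sent, src " + IPV4 + r", dst " + IPV4)
RE_CEF_PKT = re.compile(r"CEF-Debug: Packet from " + IPV4 + r" \((\S+)\) to " + IPV4)
RE_ADJ_OUT = re.compile(r"adj_switch_ipv4_inline: IPv4 adj: (\S+) ")
RE_HDR_HEX = re.compile(r"adj_oce_process: maclen \d+ ns at 0x[0-9A-Fa-f]+: ([0-9A-Fa-f ]+)$")
RE_TUN_FIX = re.compile(r"adjacency fixup, " + IPV4 + r"->" + IPV4)

SAMPLE = """\
*Apr  7 06:32:03.822: ICMP: echo reply sent, src 10.0.0.1, dst 10.0.0.2, topology BASE, dscp 0 topoid 0
*Apr  7 06:32:12.722: ICMP: echo reply sent, src 88.88.88.1, dst 10.0.0.2, topology BASE, dscp 0 topoid 0
*Apr  7 06:32:20.226: ICMP: echo reply sent, src 192.168.1.1, dst 10.0.0.2, topology BASE, dscp 0 topoid 0
*Apr  7 06:39:35.854: CEF-Debug: Packet from 10.0.0.2 (Fa0/0) to 192.168.1.2
*Apr  7 06:39:35.858: adj_switch_ipv4_inline: IPv4 adj: Tunnel0 0.0.0.0 conn_id: 0 (len=100:mtu:1422)
*Apr  7 06:39:35.866: adj_oce_process: maclen 0 ns at 0x7E19A1CE: 45000064 007D0000 FE01F06F 0A000002 C0A80102
*Apr  7 06:39:35.878: Tunnel0:
LONDON#adjacency fixup, 88.88.88.1->88.88.88.2RX:(D)ab00.0002.0000 (S)ca06.1c54.001c (T)0x6002 (L)77
"""


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum of data (an odd trailing byte is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ipv4_header(hex_words: str) -> dict:
    """Decode the 'ns' dump (IP header, MAC rewrite excluded) into fields.
    checksum_ok is True only if the header checksum verifies, i.e. the dump
    really is a complete IPv4 header."""
    raw = bytes.fromhex(hex_words.replace(" ", ""))
    ihl = (raw[0] & 0x0F) * 4
    return {
        "version": raw[0] >> 4,
        "total_length": struct.unpack("!H", raw[2:4])[0],
        "ttl": raw[8],
        "protocol": raw[9],                      # 1 = ICMP
        "checksum_ok": ones_complement_sum(raw[:ihl]) == 0,
        "src": ".".join(str(b) for b in raw[12:16]),
        "dst": ".".join(str(b) for b in raw[16:20]),
    }


def echo_reply_sources(text: str) -> list:
    """Addresses the router answered pings from, in order of first appearance."""
    seen = []
    for m in RE_ICMP_REPLY.finditer(text):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def trace_forwarding(text: str) -> dict:
    """Reconstruct what CEF did with the first packet that CEF-Debug logged."""
    t = {"src": None, "ingress": None, "dst": None, "egress": None, "header": None, "outer": None}
    for line in text.splitlines():
        if t["src"] is None:                     # ignore everything before the packet line
            m = RE_CEF_PKT.search(line)
            if m:
                t["src"], t["ingress"], t["dst"] = m.groups()
            continue
        m = RE_ADJ_OUT.search(line)
        if m and t["egress"] is None:
            t["egress"] = m.group(1)
        m = RE_HDR_HEX.search(line)
        if m and t["header"] is None:
            t["header"] = decode_ipv4_header(m.group(1))
        m = RE_TUN_FIX.search(line)              # strict IPv4 pattern survives the glued-on 'RX:' text
        if m and t["outer"] is None:
            t["outer"] = (m.group(1), m.group(2))
    return t


def encapsulated_into_tunnel(t: dict) -> bool:
    """True when the decoded header agrees with the CEF line and the packet left via a tunnel."""
    h = t["header"]
    return bool(h and h["checksum_ok"]
                and (h["src"], h["dst"]) == (t["src"], t["dst"])
                and (t["egress"] or "").startswith("Tunnel")
                and t["outer"] is not None)


if __name__ == "__main__":
    print("echo replies sent from:", echo_reply_sources(SAMPLE))
    trace = trace_forwarding(SAMPLE)
    for key, value in trace.items():
        print(f"{key:>8}: {value}")
    print("routed into the tunnel:", encapsulated_into_tunnel(trace))
```

On the sample it reports that the 10.0.0.2 to 192.168.1.2 packet arrived on Fa0/0, was switched to Tunnel0 as a 100-byte ICMP packet with TTL 254 and a valid header checksum, and was encapsulated 88.88.88.1 to 88.88.88.2. That confirms LONDON routed and encapsulated the request; it cannot show whether the far end decrypted it or had a route back, which needs the same debug on the other router.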

Why are you concerned about not being able to ping the .2 private address on the remote end of your tunnel interface? If you can ping the 10 address, that is the remote LAN subnet. Doesn't this mean it works? Also, have you got control over the remote end config?

Please remember to rate useful posts, by clicking on the stars below.

Hi,

Based on the logs, change the configuration as below:

 

PC4:

ip route 0.0.0.0 0.0.0.0 10.0.1.1

 

PC1:

ip route 0.0.0.0 0.0.0.0 10.0.0.1

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hello,

 

On a side note, and without wanting to be redundant, what static routes did you use on PC1 and PC4? They need to be as below:

 

PC1
ip route 0.0.0.0 0.0.0.0 10.0.0.1

 

PC4
ip route 0.0.0.0 0.0.0.0 10.0.1.1
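
Both replies above come down to the same check: every hop, in both directions, needs a route. On IOS the "ip default-gateway" command is only honoured while IP routing is disabled, which is why a router used as a PC needs "ip route 0.0.0.0 0.0.0.0 <gateway>" instead. The model below is an added example, not from the thread or from Cisco: it walks a ping hop by hop over an assumed version of the thread's topology and shows one routing-only way to get exactly the symptom in the question, where a ping sourced from 88.88.88.1 succeeds while a ping from PC1 fails. Only PC1 = 10.0.0.2, the 10.0.0.0/24 and 10.0.1.0/24 LANs, the 88.88.88.x underlay and 192.168.1.x tunnel addresses appear in the posts; the /30 masks, PC4 = 10.0.1.2, the interface names on the remote router (AZORES, the CDP neighbour in the debug) and the route sets are assumptions. It models routing only, not the crypto, and says nothing about what actually happened in the lab.

```python
"""Hop-by-hop static-routing walk over the thread's topology.

Added example, not from the thread or from Cisco. PC1 = 10.0.0.2 and the
10.0.0.0/24, 10.0.1.0/24, 88.88.88.x and 192.168.1.x values come from the posts;
the /30 masks, PC4 = 10.0.1.2, the interface names on AZORES and the route
sets are assumptions made for this example.
"""
import copy
from ipaddress import ip_address, ip_interface, ip_network

NODES = {
    "PC1":    {"addrs": {"e0": "10.0.0.2/24"},
               "routes": [("0.0.0.0/0", "10.0.0.1")]},          # ip route 0.0.0.0 0.0.0.0 10.0.0.1
    "LONDON": {"addrs": {"Fa0/0": "10.0.0.1/24", "Gi1/0": "88.88.88.1/30",
                         "Tunnel0": "192.168.1.1/30"},
               "routes": [("10.0.1.0/24", "192.168.1.2")]},     # remote LAN via the tunnel peer
    "AZORES": {"addrs": {"Gi1/0": "88.88.88.2/30", "Tunnel0": "192.168.1.2/30",
                         "Fa0/0": "10.0.1.1/24"},
               "routes": [("10.0.0.0/24", "192.168.1.1")]},
    "PC4":    {"addrs": {"e0": "10.0.1.2/24"},
               "routes": [("0.0.0.0/0", "10.0.1.1")]},          # ip route 0.0.0.0 0.0.0.0 10.0.1.1
}


def owner(nodes, ip):
    """Name of the node that owns address ip, or None."""
    ip = ip_address(ip)
    for name, node in nodes.items():
        if any(ip_interface(c).ip == ip for c in node["addrs"].values()):
            return name
    return None


def lookup(node, dst):
    """Longest-prefix match over connected subnets and static routes.
    Returns (network, next_hop, interface); next_hop is None for a connected route.
    A static route whose next hop is not on a connected subnet is left out
    (IOS would also try to resolve it recursively; this model does not)."""
    dst = ip_address(dst)
    cands = [(ip_interface(c).network, None, ifn) for ifn, c in node["addrs"].items()]
    for prefix, nh in node["routes"]:
        for ifn, c in node["addrs"].items():
            if ip_address(nh) in ip_interface(c).network:
                cands.append((ip_network(prefix), nh, ifn))
    matches = [c for c in cands if dst in c[0]]
    return max(matches, key=lambda c: c[0].prefixlen) if matches else None


def forward(nodes, src_node, dst, max_hops=8):
    """Walk a packet from src_node toward dst. Returns (hops, verdict)."""
    hops, here = [], src_node
    for _ in range(max_hops):
        route = lookup(nodes[here], dst)
        if route is None:
            return hops, f"no route to {dst} at {here}"
        net, nh, ifn = route
        hops.append((here, ifn))
        if nh is None:                                   # connected: deliver on the segment
            final = owner(nodes, dst)
            if final is None:
                return hops, f"{dst} is on {net} but nobody owns it (no ARP reply)"
            return hops + [(final, "delivered")], "ok"
        here = owner(nodes, nh)
        if here is None:
            return hops, f"next hop {nh} does not exist"
    return hops, "hop limit exceeded (loop?)"


def ping(nodes, src_node, src_ip, dst_ip):
    """An echo needs a route in both directions; reports which leg failed."""
    _, verdict = forward(nodes, src_node, dst_ip)
    if verdict != "ok":
        return False, f"request: {verdict}"
    _, verdict = forward(nodes, owner(nodes, dst_ip), src_ip)
    return verdict == "ok", f"reply: {verdict}"


def scenarios():
    """The cases the thread is circling around, as (success, reason) pairs."""
    out = {"pc1_to_pc4": ping(NODES, "PC1", "10.0.0.2", "10.0.1.2")}
    # Remote router with no route back to the PC1 LAN: a ping sourced from the
    # tunnel underlay address still works (88.88.88.0/30 is connected on AZORES),
    # a ping from PC1 dies on the reply leg.
    broken = copy.deepcopy(NODES)
    broken["AZORES"]["routes"] = []
    out["no_return_route_pc1"] = ping(broken, "PC1", "10.0.0.2", "10.0.1.2")
    out["no_return_route_src_88"] = ping(broken, "LONDON", "88.88.88.1", "10.0.1.2")
    # PC4 configured with 'ip default-gateway' only while ip routing is on:
    # the gateway is ignored, so PC4 has no default route at all.
    nogw = copy.deepcopy(NODES)
    nogw["PC4"]["routes"] = []
    out["pc4_default_gateway_only"] = ping(nogw, "PC1", "10.0.0.2", "10.0.1.2")
    return out


if __name__ == "__main__":
    print(forward(NODES, "PC1", "10.0.1.2"))
    for name, result in scenarios().items():
        print(f"{name:>26}: {result}")
```

The two "no_return_route" cases are the ones to compare with the question: the request reaches PC4 either way, and only the reply leg decides whether the ping answers. When the LAN-sourced ping fails but the router-sourced one works, run the same walk on the far router's table before touching the crypto.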

BETTENCOURT
Level 1

The problem was with GNS3, I hit some sort of bug as I was able to tunnel my traffic through the VPN using a real LAB.

 

Thank you to everyone who tried to help.