12-15-2012 10:09 AM - edited 03-07-2019 10:37 AM
Hi Everyone,
I have 2691 Router conencted to Internet and it is doing Nat.
This connects to 3550A Switch which has connection to 1811W Router.
I setup VPN between 1811W and 3550A.
3550A has connection to 2691 via ospf.
OSPF is running between 1811w and 3550A.
1811
1811w# sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.99.2 192.168.99.1 QM_IDLE 2005 ACTIVE
IPv6 Crypto ISAKMP SA
1811w# sh crypto ipsec sa
interface: FastEthernet0
Crypto map tag: VPN_MAP, local addr 192.168.99.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)
current_peer 192.168.99.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 30, #recv errors 0
local crypto endpt.: 192.168.99.1, remote crypto endpt.: 192.168.99.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
3550A
3550SMIA# sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.99.2 192.168.99.1 QM_IDLE 1001 ACTIVE
IPv6 Crypto ISAKMP SA
3550SMIA#sh cry
3550SMIA#sh crypto ipsec sa
interface: FastEthernet0/8
Crypto map tag: VPN_MAP, local addr 192.168.99.2
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)
current_peer 192.168.99.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 15, #recv errors 0
local crypto endpt.: 192.168.99.2, remote crypto endpt.: 192.168.99.1
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
As seen above the packets are not encrypted between 1811w and 3550A.
I have used same ACL on both 1811W and 3550A
ip access-list extended INTERESTING_TRAFFIC
permit ip 192.168.0.0 0.0.255.255 192.168.99.0 0.0.0.255 log
Any reasons why packets are not getting encrypt and decrypt?
Thanks
MAhesh
Solved! Go to Solution.
12-15-2012 11:22 AM
Hi Mahesh,
Please post the full configs from both devices.
terminal length 0
than
sh run
Reza
12-15-2012 02:16 PM
Hi Mahesh,
I was just going through your configs.
I see pkts digst is incrementing now.
Glad is working now.
Thanks
12-15-2012 11:22 AM
Hi Mahesh,
Please post the full configs from both devices.
terminal length 0
than
sh run
Reza
12-15-2012 01:20 PM
Hi Reza,
I have attached config from both devices to original post
Both are directly connected running ospf.
NAT is taking place on Router which is connected to 3550A
Thanks
MAhesh
12-15-2012 02:11 PM
Hi REza,
Issue is fixed now.
Both devices had same ACL.
I changed ACL on 3550A now it is working fine
1811w# sh crypto ipsec sa
interface: FastEthernet0
Crypto map tag: VPN_MAP, local addr 192.168.99.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)
current_peer 192.168.99.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 53, #pkts encrypt: 53, #pkts digest: 53
#pkts decaps: 53, #pkts decrypt: 53, #pkts verify: 53
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 192.168.99.1, remote crypto endpt.: 192.168.99.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0x8319FE5B(2199518811)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xAE0A578B(2919913355)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 15, flow_id: Onboard VPN:15, sibling_flags 80000046, crypto map: VPN_MAP
sa timing: remaining key lifetime (k/sec): (4454254/1764)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x8319FE5B(2199518811)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 16, flow_id: Onboard VPN:16, sibling_flags 80000046, crypto map: VPN_MAP
sa timing: remaining key lifetime (k/sec): (4454254/1764)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Thanks
for all the help
Regards
MAhesh
12-15-2012 02:16 PM
Hi Mahesh,
I was just going through your configs.
I see pkts digst is incrementing now.
Glad is working now.
Thanks
12-15-2012 02:18 PM
Hi Reza,
Regards For always helping me
Mahesh
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: