Packets not getting encrypt and decrypt IPSEC

Hi Everyone,

I have a 2691 router connected to the Internet and it is doing NAT.

This connects to a 3550A switch, which has a connection to an 1811W router.

I set up a VPN between the 1811W and the 3550A.

The 3550A has a connection to the 2691 via OSPF.

OSPF is running between the 1811W and the 3550A.

1811

1811w# sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

192.168.99.2    192.168.99.1    QM_IDLE           2005 ACTIVE

IPv6 Crypto ISAKMP SA

1811w# sh crypto ipsec sa

interface: FastEthernet0

    Crypto map tag: VPN_MAP, local addr 192.168.99.1

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)

   current_peer 192.168.99.2 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 30, #recv errors 0

     local crypto endpt.: 192.168.99.1, remote crypto endpt.: 192.168.99.2

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

3550A

3550SMIA# sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id slot status

192.168.99.2    192.168.99.1    QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

3550SMIA#sh cry

3550SMIA#sh crypto ipsec sa

interface: FastEthernet0/8

    Crypto map tag: VPN_MAP, local addr 192.168.99.2

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)

   current_peer 192.168.99.1 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 15, #recv errors 0

     local crypto endpt.: 192.168.99.2, remote crypto endpt.: 192.168.99.1

     path mtu 1500, ip mtu 1500

     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

As seen above, the packets are not encrypted between the 1811W and the 3550A.

I have used the same ACL on both the 1811W and the 3550A:

ip access-list extended INTERESTING_TRAFFIC

permit ip 192.168.0.0 0.0.255.255 192.168.99.0 0.0.0.255 log

Any reason why packets are not getting encrypted and decrypted?

Thanks

Mahesh


Re: Packets not getting encrypt and decrypt IPSEC

Hi Mahesh,

Please post the full configs from both devices.

terminal length 0

then

sh run

Reza


Packets not getting encrypt and decrypt IPSEC

Hi Reza,

I have attached the configs from both devices to the original post.

Both are directly connected, running OSPF.

NAT is taking place on the router which is connected to the 3550A.

Thanks

Mahesh


Packets not getting encrypt and decrypt IPSEC

Hi Reza,

The issue is fixed now.

Both devices had the same ACL.

I changed the ACL on the 3550A; now it is working fine.

1811w# sh crypto ipsec sa

interface: FastEthernet0

    Crypto map tag: VPN_MAP, local addr 192.168.99.1

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)

   current_peer 192.168.99.2 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 53, #pkts encrypt: 53, #pkts digest: 53

    #pkts decaps: 53, #pkts decrypt: 53, #pkts verify: 53

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 1, #recv errors 0

     local crypto endpt.: 192.168.99.1, remote crypto endpt.: 192.168.99.2

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0

     current outbound spi: 0x8319FE5B(2199518811)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

      spi: 0xAE0A578B(2919913355)

        transform: esp-des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 15, flow_id: Onboard VPN:15, sibling_flags 80000046, crypto map: VPN_MAP

        sa timing: remaining key lifetime (k/sec): (4454254/1764)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x8319FE5B(2199518811)

        transform: esp-des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 16, flow_id: Onboard VPN:16, sibling_flags 80000046, crypto map: VPN_MAP

        sa timing: remaining key lifetime (k/sec): (4454254/1764)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Thanks for all the help

Regards

Mahesh
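
The cause reported in the post above (both peers carrying the identical crypto ACL) can be checked mechanically, because each peer's crypto ACL has to be the source/destination mirror of the other's. The Python below is an added example, not part of the original thread: `parse_crypto_acl` and `mirror_mismatches` are hypothetical helper names, and the mirrored ACL for the 3550A is an assumption, since the thread does not show what the ACL was changed to.

```python
import ipaddress
import re

# Handles only "permit ip <net> <wildcard> <net> <wildcard> [log]" entries;
# "host"/"any" keywords and non-contiguous wildcards are out of scope.
ACE_RE = re.compile(
    r"^\s*permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+log)?\s*$")

# ACL exactly as posted in the thread (it was applied on both peers).
ACL_FROM_THREAD = """\
ip access-list extended INTERESTING_TRAFFIC
 permit ip 192.168.0.0 0.0.255.255 192.168.99.0 0.0.0.255 log
"""

# Assumption: mirrored entry for the 3550A. The thread does not show
# what the ACL was actually changed to.
ACL_MIRRORED = """\
ip access-list extended INTERESTING_TRAFFIC
 permit ip 192.168.99.0 0.0.0.255 192.168.0.0 0.0.255.255 log
"""

def to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into an IPv4Network."""
    # Invert the wildcard into a netmask; ValueError if it is not contiguous.
    netmask = ipaddress.IPv4Address(
        int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)

def parse_crypto_acl(text):
    """Return [(src_net, dst_net), ...] for every permit entry in the ACL."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            src, src_wc, dst, dst_wc = m.groups()
            entries.append((to_network(src, src_wc), to_network(dst, dst_wc)))
    return entries

def mirror_mismatches(local_acl, peer_acl):
    """Local entries that have no swapped (dst, src) twin on the peer."""
    peer = set(parse_crypto_acl(peer_acl))
    return [(s, d) for s, d in parse_crypto_acl(local_acl) if (d, s) not in peer]

if __name__ == "__main__":
    for label, peer in (("identical", ACL_FROM_THREAD), ("mirrored", ACL_MIRRORED)):
        bad = mirror_mismatches(ACL_FROM_THREAD, peer)
        print(label, "->", [f"{s} -> {d}" for s, d in bad] or "OK")
```
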


Packets not getting encrypt and decrypt IPSEC

Hi Mahesh,

I was just going through your configs.

I see pkts digest is incrementing now.

Glad it is working now.

Thanks


Packets not getting encrypt and decrypt IPSEC

Hi Reza,

Regards for always helping me

Mahesh
