Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2458
Views
0
Helpful
5
Replies

Packets not getting encrypt and decrypt IPSEC

Go to solution
mahesh18
Level 6
Level 6

‎12-15-2012 10:09 AM - edited ‎03-07-2019 10:37 AM

Hi Everyone,

I have 2691 Router conencted to Internet and it is doing Nat.

This connects to 3550A  Switch which has connection to 1811W  Router.

I setup VPN between 1811W and 3550A.

3550A has connection to 2691 via ospf.

OSPF is running between 1811w and 3550A.

1811

1811w# sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

192.168.99.2    192.168.99.1    QM_IDLE           2005 ACTIVE

IPv6 Crypto ISAKMP SA

1811w# sh crypto ipsec sa

interface: FastEthernet0

    Crypto map tag: VPN_MAP, local addr 192.168.99.1

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)

   current_peer 192.168.99.2 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 30, #recv errors 0

     local crypto endpt.: 192.168.99.1, remote crypto endpt.: 192.168.99.2

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

3550A

3550SMIA#                                                                                           sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id slot status

192.168.99.2    192.168.99.1    QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

3550SMIA#sh cry

3550SMIA#sh crypto ipsec sa

interface: FastEthernet0/8

    Crypto map tag: VPN_MAP, local addr 192.168.99.2

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)

   current_peer 192.168.99.1 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 15, #recv errors 0

     local crypto endpt.: 192.168.99.2, remote crypto endpt.: 192.168.99.1

     path mtu 1500, ip mtu 1500

     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

As seen above the packets are not encrypted between 1811w and 3550A.

I have used same ACL  on both 1811W and 3550A

ip access-list extended INTERESTING_TRAFFIC

permit ip 192.168.0.0 0.0.255.255 192.168.99.0 0.0.0.255 log

Any reasons why packets are not getting encrypt and decrypt?

Thanks

MAhesh

Labels:
139998-putty.txt.zip
139997-putty1.txt.zip
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame

‎12-15-2012 11:22 AM

Hi Mahesh,

Please post the full configs from both devices.

terminal length 0

than

sh run

Reza

View solution in original post

0 Helpful

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame
In response to mahesh18

‎12-15-2012 02:16 PM

Hi Mahesh,

I was just going through your configs.

I see pkts digst is incrementing now.

Glad is working now.

Thanks

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame

‎12-15-2012 11:22 AM

Hi Mahesh,

Please post the full configs from both devices.

terminal length 0

than

sh run

Reza

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Reza Sharifi

‎12-15-2012 01:20 PM

Hi Reza,

I have attached config from both devices to original post

Both are directly connected running ospf.

NAT is taking place on Router which is connected to 3550A

Thanks

MAhesh

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to mahesh18

‎12-15-2012 02:11 PM

Hi REza,

Issue is fixed now.

Both devices had same ACL.

I changed ACL  on 3550A  now it is working fine

1811w#                      sh crypto ipsec sa

interface: FastEthernet0

    Crypto map tag: VPN_MAP, local addr 192.168.99.1

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)

   current_peer 192.168.99.2 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 53, #pkts encrypt: 53, #pkts digest: 53

    #pkts decaps: 53, #pkts decrypt: 53, #pkts verify: 53

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 1, #recv errors 0

     local crypto endpt.: 192.168.99.1, remote crypto endpt.: 192.168.99.2

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0

     current outbound spi: 0x8319FE5B(2199518811)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

      spi: 0xAE0A578B(2919913355)

        transform: esp-des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 15, flow_id: Onboard VPN:15, sibling_flags 80000046, crypto map: VPN_MAP

        sa timing: remaining key lifetime (k/sec): (4454254/1764)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x8319FE5B(2199518811)

        transform: esp-des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 16, flow_id: Onboard VPN:16, sibling_flags 80000046, crypto map: VPN_MAP

        sa timing: remaining key lifetime (k/sec): (4454254/1764)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Thanks

for all the help

Regards

MAhesh

0 Helpful

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame
In response to mahesh18

‎12-15-2012 02:16 PM

Hi Mahesh,

I was just going through your configs.

I see pkts digst is incrementing now.

Glad is working now.

Thanks

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Reza Sharifi

‎12-15-2012 02:18 PM

Hi Reza,

Regards For always helping me

Mahesh

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card