Solved: Re: Packets not getting encrypt and decrypt IPSEC

mahesh18 · ‎12-15-2012

Hi Everyone,

I have 2691 Router conencted to Internet and it is doing Nat.

This connects to 3550A Switch which has connection to 1811W Router.

I setup VPN between 1811W and 3550A.

3550A has connection to 2691 via ospf.

OSPF is running between 1811w and 3550A.

1811

1811w# sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id status

192.168.99.2 192.168.99.1 QM_IDLE 2005 ACTIVE

IPv6 Crypto ISAKMP SA

1811w# sh crypto ipsec sa

interface: FastEthernet0

Crypto map tag: VPN_MAP, local addr 192.168.99.1

protected vrf: (none)

local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)

remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)

current_peer 192.168.99.2 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 30, #recv errors 0

local crypto endpt.: 192.168.99.1, remote crypto endpt.: 192.168.99.2

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0

current outbound spi: 0x0(0)

PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

3550A

3550SMIA# sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

192.168.99.2 192.168.99.1 QM_IDLE 1001 ACTIVE

IPv6 Crypto ISAKMP SA

3550SMIA#sh cry

3550SMIA#sh crypto ipsec sa

interface: FastEthernet0/8

Crypto map tag: VPN_MAP, local addr 192.168.99.2

protected vrf: (none)

local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)

remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)

current_peer 192.168.99.1 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 15, #recv errors 0

local crypto endpt.: 192.168.99.2, remote crypto endpt.: 192.168.99.1

path mtu 1500, ip mtu 1500

current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

As seen above the packets are not encrypted between 1811w and 3550A.

I have used same ACL on both 1811W and 3550A

ip access-list extended INTERESTING_TRAFFIC

permit ip 192.168.0.0 0.0.255.255 192.168.99.0 0.0.0.255 log

Any reasons why packets are not getting encrypt and decrypt?

Thanks

MAhesh

Reza Sharifi · ‎12-15-2012

Hi Mahesh,

Please post the full configs from both devices.

terminal length 0

than

sh run

Reza

View solution in original post

Reza Sharifi · ‎12-15-2012

Hi Mahesh,

I was just going through your configs.

I see pkts digst is incrementing now.

Glad is working now.

Thanks

View solution in original post

Reza Sharifi · ‎12-15-2012

Hi Mahesh,

Please post the full configs from both devices.

terminal length 0

than

sh run

Reza

mahesh18 · ‎12-15-2012

Hi Reza,

I have attached config from both devices to original post

Both are directly connected running ospf.

NAT is taking place on Router which is connected to 3550A

Thanks

MAhesh

mahesh18 · ‎12-15-2012

Hi REza,

Issue is fixed now.

Both devices had same ACL.

I changed ACL on 3550A now it is working fine

1811w# sh crypto ipsec sa

interface: FastEthernet0

Crypto map tag: VPN_MAP, local addr 192.168.99.1

protected vrf: (none)

local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)

remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)

current_peer 192.168.99.2 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 53, #pkts encrypt: 53, #pkts digest: 53

#pkts decaps: 53, #pkts decrypt: 53, #pkts verify: 53

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 1, #recv errors 0

local crypto endpt.: 192.168.99.1, remote crypto endpt.: 192.168.99.2

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0

current outbound spi: 0x8319FE5B(2199518811)

PFS (Y/N): N, DH group: none

inbound esp sas:

spi: 0xAE0A578B(2919913355)

transform: esp-des esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 15, flow_id: Onboard VPN:15, sibling_flags 80000046, crypto map: VPN_MAP

sa timing: remaining key lifetime (k/sec): (4454254/1764)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x8319FE5B(2199518811)

transform: esp-des esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 16, flow_id: Onboard VPN:16, sibling_flags 80000046, crypto map: VPN_MAP

sa timing: remaining key lifetime (k/sec): (4454254/1764)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

outbound ah sas:

outbound pcp sas:

Thanks

for all the help

Regards

MAhesh

Reza Sharifi · ‎12-15-2012

Hi Mahesh,

I was just going through your configs.

I see pkts digst is incrementing now.

Glad is working now.

Thanks

mahesh18 · ‎12-15-2012

Hi Reza,

Regards For always helping me

Mahesh