Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1439
Views
0
Helpful
2
Replies

Pix 7.2 to IOS VPN - replies not being decrypted?

foxx0171
Level 1
Level 1

‎12-02-2009 08:38 PM

I have an IOS router (12.4) that I am adding a VPN tunnel to.  There are other active tunnels on this router (both ezvpn, site-to-site and GRE).  Everything appears to be working on both sides regarding phase 1/phase 2 negotiation, but packets that are being send from the PIX to the IOS router, while being encrypted and encapsulated do not appear to be being decrypted on the IOS end.

I have spent many, many hours on trying to diagnose this and I am struggling - would appreciate any help.

Show crypto isakmp sa on the IOS shows (IPs changed for security): 

1.1.1.1 2.2.2.2 QM_IDLE              4    0 ACTIVE

Show crypto ipsec sa on the IOS shows (IPs changed for security):

local  ident (addr/mask/prot/port): (10.13.39.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.50.0/255.255.255.0/0/0)
   current_peer 2.2.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 408, #pkts encrypt: 408, #pkts digest: 408
   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 108, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xBC3A7FC9(3157950409)

     inbound esp sas:
      spi: 0x2DF17FA(48175098)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3003, flow_id: FPGA:3, crypto map: CustVPN
        sa timing: remaining key lifetime (k/sec): (4553489/2310)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xBC3A7FC9(3157950409)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3004, flow_id: FPGA:4, crypto map: CustVPN
        sa timing: remaining key lifetime (k/sec): (4553463/2310)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

I am focusing in on the decapsulation/decryption and on why it is not happening.  Everything appears to be working on the PIX end.

show crypto isakmp sa on the PIX shows (IPs changed for security):

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 1.1.1.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

show crypto ipsec sa on the PIX shows (IPs changed for security):

Crypto map tag: outside_map, seq num: 120, local addr: 2.2.2.2

      access-list outside_cryptomap_120 permit ip 172.16.50.0 255.255.255.0 10.13.39.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.50.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.13.39.0/255.255.255.0/0/0)
      current_peer: 1.1.1.1

      #pkts encaps: 1030, #pkts encrypt: 1030, #pkts digest: 1030
      #pkts decaps: 322, #pkts decrypt: 322, #pkts verify: 322
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1030, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 02DF17FA

    inbound esp sas:
      spi: 0xBC3A7FC9 (3157950409)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 36, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4274981/1824)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x02DF17FA (48175098)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 36, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4274939/1824)
         IV size: 8 bytes
         replay detection support: Y

Everything seems ok to me but the IOS is not decrypting.  The other tunnels on the system are working fine.  Debugs do not show any errors.

Labels:
0 Helpful
2 Replies 2

foxx0171
Level 1
Level 1

‎12-04-2009 07:52 AM

Ended up putting an encrypted GRE tunnel in place with an IOS <--> IOS VPN.  Ended up with the same problem.  Was something on the ASA end that was dropping packets sent to the IOS.

0 Helpful

pprue
Level 1
Level 1

‎01-12-2010 09:30 PM

What version of IOS is on the VPN router.. I had a very similar issue

I have 2 vpn routers with slightly different revs of the IOS one will terminate a tunnel to 7.2 and pass traffic without any issue the other will terminate the tunnel but refuse to pass traffic.

Configurations are identical minus the ip addresses of course.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents