VPN is on, but no full routing

AZaburdyayev
Level 1

Hello folks.

I'm working on a VPN config on my routers. Currently the VPN seems to be up, but not all traffic goes through it.

Small drawing

  Spoke |---|ADSL modem, PPOE|----|Internet | ----|Hub| ----p2p---|Catalyst| --- |networks 1,2,3|

      DHCP                                                                                     172.16.31.1    172.16.31.0/

I have a hub and spoke topology. In my case the spoke is a Cisco 2611XM, the HUB is a Cisco 3745.

The spoke is behind NAT, but it has full connectivity with the hub. From the spoke I can ping and ssh to the HUB.

sh crypto ips sa and sh crypto isa sa show that the tunnel is up; this is confirmed by ping (I am able to ping the internal HUB interface). But I cannot ping other networks (which are behind the HUB).

My HUB router is connected to a Cisco Catalyst with a p2p network; the Catalyst has a default gateway which is the HUB router. Behind the Catalyst are 3 networks, all of which have the Catalyst as default gateway.

When I am pinging a non-local address from the spoke I see errors in sh cry ips sa, and actually I do not know what they mean.

But there is no mention of decapsulating packets to remote networks in the HUB output (but encaps or errors exist in the spoke output).

Can someone tell me how the routing decision occurs on the HUB?

Why does it not forward packets to remote networks (checked with tcpdump on a remote PC)?

How to debug this issue?

2 Replies

AZaburdyayev
Level 1

After some time, I found the following in debug:

079638: Jul 10 14:16:37.840: ISAKMP:(1063):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

079639: Jul 10 14:16:43.579: IPSEC(epa_des_crypt): decrypted packet failed SA identity check

079640: Jul 10 14:16:45.575: IPSEC(epa_des_crypt): decrypted packet failed SA identity check

079641: Jul 10 14:16:47.579: IPSEC(epa_des_crypt): decrypted packet failed SA identity check

079642: Jul 10 14:16:49.583: IPSEC(epa_des_crypt): decrypted packet failed SA identity check

079643: Jul 10 14:16:51.583: IPSEC(epa_des_crypt): decrypted packet failed SA identity check

079662: Jul 10 14:25:41.278: IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak.

but with these messages I am still able to ping the local HUB interface. What do these messages mean? Where can the configuration mistake be?

after changing the transform set to the following:

crypto ipsec transform-set ts_test esp-3des

mode transport

everything started working. Who can explain? Why only with 3des am I able to ping remote networks, but with des I cannot (except the local HUB interface)?

how can I make the router initiate the VPN connection from behind NAT?
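The thread asks how to debug this, and the reply pastes raw debug crypto output. The script below is an added example, not part of the thread and not Cisco's code: it triages IOS-style debug lines into categories so the data-plane symptom (IKE phase 1 complete, yet decrypted packets failing the SA identity check and an outbound SA missing) is visible at a glance instead of being read line by line. The sample log is constructed, modelled on the lines quoted above with one unrelated syslog line added; the message strings, categories and the short meanings attached to them are this example's own interpretation of the generic IOS messages, not anything from the original post.

```python
import re
from collections import Counter

# Constructed sample of Cisco IOS "debug crypto" output, modelled on the lines
# quoted in the thread. Sequence numbers and timestamps are illustrative only.
SAMPLE_DEBUG = """\
079638: Jul 10 14:16:37.840: ISAKMP:(1063):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
079639: Jul 10 14:16:43.579: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
079640: Jul 10 14:16:45.575: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
079641: Jul 10 14:16:47.579: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
079662: Jul 10 14:25:41.278: IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak.
079663: Jul 10 14:25:42.001: %SYS-5-CONFIG_I: Configured from console by vty0
"""

# One IOS log line: "<seq>: <Mon> <day> <hh:mm:ss.mmm>: <subsystem ...>: <message>"
LINE_RE = re.compile(
    r"^(?P<seq>\d+): (?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): (?P<body>.*)$"
)

# Ordered rules: first match wins. Each maps a message pattern to a category and
# the defender-side reading a practitioner would act on (hypothetical wording).
RULES = [
    (re.compile(r"decrypted packet failed SA identity check"),
     "sa_identity_mismatch",
     "packet decrypted, but its inner addresses do not match the identity "
     "(proxy / crypto ACL) negotiated for that SA; compare crypto ACLs and "
     "tunnel vs transport mode on both peers"),
    (re.compile(r"couldn't find current outbound SA"),
     "missing_outbound_sa",
     "traffic matched a crypto map but no usable outbound SA exists; packets "
     "are dropped until a new SA is negotiated"),
    (re.compile(r"Old State = (\S+) +New State = (\S+)"),
     "ike_state_transition",
     "IKE state-machine event; identical old/new state is a no-op"),
]


def parse_line(line):
    """Return a classified event dict for one debug line, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    event = {"seq": int(m.group("seq")), "ts": m.group("ts"),
             "body": body, "category": "other", "meaning": ""}
    for rx, category, meaning in RULES:
        if rx.search(body):
            event["category"] = category
            event["meaning"] = meaning
            break
    return event


def _verdict(events, counts):
    """Summarise the combination of symptoms seen in the debug output."""
    p1_complete = any(e["category"] == "ike_state_transition"
                      and "IKE_P1_COMPLETE" in e["body"] for e in events)
    if p1_complete and counts["sa_identity_mismatch"]:
        # Phase 1 is fine; the problem is in the IPsec data plane, which matches
        # "tunnel is up but remote networks are unreachable".
        return "ike_up_dataplane_failing"
    if counts["sa_identity_mismatch"] or counts["missing_outbound_sa"]:
        return "ipsec_dataplane_errors"
    return "no_ipsec_errors"


def triage(debug_text):
    """Classify every line of debug output and return counts plus a verdict."""
    events = [e for e in (parse_line(l) for l in debug_text.splitlines()) if e]
    counts = Counter(e["category"] for e in events)
    return {"counts": dict(counts), "events": events,
            "verdict": _verdict(events, counts)}


if __name__ == "__main__":
    result = triage(SAMPLE_DEBUG)
    for cat, n in sorted(result["counts"].items()):
        print(f"{cat:24s} {n}")
    print("verdict:", result["verdict"])
    for e in result["events"]:
        if e["meaning"]:
            print(f"  {e['seq']} {e['category']}: {e['meaning']}")
```

Run it against a saved `debug crypto ipsec` / `debug crypto isakmp` capture instead of `SAMPLE_DEBUG`; the rule table is the place to add further message strings as they are encountered, and keeping the meanings next to the patterns turns the capture into a short checklist rather than a wall of timestamps.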