3rd Party VPN connection, encap but no decap

markedavis
Level 1

I'm trying to figure out an issue with a 3rd party VPN connection. They require us to NAT our inside to a specific address for use in their network. I believe I have it all set up correctly; the tunnel is showing up and NAT appears to be working. My issue is that I am not seeing decaps on my end. The vendor is showing decap and encap on his end, so it appears my ICMP request is reaching there and the echo reply is being returned.

Any help would be greatly appreciated!

RTR17#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
icmp 150.175.242.71:1 10.6.113.111:1 150.175.58.10:1 150.175.58.10:1
interface Loopback100
ip address 150.175.242.71 255.255.255.255

crypto map cmap 110 ipsec-isakmp
description 3rd Primary
set peer x.x.x.x
set transform-set esp-aes-sha256
set pfs group14
match address 3rd_Party
reverse-route static

ip nat inside source list 3rd_conditional_NAT interface Loopback100 overload
ip access-list extended 3rd_Party
permit ip host 150.175.242.71 host 150.175.58.10
permit ip host 150.175.242.71 host 150.175.57.50

ip access-list extended 3rd_conditional_NAT
permit ip any host 150.175.57.50
permit ip any host 150.175.58.10

RTR17#sh cry ips sa peer x.x.x.x det

interface: GigabitEthernet0/0
Crypto map tag: cmap, local addr 204.225.178.124

protected vrf: (none)
local ident (addr/mask/prot/port): (150.175.242.71/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (150.175.58.10/255.255.255.255/0/0)
current_peer x.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 490, #pkts encrypt: 490, #pkts digest: 490
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0

local crypto endpt.: y.y.y.y, remote crypto endpt.: x.x.x.x
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xAA006A4D(2852153933)
PFS (Y/N): Y, DH group: group14

inbound esp sas:
spi: 0x88D4CEF0(2295647984)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2691, flow_id: Onboard VPN:691, sibling_flags 80000040, crypto map: cmap
sa timing: remaining key lifetime (k/sec): (4271566/1848)
IV size: 16 bytes
replay detection support: Y replay window size: 128
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xAA006A4D(2852153933)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2692, flow_id: Onboard VPN:692, sibling_flags 80000040, crypto map: cmap
sa timing: remaining key lifetime (k/sec): (4271532/1848)
IV size: 16 bytes
replay detection support: Y replay window size: 128
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (150.175.242.71/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (150.175.57.50/255.255.255.255/0/0)
current_peer x.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 82, #pkts encrypt: 82, #pkts digest: 82
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0

local crypto endpt.: y.y.y.y, remote crypto endpt.: x.x.x.x
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:
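As an added example (not from the post or from the router), here is a small Python parser for the `sh cry ips sa` output above that reports the two symptoms it shows: a proxy-identity pair whose SA encrypts outbound but has decrypted nothing, and a second pair for which no ESP SA was negotiated at all. The sample text is a constructed excerpt of the posted output, reduced to the lines the parser reads.

```python
import re
# Constructed sample: the lines of the posted "sh cry ips sa" output that this
# parser reads (the poster's peer addresses x.x.x.x are not needed here).
SAMPLE = """\
local ident (addr/mask/prot/port): (150.175.242.71/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (150.175.58.10/255.255.255.255/0/0)
#pkts encaps: 490, #pkts encrypt: 490, #pkts digest: 490
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
inbound esp sas:
spi: 0x88D4CEF0(2295647984)
outbound esp sas:
spi: 0xAA006A4D(2852153933)
local ident (addr/mask/prot/port): (150.175.242.71/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (150.175.57.50/255.255.255.255/0/0)
#pkts encaps: 82, #pkts encrypt: 82, #pkts digest: 82
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
inbound esp sas:
outbound esp sas:
"""

def parse_ipsec_sa(text):
    """One record per proxy-identity pair (one crypto ACL line) in the output."""
    flows, cur, section = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("local ident"):  # a new proxy pair begins here
            cur = {"local": line.split("(")[2].split("/")[0], "remote": None,
                   "encaps": 0, "decaps": 0, "inbound_spi": [], "outbound_spi": []}
            flows.append(cur)
            section = None
        elif line.startswith("remote ident"):
            cur["remote"] = line.split("(")[2].split("/")[0]
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", line):
            cur[m.group(1)] = int(m.group(2))   # "encaps failed" lines do not match
        elif line.endswith("sas:"):  # "inbound esp sas:" -> inbound_spi; ah/pcp ignored
            section = line.split()[0] + "_spi" if "esp" in line else None
        elif line.startswith("spi:") and section:
            cur[section].append(line.split()[1].split("(")[0])
    return flows

def diagnose(flows):
    """Flag a pair with no ESP SA, or one that encrypts but has never decrypted."""
    findings = []
    for f in flows:
        pair = f"{f['local']} -> {f['remote']}"
        if not f["inbound_spi"] and not f["outbound_spi"]:
            findings.append(f"{pair}: no ESP SA negotiated")
        elif f["encaps"] and not f["decaps"]:
            findings.append(f"{pair}: one-way, {f['encaps']} encaps / 0 decaps")
    return findings
```

Run against the full command output the same way; only the `local ident`, `remote ident`, `#pkts encaps/decaps`, `... esp sas:` and `spi:` lines are consumed.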
