Cisco 2811 IPSEC VPN with local VRF state established, but no traffic

JoSch
Level 1

I would appreciate hints and help with a VPN tunnel which is established but does not let traffic through.

Left: Cisco 2811, adventerprisek9-mz.151-4.M4
Right: Linux/OpenSwan on CentOS behind a Google Cloud Engine firewall allowing UDP 500 & UDP 4500
CryptoMap: CMAP
extInterface: vlan520
locInterface: vlan200 (vrf: MY_VRF, ip nat inside)

The ip nat outside command sits on a dialer interface which is connected to the upstream provider. It holds a /32 public IP. MY_EXTERNAL_IP is part of MY_EXTERNAL_SUBNET. MY_EXTERNAL_SUBNET is routed from the provider to the dialer interface and is then connected to vlan520, which holds MY_EXTERNAL_IP.

I can't manage to get traffic through, and I can't see the decrypt or encrypt counters rising.

I have a few ideas where the problem could be:
1.) Related to NAT/SNAT: traffic does not take the tunnel path. I denied 10.10.10.0 to 10.156.0.0 in the NAT ACL before the permit any.
2.) Related to VRF. No idea how to debug that.
3.) Related to the VLAN interface. Tried on the dialer interface: tunnel established, but no traffic passes, but at least the encrypt counter rises while pinging, while the decrypt counter stays at 0. In this case, however, multiple tunnels come up, as the dialer is a PPP multilink with many VIFs. Not sure if this raises additional problems.
4.) Google Cloud Engine blocks Cisco-specific packets. When I swap the Cisco (left side) to OpenSwan as well, all is fine. So I came from a running VPN tunnel with Linux on the left and right, and now I just try to swap the left side to a Cisco 2811.

Output of "show crypto engine connection active" & "show crypto ipsec sa peer THE_PEER_IP"

show crypto engine connection active
Crypto Engine Connections

ID    Type   Algorithm       Encrypt  Decrypt  LastSeqN  IP-Address
125   IPsec  AES256+SHA256         0        0         0  MY_EXTERNAL_IP
126   IPsec  AES256+SHA256         0        0         0  MY_EXTERNAL_IP
1088  IKE    SHA256+AES256         0        0         0  MY_EXTERNAL_IP


show crypto ipsec sa peer THE_PEER_IP

interface: Vlan520
Crypto map tag: CMAP, local addr MY_EXTERNAL_IP

protected vrf: MY_VRF
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.156.0.0/255.255.255.0/0/0)
current_peer THE_PEER_IP port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: MY_EXTERNAL_IP, remote crypto endpt.: THE_PEER_IP
path mtu 1500, ip mtu 1500, ip mtu idb Vlan520
current outbound spi: 0x57266DF4(1462136308)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x36A5526F(916804207)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 125, flow_id: SW:125, sibling_flags 80000046, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4519754/1891)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x57266DF4(1462136308)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 126, flow_id: SW:126, sibling_flags 80000046, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4519754/1891)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE


sh ip access cryptoacl
Extended IP access list cryptoacl
10 permit ip 10.10.10.0 0.0.0.255 10.156.0.0 0.0.0.255 (542 matches)

 

show crypto map
Crypto Map IPv4 "CMAP" 10 ipsec-isakmp
Peer = THE_PEER_IP
ISAKMP Profile: VPN_PROFILE
Extended IP access list cryptoacl
access-list cryptoacl permit ip 10.10.10.0 0.0.0.255 10.156.0.0 0.0.0.255
Current peer: THE_PEER_IP
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
TS: { esp-256-aes esp-sha256-hmac } ,
}
Reverse Route Injection Enabled
Interfaces using crypto map CMAP:
Vlan520

Interfaces using crypto map cmap:
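
A small triage script, added here as an example and not part of the original thread, that turns the counters above into a first diagnosis. It parses the `show crypto ipsec sa` text (the sample is built from the question's paste, placeholders kept) together with the NAT access list (constructed, since the thread does not show it; the ACL name NAT_ACL is an assumption) and reports which side the zero counters point at: both counters at zero means the packets never reach the crypto map (routing or VRF lookup, or NAT rewriting them first); encaps rising while decaps stays at zero, the pattern the poster saw on the dialer interface, means we encrypt and send but nothing comes back from the peer.

```python
"""Triage for an IOS IPsec SA that is ACTIVE but shows zero traffic counters.

Added example, not from the original thread. Parses `show crypto ipsec sa`
text (IOS 15.x format) plus a NAT access list and names the fault domain
that the counter pattern points at.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed from the question's paste (placeholders kept, lines trimmed).
SAMPLE_SA = """\
interface: Vlan520
Crypto map tag: CMAP, local addr MY_EXTERNAL_IP
protected vrf: MY_VRF
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.156.0.0/255.255.255.0/0/0)
current_peer THE_PEER_IP port 4500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors 0
inbound esp sas:
spi: 0x36A5526F(916804207)
Status: ACTIVE
outbound esp sas:
spi: 0x57266DF4(1462136308)
Status: ACTIVE
"""

# Constructed NAT ACL (the thread does not show it; the name NAT_ACL is assumed).
# The deny for tunnel traffic sits above the permit-any, as the poster describes.
SAMPLE_NAT_ACL = """\
Extended IP access list NAT_ACL
    10 deny ip 10.10.10.0 0.0.0.255 10.156.0.0 0.0.0.255 (12 matches)
    20 permit ip 10.10.10.0 0.0.0.255 any (3051 matches)
"""


@dataclass
class SaSummary:
    interface: str
    protected_vrf: str
    local_ident: str
    remote_ident: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int
    active: bool


def _ident(text, which):
    # e.g. "local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)"
    m = re.search(rf"{which} ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/", text)
    return str(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))


def _counter(text, label):
    # Matches both "#pkts encaps: 0" and "#send errors 0" spellings.
    m = re.search(rf"{re.escape(label)}:? (\d+)", text)
    return int(m.group(1)) if m else 0


def parse_ipsec_sa(text):
    """Summarise one peer block of `show crypto ipsec sa`."""
    vrf = re.search(r"protected vrf: (\S+)", text)
    return SaSummary(
        interface=re.search(r"interface: (\S+)", text).group(1),
        protected_vrf=vrf.group(1) if vrf else "(none)",
        local_ident=_ident(text, "local"),
        remote_ident=_ident(text, "remote"),
        encaps=_counter(text, "#pkts encaps"),
        decaps=_counter(text, "#pkts decaps"),
        send_errors=_counter(text, "#send errors"),
        recv_errors=_counter(text, "#recv errors"),
        # One inbound and one outbound ESP SA must both be ACTIVE.
        active=text.count("Status: ACTIVE") >= 2,
    )


def _acl_prefix(tokens):
    """Consume one address spec from an ACE: any | host A | A WILDCARD."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    netmask = ".".join(str(255 - int(octet)) for octet in wildcard.split("."))
    return ipaddress.ip_network(f"{first}/{netmask}", strict=False)


# Only plain "ip" ACEs are evaluated; tcp/udp entries are skipped.
ACE_RE = re.compile(r"^\s*(?:\d+ )?(permit|deny) ip (.+?)(?: \(\d+ matches\))?$")


def nat_exempts(acl_text, local_cidr, remote_cidr):
    """True if the first ACE matching local->remote is a deny, i.e. the tunnel
    traffic bypasses NAT. IOS evaluates the list top-down, and a permit above
    the deny translates the source so it no longer matches the crypto ACL."""
    local, remote = ipaddress.ip_network(local_cidr), ipaddress.ip_network(remote_cidr)
    for line in acl_text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        action, tokens = m.group(1), m.group(2).split()
        src, dst = _acl_prefix(tokens), _acl_prefix(tokens)
        if local.subnet_of(src) and remote.subnet_of(dst):
            return action == "deny"
    return True  # no ACE matched: implicit deny, nothing is translated


def diagnose(sa, nat_exempt):
    """Map the counter pattern to the fault domain it points at."""
    if not sa.active:
        return "sa-not-active"
    if sa.encaps == 0 and sa.decaps == 0:
        if not nat_exempt:
            return "nat-translates-tunnel-traffic"
        # Packets never hit the crypto map: check the route for the remote
        # ident in the protected VRF and that it leaves via the map interface.
        return "no-traffic-reaches-crypto-map"
    if sa.encaps > 0 and sa.decaps == 0:
        return "no-return-traffic"  # we send; peer policy, path or firewall
    if sa.decaps > 0 and sa.encaps == 0:
        return "inbound-only"
    return "passing"


def triage(sa_text, nat_acl_text):
    sa = parse_ipsec_sa(sa_text)
    return diagnose(sa, nat_exempts(nat_acl_text, sa.local_ident, sa.remote_ident))


if __name__ == "__main__":
    s = parse_ipsec_sa(SAMPLE_SA)
    print(f"{s.interface} vrf={s.protected_vrf} {s.local_ident}->{s.remote_ident} "
          f"encaps={s.encaps} decaps={s.decaps} active={s.active}")
    print(triage(SAMPLE_SA, SAMPLE_NAT_ACL))
```

Feed it the real `show crypto ipsec sa peer <ip>` and `show ip access-lists <nat-acl>` text; the verdict only narrows the search (for example, "no-traffic-reaches-crypto-map" is the cue to look at `show ip route vrf MY_VRF 10.156.0.0` and `show ip cef vrf MY_VRF 10.156.0.1` rather than at the peer).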

 

2 Replies

IPsec must be configured VRF-aware.
Can I see the config?

This is my config:

crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 2
crypto isakmp profile VPN_PROFILE
 vrf MY_VRF
 keyring internet-keyring
 match identity address THE_PEER_IP 255.255.255.255
 isakmp authorization list default
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer THE_PEER_IP
 set transform-set TS
 set isakmp-profile VPN_PROFILE
 match address cryptoacl
 reverse-route