Cisco VPN Lab

rasilingwani
Level 1

Hi Guys

I am playing around on a VPN lab between some Cisco routers. The problem I am experiencing is that my traffic is encrypted on the one end but it is not getting decrypted on the other end. I put below the output of my show crypto ipsec sa and my running config on the two VPN devices.

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.100.200.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.100.3.0/255.255.255.0/0/0)
   current_peer 192.168.3.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 35, #pkts encrypt: 35, #pkts digest: 35
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.100.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.100.200.0/255.255.255.0/0/0)
   current_peer 192.168.2.1 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 219, #pkts encrypt: 219, #pkts digest: 219
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 660, #recv errors 0


R1 Running

hostname Customer
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip source-route
no ip icmp rate-limit unreachable
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 192.168.2.1
!
!
crypto ipsec transform-set Cust-VPNTRANS esp-3des esp-md5-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.168.2.1
 set transform-set Cust-VPNTRANS
 match address VPN_2
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.100.3.1 255.255.255.0
 ip nat inside
 duplex half
!
interface Serial1/0
 ip address 192.168.3.1 255.255.255.252
 ip nat outside
 serial restart-delay 0
 crypto map VPNMAP
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip nat inside source list NAT interface Serial1/0 overload
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.3.2
!
ip access-list extended NAT
 deny   ip 10.100.3.0 0.0.0.255 10.100.200.0 0.0.0.255 log
 permit ip any any
ip access-list extended VPN_2
 permit ip 10.100.3.0 0.0.0.255 10.100.200.0 0.0.0.255 log
 permit ip 10.100.200.0 0.0.0.255 10.100.3.0 0.0.0.255 log
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
end

Customer#


R2 Running

!
hostname Third_Party
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip source-route
no ip icmp rate-limit unreachable
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 192.168.3.1
!
!
crypto ipsec transform-set VPNTRANS esp-3des esp-md5-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.168.3.1
 set transform-set VPNTRANS
 match address VPN
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 duplex full
!
interface Ethernet1/0
 ip address 10.100.200.1 255.255.255.0
 ip nat inside
 duplex full
!
interface Ethernet1/1
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/2
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/3
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/4
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/5
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/6
 no ip address
 shutdown
 duplex half
!
interface Ethernet1/7
 no ip address
 shutdown
 duplex half
!
interface Serial2/0
 ip address 192.168.2.1 255.255.255.252
 ip nat outside
 serial restart-delay 0
 crypto map VPNMAP
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip nat inside source list NAT interface Serial2/0 overload
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.2.2
!
ip access-list extended NAT
 deny   ip 10.100.200.0 0.0.0.255 10.100.3.0 0.0.0.255 log
 permit ip any any
ip access-list extended VPN
 permit ip 10.100.200.0 0.0.0.255 10.100.100.0 0.0.0.255 log
 permit ip 10.100.200.0 0.0.0.255 10.100.3.0 0.0.0.255 log
 permit ip 10.100.3.0 0.0.0.255 10.100.200.0 0.0.0.255 log
 permit ip 10.100.100.0 0.0.0.255 10.100.200.0 0.0.0.255 log
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
end

Third_Party#
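A small triage of the two show crypto ipsec sa excerpts above, added here as an example and not part of the original post: it parses the counters and peer port of each SA, flags encaps without decaps and send errors, and reports whether the two ends see each other on the same port (one shows 500, the other 4500). The sample input is the post's own output trimmed to the lines the check reads; the function names are mine.

```python
import re
# Constructed input: the two 'show crypto ipsec sa' excerpts quoted in the post,
# trimmed to the lines this check reads (Third_Party's SA first, then Customer's).
SA_OUTPUT = """
   local  ident (addr/mask/prot/port): (10.100.200.0/255.255.255.0/0/0)
   current_peer 192.168.3.1 port 500
    #pkts encaps: 35, #pkts encrypt: 35, #pkts digest: 35
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
   local  ident (addr/mask/prot/port): (10.100.3.0/255.255.255.0/0/0)
   current_peer 192.168.2.1 port 4500
    #pkts encaps: 219, #pkts encrypt: 219, #pkts digest: 219
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 660, #recv errors 0
"""
# Each pattern fills one key of the current SA record; 'local ident' starts a new record.
PATTERNS = {
    "local": re.compile(r"local\s+ident .*\((\S+?)/"),
    "peer": re.compile(r"current_peer (\S+) port"),
    "port": re.compile(r"current_peer \S+ port (\d+)"),
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "send_errors": re.compile(r"#send errors (\d+)"),
}

def parse_sa_output(text):
    """Return one dict per SA found in the output (numeric fields as int)."""
    records = []
    for line in text.splitlines():
        for key, pat in PATTERNS.items():
            if (m := pat.search(line)) and (key == "local" or records):
                if key == "local":
                    records.append({})
                records[-1][key] = int(m[1]) if m[1].isdigit() else m[1]
    return records

def triage(rec):
    """Findings for one SA, read the way the reply reads the counters."""
    findings = []
    if rec["encaps"] and not rec["decaps"]:
        findings.append("encaps without decaps: sending, nothing returned to decrypt")
    if rec["send_errors"]:
        findings.append(f"{rec['send_errors']} send errors")
    if rec["port"] == 4500:
        findings.append("peer on UDP/4500: this end negotiated NAT-T encapsulation")
    return findings

def ends_disagree_on_port(records):
    """True when the two ends report different ports for each other (500 vs 4500)."""
    return len({r["port"] for r in records}) > 1
```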

1 Reply

Deepak Chauhan
Level 1

The problem above shows that Phase 1 of the tunnel is successfully establishing but Phase 2 has problems. Specifically, the firewall is encrypting packets but not decrypting them.

If an ASA or router is getting encaps but not decaps, this means it is encrypting the data and sending it but has not received anything to decrypt in return.

  • Verify the other end has a route outside for the interesting traffic.
  • Check that both VPN ACLs are not mismatched.
  • Double check NATs to make sure the traffic is not NATing correctly.
  • Is what you are trying to ping even responding back? Often what you’re sending traffic to is not able to accept or is not responding to this traffic. I prefer to put a packet capture on the remote end firewall to see if the traffic is coming back into that firewall.
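One way to run the ACL check from the second bullet against the two crypto ACLs posted above, added here as an example and not code from the thread: it parses the permit entries, reports ACEs that the other peer does not mirror, and reports ACEs that describe the reverse direction, which a crypto ACL should leave to the peer's mirror-image ACL. The local LANs are assumed to be 10.100.3.0/24 for Customer and 10.100.200.0/24 for Third_Party, taken from the interface addresses in the configs; the function names are mine.

```python
import ipaddress
import re

# Constructed input: the two crypto ACLs quoted in the post (IOS wildcard masks).
CUSTOMER_VPN_2 = """
 permit ip 10.100.3.0 0.0.0.255 10.100.200.0 0.0.0.255 log
 permit ip 10.100.200.0 0.0.0.255 10.100.3.0 0.0.0.255 log
"""
THIRD_PARTY_VPN = """
 permit ip 10.100.200.0 0.0.0.255 10.100.100.0 0.0.0.255 log
 permit ip 10.100.200.0 0.0.0.255 10.100.3.0 0.0.0.255 log
 permit ip 10.100.3.0 0.0.0.255 10.100.200.0 0.0.0.255 log
 permit ip 10.100.100.0 0.0.0.255 10.100.200.0 0.0.0.255 log
"""
ACE_RE = re.compile(r"permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def wildcard_to_network(addr, wildcard):
    """IOS address + wildcard (an inverted mask) -> IPv4Network."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_crypto_acl(text):
    """Set of (src, dst) network pairs from the 'permit ip' ACEs."""
    return {(wildcard_to_network(m[1], m[2]), wildcard_to_network(m[3], m[4]))
            for m in ACE_RE.finditer(text)}


def acl_mismatches(local_acl, remote_acl):
    """ACEs on either side that the other side does not mirror as (dst, src)."""
    local, remote = parse_crypto_acl(local_acl), parse_crypto_acl(remote_acl)
    only_local = sorted(f"{s}->{d}" for s, d in local if (d, s) not in remote)
    only_remote = sorted(f"{s}->{d}" for s, d in remote if (d, s) not in local)
    return only_local, only_remote


def reverse_direction_entries(acl, local_lans):
    """ACEs whose source is not a local LAN. A crypto ACL should list only
    local->remote flows; the peer's mirror image covers the return traffic."""
    lans = {ipaddress.IPv4Network(n) for n in local_lans}
    return sorted(f"{s}->{d}" for s, d in parse_crypto_acl(acl) if s not in lans)


if __name__ == "__main__":
    print("unmirrored (Customer, Third_Party):", acl_mismatches(CUSTOMER_VPN_2, THIRD_PARTY_VPN))
    print("Customer reverse-direction ACEs:", reverse_direction_entries(CUSTOMER_VPN_2, ["10.100.3.0/24"]))
```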