11-17-2014 10:40 AM
Hi Guys
I am playing around on a VPN lab between some Cisco routers. My problem I am experiencing is that my traffic is encrypted on the one end but it is not getting decrypted on the other end. I put below the output of my show crypto IPsec sa and my running config on the two VPN devices.
protected vrf: (none)
local ident (addr/mask/prot/port): (10.100.200.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.100.3.0/255.255.255.0/0/0)
current_peer 192.168.3.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 35, #pkts encrypt: 35, #pkts digest: 35
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
protected vrf: (none)
local ident (addr/mask/prot/port): (10.100.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.100.200.0/255.255.255.0/0/0)
current_peer 192.168.2.1 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 219, #pkts encrypt: 219, #pkts digest: 219
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 660, #recv errors 0
R1 Running
hostname Customer
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip source-route
no ip icmp rate-limit unreachable
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 192.168.2.1
!
!
crypto ipsec transform-set Cust-VPNTRANS esp-3des esp-md5-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
set peer 192.168.2.1
set transform-set Cust-VPNTRANS
match address VPN_2
!
!
!
!
!
interface FastEthernet0/0
ip address 10.100.3.1 255.255.255.0
ip nat inside
duplex half
!
interface Serial1/0
ip address 192.168.3.1 255.255.255.252
ip nat outside
serial restart-delay 0
crypto map VPNMAP
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
ip nat inside source list NAT interface Serial1/0 overload
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.3.2
!
ip access-list extended NAT
deny ip 10.100.3.0 0.0.0.255 10.100.200.0 0.0.0.255 log
permit ip any any
ip access-list extended VPN_2
permit ip 10.100.3.0 0.0.0.255 10.100.200.0 0.0.0.255 log
permit ip 10.100.200.0 0.0.0.255 10.100.3.0 0.0.0.255 log
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
end
Customer#
R2 Running
!
hostname Third_Party
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip source-route
no ip icmp rate-limit unreachable
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 192.168.3.1
!
!
crypto ipsec transform-set VPNTRANS esp-3des esp-md5-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
set peer 192.168.3.1
set transform-set VPNTRANS
match address VPN
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex full
!
interface Ethernet1/0
ip address 10.100.200.1 255.255.255.0
ip nat inside
duplex full
!
interface Ethernet1/1
no ip address
shutdown
duplex half
!
interface Ethernet1/2
no ip address
shutdown
duplex half
!
interface Ethernet1/3
no ip address
shutdown
duplex half
!
interface Ethernet1/4
no ip address
shutdown
duplex half
!
interface Ethernet1/5
no ip address
shutdown
duplex half
!
interface Ethernet1/6
no ip address
shutdown
duplex half
!
interface Ethernet1/7
no ip address
shutdown
duplex half
!
interface Serial2/0
ip address 192.168.2.1 255.255.255.252
ip nat outside
serial restart-delay 0
crypto map VPNMAP
!
interface Serial2/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
ip nat inside source list NAT interface Serial2/0 overload
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.2.2
!
ip access-list extended NAT
deny ip 10.100.200.0 0.0.0.255 10.100.3.0 0.0.0.255 log
permit ip any any
ip access-list extended VPN
permit ip 10.100.200.0 0.0.0.255 10.100.100.0 0.0.0.255 log
permit ip 10.100.200.0 0.0.0.255 10.100.3.0 0.0.0.255 log
permit ip 10.100.3.0 0.0.0.255 10.100.200.0 0.0.0.255 log
permit ip 10.100.100.0 0.0.0.255 10.100.200.0 0.0.0.255 log
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
end
Third_Party#
12-02-2014 09:52 AM
The problem above shows that Phase 1 of the tunnel is establishing successfully but Phase 2 has problems. Specifically, the firewall is encrypting packets but not decrypting them.
If an ASA or router is getting encaps but not decaps, this means it is encrypting the data and sending it but has not received anything to decrypt in return.
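As an added example (not from the thread or either poster), a small Python parser that pulls the encaps/decaps counters out of show crypto ipsec sa output and applies the rule stated in the reply: encaps without decaps means that SA is sending but never receiving. The sample text is constructed from the counters shown in the question above.

```python
import re

# Constructed sample: the two 'show crypto ipsec sa' excerpts from the thread, trimmed.
SAMPLE = """\
local ident (addr/mask/prot/port): (10.100.200.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.100.3.0/255.255.255.0/0/0)
current_peer 192.168.3.1 port 500
#pkts encaps: 35, #pkts encrypt: 35, #pkts digest: 35
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors 0

local ident (addr/mask/prot/port): (10.100.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.100.200.0/255.255.255.0/0/0)
current_peer 192.168.2.1 port 4500
#pkts encaps: 219, #pkts encrypt: 219, #pkts digest: 219
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 660, #recv errors 0
"""

# One regex per field; group 1 is the value (the second parenthesised group on ident lines).
PATTERNS = {
    "local": r"local ident .*\): \(([\d.]+)/",
    "remote": r"remote ident .*\): \(([\d.]+)/",
    "peer": r"current_peer (\S+) port",
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "send_err": r"#send errors (\d+)",
}

def parse_ipsec_sa(text):
    """Return one dict per SA; a new SA starts at each 'local ident' line."""
    sas = []
    for line in text.splitlines():
        if line.lstrip().startswith("local ident"):
            sas.append({})
        for key, pat in PATTERNS.items():
            m = re.search(pat, line)
            if m and sas:
                val = m.group(1)
                sas[-1][key] = int(val) if val.isdigit() else val
    return sas

def diagnose(sa):
    """Classify traffic direction from the encaps/decaps counters."""
    enc, dec = sa.get("encaps", 0), sa.get("decaps", 0)
    if enc and not dec:
        return "one-way: encrypting to %s, nothing received to decrypt" % sa["peer"]
    if dec and not enc:
        return "one-way: decrypting from %s, nothing sent" % sa["peer"]
    return "bidirectional" if enc else "idle"
```

Run over the sample, both SAs come back as one-way in the encrypting direction, and the second one also carries the 660 send errors that are worth checking before looking at the far end.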