07-18-2019 01:01 AM
We have a IPSec peer. Everything works great..IPSec established, from the router I can ping/connect to the remote hosts, but the clients are not able to connect. There is no NAT involved. When pinging any remote IP from the router using the source IP of LAN interface on which the clients are connected, it works well, but the same thing doesn't work when pinging from client. I even tried assigning different subnet and configured NAT on it to no avail. From the router everything works perfectly, but a directly connected host is not able to connect to anything. Tried different clients as well but it didn't work either. Below is some show commands the I think will be useful for anyone to understand:
B3-MD#show crypto ip sa peer REMOTEPEER
interface: GigabitEthernet0/0
Crypto map tag: b3vpn, local addr LOCALADDRESS
protected vrf: (none)
local ident (addr/mask/prot/port): (LOCALSUBNET/255.255.255.224/0/0)
remote ident (addr/mask/prot/port): (REMOTESUBNET/255.255.255.0/0/0)
current_peer REMOTEPEER port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 39, #pkts encrypt: 39, #pkts digest: 39
#pkts decaps: 39, #pkts decrypt: 39, #pkts verify: 39
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: LOCALADDRESS, remote crypto endpt.: REMOTEPEER
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x900765E(151025246)
PFS (Y/N): Y, DH group: group14
inbound esp sas:
spi: 0xB036DAEE(2956385006)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3195, flow_id: Onboard VPN:1195, sibling_flags 80000040, crypto map: b3vpn
sa timing: remaining key lifetime (k/sec): (4287563/3325)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x900765E(151025246)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3196, flow_id: Onboard VPN:1196, sibling_flags 80000040, crypto map: b3vpn
sa timing: remaining key lifetime (k/sec): (4287563/3325)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
B3-MD#show ip access-lists 149
Extended IP access list 149
10 permit ip LOCALSUBNET 0.0.0.31 REMOTESUBNET 0.0.0.255 (68 matches)
Crypto Map: crypto map b3vpn 20 ipsec-isakmp
set peer REMOTEPEER
set transform-set B3VPN
set pfs group14
match address 149
crypto map b3vpn
B3-MD#show run int gi0/0
Building configuration...
Current configuration : 122 bytes
!
interface GigabitEthernet0/0
ip address LOCALADDRESS 255.255.255.248
duplex auto
speed auto
crypto map b3vpn
end
B3-MD#show run int gi0/1
Building configuration...
Current configuration : 137 bytes
!
interface GigabitEthernet0/1
ip address (LANINTERFACE <LOCALSUBNET>) 255.255.255.224
ip pim sparse-mode
duplex auto
speed auto
no cdp enable
end
P.S It's a CISCO1921/K9 Device
Solved! Go to Solution.
07-18-2019 02:30 AM
So the problem was not in the crypto maps or the ACL, but CEF was enabled and it was causing this issue. As soon as we did a 'no ip cef', it started to work from all the clients.
07-18-2019 01:12 AM
07-18-2019 02:28 AM
07-18-2019 01:48 AM
if your phase one is up and your are able to at least send some traffic acorss the tunnel, then you should focus on IPSEC SAs, enmcryption domains/interestingb traffic and thirdly access list. this needs to be check on both ends.
9 out of times these sorts of issues are caused by config mismatches at either end.
is the other end a cisco device as well?
07-18-2019 02:30 AM
So the problem was not in the crypto maps or the ACL, but CEF was enabled and it was causing this issue. As soon as we did a 'no ip cef', it started to work from all the clients.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide