henry0377

Dynamic IPsec VPN established between Hub and Spoke, but they cannot ping each other

The topology is attached.

The Spoke site (a Linux-based SOHO router) is configured with an IPsec VPN with a full network route (Peer: 0.0.0.0/0) to the Hub, and a dynamic IPsec VPN has been established between the Hub and the Spoke site.

At the beginning this topology was working properly: the IPsec tunnel terminated at the Hub, and I could ping PC2 at the Spoke from any interface at the Hub.

But recently I cannot ping the host (PC2) at the Spoke from the interfaces at the Hub. Meanwhile, I can ping PC2 from Loop101 at hosting; if I change the source interface to tun101, that does not work.

Does anyone have experience solving this problem? Please help me find it out. Thanks a lot!

========================================

Hub#show run (VPN)

crypto keyring 3gvpnsh
  pre-shared-key address 0.0.0.0 0.0.0.0 key tseinfo

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp keepalive 10 5
crypto isakmp nat keepalive 60

crypto ipsec transform-set 3gvpnsh esp-3des esp-sha-hmac
 mode transport

crypto map 3gvpnsh 100 ipsec-isakmp dynamic 3gvpnsh

***: No access-list configured for this dynamic VPN ***

========================================

Hub#sh cry ipsec sa

protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.13.248.44/255.255.255.252/0/0)
   current_peer 114.81.217.74 port 500
     PERMIT, flags={}
    #pkts encaps: 942, #pkts encrypt: 942, #pkts digest: 942
    #pkts decaps: 722, #pkts decrypt: 722, #pkts verify: 722
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: ***.***.***.***, remote crypto endpt.: ###.###.###.###

     path mtu 1500, ip mtu 1500
     current outbound spi: 0x36562A88(911616648)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x684A6A6D(1749707373)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 871, flow_id: 871, sibling flags 80000040,  crypto map: 3gvpnsh
        sa timing: remaining key lifetime (k/sec): (4407128/991)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x36562A88(911616648)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 872, flow_id: 872, sibling flags 80000040,  crypto map: 3gvpnsh
        sa timing: remaining key lifetime (k/sec): (4406428/979)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

========================================================

c_kumar001

Hi,

What are you using for tunnel traffic and interesting traffic to flow, static or any protocol?

Hi Chandan,

Thanks for your reply.

I want all the data to pass through the IPsec tunnel from the Spoke to the Hub, and before this problem appeared, it did exactly what I wanted.

I am just curious why, if I ping from the Spoke to the Hub, I only see "pkts decaps" increasing, and if I ping from the Hub to the Spoke, I only see "pkts encaps" increasing. I have checked all the IP routes and ACLs several times, but nothing helps.

=======================

Hub#show crypto session

Peer: x.x.x.x port 500
  IKE SA: local a.b.c.d/500 remote x.x.x.x/500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 10.13.248.44/255.255.255.252
        Active SAs: 2, origin: dynamic crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 10.13.248.44/255.255.255.252
        Active SAs: 2, origin: dynamic crypto map

***********************************

Hub#show crypto ipsec sa  

Crypto map tag: 3gvpnsh, local addr a.b.c.d

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.13.248.44/255.255.255.252/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={}
    #pkts encaps: 1520, #pkts encrypt: 1520, #pkts digest: 1520
    #pkts decaps: 1168, #pkts decrypt: 1168, #pkts verify: 1168
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: a.b.c.d, remote crypto endpt.: x.x.x.x

     path mtu 1500, ip mtu 1500
     current outbound spi: 0x8803A054(2281939028)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xCEE95B50(3471399760)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 723, flow_id: 723, sibling flags C0000040,  crypto map: 3gvpnsh
        sa timing: remaining key lifetime (k/sec): (4509998/13)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
      spi: 0xF22C6C77(4062997623)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 775, flow_id: 775, sibling flags 80000040,  crypto map: 3gvpnsh

=======================

According to 'show crypto session' and 'show crypto ipsec sa' above, I should be able to ping 10.13.248.44/30 at the Hub. Am I right?

But I can only ping the host at 10.13.248.44/30 from 10.13.0.23.
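The one-directional counter growth described in this thread (only "pkts encaps" moving when pinging from the Hub, only "pkts decaps" when pinging from the Spoke) is the usual sign that one side is selecting the SA for its outbound packets but the reverse traffic never reaches the tunnel. The script below is an added example and not part of the thread or of Cisco IOS: it parses two `show crypto ipsec sa` snapshots in the format shown above, diffs the encaps/decaps counters per flow and labels each flow as bidirectional, encaps-only, decaps-only or idle. The snapshot text is constructed from the thread's output (the first set of counters, 942/722, is taken from the original post; the asymmetric second set is invented to reproduce the symptom), and the peer/identity strings are the placeholders the poster used.

```python
"""Diff two Cisco IOS `show crypto ipsec sa` snapshots and flag one-way counter growth.

Added example for the thread above; not Cisco code. Only the fields needed for a
direction check are parsed; SPIs, transforms and lifetimes are ignored.
"""
import re
from dataclasses import dataclass


@dataclass
class SaCounters:
    peer: str
    local_ident: str
    remote_ident: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int


def parse_ipsec_sa(text: str) -> dict:
    """Return {(peer, local ident, remote ident): SaCounters} for every flow block."""
    flows = {}
    current = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"local\s+ident \(addr/mask/prot/port\): \((.+)\)", line)
        if m:                      # a new flow block always starts with its local ident
            current = {"local_ident": m.group(1)}
            continue
        m = re.match(r"remote ident \(addr/mask/prot/port\): \((.+)\)", line)
        if m:
            current["remote_ident"] = m.group(1)
            continue
        m = re.match(r"current_peer (\S+) port", line)
        if m:
            current["peer"] = m.group(1)
            continue
        m = re.match(r"#pkts encaps: (\d+),", line)
        if m:
            current["encaps"] = int(m.group(1))
            continue
        m = re.match(r"#pkts decaps: (\d+),", line)
        if m:
            current["decaps"] = int(m.group(1))
            continue
        m = re.match(r"#send errors (\d+), #recv errors (\d+)", line)
        if m:                      # last counter line of a block: finalize the record
            current["send_errors"] = int(m.group(1))
            current["recv_errors"] = int(m.group(2))
            sa = SaCounters(**current)
            flows[(sa.peer, sa.local_ident, sa.remote_ident)] = sa
            current = {}
    return flows


def classify_direction(before: SaCounters, after: SaCounters) -> str:
    """Label the traffic seen between two snapshots of the same flow."""
    d_enc = after.encaps - before.encaps
    d_dec = after.decaps - before.decaps
    if d_enc > 0 and d_dec > 0:
        return "bidirectional"
    if d_enc > 0:
        return "encaps-only"   # we send into the tunnel, nothing comes back: check the return path
    if d_dec > 0:
        return "decaps-only"   # we receive from the tunnel but never answer through it: check local routing
    return "idle"


def compare_snapshots(before_text: str, after_text: str) -> dict:
    """Parse both snapshots and classify every flow present in the later one."""
    before = parse_ipsec_sa(before_text)
    after = parse_ipsec_sa(after_text)
    return {key: ("new" if key not in before else classify_direction(before[key], sa))
            for key, sa in after.items()}


# Constructed snapshot text modelled on the thread's output; {enc}/{dec} are filled in below.
SNAPSHOT_TEMPLATE = """\
Crypto map tag: 3gvpnsh, local addr a.b.c.d

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.13.248.44/255.255.255.252/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={{}}
    #pkts encaps: {enc}, #pkts encrypt: {enc}, #pkts digest: {enc}
    #pkts decaps: {dec}, #pkts decrypt: {dec}, #pkts verify: {dec}
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
"""


def demo() -> dict:
    """Reproduce the symptom: 20 pings from the Hub bump encaps only, decaps stays flat."""
    before = SNAPSHOT_TEMPLATE.format(enc=942, dec=722)   # counters from the original post
    after = SNAPSHOT_TEMPLATE.format(enc=962, dec=722)    # constructed: +20 encaps, +0 decaps
    return compare_snapshots(before, after)


if __name__ == "__main__":
    for key, verdict in demo().items():
        print(key, "->", verdict)
```

Take the first snapshot, send a known number of pings sourced from the interface you are testing, take the second snapshot and run the comparison; an "encaps-only" verdict on the Hub means the Spoke either never receives the packets or does not send its replies back through the SA, while "decaps-only" points at the Hub's own routing or the proxy identity not covering the reply.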
