help with client IPSEC VPN on CSR1000v in AWS

bgarrett901
Level 1

I'm having a hell of a time getting an IPSEC client VPN up and running on a CSR1000v that is running in AWS. The VPN connection is actually successful, but I can't seem to get any return traffic. Here is a terrible network diagram:

172.16.0.0/17--------(172.16.26.219-outside)(172.16.137.90-inside)-------172.16.128.0/17 AND connected through VPC Peering 10.2.0.0/16

I know the VPC peering works because the RADIUS server is located there and authenticates just fine, as well as all manner of other traffic sourced from the router able to reach the 10.2.0.0/16 network just fine.

According to a sh cry ip sa, packets are being decaped fine, but nothing is being encaped. In the past I've run into this and the problem was with NAT on the internal interface, but I've gone over it a billion million times and can't find a problem with my NAT. I'll post a censored sh run, as well as a sh cry ip sa. If anyone has any ideas what this could be please let me know, I will be forever grateful.

EDIT: the formatting makes me super sad, I'll try and fix it.

!
version 15.5
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname Cisco-CSR
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 CENSORED
!
aaa new-model
!
!
aaa authentication login userauthen group radius local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
clock timezone PST -8 0
clock summer-time PDT recurring
!
subscriber templating
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-3334085578
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3334085578
 revocation-check none
 rsakeypair TP-self-signed-3334085578
!
!
crypto pki certificate chain TP-self-signed-3334085578
 certificate self-signed 01
  CENSORED
        quit
license udi pid CSR1000V sn 9DLL8QPTR1S
!
username CENSORED privilege 0 password 7 CENSORED
!
redundancy
!
!
!
!
!
!
ip ssh rsa keypair-name ssh-key
ip ssh version 2
ip ssh pubkey-chain
  username CENSORED
   key-hash ssh-rsa CENSORED CENSORED
!
!
!
!
!
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp client configuration group MLclient
 key CENSORED
 dns 10.2.1.6 10.2.3.164
 pool vpnclients
 acl split-tunnel
!
!
no crypto ipsec transform-set default
crypto ipsec transform-set custom-transform-set esp-aes esp-sha-hmac
 mode transport
!
!
!
crypto dynamic-map dynmap 10
 set transform-set custom-transform-set
!
!
crypto map MLmap client authentication list userauthen
crypto map MLmap isakmp authorization list groupauthor
crypto map MLmap client configuration address respond
crypto map MLmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface GigabitEthernet1
 description outside
 ip address dhcp
 ip nat outside
 negotiation auto
 crypto map MLmap
!
interface GigabitEthernet2
 description inside
 ip address dhcp
 ip nat inside
 negotiation auto
!
!
virtual-service csr_mgmt
 ip shared host-interface GigabitEthernet1
 activate
!
ip local pool vpnclients 192.168.150.5 192.168.150.250
ip nat inside source route-map nonat interface GigabitEthernet1 overload
ip forward-protocol nd
!
no ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.16.0.1
ip route 10.2.0.0 255.255.0.0 172.16.128.1
!
ip access-list extended split-tunnel
 permit ip 50.112.0.0 0.0.255.255 192.168.150.0 0.0.0.255
 permit ip 54.245.0.0 0.0.255.255 192.168.150.0 0.0.0.255
 permit ip 54.244.0.0 0.0.255.255 192.168.150.0 0.0.0.255
 permit ip 54.214.0.0 0.0.255.255 192.168.150.0 0.0.0.255
 permit ip 54.212.0.0 0.0.255.255 192.168.150.0 0.0.0.255
 permit ip 54.218.0.0 0.0.255.255 192.168.150.0 0.0.0.255
 permit ip 54.200.0.0 0.1.255.255 192.168.150.0 0.0.0.255
 permit ip 54.202.0.0 0.1.255.255 192.168.150.0 0.0.0.255
 permit ip 54.184.0.0 0.7.255.255 192.168.150.0 0.0.0.255
 permit ip 54.68.0.0 0.3.255.255 192.168.150.0 0.0.0.255
 permit ip 54.148.0.0 0.1.255.255 192.168.150.0 0.0.0.255
 permit ip 52.10.0.0 0.1.255.255 192.168.150.0 0.0.0.255
 permit ip 52.12.0.0 0.1.255.255 192.168.150.0 0.0.0.255
 permit ip 52.24.0.0 0.3.255.255 192.168.150.0 0.0.0.255
 permit ip 10.2.0.0 0.0.255.255 192.168.150.0 0.0.0.255
!
access-list 101 deny   ip 172.16.128.0 0.0.127.255 192.168.150.0 0.0.0.255
access-list 101 deny   ip 10.2.0.0 0.0.255.255 192.168.150.0 0.0.0.255
access-list 101 permit ip 172.16.128.0 0.0.127.255 any
access-list 101 permit ip 10.2.0.0 0.0.255.255 any
!
route-map nonat permit 10
 match ip address 101
!
!
!
radius-server host 10.2.18.193 key 7 CENSORED
!
radius server radius
 address ipv4 10.2.18.193 auth-port 1812 acct-port 1812
 retransmit 3
 key 7 CENSORED
!
!
control-plane
!
!
line con 0
 stopbits 1
line vty 0 4
 transport input ssh
!
!
end

sh cry ip sa

interface: GigabitEthernet1
    Crypto map tag: MLmap, local addr 172.16.26.219

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.150.7/255.255.255.255/0/0)
   current_peer 12.49.215.253 port 5510
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 506, #pkts decrypt: 506, #pkts verify: 506
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

 local crypto endpt.: 172.16.26.219, remote crypto endpt.: 12.49.215.253
 plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
 current outbound spi: 0x4FBAF6C1(1337652929)
 PFS (Y/N): N, DH group: none

 inbound esp sas:
  spi: 0x726D5F6(119985654)
    transform: esp-aes esp-sha-hmac ,
    in use settings ={Tunnel UDP-Encaps, }
    conn id: 2009, flow_id: CSR:9, sibling_flags FFFFFFFF80000048, crypto map: MLmap
    sa timing: remaining key lifetime (k/sec): (4607962/2339)
    IV size: 16 bytes
    replay detection support: Y
    Status: ACTIVE(ACTIVE)

 inbound ah sas:

 inbound pcp sas:

 outbound esp sas:
  spi: 0x4FBAF6C1(1337652929)
    transform: esp-aes esp-sha-hmac ,
    in use settings ={Tunnel UDP-Encaps, }
    conn id: 2010, flow_id: CSR:10, sibling_flags FFFFFFFF80000048, crypto map: MLmap
    sa timing: remaining key lifetime (k/sec): (4608000/2339)
    IV size: 16 bytes
    replay detection support: Y
    Status: ACTIVE(ACTIVE)

 outbound ah sas:

 outbound pcp sas:

Cisco-CSR#
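Added example, not from the thread: a small Python re-implementation of IOS wildcard-mask ACL matching and the NAT-exemption semantics of `ip nat inside source route-map nonat` (translate only when the route-map's ACL returns permit, which is standard IOS behaviour), used to check which packets ACL 101 in the posted config exempts from translation, plus a check for the one-way pattern (decaps but no encaps) in the posted `sh cry ip sa`. The function names and the test addresses are my own.

```python
import ipaddress
import re

# ACL 101 as quoted from the posted config (it feeds route-map 'nonat').
ACL_101 = """
access-list 101 deny   ip 172.16.128.0 0.0.127.255 192.168.150.0 0.0.0.255
access-list 101 deny   ip 10.2.0.0 0.0.255.255 192.168.150.0 0.0.0.255
access-list 101 permit ip 172.16.128.0 0.0.127.255 any
access-list 101 permit ip 10.2.0.0 0.0.255.255 any
"""
# Counter lines quoted from the 'sh cry ip sa' output in the post.
SA_COUNTERS = """
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 506, #pkts decrypt: 506, #pkts verify: 506
"""
ACE_RE = re.compile(r"access-list\s+\d+\s+(permit|deny)\s+ip\s+"
                    r"(any|\S+\s+\S+)\s+(any|\S+\s+\S+)")

def wildcard_match(addr, spec):
    """IOS wildcard mask: a 1 bit means 'don't care'; 'any' matches all."""
    if spec == "any":
        return True
    base, wild = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return ((int(ipaddress.IPv4Address(addr)) & care)
            == (int(ipaddress.IPv4Address(base)) & care))

def parse_acl(text):
    """Return (action, source_spec, dest_spec) tuples in configured order."""
    return [m.groups() for m in ACE_RE.finditer(text)]

def acl_action(aces, src, dst):
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for action, s, d in aces:
        if wildcard_match(src, s) and wildcard_match(dst, d):
            return action
    return "deny"

def will_be_natted(src, dst):
    """'ip nat inside source route-map nonat ...' translates only when the
    route-map matches, i.e. when ACL 101 returns 'permit'."""
    return acl_action(parse_acl(ACL_101), src, dst) == "permit"

def one_way_traffic(sa_text):
    """True when the SA decapsulates but never encapsulates: return traffic
    is not reaching the crypto map (a routing or NAT problem, not IKE)."""
    enc = int(re.search(r"#pkts encaps:\s*(\d+)", sa_text).group(1))
    dec = int(re.search(r"#pkts decaps:\s*(\d+)", sa_text).group(1))
    return dec > 0 and enc == 0
```

For the posted config, replies from the RADIUS server (10.2.18.193) to a client in 192.168.150.0/24 hit the second deny and are left untranslated, so the NAT exemption itself is not what starves the outbound SA.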

4 Replies

pjain2
Cisco Employee

Can you try applying the following on the gi0/2 interface to check whether the traffic is going out to, and coming back in from, the internal host?

ip access-l ext test
 perm ip host <internal ip> host <client pool ip> log
 permit ip host <client pool ip> host <internal ip> log
 permit ip any any

int gi2
 ip access-group test in
 ip access-group test out

Also, if possible, run Wireshark captures on the internal host to check whether the traffic from the VPN client is reaching it and whether the return traffic is being sent out.


Cisco-CSR#show ip access-list test1
Extended IP access list test1
    10 permit ip any host 192.168.150.9 log
    20 permit ip host 192.168.150.9 any log (17 matches)
    30 permit ip any any

Looks like packets are coming from the VPN client (192.168.150.9) but not getting back to it.

Doing a packet capture on the host (I'm using the RADIUS server), I do not see any packets coming from 192.168.150.9, which leads me to think that this is a routing issue of some sort.

I have a route pointing 10.2.0.0/16 to 172.16.128.1 (which is controlled by Amazon), and that in turn has a route pointed over a VPC peering connection; that is working, because we can see that the router is able to communicate with the RADIUS server just fine. I've verified that there are routes back on the AWS-controlled routers to both the 172.16.0.0/16 space and the 192.168.150.0/24 space.

If the traffic is not reaching your internal host, then it is probably getting dropped somewhere in the middle. You would need to check your internal network for that.

Indranil.Sarkar
Level 1

Hi,

I have seen this before. This seems to be mostly a routing issue. Encaps happening but decaps not happening => means that return packets are not coming back from the CSR to your VPN client system. 

You need to add a route on the CSR back to the VPN client pool IP range, using the CSR interface as the next hop. Try adding the following on the CSR and see if that helps.

ip route 192.168.150.0 255.255.255.0 <IP of VPN pool facing CSR interface>

Regards,

Indranil
