09-29-2015 10:34 PM
I'm having a hell of a time getting an IPSEC client VPN up and running on a CSR1000v that is running in AWS. The VPN connection is actually successful, but I can't seem to get any return traffic. Here is a terrible network diagram:
172.16.0.0/17--------(172.16.26.219-outside)(172.16.137.90-inside)-------172.16.128.0/17 AND connected through VPC Peering 10.2.0.0/16
I know the VPC peering works because the RADIUS server is located there and authenticates just fine, as well as all manner of other traffic sourced from the router able to reach the 10.2.0.0/16 network just fine.
According to a sh cry ip sa, packets are being decaped fine, but nothing is being encaped. In the past I've run into this and the problem was with NAT on the internal interface, but I've gone over it a billion million times and can't find a problem with my NAT. I'll post a censored sh run, as well as a sh cry ip sa. If anyone has any ideas what this could be please let me know, I will be forever grateful.
EDIT: the formatting makes me super sad, I'll try and fix it.
!
version 15.5
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname Cisco-CSR
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 CENSORED
!
aaa new-model
!
!
aaa authentication login userauthen group radius local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
clock timezone PST -8 0
clock summer-time PDT recurring
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-3334085578
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3334085578
revocation-check none
rsakeypair TP-self-signed-3334085578
!
!
crypto pki certificate chain TP-self-signed-3334085578
certificate self-signed 01
CENSORED
quit
license udi pid CSR1000V sn 9DLL8QPTR1S
!
username CENSORED privilege 0 password 7 CENSORED
!
redundancy
!
!
!
!
!
!
ip ssh rsa keypair-name ssh-key
ip ssh version 2
ip ssh pubkey-chain
username CENSORED
key-hash ssh-rsa CENSORED CENSORED
!
!
!
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp client configuration group MLclient
key CENSORED
dns 10.2.1.6 10.2.3.164
pool vpnclients
acl split-tunnel
!
!
no crypto ipsec transform-set default
crypto ipsec transform-set custom-transform-set esp-aes esp-sha-hmac
mode transport
!
!
!
crypto dynamic-map dynmap 10
set transform-set custom-transform-set
!
!
crypto map MLmap client authentication list userauthen
crypto map MLmap isakmp authorization list groupauthor
crypto map MLmap client configuration address respond
crypto map MLmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface GigabitEthernet1
description outside
ip address dhcp
ip nat outside
negotiation auto
crypto map MLmap
!
interface GigabitEthernet2
description inside
ip address dhcp
ip nat inside
negotiation auto
!
!
virtual-service csr_mgmt
ip shared host-interface GigabitEthernet1
activate
!
ip local pool vpnclients 192.168.150.5 192.168.150.250
ip nat inside source route-map nonat interface GigabitEthernet1 overload
ip forward-protocol nd
!
no ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.16.0.1
ip route 10.2.0.0 255.255.0.0 172.16.128.1
!
ip access-list extended split-tunnel
permit ip 50.112.0.0 0.0.255.255 192.168.150.0 0.0.0.255
permit ip 54.245.0.0 0.0.255.255 192.168.150.0 0.0.0.255
permit ip 54.244.0.0 0.0.255.255 192.168.150.0 0.0.0.255
permit ip 54.214.0.0 0.0.255.255 192.168.150.0 0.0.0.255
permit ip 54.212.0.0 0.0.255.255 192.168.150.0 0.0.0.255
permit ip 54.218.0.0 0.0.255.255 192.168.150.0 0.0.0.255
permit ip 54.200.0.0 0.1.255.255 192.168.150.0 0.0.0.255
permit ip 54.202.0.0 0.1.255.255 192.168.150.0 0.0.0.255
permit ip 54.184.0.0 0.7.255.255 192.168.150.0 0.0.0.255
permit ip 54.68.0.0 0.3.255.255 192.168.150.0 0.0.0.255
permit ip 54.148.0.0 0.1.255.255 192.168.150.0 0.0.0.255
permit ip 52.10.0.0 0.1.255.255 192.168.150.0 0.0.0.255
permit ip 52.12.0.0 0.1.255.255 192.168.150.0 0.0.0.255
permit ip 52.24.0.0 0.3.255.255 192.168.150.0 0.0.0.255
permit ip 10.2.0.0 0.0.255.255 192.168.150.0 0.0.0.255
!
access-list 101 deny ip 172.16.128.0 0.0.127.255 192.168.150.0 0.0.0.255
access-list 101 deny ip 10.2.0.0 0.0.255.255 192.168.150.0 0.0.0.255
access-list 101 permit ip 172.16.128.0 0.0.127.255 any
access-list 101 permit ip 10.2.0.0 0.0.255.255 any
!
route-map nonat permit 10
match ip address 101
!
!
!
radius-server host 10.2.18.193 key 7 CENSORED
!
radius server radius
address ipv4 10.2.18.193 auth-port 1812 acct-port 1812
retransmit 3
key 7 CENSORED
!
!
control-plane
!
!
line con 0
stopbits 1
line vty 0 4
transport input ssh
!
!
end
sh cry ip sa
interface: GigabitEthernet1
Crypto map tag: MLmap, local addr 172.16.26.219
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.150.7/255.255.255.255/0/0)
current_peer 12.49.215.253 port 5510
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 506, #pkts decrypt: 506, #pkts verify: 506
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.26.219, remote crypto endpt.: 12.49.215.253
plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
current outbound spi: 0x4FBAF6C1(1337652929)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x726D5F6(119985654)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2009, flow_id: CSR:9, sibling_flags FFFFFFFF80000048, crypto map: MLmap
sa timing: remaining key lifetime (k/sec): (4607962/2339)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x4FBAF6C1(1337652929)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2010, flow_id: CSR:10, sibling_flags FFFFFFFF80000048, crypto map: MLmap
sa timing: remaining key lifetime (k/sec): (4608000/2339)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
Cisco-CSR#
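An added example, not part of the original post: a small Python parser that reads `show crypto ipsec sa` output and flags every SA whose decap counter is climbing while encaps stays at zero, which is exactly the pattern in the output above (506 decaps, 0 encaps). The sample text is constructed: the first SA is copied from the post, the second peer (198.51.100.20, a documentation address) is hypothetical and is there only to show what a healthy, bidirectional SA looks like next to a broken one.

```python
"""Spot one-way IPsec SAs in `show crypto ipsec sa` output by comparing encap/decap counters."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample. First SA: copied from the post above. Second SA: hypothetical healthy client.
SAMPLE_OUTPUT = """\
interface: GigabitEthernet1
    Crypto map tag: MLmap, local addr 172.16.26.219

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.150.7/255.255.255.255/0/0)
   current_peer 12.49.215.253 port 5510
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 506, #pkts decrypt: 506, #pkts verify: 506
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0x726D5F6(119985654)
        in use settings ={Tunnel UDP-Encaps, }

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.150.9/255.255.255.255/0/0)
   current_peer 198.51.100.20 port 4500
     PERMIT, flags={}
    #pkts encaps: 312, #pkts encrypt: 312, #pkts digest: 312
    #pkts decaps: 340, #pkts decrypt: 340, #pkts verify: 340
    #send errors 0, #recv errors 0
     inbound esp sas:
        in use settings ={Tunnel UDP-Encaps, }
"""


@dataclass
class IpsecSa:
    remote_ident: str        # the client's assigned pool address (remote proxy identity)
    peer: str = ""           # public peer address:port; a port other than 500 means NAT-T
    encaps: int = 0          # packets the router encrypted toward the client
    decaps: int = 0          # packets the router decrypted from the client
    send_errors: int = 0
    recv_errors: int = 0
    nat_t: bool = False      # "UDP-Encaps" in the SA settings => ESP is UDP-encapsulated

    def verdict(self) -> str:
        """Classify the SA by traffic direction; 'inbound-only' is the symptom in the post."""
        if self.encaps and self.decaps:
            return "bidirectional"
        if self.decaps and not self.encaps:
            return "inbound-only"
        if self.encaps and not self.decaps:
            return "outbound-only"
        return "idle"


_RE_REMOTE = re.compile(r"remote ident .*?: \(([\d.]+)/")
_RE_PEER = re.compile(r"current_peer ([\d.]+) port (\d+)")
_RE_ENCAPS = re.compile(r"#pkts encaps: (\d+)")
_RE_DECAPS = re.compile(r"#pkts decaps: (\d+)")
_RE_ERRORS = re.compile(r"#send errors (\d+), #recv errors (\d+)")


def parse_ipsec_sa(output: str) -> List[IpsecSa]:
    """Each 'remote ident' line starts a new SA record; later lines fill in its counters."""
    sas: List[IpsecSa] = []
    cur = None
    for line in output.splitlines():
        m = _RE_REMOTE.search(line)
        if m:
            cur = IpsecSa(remote_ident=m.group(1))
            sas.append(cur)
            continue
        if cur is None:
            continue
        if m := _RE_PEER.search(line):
            cur.peer = f"{m.group(1)}:{m.group(2)}"
        elif m := _RE_ENCAPS.search(line):
            cur.encaps = int(m.group(1))
        elif m := _RE_DECAPS.search(line):
            cur.decaps = int(m.group(1))
        elif m := _RE_ERRORS.search(line):
            cur.send_errors, cur.recv_errors = int(m.group(1)), int(m.group(2))
        elif "UDP-Encaps" in line:
            cur.nat_t = True
    return sas


def one_way_clients(output: str) -> List[str]:
    """Pool addresses whose SA decrypts client traffic but has never encrypted a reply."""
    return [sa.remote_ident for sa in parse_ipsec_sa(output) if sa.verdict() == "inbound-only"]


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE_OUTPUT):
        print(f"{sa.remote_ident:<16} peer {sa.peer:<22} encaps={sa.encaps:<5} "
              f"decaps={sa.decaps:<5} nat-t={sa.nat_t} -> {sa.verdict()}")
```

The useful read of "inbound-only" is that the crypto map on GigabitEthernet1 is never handed a packet addressed to the client's pool address, so the reply is either never generated, dropped before it reaches the CSR, or routed or translated away from that interface; the counters alone cannot tell which, which is why the next reply in the thread asks for an ACL with `log` on the inside interface and a capture on the host. The `Tunnel UDP-Encaps` setting and the non-500 peer port confirm the client is behind NAT and using NAT-T.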
09-30-2015 09:46 AM
Can you try applying this on the Gi2 interface to check whether the traffic is going out to the internal host and coming back in from it?
ip access-list extended test
 permit ip host <internal ip> host <client pool ip> log
 permit ip host <client pool ip> host <internal ip> log
 permit ip any any
!
interface GigabitEthernet2
 ip access-group test in
 ip access-group test out
Also, if possible, run a Wireshark capture on the internal host to check whether the traffic from the VPN client is reaching it and whether the return traffic is being sent out.
09-30-2015 10:51 AM
Cisco-CSR#show ip access-list test1
Extended IP access list test1
10 permit ip any host 192.168.150.9 log
20 permit ip host 192.168.150.9 any log (17 matches)
30 permit ip any any
Looks like packets are coming from the VPN client (192.168.150.9) but not getting back to it.
Doing a packet capture on the host (I'm using the RADIUS server), I do not see any packets coming from 192.168.150.9, which leads me to think that this is a routing issue of some sort.
I have a route pointing 10.2.0.0/16 to 172.16.128.1 (which is controlled by Amazon), and that has a route pointed over a VPC peering connection; that is working because we can see that the router is able to communicate with the RADIUS server just fine. I've verified that there are routes back on the AWS-controlled routers to both the 172.16.0.0/16 space and the 192.168.150.0/24 space.
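An added example, not part of the original thread: the NAT suspicion from the first post can be checked mechanically rather than by re-reading the config. This Python script parses the `access-list 101` entries and the `split-tunnel` ACL exactly as posted (the split-tunnel list is abridged to three of its entries), converts Cisco wildcard masks to networks, applies first-match semantics with the implicit trailing deny, and then answers, for a reply from an internal host to a VPN client, whether the `ip nat inside source route-map nonat` rule would translate it and whether the client's split-tunnel list covers that host at all. The host addresses used (10.2.18.193, 172.16.137.90, 192.168.150.9) are the ones in the thread; treating a split-tunnel ACL hit as "the client tunnels traffic to that network" is an approximation of how the pushed split-tunnel list is used by the client.

```python
"""Evaluate flows against the NAT-exemption (101) and split-tunnel ACLs from the posted config."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

IPv4Net = ipaddress.IPv4Network

# Copied from the configuration in the first post.
ACL_101_TEXT = """\
access-list 101 deny ip 172.16.128.0 0.0.127.255 192.168.150.0 0.0.0.255
access-list 101 deny ip 10.2.0.0 0.0.255.255 192.168.150.0 0.0.0.255
access-list 101 permit ip 172.16.128.0 0.0.127.255 any
access-list 101 permit ip 10.2.0.0 0.0.255.255 any
"""
# Abridged: three of the entries from the posted split-tunnel ACL.
SPLIT_TUNNEL_TEXT = """\
ip access-list extended split-tunnel
 permit ip 50.112.0.0 0.0.255.255 192.168.150.0 0.0.0.255
 permit ip 54.184.0.0 0.7.255.255 192.168.150.0 0.0.0.255
 permit ip 10.2.0.0 0.0.255.255 192.168.150.0 0.0.0.255
"""


@dataclass(frozen=True)
class Ace:
    action: str      # "permit" or "deny"
    src: IPv4Net
    dst: IPv4Net


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Net:
    """Cisco 'address wildcard' -> network. A wildcard bit of 1 means 'don't care'.
    Only contiguous wildcards are supported; a discontiguous one raises ValueError."""
    wc = int(ipaddress.IPv4Address(wildcard))
    netmask = str(ipaddress.IPv4Address((~wc) & 0xFFFFFFFF))
    return IPv4Net((addr, netmask), strict=False)


def _operand(tokens: List[str], i: int) -> Tuple[IPv4Net, int]:
    """Parse one source/destination operand ('any', 'host X', or 'X wildcard') at tokens[i]."""
    if tokens[i] == "any":
        return IPv4Net("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return IPv4Net(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse protocol-'ip' entries in numbered or named-ACL syntax; other lines are skipped."""
    aces: List[Ace] = []
    for line in text.splitlines():
        tokens = line.split()
        idx = next((k for k, t in enumerate(tokens) if t in ("permit", "deny")), None)
        if idx is None or idx + 1 >= len(tokens) or tokens[idx + 1] != "ip":
            continue
        src, nxt = _operand(tokens, idx + 2)
        dst, _ = _operand(tokens, nxt)
        aces.append(Ace(tokens[idx], src, dst))
    return aces


def evaluate(aces: List[Ace], src_ip: str, dst_ip: str) -> str:
    """First matching entry wins; every Cisco ACL ends with an implicit 'deny'."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in aces:
        if src in ace.src and dst in ace.dst:
            return ace.action
    return "deny"


def nat_decision(acl_101: List[Ace], src_ip: str, dst_ip: str) -> str:
    """'ip nat inside source route-map nonat ...' with 'match ip address 101': a packet the
    ACL permits is translated; a denied (or unmatched) packet bypasses NAT."""
    return "translate" if evaluate(acl_101, src_ip, dst_ip) == "permit" else "no-nat"


ACL_101 = parse_acl(ACL_101_TEXT)
SPLIT_TUNNEL = parse_acl(SPLIT_TUNNEL_TEXT)


def return_path_report(internal_ip: str, client_ip: str) -> dict:
    """For a reply from an internal host to a VPN client: is it exempt from NAT on the CSR,
    and does the client's split-tunnel list cover that internal host at all?"""
    return {
        "nat": nat_decision(ACL_101, internal_ip, client_ip),
        "client_tunnels_it": evaluate(SPLIT_TUNNEL, internal_ip, client_ip) == "permit",
    }


if __name__ == "__main__":
    for host in ("10.2.18.193", "172.16.137.90"):
        print(host, "->", "192.168.150.9", return_path_report(host, "192.168.150.9"))
```

For the flow the thread is chasing, RADIUS server 10.2.18.193 replying to client 192.168.150.9, the script agrees with the original poster: ACL 101 denies it, so the route-map leaves it untranslated, and the split-tunnel list does cover 10.2.0.0/16. One side observation the check also surfaces: the posted split-tunnel ACL has no entry for the CSR's own inside subnet (172.16.128.0/17) even though ACL 101 exempts that subnet from NAT, so a client would not send traffic for that subnet through the tunnel at all.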
09-30-2015 05:55 PM
If the traffic is not reaching your internal host, then it is probably getting dropped somewhere in the middle. You would need to check your internal network for that.
04-29-2020 02:20 AM
Hi,
I have seen this before. This seems to be mostly a routing issue. Encaps happening but decaps not happening means that return packets are not coming back from the CSR to your VPN client system.
You need to add a route on the CSR going back to the VPN client pool IP range, using the CSR interface as the next hop. Try adding the following on the CSR and see if that helps.
ip route 192.168.150.0 255.255.255.0 <IP of VPN pool facing CSR interface>
Regards,
Indranil