09-12-2010 03:48 PM - edited 02-21-2020 04:50 PM
Dear All,
i have this scenario:
A - Main Office router
cisco 881
private network: 10.10.10.0/24
private address: 10.10.10.2
public address: xxx.xxx.xxx.xxx
B - Branch Office router
draytek vigor 2600
private network: 100.100.100.0/24
private address: 100.100.100.1
public address: yyy.yyy.yyy.yyy
C - Headquarter router
cisco 1800 series (access forbidden - not mine)
private network: 10.10.10.0/24
private address: 10.10.10.1
D - Other Subnet in HQ
private network: 10.20.20.0/24
reachable via C
There is a standard VPN ipsec from A to B due interoperability and compatibility between cisco and draytek; the vpn is up and running fine.
D is reachable from A via C:
router#ping ip 10.20.20.15 source vlan 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.20.15, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/56/64 ms
Now, i need to reach D from B.
I configured B adding the subnet 10.20.20.0/24 routing via vpn and tested the connection replacing the cisco 881 (A) with another drytek vigor 2820; adding a static route into the drytek 2820 (10.20.20.0 via 10.10.10.1) make be able B to reach D with successfully ping 10.20.20.15.
After I tried to split tunnel acl and unsuccessfully ping 10.20.20.15 from D I notice a match in acl:
router#sh ip access-lists 101
Extended IP access list 101
10 permit ip 10.10.10.0 0.0.0.255 100.100.100.0 0.0.0.255 (3298 matches)
20 permit ip 10.20.20.0 0.0.0.255 100.100.100.0 0.0.0.255 (14 matches)
I also tried to prevent NAT from D to B without any match in acl after unsuccessfully ping 10.20.20.15 from D.
Any suggestion is highly appreciated.
Gianluca
Solved! Go to Solution.
09-14-2010 09:05 AM
hanks for the additional info
so what is happening is the traffic is not getting encrypted, it is hitting the crypto acl but not getting encrypted
i know you would have checked it already but please just double check the nat entry once more and see if you have a deny for this traffic in the nat acl
we need to see why the tunnel is not coming up for this traffic
could you please confirm wht is crypto acl on the other end, is it exactly the mirror image(2 acl's), i am not sure how the configuration is done on the other end
give the following debug command
debug crypto condition peer ip
debug crypto ipsec sa or debug crypto sa (which ever it takes i think its the second one little confused)
also one thing u can try is if bringing down the tunnel is an option, just clear this tunnel using clear cry isa sa id
lastly, since i am not sure how the other end is configured just try this out as the crypto acl on both ends
10.0.0.0 0.255.255.255 100.100.100.0 0.0.0.255
and the reverse on the other end and now try brining the tunnel up
09-12-2010 09:53 PM
from the information you have provided it looks like u have vpn between b and d
if so please provide the show crypto ips sa on both the ends (cisco end atleast)
lets us see if the packet is encap and theother side is dropping it or we are not encrypting it in the first place
if possible provide us the path the packet takes, since i am still not clear how b reaches d is it just one site to site tunnel or through some other tunnels
09-13-2010 02:39 AM
Dear Jathaval,
thank you for you promptly response.
There is only a standard VPN ipsec between A and B; you can see the A config in the attached file.
It is very interesting for me to be able to debug the traffic when i ping D (10.20.20.15) from B and see what happen in A.
Can you suggest me how can i debug the above scenario?
Thanks again.
09-13-2010 02:52 AM
in the config 2 things that r missing and obviously you have tried adding them, they are entries for this traffic in 101 permitting d to b traffic and deny in no_nat d to b
once you have done that the same needs to b edone on the head end as well that is the site b side
if you are sure that they have it as well then paste the output of this command
show crypto ipsec sa
show crypto session
you will not see a new tunnel being negotiated but you will definetly see new phase 2 sa's for this traffic
you can issue the command debug crypto sa (or debug crypto ipsec sa, i am always confused when it comes to routers )
09-13-2010 04:11 AM
OK,
i attached the revisioned config of router A.
Below the step you suggest:
router_internet#sh crypto ipsec sa peer 88.88.88.88
interface: FastEthernet4
Crypto map tag: vpn_map, local addr 192.168.1.2
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (100.100.100.0/255.255.255.0/0/0)
current_peer 88.88.88.88 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 53510, #pkts encrypt: 53510, #pkts digest: 53510
#pkts decaps: 52870, #pkts decrypt: 52870, #pkts verify: 52870
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1599, #recv errors 0
local crypto endpt.: 192.168.1.2, remote crypto endpt.: 88.88.88.88
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x57AE5DBF(1471045055)
inbound esp sas:
spi: 0xF9A96AE(261789358)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 301, flow_id: Motorola SEC 1.0:301, crypto map: vpn_map
sa timing: remaining key lifetime (k/sec): (4404611/3581)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x57AE5DBF(1471045055)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 302, flow_id: Motorola SEC 1.0:302, crypto map: vpn_map
sa timing: remaining key lifetime (k/sec): (4404610/3581)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (10.20.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (100.100.100.0/255.255.255.0/0/0)
current_peer 88.88.88.88 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.1.2, remote crypto endpt.: 88.88.88.88
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
------- there are two sa with one tunnel as you mentioned --------
router_internet#sh crypto session remote 88.88.88.88
Crypto session current status
Interface: FastEthernet4
Session status: UP-ACTIVE
Peer: 88.88.88.88 port 500
IKE SA: local 192.168.1.2/500 remote 88.88.88.88/500 Active
IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 100.100.100.0/255.255.255.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip 10.20.20.0/255.255.0.0 100.100.100.0/255.255.255.0
Active SAs: 0, origin: crypto map
------ why the second ipsec flow have no Active SAs? It is correct? -------------
after some "ping 10.20.20.15" from host 100.100.100.10
the ping command was unsuccessfully completed and I can see 10 matches in acl.
router_internet#sh access-lists 101
Extended IP access list 101
10 permit ip 10.10.10.0 0.0.0.255 100.100.100.0 0.0.0.255 (137697 matches)
20 permit ip 10.20.20.0 0.0.0.255 100.100.100.0 0.0.0.255 (10 matches)
I can't find any command to debug sa.
09-14-2010 03:23 AM
Dear Jathaval,
if could help, while i ping 10.20.20.15 from host 100.100.100.2 in B
i issue the following debug on cisco 881 in A:
debug ip cef drop
debug ip icmp
I can see all transaction about the packets involved in ping
and i cannot see any packet from 10.20.20.15.
It is correct for you?
Another helpful thing is that if I replace the cisco 881 in A with another
draytek all work fine.
Thanks for your help...
Gianluca
09-14-2010 09:05 AM
hanks for the additional info
so what is happening is the traffic is not getting encrypted, it is hitting the crypto acl but not getting encrypted
i know you would have checked it already but please just double check the nat entry once more and see if you have a deny for this traffic in the nat acl
we need to see why the tunnel is not coming up for this traffic
could you please confirm wht is crypto acl on the other end, is it exactly the mirror image(2 acl's), i am not sure how the configuration is done on the other end
give the following debug command
debug crypto condition peer ip
debug crypto ipsec sa or debug crypto sa (which ever it takes i think its the second one little confused)
also one thing u can try is if bringing down the tunnel is an option, just clear this tunnel using clear cry isa sa id
lastly, since i am not sure how the other end is configured just try this out as the crypto acl on both ends
10.0.0.0 0.255.255.255 100.100.100.0 0.0.0.255
and the reverse on the other end and now try brining the tunnel up
09-14-2010 04:58 PM
You are the best!!!
The solution was your last...
only one crypto acl work done and so the only one I can use is: 10.0.0.0 0.255.255.255 100.100.100.0 0.0.0.255
I'm so satisfy of that! So much night spent to debug!
Thanks again...
11-30-2010 12:20 PM
Hi appologies for bumping your thread, but im hoping you might be able to help me.
I have a cisco 1841 as a hub with 7 spoke sites using draytek vigor's 2600-2800, I can route packets to the hub, but spoke to spoke is not working.
I've noticed in your first post you menton "interoperability between cisco and draytek vigor" and what you describe in your setup sounds similar to what I have been trying to do for the past day. Did you ever manage to route packets from the draytek via the cisco to another spoke?
Thanks
Mark
11-30-2010 03:34 PM
Hi Mark,
routing spoke to spoke in not an issue.
Be sure that your destination is included in the network of the draytek's vpn.
Post your config will help to get you more detailed suggestion.
Regards.
Gianluca
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide