IPSEC ICMP Issue

cbkirwan1
Level 1

Hey guys, 

I've not done anything really with IPSEC but am looking to dig into it more. I used three routers and two switches in the lab to create an IPSEC tunnel. The tunnel is up and packets are being sent and received, but I cannot ping from one host to the other. Something I noticed on router A is that I cannot even ping the host from the local gateway using the gateway as the source. It does have its MAC in the ARP entry. Here are my three routers; I won't post the switches because I know they work. Also, my Visio drawing is attached. Any advice would be appreciated.

 

Router-A#

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router-A
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
ip dhcp excluded-address 10.2.1.1
!
ip dhcp pool DHCP
network 10.2.1.0 255.255.255.0
default-router 10.2.1.1
lease infinite
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
license udi pid CISCO2921/K9 sn FTX1552AJ34
license boot module c2900 technology-package securityk9
!
redundancy
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key test address 10.10.1.6
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map mymap 1 ipsec-isakmp
set peer 10.10.1.6
set transform-set myset
match address 100
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 10.10.1.1 255.255.255.252
duplex auto
speed auto
crypto map mymap
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/2.10
description Management
encapsulation dot1Q 10
ip address 10.1.1.10 255.255.255.128
!
interface GigabitEthernet0/2.30
description DHCP
encapsulation dot1Q 30
ip address 10.2.1.1 255.255.255.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat log translations syslog
ip route 0.0.0.0 0.0.0.0 10.10.1.2
ip route 10.10.1.0 255.255.255.252 10.10.1.2
!
access-list 100 permit ip 10.2.1.0 0.0.0.255 10.2.2.0 0.0.0.255

!
control-plane
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
end

_______________________________________________________________________________

Router-B#

Current configuration : 2110 bytes
!
! Last configuration change at 13:58:43 UTC Fri Sep 21 2018
! NVRAM config last updated at 18:08:00 UTC Thu Sep 20 2018
! NVRAM config last updated at 18:08:00 UTC Thu Sep 20 2018
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router-B
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.2.2.1
!
ip dhcp pool DHCP
network 10.2.2.0 255.255.255.0
default-router 10.2.2.1
!
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO2921/K9 sn FTX1722AH7Y
license boot module c2900 technology-package securityk9
!
!
!
redundancy
!
!
!
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key test address 10.10.1.1
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map mymap 1 ipsec-isakmp
set peer 10.10.1.1
set transform-set myset
match address 100
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 10.10.1.6 255.255.255.252
duplex auto
speed auto
crypto map mymap
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/2.10
description Management
encapsulation dot1Q 10
ip address 10.1.1.220 255.255.255.128
!
interface GigabitEthernet0/2.40
description DHCP
encapsulation dot1Q 40
ip address 10.2.2.1 255.255.255.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.10.1.5
ip route 10.10.1.4 255.255.255.252 10.10.1.5
!
access-list 100 permit ip 10.2.2.0 0.0.0.255 10.2.1.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
end

Router-B#

 

______________________________________________________________________________

Router-C#

version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router-C
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
ip cef
!
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO2921/K9 sn FTX1541AHT0
license boot module c2900 technology-package securityk9
!
redundancy
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 10.10.1.2 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address 10.10.1.5 255.255.255.252
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 10.1.1.0 255.255.255.128 10.10.1.1
ip route 10.1.1.128 255.255.255.128 10.10.1.6
ip route 10.2.1.0 255.255.255.0 10.10.1.1
ip route 10.2.2.0 255.255.255.0 10.10.1.6
ip route 10.10.1.0 255.255.255.252 10.10.1.1
!
access-list 100 permit ip any any

!
control-plane
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
!
end


Hi,
When you run the ping, what are the source IP address and the destination IP address? They need to be IP addresses from your defined crypto map ACL 100. If you are sourcing traffic from the 10.1.1.x network, it would not be classed as interesting traffic and therefore would not bring up the tunnel.
HTH
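The point above is that only traffic matching the crypto ACL is "interesting" and gets sent into the tunnel. The following is an added example, not code from the thread: it evaluates a source/destination pair against the two crypto ACLs posted for Router-A and Router-B using Cisco wildcard-mask semantics, and checks that the two ACLs are mirror images of each other. Only the single `permit ip <net> <wildcard> <net> <wildcard>` form seen in the configs is handled.

```python
import ipaddress
import re

# Crypto ACLs as posted for Router-A and Router-B (the thread's own config lines).
ROUTER_A_ACL = "access-list 100 permit ip 10.2.1.0 0.0.0.255 10.2.2.0 0.0.0.255"
ROUTER_B_ACL = "access-list 100 permit ip 10.2.2.0 0.0.0.255 10.2.1.0 0.0.0.255"

# Only the "permit ip <net> <wildcard> <net> <wildcard>" form is handled here.
ACE_RE = re.compile(r"access-list\s+\d+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_ace(line):
    """Return ((src_net, src_wild), (dst_net, dst_wild)) as 32-bit ints."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported ACE: " + line)
    src, swild, dst, dwild = (_ip(x) for x in m.groups())
    return (src, swild), (dst, dwild)

def wildcard_match(addr, net, wild):
    """Cisco wildcard semantics: a set bit in the wildcard means 'don't care'."""
    care = ~wild & 0xFFFFFFFF
    return (_ip(addr) & care) == (net & care)

def is_interesting(acl_line, src, dst):
    """True if a src->dst packet matches the crypto ACL and is sent into the tunnel."""
    (snet, swild), (dnet, dwild) = parse_ace(acl_line)
    return wildcard_match(src, snet, swild) and wildcard_match(dst, dnet, dwild)

def acls_mirror(acl_a, acl_b):
    """The two peers' crypto ACLs must be exact mirror images of each other."""
    a_src, a_dst = parse_ace(acl_a)
    b_src, b_dst = parse_ace(acl_b)
    return a_src == b_dst and a_dst == b_src

if __name__ == "__main__":
    # The ping pairs discussed in the thread: host-to-host is interesting,
    # a ping sourced from the 10.1.1.x management subnet is not.
    print(is_interesting(ROUTER_A_ACL, "10.2.1.3", "10.2.2.2"))    # True
    print(is_interesting(ROUTER_A_ACL, "10.1.1.10", "10.2.2.2"))   # False
    print(acls_mirror(ROUTER_A_ACL, ROUTER_B_ACL))                 # True
```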

I would ping from my PC on the other side with the source of 10.2.2.2 going to 10.2.1.3, which is the other host. Attached are the logs I pulled.

Ok, well the logs state "New State = IKE_QM_PHASE2_COMPLETE", which confirms the tunnel is up. Running the command "show crypto ipsec sa" would confirm that. So assuming the tunnel is up, do the PCs have the correct gateway? Could there be a local firewall enabled on the PCs? Any ACL or firewalls inline blocking traffic?

I checked all that: no firewalls on the PCs blocking ping, no ACLs other than those seen in the configs I posted, and the PCs are getting DHCP addresses with the correct gateways. The PCs can ping across the tunnel to the opposite side's DHCP default gateway. For example, 10.2.2.2 can ping 10.2.1.1 no problem, but going a step further and pinging the PC, it doesn't make it. The trace always makes it to the opposite side router, but it's like it doesn't know to send the packet down its local gateway to the switch to the PC. It's really strange.

Please provide the output of "show crypto ipsec sa detail" from both routers

From a router can you ping the PC on the local network? Does it respond?

So this is where it doesn't make sense to me. From Router A, which is 10.2.1.1, I could not ping 10.2.1.3 (the PC). Though from 10.2.2.1 I could ping 10.2.2.2.

_______________________________________________________________________________________________

Router-A#ping 10.2.2.1 source 10.2.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
Router-A#sh crypto ipsec sa

interface: GigabitEthernet0/1
    Crypto map tag: mymap, local addr 10.10.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 10.10.1.6 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 111, #pkts encrypt: 111, #pkts digest: 111
    #pkts decaps: 262, #pkts decrypt: 262, #pkts verify: 262
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: 10.10.1.1, remote crypto endpt.: 10.10.1.6
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0x57197F43(1461288771)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xE4F3C728(3841181480)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2015, flow_id: Onboard VPN:15, sibling_flags 80000046, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4436291/3594)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x57197F43(1461288771)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2016, flow_id: Onboard VPN:16, sibling_flags 80000046, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4436291/3594)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

 

__________________________________________________________________________________________

Router-B#sh crypto ipsec sa

interface: GigabitEthernet0/1
    Crypto map tag: mymap, local addr 10.10.1.6

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0)
   current_peer 10.10.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 262, #pkts encrypt: 262, #pkts digest: 262
    #pkts decaps: 111, #pkts decrypt: 111, #pkts verify: 111
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 10.10.1.6, remote crypto endpt.: 10.10.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0xE4F3C728(3841181480)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x57197F43(1461288771)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2015, flow_id: Onboard VPN:15, sibling_flags 80000046, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4490813/3557)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE4F3C728(3841181480)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2016, flow_id: Onboard VPN:16, sibling_flags 80000046, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4490813/3557)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
Router-B#

The VPN looks fine; we can see encaps/decaps. So the issue appears to be on the local network. What is the configuration of the switch?
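The conclusion above rests on reading the two "show crypto ipsec sa" outputs side by side: mirrored proxy identities, paired SPIs, ACTIVE SAs, and one peer's encaps matching the other's decaps. As an added example (not code from the thread), the script below parses trimmed excerpts of the outputs posted above and performs that cross-check automatically; an empty findings list means the tunnel itself is healthy and the fault lies outside the VPN, which is where this thread ended up.

```python
import re

# Trimmed excerpts of the "show crypto ipsec sa" output posted in the thread.
ROUTER_A_SA = """
   local  ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
    #pkts encaps: 111, #pkts encrypt: 111, #pkts digest: 111
    #pkts decaps: 262, #pkts decrypt: 262, #pkts verify: 262
     inbound esp sas:
      spi: 0xE4F3C728(3841181480)
        Status: ACTIVE
     outbound esp sas:
      spi: 0x57197F43(1461288771)
        Status: ACTIVE
"""
ROUTER_B_SA = """
   local  ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0)
    #pkts encaps: 262, #pkts encrypt: 262, #pkts digest: 262
    #pkts decaps: 111, #pkts decrypt: 111, #pkts verify: 111
     inbound esp sas:
      spi: 0x57197F43(1461288771)
        Status: ACTIVE
     outbound esp sas:
      spi: 0xE4F3C728(3841181480)
        Status: ACTIVE
"""

def parse_sa(text):
    """Pull proxy identities, counters, SPIs and SA status out of one router's output."""
    def grab(pattern):
        m = re.search(pattern, text)
        return m.group(1) if m else None
    return {
        "local": grab(r"local\s+ident[^:]*:\s*\(([\d.]+/[\d.]+)"),
        "remote": grab(r"remote\s+ident[^:]*:\s*\(([\d.]+/[\d.]+)"),
        "encaps": int(grab(r"#pkts encaps:\s*(\d+)")),
        "decaps": int(grab(r"#pkts decaps:\s*(\d+)")),
        "in_spi": grab(r"inbound esp sas:\s*spi:\s*(0x[0-9A-Fa-f]+)"),
        "out_spi": grab(r"outbound esp sas:\s*spi:\s*(0x[0-9A-Fa-f]+)"),
        "statuses": re.findall(r"Status:\s*(\w+)", text),
    }

def cross_check(a, b):
    """Compare the two peers' views of one tunnel; return a list of findings."""
    findings = []
    if a["local"] != b["remote"] or a["remote"] != b["local"]:
        findings.append("proxy identities are not mirror images")
    if a["in_spi"] != b["out_spi"] or a["out_spi"] != b["in_spi"]:
        findings.append("SPIs do not pair up; peers hold different SAs")
    # Counters are read at slightly different times on a live tunnel, so
    # treat a small gap as noise and only flag a real mismatch.
    if abs(a["encaps"] - b["decaps"]) > 5 or abs(a["decaps"] - b["encaps"]) > 5:
        findings.append("encaps/decaps counters diverge; packets lost on the path")
    if any(s != "ACTIVE" for s in a["statuses"] + b["statuses"]):
        findings.append("an SA is not ACTIVE")
    return findings
```

With the outputs from this thread, `cross_check(parse_sa(ROUTER_A_SA), parse_sa(ROUTER_B_SA))` returns an empty list, which is the programmatic form of "the VPN looks fine".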

I actually just figured it out. I changed the management interfaces of the switches and put them on the VLAN for the IPSEC tunnel that matches the ACL. I can ping across and am seeing the ingress and egress packet count go up. Thanks for your help.
