09-21-2018 08:22 AM - edited 02-21-2020 09:28 PM
Hey guys,
I've not done anything really with IPsec but am looking to dig into it more. I used three routers and two switches in the lab to create an IPsec tunnel. The tunnel is up and packets are being sent and received, but I cannot ping from one host to the other. Something I noticed on router A is that I cannot even ping the host from the local gateway using the gateway as the source. It does have its MAC in the ARP entry. Here are my three routers; I won't post the switches because I know they work. Also my Visio drawing is attached. Any advice would be appreciated.
Router-A#
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router-A
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
ip dhcp excluded-address 10.2.1.1
!
ip dhcp pool DHCP
network 10.2.1.0 255.255.255.0
default-router 10.2.1.1
lease infinite
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
license udi pid CISCO2921/K9 sn FTX1552AJ34
license boot module c2900 technology-package securityk9
!
redundancy
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key test address 10.10.1.6
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map mymap 1 ipsec-isakmp
set peer 10.10.1.6
set transform-set myset
match address 100
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 10.10.1.1 255.255.255.252
duplex auto
speed auto
crypto map mymap
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/2.10
description Management
encapsulation dot1Q 10
ip address 10.1.1.10 255.255.255.128
!
interface GigabitEthernet0/2.30
description DHCP
encapsulation dot1Q 30
ip address 10.2.1.1 255.255.255.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat log translations syslog
ip route 0.0.0.0 0.0.0.0 10.10.1.2
ip route 10.10.1.0 255.255.255.252 10.10.1.2
!
access-list 100 permit ip 10.2.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
end
_______________________________________________________________________________
Router-B#
Current configuration : 2110 bytes
!
! Last configuration change at 13:58:43 UTC Fri Sep 21 2018
! NVRAM config last updated at 18:08:00 UTC Thu Sep 20 2018
! NVRAM config last updated at 18:08:00 UTC Thu Sep 20 2018
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router-B
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.2.2.1
!
ip dhcp pool DHCP
network 10.2.2.0 255.255.255.0
default-router 10.2.2.1
!
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO2921/K9 sn FTX1722AH7Y
license boot module c2900 technology-package securityk9
!
!
!
redundancy
!
!
!
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key test address 10.10.1.1
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map mymap 1 ipsec-isakmp
set peer 10.10.1.1
set transform-set myset
match address 100
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 10.10.1.6 255.255.255.252
duplex auto
speed auto
crypto map mymap
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/2.10
description Management
encapsulation dot1Q 10
ip address 10.1.1.220 255.255.255.128
!
interface GigabitEthernet0/2.40
description DHCP
encapsulation dot1Q 40
ip address 10.2.2.1 255.255.255.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.10.1.5
ip route 10.10.1.4 255.255.255.252 10.10.1.5
!
access-list 100 permit ip 10.2.2.0 0.0.0.255 10.2.1.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
end
Router-B#
______________________________________________________________________________
Router-C#
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router-C
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
ip cef
!
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO2921/K9 sn FTX1541AHT0
license boot module c2900 technology-package securityk9
!
redundancy
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 10.10.1.2 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address 10.10.1.5 255.255.255.252
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 10.1.1.0 255.255.255.128 10.10.1.1
ip route 10.1.1.128 255.255.255.128 10.10.1.6
ip route 10.2.1.0 255.255.255.0 10.10.1.1
ip route 10.2.2.0 255.255.255.0 10.10.1.6
ip route 10.10.1.0 255.255.255.252 10.10.1.1
!
access-list 100 permit ip any any
!
control-plane
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
!
end
I checked all that: no firewalls on the PCs blocking ping, no ACLs not seen in the configs I posted, PCs are getting DHCP addresses with the correct gateways. The PCs can ping across the tunnel to the opposite side's DHCP default gateway. For example, 10.2.2.2 can ping 10.2.1.1 no problem, but going a step further and pinging the PC, it doesn't make it. The trace always makes it to the opposite side router, but it's like it doesn't know to send the packet down its local gateway to the switch to the PC. It's really strange.
So this is where it doesn't make sense to me. From Router A, which is 10.2.1.1, I could not ping 10.2.1.3 (the PC). Though from 10.2.2.1 I could ping 10.2.2.2.
_______________________________________________________________________________________________
Router-A#ping 10.2.2.1 source 10.2.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
Router-A#sh crypto ipsec sa
interface: GigabitEthernet0/1
Crypto map tag: mymap, local addr 10.10.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
current_peer 10.10.1.6 port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 111, #pkts encrypt: 111, #pkts digest: 111
#pkts decaps: 262, #pkts decrypt: 262, #pkts verify: 262
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 10.10.1.1, remote crypto endpt.: 10.10.1.6
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x57197F43(1461288771)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xE4F3C728(3841181480)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2015, flow_id: Onboard VPN:15, sibling_flags 80000046, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4436291/3594)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x57197F43(1461288771)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2016, flow_id: Onboard VPN:16, sibling_flags 80000046, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4436291/3594)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
__________________________________________________________________________________________
Router-B#sh crypto ipsec sa
interface: GigabitEthernet0/1
Crypto map tag: mymap, local addr 10.10.1.6
protected vrf: (none)
local ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0)
current_peer 10.10.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 262, #pkts encrypt: 262, #pkts digest: 262
#pkts decaps: 111, #pkts decrypt: 111, #pkts verify: 111
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 10.10.1.6, remote crypto endpt.: 10.10.1.1
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0xE4F3C728(3841181480)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x57197F43(1461288771)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2015, flow_id: Onboard VPN:15, sibling_flags 80000046, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4490813/3557)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xE4F3C728(3841181480)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2016, flow_id: Onboard VPN:16, sibling_flags 80000046, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4490813/3557)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Router-B#
I actually just figured it out. I changed the management interfaces of the switches and put them on the VLAN for the IPsec tunnel that matches the ACL. I can ping across and am seeing the ingress and egress packet count go up. Thanks for your help.
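The fix above comes down to one rule of crypto-map IPsec: only traffic that hits a permit entry in the crypto ACL ("interesting traffic") is sent through the SA, and the two peers' ACLs have to mirror each other. Anything sourced from a subnet the ACL does not name (here the 10.1.1.x management VLAN on the switches) is never encrypted, even though the tunnel shows ACTIVE. The script below is an added example, not part of the original thread or any Cisco tool; it takes the two `access-list 100` lines from Router-A and Router-B exactly as posted, evaluates a candidate flow against them the way IOS does (first match wins, no match means not protected), and checks that the two ACLs are mirror images. Sample flows and the "any any" ACL used for the negative check are constructed for the example.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample: the crypto ACLs copied from the Router-A and Router-B configs in this thread.
ROUTER_A_ACL = ["access-list 100 permit ip 10.2.1.0 0.0.0.255 10.2.2.0 0.0.0.255"]
ROUTER_B_ACL = ["access-list 100 permit ip 10.2.2.0 0.0.0.255 10.2.1.0 0.0.0.255"]


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair into a prefix.

    Non-contiguous wildcards are legal IOS syntax but cannot be expressed as a
    single prefix, so this helper rejects them instead of silently mis-matching.
    """
    wild = int(ipaddress.IPv4Address(wildcard))
    if (wild + 1) & wild:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    prefix = 32 - wild.bit_length()
    base = int(ipaddress.IPv4Address(addr)) & ~wild & 0xFFFFFFFF
    return ipaddress.IPv4Network((base, prefix))


def _parse_operand(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address operand ('any', 'host X' or 'X WILDCARD') at tokens[i].

    Returns the network and the index of the next unread token.
    """
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return _wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_ace(line: str) -> Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]:
    """Parse 'access-list N permit|deny ip SRC DST' into (action, src_net, dst_net).

    Only the plain 'ip' form used by crypto ACLs in this thread is handled.
    """
    t = line.split()
    if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    action = t[2]
    src, i = _parse_operand(t, 4)
    dst, _ = _parse_operand(t, i)
    return action, src, dst


def is_interesting(acl: List[str], src_ip: str, dst_ip: str) -> bool:
    """First-match evaluation of a flow against a crypto ACL.

    True means the packet would be encrypted into the IPsec SA. False (deny or
    no matching entry) means it bypasses the crypto map: it is routed in the
    clear or dropped, depending on the rest of the configuration.
    """
    s = ipaddress.IPv4Address(src_ip)
    d = ipaddress.IPv4Address(dst_ip)
    for line in acl:
        action, src, dst = parse_ace(line)
        if s in src and d in dst:
            return action == "permit"
    return False


def acls_are_mirrored(local_acl: List[str], remote_acl: List[str]) -> bool:
    """Every permit entry on one peer must exist with src/dst swapped on the other.

    Without this, one direction fails proxy-identity negotiation even though the
    ISAKMP SA comes up.
    """
    local = {(s, d) for a, s, d in map(parse_ace, local_acl) if a == "permit"}
    remote = {(d, s) for a, s, d in map(parse_ace, remote_acl) if a == "permit"}
    return local == remote


if __name__ == "__main__":
    # Constructed flows: PC to PC, switch management VLAN to the far gateway, management to management.
    flows = [("10.2.1.3", "10.2.2.2"), ("10.1.1.10", "10.2.2.1"), ("10.1.1.10", "10.1.1.220")]
    for src, dst in flows:
        state = "protected" if is_interesting(ROUTER_A_ACL, src, dst) else "NOT protected"
        print(f"{src} -> {dst}: {state}")
    print("Router-A/Router-B crypto ACLs mirrored:", acls_are_mirrored(ROUTER_A_ACL, ROUTER_B_ACL))
```

Run it as-is and the PC-to-PC flow is the only one reported as protected; the management-VLAN flows fall outside access-list 100 on both routers, which is why moving the switch management interfaces into the matched VLAN made the counters climb. The check is independent of the transform set, so it applies unchanged once the 3DES/MD5 transform in the thread is replaced with current algorithms.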