IPsec IKEv2 between Cisco 4321 decrypting traffic but not encrypting.

emurray
Level 1

A strange thing has happened on an IPsec configuration. I have done some research with no luck. The tunnel is up, and I did a packet capture on the FortiGate of some ICMP packets from the FortiGate to the Cisco, with no response found. I see packets being decrypted on the Cisco side but none encrypted. Here is the configuration on the Cisco router:

crypto ikev2 proposal TestProposal
encryption aes-cbc-256
integrity sha256
group 14

crypto ikev2 keyring Test
peer TestLab
address x.x.x.x
pre-shared-key *******

crypto ikev2 policy TestPolicy
match address local 10.10.15.1
proposal TestProposal

crypto ikev2 profile TestProfile
match identity remote address x.x.x.x x.x.x.x
identity local address x.x.x.x
authentication remote pre-share
authentication local pre-share
keyring local Test

crypto ipsec transform-set Test-set ah-sha-hmac esp-aes
mode tunnel

crypto map Test_MAP 20 ipsec-isakmp
set peer x.x.x.x
set transform-set Test-set
set pfs group14
set ikev2-profile TestProfile
match address Local-To-TestLab
ip access-list extended Local-To-TestLab
permit ip 10.10.15.0 0.0.0.255 192.168.1.0 0.0.0.255

Accepted Solution

@emurray do you have NAT configured that could be unintentionally translating traffic? If so make sure you exclude (deny) the VPN traffic as per the crypto ACL "Local-To-TestLab", to ensure this traffic is not translated.

5 Replies

Thanks for the help. I do have a NAT overload as below:

Extended IP access list NAT
10 deny ip 10.10.15.0 0.0.0.255 190.85.224.0 0.0.0.255
20 permit ip 10.10.15.0 0.0.0.255 any
30 deny ip any any log


With your suggestion, I did some research and plan to make the following changes:


Extended IP access list NAT
10 deny ip 10.10.15.0 0.0.0.255 190.85.224.0 0.0.0.255
15 deny ip 10.10.15.0 0.0.0.255 192.168.1.0 0.0.0.255
20 permit ip 10.10.15.0 0.0.0.255 any
30 deny ip any any log

route-map DenyNAT permit 10
match ip address NAT
ip nat inside source route-map DenyNAT int gi0/0/1 overload

If you see anything wrong, let me know. 
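To make the NAT-exemption check concrete, here is a small added script (not from the thread or from Cisco) that parses the NAT ACL as posted before and after the fix, then walks the crypto ACL through it with first-match semantics; with the route-map configured as above, a "permit" in ACL NAT means the flow is translated and so never matches the crypto ACL. The helper names (parse_acl, nat_decision, leaked_vpn_flows) are my own, and the ACL text is the sample from this thread embedded inline.

```python
import ipaddress

# Constructed sample input: the NAT ACL as first posted in the thread,
# and the same ACL with the "deny" exemption for the crypto ACL traffic.
NAT_ACL_BEFORE = """10 deny ip 10.10.15.0 0.0.0.255 190.85.224.0 0.0.0.255
20 permit ip 10.10.15.0 0.0.0.255 any
30 deny ip any any log"""
NAT_ACL_AFTER = """10 deny ip 10.10.15.0 0.0.0.255 190.85.224.0 0.0.0.255
15 deny ip 10.10.15.0 0.0.0.255 192.168.1.0 0.0.0.255
20 permit ip 10.10.15.0 0.0.0.255 any
30 deny ip any any log"""
CRYPTO_ACL = "permit ip 10.10.15.0 0.0.0.255 192.168.1.0 0.0.0.255"

def _addr(toks):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (network, rest)."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1]), toks[2:]
    # ipaddress accepts an IOS wildcard (hostmask) after the slash.
    return ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]

def parse_acl(text):
    """Parse 'seq? action proto src dst ...' lines into (action, src_net, dst_net)."""
    aces = []
    for line in text.strip().splitlines():
        toks = line.split()
        if toks[0].isdigit():
            toks = toks[1:]          # drop the sequence number
        action = toks[0]
        src, rest = _addr(toks[2:])  # toks[1] is the protocol; only 'ip' used here
        dst, _ = _addr(rest)         # trailing keywords such as 'log' are ignored
        aces.append((action, src, dst))
    return aces

def nat_decision(nat_acl, src, dst):
    """First-match lookup of a (src_net, dst_net) flow against the NAT ACL.
    Returns 'translate', 'bypass' or 'partial' (ACE covers only part of the flow)."""
    for action, s, d in nat_acl:
        if src.overlaps(s) and dst.overlaps(d):
            if src.subnet_of(s) and dst.subnet_of(d):
                return "translate" if action == "permit" else "bypass"
            return "partial"
    return "bypass"                  # implicit deny at the end of the ACL

def leaked_vpn_flows(nat_acl_text, crypto_acl_text):
    """Crypto-ACL flows that the NAT ACL would (fully or partly) translate."""
    nat = parse_acl(nat_acl_text)
    return [(str(s), str(d), nat_decision(nat, s, d))
            for action, s, d in parse_acl(crypto_acl_text)
            if action == "permit" and nat_decision(nat, s, d) != "bypass"]

if __name__ == "__main__":
    print("before:", leaked_vpn_flows(NAT_ACL_BEFORE, CRYPTO_ACL))
    print("after: ", leaked_vpn_flows(NAT_ACL_AFTER, CRYPTO_ACL))
```

Any flow reported as "translate" or "partial" is traffic the router would source-NAT on the way out, so it never matches the crypto ACL and is sent in the clear rather than encrypted.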

With the changes I posted, I have solved the issue. Thanks all for the help.

Check the routing and check the NAT exemption.