Re: IPSEC lan to lan VPN

Lukasz Kacprzynski · ‎05-29-2012

Hi,

I have some problem with ipsec configuration. Here is a topology:

I want to create VPNs between LANs so i started co configure vpn from LAN1 to LAN3. The problem is that packets are encrypted only when source (and/or destination) address of ping is the addres of router interface. When i want to ping from host to one of LANs, (ex. on R1: 'ping 80.0.0.130 source 80.0.0.1') im geting a massage:

%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /80.0.0.1, src_addr= 80.0.0.130, prot= 1

Ping 80.0.0.129 source 80.0.0.1 works fine, and 'show crypto ipsec sa' confims that packets are encrypted, also wireshark confirms encryption.

Lan1: 80.0.0.0 /26

Lan3: 80.0.0.128/29

All three LAN interfaces, ale Windows Loopback.

Can someone help me, and tell where i made a mistake ?

Here is a configuration:

R1:

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R1

!

boot-start-marker

boot-end-marker

!

no aaa new-model

memory-size iomem 5

ip cef

!

multilink bundle-name authenticated

!

archive

log config

hidekeys

!

crypto isakmp policy 110

encr 3des

hash sha

authentication pre-share

crypto isakmp key 6 cisco1234 address 80.0.0.137

!

crypto ipsec transform-set ZESTAW esp-3des esp-sha-hmac

mode transport

!

crypto map MYMAP 10 ipsec-isakmp

set peer 80.0.0.137

set transform-set ZESTAW

match address 102

!

interface FastEthernet0/0

ip address 80.0.0.129 255.255.255.248

duplex auto

speed auto

mpls ip

!

interface Serial0/0

ip address 80.0.0.166 255.255.255.252

mpls ip

clock rate 2000000

crypto map MYMAP

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

interface Serial0/1

no ip address

shutdown

clock rate 2000000

!

router ospf 1

log-adjacency-changes

network 80.0.0.128 0.0.0.7 area 0

network 80.0.0.164 0.0.0.3 area 0

!

ip forward-protocol nd

!

ip http server

no ip http secure-server

!

access-list 102 permit ip 80.0.0.128 0.0.0.7 80.0.0.0 0.0.0.63

access-list 102 permit ip 80.0.0.128 0.0.0.7 80.0.0.64 0.0.0.63

!

control-plane

!

line con 0

line aux 0

line vty 0 4

login

!

end

Jennifer Halim · ‎05-29-2012

The crypto ACL 102 does not mirror image on both routers.

You should only have the following configured:

R1:

access-list 102 permit ip 80.0.0.0 0.0.0.63 80.0.0.128 0.0.0.7

R8:

access-list 102 permit ip 80.0.0.128 0.0.0.7 80.0.0.0 0.0.0.63

Also make sure that routing is correct for both sides.

Lukasz Kacprzynski · ‎05-30-2012

Thank you for the reply!

Unfortunately, i've tried a lot of acl, also the one you have suggest and it still doesnt work.

I also tried acl:

R1:

access-list 102 permit ip host 80.0.0.2 host 80.0.0.130

R8:

access-list 102 permit ip host 80.0.0.130 host 80.0.0.2 (use qemu host/ loopback/ vbox host)

And its still:

%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /80.0.0.1, src_addr= 80.0.0.130, prot= 1

but when i use router interfaces:

R1:

access-list 102 permit ip host 80.0.0.1 host 80.0.0.129

R8:

access-list 102 permit ip host 80.0.0.129 host 80.0.0.1

Encryption and pings goes fine.

About the rouring, i use ospf on entire network and without IPSec i can ping every node form all places.

I really dont know whats going on, everything looks fine in config.

Jennifer Halim · ‎05-30-2012

Did you clear the ipsec tunnel on both end after making the changes on the acl?

clear cry sa

clear cry isa sa

Lukasz Kacprzynski · ‎05-30-2012

Thank you for the reply!

Now ive done this, but it still doesnt work. When im changing ACL, to make it faster im doing it in cfg file, and then reload the router, so i think, all SA are cleared anyway ?

Jennifer Halim · ‎05-30-2012

Yes, if you reload the router, it will clear all the SA. And I assume that you do save the config after you change it before reloading the router?

Lukasz Kacprzynski · ‎05-30-2012

Yes, im checking 'sh runn' after reload to be sure its all right.