IPSEC Not Encrypting

pcamera254
Level 1
I'm at a loss with this one. The crypto tunnel is up and I am decrypting packets just fine. I am peered with a Juniper device. As you can see from my show commands, I can hit one of the source addresses needed from the outside in. Also in my show commands TXT you'll see my IPsec SA with the peer in question; you can see packets being decrypted as well as verified. The ACL is also taking hits, so it's making it down to the host (across our MPLS). I'm at a loss with what else to troubleshoot; from my perspective everything looks solid. I included a debug cry ipsec as well, and here's the running config, sanitized of course.
 
Any help is greatly appreciated
 
Thank you
Phil  
 

object-group network Fuel_Vendor
 10.0.19.0 255.255.255.0
!
object-group network Fuel_Vendor_Secondary
 10.1.19.0 255.255.255.0
!
crypto logging session
!
crypto isakmp policy 13
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key xxxxxxxxx address 209.xxx.xxx.xxx
crypto isakmp key xxxxxxxxx address 97.xxx.xxx.xxx
crypto isakmp keepalive 10 periodic
!
crypto ipsec security-association replay disable
!
crypto ipsec transform-set oil esp-aes 256 esp-sha-hmac
!
!
crypto map DDRtrans 11 ipsec-isakmp
 set peer 209.xxx.xxx.xxx
 set transform-set oil
 match address 113
crypto map DDRtrans 15 ipsec-isakmp
 set peer 97.xxx.xxx.xxx
 set transform-set oil
 match address 115
!
interface GigabitEthernet0/0
 ip address 192.168.22.11 255.255.255.0
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 duplex full
 speed auto
!
interface GigabitEthernet0/1
 ip address 65.xxx.xxx.xxx  secondary
 ip address 207.xxx.xxx.xxx
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed auto
 no cdp enable
 crypto map DDRtrans
!
ip nat inside source route-map nonat interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 65.xxx.xxx.xxx
ip route 0.0.0.0 0.0.0.0 207.xxx.xxx.xxx
ip route 10.0.19.0 255.255.255.0 GigabitEthernet0/1
ip route 10.1.19.0 255.255.255.0 GigabitEthernet0/1
ip route 10.90.3.0 255.255.255.0 GigabitEthernet0/1
ip route 172.16.0.0 255.255.255.0 GigabitEthernet0/1
ip route 192.168.16.0 255.255.255.0 192.168.22.1
ip route 192.168.18.0 255.255.255.0 192.168.22.1
ip route 192.168.19.0 255.255.255.0 192.168.22.1
ip route 192.168.20.0 255.255.255.0 192.168.22.1
ip route 192.168.21.0 255.255.255.0 192.168.22.1
ip route 192.168.25.0 255.255.255.0 192.168.22.1
ip route 192.168.26.0 255.255.255.0 192.168.22.1
ip route 192.168.27.0 255.255.255.0 192.168.22.1
ip route 192.168.30.0 255.255.255.0 192.168.22.1
ip route 192.168.32.0 255.255.255.0 192.168.22.1
ip route 192.168.39.0 255.255.255.0 192.168.22.1
ip route 192.168.51.0 255.255.255.0 192.168.22.1
ip route 192.168.80.0 255.255.255.0 192.168.22.1
ip route 192.168.91.0 255.255.255.0 192.168.22.1
ip route 192.168.93.0 255.255.255.0 192.168.22.1
!
access-list 113 remark site-site VPN with Oil Company
access-list 113 permit ip host 192.168.25.75 object-group Fuel_Vendor
access-list 113 permit ip host 192.168.26.90 object-group Fuel_Vendor
access-list 113 permit ip host 192.168.27.44 object-group Fuel_Vendor
access-list 113 permit ip host 192.168.30.74 object-group Fuel_Vendor
access-list 113 permit ip host 192.168.39.83 object-group Fuel_Vendor
access-list 113 permit ip host 192.168.99.100 object-group Fuel_Vendor
access-list 113 remark site-site VPN with Oil Company
access-list 115 remark site-site VPN with Oil Company
access-list 115 permit ip host 192.168.25.75 object-group Fuel_Vendor_Secondary
access-list 115 permit ip host 192.168.26.90 object-group Fuel_Vendor_Secondary
access-list 115 permit ip host 192.168.27.44 object-group Fuel_Vendor_Secondary
access-list 115 permit ip host 192.168.30.74 object-group Fuel_Vendor_Secondary
access-list 115 permit ip host 192.168.39.83 object-group Fuel_Vendor_Secondary
access-list 115 permit ip host 192.168.99.100 object-group Fuel_Vendor_Secondary
access-list 120 remark *****Oil ACES NEW*******
access-list 120 deny   tcp host 192.168.25.75 eq 3000 object-group Fuel_Vendor
access-list 120 deny   tcp host 192.168.26.90 eq 3000 object-group Fuel_Vendor
access-list 120 deny   tcp host 192.168.27.44 eq 3000 object-group Fuel_Vendor
access-list 120 deny   tcp host 192.168.30.74 eq 3000 object-group Fuel_Vendor
access-list 120 deny   tcp host 192.168.39.83 eq 3000 object-group Fuel_Vendor
access-list 120 deny   tcp host 192.168.99.100 eq 3000 object-group Fuel_Vendor
access-list 120 deny   tcp host 192.168.25.75 eq 3001 object-group Fuel_Vendor
access-list 120 deny   tcp host 192.168.26.90 eq 3001 object-group Fuel_Vendor
access-list 120 deny   tcp host 192.168.27.44 eq 3001 object-group Fuel_Vendor
access-list 120 deny   tcp host 192.168.30.74 eq 3001 object-group Fuel_Vendor
access-list 120 deny   tcp host 192.168.39.83 eq 3001 object-group Fuel_Vendor
access-list 120 deny   tcp host 192.168.99.100 eq 3001 object-group Fuel_Vendor
access-list 120 deny   tcp host 192.168.25.75 eq 10001 object-group Fuel_Vendor
access-list 120 deny   tcp host 192.168.26.90 eq 10001 object-group Fuel_Vendor
access-list 120 deny   tcp host 192.168.27.44 eq 10001 object-group Fuel_Vendor
access-list 120 deny   tcp host 192.168.30.74 eq 10001 object-group Fuel_Vendor
access-list 120 deny   tcp host 192.168.39.83 eq 10001 object-group Fuel_Vendor
access-list 120 deny   tcp host 192.168.99.100 eq 10001 object-group Fuel_Vendor
access-list 120 remark *****ACES NEW Secondary*******
access-list 120 deny   tcp host 192.168.25.75 eq 3000 object-group Fuel_Vendor_Secondary
access-list 120 deny   tcp host 192.168.26.90 eq 3000 object-group Fuel_Vendor_Secondary
access-list 120 deny   tcp host 192.168.27.44 eq 3000 object-group Fuel_Vendor_Secondary
access-list 120 deny   tcp host 192.168.30.74 eq 3000 object-group Fuel_Vendor_Secondary
access-list 120 deny   tcp host 192.168.39.83 eq 3000 object-group Fuel_Vendor_Secondary
access-list 120 deny   tcp host 192.168.99.100 eq 3000 object-group Fuel_Vendor_Secondary
access-list 120 deny   tcp host 192.168.25.75 eq 3001 object-group Fuel_Vendor_Secondary
access-list 120 deny   tcp host 192.168.26.90 eq 3001 object-group Fuel_Vendor_Secondary
access-list 120 deny   tcp host 192.168.27.44 eq 3001 object-group Fuel_Vendor_Secondary
access-list 120 deny   tcp host 192.168.30.74 eq 3001 object-group Fuel_Vendor_Secondary
access-list 120 deny   tcp host 192.168.39.83 eq 3001 object-group Fuel_Vendor_Secondary
access-list 120 deny   tcp host 192.168.99.100 eq 3001 object-group Fuel_Vendor_Secondary
access-list 120 deny   tcp host 192.168.25.75 eq 10001 object-group Fuel_Vendor_Secondary
access-list 120 deny   tcp host 192.168.26.90 eq 10001 object-group Fuel_Vendor_Secondary
access-list 120 deny   tcp host 192.168.27.44 eq 10001 object-group Fuel_Vendor_Secondary
access-list 120 deny   tcp host 192.168.30.74 eq 10001 object-group Fuel_Vendor_Secondary
access-list 120 deny   tcp host 192.168.39.83 eq 10001 object-group Fuel_Vendor_Secondary
access-list 120 deny   tcp host 192.168.99.100 eq 10001 object-group Fuel_Vendor_Secondary

!
route-map Services_internal permit 1
 match ip address 101
!
route-map nonat permit 10
 match ip address 120
!
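One check worth running on a config shaped like the one above, added here as an example and not part of the thread: IOS translates inside-to-outside traffic before it evaluates the crypto map, so every flow the crypto ACL permits must also be denied (exempted) in the nonat ACL, or the translated packet no longer matches the crypto ACL and leaves unencrypted. The script parses a constructed excerpt modelled on the posted object-group and ACL lines (the `deny ip` line for 192.168.26.90 is an assumption added for contrast) and flags crypto-ACL flows whose NAT exemption covers only specific TCP ports; it is a general sanity check, not a diagnosis of this tunnel.

```python
import re
from ipaddress import ip_network
# Constructed excerpt modelled on the posted config (same names and addresses);
# the "deny ip" line for 192.168.26.90 is added to show a fully exempted flow.
CONFIG = """
object-group network Fuel_Vendor
 10.0.19.0 255.255.255.0
access-list 113 permit ip host 192.168.25.75 object-group Fuel_Vendor
access-list 113 permit ip host 192.168.26.90 object-group Fuel_Vendor
access-list 120 deny   tcp host 192.168.25.75 eq 3000 object-group Fuel_Vendor
access-list 120 deny   tcp host 192.168.25.75 eq 3001 object-group Fuel_Vendor
access-list 120 deny   ip host 192.168.26.90 object-group Fuel_Vendor
"""
# One ACE of the form used on the page: host source, optional "eq PORT", object-group destination.
ACE = re.compile(r'access-list (\d+) (permit|deny)\s+(\S+) host (\S+)(?: eq (\d+))? object-group (\S+)')

def parse(config):
    # Collect network object-groups and host-to-object-group ACEs per ACL number.
    groups, acls, cur = {}, {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith('!'):
            continue
        m = re.match(r'object-group network (\S+)', line)
        if m:
            cur = groups.setdefault(m.group(1), [])
            continue
        if line.startswith(' ') and cur is not None:  # member of the current group
            net, mask = line.split()
            cur.append(str(ip_network(f'{net}/{mask}')))
            continue
        cur = None
        m = ACE.match(line)
        if m:
            acl, action, proto, src, port, grp = m.groups()
            acls.setdefault(acl, []).append((action, proto, src, port, grp))
    return groups, acls

def nat_exposed_flows(config, crypto_acls=('113', '115'), nat_acl='120'):
    """Crypto-ACL flows whose NAT exemption covers only some ports, not 'ip'."""
    groups, acls = parse(config)
    exempt = {}  # (src host, dst group) -> {'ip'} or {'tcp/3000', ...}
    for action, proto, src, port, grp in acls.get(nat_acl, []):
        if action == 'deny':
            exempt.setdefault((src, grp), set()).add(proto if port is None else f'{proto}/{port}')
    findings = []
    for acl in crypto_acls:
        for action, proto, src, port, grp in acls.get(acl, []):
            ex = exempt.get((src, grp), set())
            if action == 'permit' and 'ip' not in ex:
                findings.append((src, grp, groups.get(grp, []), sorted(ex)))
    return findings
```

Running it on the excerpt reports 192.168.25.75 to Fuel_Vendor as exempt only for tcp/3000 and tcp/3001, while 192.168.26.90 (exempted with `deny ip`) is not reported.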

4 Replies

guibarati
Level 4

ip route 10.0.19.0 255.255.255.0 GigabitEthernet0/1
ip route 10.1.19.0 255.255.255.0 GigabitEthernet0/1
 

Remove these routes. Let it use the default to reach it.

Sadly I tried that and got the same outcome. What's weird is I removed the crypto map and rebuilt it, and now everything is working as intended. I'm not too sure how tearing down the tunnel then rebuilding it changed the outcome, but hey, I ain't complaining.

If you put the routes back, remove and reapply the crypto map, does it break again?

If so, the routes were the problem and you just had to "reset" the crypto process to get it working once the routes were removed.

It's likely they were the trouble, since pointing the route to the interface makes it use proxy ARP to find the destination, so it could have some unexpected behavior.

No, it's working with the routes right now. Doesn't clearing the crypto reset all connections, or is there an equivalent to clear crypto sa peer x.x.x.x? I'm not sure what happened with this tunnel. It is an endpoint for 20+ other connections, so maybe that had something to do with it. CPU doesn't say so, but I'm happy with the outcome right now.