IPSEC s2s VPN issue

RobotAjay
Level 1

Hi all,

I have a VPN configured between two routers; however, the traffic is not encrypted or decrypted.
Can someone help me with this, please?

ITH_WAN#sh crypto ipsec sa

interface: Ethernet0/2

Crypto map tag: mymap, local addr 206.225.215.6

protected vrf: IPSEC
local ident (addr/mask/prot/port): (206.225.198.9/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (208.17.89.5/255.255.255.255/0/0)
current_peer 204.94.94.60 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 206.225.215.6, remote crypto endpt.: 204.94.94.60
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/2
current outbound spi: 0x0(0)


PEER DEVICE:

interface: Ethernet0/0
Crypto map tag: mymap, local addr 204.94.94.60

protected vrf: (none)
local ident (addr/mask/prot/port): (208.17.89.5/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (206.225.198.9/255.255.255.255/0/0)
current_peer 206.225.215.6 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 204.94.94.60, remote crypto endpt.: 206.225.215.6
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none



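As an added illustration (my own example, not code from the original post or from Cisco), the following Python parser reads `show crypto ipsec sa` output like the two captures above and turns the counters and SPI into a plain-language diagnosis. The two sample strings are condensed from the post's output; the function names `parse_ipsec_sa`, `diagnose` and `mirrored` are my own. An outbound SPI of `0x0` together with all-zero counters is the signature of "no SA was ever negotiated", which is a different problem from "SA up but return traffic missing" (encaps > 0, decaps == 0), and the mirror check confirms that the two sides' proxy identities and peers line up.

```python
import re
from dataclasses import dataclass

# Constructed test input: condensed excerpts of the two "show crypto ipsec sa"
# outputs quoted in the first post (ITH_WAN side and the peer).
SIDE_A = """\
interface: Ethernet0/2
Crypto map tag: mymap, local addr 206.225.215.6
protected vrf: IPSEC
local ident (addr/mask/prot/port): (206.225.198.9/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (208.17.89.5/255.255.255.255/0/0)
current_peer 204.94.94.60 port 500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors 0
current outbound spi: 0x0(0)
"""
SIDE_B = """\
interface: Ethernet0/0
Crypto map tag: mymap, local addr 204.94.94.60
protected vrf: (none)
local ident (addr/mask/prot/port): (208.17.89.5/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (206.225.198.9/255.255.255.255/0/0)
current_peer 206.225.215.6 port 500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors 0
current outbound spi: 0x0(0)
"""


@dataclass
class IpsecSa:
    interface: str = ""
    local_addr: str = ""
    vrf: str = ""
    local_ident: str = ""
    remote_ident: str = ""
    peer: str = ""
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    recv_errors: int = 0
    outbound_spi: int = 0


def parse_ipsec_sa(text):
    """Return one IpsecSa per 'protected vrf' block of the command output."""
    sas, cur, iface, laddr = [], None, "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface:\s*(\S+)", line):
            iface = m.group(1)
        elif m := re.search(r"local addr\s+(\S+)", line):
            laddr = m.group(1)
        elif m := re.match(r"protected vrf:\s*(\S+)", line):
            cur = IpsecSa(interface=iface, local_addr=laddr, vrf=m.group(1))
            sas.append(cur)
        elif cur is None:
            continue
        elif m := re.match(r"local ident.*\(([\d./]+)\)", line):
            cur.local_ident = m.group(1)
        elif m := re.match(r"remote ident.*\(([\d./]+)\)", line):
            cur.remote_ident = m.group(1)
        elif m := re.match(r"current_peer\s+(\S+)", line):
            cur.peer = m.group(1)
        elif m := re.match(r"#pkts encaps:\s*(\d+)", line):
            cur.encaps = int(m.group(1))
        elif m := re.match(r"#pkts decaps:\s*(\d+)", line):
            cur.decaps = int(m.group(1))
        elif m := re.match(r"#send errors\s*(\d+),\s*#recv errors\s*(\d+)", line):
            cur.send_errors, cur.recv_errors = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"current outbound spi:\s*0x([0-9A-Fa-f]+)", line):
            cur.outbound_spi = int(m.group(1), 16)
    return sas


def diagnose(sa):
    """Explain what the SPI and counters of one SA entry tell us."""
    findings = []
    if sa.outbound_spi == 0:
        findings.append(f"outbound SPI 0x0: no IPsec SA established with peer {sa.peer}; "
                        "IKE has not completed (check 'show crypto isakmp sa', the pre-shared "
                        "key and reachability of the peer address)")
    if (sa.encaps, sa.decaps, sa.send_errors, sa.recv_errors) == (0, 0, 0, 0):
        findings.append(f"all counters zero: no traffic matching the crypto ACL has been "
                        f"processed on {sa.interface} in either direction")
    elif sa.encaps and not sa.decaps:
        findings.append("encrypting but never decrypting: check the return path and the "
                        "peer's crypto ACL")
    if sa.vrf != "(none)":
        findings.append(f"protected vrf {sa.vrf}: VRF-aware IPsec; if the crypto-map interface "
                        f"is in that VRF too, the pre-shared key must live in a keyring bound "
                        f"to it ('crypto keyring ... vrf {sa.vrf}')")
    return findings


def mirrored(a, b):
    """True when the two sides' proxy identities and peer addresses are mirror images."""
    return (a.local_ident == b.remote_ident and a.remote_ident == b.local_ident
            and a.peer == b.local_addr and b.peer == a.local_addr)


if __name__ == "__main__":
    for label, text in (("ITH_WAN", SIDE_A), ("peer", SIDE_B)):
        for sa in parse_ipsec_sa(text):
            print(label, sa.interface, *diagnose(sa), sep="\n  ")
    print("mirrored:", mirrored(parse_ipsec_sa(SIDE_A)[0], parse_ipsec_sa(SIDE_B)[0]))
```

Feed it the full output of `show crypto ipsec sa` from both ends; each `protected vrf` block becomes one entry, so a multi-entry crypto map is handled the same way.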
9 Replies

You need to exclude the IPsec traffic from NAT overload.

I am sorry, I didn't get you; there is no NAT configured on either end.

protected vrf: IPSEC <<--
Are you configuring the IPsec under the interface with VRF-aware?
Can I see the config?

Please find the running config:

Device 1:

crypto isakmp policy 10
encr aes
hash sha256
authentication pre-share
group 14
!
!
crypto ipsec transform-set myset esp-aes esp-sha256-hmac
mode tunnel
!
!
!
crypto map mymap local-address Loopback1
crypto map mymap 10 ipsec-isakmp
set peer 204.94.94.60
set transform-set myset
match address 100
!
!
!
!
!
interface Loopback1
ip vrf forwarding IPSEC
ip address 206.225.215.6 255.255.255.0
!
interface Ethernet0/0
no ip address
shutdown
!
interface Ethernet0/1
ip vrf forwarding CALLIDUS
ip address 10.0.6.2 255.255.255.0
!
interface Ethernet0/2
ip vrf forwarding IPSEC
ip address 10.0.5.2 255.255.255.0
crypto map mymap
!
interface Ethernet0/3
no ip address
shutdown
!
router bgp 64901
bgp router-id 10.0.6.2
bgp log-neighbor-changes
!
address-family ipv4 vrf CALLIDUS
network 208.17.89.5 mask 255.255.255.255
neighbor 10.0.6.1 remote-as 64902
neighbor 10.0.6.1 activate
exit-address-family
!
address-family ipv4 vrf IPSEC
neighbor 10.0.5.1 remote-as 64902
neighbor 10.0.5.1 activate
exit-address-family
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route vrf CALLIDUS 208.17.89.5 255.255.255.255 Ethernet0/2 10.0.5.1


Device 2:

crypto isakmp policy 10
encr aes
hash sha256
authentication pre-share
group 14
crypto isakmp key vpnuser address 206.225.215.6
!
!
crypto ipsec transform-set myset esp-aes esp-sha256-hmac
mode tunnel
!
!
!
crypto map mymap local-address Loopback1
crypto map mymap 10 ipsec-isakmp
set peer 206.225.215.6
set transform-set myset
match address 100
!
!
!
!
!
interface Loopback1
ip address 204.94.94.60 255.255.255.0
!
interface Loopback2
ip address 208.17.89.5 255.255.255.0
!
interface Ethernet0/0
ip address 10.0.8.2 255.255.255.0
crypto map mymap
!
interface Ethernet0/1
ip address 10.0.9.1 255.255.255.0
!
interface Ethernet0/2
no ip address
shutdown
!
interface Ethernet0/3
no ip address
shutdown
!
router bgp 3356
bgp log-neighbor-changes
neighbor 10.0.8.1 remote-as 36774
neighbor 10.0.9.2 remote-as 3356
!
address-family ipv4
neighbor 10.0.8.1 activate
neighbor 10.0.8.1 default-originate
neighbor 10.0.9.2 activate
exit-address-family
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.0.9.2
ip route 206.225.198.0 255.255.255.255 10.0.8.1
ip route 206.225.215.6 255.255.255.255 10.0.8.1
!
!
!
access-list 100 permit ip host 208.17.89.5 host 206.225.198.9
!
control-plane
!
!
!
!
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
transport input none
!
!
end


!
!
access-list 100 permit ip host 206.225.198.9 host 208.17.89.5

Configure VRF-aware Site-to-Site IPsec VPN on a Cisco router | TechRepublic

Check this lab for configuring VRF-aware IPsec.
I am out of home now; tonight I will run the lab and check your config.
Thanks

Sure, I will have a check. Thanks

You are so welcome

tildenp
Level 1

Will need to see the running-config.

R1#show run

ip vrf ISP
rd 1:100
route-target export 1:1
route-target import 1:1
!
crypto keyring MHM vrf ISP
pre-shared-key address 2.2.2.2 key mhm
!
crypto isakmp policy 10
hash md5
authentication pre-share
!
crypto ipsec transform-set mhm ah-md5-hmac esp-des
!
crypto map MHM local-address Loopback0
crypto map MHM 10 ipsec-isakmp
set peer 2.2.2.2
set transform-set mhm
match address 100
!
interface Loopback0
ip vrf forwarding ISP
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
ip vrf forwarding ISP
ip address 10.0.0.1 255.255.255.0
duplex half
!
interface Serial1/0
ip vrf forwarding ISP
ip address 100.0.0.1 255.255.255.0
serial restart-delay 0
crypto map MHM
!
router bgp 100
no synchronization
bgp router-id vrf auto-assign
bgp log-neighbor-changes
no auto-summary
!
address-family ipv4 vrf ISP
no synchronization
network 1.1.1.1 mask 255.255.255.255
network 10.0.0.0 mask 255.255.255.0
neighbor 100.0.0.2 remote-as 200
neighbor 100.0.0.2 activate
exit-address-family
!
access-list 100 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255


R2#show run

ip vrf ISP
rd 2:100
route-target export 1:1
route-target import 1:1
!
crypto keyring MHM vrf ISP
pre-shared-key address 1.1.1.1 key mhm
!
crypto isakmp policy 10
hash md5
authentication pre-share
!
crypto ipsec transform-set mhm ah-md5-hmac esp-des
!
crypto map MHM local-address Loopback0
crypto map MHM 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set mhm
match address 100
!
interface Loopback0
ip vrf forwarding ISP
ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
ip vrf forwarding ISP
ip address 20.0.0.2 255.255.255.0
duplex half
!
interface Serial1/0
ip vrf forwarding ISP
ip address 100.0.0.2 255.255.255.0
serial restart-delay 0
crypto map MHM
!
router bgp 200
no synchronization
bgp router-id vrf auto-assign
bgp log-neighbor-changes
no auto-summary
!
address-family ipv4 vrf ISP
no synchronization
network 2.2.2.2 mask 255.255.255.255
network 20.0.0.0 mask 255.255.255.0
neighbor 100.0.0.1 remote-as 100
neighbor 100.0.0.1 activate
exit-address-family
!
access-list 100 permit ip 20.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255


This lab I ran, and it succeeded.
The point I see you missing in your config is:
you don't advertise the Lo that you use as local-address of IPsec; you must advertise it under BGP.
You also did not configure the keyring VRF-aware.

Please check my lab.
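As an added check (my own example, not code from the thread or from Cisco), the Python linter below applies the two points raised in this reply to a running-config: an interface that carries a crypto map while sitting in a VRF needs a `crypto keyring ... vrf <that VRF>` to hold the pre-shared key (a global `crypto isakmp key` only serves the global routing table), and the loopback named as `crypto map ... local-address` must be advertised with a `network` statement in the matching BGP address-family so the peer has a route to it. It relies on the indentation `show run` emits. The two inputs are condensed excerpts of "Device 1" and the lab "R1" from this thread, retyped here as constructed test data; `parse_blocks` and `lint_ipsec` are my own names.

```python
import re

# Constructed test input: condensed "Device 1" from the thread (crypto map on
# a VRF interface, no keyring, local-address loopback not advertised).
DEVICE1 = """\
crypto map mymap local-address Loopback1
crypto map mymap 10 ipsec-isakmp
 set peer 204.94.94.60
 match address 100
interface Loopback1
 ip vrf forwarding IPSEC
 ip address 206.225.215.6 255.255.255.0
interface Ethernet0/2
 ip vrf forwarding IPSEC
 ip address 10.0.5.2 255.255.255.0
 crypto map mymap
router bgp 64901
 address-family ipv4 vrf IPSEC
  neighbor 10.0.5.1 remote-as 64902
 exit-address-family
"""

# Constructed test input: condensed lab "R1" from the thread (VRF-aware keyring,
# loopback advertised under the VRF address-family).
LAB_R1 = """\
crypto keyring MHM vrf ISP
 pre-shared-key address 2.2.2.2 key mhm
crypto map MHM local-address Loopback0
crypto map MHM 10 ipsec-isakmp
 set peer 2.2.2.2
interface Loopback0
 ip vrf forwarding ISP
 ip address 1.1.1.1 255.255.255.255
interface Serial1/0
 ip vrf forwarding ISP
 ip address 100.0.0.1 255.255.255.0
 crypto map MHM
router bgp 100
 address-family ipv4 vrf ISP
  network 1.1.1.1 mask 255.255.255.255
 exit-address-family
"""


def parse_blocks(config):
    """Split an IOS config into (top-level line, [indented child lines]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def lint_ipsec(config):
    """Return findings for the keyring-VRF and local-address-advertisement pitfalls."""
    interfaces, local_addr, keyring_vrfs = {}, {}, set()
    global_psk, networks = False, {}          # networks: vrf (or None) -> {prefix}
    for header, children in parse_blocks(config):
        if header.startswith("interface "):
            intf = {"vrf": None, "ip": None, "map": None}
            for c in children:
                if c.startswith("ip vrf forwarding "):
                    intf["vrf"] = c.split()[-1]
                elif c.startswith("ip address "):
                    intf["ip"] = c.split()[2]
                elif c.startswith("crypto map "):
                    intf["map"] = c.split()[2]
            interfaces[header.split()[1]] = intf
        elif m := re.match(r"crypto map (\S+) local-address (\S+)", header):
            local_addr[m.group(1)] = m.group(2)
        elif m := re.match(r"crypto keyring \S+(?: vrf (\S+))?", header):
            if m.group(1):
                keyring_vrfs.add(m.group(1))
            else:
                global_psk = True
        elif header.startswith("crypto isakmp key "):
            global_psk = True
        elif header.startswith("router bgp "):
            vrf = None                         # track which address-family we are in
            for c in children:
                if m := re.match(r"address-family ipv4(?: vrf (\S+))?", c):
                    vrf = m.group(1)
                elif c == "exit-address-family":
                    vrf = None
                elif m := re.match(r"network (\S+)", c):
                    networks.setdefault(vrf, set()).add(m.group(1))
    findings = []
    for name, intf in interfaces.items():
        if not intf["map"]:
            continue
        fvrf = intf["vrf"]                     # front-door VRF: where IKE/ESP terminate
        if fvrf and fvrf not in keyring_vrfs:
            findings.append(f"{name} is in VRF {fvrf} and carries crypto map {intf['map']}, "
                            f"but no 'crypto keyring ... vrf {fvrf}' holds the pre-shared key")
        elif not fvrf and not global_psk:
            findings.append(f"{name} carries crypto map {intf['map']} but no pre-shared key "
                            "is configured")
    for cmap, lo in local_addr.items():
        src = interfaces.get(lo)
        if src is None:
            findings.append(f"crypto map {cmap} local-address {lo}: interface not found")
        elif src["ip"] not in networks.get(src["vrf"], set()):
            where = f"address-family ipv4 vrf {src['vrf']}" if src["vrf"] else "BGP"
            findings.append(f"{lo} ({src['ip']}) is the local-address of crypto map {cmap} "
                            f"but has no network statement under {where}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("Device 1", DEVICE1), ("Lab R1", LAB_R1)):
        print(label, *(lint_ipsec(cfg) or ["no findings"]), sep="\n  ")
```

Run it against the full `show run` of each side; the checks are deliberately limited to what this thread establishes, so a clean result only means these two pitfalls are absent, not that Phase 1 and Phase 2 are otherwise correct.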