
IPSEC Tunnel between two routers

w-chantre
Level 1

Hello,

I am actually trying to set up an IPsec tunnel between a branch office (with a dynamic public IP) and my headquarters (with a static public IP).

At my headquarters, I have a router with VRF.

Phase 1 is up and phase 2 is up as well. But I don't have traffic.

Here is my configuration from the branch office:

crypto logging session
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key toto address A.B.C.D no-xauth
crypto isakmp keepalive 10 periodic
crypto isakmp nat keepalive 10
!
!
crypto ipsec transform-set TS_AES_SHA ah-sha-hmac esp-aes
no crypto ipsec nat-transparency udp-encaps
!
crypto map CM_Client 1 ipsec-isakmp
 set peer A.B.C.D
 set transform-set TS_AES_SHA
 set pfs group5
 match address DE-LAN_Client
!
interface FastEthernet4
 description *** 4G vers TP-Link ***
 ip address 192.168.254.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 crypto map CM_Client
!
interface Vlan1
 description *** ID01-LAN ***
 ip address 172.16.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no autostate
!
ip nat inside source list 100 interface FastEthernet4 overload
!
ip access-list extended DE-LAN_Client
 permit ip 172.16.0.0 0.0.0.255 host 10.10.10.10
 permit ip host 10.10.10.10 172.16.0.0 0.0.0.255
!
ip sla 1
 icmp-echo 10.10.10.10 source-ip 172.16.0.254
ip sla schedule 1 life forever start-time now
!
access-list 100 deny   ip 172.16.0.0 0.0.0.255 host 10.10.10.10
access-list 100 permit ip 172.16.0.0 0.0.0.255 any

Here is my configuration for my headquarters:

crypto keyring KR_Client vrf VRF
  pre-shared-key address 0.0.0.0 0.0.0.0 key toto
crypto logging session
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp keepalive 10 periodic
crypto isakmp nat keepalive 10
crypto isakmp profile CI_Client
   vrf VRF
   keyring KR_Client
   match identity address 0.0.0.0 VRF
!
!
crypto ipsec transform-set TS_AES_SHA ah-sha-hmac esp-aes
!
crypto dynamic-map CDM_Client 10
 set transform-set TS_AES_SHA
 set pfs group5
 match address DE-LAN_Client
!
!
crypto map CM_Client 1 ipsec-isakmp dynamic CDM_Client
interface Loopback254
 description *** Lo 4G via IPSEC ***
 ip vrf forwarding VRF
 ip address 178.23.152.8 255.255.255.255
 ip nat outside
 crypto map CM_Client
!
interface Loopback255
 description *** Lo 4G via IPSEC ***
 ip vrf forwarding VRF
 ip address 10.10.10.10 255.255.255.255
 ip nat inside
ip nat inside source list 100 interface Loopback254 vrf VRF overload
ip access-list extended DE-LAN_Client
 permit ip host 10.10.10.10 172.16.0.0 0.0.0.255
 permit ip 172.16.0.0 0.0.0.255 host 10.10.10.10
access-list 100 deny   ip host 10.10.10.10 172.16.0.0 0.0.0.255
access-list 100 permit ip host 10.10.10.10 any

Phase 1 is up:

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
178.23.152.8    192.168.254.2   QM_IDLE           2002    0 ACTIVE

IPv6 Crypto ISAKMP SA
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
178.23.152.8    80.215.202.236  QM_IDLE           1004 ACTIVE

IPv6 Crypto ISAKMP SA

Phase 2 is up:

  local  ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
   current_peer 178.23.152.8 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 51, #pkts encrypt: 51, #pkts digest: 51
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
interface: Loopback254
    Crypto map tag: CM_Client, local addr 178.23.152.8
   protected vrf: VRF
   local  ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
   current_peer 80.215.202.236 port 18932
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

Ping between my two LANs is NOK:

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
Packet sent with a source address of 172.16.0.254
.....
Success rate is 0 percent (0/5)

Encrypted packets are OK but not decrypted:

    #pkts encaps: 51, #pkts encrypt: 51, #pkts digest: 51
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

Do you have any idea regarding this problem?

Thanks a lot

BR

2 Accepted Solutions

No, IPsec will not install that route. You should have a route towards the interface where the crypto map has been applied so that the packet will enter the tunnel. In most cases the default route does that, but here your headquarters router has the crypto map applied to a different interface than the ISP interface.

So please add the route below on the headquarters router to resolve the issue:

ip route 172.16.0.0 255.255.255.0  Lo254

You can try one workaround: change the subnet mask for Lo254 from /32 to /31 and give the next hop IP address as the next IP, 178.23.52.9.
18 Replies

Hi

Config looks OK except the ACL, which should be only:

permit ip lan remote

and the opposite on the other side.

regards

Hi,

thanks for your answer.

I just changed my ACL like this:

ip access-list extended DE-LAN_Client
 permit ip 172.16.0.0 0.0.0.255 host 10.10.10.10

And the opposite on my headquarter.

But I don't have any traffic.

Deepak Kumar
VIP Alumni

Hi,

You are missing the VPN tunnel static route. Please check.

As:

IP route <Destination LAN Network Subnet> <Destination LAN Subnet> <Destination tunnel Public IP/ remote site public IP>

Regards,

Deepak Kumar

www.deepuverma.in

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hi,

thanks for your answer.

I already have a default route (Internet access is OK).

I added a static route to my remote LAN: ip route 10.10.10.10 255.255.255.255 A.B.C.D

But I don't have any traffic.

Hi,

No, only one default route to the internet is not sufficient. You should have one default route to the internet and another static route for the VPN tunnel.

A static route to the internet forwards traffic to the internet, so your VPN tunnel is not working.

As an example, see what I mentioned in my last comment.

Regards,

Deepak Kumar

 


Pawan Raut
Level 4

No decrypted packets means an issue at the remote end. Kindly check routing and the ACL at the remote end.

After a few corrections, encrypted and decrypted packets are OK:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
   current_peer 178.23.152.8 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 93, #pkts encrypt: 93, #pkts digest: 93
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

  protected vrf: VRF
   local  ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
   current_peer 80.215.202.236 port 18932
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 93, #pkts decrypt: 93, #pkts verify: 93
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

But ping is still NOK.

It's not OK. Your packet is encrypted at the first router, goes to the second router through the tunnel and is decrypted at the second router, but you are not getting return traffic that is encrypted at the second router, hence no decryption at the first router.

So the issue is at your second router. Do you have a route to the destination IP on the second router?

Do you have a return route for the source IP on the second router?

Thanks for your answer.

On my two routers, I have a default route to reach the Internet (and it's OK).

On the second router you have the crypto map applied on interface Loopback254. Do you have a default route towards Loopback254?

Can you give us the output of:

sh ip route | i 0.0.0.0

sh ip route 172.16.0.254

Here is my default route:

O*E2  0.0.0.0/0 [110/110] via A.B.C.D 6d21h, GigabitEthernetX/Y

But I don't have a route for the subnet 172.16.0.0/24.

I think the IPsec tunnel will install this route, no?

No, IPsec will not install that route. You should have a route towards the interface where the crypto map has been applied so that the packet will enter the tunnel. In most cases the default route does that, but here your headquarters router has the crypto map applied to a different interface than the ISP interface.

So please add the route below on the headquarters router to resolve the issue:

ip route 172.16.0.0 255.255.255.0  Lo254
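The two diagnostic points raised in this thread (the crypto ACLs must be mirror images, as in the first reply, and traffic to the remote LAN must leave through the interface that carries the crypto map, as in the reply above) can be checked offline before touching the routers. The script below is an added example, not the poster's or Cisco's code: it parses the two DE-LAN_Client ACLs as originally posted, reports entries the other side does not mirror, and does a longest-prefix-match over a constructed copy of the HQ VRF routing table to show where 172.16.0.0/24 egresses before and after the static route. The function names, the routing-table model (prefix and interface only, no next hops or VRF semantics) and the "reversed entry" heuristic are assumptions of this example; the `GigabitEthernetX/Y` name is the placeholder from the thread.

```python
"""Pre-flight check for an IOS crypto-map tunnel (constructed example).

Two conditions are modelled:
 1. the crypto ACLs of both peers must mirror each other;
 2. packets for the remote LAN must be routed out of the interface that
    carries the crypto map, or they are never offered for encryption.
"""
import ipaddress

# Crypto ACLs as first posted in the thread (constructed copies).
BRANCH_ACL = """\
ip access-list extended DE-LAN_Client
 permit ip 172.16.0.0 0.0.0.255 host 10.10.10.10
 permit ip host 10.10.10.10 172.16.0.0 0.0.0.255
"""
HQ_ACL = """\
ip access-list extended DE-LAN_Client
 permit ip host 10.10.10.10 172.16.0.0 0.0.0.255
 permit ip 172.16.0.0 0.0.0.255 host 10.10.10.10
"""
HQ_CRYPTO_MAP_INTERFACE = "Loopback254"  # carries 'crypto map CM_Client' at HQ

# HQ VRF routing table as the OP described it: a default route via the ISP
# interface (placeholder name from the thread) plus the two connected loopbacks.
HQ_ROUTES_BEFORE = [
    ("0.0.0.0/0", "GigabitEthernetX/Y"),
    ("178.23.152.8/32", "Loopback254"),
    ("10.10.10.10/32", "Loopback255"),
]
# The same table once the static route from the reply above is present.
HQ_ROUTES_AFTER = HQ_ROUTES_BEFORE + [("172.16.0.0/24", "Loopback254")]


def _operand(tokens):
    """Consume one address operand of an extended ACE: 'any', 'host A' or 'A wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    if wildcard & (wildcard + 1):  # only contiguous wildcards map to one prefix
        raise ValueError("non-contiguous wildcard for %s" % tok)
    return ipaddress.ip_network("%s/%d" % (tok, 32 - wildcard.bit_length()), strict=False)


def parse_crypto_acl(text):
    """Return the set of (src, dst) network pairs permitted by an extended IP ACL."""
    pairs = set()
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["permit", "ip"]:
            continue
        rest = tokens[2:]
        src = _operand(rest)
        dst = _operand(rest)
        pairs.add((src, dst))
    return pairs


def _fmt(pair):
    return "%s -> %s" % pair


def check_crypto_acls(local_acl, remote_acl, local_lans):
    """Compare the two peers' crypto ACLs.

    unmirrored_local / unmirrored_remote: entries the other side does not mirror
    (these cause proxy-identity mismatches in phase 2).
    reversed_local: local entries whose source is not a local LAN; the first reply
    in the thread recommends keeping only local -> remote entries on each side.
    """
    local = parse_crypto_acl(local_acl)
    remote = parse_crypto_acl(remote_acl)
    lans = [ipaddress.ip_network(n) for n in local_lans]
    return {
        "unmirrored_local": sorted(_fmt(p) for p in local - {(d, s) for s, d in remote}),
        "unmirrored_remote": sorted(_fmt(p) for p in remote - {(d, s) for s, d in local}),
        "reversed_local": sorted(_fmt(p) for p in local
                                 if not any(p[0].subnet_of(lan) for lan in lans)),
    }


def lookup(routes, dst):
    """Longest-prefix match over (prefix, interface) entries; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best


def egress_check(routes, dst, crypto_map_interface):
    """Return (matched prefix, egress interface, enters_tunnel).

    A crypto map only sees packets leaving through its own interface, so a route
    that sends the remote LAN out of the ISP interface never gets encrypted.
    """
    hit = lookup(routes, dst)
    if hit is None:
        return (None, None, False)
    net, ifname = hit
    return (str(net), ifname, ifname == crypto_map_interface)


if __name__ == "__main__":
    print(check_crypto_acls(BRANCH_ACL, HQ_ACL, ["172.16.0.0/24"]))
    for label, table in (("before", HQ_ROUTES_BEFORE), ("after", HQ_ROUTES_AFTER)):
        print(label, egress_check(table, "172.16.0.1", HQ_CRYPTO_MAP_INTERFACE))
```

With the original ACLs the mirror check passes but the second branch entry is flagged as reversed; with the OP's routing table 172.16.0.1 follows the default route out of the ISP interface, so `enters_tunnel` is false until the static route toward Loopback254 exists. The model deliberately ignores the VRF detail that made the plain `ip route ... loo254` command fail on the OP's router (a static route to a non-point-to-point interface inside a VRF needs a next-hop address there).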

ip route vrf VRF 172.16.0.0 255.255.255.0 loo254
% For VPN or topology routes, must specify a next hop IP address if not a point-to-point interface

Is it possible to have an IPsec tunnel between two Loopback interfaces?

An IPsec tunnel between two Loopbacks is possible, but here in your case it is unfortunate that you are doing the IPsec tunnel using a Loopback and you are using a VRF at the same time, so it is creating an issue for the static route. Let me check for any alternative for this.