Ipsec tunnel up no transmitted packets

Alekin
Level 1

Hi Folks,

I need some help please, it seems I'm missing something but can't figure it out at the moment. I have identical sites using this setup and they are functioning fine.

My setup is a small branch with a cable modem, I have a Cisco 881 routers connected and have configured an ipsec vpn to my HQ. The tunnel is up both phase 1 and phase 2 but traffic is not going over the tunnel.

The access list for the crypto map is being hit as I turned on logging, if I do an extended ping or trace using the svi on the router I get nothing. I have added the router config below

!
crypto ikev2 proposal MyProposal
encryption aes-cbc-256
integrity sha256
group 19
!
crypto ikev2 policy My-policy
match fvrf any
proposal MyProposal
!
crypto ikev2 keyring My-keyring
peer peer1
address 37.32.117.31
pre-shared-key local XXXXXX
pre-shared-key remote XXXXXX
!
crypto ikev2 profile My-profile
match identity remote address 172.20.65.2 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local My-keyring
!
crypto ipsec transform-set aes128 esp-aes esp-sha-hmac
mode tunnel
crypto ipsec transform-set My-transform-set esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto map AllowToHOBranch 1 ipsec-isakmp
set peer 37.32.117.31
set security-association lifetime seconds 28800
set transform-set My-transform-set
set pfs group19
set ikev2-profile My-profile
match address 99
!
interface FastEthernet0
no ip address
!
interface FastEthernet4
ip address 58.44.101.117 255.255.255.240
ip tcp adjust-mss 1232
crypto map AllowToHOBranch
!
interface Vlan1
ip address 172.21.17.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 58.44.101.117
!
access-list 99 permit ip 172.21.17.0 0.0.0.255 any


Output of show crypto
sh crypto ikev2 sa


IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 58.44.101.116/4500 37.32.117.31/4500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/4187 sec

No packets seen on the sh crypto ipsec sa peer command

Any help will be greatly appreciated.

Thanks

Accepted Solution

No difference in hardware, only IOS image was different!!

And that was the issue as the upgrade resolved the connectivity.


20 Replies

@Alekin do you have NAT configured? This could cause traffic to be unintentionally translated and therefore not match the crypto ACL.

Please provide the full output of "show crypto ipsec sa" for this specific tunnel.

@Rob Ingram Thanks for the response, I don't have NAT configured.

I will be visiting site again and will get a full output of the "show crypto ipsec sa", I am using an identical setup that is working elsewhere so somewhat baffled why this isn't working.  Hardware is the same at both branch sites and HO terminating device is same for all connecting branches.

Output of  "show crypto ipsec sa"

sh crypto ipsec sa

interface: FastEthernet4
Crypto map tag: AllowToHOBranch, local addr 58.44.101.117

protected vrf: (none)
local ident (addr/mask/prot/port): (172.21.17.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 37.32.117.31 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 58.44.101.117, remote crypto endpt.: 37.32.117.31
plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0xD94B45A4(3645588900)
PFS (Y/N): Y, DH group: group19

inbound esp sas:
spi: 0x35F1C88F(905037967)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3, flow_id: Onboard VPN:3, sibling_flags 80000040, crypto map: AllowToHOBranch
sa timing: remaining key lifetime (k/sec): (4191108/28557)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xD94B45A4(3645588900)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 4, flow_id: Onboard VPN:4, sibling_flags 80000040, crypto map: AllowToHOBranch
sa timing: remaining key lifetime (k/sec): (4191108/28557)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:


Access list is showing hits increase when I generate traffic but nothing shown going through the tunnel.

@Alekin zero encaps|decaps, which usually indicates a NAT or routing issue.

 How are you generating interesting traffic for testing? Traffic obviously needs to come from 172.21.17.0 network. I assume a PC/device on the network uses the default gateway of the router (172.21.17.1)?

I'm generating traffic from the router using an extended ping to a device at the HO.

@Alekin I assume you are sourcing the ping from the vlan 1 interface, right?

Can you provide the full configuration, which may provide other clues to the issue

Yes I am

Branch-RTR#ping ip
Target IP address: 10.10.20.12
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.21.17.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.20.12, timeout is 2 seconds:
Packet sent with a source address of 172.21.17.1
.....
Success rate is 0 percent (0/5)


Branch-RTR#traceroute
Protocol [ip]:
Target IP address: 10.10.20.12
Source address: 172.21.17.1
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 10.10.20.12
VRF info: (vrf in name/id, vrf out name/id)
1 * * *
2 * * *
3 * * *
4 * *

Full config

Building configuration...

Current configuration : 4319 bytes
!
! Last configuration change at 16:37:59 BST Sat Sep 24 2022 by admin
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname Branch-RTR-1
!
boot-start-marker
boot-end-marker
!
logging buffered 64000
!
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHEN none
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec NO_AUTHOR none
aaa accounting exec default
action-type start-stop
group tacacs+
!
aaa accounting network default
action-type start-stop
group tacacs+
!
aaa accounting connection default
action-type start-stop
group tacacs+
!
aaa accounting system default
action-type start-stop
group tacacs+
!
no aaa accounting system guarantee-first
!
aaa session-id common
memory-size iomem 10
clock timezone BST 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
no ip domain lookup
ip domain name abc.local
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn FCZ181980BZ
!
archive
log config
hidekeys
!
crypto ikev2 proposal MyProposal
encryption aes-cbc-256
integrity sha256
group 19
!
crypto ikev2 policy My-policy
match fvrf any
proposal MyProposal
!
crypto ikev2 keyring My-keyring
peer peer1
address 37.32.117.31
pre-shared-key local XXXXXX
pre-shared-key remote XXXXXX
!
crypto ikev2 profile My-profile
match identity remote address 172.20.65.2 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local My-keyring
!
crypto ipsec transform-set aes128 esp-aes esp-sha-hmac
mode tunnel
crypto ipsec transform-set My-transform-set esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto map AllowToHOBranch 1 ipsec-isakmp
set peer 37.32.117.31
set security-association lifetime seconds 28800
set transform-set My-transform-set
set pfs group19
set ikev2-profile My-profile
match address 99
!
interface FastEthernet0
description uplink-Sw
no ip address
!
interface FastEthernet1
no ip address
duplex full
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
ip address 58.44.101.117 255.255.255.240
ip tcp adjust-mss 1232
crypto map AllowToHOBranch
!
interface Vlan1
ip address 172.21.17.1 255.255.255.0
no autostate
!
ip route 0.0.0.0 0.0.0.0 58.44.101.118
ip tacacs source-interface Vlan1
!
logging facility local2
logging source-interface Vlan1
!
access-list 105 permit ip 172.21.17.0 0.0.0.255 any
!
control-plane
!
privilege exec level 0 show cdp neighbors
privilege exec level 0 show cdp
privilege exec level 0 show configuration
privilege exec level 0 show interfaces
privilege exec level 0 show
banner login ^CCCCCCCC
^C
!
line con 0
exec-timeout 120 0
password 7 XXXXXXX
no modem enable
stopbits 1
line aux 0
line vty 0 4
access-class 60 in
exec-timeout 120 0
password 7 XXXXXXX
transport input ssh
!
scheduler max-task-time 5000
!
end

@Alekin I assume a typo, because your ACL is 105 but in the crypto map configuration you are referring to an ACL 99 - which doesn't appear to exist.

yes that's a typo, the acl exists and is getting hits

crypto ikev2 keyring My-keyring
peer peer1
address 37.32.117.31 
pre-shared-key local XXXXXX
pre-shared-key remote XXXXXX
!
crypto ikev2 profile My-profile
match identity remote address 172.20.65.2 255.255.255.255 <<<-- what is this IP you use for matching ???
authentication remote pre-share
authentication local pre-share
keyring local My-keyring
!
crypto map AllowToHOBranch 1 ipsec-isakmp
set peer 37.32.117.31
set security-association lifetime seconds 28800
set transform-set My-transform-set
set pfs group19
set ikev2-profile My-profile
match address 99
!
interface FastEthernet4
ip address 58.44.101.117 255.255.255.240 <<- IP of Interface
ip tcp adjust-mss 1232
crypto map AllowToHOBranch
!
interface Vlan1
ip address 172.21.17.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 58.44.101.117 <<- the IP here must be next-hop not IP in same router !!!

access-list 99 permit ip 172.21.17.0 0.0.0.255 any <<- use remote LAN instead of ANY. 
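The three configuration problems raised in this thread (the crypto map pointing at an ACL number that is not defined, the crypto ACL matching `any` instead of the remote LANs, and the default route next hop being one of the router's own addresses) can be caught by linting the config before the tunnel is ever brought up. The checker below is an added example, not something from the thread or from Cisco; it runs over a constructed excerpt modelled on the posted config and the regexes assume the plain `show running-config` line forms shown in the posts.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt modelled on the branch config posted in the thread.
SAMPLE_CONFIG = """\
crypto map AllowToHOBranch 1 ipsec-isakmp
 set peer 37.32.117.31
 set transform-set My-transform-set
 match address 99
!
interface FastEthernet4
 ip address 58.44.101.117 255.255.255.240
 crypto map AllowToHOBranch
!
ip route 0.0.0.0 0.0.0.0 58.44.101.117
!
access-list 105 permit ip 172.21.17.0 0.0.0.255 any
"""


def lint_crypto_map(config: str) -> list:
    """Flag the three misconfigurations raised in the thread; returns human-readable findings."""
    findings = []
    # Connected subnets keyed by the router's own interface addresses ('ip address A M' lines).
    connected = {}
    for ip, mask in re.findall(r"^\s*ip address (\S+) (\S+)", config, re.M):
        connected[ip] = ip_network(f"{ip}/{mask}", strict=False)
    # Numbered ACL entries grouped by list number.
    acls = {}
    for num, entry in re.findall(r"^access-list (\d+) (.*)$", config, re.M):
        acls.setdefault(num, []).append(entry)
    # 1. 'match address' in the crypto map must reference an ACL that exists (the 99 vs 105 typo).
    for acl in re.findall(r"^\s*match address (\S+)", config, re.M):
        if acl not in acls:
            findings.append(f"crypto map references ACL {acl}, which is not defined")
            continue
        # 2. The crypto ACL should list the remote LANs rather than 'any'.
        for entry in acls[acl]:
            if entry.split()[-1] == "any":
                findings.append(f"ACL {acl} uses 'any' as destination; list the remote LANs instead")
    # 3. The default route next hop must be the modem, not one of this router's own addresses,
    #    and it has to fall inside a connected subnet to be resolvable at all.
    for nh in re.findall(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M):
        if nh in connected:
            findings.append(f"default route next hop {nh} is a local interface address, not the modem")
        elif not any(ip_address(nh) in net for net in connected.values()):
            findings.append(f"default route next hop {nh} is not in any connected subnet")
    return findings


if __name__ == "__main__":
    for finding in lint_crypto_map(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the excerpt it reports the undefined ACL 99 and the self-referencing default route; once those two are corrected the only remaining finding is the `any` destination in the crypto ACL.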

@MHM Cisco World Thanks for the response appreciate you taking a look.

crypto ikev2 profile My-profile
match identity remote address 172.20.65.2 255.255.255.255 <<- IP of HO VPN firewall, mapped to peer 37.32.117.31
authentication remote pre-share
authentication local pre-share
keyring local My-keyring

!

ip route 0.0.0.0 0.0.0.0 58.44.101.118 <<- Sorry that was a typo. IP is next-hop cable modem public ip

access-list 99 permit ip 172.21.17.0 0.0.0.255 any <<- use remote LAN instead of ANY. (I have multiple subnets hosting various services which the branch consumes. I can give this a try tomorrow, although my other working sites are configured this way.)

So there is NAT; you must also make sure that the PAT UDP port 4500

"Cisco 881 routers"
set pfs group19 <<- I don't think this router supports group 19,
but I will check again