04-09-2021 08:36 AM
Hello everyone.
I try to configure VTI-based IPSec. IPSec SA successfully established:
!
interface: Tunnel150
Crypto map tag: Tunnel150-head-0, local addr 1.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 1.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.2
path mtu 1500, ip mtu 1500, ip mtu idb Port-channel1.169
current outbound spi: 0xCC1E0CC9(3424521417)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xC142AAE8(3242371816)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2649, flow_id: AIM-VPN/SSL-3:2649, sibling_flags 80000046, crypto map: Tunnel150-head-0
sa timing: remaining key lifetime (k/sec): (4496460/3231)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xCC1E0CC9(3424521417)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2650, flow_id: AIM-VPN/SSL-3:2650, sibling_flags 80000046, crypto map: Tunnel150-head-0
sa timing: remaining key lifetime (k/sec): (4496462/3231)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Tunnel configuration:
!
interface Tunnel150
description EDGE_Test
ip address 10.100.100.2 255.255.255.252
tunnel source 1.1.1.1
tunnel mode ipsec ipv4
tunnel destination 1.1.1.2
tunnel path-mtu-discovery
tunnel protection ipsec profile IPSec-EDGE-Profile
Incoming ICMP Echo Packets to 10.100.100.2 and Replies are present in Cisco terminal debug, but ipsec counters don't increase:
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
Is Cisco VTI compatible with NSX-V Route-Based VPN?
04-09-2021 08:39 AM
Do you have a route to the remote network(s) via the tunnel interface? Either using a static route or dynamic routing protocol.
Providing the full configuration might help pinpoint the issue quicker.
HTH
04-09-2021 08:46 AM
Before configuring any static or dynamic routing, I want to check availability on the tunnel network, 10.100.100.0/30.
04-09-2021 09:28 AM
But what was the source of the ping? 10.100.100.1? If it wasn't that IP address and you have no static or dynamic routes, then return traffic would never be sent over the tunnel.
Provide the output of icmp debug from the router.
04-09-2021 11:43 AM
Yes, source IP is 10.100.100.1. Debug shows only ICMP replies:
!
cisco#terminal monitor
cisco#debug ip icmp
ICMP packet debugging is on
1785149: Apr 9 2021 21:35:43.879 GMT+3: ICMP: echo reply sent, src 10.100.100.2, dst 10.100.100.1, topology BASE, dscp 0 topoid 0
1785153: Apr 9 2021 21:35:44.879 GMT+3: ICMP: echo reply sent, src 10.100.100.2, dst 10.100.100.1, topology BASE, dscp 0 topoid 0
1785155: Apr 9 2021 21:35:45.879 GMT+3: ICMP: echo reply sent, src 10.100.100.2, dst 10.100.100.1, topology BASE, dscp 0 topoid 0
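As an added example, not code from any poster in this thread, here is a small Python check that reads the two outputs quoted above (the "show crypto ipsec sa" counters from the first post and the "debug ip icmp" lines from the last one) and flags the pattern they show together: echo replies generated by the router while the outbound "#pkts encaps" counter stays at zero, which is what you see when return traffic is not routed into the tunnel. The sample inputs are constructed excerpts of the thread's own output; the function names are my own.

```python
import re

# Constructed excerpt of the "show crypto ipsec sa" output from the first post.
SA_OUTPUT = """\
interface: Tunnel150
Crypto map tag: Tunnel150-head-0, local addr 1.1.1.1
current_peer 1.1.1.2 port 500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
#send errors 0, #recv errors 0
inbound esp sas:
Status: ACTIVE
outbound esp sas:
Status: ACTIVE
"""

# Constructed excerpt of the "debug ip icmp" lines from the last post.
ICMP_DEBUG = """\
1785149: Apr 9 2021 21:35:43.879 GMT+3: ICMP: echo reply sent, src 10.100.100.2, dst 10.100.100.1, topology BASE, dscp 0 topoid 0
1785153: Apr 9 2021 21:35:44.879 GMT+3: ICMP: echo reply sent, src 10.100.100.2, dst 10.100.100.1, topology BASE, dscp 0 topoid 0
"""

COUNTER_KEYS = ("pkts encaps", "pkts decaps", "send errors", "recv errors")


def parse_sa_counters(text):
    """Pull the per-direction packet and error counters out of the SA output.
    Cisco prints "#pkts encaps: N" but "#send errors N", so the colon is optional."""
    counters = {}
    for key in COUNTER_KEYS:
        m = re.search(r"#" + re.escape(key) + r":?\s+(\d+)", text)
        counters[key] = int(m.group(1)) if m else 0
    return counters


def count_icmp_replies(text, tunnel_ip):
    """Count echo replies the router sourced from its own tunnel address."""
    return sum(1 for line in text.splitlines()
               if "echo reply sent" in line and "src %s," % tunnel_ip in line)


def diagnose(sa_text, icmp_text, tunnel_ip):
    """Return a short verdict on the combination of SA counters and ICMP debug."""
    c = parse_sa_counters(sa_text)
    replies = count_icmp_replies(icmp_text, tunnel_ip)
    if c["pkts decaps"] > 0 and c["pkts encaps"] == 0 and replies > 0:
        # Replies exist, so the echo reached the router; they are just never
        # encapsulated, which points at routing (no route to the peer via the VTI).
        return "asymmetric"
    if c["pkts decaps"] == 0 and c["pkts encaps"] == 0:
        return "idle"
    return "ok"
```

Running diagnose(SA_OUTPUT, ICMP_DEBUG, "10.100.100.2") on the thread's own numbers gives "asymmetric", matching the routing question raised in the second post.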