IPSec VTI between Cisco IOS and VMware NSX-V EDGE

korobkinaa
Level 1

Hello everyone.

I am trying to configure VTI-based IPsec. The IPsec SA is successfully established:

!

interface: Tunnel150
Crypto map tag: Tunnel150-head-0, local addr 1.1.1.1

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 1.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.2
path mtu 1500, ip mtu 1500, ip mtu idb Port-channel1.169
current outbound spi: 0xCC1E0CC9(3424521417)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xC142AAE8(3242371816)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2649, flow_id: AIM-VPN/SSL-3:2649, sibling_flags 80000046, crypto map: Tunnel150-head-0
sa timing: remaining key lifetime (k/sec): (4496460/3231)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xCC1E0CC9(3424521417)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2650, flow_id: AIM-VPN/SSL-3:2650, sibling_flags 80000046, crypto map: Tunnel150-head-0
sa timing: remaining key lifetime (k/sec): (4496462/3231)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:


Tunnel configuration:

!

interface Tunnel150
description EDGE_Test
ip address 10.100.100.2 255.255.255.252
tunnel source 1.1.1.1
tunnel mode ipsec ipv4
tunnel destination 1.1.1.2
tunnel path-mtu-discovery
tunnel protection ipsec profile IPSec-EDGE-Profile


Incoming ICMP echo packets to 10.100.100.2 and the replies are present in the Cisco terminal debug, but the IPsec counters don't increase:

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0


Is Cisco VTI compatible with NSX-V Route-Based VPN?

4 Replies

@korobkinaa 

Do you have a route to the remote network(s) via the tunnel interface, either using a static route or a dynamic routing protocol?

Providing the full configuration might help pinpoint the issue quicker.


HTH

Before configuring any static or dynamic routing, I want to check availability on the tunnel network, 10.100.100.0/30.

@korobkinaa 

But what was the source of the ping? 10.100.100.1? If it wasn't that IP address and you have no static or dynamic routes, then return traffic would never be sent over the tunnel.


Provide the output of icmp debug from the router.

Yes, the source IP is 10.100.100.1. The debug shows only ICMP replies:

!

cisco#terminal monitor

cisco#debug ip icmp
ICMP packet debugging is on

1785149: Apr 9 2021 21:35:43.879 GMT+3: ICMP: echo reply sent, src 10.100.100.2, dst 10.100.100.1, topology BASE, dscp 0 topoid 0

1785153: Apr 9 2021 21:35:44.879 GMT+3: ICMP: echo reply sent, src 10.100.100.2, dst 10.100.100.1, topology BASE, dscp 0 topoid 0

1785155: Apr 9 2021 21:35:45.879 GMT+3: ICMP: echo reply sent, src 10.100.100.2, dst 10.100.100.1, topology BASE, dscp 0 topoid 0
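As an added example (not code from the thread or from either vendor), a small Python triage script that reads `show crypto ipsec sa` output and classifies the counter pattern the original post hit: decaps incrementing while encaps stays at zero, with both ESP SAs ACTIVE, means the router decrypts the peer's packets but never sends anything back through the tunnel, which points at the forwarding path toward the tunnel (the route question raised in the replies) rather than at the SA itself. The sample text is constructed from the output quoted above; section names and counter labels follow the IOS output shown on this page.

```python
import re

# Constructed sample, modelled on the "show crypto ipsec sa" output quoted in this thread.
SAMPLE_ONE_WAY = """\
interface: Tunnel150
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
inbound esp sas:
spi: 0xC142AAE8(3242371816)
Status: ACTIVE
inbound ah sas:
outbound esp sas:
spi: 0xCC1E0CC9(3424521417)
Status: ACTIVE
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")
SECTION_RE = re.compile(r"(inbound|outbound) (esp|ah|pcp) sas:")

def sa_states(text):
    # Map "inbound"/"outbound" to the Status of its ESP SA; empty sections yield nothing.
    states, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:  # only the ESP sections carry the SAs the VTI uses
            section = m.group(1) if m.group(2) == "esp" else None
        elif section and line.startswith("Status:"):
            states[section] = line.split(":", 1)[1].strip()
    return states

def parse_sa(text):
    # Encaps/decaps counters plus the ESP SA states, as a dict.
    counters = {name: int(val) for name, val in COUNTER_RE.findall(text)}
    return {"counters": counters, "sa_status": sa_states(text)}

def classify(parsed):
    # Report which direction the tunnel is actually carrying traffic in.
    c, sas = parsed["counters"], parsed["sa_status"]
    encaps, decaps = c.get("encaps", 0), c.get("decaps", 0)
    if sas.get("inbound") != "ACTIVE" or sas.get("outbound") != "ACTIVE":
        return "no-active-sa"
    if encaps and decaps:
        return "bidirectional"
    if decaps and not encaps:
        # SAs are up and peer packets decrypt, yet nothing is encapsulated:
        # look at forwarding toward the tunnel (a route via the Tunnel interface).
        return "inbound-only"
    return "outbound-only" if encaps else "idle"
```

Running `classify(parse_sa(SAMPLE_ONE_WAY))` on the constructed sample returns `inbound-only`, the state the original post describes.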