No traffic through IPSEC tunnel between Cisco 877 and Openswan

Criterion
Level 1

Hi Everyone,

Complete newbie here trying to implement and learn a bit too, but wondering if I’m out of my depth here…

Anyway, I’ve got the basic IPSEC tunnel up and running between an Openswan server and a Cisco router. The VPN tunnel is established and stays up. I have no traffic between the two end points though (by no traffic I mean ICMP/ping traffic). Below are my configs on both ends; any light you can shed is highly appreciated. Thanks in advance.

######/etc/ipsec.conf#######

config setup

conn IPSEC
        #auto=start                      # automatically start if detected
        type=tunnel                      # tunnel mode/not transport
        authby=secret
        auto=add

        ###THIS SIDE###
        left=193.Open.Swan.WAN           # OpenSwan-WAN_IP
        leftsubnet=172.16.255.0/24       # OpenSwan-LAN
        leftsourceip=172.16.255.1        # OpenSwan-LAN_IP

        ###PEER SIDE###
        right=123.Cisco.Router.WAN       # CiscoRouter-WAN
        rightsubnet=172.16.0.0/24        # CiscoRouter-LAN
        rightsourceip=172.16.0.1         # CiscoRouter-LAN_IP

        #phase 1
        keyexchange=ike
        #phase 2
        esp=3des-md5-96

#######/etc/ipsec.secrets##############

#{local}   {peer}     : PSK "{secret}"
193.Open.Swan.WAN 123.Cisco.Router.WAN : PSK "{secret}"

# IPTABLE ENTRIES ON OPENSWAN
iptables -t filter -N FORWARDS
iptables -t filter -A FORWARDS -d 172.16.0.0/24 -i eth0 -o ipsec0 -j ACCEPT
iptables -t filter -A FORWARDS -d 172.16.0.0/24 -i ipsec0 -o eth0 -j ACCEPT
iptables -t filter -A OUTPUT -d 172.16.0.0/24 -o ipsec0 -j ACCEPT

! Cisco Config
!====================================================
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key privacyviolationbybigbrother address 193.Open.Swan.WAN
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set s1s2trans esp-3des esp-md5-hmac
!
crypto map to-site2 10 ipsec-isakmp
 set peer 193.Open.Swan.WAN
 set transform-set s1s2trans
 match address 101
!
interface Dialer 0
 crypto map to-site2
!
ip route 172.16.255.0 255.255.255.0 193.Open.Swan.WAN
ip nat inside source route-map nonat interface Dialer 0 overload
!
access-list 101 permit ip 172.16.0.0 0.0.0.255 172.16.255.0 0.0.0.255
!access-list 150 deny   ip 172.16.0.0 0.0.0.255 172.16.255.0 0.0.0.255
!access-list 150 permit ip 172.16.0.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 150

Attached also router config before IPSEC config was added...

Regards,


Aditya Ganjoo
Cisco Employee

Hi,

The config looks fine.

Could you share the output of sh cry isa sa and sh cry ipsec sa from the Cisco router ?

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hi Aditya,

Thank you for your quick response.

I had rebuilt my VPS and now I can't connect the VPN. I've got the status output from the Openswan server. Because the VPN doesn't connect, there's nothing on the Cisco. Phase 1 isn't even successful now (?).

000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface lo:1/lo:1 172.16.255.1
000 interface lo:1/lo:1 172.16.255.1
000 interface eth0/eth0 Openswan.server.WAN
000 interface eth0/eth0 Openswan.server.WAN
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 3 subnets: 172.16.0.0/24, 172.16.255.0/24, 172.16.1.0/24
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000          private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "IPSEC": 172.16.255.0/24===Openswan.Server.WAN<Openswan.Server.WAN>...Cisco.Router.WAN<Cisco.Router.WAN>===172.16.0.0/24; unrouted; eroute owner: #0
000 "IPSEC":     myip=172.16.255.1; hisip=172.16.0.1;
000 "IPSEC":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "IPSEC":   policy: PSK+ENCRYPT+TUNNEL+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: eth0;
000 "IPSEC":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "IPSEC":   ESP algorithms wanted: 3DES(3)_000-MD5(1)_096; flags=-strict
000 "IPSEC":   ESP algorithms loaded: 3DES(3)_192-MD5(1)_096
000
000

Hi,

Could you share the debugs from Cisco router as well ?

debug crypto isakmp

debug crypto ipsec

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Yep, did those 2 commands but that turned on debugging. Now the outputs of the previous sh commands are:

constantinople#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA

constantinople# sh cry ipsec sa

interface: Dialer0
    Crypto map tag: to-site2, local addr Cisco.RouterWAN

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.255.0/255.255.255.0/0/0)
   current_peer Openswan.ServerWAN port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: Cisco.RouterWAN , remote crypto endpt.: Openswan.ServerWAN
     path mtu 1492, ip mtu 1492, ip mtu idb Dialer0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access1
    Crypto map tag: to-site2, local addr 0.0.0.0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.255.0/255.255.255.0/0/0)
   current_peer Openswan.ServerWAN port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 0.0.0.0, remote crypto endpt.: Openswan.ServerWAN
     path mtu 1492, ip mtu 1492, ip mtu idb Virtual-Access1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Hi,

It seems Phase 2 is failing, as I do not see any Phase 2 SPIs.

Clear the session on router using clear cry session and take the debugs again.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hi Aditya,

I ran the clear command followed by sh cry ipsec sa and the output is exactly the same.

The thing is, I don't see phase 1 being successful either? Are you seeing something I am not?

Thanks

Hi Aditya,

Ok, so I made some changes back on the OpenS/WAN side and now have the VPN established again (opened up ports 500, 50 and 51 on the OpenS/WAN server).

Ok, now I'm back to my original question: cannot ping the remote site. Here are the outputs of the two show commands again:

Router01#sh cry ipsec sa

interface: Dialer0
    Crypto map tag: to-site2, local addr Cisco.Router.WAN

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.255.0/255.255.255.0/0/0)
   current_peer Openswan.Server.WAN port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: Cisco.Router.WAN, remote crypto endpt.: Openswan.Server.WAN
     path mtu 1492, ip mtu 1492, ip mtu idb Dialer0
     current outbound spi: 0x722A24DB(1915364571)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x47C24D69(1203916137)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: Onboard VPN:3, sibling_flags 80000046, crypto map: to-site2
        sa timing: remaining key lifetime (k/sec): (4588935/28789)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x722A24DB(1915364571)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: Onboard VPN:4, sibling_flags 80000046, crypto map: to-site2
        sa timing: remaining key lifetime (k/sec): (4588935/28789)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access1
    Crypto map tag: to-site2, local addr 0.0.0.0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.255.0/255.255.255.0/0/0)
   current_peer Openswan.Server.WAN port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 0.0.0.0, remote crypto endpt.: Openswan.Server.WAN
     path mtu 1492, ip mtu 1492, ip mtu idb Virtual-Access1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Router01# sh cry ipsec sa

interface: Dialer0
    Crypto map tag: to-site2, local addr Cisco.Router.WAN

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.255.0/255.255.255.0/0/0)
   current_peer Openswan.Server.WAN port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: Cisco.Router.WAN, remote crypto endpt.: Openswan.Server.WAN
     path mtu 1492, ip mtu 1492, ip mtu idb Dialer0
     current outbound spi: 0x722A24DB(1915364571)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x47C24D69(1203916137)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: Onboard VPN:3, sibling_flags 80000046, crypto map: to-site2
        sa timing: remaining key lifetime (k/sec): (4588935/28772)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x722A24DB(1915364571)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: Onboard VPN:4, sibling_flags 80000046, crypto map: to-site2
        sa timing: remaining key lifetime (k/sec): (4588935/28772)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access1
    Crypto map tag: to-site2, local addr 0.0.0.0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.255.0/255.255.255.0/0/0)
   current_peer Openswan.Server.WAN port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 0.0.0.0, remote crypto endpt.: Openswan.Server.WAN
     path mtu 1492, ip mtu 1492, ip mtu idb Virtual-Access1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Any ideas? Anyone?
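An added example (not code from the thread) that parses sh cry ipsec sa output like the one posted above and applies the reasoning used in this thread: no outbound SPI means Phase 2 never completed; an SPI with #pkts encaps at 0 means nothing matched the crypto ACL (look at routing and NAT before encryption); encaps without decaps means the peer never answers. SAMPLE is constructed in the shape of the posted output, with placeholder WAN addresses.

```python
import re

# Constructed sample in the shape of the 'sh cry ipsec sa' output posted above;
# WAN addresses are placeholders, counters and SPI values mirror the thread.
SAMPLE = """\
interface: Dialer0
    Crypto map tag: to-site2, local addr Cisco.Router.WAN
   local  ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.255.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0x722A24DB(1915364571)

interface: Virtual-Access1
    Crypto map tag: to-site2, local addr 0.0.0.0
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0x0(0)
"""


def parse_ipsec_sa(text):
    """Return one dict per 'interface:' section with outbound SPI and counters."""
    sections, cur = [], None
    for line in text.splitlines():
        m = re.match(r"interface:\s*(\S+)", line)
        if m:
            cur = {"interface": m.group(1), "spi": 0, "encaps": 0, "decaps": 0}
            sections.append(cur)
            continue
        if cur is None:
            continue
        for key, pat in (("spi", r"current outbound spi:\s*0x([0-9A-Fa-f]+)"),
                         ("encaps", r"#pkts encaps:\s*(\d+)"),
                         ("decaps", r"#pkts decaps:\s*(\d+)")):
            m = re.search(pat, line)
            if m:
                cur[key] = int(m.group(1), 16 if key == "spi" else 10)
    return sections


def diagnose(sec):
    """Turn the counters into the next thing to check, following the thread."""
    if sec["spi"] == 0:
        return "no-phase2"              # no outbound SPI: Phase 2 never completed
    if sec["encaps"] == 0:
        return "no-interesting-traffic" # SA up but nothing hit the crypto ACL: routing/NAT
    if sec["decaps"] == 0:
        return "no-return-traffic"      # we encrypt, peer never answers: check peer side
    return "ok"


if __name__ == "__main__":
    for sec in parse_ipsec_sa(SAMPLE):
        print(sec["interface"], diagnose(sec))
```

Run it against a pasted show output: the Dialer0 section above reports no-interesting-traffic, which is exactly the state of the thread at this point (SAs active, every counter still zero).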

Hi,

I do not see anything wrong with respect to the config.

On the Openswan side, did you enable IP forwarding on the Linux box?

vi /etc/sysctl.conf

#change following line from 0 to 1

net.ipv4.ip_forward = 1

# activate it:

sysctl -p

Here is a good link for setting up the tunnels on OpenSwan with Cisco:

https://community.opsourcecloud.net/View.jspprocId=9efb7ca88925381eec45279a2828da19

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Also, sh ip rou includes:

S        172.16.255.0/24 [1/0] via Openswan.server.WAN

Just wondering, is this a routing problem? Because the ICMP packets shouldn't be addressed to Openswan.server.WAN; they should be addressed to 172.16.255.1, right? Then the ICMP packets should be encapsulated and encrypted, and the encrypted payload gets addressed to Openswan.server.WAN?

So, following from this logic does it not sound like a routing and VPN configuration issue?

Yes it can be a routing issue too.

It should be able to ping Openswan.server.WAN IP unless pings are not blocked on this device.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hi Aditya,

Sorry, that's not what I meant. I can ping Openswan.server.WAN,

I cannot ping 172.16.255.1, which is the internal address on Openswan.

Any ideas?