Buy or Renew
Buy or Renew
Welcome to the new Cisco Community. LEARN MORE about the updates and what is coming.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation

Packets not getting encrypt and decrypt IPSEC

Go to solution
mahesh18
Frequent Contributor
Frequent Contributor

‎12-15-2012 10:07 AM - edited ‎02-21-2020 06:33 PM

Hi Everyone,

I have 2691 Router conencted to Internet and it is doing Nat.

This connects to 3550A  Switch which has connection to 1811W  Router.

I setup VPN between 1811W and 3550A.

3550A has connection to 2691 via ospf.

OSPF is running between 1811w and 3550A.

1811

1811w# sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

192.168.99.2    192.168.99.1    QM_IDLE           2005 ACTIVE

IPv6 Crypto ISAKMP SA

1811w# sh crypto ipsec sa

interface: FastEthernet0

    Crypto map tag: VPN_MAP, local addr 192.168.99.1

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)

   current_peer 192.168.99.2 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 30, #recv errors 0

     local crypto endpt.: 192.168.99.1, remote crypto endpt.: 192.168.99.2

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

3550A

3550SMIA#                                                                                           sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id slot status

192.168.99.2    192.168.99.1    QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

3550SMIA#sh cry

3550SMIA#sh crypto ipsec sa

interface: FastEthernet0/8

    Crypto map tag: VPN_MAP, local addr 192.168.99.2

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)

   current_peer 192.168.99.1 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 15, #recv errors 0

     local crypto endpt.: 192.168.99.2, remote crypto endpt.: 192.168.99.1

     path mtu 1500, ip mtu 1500

     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

As seen above the packets are not encrypted between 1811w and 3550A.

I have used same ACL  on both 1811W and 3550A

ip access-list extended INTERESTING_TRAFFIC

permit ip 192.168.0.0 0.0.255.255 192.168.99.0 0.0.0.255 log

Any reasons why packets are not getting encrypt and decrypt?

Thanks

MAhesh

Labels:
0 Helpful
3 ACCEPTED SOLUTIONS

Accepted Solutions

Go to solution
Eugene Korneychuk
Cisco Employee
Cisco Employee

‎12-15-2012 10:59 AM

Hello,

Access-list for interesting traffic should be mirrored.

Best Regards,

Eugene

View solution in original post

0 Helpful

Go to solution
Eugene Korneychuk
Cisco Employee
Cisco Employee
In response to mahesh18

‎12-15-2012 01:55 PM

Hi Makesh,

No it should not be the same. For example:

Your LAN  is 10.20.10.0/24, remote network is 10.10.10.0/24

access-list on your site should be:

access-list 100 permit ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255

access-list on remote site should be:

access-list 100 permit ip 10.10.10.0 0.0.0.255 10.20.10.0 0.0.0.255

Please refer to this configuration guide:

http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080ba1d0a.shtml

Please rate helpful posts

Best Regards,

Eugene

View solution in original post

0 Helpful

Go to solution
Eugene Korneychuk
Cisco Employee
Cisco Employee
In response to mahesh18

‎12-15-2012 02:19 PM

Hi Mahesh,

Yes, traffic is encrypted , since you can see enryptions and decryptions on both ends.

Regarding log option in ACL:

You will see logs, only when tunnel will be initiated. log option in ACL defined for interesting traffic in not a common scenario, cause it is useless.

Please rate helpful posts

Best Regards,

Eugene

View solution in original post

0 Helpful
7 REPLIES 7

Go to solution
Marvin Rhoads
VIP Community Legend VIP Community Legend
VIP Community Legend

‎12-15-2012 10:58 AM

Both ends show the IPSec local and remote identities as the same. The way it should be is that they are reversed.

Each end's ACL should be:

permit ip

Local means local to that router so the network address is different on each (and they must have symmetry with each other).

0 Helpful