12-15-2012 10:07 AM - edited 02-21-2020 06:33 PM
Hi Everyone,
I have a 2691 router connected to the Internet and it is doing NAT.
This connects to a 3550A switch which has a connection to an 1811W router.
I set up a VPN between the 1811W and the 3550A.
The 3550A has a connection to the 2691 via OSPF.
OSPF is running between the 1811W and the 3550A.
1811
1811w# sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.99.2 192.168.99.1 QM_IDLE 2005 ACTIVE
IPv6 Crypto ISAKMP SA
1811w# sh crypto ipsec sa
interface: FastEthernet0
Crypto map tag: VPN_MAP, local addr 192.168.99.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)
current_peer 192.168.99.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 30, #recv errors 0
local crypto endpt.: 192.168.99.1, remote crypto endpt.: 192.168.99.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
3550A
3550SMIA# sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.99.2 192.168.99.1 QM_IDLE 1001 ACTIVE
IPv6 Crypto ISAKMP SA
3550SMIA#sh cry
3550SMIA#sh crypto ipsec sa
interface: FastEthernet0/8
Crypto map tag: VPN_MAP, local addr 192.168.99.2
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)
current_peer 192.168.99.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 15, #recv errors 0
local crypto endpt.: 192.168.99.2, remote crypto endpt.: 192.168.99.1
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
As seen above, the packets are not encrypted between the 1811W and the 3550A.
I have used the same ACL on both the 1811W and the 3550A:
ip access-list extended INTERESTING_TRAFFIC
permit ip 192.168.0.0 0.0.255.255 192.168.99.0 0.0.0.255 log
Any reasons why packets are not getting encrypted and decrypted?
Thanks
Mahesh
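As an added example (not code from the original post), the following Python script parses the `show crypto isakmp sa` / `show crypto ipsec sa` output quoted above and turns the symptoms into findings: ISAKMP in QM_IDLE/ACTIVE while no ESP SA exists and the outbound SPI is 0x0, send errors climbing with zero encaps, and local/remote identities that are not mirrored between the two peers. The sample text is constructed from the two routers' outputs in the question, trimmed to the lines the parser reads; the finding names are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed samples, copied from the 1811w and 3550A output in the question
# above and trimmed to the lines this script actually parses.
ISAKMP_1811W = """IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.99.2 192.168.99.1 QM_IDLE 2005 ACTIVE
"""

IPSEC_1811W = """interface: FastEthernet0
Crypto map tag: VPN_MAP, local addr 192.168.99.1
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)
current_peer 192.168.99.2 port 500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 30, #recv errors 0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
"""

IPSEC_3550A = """interface: FastEthernet0/8
Crypto map tag: VPN_MAP, local addr 192.168.99.2
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)
current_peer 192.168.99.1 port 500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 15, #recv errors 0
current outbound spi: 0x0(0)
inbound esp sas:
outbound esp sas:
"""


def parse_isakmp_sa(text: str) -> List[Dict[str, str]]:
    """Rows of 'show crypto isakmp sa': dst src state conn-id [slot] status.
    The optional 'slot' column is skipped by reading status from the end."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", parts[0]):
            rows.append({"dst": parts[0], "src": parts[1],
                         "state": parts[2], "status": parts[-1]})
    return rows


def _counter(text: str, name: str) -> int:
    # Handles both "#pkts encaps: 0" and "#send errors 30" (no colon).
    m = re.search(r"#" + re.escape(name) + r":?\s+(\d+)", text)
    return int(m.group(1)) if m else 0


def _ident(text: str, which: str) -> Optional[Tuple[str, str]]:
    m = re.search(which + r" ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/", text)
    return (m.group(1), m.group(2)) if m else None


def parse_ipsec_sa(text: str) -> Dict[str, object]:
    """Counters, identities and SA presence from 'show crypto ipsec sa'."""
    spi = re.search(r"current outbound spi: 0x([0-9A-Fa-f]+)", text)
    return {
        "local_ident": _ident(text, "local"),
        "remote_ident": _ident(text, "remote"),
        "encaps": _counter(text, "pkts encaps"),
        "decaps": _counter(text, "pkts decaps"),
        "send_errors": _counter(text, "send errors"),
        "outbound_spi": int(spi.group(1), 16) if spi else 0,
        # A live ESP SA prints a "spi:" line directly under "inbound esp sas:";
        # an empty section means phase 2 never produced an SA.
        "has_esp_sa": re.search(r"inbound esp sas:\s*\n\s*spi:", text) is not None,
    }


def diagnose(isakmp_text: str, ipsec_text: str,
             peer_ipsec_text: Optional[str] = None) -> List[str]:
    """Return 'name: explanation' findings; an empty list means nothing odd."""
    findings = []
    phase1 = [r for r in parse_isakmp_sa(isakmp_text)
              if r["state"] == "QM_IDLE" and r["status"] == "ACTIVE"]
    sa = parse_ipsec_sa(ipsec_text)
    if not phase1:
        findings.append("phase1-down: no ISAKMP SA in QM_IDLE/ACTIVE")
    if phase1 and not sa["has_esp_sa"] and sa["outbound_spi"] == 0:
        findings.append("phase2-missing: ISAKMP is up but no IPsec SA exists (outbound SPI 0x0)")
    if sa["encaps"] == 0 and sa["send_errors"] > 0:
        findings.append(f"send-errors: {sa['send_errors']} packets matched the crypto map "
                        "but were dropped; nothing was encapsulated")
    if peer_ipsec_text is not None:
        peer = parse_ipsec_sa(peer_ipsec_text)
        mirrored = (sa["local_ident"] == peer["remote_ident"]
                    and sa["remote_ident"] == peer["local_ident"])
        if not mirrored:
            findings.append("ident-mismatch: local/remote idents are not mirrored between the peers")
    return findings


if __name__ == "__main__":
    for f in diagnose(ISAKMP_1811W, IPSEC_1811W, IPSEC_3550A):
        print(f)
```

Run against the two outputs in the question, the script reports all three findings; the ident comparison is the one that points at the crypto ACL, since both routers present 192.168.0.0/16 as local and 192.168.99.0/24 as remote instead of the reverse.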
12-15-2012 10:59 AM
Hello,
Access-list for interesting traffic should be mirrored.
Best Regards,
Eugene
12-15-2012 01:55 PM
Hi Mahesh,
No it should not be the same. For example:
Your LAN is 10.20.10.0/24, remote network is 10.10.10.0/24
access-list on your site should be:
access-list 100 permit ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list on remote site should be:
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.20.10.0 0.0.0.255
Please refer to this configuration guide:
http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080ba1d0a.shtml
Please rate helpful posts
Best Regards,
Eugene
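The mirroring rule from the reply above, as an added example that is not part of the original thread: this Python script parses Cisco extended ACL entries (named or numbered form), converts each address/wildcard pair to a network, and checks that every source/destination pair on one side appears reversed on the other. The sample ACLs are constructed from the question and from the reply; the function names are my own, and the helper only handles `permit ip A WA B WB` entries with contiguous wildcards (no `any`/`host` keywords).

```python
import ipaddress
import re
from typing import List, Set, Tuple

# One "permit ip" entry, named form ("permit ip A WA B WB [log]") or
# numbered form ("access-list 100 permit ip A WA B WB").
_ACE_RE = re.compile(
    r"^(?:access-list\s+\d+\s+)?permit\s+ip\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<swc>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dwc>\d+\.\d+\.\d+\.\d+)"
)

# Constructed samples. OP_ACL is the ACL from the question, which was applied
# unchanged on both routers; LOCAL_ACL/REMOTE_ACL are the mirrored pair from the reply.
OP_ACL = """ip access-list extended INTERESTING_TRAFFIC
 permit ip 192.168.0.0 0.0.255.255 192.168.99.0 0.0.0.255 log
"""
LOCAL_ACL = "access-list 100 permit ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255\n"
REMOTE_ACL = "access-list 100 permit ip 10.10.10.0 0.0.0.255 10.20.10.0 0.0.0.255\n"


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco address/wildcard -> IPv4Network. The wildcard is the inverted
    subnet mask (0.0.255.255 -> /16). A non-contiguous wildcard makes
    IPv4Network raise NetmaskValueError, which is the right outcome here."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_crypto_acl(text: str) -> Set[Tuple[str, str]]:
    """Set of (source, destination) networks the ACL permits; other lines
    (the ACL name, deny entries, remarks) are ignored."""
    entries = set()
    for line in text.splitlines():
        m = _ACE_RE.match(line.strip())
        if not m:
            continue
        src = wildcard_to_network(m["src"], m["swc"])
        dst = wildcard_to_network(m["dst"], m["dwc"])
        entries.add((str(src), str(dst)))
    return entries


def mirror_mismatches(local_acl: str, remote_acl: str) -> List[str]:
    """Every (src, dst) on the local side must appear as (dst, src) on the
    remote side, and vice versa. Returns readable mismatches; empty means
    the two crypto ACLs are proper mirrors."""
    local = parse_crypto_acl(local_acl)
    remote = parse_crypto_acl(remote_acl)
    expected_remote = {(d, s) for (s, d) in local}
    problems = []
    for s, d in sorted(expected_remote - remote):
        problems.append(f"remote side is missing: permit ip {s} -> {d}")
    for s, d in sorted(remote - expected_remote):
        problems.append(f"remote side has an unmatched entry: permit ip {s} -> {d}")
    return problems


if __name__ == "__main__":
    print("same ACL on both ends:", mirror_mismatches(OP_ACL, OP_ACL) or "mirrored")
    print("reply's example pair:", mirror_mismatches(LOCAL_ACL, REMOTE_ACL) or "mirrored")
```

With the question's ACL on both routers the check reports two problems (the expected reversed entry is absent and the copied entry is unmatched); with the reply's pair it reports none.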
12-15-2012 02:19 PM
Hi Mahesh,
Yes, traffic is encrypted, since you can see encryptions and decryptions on both ends.
Regarding the log option in the ACL:
You will see logs only when the tunnel is initiated. The log option in an ACL defined for interesting traffic is not a common scenario, because it is useless.
Please rate helpful posts
Best Regards,
Eugene
12-15-2012 10:58 AM
Both ends show the IPSec local and remote identities as the same. The way it should be is that they are reversed.
Each end's ACL should be:
permit ip
Local means local to that router, so the network address is different on each (and they must have symmetry with each other).