Solved: Packets not getting encrypt and decrypt IPSEC

mahesh18 · ‎12-15-2012

Hi Everyone,

I have 2691 Router conencted to Internet and it is doing Nat.

This connects to 3550A Switch which has connection to 1811W Router.

I setup VPN between 1811W and 3550A.

3550A has connection to 2691 via ospf.

OSPF is running between 1811w and 3550A.

1811

1811w# sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id status

192.168.99.2 192.168.99.1 QM_IDLE 2005 ACTIVE

IPv6 Crypto ISAKMP SA

1811w# sh crypto ipsec sa

interface: FastEthernet0

Crypto map tag: VPN_MAP, local addr 192.168.99.1

protected vrf: (none)

local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)

remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)

current_peer 192.168.99.2 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 30, #recv errors 0

local crypto endpt.: 192.168.99.1, remote crypto endpt.: 192.168.99.2

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0

current outbound spi: 0x0(0)

PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

3550A

3550SMIA# sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

192.168.99.2 192.168.99.1 QM_IDLE 1001 ACTIVE

IPv6 Crypto ISAKMP SA

3550SMIA#sh cry

3550SMIA#sh crypto ipsec sa

interface: FastEthernet0/8

Crypto map tag: VPN_MAP, local addr 192.168.99.2

protected vrf: (none)

local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)

remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)

current_peer 192.168.99.1 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 15, #recv errors 0

local crypto endpt.: 192.168.99.2, remote crypto endpt.: 192.168.99.1

path mtu 1500, ip mtu 1500

current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

As seen above the packets are not encrypted between 1811w and 3550A.

I have used same ACL on both 1811W and 3550A

ip access-list extended INTERESTING_TRAFFIC

permit ip 192.168.0.0 0.0.255.255 192.168.99.0 0.0.0.255 log

Any reasons why packets are not getting encrypt and decrypt?

Thanks

MAhesh

Eugene Korneychuk · ‎12-15-2012

Hello,

Access-list for interesting traffic should be mirrored.

Best Regards,

Eugene

View solution in original post

Eugene Korneychuk · ‎12-15-2012

Hi Makesh,

No it should not be the same. For example:

Your LAN is 10.20.10.0/24, remote network is 10.10.10.0/24

access-list on your site should be:

access-list 100 permit ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255

access-list on remote site should be:

access-list 100 permit ip 10.10.10.0 0.0.0.255 10.20.10.0 0.0.0.255

Please refer to this configuration guide:

http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080ba1d0a.shtml

Please rate helpful posts

Best Regards,

Eugene

View solution in original post

Eugene Korneychuk · ‎12-15-2012

Hi Mahesh,

Yes, traffic is encrypted , since you can see enryptions and decryptions on both ends.

Regarding log option in ACL:

You will see logs, only when tunnel will be initiated. log option in ACL defined for interesting traffic in not a common scenario, cause it is useless.

Please rate helpful posts

Best Regards,

Eugene

View solution in original post

Marvin Rhoads · ‎12-15-2012

Both ends show the IPSec local and remote identities as the same. The way it should be is that they are reversed.

Each end's ACL should be:

permit ip

Local means local to that router so the network address is different on each (and they must have symmetry with each other).

Eugene Korneychuk · ‎12-15-2012

Hello,

Access-list for interesting traffic should be mirrored.

Best Regards,

Eugene

mahesh18 · ‎12-15-2012

Hi Eugene,

Do you mean that ACL should be same on both routers?

Currently i have same ACL on both routers.

Thanks

MAhesh

Eugene Korneychuk · ‎12-15-2012

Hi Makesh,

No it should not be the same. For example:

Your LAN is 10.20.10.0/24, remote network is 10.10.10.0/24

access-list on your site should be:

access-list 100 permit ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255

access-list on remote site should be:

access-list 100 permit ip 10.10.10.0 0.0.0.255 10.20.10.0 0.0.0.255

Please refer to this configuration guide:

http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080ba1d0a.shtml

Please rate helpful posts

Best Regards,

Eugene

mahesh18 · ‎12-15-2012

Hi Eugene,

I did that here is info now

sh crypto ipsec sa

interface: FastEthernet0

Crypto map tag: VPN_MAP, local addr 192.168.99.1

protected vrf: (none)

local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)

remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)

current_peer 192.168.99.2 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 43, #pkts encrypt: 43, #pkts digest: 43

#pkts decaps: 43, #pkts decrypt: 43, #pkts verify: 43

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 1, #recv errors 0

local crypto endpt.: 192.168.99.1, remote crypto endpt.: 192.168.99.2

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0

current outbound spi: 0x8319FE5B(2199518811)

PFS (Y/N): N, DH group: none

inbound esp sas:

spi: 0xAE0A578B(2919913355)

transform: esp-des esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 15, flow_id: Onboard VPN:15, sibling_flags 80000046, crypto map: VPN_MAP

sa timing: remaining key lifetime (k/sec): (4454255/2388)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x8319FE5B(2199518811)

transform: esp-des esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 16, flow_id: Onboard VPN:16, sibling_flags 80000046, crypto map: VPN_MAP

sa timing: remaining key lifetime (k/sec): (4454255/2388)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

outbound ah sas:

outbound pcp sas:

Seems it is encrypted now.

Congig of ACL

!

ip access-list extended INTERESTING_TRAFFIC

permit ip 192.168.0.0 0.0.255.255 192.168.99.0 0.0.0.255 log

even though i have log command config in thr ACL still it shows only

2 logs

.Dec 15 14:23:55.723 MST: %SEC-6-IPACCESSLOGP: list INTERESTING_TRAFFIC permitted udp 192.168.99.1(123) -> 192.168.99.2(123), 1 packet

.Dec 15 14:29:28.391 MST: %SYS-5-CONFIG_I: Configured from console by mintoo on vty0 (192.168.98.6)

.Dec 15 14:40:55.749 MST: %SEC-6-IPACCESSLOGP: list INTERESTING_TRAFFIC permitted udp 192.168.99.1(123) -> 192.168.99.2(123), 1 packet

1811w#

Do you know why is this?

Thanks

MAhesh

Eugene Korneychuk · ‎12-15-2012

Hi Mahesh,

Yes, traffic is encrypted , since you can see enryptions and decryptions on both ends.

Regarding log option in ACL:

You will see logs, only when tunnel will be initiated. log option in ACL defined for interesting traffic in not a common scenario, cause it is useless.

Please rate helpful posts

Best Regards,

Eugene

mahesh18 · ‎12-15-2012

Hi Eugene,

Best Regards for answering all my questions

Mahesh