ā12-15-2012 10:07 AM - edited ā02-21-2020 06:33 PM
Hi Everyone,
I have 2691 Router conencted to Internet and it is doing Nat.
This connects to 3550A Switch which has connection to 1811W Router.
I setup VPN between 1811W and 3550A.
3550A has connection to 2691 via ospf.
OSPF is running between 1811w and 3550A.
1811
1811w# sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.99.2 192.168.99.1 QM_IDLE 2005 ACTIVE
IPv6 Crypto ISAKMP SA
1811w# sh crypto ipsec sa
interface: FastEthernet0
Crypto map tag: VPN_MAP, local addr 192.168.99.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)
current_peer 192.168.99.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 30, #recv errors 0
local crypto endpt.: 192.168.99.1, remote crypto endpt.: 192.168.99.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
3550A
3550SMIA# sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.99.2 192.168.99.1 QM_IDLE 1001 ACTIVE
IPv6 Crypto ISAKMP SA
3550SMIA#sh cry
3550SMIA#sh crypto ipsec sa
interface: FastEthernet0/8
Crypto map tag: VPN_MAP, local addr 192.168.99.2
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)
current_peer 192.168.99.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 15, #recv errors 0
local crypto endpt.: 192.168.99.2, remote crypto endpt.: 192.168.99.1
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
As seen above the packets are not encrypted between 1811w and 3550A.
I have used same ACL on both 1811W and 3550A
ip access-list extended INTERESTING_TRAFFIC
permit ip 192.168.0.0 0.0.255.255 192.168.99.0 0.0.0.255 log
Any reasons why packets are not getting encrypt and decrypt?
Thanks
MAhesh
Solved! Go to Solution.
ā12-15-2012 10:59 AM
Hello,
Access-list for interesting traffic should be mirrored.
Best Regards,
Eugene
ā12-15-2012 01:55 PM
Hi Makesh,
No it should not be the same. For example:
Your LAN is 10.20.10.0/24, remote network is 10.10.10.0/24
access-list on your site should be:
access-list 100 permit ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list on remote site should be:
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.20.10.0 0.0.0.255
Please refer to this configuration guide:
http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080ba1d0a.shtml
Please rate helpful posts
Best Regards,
Eugene
ā12-15-2012 02:19 PM
Hi Mahesh,
Yes, traffic is encrypted , since you can see enryptions and decryptions on both ends.
Regarding log option in ACL:
You will see logs, only when tunnel will be initiated. log option in ACL defined for interesting traffic in not a common scenario, cause it is useless.
Please rate helpful posts
Best Regards,
Eugene
ā12-15-2012 10:58 AM
Both ends show the IPSec local and remote identities as the same. The way it should be is that they are reversed.
Each end's ACL should be:
permit ip
Local means local to that router so the network address is different on each (and they must have symmetry with each other).
ā12-15-2012 10:59 AM
Hello,
Access-list for interesting traffic should be mirrored.
Best Regards,
Eugene
ā12-15-2012 01:14 PM
Hi Eugene,
Do you mean that ACL should be same on both routers?
Currently i have same ACL on both routers.
Thanks
MAhesh
ā12-15-2012 01:55 PM
Hi Makesh,
No it should not be the same. For example:
Your LAN is 10.20.10.0/24, remote network is 10.10.10.0/24
access-list on your site should be:
access-list 100 permit ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list on remote site should be:
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.20.10.0 0.0.0.255
Please refer to this configuration guide:
http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080ba1d0a.shtml
Please rate helpful posts
Best Regards,
Eugene
ā12-15-2012 02:03 PM
Hi Eugene,
I did that here is info now
sh crypto ipsec sa
interface: FastEthernet0
Crypto map tag: VPN_MAP, local addr 192.168.99.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)
current_peer 192.168.99.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 43, #pkts encrypt: 43, #pkts digest: 43
#pkts decaps: 43, #pkts decrypt: 43, #pkts verify: 43
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 192.168.99.1, remote crypto endpt.: 192.168.99.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0x8319FE5B(2199518811)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xAE0A578B(2919913355)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 15, flow_id: Onboard VPN:15, sibling_flags 80000046, crypto map: VPN_MAP
sa timing: remaining key lifetime (k/sec): (4454255/2388)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x8319FE5B(2199518811)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 16, flow_id: Onboard VPN:16, sibling_flags 80000046, crypto map: VPN_MAP
sa timing: remaining key lifetime (k/sec): (4454255/2388)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Seems it is encrypted now.
Congig of ACL
!
ip access-list extended INTERESTING_TRAFFIC
permit ip 192.168.0.0 0.0.255.255 192.168.99.0 0.0.0.255 log
even though i have log command config in thr ACL still it shows only
2 logs
.Dec 15 14:23:55.723 MST: %SEC-6-IPACCESSLOGP: list INTERESTING_TRAFFIC permitted udp 192.168.99.1(123) -> 192.168.99.2(123), 1 packet
.Dec 15 14:29:28.391 MST: %SYS-5-CONFIG_I: Configured from console by mintoo on vty0 (192.168.98.6)
.Dec 15 14:40:55.749 MST: %SEC-6-IPACCESSLOGP: list INTERESTING_TRAFFIC permitted udp 192.168.99.1(123) -> 192.168.99.2(123), 1 packet
1811w#
Do you know why is this?
Thanks
MAhesh
ā12-15-2012 02:19 PM
Hi Mahesh,
Yes, traffic is encrypted , since you can see enryptions and decryptions on both ends.
Regarding log option in ACL:
You will see logs, only when tunnel will be initiated. log option in ACL defined for interesting traffic in not a common scenario, cause it is useless.
Please rate helpful posts
Best Regards,
Eugene
ā12-15-2012 02:21 PM
Hi Eugene,
Best Regards for answering all my questions
Mahesh
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide