cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4971
Views
0
Helpful
7
Replies

Packets not getting encrypt and decrypt IPSEC

mahesh18
Level 6
Level 6

Hi Everyone,

I have 2691 Router conencted to Internet and it is doing Nat.

This connects to 3550A  Switch which has connection to 1811W  Router.

I setup VPN between 1811W and 3550A.

3550A has connection to 2691 via ospf.

OSPF is running between 1811w and 3550A.

1811

1811w# sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

192.168.99.2    192.168.99.1    QM_IDLE           2005 ACTIVE

IPv6 Crypto ISAKMP SA

1811w# sh crypto ipsec sa

interface: FastEthernet0

    Crypto map tag: VPN_MAP, local addr 192.168.99.1

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)

   current_peer 192.168.99.2 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 30, #recv errors 0

     local crypto endpt.: 192.168.99.1, remote crypto endpt.: 192.168.99.2

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

3550A

3550SMIA#                                                                                           sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id slot status

192.168.99.2    192.168.99.1    QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

3550SMIA#sh cry

3550SMIA#sh crypto ipsec sa

interface: FastEthernet0/8

    Crypto map tag: VPN_MAP, local addr 192.168.99.2

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)

   current_peer 192.168.99.1 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 15, #recv errors 0

     local crypto endpt.: 192.168.99.2, remote crypto endpt.: 192.168.99.1

     path mtu 1500, ip mtu 1500

     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

As seen above the packets are not encrypted between 1811w and 3550A.

I have used same ACL  on both 1811W and 3550A

ip access-list extended INTERESTING_TRAFFIC

permit ip 192.168.0.0 0.0.255.255 192.168.99.0 0.0.0.255 log

Any reasons why packets are not getting encrypt and decrypt?

Thanks

MAhesh

3 Accepted Solutions

Accepted Solutions

Eugene Korneychuk
Cisco Employee
Cisco Employee

Hello,

Access-list for interesting traffic should be mirrored.

Best Regards,

Eugene

View solution in original post

Hi Makesh,

No it should not be the same. For example:

Your LAN  is 10.20.10.0/24, remote network is 10.10.10.0/24

access-list on your site should be:

access-list 100 permit ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255

access-list on remote site should be:

access-list 100 permit ip 10.10.10.0 0.0.0.255 10.20.10.0 0.0.0.255

Please refer to this configuration guide:

http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080ba1d0a.shtml

Please rate helpful posts

Best Regards,

Eugene

View solution in original post

Hi Mahesh,

Yes, traffic is encrypted , since you can see enryptions and decryptions on both ends.

Regarding log option in ACL:

You will see logs, only when tunnel will be initiated. log option in ACL defined for interesting traffic in not a common scenario, cause it is useless.

Please rate helpful posts

Best Regards,

Eugene

View solution in original post

7 Replies 7

Marvin Rhoads
Hall of Fame
Hall of Fame

Both ends show the IPSec local and remote identities as the same. The way it should be is that they are reversed.

Each end's ACL should be:

permit ip

Local means local to that router so the network address is different on each (and they must have symmetry with each other).

Eugene Korneychuk
Cisco Employee
Cisco Employee

Hello,

Access-list for interesting traffic should be mirrored.

Best Regards,

Eugene

Hi Eugene,

Do you mean that ACL should be same on both routers?

Currently i have same ACL  on both routers.

Thanks

MAhesh

Hi Makesh,

No it should not be the same. For example:

Your LAN  is 10.20.10.0/24, remote network is 10.10.10.0/24

access-list on your site should be:

access-list 100 permit ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255

access-list on remote site should be:

access-list 100 permit ip 10.10.10.0 0.0.0.255 10.20.10.0 0.0.0.255

Please refer to this configuration guide:

http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080ba1d0a.shtml

Please rate helpful posts

Best Regards,

Eugene

Hi Eugene,

I did that here is info now

        sh crypto ipsec sa

interface: FastEthernet0

    Crypto map tag: VPN_MAP, local addr 192.168.99.1

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)

   current_peer 192.168.99.2 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 43, #pkts encrypt: 43, #pkts digest: 43

    #pkts decaps: 43, #pkts decrypt: 43, #pkts verify: 43

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 1, #recv errors 0

     local crypto endpt.: 192.168.99.1, remote crypto endpt.: 192.168.99.2

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0

     current outbound spi: 0x8319FE5B(2199518811)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

      spi: 0xAE0A578B(2919913355)

        transform: esp-des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 15, flow_id: Onboard VPN:15, sibling_flags 80000046, crypto map: VPN_MAP

        sa timing: remaining key lifetime (k/sec): (4454255/2388)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x8319FE5B(2199518811)

        transform: esp-des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 16, flow_id: Onboard VPN:16, sibling_flags 80000046, crypto map: VPN_MAP

        sa timing: remaining key lifetime (k/sec): (4454255/2388)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Seems it is encrypted now.

Congig of ACL

!

ip access-list extended INTERESTING_TRAFFIC

permit ip 192.168.0.0 0.0.255.255 192.168.99.0 0.0.0.255 log

even though i have log command config in thr ACL  still it shows only

2 logs

.Dec 15 14:23:55.723 MST: %SEC-6-IPACCESSLOGP: list INTERESTING_TRAFFIC permitted udp 192.168.99.1(123) -> 192.168.99.2(123), 1 packet

.Dec 15 14:29:28.391 MST: %SYS-5-CONFIG_I: Configured from console by mintoo on vty0 (192.168.98.6)

.Dec 15 14:40:55.749 MST: %SEC-6-IPACCESSLOGP: list INTERESTING_TRAFFIC permitted udp 192.168.99.1(123) -> 192.168.99.2(123), 1 packet

1811w#

Do you know why is this?

Thanks

MAhesh

Hi Mahesh,

Yes, traffic is encrypted , since you can see enryptions and decryptions on both ends.

Regarding log option in ACL:

You will see logs, only when tunnel will be initiated. log option in ACL defined for interesting traffic in not a common scenario, cause it is useless.

Please rate helpful posts

Best Regards,

Eugene

Hi Eugene,

Best Regards for answering all my questions

Mahesh