12-15-2012 10:07 AM - edited 02-21-2020 06:33 PM
Hi Everyone,
I have a 2691 Router connected to the Internet and it is doing NAT.
This connects to a 3550A Switch which has a connection to an 1811W Router.
I setup VPN between 1811W and 3550A.
3550A has connection to 2691 via ospf.
OSPF is running between 1811w and 3550A.
1811
1811w# sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.99.2 192.168.99.1 QM_IDLE 2005 ACTIVE
IPv6 Crypto ISAKMP SA
1811w# sh crypto ipsec sa
interface: FastEthernet0
Crypto map tag: VPN_MAP, local addr 192.168.99.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)
current_peer 192.168.99.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 30, #recv errors 0
local crypto endpt.: 192.168.99.1, remote crypto endpt.: 192.168.99.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
3550A
3550SMIA# sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.99.2 192.168.99.1 QM_IDLE 1001 ACTIVE
IPv6 Crypto ISAKMP SA
3550SMIA#sh cry
3550SMIA#sh crypto ipsec sa
interface: FastEthernet0/8
Crypto map tag: VPN_MAP, local addr 192.168.99.2
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)
current_peer 192.168.99.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 15, #recv errors 0
local crypto endpt.: 192.168.99.2, remote crypto endpt.: 192.168.99.1
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
As seen above, the packets are not encrypted between 1811W and 3550A.
I have used the same ACL on both 1811W and 3550A:
ip access-list extended INTERESTING_TRAFFIC
permit ip 192.168.0.0 0.0.255.255 192.168.99.0 0.0.0.255 log
Any reasons why packets are not getting encrypted and decrypted?
Thanks
Mahesh
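The state in this post (ISAKMP in QM_IDLE/ACTIVE, but `current outbound spi: 0x0`, empty `esp sas` lists, zero encaps/decaps and a growing `#send errors` counter) is "phase 1 up, phase 2 never negotiated", which looks different from an SA that exists but is idle or one-way. The following triage helper is an added example, not code from this thread or from Cisco: it parses one crypto-map entry of `show crypto ipsec sa` and returns a verdict. The two samples are constructed from the output pasted in this post and from the working output in the OP's later post in this thread; the function names are my own.

```python
import re

# Both samples are constructed from outputs pasted in this thread: BROKEN from
# the first post (ISAKMP up, no IPsec SA), WORKING from the OP's later post
# after the crypto ACLs were mirrored. Indentation approximates IOS.
BROKEN = """\
interface: FastEthernet0
   Crypto map tag: VPN_MAP, local addr 192.168.99.1
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)
   current_peer 192.168.99.2 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 30, #recv errors 0
     current outbound spi: 0x0(0)
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
"""

WORKING = """\
interface: FastEthernet0
   Crypto map tag: VPN_MAP, local addr 192.168.99.1
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)
   current_peer 192.168.99.2 port 500
    #pkts encaps: 43, #pkts encrypt: 43, #pkts digest: 43
    #pkts decaps: 43, #pkts decrypt: 43, #pkts verify: 43
    #send errors 1, #recv errors 0
     current outbound spi: 0x8319FE5B(2199518811)
     inbound esp sas:
      spi: 0xAE0A578B(2919913355)
        transform: esp-des esp-sha-hmac ,
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x8319FE5B(2199518811)
        transform: esp-des esp-sha-hmac ,
     outbound ah sas:
     outbound pcp sas:
"""

COUNTERS = {
    "encaps": re.compile(r"#pkts encaps:\s*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s*(\d+)"),
    "send_errors": re.compile(r"#send errors\s*(\d+)"),
}
SPI_RE = re.compile(r"current outbound spi:\s*0x([0-9A-Fa-f]+)")
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
SECTION_RE = re.compile(r"^\s*(inbound|outbound) (esp|ah|pcp) sas:")


def parse_ipsec_sa(text):
    """Pull the triage-relevant fields out of one crypto-map entry: packet
    counters, proxy identities, outbound SPI, and the number of ESP SAs per direction."""
    info = {}
    for name, rx in COUNTERS.items():
        m = rx.search(text)
        info[name] = int(m.group(1)) if m else None
    for m in IDENT_RE.finditer(text):
        info[m.group(1) + "_ident"] = f"{m.group(2)}/{m.group(3)}"
    m = SPI_RE.search(text)
    info["outbound_spi"] = int(m.group(1), 16) if m else None
    sas, section = {"inbound": 0, "outbound": 0}, None
    for line in text.splitlines():
        hdr = SECTION_RE.match(line)
        if hdr:  # only 'spi:' lines under an esp section count as IPsec SAs
            section = hdr.group(1) if hdr.group(2) == "esp" else None
        elif section and line.strip().startswith("spi:"):
            sas[section] += 1
    info["inbound_esp_sas"], info["outbound_esp_sas"] = sas["inbound"], sas["outbound"]
    return info


def triage(text):
    """One-line verdict for a single crypto-map entry of 'show crypto ipsec sa'."""
    i = parse_ipsec_sa(text)
    if i["inbound_esp_sas"] == 0 and i["outbound_esp_sas"] == 0:
        # ISAKMP can show QM_IDLE/ACTIVE while this is true: phase 1 succeeded but
        # quick mode never produced an IPsec SA, so the outbound SPI stays 0x0 and
        # send errors typically grow as matched packets are dropped with no SA.
        return (f"no IPsec SA ({i['send_errors']} send errors): phase 2 never completed; "
                "check that the crypto ACLs are mirrored and the transform sets match")
    if not i["encaps"] and not i["decaps"]:
        return "IPsec SA present but idle: no traffic has matched the crypto ACL yet"
    if i["encaps"] and not i["decaps"]:
        return "one-way: encrypting but nothing decrypted; check the return path and the peer's ACL"
    if i["decaps"] and not i["encaps"]:
        return "one-way: decrypting but nothing encrypted; check routing onto the crypto interface"
    return "healthy: packets encrypted and decrypted in both directions"
```

Feed it one entry at a time; real output with several crypto-map entries needs splitting on the `local ident` lines first. The ISAKMP state alone says nothing about phase 2, which is why the helper ignores `show crypto isakmp sa` and looks only for ESP SAs.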
12-15-2012 10:58 AM
Both ends show the IPSec local and remote identities as the same. The way it should be is that they are reversed.
Each end's ACL should be:
permit ip
Local means local to that router, so the network address is different on each (and they must be symmetrical with each other).
12-15-2012 10:59 AM
Hello,
Access-list for interesting traffic should be mirrored.
Best Regards,
Eugene
12-15-2012 01:14 PM
Hi Eugene,
Do you mean that ACL should be same on both routers?
Currently I have the same ACL on both routers.
Thanks
Mahesh
12-15-2012 01:55 PM
Hi Mahesh,
No it should not be the same. For example:
Your LAN is 10.20.10.0/24, remote network is 10.10.10.0/24
access-list on your site should be:
access-list 100 permit ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list on remote site should be:
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.20.10.0 0.0.0.255
Please refer to this configuration guide:
http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080ba1d0a.shtml
Please rate helpful posts
Best Regards,
Eugene
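The mirroring rule above can be checked mechanically. The following is an added example, not code from this thread or from the linked Cisco guide: it parses IOS `permit ip` crypto-ACL entries (wildcard masks, plus `host` and `any`, which goes beyond the two-line example above), tests whether two peers' ACLs are mirrors of each other, generates the remote side's entries from the local ones, and tells you which packets an ACL would steer into the tunnel. The sample ACLs are constructed from Eugene's 10.20.10.0/10.10.10.0 example and from the `INTERESTING_TRAFFIC` list in the first post; function names are my own.

```python
import ipaddress

# Constructed inputs: EUGENE_* reproduce the mirrored pair from the answer above,
# OP_ACL is the single list the question applied unchanged on both peers.
EUGENE_LOCAL = "access-list 100 permit ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255"
EUGENE_REMOTE = "access-list 100 permit ip 10.10.10.0 0.0.0.255 10.20.10.0 0.0.0.255"
OP_ACL = """\
ip access-list extended INTERESTING_TRAFFIC
 permit ip 192.168.0.0 0.0.255.255 192.168.99.0 0.0.0.255 log
"""


def wildcard_to_network(addr, wildcard):
    """IOS wildcard masks are inverted netmasks. Invert explicitly instead of letting
    ipaddress guess, so '0.0.0.0' means /32 and '255.255.255.255' means /0.
    A non-contiguous wildcard raises ValueError, which is right for a crypto ACL."""
    netmask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.ip_network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def _endpoint(tokens, i):
    """Consume one address expression at tokens[i]: 'any', 'host A', or 'A WILDCARD'.
    Returns (network, index of the next unread token)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_crypto_acl(text):
    """Return the (src_net, dst_net) pair of every 'permit ip' entry.
    Handles numbered ('access-list 100 permit ...') and named (' permit ...') syntax;
    a trailing 'log' keyword is ignored. Deny entries are skipped (simplification)."""
    pairs = []
    for line in text.splitlines():
        toks = line.split()
        if "permit" not in toks:
            continue  # header, remark, deny, or blank line
        p = toks.index("permit")
        if toks[p + 1] != "ip":
            raise ValueError(f"crypto ACL entries are expected to be 'permit ip': {line!r}")
        src, i = _endpoint(toks, p + 2)
        dst, _ = _endpoint(toks, i)
        pairs.append((src, dst))
    return pairs


def is_mirrored(local_acl, remote_acl):
    """True when every local (src, dst) appears on the remote peer as (dst, src)."""
    local = set(parse_crypto_acl(local_acl))
    remote = {(d, s) for s, d in parse_crypto_acl(remote_acl)}
    return local == remote


def mirror_of(local_acl):
    """Generate the remote peer's entries from the local ACL."""
    return [f"permit ip {d.network_address} {d.hostmask} {s.network_address} {s.hostmask}"
            for s, d in parse_crypto_acl(local_acl)]


def matches(acl, src_ip, dst_ip):
    """Would a packet src_ip -> dst_ip be selected for the tunnel by this ACL?"""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for s, d in parse_crypto_acl(acl))


if __name__ == "__main__":
    print("Eugene's pair mirrored:", is_mirrored(EUGENE_LOCAL, EUGENE_REMOTE))
    print("same ACL on both peers mirrored:", is_mirrored(OP_ACL, OP_ACL))
    print("remote side for the OP's list:", mirror_of(OP_ACL))
    print("peer-to-peer traffic selected:", matches(OP_ACL, "192.168.99.1", "192.168.99.2"))
```

Running it on the first post's setup reports that the identical list is not a mirror and prints the line the other side needs. The last check is worth a look as well: because the /16 source covers the /24 destination, traffic between the tunnel endpoints 192.168.99.1 and 192.168.99.2 themselves is selected by this ACL, which is rarely what a crypto ACL is meant to cover.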
12-15-2012 02:03 PM
Hi Eugene,
I did that; here is the info now:
sh crypto ipsec sa
interface: FastEthernet0
Crypto map tag: VPN_MAP, local addr 192.168.99.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)
current_peer 192.168.99.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 43, #pkts encrypt: 43, #pkts digest: 43
#pkts decaps: 43, #pkts decrypt: 43, #pkts verify: 43
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 192.168.99.1, remote crypto endpt.: 192.168.99.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0x8319FE5B(2199518811)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xAE0A578B(2919913355)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 15, flow_id: Onboard VPN:15, sibling_flags 80000046, crypto map: VPN_MAP
sa timing: remaining key lifetime (k/sec): (4454255/2388)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x8319FE5B(2199518811)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 16, flow_id: Onboard VPN:16, sibling_flags 80000046, crypto map: VPN_MAP
sa timing: remaining key lifetime (k/sec): (4454255/2388)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Seems it is encrypted now.
Config of ACL
!
ip access-list extended INTERESTING_TRAFFIC
permit ip 192.168.0.0 0.0.255.255 192.168.99.0 0.0.0.255 log
Even though I have the log command configured in the ACL, it still shows only 2 logs:
.Dec 15 14:23:55.723 MST: %SEC-6-IPACCESSLOGP: list INTERESTING_TRAFFIC permitted udp 192.168.99.1(123) -> 192.168.99.2(123), 1 packet
.Dec 15 14:29:28.391 MST: %SYS-5-CONFIG_I: Configured from console by mintoo on vty0 (192.168.98.6)
.Dec 15 14:40:55.749 MST: %SEC-6-IPACCESSLOGP: list INTERESTING_TRAFFIC permitted udp 192.168.99.1(123) -> 192.168.99.2(123), 1 packet
1811w#
Do you know why is this?
Thanks
Mahesh
12-15-2012 02:19 PM
Hi Mahesh,
Yes, traffic is encrypted, since you can see encryptions and decryptions on both ends.
Regarding log option in ACL:
You will see logs only when the tunnel is being initiated. The log option in an ACL defined for interesting traffic is not a common scenario, because it is useless.
Please rate helpful posts
Best Regards,
Eugene
12-15-2012 02:21 PM
Hi Eugene,
Best Regards for answering all my questions
Mahesh