Packets not getting encrypt and decrypt IPSEC

mahesh18
Frequent Contributor

Hi Everyone,

I have a 2691 router connected to the Internet, and it is doing NAT.

This connects to 3550A  Switch which has connection to 1811W  Router.

I set up a VPN between 1811W and 3550A.

3550A has a connection to 2691 via OSPF.

OSPF is running between 1811w and 3550A.

1811

1811w# sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

192.168.99.2    192.168.99.1    QM_IDLE           2005 ACTIVE

IPv6 Crypto ISAKMP SA

1811w# sh crypto ipsec sa

interface: FastEthernet0

    Crypto map tag: VPN_MAP, local addr 192.168.99.1

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)

   current_peer 192.168.99.2 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 30, #recv errors 0

     local crypto endpt.: 192.168.99.1, remote crypto endpt.: 192.168.99.2

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

3550A

3550SMIA#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id slot status

192.168.99.2    192.168.99.1    QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

3550SMIA#sh cry

3550SMIA#sh crypto ipsec sa

interface: FastEthernet0/8

    Crypto map tag: VPN_MAP, local addr 192.168.99.2

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)

   current_peer 192.168.99.1 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 15, #recv errors 0

     local crypto endpt.: 192.168.99.2, remote crypto endpt.: 192.168.99.1

     path mtu 1500, ip mtu 1500

     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

As seen above, the packets are not encrypted between 1811w and 3550A.

I have used the same ACL on both 1811W and 3550A

ip access-list extended INTERESTING_TRAFFIC

permit ip 192.168.0.0 0.0.255.255 192.168.99.0 0.0.0.255 log

Any reasons why packets are not getting encrypted and decrypted?

Thanks

Mahesh
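
A check over the two `show crypto ipsec sa` outputs posted above, as an added example that is not part of the original post: it flags a peer whose outbound SPI is 0x0 (ISAKMP is at QM_IDLE but no IPsec SA is installed) and compares the proxy identities, which IOS expects to be mirror images of each other on the two peers. The helper names `parse_sa` and `findings` are hypothetical, and the sample text is constructed from the lines in the post.

```python
import re

# parse_sa/findings are illustrative names, not Cisco tooling.
# Constructed sample: key lines of `show crypto ipsec sa` from each peer in the post.
COMMON = """\
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
     current outbound spi: 0x0(0)
"""
SA_1811W = COMMON + "    #send errors 30, #recv errors 0\n"
SA_3550A = COMMON + "    #send errors 15, #recv errors 0\n"

FIELDS = {
    "local_ident": r"local\s+ident[^:]*:\s*\(([^)]+)\)",
    "remote_ident": r"remote\s+ident[^:]*:\s*\(([^)]+)\)",
    "encaps": r"#pkts encaps:\s*(\d+)",
    "send_errors": r"#send errors\s+(\d+)",
    "spi": r"current outbound spi:\s*(0x[0-9A-Fa-f]+)",
}

def parse_sa(text):
    """Pull proxy identities, counters and outbound SPI out of one SA block."""
    sa = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"field not found in output: {key}")
        sa[key] = m.group(1)
    sa["encaps"], sa["send_errors"] = int(sa["encaps"]), int(sa["send_errors"])
    sa["spi"] = int(sa["spi"], 16)
    return sa

def findings(peers):
    """peers: {name: parsed SA} for exactly two peers. Returns a list of findings."""
    out = []
    for name, sa in peers.items():
        if sa["spi"] == 0:
            out.append(f"{name}: outbound SPI is 0x0, no IPsec SA is installed")
        if sa["encaps"] == 0 and sa["send_errors"] > 0:
            out.append(f"{name}: {sa['send_errors']} send errors, 0 packets encapsulated")
    a, b = peers.values()
    # Mirrored crypto ACLs make one peer's local ident the other's remote ident.
    if (a["local_ident"], a["remote_ident"]) != (b["remote_ident"], b["local_ident"]):
        out.append("proxy identities are not mirrored between the two peers")
    return out

if __name__ == "__main__":
    peers = {"1811w": parse_sa(SA_1811W), "3550A": parse_sa(SA_3550A)}
    print("\n".join(findings(peers)))
```
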

3 Accepted Solutions

Eugene Korneychuk
Cisco Employee